Security/ security · ai · enterprise · networking

AI Agents Auto-Patch Enterprise Networks After Attacks

A new multi-agent framework called COHORT cuts the weeks-long manual process of hardening networks after a cyberattack down to an automated pipeline.

An academic framework automates one of enterprise security's most tedious jobs: figuring out how to block a known attacker without breaking the network they were in.

COHORT uses a team of large language model agents to propose, implement, and stress-test network mitigations — firewall rules, switch configs, router changes — on a high-fidelity emulator running real vendor firmware rather than a toy simulation. The key test is what the researchers call offensive replay: after applying a candidate fix, the system re-runs the original attack and checks whether it still works. A separate check confirms the mitigation didn't accidentally kill legitimate traffic. The framework stacks approved mitigations cumulatively to catch compound effects. Across three network topologies and four attack types — ransomware, lateral movement, DNS exfiltration, and data theft — 46.7% of generated mitigations blocked the attack and kept the network functional, a rate 4.4 times higher than a single-agent baseline.

The gap between detecting a breach and actually fixing the configuration that allowed it is where most enterprise security teams bleed time and money. Automating that loop with verifiable, replay-tested mitigations — not just suggested ones — is a meaningful step toward closing it. It also matters that the emulator runs real vendor firmware rather than abstracted proxies, which has historically been where simulation-based security research falls apart.

The 46.7% success rate sounds modest until you remember the alternative is weeks of expert work per incident; the harder question is how well the emulated topology reflects the target network in production.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →