An academic framework automates one of enterprise security's most tedious jobs: figuring out how to block a known attacker without breaking the network they were in.
COHORT uses a team of large language model agents to propose, implement, and stress-test network mitigations — firewall rules, switch configs, router changes — on a high-fidelity emulator running real vendor firmware rather than a toy simulation. The key test is what the researchers call offensive replay: after applying a candidate fix, the system re-runs the original attack and checks whether it still works. A separate check confirms the mitigation didn't accidentally kill legitimate traffic. The framework stacks approved mitigations cumulatively to catch compound effects. Across three network topologies and four attack types — ransomware, lateral movement, DNS exfiltration, and data theft — 46.7% of generated mitigations blocked the attack and kept the network functional, a rate 4.4 times higher than a single-agent baseline.
The gap between detecting a breach and actually fixing the configuration that allowed it is where most enterprise security teams bleed time and money. Automating that loop with verifiable, replay-tested mitigations — not just suggested ones — is a meaningful step toward closing it. It also matters that the emulator runs real vendor firmware rather than abstracted proxies, which has historically been where simulation-based security research falls apart.
The 46.7% success rate sounds modest until you remember the alternative is weeks of expert work per incident; the harder question is how well the emulated topology reflects the target network in production.