Order from Chaos: Benchmarking LLMs for Threat Intelligence

November 16, 2025

Today we at Athena Security Group are proud to announce the official release of AthenaBench, our new benchmark suite designed to assess large language models (LLMs) and AI agents in real-world cybersecurity workflows. AthenaBench emerges from our internal research lab and reflects our belief that true defense depends on measurement — that if you cannot test, verify and understand how your AI systems perform in security settings, you cannot trust them in operation.

“In the midst of chaos, there is also opportunity.”
— *Sun Tzu, The Art of War, Ch. V: “Energy”, v. 11

Why AthenaBench — and why now?

The cybersecurity industry is racing to adopt AI: for threat detection, incident triage, automated intelligence, and even response. Yet despite rapid adoption, there remains a glaring gap: how well do current AI models actually perform in adversarial, operational security contexts? Many benchmarks focus on general language tasks, but few measure the nuanced combination of domain-specific reasoning, dynamism, ambiguity and risk that characterize SOC workflows.

AthenaBench was created to fill that gap. It builds on prior academic efforts (e.g., CTI-Bench, CyberMetric, SECURE) and extends them by focusing squarely on the live telemetry, fight-patterns and decision-points relevant to SOCs, CTI teams and enterprise cyber-defense operations.

The Thrust of the Research

AthenaBench – published on arXiv (arXiv:2511.01144) — see the full text here: https://arxiv.org/abs/2511.01144 – is structured to evaluate models across multiple dimensions:

  • Threat actor attribution: Given telemetry and intelligence inputs, how accurately can a model identify adversary groups, TTPs, or campaign context?
  • Vulnerability / exploit reasoning: Beyond mapping a CVE to a weakness, can the model infer exploit likelihood and remediation urgency?
  • Incident-response suggestion: When faced with an evolving breach scenario, can the model propose valid containment and recovery strategies?
  • Model resilience and drift: How stable are model predictions when faced with noise, ambiguity or evolving threat patterns?
  • Operational latency/throughput trade-offs: Given SOC constraints (time to triage, alert volume, false-positive risk), how do models balance speed and accuracy?

The team’s findings are sobering: even state-of-the-art models show significant declines when moving from “text-knowledge” tasks (e.g., identifying known vulnerabilities) to “reasoning-under-uncertainty” tasks (e.g., recommending mitigation strategy or identifying a novel attack chain). In many cases, performance drops to near-chance levels, implying that human oversight remains essential.

Key Implications for Practitioners

  • AI does not equal autonomy. AthenaBench demonstrates that, in high-stakes settings like security, competence must be proven — not assumed.
  • Benchmarking is operational defense. By measuring model behavior under realistic threat scenarios, organizations gain insight into where models succeed, where they fail — and thus where human controls must remain.
  • Model routing matters. AthenaBench helps inform decisions about which tasks are safe for automation, which require human-in-the-loop, and where hybrid approaches deliver best value.
  • Continuous evaluation is required. Threat landscapes evolve; models drift. AthenaBench is designed for repeated, incremental testing, not one-time “model deployment and forget”.
  • Audit and governance integration. Results from AthenaBench can feed into control frameworks (e.g., SOC 2, ISO 27001/42001) as evidence of AI reliability, safe-lifecycle management and performance monitoring.

Athena Security Group’s Role

At Athena Security Group, our platform and MDR services are built on two pillars: AI-enabled intelligence and human-centered operations. With AthenaBench we now extend our commitment into research transparency: publishing data, methods and results so that the security community can progress together.

We are making AthenaBench publicly available to select partners and researchers. We invite academic, commercial and government teams to engage, replicate, and contribute.

Final Note: Measuring What Matters

In the mythology of conflict, as in cybersecurity, victory belongs to those who see clearly, prepare thoroughly and measure relentlessly. AthenaBench is not just another dataset — it is a benchmark of readiness. Because when you entrust portions of your defense to AI, you must be able to ask: How does this machine perform when the game changes, the adversary shifts and the pressure rises?

At Athena Security Group we believe that trust is built on evidence. AthenaBench is our contribution to making AI trustworthy — one benchmark at a time.