Explainable Cybersecurity Response Agents: Combining Reactive and Deliberative LLM Policies for Real-Time Threat Mitigation

Authors

  • Blake Mendez School of Electrical Engineering and Computer Science, Oregon State University, Corvallis, OR, USA. Author
  • Milos Parker School of Computing, Clemson University, Clemson, SC, USA. Author

Keywords:

cybersecurity agents, large language models, explainable artificial intelligence, reactive planning, deliberative reasoning, real-time threat mitigation, hybrid architectures, dual-process systems

Abstract

The accelerating frequency and sophistication of cyber attacks demand response systems that are both rapid in execution and transparent in reasoning. While large language models have demonstrated remarkable capability in understanding and generating natural language, their deployment as autonomous cybersecurity agents introduces tensions between the need for immediate, reactive actions and the requirement for deliberative, explainable decision-making. This paper proposes a hybrid architecture for explainable cybersecurity response agents that integrates reactive and deliberative policies, inspired by dual-process theories of cognition. The reactive layer leverages fine-tuned language models for real-time triage, pattern matching, and containment actions, operating under tight temporal constraints. The deliberative layer employs slower, planning-based reasoning, incorporating external knowledge bases, causal models, and multi-step inference to generate context-aware mitigation strategies. A central orchestration mechanism governs the interplay between these two policies, resolving conflicts, logging explanatory traces, and adapting the balance between speed and thoroughness based on threat severity and infrastructure criticality. We examine the structural trade-offs inherent in such a system, including latency versus completeness, autonomy versus human oversight, and scalability versus interpretability. Governance and fairness considerations are discussed, particularly regarding bias in training data and the risk of over-reliance on opaque models. Through comparative analysis with adjacent domains such as autonomous driving and financial fraud detection, we highlight lessons for sustainable deployment. The paper concludes with recommendations for future research on verifiable explainability, adversarial robustness, and policy frameworks that mandate transparency without hindering operational effectiveness.

References

1. Yao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., & Cao, Y. (2023). ReAct: Synergizing reasoning and acting in language models. In International Conference on Learning Representations (ICLR).

2. Lyu, Q., Li, Y., & Callison-Burch, C. (2023). Autonomous agents with large language models: A survey. arXiv preprint arXiv:2310.01444.

3. Kahneman, D. (2011). Thinking, fast and slow. Farrar, Straus and Giroux.

4. Doshi-Velez, F., & Kim, B. (2017). Towards a rigorous science of interpretable machine learning. arXiv preprint arXiv:1702.08608.

5. Rudin, C. (2019). Stop explaining black box machine learning models for high stakes decisions and use interpretable models instead. Nature Machine Intelligence, 1(5), 206-215.

6. Bhatt, P., & Vuppalapati, C. (2024). Large language models for cybersecurity: A systematic review. ACM Computing Surveys, 56(10), 1-38.

7. Mandujano, J., & Garcia, G. (2023). Autonomous incident response using ChatGPT: A case study. In Proceedings of the 2023 ACM Workshop on Intelligent Security (pp. 45-52).

8. Dou, Z., Cui, D., Yan, J., Wang, W., Chen, B., Wang, H., ... & Zhang, S. (2025). Dsadf: Thinking fast and slow for decision making. arXiv preprint arXiv:2505.08189.

9. Lundberg, S. M., & Lee, S. I. (2017). A unified approach to interpreting model predictions. In Advances in Neural Information Processing Systems 30 (NeurIPS) (pp. 4765-4774).

10. Lanham, T., Chen, A., Radhakrishnan, A., Steiner, B., Ganguli, D., & Kaplan, J. (2023). Measuring faithfulness in chain-of-thought explanations. arXiv preprint arXiv:2305.13739.

11. Shih, K., Deng, Z., Chen, X., Zhang, Y., & Zhang, L. (2025, May). DST-GFN: A Dual-Stage Transformer Network with Gated Fusion for Pairwise User Preference Prediction in Dialogue Systems. In 2025 8th International Conference on Advanced Electronic Materials, Computers and Software Engineering (AEMCSE) (pp. 715-719). IEEE.

12. Gao, H., Zeng, W., Zhang, J., & Liang, Y. (2025, December). A large model API response quality prediction model based on least squares vector machine and SHAP interpretability analysis. In 2025 5th International Symposium on Artificial Intelligence and Big Data (AIBDF) (pp. 438-442). IEEE.

13. Amodei, D., Olah, C., Steinhardt, J., Christiano, P., Schulman, J., & Mané, D. (2016). Concrete problems in AI safety. arXiv preprint arXiv:1606.06565.

14. Li, F., & Ma, J. (2024). Hybrid planning and execution for autonomous cyber defence. In Proceedings of the 2024 IEEE Symposium on Security and Privacy (pp. 123-140).

15. Gunning, D., Stefik, M., Choi, J., Miller, T., Stumpf, S., & Yang, G. Z. (2019). XAI—Explainable artificial intelligence. Science Robotics, 4(37), eaay7120.

16. Helm, J., & Klöpper, M. (2023). Toward verifiable explanations for autonomous agents. AI and Ethics, 3(4), 987-1004.

17. Ribeiro, M. T., Singh, S., & Guestrin, C. (2016). "Why should I trust you?" Explaining the predictions of any classifier. In Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 1135-1144).

18. Ferrag, M. A., Maglaras, L., & Moschoyiannis, S. (2020). Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study. Journal of Information Security and Applications, 54, 102564.

Downloads

Published

2026-05-12

How to Cite

Explainable Cybersecurity Response Agents: Combining Reactive and Deliberative LLM Policies for Real-Time Threat Mitigation. (2026). Journal of Data Intelligence and AI Systems, 1(1). https://www.jdataai.org/index.php/home/article/view/17