Organizations employ diverse solutions to combat online attacks, leading to varied countermeasure playbooks. As part of the CyberGuard project, Fraunhofer researchers are developing standardized playbooks to help companies streamline and align their security strategies. Generated by large language models, these playbooks enhance IT security automation.

IT security teams in companies and organizations create playbooks to document defensive measures against cyberattacks. These guides outline response strategies for incidents such as detecting a Trojan in an email, malware infection on a laptop, or an attack on the organization's website.

Figure 1. AI-Driven Playbooks for Enhanced Cybersecurity

Until now, companies have developed their security concepts and playbooks independently, resulting in minimal sharing of security-related information [1]. This lack of collaboration poses a challenge, especially for industries where business partners, such as manufacturers and suppliers, frequently exchange data. Figure 1 shows AI-Driven Playbooks for Enhanced Cybersecurity.

With this challenge in mind, researchers from the Fraunhofer Institute for Applied Information Technology FIT launched the CyberGuard project to develop a standardized framework for cyber defense. At its core, the project features a set of standardized playbooks with machine-readable process descriptions.

The researchers are leveraging the Collaborative Automated Course of Action Operations (CACAO) open-source format from the Organization for the Advancement of Structured Information Standards (OASIS). Playbooks created using the CACAO standard are interoperable, allowing seamless sharing between companies and organizations.

"This allows even small businesses and start-ups without large IT security teams to access playbooks, helping them prepare for emergencies and enhance their protection," says Mehdi Akbari Gurabi, a data protection and data sovereignty expert at Fraunhofer FIT.

Large Language Model Creates Security Playbooks

The first step is to transform existing manually created playbooks, typically in text or table format, into machine-readable documents. Fraunhofer researchers achieve this by leveraging AI-powered large language models (LLMs), which analyze employee-written texts in natural language and convert them into the CACAO format.

The finalized playbooks, containing valuable security expertise, can be securely shared with customers or business partners via trusted platforms, while internal data remains excluded. "For sharing purposes, the machine-readable step-by-step instructions are written in an abstract manner, ensuring that internal details—such as file or drive names—are not included," explains Akbari Gurabi.

Cyberattacks are constantly evolving and becoming more sophisticated. To keep pace, Akbari Gurabi and his team at Fraunhofer plan to enhance the AI’s ability to learn autonomously. If a new variant of an attack emerges, the AI will update and refine the relevant playbook using existing expertise. However, the AI does not operate without oversight.

"Mistakes are unacceptable in IT security," Akbari Gurabi emphasizes. "That’s why CyberGuard includes a review stage where IT managers assess the AI-generated machine-readable documents to ensure all steps are accurate and effective."

Automated Workflows

Fraunhofer FIT security experts are also working to automate the actions outlined in the playbooks. Once implemented, IT systems could respond instantly—for example, by taking immediate action when an intrusion detection system identifies an attack. This reduces the workload on IT personnel while significantly speeding up response times.

The CyberGuard architecture and related research projects offer numerous benefits for businesses and organizations [2]. Shared playbooks enable more effective responses to cyber threats, while automated workflows enhance reaction speed and reduce the burden on security teams. As a result, business operations are better protected against disruptions, and even small businesses and start-ups can access professional-grade security solutions.

Reference:

1. https://techxplore.com/news/2025-03-standardized-playbooks-cyberattacks.html
2. https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf

Cite this article:

Janani R (2025), Standardized Security Playbooks Enhance Cyberattack Protection, AnaTechMaz, pp. 595