Automatic processing of VA/PT tools output using LLM agents

Over the past two decades, technological and engineering developments have collaborated to create an increasingly sophisticated and diverse information technology landscape, but while this has led us today to have extremely complex and feature-rich hardware and software systems, it has inevitably increased the likelihood that they may contain conceptual or implementation flaws, some of which can potentially be exploited by malicious individuals or organizations, who nowadays find ever-changing methods and tools to threaten the secrecy, availability and integrity of resources and data. In this scenario, risk analysis methodologies such as VAPTs, i.e., Vulnerability Assessment and Penetration Testing, that assess the criticality and actual dangerousness of vulnerabilities found in web systems and applications, are paramount. However, they travel different paths and tools, as well as the type of output they produce: VAs are often automated, focus on a broader view of the system, and often produce false positives, while PTs are tests performed manually by an expert, who focuses in more detail on the part of the system and can demonstrate the real vulnerabilities of the target and how they can be exploited. Over time, numerous software tools and scripts have been created, each focusing at different levels on different technologies, areas, and protocols, attempting to automate and optimize part of or the entire analysis. With the integration of artificial intelligence in the automation of more and more processes, the opportunity to apply them to VAPT analysis is certainly a valuable object of research and experimentation. This thesis analyzes the behavior of an LLM-type AI model concerning the processing of output generated by some widespread tools used in VAPT to construct a methodology that, through an appropriate prompt engineering component, can lead the AI to extract intelligence information from the generated output, process its meaning correctly and try to possibly produce a possible, albeit basic, attack strategy against the designated target. The end product should be a process that, once preliminary input information is defined, can perform a sufficiently accurate analysis in a preferably automatic manner. The validation of the designed and implemented model includes several tests conducted on various tools and software in the security assessment landscape, comparing the accuracy and efficiency of the analyses produced.