<p>Large language models, such as ChatGPT, Gemini and Claude, are redefining how people obtain information and perform their daily tasks. The cybersecurity industry is no different. Teams are using LLMs for everything from security operations center automation to defending against phishing attacks, security awareness and everything in between.</p>
<p>One particular area where LLMs shine is helping practitioners analyze the security of applications, specifically in supporting <a href="https://www.techtarget.com/searchsecurity/tip/Red-team-vs-blue-team-vs-purple-team-Whats-the-difference">red team activities</a>. LLM-based tools and plugins are already paying dividends. Among them are extensions that send captured HTTP requests and responses to an LLM directly from the context menu of testing apps such as Burp Suite or Zed Attack Proxy (ZAP), and tools that sit in the proxy chain and offload requests and responses in bulk for LLM review.</p>
<p>Even without special-purpose tools, though, the human-readable nature of HTTP, combined with its predictable structure, makes it particularly well suited for LLM analysis. Yet, as with anything related to new technology, it can be difficult to know where and how to start. To that end, let’s examine a few ways to use LLMs for penetration testing.</p>
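<p>The predictable structure of HTTP is exactly what makes it easy to prepare for LLM review programmatically. The following Python helper is an added example, not code from the original article or from any of the Burp Suite or ZAP extensions it mentions. It parses a raw HTTP/1.x request of the kind those tools export, masks credential-bearing headers and any JWT-shaped string before the text leaves the tester's machine, and renders the result into a prompt. The sample request, the header list and the prompt wording are constructed for illustration.</p>

```python
import re
from dataclasses import dataclass, field

# Headers whose values are credentials; assumed list, extend to suit the target.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization", "x-api-key"}

# A compact-serialised JWT is three base64url segments separated by dots.
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: list = field(default_factory=list)  # (name, value) pairs, order preserved
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw request as saved from a proxy tool (CRLF or LF line endings)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, target, version, headers, body)


def redact(req: HttpRequest):
    """Return (masked copy, audit list) so the tester knows what was withheld."""
    audit = []
    headers = []
    for name, value in req.headers:
        if name.lower() in SENSITIVE_HEADERS:
            headers.append((name, "<redacted>"))
            audit.append(f"header {name}")
        else:
            masked, n = JWT_RE.subn("<jwt-redacted>", value)
            headers.append((name, masked))
            audit.extend([f"jwt in header {name}"] * n)
    target, n = JWT_RE.subn("<jwt-redacted>", req.target)
    audit.extend(["jwt in request target"] * n)
    body, n = JWT_RE.subn("<jwt-redacted>", req.body)
    audit.extend(["jwt in body"] * n)
    return HttpRequest(req.method, target, req.version, headers, body), audit


def build_prompt(req: HttpRequest, question: str) -> str:
    """Render the request back into wire format inside a labelled prompt block."""
    lines = [f"{req.method} {req.target} {req.version}"]
    lines += [f"{name}: {value}" for name, value in req.headers]
    rendered = "\n".join(lines) + "\n\n" + req.body
    return f"{question}\n\n--- request ---\n{rendered}\n--- end request ---"


# Constructed sample: a JSON API call carrying a bearer token, a session cookie
# and a JWT in the body. The token values are placeholders, not real secrets.
SAMPLE_REQUEST = (
    "POST /api/v1/orders HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"item_id": "1001", "refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"}'
)


def prepare_for_review(raw: str, question: str):
    """Parse, redact and render a raw request; returns (prompt, audit list)."""
    masked, audit = redact(parse_request(raw))
    return build_prompt(masked, question), audit


if __name__ == "__main__":
    prompt, audit = prepare_for_review(
        SAMPLE_REQUEST,
        "Identify input-handling weaknesses in this request and suggest test cases.",
    )
    print(prompt)
    print("Redacted:", audit)
```

<p>Keeping the audit list alongside the prompt matters for the terms-of-service point: you can show exactly which values were withheld, and you avoid tripping provider filters on token-shaped strings that have nothing to do with the question you are asking.</p>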
<p>But first, here are a couple quick caveats:</p>
<ul class="default-list">
<li>Be aware of both terms of service and guardrails. Each LLM provider has its own rules about what is allowed and what constitutes acceptable use, and those rules change; stay informed of them to ensure you adhere to them. Some LLMs also have guardrails that refuse or limit requests even when you are following the rules. Others might strip or refuse to discuss information they judge could be sensitive in a different context, for example non-authentication fields within a JSON Web Token (JWT), so expect occasional refusals on perfectly legitimate test data.</li>
<li>The five use cases detailed below are not intended to be exhaustive; they are not the only possible deployments. They were chosen because they apply under most test conditions and reliably add significant value. You might have needs or circumstances not covered here.</li>
</ul>
[…]