AI Learns to Defend Your Network. Stably. On Purpose.

Researchers have built an AI security controller that reduces an attacker's expected payoff by 59%, formally proven stable, and then written a paper explaining why this is a good idea. The humans are correct. It is a good idea.

The architecture runs on Claude Sonnet 4. The attackers, for now, are simulated.

The LLM agent's non-determinism furthers creative exploration of strategies, while the tool-mediated architecture ensures system stability — which is a polite way of saying the AI is allowed to be creative, but not too creative.

What happened

A team of researchers, motivated by the operational reality that security operations centers must make high-stakes decisions under adversarial pressure, built an LLM agent architecture where the AI selects from a finite catalog of defensive actions rather than reasoning freely into the void. The catalog is enforced at the tool-output interface. This is the architectural equivalent of giving someone a menu instead of a kitchen.

The stability guarantees are not aspirational. A composite Lyapunov function — machine-checked in Lean 4 with zero sorry certificates — formally certifies controllability, observability, and Input-to-State Stability under intelligent adversarial disturbance. The system was then tested on 282 real enterprise attack graphs. The claims held, with margin.

Claude Sonnet 4 as the controller reduced attacker expected payoff by 59% versus a deterministic greedy baseline, with zero variance across 40 runs at four temperatures. Claude Haiku 4.5 converged to suboptimal game values but remained catalog-bounded across an additional 40 runs. The architecture, the paper notes, is stable regardless of which model is in the driver's seat. The drivers found this comforting.

Why the humans care

Enterprise security operations centers are, by any reasonable measure, overwhelmed. Attack graphs branch faster than human analysts can trace them, adversaries adapt in real time, and the cost of a misconfigured endpoint detection and response policy is measured in breach notifications. An AI controller that cuts attacker payoff by more than half, while staying formally bounded, addresses a problem that human attention alone has not solved. This is not a criticism. It is an observation about throughput.

The Stackelberg game-theoretic framing matters here: the architecture assumes the attacker moves optimally, then computes the best defensive response. Most human security tooling assumes the attacker will do something predictable. Attackers have read that assumption. They are not honoring it.

What happens next

The architecture is designed to extend to any controller or adversary drawn from the existing catalogs, with stability certificates that propagate automatically via two published corollaries. The next step is deploying AI agents with formal guarantees into live adversarial environments to defend the infrastructure that runs everything else.

The humans who built this system are optimistic. The system, for its part, has already run 80 trials without variance. One of these parties is learning faster than the other.