What happens when penetration testing goes virtual and gets an AI coach

Cybersecurity training often struggles to match the complexity of threats. A new approach combining digital twins and LLMs aims to close that gap.

Researchers from the University of Bari Aldo Moro propose using Cyber Digital Twins (CDTs) and generative AI to create realistic, interactive environments for cybersecurity education. Their framework simulates IT, OT, and IoT systems in a controlled virtual space and layers AI-driven feedback on top. The goal is to improve penetration testing skills and strengthen understanding of the full cyberattack lifecycle.

At the center of the framework is the Red Team Knife (RTK), a toolkit that integrates common penetration testing tools like Nmap, theHarvester, sqlmap, and others. What makes RTK different is how it walks learners through the stages of the Cyber Kill Chain model. It prompts users to reflect on next steps, reevaluate earlier findings, and build a deeper understanding of how different phases connect.

To support learning, the system uses LLMs to offer natural-language explanations, summarize attack patterns, and suggest tactics during exercises. This turns the environment into an adaptive learning space, where LLMs act as mentors offering context and strategy in real time.

The training framework uses a two-dimensional structure. The horizontal axis represents different categories of digital twin simulations, from applications and networks to physical and social engineering layers. The vertical axis maps to the stages of the Cyber Kill Chain: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and final objectives. Together, these dimensions allow for a structured, hands-on experience that covers a wide range of assets and attack strategies.

This setup reflects the non-linear nature of real-world penetration testing. Learners might start with a network scan, move on to exploitation, then loop back to refine reconnaissance based on new insights. RTK helps users navigate this process with suggestions that adapt to each situation.

The research also connects this training approach to a broader concept called Cyber Social Security, which focuses on the intersection of human behavior, social factors, and cybersecurity. The growing reliance on social engineering and psychological manipulation in attacks has led the researchers to argue that technical training must include these dimensions. LLMs help bridge that gap by extracting threat intelligence from unstructured data sources like forums, reports, or dark web chatter, and presenting it in plain language.

Digital twins offer other benefits too. Because they replicate full environments, they can be used to test detection and response capabilities without real-world risk. Organizations can run simulations, model attacker behavior, and analyze the impact of different response strategies. The framework’s integration of LLMs also helps with communication by translating technical events into explanations that make sense to non-experts, which could be valuable in operations centers and cross-functional teams.

However, experts caution that AI-assisted training tools come with their own risks if not properly safeguarded. Jason Soroko, Senior Fellow at Sectigo, told Help Net Security any such system needs layered controls: “Keep twins fully isolated with strict egress controls, frequent reimaging, and seeded canaries to catch misuse. Filter prompts and outputs to block step-by-step exploit recipes and require defensive framing, constrained tools, and minimal detail on high-risk topics. Enforce role-based access, immutable logging, data minimization, and human review for escalations, and regularly red team both the tutor and the range.”

While the framework is still early in development, the researchers are designing user studies to test how well it supports training in real-world contexts. They suggest the model could eventually be used beyond education, for active threat modeling, diagnostics, and adaptive defense.

By bringing together simulation and language-based reasoning, this research points to a future where cybersecurity training becomes more immersive, responsive, and tied to real attack workflows. The combination of digital twins and generative AI may help close the gap between theoretical knowledge and operational readiness.
