Pacific Northwest national lab unveils generative Artificial Intelligence cyber defense tool

Scientists at Pacific Northwest National Laboratory have developed a generative Artificial Intelligence system called Aloha that can rapidly simulate and adapt cyberattacks, offering defenders a faster way to reconstruct and test intrusions. The project highlights how U.S. national labs are turning years of classified Artificial Intelligence cyber research into practical defensive tools.

Scientists at Pacific Northwest National Laboratory in Washington state have built a generative Artificial Intelligence-powered system, known as Aloha, that is designed to let cyber defenders quickly simulate the attacks targeting their organizations. National laboratories such as Los Alamos, Sandia and Lawrence Livermore have long driven some of the biggest and least publicized advances in cyberspace, and the decision to talk about Aloha signals that the U.S. government is likely further along in countering adversarial Artificial Intelligence attacks than it publicly reveals. Reconstructing an attack chain is a central part of incident response, since defenders must retrace an intruder’s steps to see how they entered and which vulnerabilities need to be fixed.

The PNNL team built Aloha by combining Anthropic’s Claude with MITRE’s open-source Caldera attack simulation platform. A security analyst begins by entering a plain-language description of a real or hypothetical attack, including what happened across their systems. The Artificial Intelligence system, powered by Claude, then generates a detailed representation of the attack’s sequences from its own knowledge base, expanding the description into an executable play-by-play. Caldera uses those steps to run a simulation in a contained environment against a test network, which emulates how the attack would unfold under different conditions. Aloha watches the simulation in real time, evaluates each step, and determines whether the intended effect was achieved. If the simulation stalls, Aloha can automatically adjust the next action to keep it progressing, and the analyst can repeatedly tweak defensive conditions and replay the scenario until the results are acceptable.

According to PNNL’s Loc Truong, the new tool compresses what has traditionally been weeks of manual scripting and expert work into a largely automated workflow. Truong said it speeds up defenders’ responses, so that cybersecurity experts do not have to execute as many operations themselves, and makes the process closer to “click and go.” By lowering the expertise and budget required to run attack emulation, Aloha could open advanced testing to more organizations at a time when both security teams and malicious actors are leaning heavily on Artificial Intelligence. Anthropic reported evidence that Chinese state-sponsored hackers used Claude to break into about 30 global organizations, ransomware gangs are steadily automating their kill chains, and at last year’s DEF CON Capture the Flag competition nearly every team relied on Artificial Intelligence support. PNNL researcher Kristopher Willis said the lab is now working from recent DARPA findings at DEF CON to evolve Aloha so it can automatically test newly discovered vulnerabilities, assess their severity, translate proofs of vulnerabilities into proofs of concept, and help create or validate remediation steps.
