Exploring the use of LLMs to analyse/summarise security logs
Date
2025
Authors
Algoblan, Faisal
Publisher
Saudi Digital Library
Abstract
Security and system logs are key to modern cybersecurity and IT operations. However, their scale and complexity place a heavy burden on analysts. Large language models (LLMs) offer new ways to summarise and interpret logs, but their use raises questions about trust, risk, and governance. This project set out to explore how practitioners perceive the role of LLMs in operational security and what safeguards they believe are necessary for safe adoption.
Eight semi-structured interviews were carried out with professionals who had experience in log analysis, including a SOC manager and analysts, IT administrators, and students with relevant backgrounds. The transcripts were analysed using Braun and Clarke's thematic analysis [5], resulting in four themes: Workflow Integration and Guardrails; Trust, Verification, and Evidence; Privacy and Data Governance; and Adoption and Organisational Readiness.
Findings show that practitioners see value in combining LLMs with existing tools such as SIEM platforms, alert triage workflows, and ticketing systems. They stressed that human oversight is vital: prompts must be carefully structured, and outputs need supporting evidence before they can be trusted. Privacy concerns were significant, with requests for local hosting, strict access controls, data minimisation, and clear audit policies. Adoption depended on training, cultural readiness, and a clear return on investment.
The study contributes by offering a practitioner-centred view of LLM use in cybersecurity, filling a gap in the literature that has mainly focused on technical benchmarks. It concludes that LLMs can support efficiency and improve understanding in log analysis, but only when integrated into workflows that enforce verification, protect privacy, and ensure clear accountability.
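As an added illustration of two safeguards the interviewees asked for, data minimisation before log content leaves the organisation and evidence-backed output, the following Python example (not part of the thesis; the sample log lines and the account list are constructed) pseudonymises IP addresses and named accounts with stable tokens, numbers the lines so a model can be asked to cite them, and rejects any summary whose citations do not point at real lines.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines (not from the study), standing in for a SIEM export.
SAMPLE_LOGS = [
    "2025-03-01T08:12:01Z sshd[4121]: Failed password for alice from 203.0.113.7 port 50211",
    "2025-03-01T08:12:04Z sshd[4121]: Failed password for alice from 203.0.113.7 port 50213",
    "2025-03-01T08:12:09Z sshd[4121]: Accepted password for alice from 203.0.113.7 port 50220",
    "2025-03-01T08:15:33Z sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/tar czf /tmp/x.tgz /etc",
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CITATION = re.compile(r"\[L(\d+)\]")


def minimise(lines: List[str], accounts: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Replace IPs and known account names with stable pseudonyms (IP_1, USER_1, ...).
    The mapping (pseudonym -> real value) stays with the analyst and is never sent
    to the model; consistent tokens still let the model correlate related events."""
    mapping: Dict[str, str] = {}

    def token(prefix: str, value: str) -> str:
        for tok, real in mapping.items():
            if real == value:
                return tok
        tok = f"{prefix}_{sum(k.startswith(prefix) for k in mapping) + 1}"
        mapping[tok] = value
        return tok

    out = []
    for line in lines:
        line = IPV4.sub(lambda m: token("IP", m.group(0)), line)
        for acct in accounts:  # account list is an assumed input, e.g. from the directory
            line = re.sub(rf"\b{re.escape(acct)}\b", lambda m: token("USER", acct), line)
        out.append(line)
    return out, mapping


def build_prompt(redacted: List[str]) -> str:
    """Number every line so the model can be required to cite evidence as [Ln]."""
    body = "\n".join(f"[L{i}] {ln}" for i, ln in enumerate(redacted, 1))
    return ("Summarise the security-relevant activity below. Every claim must cite "
            "the supporting line(s) as [Ln]; do not state facts not in the lines.\n" + body)


def check_citations(summary: str, n_lines: int) -> Dict[str, object]:
    """Reject summaries with no citations or with citations to non-existent lines."""
    cited = {int(n) for n in CITATION.findall(summary)}
    invalid = {n for n in cited if n < 1 or n > n_lines}
    return {"cited": cited, "invalid": invalid, "ok": bool(cited) and not invalid}
```

The citation check only confirms that cited lines exist; whether a cited line actually supports the claim is still the analyst's verification step.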
Keywords
Cybersecurity, Security Log Analysis, System Logs, Large Language Models (LLMs), Artificial Intelligence in Cybersecurity, Security Operations Center (SOC), Log Summarisation, Human–Computer Interaction, Trust and Verification, Data Privacy and Governance, AI Governance, Thematic Analysis, Qualitative Research, Operational Security, Automation in Security Operations
