Safe LLM Research Workflow
Purpose
Define a safe workflow for using LLMs in public, defensive CTI research.
Practitioner-Level Explanation
Safe LLM use starts with scope and data handling; use Customer project AI governance for delivery work. Public TLP:CLEAR material may be appropriate for external tools. Internal telemetry, credentials, victim data, proprietary reporting, or sensitive incident data should not be pasted into public models.
The model should be asked to produce structured claims, source links, confidence caveats, and gaps. The analyst verifies everything.
CTI Relevance
This workflow lets teams gain speed without losing source integrity or data-handling discipline.
Common Mistakes
- Letting the model invent sources or facts.
- Using AI output without source verification.
- Putting sensitive or restricted data into public tools.
- Skipping human analytic judgment.
Practical Workflow
- Classify the data.
- Define task and allowed sources.
- Ask for structured output.
- Require evidence labels.
- Verify links and content.
- Downgrade unsupported claims.
- Record AI use if project policy requires it.
Example / Mini Case
Prompt the model to extract claims from public reporting into a table: claim, source URL, evidence label, confidence, detection implication, gap. Then manually check each URL and claim before using it.
Analyst Checklist
- Are sources real and checked?
- Are claims evidence-labeled?
- Is sensitive data excluded?
- Has a human reviewed the output?
- Are hallucination controls applied?
Output Artifact
Task:
Allowed Data:
Prompt Version:
Model Output:
Source Verification:
Claim Review:
Corrections:
Final Use:
Reviewer: