To address the low efficiency, error-proneness, and poor scalability of manual threat modeling and test plan generation in hardware security verification, this paper proposes the first LLM-driven multi-agent framework. The framework integrates retrieval-augmented generation (RAG), multi-agent collaborative reasoning, and interactive human-in-the-loop feedback to jointly generate explainable threat models and test cases. Empirical evaluation on the NEORV32 SoC demonstrates that our approach significantly reduces manual verification effort, broadens threat coverage, and enhances the practicality of test plans—enabling structured, adaptive security verification for complex SoCs. Key contributions include: (1) the first multi-agent LLM architecture specifically designed for hardware security verification; and (2) a synergistic co-evolution mechanism between threat analysis and test case generation, ensuring mutual refinement and interpretability throughout the verification workflow.

Current hardware security verification processes predominantly rely on manual threat modeling and test plan generation, which are labor-intensive, error-prone, and struggle to scale with increasing design complexity and evolving attack methodologies. To address these challenges, we propose ThreatLens, an LLM-driven multi-agent framework that automates security threat modeling and test plan generation for hardware security verification. ThreatLens integrates retrieval-augmented generation (RAG) to extract relevant security knowledge, LLM-powered reasoning for threat assessment, and interactive user feedback to ensure the generation of practical test plans. By automating these processes, the framework reduces the manual verification effort, enhances coverage, and ensures a structured, adaptable approach to security verification. We evaluated our framework on the NEORV32 SoC, demonstrating its capability to automate security verification through structured test plans and validating its effectiveness in real-world scenarios.