AI Summary
Modern multi-stage cyberattacks challenge defenders due to static assumptions in decision-making and the inability to effectively integrate real-time threat intelligence. Method: This paper proposes a dynamic attack-defense game framework that, for the first time, embeds large language models (LLMs) into partially observable stochastic games (POSGs), augmented with retrieval-augmented generation (RAG) and dynamic belief updating. The framework enables attack path prediction, multi-stage tactical reasoning, and dynamic patch prioritization. Contribution/Results: It introduces multi-agent coordination, real-time threat-intelligence-driven policy adaptation, and Cyber Kill Chain-informed modeling of adversarial evolution. Experiments demonstrate significant improvements in high-risk vulnerability identification accuracy and resource allocation efficiency, enhancing both strategic foresight and environmental adaptability of defensive systems.
Abstract
Modern cyber attacks unfold through multiple stages, requiring defenders to dynamically prioritize mitigations under uncertainty. While game-theoretic models capture attacker-defender interactions, existing approaches often rely on static assumptions and lack integration with real-time threat intelligence, limiting their adaptability. This paper presents CyGATE, a game-theoretic framework modeling attacker-defender interactions, using large language models (LLMs) with retrieval-augmented generation (RAG) to enhance tactic selection and patch prioritization. Applied to a two-agent scenario, CyGATE frames cyber conflicts as a partially observable stochastic game (POSG) across Cyber Kill Chain stages. Both agents use belief states to navigate uncertainty, with the attacker adapting tactics and the defender re-prioritizing patches based on evolving risks and observed adversary behavior. The framework's flexible architecture enables extension to multi-agent scenarios involving coordinated attackers, collaborative defenders, or complex enterprise environments with multiple stakeholders. Evaluated in a dynamic patch scheduling scenario, CyGATE effectively prioritizes high-risk vulnerabilities, enhancing adaptability through dynamic threat integration, strategic foresight by anticipating attacker moves under uncertainty, and efficiency by optimizing resource use.
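The defender-side belief tracking the abstract describes, as an added example that is not the paper's code: a Bayes filter over the attacker's hidden Cyber Kill Chain stage, fed by observed adversary behavior, and a patch ranking that re-weights vulnerability severity by how imminent the stage that would use each vulnerability is. The transition probability, observation likelihoods, and vulnerability inventory are constructed stand-ins (the paper uses an LLM with RAG for this scoring).

```python
from typing import Dict, List, Tuple
STAGES = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "actions"]  # hidden attacker state
P_ADVANCE = 0.4  # assumed per-step probability that the attacker moves one stage forward
FLOOR = 0.02     # likelihood assigned to stages not listed under an observation
# Constructed observation model P(obs | stage); values are illustrative, not from the paper.
OBS_MODEL: Dict[str, Dict[str, float]] = {
    "port_scan": {"recon": 0.7, "weaponize": 0.1},
    "phishing_email": {"weaponize": 0.2, "deliver": 0.6},
    "suspicious_proc": {"exploit": 0.5, "install": 0.4},
    "beacon_dns": {"c2": 0.7, "actions": 0.2},
}
# Constructed vulnerability inventory: (id, severity 0-10, stage that would leverage it).
VULNS: List[Tuple[str, float, str]] = [
    ("VULN-A-mail-gateway", 7.5, "deliver"),
    ("VULN-B-webapp-rce", 9.8, "exploit"),
    ("VULN-C-priv-esc", 7.8, "install"),
    ("VULN-D-egress-filter", 5.0, "c2"),
]

def predict(belief: List[float]) -> List[float]:
    """Transition step: mass at stage i stays with 1-P_ADVANCE or moves to i+1; last stage absorbs."""
    nxt = [0.0] * len(STAGES)
    for i, b in enumerate(belief[:-1]):
        nxt[i] += b * (1 - P_ADVANCE)
        nxt[i + 1] += b * P_ADVANCE
    nxt[-1] += belief[-1]
    return nxt

def update(belief: List[float], obs: str) -> List[float]:
    """Bayes filter step: predict, weight each stage by P(obs | stage), renormalize."""
    like = OBS_MODEL.get(obs, {})
    post = [p * like.get(s, FLOOR) for p, s in zip(predict(belief), STAGES)]
    z = sum(post)
    return [x / z for x in post]

def prioritize(belief: List[float]) -> List[Tuple[str, float]]:
    """Rank patches by severity x P(attacker is at, or one stage before, the stage that uses it)."""
    ranked = []
    for vid, sev, stage in VULNS:
        i = STAGES.index(stage)
        imminence = belief[i] + (belief[i - 1] if i > 0 else 0.0)
        ranked.append((vid, round(sev * imminence, 3)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

def run(observations: List[str]) -> List[Tuple[str, float]]:
    belief = [1.0] + [0.0] * (len(STAGES) - 1)  # prior: attacker assumed to be at recon
    for obs in observations:
        belief = update(belief, obs)
    return prioritize(belief)
```

After observing a port scan, a phishing email, and then a suspicious process, the ranking moves the exploitation-stage RCE and the installation-stage privilege escalation ahead of the delivery-stage mail gateway flaw, while the C2-stage egress issue scores zero until belief reaches that stage.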