To address the high hallucination rate, excessive computational cost, and poor generalization of large language models (LLMs) in cybersecurity incident response, this paper proposes a lightweight three-stage framework: instruction fine-tuning, retrieval-augmented generation, and state-space-based forward planning. For the first time, under reasonable assumptions, we theoretically bound the hallucination probability—proving it can be reduced to an arbitrarily small value. The method eliminates reliance on ultra-large models and enables deployment on commodity hardware. Experiments demonstrate a 22% reduction in mean recovery time compared to state-of-the-art LLMs, alongside strong generalization across diverse real-world attack logs. The core contribution is a novel LLM-driven response planning paradigm that jointly ensures reliability (controllable hallucination), efficiency (lightweight design), and practicality (low-cost, hardware-agnostic deployment).

Timely and effective incident response is key to managing the growing frequency of cyberattacks. However, identifying the right response actions for complex systems is a major technical challenge. A promising approach to mitigate this challenge is to use the security knowledge embedded in large language models (LLMs) to assist security operators during incident handling. Recent research has demonstrated the potential of this approach, but current methods are mainly based on prompt engineering of frontier LLMs, which is costly and prone to hallucinations. We address these limitations by presenting a novel way to use an LLM for incident response planning with reduced hallucination. Our method includes three steps: fine-tuning, information retrieval, and lookahead planning. We prove that our method generates response plans with a bounded probability of hallucination and that this probability can be made arbitrarily small at the expense of increased planning time under certain assumptions. Moreover, we show that our method is lightweight and can run on commodity hardware. We evaluate our method on logs from incidents reported in the literature. The experimental results show that our method a) achieves up to 22% shorter recovery times than frontier LLMs and b) generalizes to a broad range of incident types and response actions.