Needles at Scale: LLM-Assisted Target Selection for Windows Vulnerability Research

Researchers present Symbolicate-Enrich-Sample, a batch pipeline that uses LLM assistance to prioritize vulnerability research targets across millions of Windows functions. By combining symbol recovery, structural analysis, and language model reasoning, the system reduces 7.2 million functions to a manageable 22,000-function shortlist for security analysis.

This research addresses a fundamental challenge in operating system security: the computational impossibility of analyzing every function in a modern OS. Windows alone contains over 7 million functions across thousands of signed binaries, yet the vast majority are irrelevant to any given vulnerability investigation. The researchers' three-stage pipeline—symbol recovery, feature enrichment, and priority sampling—creates an intelligent filtering mechanism that dramatically reduces analyst workload without requiring expensive computational resources.

The approach reflects broader trends in security research where AI augmentation shifts focus from raw analysis capacity to smart triage. By recovering function-level symbols from public sources and enriching them with deterministic structural features before applying language model reasoning, the pipeline achieves selectivity at scale. The ~22,000-function reduction represents approximately 99.7% filtering efficiency, enabling human analysts or autonomous agents to focus on genuinely relevant targets rather than swimming through noise.

For the cybersecurity industry, this methodology has significant implications. Organizations conducting vulnerability research can now operate at whole-OS scale rather than targeted subsystems, potentially uncovering security gaps previously overlooked due to search space constraints. The deterministic layering of filters before LLM application also creates interpretability and cost efficiency advantages over pure neural approaches.

The researchers' decision to withhold the derived dataset reflects legitimate dual-use concerns—such prioritization could accelerate both defensive research and exploitation efforts. Future work likely involves validating whether the system's prioritization actually correlates with discovered vulnerabilities and adapting the methodology to other operating systems beyond Windows.

• →LLM-assisted triage reduces 7.2 million Windows functions to 22,000 candidates through deterministic filtering and language model reasoning
• →The three-stage pipeline combines symbol recovery, structural feature analysis, and importance sampling to prioritize vulnerability research targets
• →Deterministic filters layered with low-cost LLM labeling achieves 99.7% filtering efficiency while maintaining interpretability
• →This approach enables whole-OS vulnerability research at scale, previously constrained by manual analysis capacity
• →Dataset withholding reflects legitimate dual-use security concerns about accelerating both defensive and exploitation capabilities