🤖 AI Summary
To address the disconnection between theoretical instruction and hands-on practice in cybersecurity education, as well as the lack of dynamic, immersive threat scenarios, this paper proposes a novel pedagogical framework integrating Digital Twin (DT) technology with Large Language Models (LLMs). Methodologically, it constructs a dynamically evolving network digital twin environment incorporating the Red Team Knife (RTK), a custom red-teaming toolkit designed according to the Cyber Kill Chain model and tightly coupled with an LLM to enable attack workflow guidance, real-time threat simulation, natural-language-driven interactive feedback, and adaptive learning support. The key contribution lies in the first deep integration of DT and LLMs for cybersecurity education, enabling full-chain visual decomposition of attacks and semantically grounded responses. Pilot deployment at universities demonstrates significant improvements in learners' practical capabilities in vulnerability assessment and security operations, effectively bridging the gap between theoretical instruction and real-world offensive-defensive scenarios.
📝 Abstract
Digital Twins (DTs) are gaining prominence in cybersecurity for their ability to replicate complex IT (Information Technology), OT (Operational Technology), and IoT (Internet of Things) infrastructures, allowing for real-time monitoring, threat analysis, and system simulation. This study investigates how integrating DTs with penetration testing tools and Large Language Models (LLMs) can enhance cybersecurity education and operational readiness. By simulating realistic cyber environments, this approach offers a practical, interactive framework for exploring vulnerabilities and defensive strategies. At the core of this research is the Red Team Knife (RTK), a custom penetration testing toolkit aligned with the Cyber Kill Chain model. RTK is designed to guide learners through key phases of cyberattacks, including reconnaissance, exploitation, and response, within a DT-powered ecosystem. The incorporation of LLMs further enriches the experience by providing intelligent, real-time feedback, natural-language threat explanations, and adaptive learning support during training exercises. This combined DT-LLM framework is currently being piloted in academic settings to develop hands-on skills in vulnerability assessment, threat detection, and security operations. Initial findings suggest that the integration significantly improves the effectiveness and relevance of cybersecurity training, bridging the gap between theoretical knowledge and real-world application. Ultimately, the research demonstrates how DTs and LLMs together can transform cybersecurity education to meet evolving industry demands.