What question did this study set out to answer?

This research aims to enhance cyber threat intelligence by addressing challenges in knowledge graph construction.

May 7, 2026Open Access

KGAgent4CTI: unlocking the power of LLM in threat intelligence

Key Points

This research aims to enhance cyber threat intelligence by addressing challenges in knowledge graph construction.
Developed KGAgent4CTI framework based on large language models.
Constructed attack knowledge graphs through a multi-agent collaborative architecture.
Implemented a dynamic knowledge adaptation engine with version-aware indexing.
Achieved attack technique identification precision of 92.3%.
Reduced manual intervention and computational resource requirements.
Enabled effective attack scenario reconstruction and organizational attribution.

Abstract

Abstract Cyber threat intelligence (CTI) serves as the cognitive hub for cybersecurity defense, deeply integrating the domain knowledge of security experts with the characteristics of attack behaviors. Constructing attack knowledge graphs from CTI provides critical support for attack chain reconstruction and defensive decision-making. However, traditional knowledge graph construction methods exhibit significant limitations when facing the domain-specific challenges of CTI: ambiguous entity boundaries leading to named entity recognition (NER) drift, the long-tail phenomenon causing the omission of low-frequency threat elements, and difficulties in modeling multi-hop contextual dependencies. Furthermore, the dynamic evolution of adversarial technique frameworks such as MITRE ATT&CK poses a severe version drift risk for traditional models that rely on parameterized knowledge storage. To address these challenges, this paper introduces KGAgent4CTI—a threat intelligence analysis framework based on large language models (LLMs). Its core breakthroughs are twofold: (1) It establishes a multi-agent collaborative architecture that, through a task decoupling mechanism, decomposes knowledge graph construction into five specialized modules, enabling a progressive cognitive enhancement for attack chain analysis. (2) It designs a dynamic knowledge adaptation engine that combines a hybrid retrieval-augmented generation strategy with version-aware indexing technology, overcoming the limitations of an LLM’s parameterized knowledge storage to achieve precise, zero-shot identification of attack techniques. Our experimental results indicate that, compared with state-of-the-art methods, KGAgent4CTI demonstrates significant improvements, achieving an attack technique identification precision of 92.3% while also reducing the need for manual intervention and computational resources. Furthermore, the knowledge graphs we construct directly enable downstream security tasks, such as attack scenario reconstruction and organizational attribution.

Read Full Paperexternally

Mark Helpful

Bookmark

Relay

View Full Paper