Abstract

Cyber threat intelligence (CTI) serves as the cognitive hub for cybersecurity defense, deeply integrating the domain knowledge of security experts with the characteristics of attack behaviors. Constructing attack knowledge graphs from CTI provides critical support for attack chain reconstruction and defensive decision-making. However, traditional knowledge graph construction methods exhibit significant limitations when facing the domain-specific challenges of CTI: ambiguous entity boundaries leading to named entity recognition (NER) drift, the long-tail phenomenon causing the omission of low-frequency threat elements, and difficulties in modeling multi-hop contextual dependencies. Furthermore, the dynamic evolution of adversarial technique frameworks such as MITRE ATT&CK poses a severe version drift risk for traditional models that rely on parameterized knowledge storage. To address these challenges, this paper introduces KGAgent4CTI—a threat intelligence analysis framework based on large language models (LLMs). Its core breakthroughs are twofold: (1) It establishes a multi-agent collaborative architecture that, through a task decoupling mechanism, decomposes knowledge graph construction into five specialized modules, enabling progressive cognitive enhancement for attack chain analysis. (2) It designs a dynamic knowledge adaptation engine that combines a hybrid retrieval-augmented generation strategy with version-aware indexing, overcoming the limitations of an LLM's parameterized knowledge storage to achieve precise, zero-shot identification of attack techniques. Our experimental results indicate that, compared with state-of-the-art methods, KGAgent4CTI demonstrates significant improvements, achieving an attack technique identification precision of 92.3% while also reducing the need for manual intervention and computational resources. Furthermore, the knowledge graphs we construct directly enable downstream security tasks, such as attack scenario reconstruction and organizational attribution.
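The version drift problem the abstract raises, as an added illustration that is not the paper's code: a tiny version-aware technique index in which every entry carries the ATT&CK version range it is live in and a pointer to its successor, combined with a simple hybrid lookup (exact technique IDs first, then keyword overlap) restricted to the framework version the analyst targets. The T1086/T1059.001 pair mirrors the real PowerShell sub-technique reorganization; the version numbers, keyword sets and scoring weights are constructed for the example.

```python
"""Version-aware technique index with hybrid (ID + keyword) retrieval. Illustrative only."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    keywords: FrozenSet[str]
    since: int                       # first framework version containing this entry
    until: Optional[int] = None      # last version before revocation (None = still current)
    revoked_by: Optional[str] = None # successor entry, if this one was revoked

# Constructed mini-index (assumption): keyword sets and version bounds are hand-written,
# not pulled from ATT&CK; only the T1086 -> T1059.001 revocation mirrors the real change.
INDEX = [
    Technique("T1086", "PowerShell", frozenset({"powershell", "invoke-expression"}), 1, 6, "T1059.001"),
    Technique("T1059.001", "PowerShell", frozenset({"powershell", "invoke-expression"}), 7),
    Technique("T1566.001", "Spearphishing Attachment", frozenset({"spearphishing", "attachment", "docx"}), 7),
    Technique("T1003", "OS Credential Dumping", frozenset({"lsass", "credential", "dump", "mimikatz"}), 1),
]
BY_ID = {t.tid: t for t in INDEX}
ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

def active_in(t: Technique, version: int) -> bool:
    return t.since <= version and (t.until is None or version <= t.until)

def resolve(tid: str, version: int) -> Optional[str]:
    """Follow revoked_by chains so an ID cited in old intelligence maps to the entry live in `version`."""
    t = BY_ID.get(tid)
    while t and not active_in(t, version) and t.revoked_by:
        t = BY_ID.get(t.revoked_by)
    return t.tid if t and active_in(t, version) else None

def identify(sentence: str, version: int, min_hits: int = 1) -> list:
    """Hybrid retrieval: explicit IDs (exact) outrank keyword overlap (lexical); both filtered by version."""
    tokens = set(re.findall(r"[a-z0-9\-]+", sentence.lower()))
    hits: dict = {}
    for raw in ID_RE.findall(sentence):
        r = resolve(raw, version)
        if r:
            hits[r] = hits.get(r, 0) + 10          # explicit citation carries the most weight
    for t in INDEX:
        if not active_in(t, version):
            continue                                # never surface an entry from another version
        score = len(t.keywords & tokens)
        if score >= min_hits:
            hits[t.tid] = hits.get(t.tid, 0) + score
    return sorted(hits, key=lambda k: -hits[k])

if __name__ == "__main__":
    s = "The actor used PowerShell (T1086) to dump LSASS with Mimikatz."
    print(identify(s, version=6), identify(s, version=12))
```

Re-indexing for a new framework version means appending entries with their `since`/`revoked_by` fields rather than retraining anything, which is the point of keeping this knowledge outside the model's parameters.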
Yang et al. studied this question.