Search papers, labs, and topics across Lattice.
This paper presents TACTIC-KG, a modular framework for constructing Cybersecurity Knowledge Graphs (CSKGs) from unstructured Cyber Threat Intelligence (CTI) reports, addressing the limitations of monolithic Large Language Models (LLMs). By employing specialized LLM agents for tasks such as extraction, typing, verification, and curation, TACTIC-KG achieves improved stability, recall, and graph consistency while significantly reducing deployment costs. Experimental results demonstrate that this agentic approach outperforms larger ICL baselines in key metrics, including extraction F1-score and typing accuracy, highlighting the effectiveness of modularity in knowledge graph construction.
Modular LLM agents can outperform larger monolithic models in constructing Cybersecurity Knowledge Graphs, achieving better accuracy and consistency at a lower cost.
Cyber Threat Intelligence (CTI) reports are predominantly unstructured, heterogeneous, and noisy, which limits their direct usability for automated analysis and reasoning. Cybersecurity Knowledge Graphs (CSKGs) provide a structured representation of adversarial entities, actions, and relations, but constructing such graphs from free-text CTI remains a challenge. Recent approaches rely on monolithic Large Language Models (LLMs) to perform end-to-end extraction and completion, leading to high cost, limited controllability, and unstable performance. This paper introduces TACTIC-KG, an agentic framework for CSKG construction that decomposes the task into modular, specialized LLM agents responsible for extraction, typing, verification, and curation. Using lightweight models (3B--8B), TACTIC-KG improves stability, recall, and graph consistency while reducing deployment cost. We implement and evaluate TACTIC-KG against recent state-of-the-art systems. Experiments on human-annotated CTI reports show that agent specialization consistently outperforms larger monolithic in-context-learning (ICL) baselines in extraction F1-score, typing accuracy, and structural graph similarity.