Cyber Threat Intelligence Enrichment

• Cyber Threat Intelligence (CTI) enrichment is the systematic transformation of unstructured threat data into structured, semantically rich intelligence through extraction, normalization, and graph construction.
• It leverages advanced NLP techniques, embedding models, and domain ontologies to extract, disambiguate, and predict relationships from diverse cyber threat sources.
• Performance metrics indicate significant improvements in detection accuracy and operational efficiency, enabling seamless integration with TIPs, SIEMs, and automated response systems.

Cyber Threat Intelligence (CTI) enrichment refers to the systematic transformation of raw, often unstructured threat data (e.g., incident reports, blogs, feeds, and logs) into structured, semantically-rich, and actionable intelligence consumable by defensive systems and human analysts. This process involves a sequence of extraction, normalization, disambiguation, and correlation steps, leveraging advanced NLP, knowledge graph engineering, and domain ontologies to enhance threat detection, response, and attribution. CTI enrichment is driven by the need for high-fidelity, interoperable, and dynamically updatable situational awareness in an environment of rapidly evolving threats and expanding data modalities.

1. Conceptual and Technical Foundations

Modern CTI enrichment pipelines implement multi-stage information extraction and graph construction workflows, converting unstructured or partially structured cybersecurity text into knowledge graphs, event schemas, or indicator objects with precise semantics. A canonical example is the CTINexus framework, which sequentially applies:

1. Optimized In-Context Learning (ICL) for Entity & Relation Extraction: Using LLMs with task-specific prompts incorporating minimal yet carefully selected demonstration examples, CTINexus produces a set of ⟨head, relation, tail⟩ triplets from raw threat reports. Demonstration selection is performed via k-nearest-neighbor embedding retrieval, maximizing semantic similarity to the current query and organized to exploit the LLM's positional recency bias (Cheng et al., 2024).
2. Hierarchical Entity Alignment: A hybrid process of coarse-grained type assignment (ICL-driven, ontology-guided) followed by fine-grained clustering in embedding space (e.g., “text-embedding-3-large”, with merging at cosine similarity threshold τ=0.6). This canonicalizes synonym-rich or variant-labeled CTI entities, producing high-precision, non-redundant graph nodes.
3. Long-Distance Relation Prediction: To address disconnected subgraphs, CTINexus uses degree-centrality heuristics to identify central and topic entities. Further ICL-prompted LLM calls infer missing relations between disconnected components, leveraging the entire CTI context as evidence. This ensures knowledge graph completeness and the ability to infer cross-sentence or implicit linkages.

Other frameworks similarly adopt transformer-based architectures for end-to-end information extraction (see 0-CTI (Sorokoletova et al., 8 Jan 2025)) or leverage BiGRU-CRF and XLM-RoBERTa variants for multilingual event extraction pipelines (see XBC (Al-Yasiri et al., 4 Jun 2025)).

2. Methodologies: Extraction, Normalization, and Knowledge Graph Construction

CTI enrichment universally centers on (1) entity/relation extraction, (2) canonicalization and disambiguation, and (3) structured graph or event construction.

• Entity & Relationship Extraction: Approaches range from ICL-driven LLM extraction (CTINexus), transformer-based supervised NER (0-CTI, F1=0.85–0.98), to hybrid CNN+BiLSTM/CRF and spaCy pipelines tuned for cybersecurity-specific span labeling (Hanks et al., 2022, Alevizos et al., 2024). Supervised systems leverage annotated corpora, while zero-shot or few-shot learners utilize flat cyber ontologies and cross-encoder entailment models for class inference.
• Normalization and Disambiguation: Hierarchical alignment (CTINexus), rule-based and gazetteer-driven standardization, as well as embedding-based clustering (cosine similarity, MMR diversified retrieval) resolve lexical variations, merge aliases, and support entity linking (e.g., to Wikidata or knowledge bases for type constraint and context validation).
• Graph Construction: CTI entities and relations are assembled as nodes and edges in cybersecurity knowledge graphs (CSKGs), usually adhering to ontologies derived from MALOnt, STIX, or custom schemas. Ontology-driven constraints (e.g., SHACL in OntoLogX (Cotti et al., 26 Aug 2025)) enforce graph semantic validity, and edge-completion logic closes gaps due to cross-sentence/paragraph entity dispersion.
• Examples:
  • CTINexus: Input–“Akira ransomware group uses ransomware Trojan” → Extracted triplet, canonicalized nodes, cross-sentence linkage (Cheng et al., 2024).
  • 0-CTI: “APT28 exploited CVE-2021-34527…” → Four entities (threat actor, vulnerability, malware, IP), mapped to STIX objects, with explicit “exploits”, “delivers”, “communicates-with” relations (Sorokoletova et al., 8 Jan 2025).
  • spaCy pipeline: Custom NER tags for Malware_Name, Vulnerability, Threat_Actor; entity linking to Wikidata for canonicalization (Hanks et al., 2022).

3. Evaluation, Benchmarking, and Performance

CTI enrichment frameworks systematically report precision, recall, F1, and operational utility metrics to validate enrichment fidelity and completeness.

• CTINexus:
  • Triplet Extraction (GPT-4, k=2): F1 = 87.65%
  • Entity Extraction (vs. LADDER): F1 = 90.13% (+19pp F1)
  • Long-Distance Relation Prediction: F1 = 90.99%
  • Substantial improvement over fine-tuned BERT (EXTRACTOR): +25.36 pp in F1 for relation extraction (Cheng et al., 2024).
• 0-CTI:
  • Supervised NER: F1 = 0.85 (own corpus); F1 = 0.98 (STIXnet)
  • Zero-shot NER: mean LLM-as-judge score = 0.91 (STD=0.06)
  • Relation extraction: mean score = 0.83 (STD=0.15) (Sorokoletova et al., 8 Jan 2025).
• XBC (conceptual, BERT-BiGRU-CRF style):
  • Expected F1: 70–75% on CTI event extraction (Chinese APT datasets baseline)
  • Projected 5–10% higher F1 for multilingual, regularized extraction relative to monolingual baselines (Al-Yasiri et al., 4 Jun 2025).

Further, SHACL-driven ontological validation (as in OntoLogX) can reduce schema violations below 5% and boost F1 by 0.25 versus vanilla prompt-only LLM extraction (Cotti et al., 26 Aug 2025).

4. Downstream Applications and Integration

Enriched CTI flows into a variety of operational and analytical pipelines:

• Threat Intelligence Platforms (TIPs): Graphs and indicators are serialized as STIX 2.1 bundles or OpenCTI objects for ingestion into systems such as OTX, MISP, OpenCTI, and SOC dashboards. The CSKG schema is naturally aligned with these platforms, facilitating integration for threat hunting, kill-chain visualization, and SIEM automation.
• Automated Detection & Response: Enrichment output powers the drafting and deployment of Sigma and YARA rules (e.g., CTIMP (Papanikolaou et al., 2023)), with event correlation to internal asset inventories, enabling auto-approval of “self-healing” responses in high-priority threat cases.
• Question-Answering and Reasoning: Retrieval-augmented generation interfaces (as in CTIArena (Cheng et al., 13 Oct 2025)) support evidence-grounded reasoning about mapped vulnerabilities, TTPs, campaign attribution, and actor profiling.
• Multilingual and Long-Tail Threats: Data-augmentation frameworks like SynthCTI employ LLM-based synthetic data generation to remediate class imbalance in MITRE ATT&CK mappings, yielding up to +50% relative macro-F1 gains, allowing compact models to match or surpass much larger baselines (Ruiz-Ródenas et al., 21 Jul 2025).

5. Data Efficiency, Ontology Adaptivity, and Limitations

A hallmark of recent CTI enrichment is extreme data efficiency and ontology flexibility:

• Minimal Supervision: CTINexus achieves high accuracy using only a few dozen demonstration examples per task. The absence of fine-tuning and parameter adjustment enables rapid adaptation to new entity/relation schemas (e.g., swapping in new JSON ontologies) (Cheng et al., 2024).
• Ontology Adaptivity: Explicit inclusion of ontology definitions in the LLM prompt (instruction block) supports instant re-targeting to emerging threat landscapes and custom organization ontologies.
• Limitations:
  • Quality of demonstration data critically impacts LLM-driven extraction accuracy; recommended minimum is ≥100 curated demos.
  • LLM hallucinations, especially in smaller models, can produce spurious or unsupported relations; mitigations include post-prompt verification, self-consistency checks, and human-in-the-loop validation.
  • Continuous integration of new threat data (real-time feed ingestion) remains a target for future research and deployment optimization.

6. Theoretical Basis and Future Research Directions

CTI enrichment solidifies key areas of theoretical and practical importance:

• Alignment to Industry Standards: Structured output is mapped to STIX domain/cyber-observable/relationship objects, with bidirectional compatibility with OASIS and MITRE standards (e.g., ATT&CK, CAPEC ontologies and taxonomies) (Mavroeidis et al., 2021).
• Formal Frameworks: Advanced frameworks formalize entity types, property axioms, and reasoning logic—e.g., OWL and SHACL constraints in OntoLogX enforce precise data validity, enabling machine reasoning and high-fidelity semantic search (Cotti et al., 26 Aug 2025).
• Evaluation Metrics: Coverage scores (5W1H, technical indicators, mitigation objects), axiom usage, and reasoning performance are increasingly standardized as evaluation criteria for enrichment frameworks.
• Open Problems:
  • Continual adaptation to concept drift as threat types and nomenclature evolve.
  • Detection and mitigation of LLM hallucinations in production enrichment.
  • Incremental, near-real-time updating of the CSKG as new feeds and intelligence are ingested.
  • Privacy-preserving/federated enrichment in cross-organizational and regulated environments.

These directions underscore the importance of combining data-driven (LLM, GNN) and symbolic (ontology, rule-based) techniques for resilient, high-quality CTI enrichment in hostile and dynamic cyber threat landscapes (Cheng et al., 2024, Papanikolaou et al., 2023, Sorokoletova et al., 8 Jan 2025, Cotti et al., 26 Aug 2025).