ProvAgent: Threat Detection Based on Identity-Behavior Binding and Multi-Agent Collaborative Attack Investigation

📅 2026-03-10
🤖 AI Summary
This work addresses the dual challenges of insufficient expert trust in traditional models and the excessive burden of manual analysis in advanced persistent threat (APT) detection. To this end, we propose a collaborative detection framework that integrates multi-agent systems with conventional models. The framework first leverages traditional models for efficient initial anomaly screening, followed by in-depth investigation through autonomous reasoning and hypothesis validation by multiple intelligent agents. Innovatively shifting the human-in-the-loop paradigm toward model–multi-agent collaboration, our approach employs graph contrastive learning to enable fine-grained modeling of identity–behavior consistency and reconstructs complete attack chains. Experimental results on real-world datasets demonstrate that the proposed method significantly outperforms six state-of-the-art approaches while achieving high detection credibility and strong automation, with an operational cost as low as $0.06 per day.

📝 Abstract
Advanced Persistent Threats (APTs) pose critical challenges to modern cybersecurity due to their multi-stage and stealthy nature. While provenance-based detection approaches show promise in capturing causal attack semantics, current threat provenance practices face two paradoxical issues: (1) expert skepticism, where human analysts doubt the capability of traditional detection models to identify complex attacks; and (2) expert dependence, as analysts cannot manually process large-scale raw logs to detect threats without these models. Consequently, collaboration between humans and traditional models remains the prevailing paradigm. However, this renders investigation quality contingent upon human expertise and frequently results in alert fatigue. To address these challenges, we present ProvAgent, a framework that evolves the threat provenance paradigm from human-model collaboration to a novel collaboration between multi-agent systems and traditional models. ProvAgent leverages the speed and cost-efficiency of traditional models for initial anomaly screening over large-scale logs. By enforcing fine-grained identity-behavior consistency via graph contrastive learning, it profiles entities based on specific attributes to generate high-fidelity alerts. With these alerts serving as investigation entry points, ProvAgent achieves in-depth autonomous investigation through a hypothesis-verification multi-agent framework. Evaluations with real-world datasets demonstrate that ProvAgent outperforms six state-of-the-art (SOTA) baselines in anomaly detection. Through automated investigation, ProvAgent reconstructs near-complete attack processes at a minimum cost of $0.06 per day.
Problem

Research questions and friction points this paper is trying to address.

Advanced Persistent Threats
threat provenance
expert skepticism
expert dependence
alert fatigue
Innovation

Methods, ideas, or system contributions that make the work stand out.

multi-agent collaboration
identity-behavior binding
graph contrastive learning
autonomous attack investigation
threat provenance
Authors

Wenhao Yan, Institute of Information Engineering, Chinese Academy of Sciences
Ning An, Institute of Information Engineering, Chinese Academy of Sciences; University of Chinese Academy of Sciences
Linxu Li, Institute of Information Engineering, Chinese Academy of Sciences; University of Chinese Academy of Sciences
Bingsheng Bi, Institute of Information Engineering, Chinese Academy of Sciences; University of Chinese Academy of Sciences
Bo Jiang, Institute of Information Engineering, Chinese Academy of Sciences
Zhigang Lu, Institute of Information Engineering, Chinese Academy of Sciences; University of Chinese Academy of Sciences
Baoxu Liu, Institute of Information Engineering, Chinese Academy of Sciences; University of Chinese Academy of Sciences
Junrong Liu, Institute of Information Engineering, Chinese Academy of Sciences; University of Chinese Academy of Sciences
Cong Dong, Zhongguancun Laboratory