Existing CTI datasets lack fine-grained, framework-aligned annotations, hindering automated threat intelligence understanding. Method: We introduce CTI-HAL—the first high-quality, open-source dataset built from real-world threat reports, manually co-annotated and strictly aligned with MITRE ATT&CK’s tactical and technical layers. It enables report-level mapping to atomic ATT&CK capabilities and employs Krippendorff’s alpha to quantify inter-annotator agreement (α > 0.85). We evaluate LLMs’ zero-shot and few-shot generalization in realistic operational scenarios. Contribution/Results: Unfine-tuned LLMs accurately reconstruct APT tactical chains and achieve a 23.6% F1-score improvement in cross-report structured extraction over SOTA baselines. CTI-HAL establishes a reproducible, verifiable benchmark and methodological paradigm for automated CTI analysis.

Organizations are increasingly targeted by Advanced Persistent Threats (APTs), which involve complex, multi-stage tactics and diverse techniques. Cyber Threat Intelligence (CTI) sources, such as incident reports and security blogs, provide valuable insights, but are often unstructured and in natural language, making it difficult to automatically extract information. Recent studies have explored the use of AI to perform automatic extraction from CTI data, leveraging existing CTI datasets for performance evaluation and fine-tuning. However, they present challenges and limitations that impact their effectiveness. To overcome these issues, we introduce a novel dataset manually constructed from CTI reports and structured according to the MITRE ATT&CK framework. To assess its quality, we conducted an inter-annotator agreement study using Krippendorff alpha, confirming its reliability. Furthermore, the dataset was used to evaluate a Large Language Model (LLM) in a real-world business context, showing promising generalizability.