Existing vulnerability databases (e.g., NVD) lack fine-grained characterization of the real-world attack impact of CVEs and systematically omit mappings to MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs). Method: We propose TRIAGE, a hybrid approach combining rule-based reasoning with large language model (LLM) in-context learning to enable automated, high-recall CVE-to-ATT&CK TTP mapping. TRIAGE integrates MITRE’s official mapping guidelines with state-of-the-art LLMs (e.g., GPT-4o-mini), balancing interpretability and generalization. Contribution/Results: Experiments demonstrate that TRIAGE significantly outperforms either rule-only or LLM-only baselines, achieving a 23.6% higher recall. Moreover, GPT-4o-mini surpasses Llama3.3-70B in both accuracy and inference efficiency. This work delivers a scalable, verifiable foundation for vulnerability prioritization and incident response decision-making.

Vulnerability databases, such as the National Vulnerability Database (NVD), offer detailed descriptions of Common Vulnerabilities and Exposures (CVEs), but often lack information on their real-world impact, such as the tactics, techniques, and procedures (TTPs) that adversaries may use to exploit the vulnerability. However, manually linking CVEs to their corresponding TTPs is a challenging and time-consuming task, and the high volume of new vulnerabilities published annually makes automated support desirable. This paper introduces TRIAGE, a two-pronged automated approach that uses Large Language Models (LLMs) to map CVEs to relevant techniques from the ATT&CK knowledge base. We first prompt an LLM with instructions based on MITRE's CVE Mapping Methodology to predict an initial list of techniques. This list is then combined with the results from a second LLM-based module that uses in-context learning to map a CVE to relevant techniques. This hybrid approach strategically combines rule-based reasoning with data-driven inference. Our evaluation reveals that in-context learning outperforms the individual mapping methods, and the hybrid approach improves recall of exploitation techniques. We also find that GPT-4o-mini performs better than Llama3.3-70B on this task. Overall, our results show that LLMs can be used to automatically predict the impact of cybersecurity vulnerabilities and TRIAGE makes the process of mapping CVEs to ATT&CK more efficient. Keywords: vulnerability impact, CVE, ATT&CK techniques, large language models, automated mapping.