TACTIC-KG: Toward Small Agent Teams for Cyber Threat Intelligence Knowledge Graph Construction

📅 2026-07-06
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the challenges posed by unstructured, heterogeneous, and noisy cyber threat intelligence (CTI) reports, which hinder direct use in automated analysis. While existing end-to-end knowledge graph construction methods based on large language models suffer from high costs, poor controllability, and unstable performance, this paper proposes TACTIC-KG—a novel framework that leverages a team of modular agents powered by lightweight large language models (3B–8B parameters). The approach decomposes the task into four coordinated stages: extraction, type annotation, validation, and curation. This design significantly enhances system stability, interpretability, and deployment cost-efficiency. Evaluated on a manually annotated CTI dataset, TACTIC-KG outperforms state-of-the-art end-to-end baselines in entity extraction F1 score, type accuracy, and graph structural similarity, while also improving knowledge graph consistency and recall.
📝 Abstract
Cyber Threat Intelligence (CTI) reports are predominantly unstructured, heterogeneous, and noisy, which limits their direct usability for automated analysis and reasoning. Cybersecurity Knowledge Graphs (CSKGs) provide a structured representation of adversarial entities, actions, and relations, but constructing such graphs from free-text CTI remains a challenge. Recent approaches rely on monolithic Large Language Models (LLMs) to perform end-to-end extraction and completion, leading to high cost, limited controllability, and unstable performance. This paper introduces TACTIC-KG, an agentic framework for CSKG construction that decomposes the task into modular, specialized LLM agents responsible for extraction, typing, verification, and curation. Using lightweight models (3B--8B), TACTIC-KG improves stability, recall, and graph consistency while reducing deployment cost. We implement and evaluate TACTIC-KG against recent state-of-the-art systems. Experiments on human-annotated CTI reports show that agent specialization consistently outperforms larger monolithic in-context-learning (ICL) baselines in extraction F1-score, typing accuracy, and structural graph similarity.
Problem

Research questions and friction points this paper is trying to address.

Cyber Threat Intelligence
Knowledge Graph Construction
Large Language Models
Agent-based Framework
Information Extraction
Innovation

Methods, ideas, or system contributions that make the work stand out.

modular LLM agents
cyber threat intelligence
knowledge graph construction
agent specialization
lightweight models