pith. sign in

Uncovering vulnerabilities of llm-assisted cyber threat intelligence

2 Pith papers cite this work. Polarity classification is still indexing.

2 Pith papers citing it
abstract

Large language models (LLMs) are increasingly used to help security analysts manage the surge of cyber threats, automating tasks from vulnerability assessment to incident response. Yet in operational CTI workflows, reliability gaps remain substantial. Existing explanations often point to generic model issues (e.g., hallucination), but we argue the dominant bottleneck is the threat landscape itself: CTI is heterogeneous, volatile, and fragmented. Under these conditions, evidence is intertwined, crowdsourced, and temporally unstable, which are properties that standard LLM-based studies rarely capture. In this paper, we present a comprehensive empirical study of LLM vulnerabilities in CTI reasoning. We introduce a human-in-the-loop categorization framework that robustly labels failure modes across the CTI lifecycle, avoiding the brittleness of automated "LLM-as-a-judge" pipelines. We identify three domain-specific cognitive failures: spurious correlations from superficial metadata, contradictory knowledge from conflicting sources, and constrained generalization to emerging threats. We validate these mechanisms via causal interventions and show that targeted defenses reduce failure rates significantly. Together, these results offer a concrete roadmap for building resilient, domain-aware CTI agents.

citation-role summary

background 1

citation-polarity summary

fields

cs.CR 1 cs.LG 1

years

2026 2

verdicts

UNVERDICTED 2

roles

background 1

polarities

background 1

clear filters

representative citing papers

citing papers explorer

Showing 2 of 2 citing papers after filters.