
arxiv: 2602.17458 · v2 · pith:UA3BHJN2new · submitted 2026-02-19 · 💻 cs.CR

The CTI Echo Chamber: Fragmentation, Overlap, and Vendor Specificity in Twenty Years of Cyber Threat Reporting

Pith reviewed 2026-05-22 10:58 UTC · model grok-4.3

classification 💻 cs.CR
keywords: cyber threat intelligence, CTI reports, vendor overlap, fragmentation, reporting bias, marginal coverage, threat actors, open-source analysis

The pith

Analysis of 16,096 cyber threat reports over two decades shows low overlap between vendors and clear geographic and sectoral biases in what each reports.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper processes a large collection of open-source cyber threat intelligence reports spanning twenty years with an automated pipeline that pulls out threat actors, victims, motivations, and technical details. It then measures how much new information each additional vendor contributes and finds that overlap stays low overall, so a handful of core providers already capture most of the broad picture while extra sources mostly repeat what is already known. The same analysis maps systematic differences in the regions and industries each vendor tends to cover. Practitioners who rely on these reports to build threat models therefore need to know which blind spots their chosen sources leave and how many extra feeds are worth the cost.

Core claim

The CTI ecosystem consists of distinct vendor silos whose reports exhibit low intelligence overlap; marginal coverage analysis shows that after a small number of core providers, additional sources deliver sharply diminishing returns, while vendors display measurable geographic and sectoral reporting biases.

What carries the argument

An LLM-based extraction pipeline that ingests raw reports and structures their entities (threat actors, victims, TTPs, motivations, IoCs), so that overlap and bias can be measured quantitatively across the 16,096-document corpus.

If this is right

  • Security teams can achieve broad situational awareness with a small number of primary CTI vendors.
  • Adding reports from many more vendors produces limited new threat-actor or victim coverage.
  • Organizations must correct for each vendor's geographic and industry reporting preferences when combining sources.
  • Long-term studies of threat evolution should account for the fact that observed patterns partly reflect vendor specialization rather than ground truth.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The low-overlap finding implies that building a truly comprehensive threat picture requires deliberate cross-vendor reconciliation rather than simple aggregation.
  • Vendor biases may systematically under-represent threats against certain regions or sectors, affecting global risk assessments.
  • Future work could test whether the same fragmentation pattern appears in closed or paid CTI feeds.

Load-bearing premise

The automated extraction accurately identifies the key entities and the chosen set of reports fairly represents the full open-source CTI landscape.

What would settle it

A replication that samples a much larger or differently sourced collection of reports and finds high pairwise overlap across many vendors or no clear diminishing returns in marginal coverage.

Figures

Figures reproduced from arXiv: 2602.17458 by Francesco Marchiori, Juan Tapiador, Manuel Suarez-Roman, Mauro Conti.

Figure 1: CTIRep methodology and structure of the study.
Figure 2: Temporal evolution of the volume, diversity, and distribution of report types present in …
Figure 4: Sankey diagram of the distribution of the attack …
Figure 5: Number of reports (total count, reports including …
Figure 8: Cumulative coverage curve for threat actors and …
Figure 7: Vendor-actor tracking relationship for the top 25 …
Figure 10: Average Jaccard index among the top N vendors in CTICore and number of cumulative common threat actors among those N vendors.
Figure 11: Cumulative coverage of unique intelligence data …
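To make the marginal coverage curve (Figure 8), the average top-N Jaccard index and common-actor count (Figure 10), and the vendor reporting bias concrete, here is an added Python example; it is not the paper's code. The vendor names, actor identifiers and sector counts are constructed, and the greedy ordering by marginal gain is an assumption about how the coverage curve is built, not the paper's ranking method.

```python
"""Marginal coverage, top-N Jaccard overlap and sector bias for a set of CTI vendors.

Added example, not the paper's code.  Vendor names, actor identifiers and sector
counts are constructed; the greedy ordering is an assumed way to build the curve.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: vendor -> set of threat actors that vendor has reported on.
VENDOR_ACTORS = {
    "VendorA": {"APT-1", "APT-2", "APT-3", "APT-4", "APT-5", "APT-6", "APT-7"},
    "VendorB": {"APT-1", "APT-2", "APT-3", "APT-8", "APT-9"},
    "VendorC": {"APT-2", "APT-4", "APT-10", "APT-11"},
    "VendorD": {"APT-1", "APT-3", "APT-5"},
    "VendorE": {"APT-1", "APT-2", "APT-12"},
    "VendorF": {"APT-2"},
}

# Constructed sample: vendor -> number of reports per victim sector.
VENDOR_SECTOR_COUNTS = {
    "VendorA": Counter({"finance": 30, "government": 10, "healthcare": 10}),
    "VendorB": Counter({"finance": 5, "government": 40, "healthcare": 5}),
}


def jaccard(a, b):
    """Jaccard index |a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_by_volume(vendor_actors):
    """Vendors ordered by number of distinct actors reported (ties keep input order)."""
    return sorted(vendor_actors, key=lambda v: -len(vendor_actors[v]))


def average_top_n_jaccard(vendor_actors, n):
    """Mean pairwise Jaccard index among the top-n vendors by volume."""
    top = [vendor_actors[v] for v in rank_by_volume(vendor_actors)[:n]]
    pairs = list(combinations(top, 2))
    return sum(jaccard(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0


def common_actors_top_n(vendor_actors, n):
    """Actors tracked by every one of the top-n vendors by volume."""
    top = [vendor_actors[v] for v in rank_by_volume(vendor_actors)[:n]]
    return set.intersection(*top) if top else set()


def marginal_coverage(vendor_actors):
    """Greedy cumulative coverage curve.

    At each step the vendor contributing the most not-yet-seen actors is added
    (ties broken by input order).  Returns (vendor, new_actors, cumulative_fraction)
    rows; new_actors shrinking toward zero is the diminishing-returns effect.
    """
    universe = set().union(*vendor_actors.values())
    remaining = list(vendor_actors)
    covered, rows = set(), []
    while remaining:
        best = max(remaining, key=lambda v: len(vendor_actors[v] - covered))
        gain = len(vendor_actors[best] - covered)
        covered |= vendor_actors[best]
        remaining.remove(best)
        rows.append((best, gain, len(covered) / len(universe)))
    return rows


def vendors_needed(vendor_actors, target_fraction):
    """Smallest number of greedily chosen vendors reaching target_fraction coverage."""
    for i, (_, _, frac) in enumerate(marginal_coverage(vendor_actors), start=1):
        if frac >= target_fraction:
            return i
    return None


def sector_bias(vendor_sector_counts):
    """Per-vendor over/under-representation of each sector relative to the pooled corpus.

    Ratio > 1: the vendor reports that sector more often than the corpus as a whole;
    ratio < 1: less often, i.e. a blind spot to correct for when combining feeds.
    """
    pooled = sum(vendor_sector_counts.values(), Counter())
    grand_total = sum(pooled.values())
    bias = {}
    for vendor, counts in vendor_sector_counts.items():
        vendor_total = sum(counts.values())
        bias[vendor] = {
            sector: (counts[sector] / vendor_total) / (pooled[sector] / grand_total)
            for sector in pooled
        }
    return bias


if __name__ == "__main__":
    for vendor, gain, frac in marginal_coverage(VENDOR_ACTORS):
        print(f"{vendor}: +{gain} new actors, cumulative coverage {frac:.2f}")
    for n in range(2, 5):
        print(f"top-{n}: avg Jaccard {average_top_n_jaccard(VENDOR_ACTORS, n):.3f}, "
              f"common actors {len(common_actors_top_n(VENDOR_ACTORS, n))}")
    print(sector_bias(VENDOR_SECTOR_COUNTS))
```

On the constructed data the first three vendors already reach 11 of 12 actors while the remaining three add one actor between them, which is the shape of the diminishing-returns claim.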
Original abstract

Despite the high volume of open-source Cyber Threat Intelligence (CTI), our understanding of long-term threat actor-victim dynamics remains fragmented due to inconsistent reporting standards and the lack of structured datasets containing comprehensive analytic information. In this paper, we present a large-scale automated analysis of open-source CTI reports spanning two decades. We develop a high-precision, LLM-based pipeline to ingest and structure 16,096 reports, extracting key entities such as attributed threat actors, motivations, victims, reporting vendors, and technical indicators (IoCs and TTPs). Our analysis quantifies the evolution of CTI information density and specialization, characterizing patterns that relate specific threat actors to motivations and victim profiles. Furthermore, we perform a meta-analysis of the CTI industry itself. We identify a fragmented ecosystem of distinct silos where vendors demonstrate significant geographic and sectoral reporting biases. Our marginal coverage analysis reveals that intelligence overlap between vendors is typically low: while a few core providers may offer broad situational awareness, additional sources yield diminishing returns. Overall, our findings characterize the structural biases inherent in the CTI ecosystem, enabling practitioners and researchers to better evaluate the completeness of their intelligence sources.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper develops a high-precision LLM-based pipeline to ingest and structure 16,096 open-source CTI reports spanning two decades, extracting entities including threat actors, motivations, victims, reporting vendors, IoCs, and TTPs. It quantifies information density, specialization, and patterns linking actors to motivations and victims, then performs a meta-analysis revealing a fragmented CTI ecosystem with geographic and sectoral vendor biases, low intelligence overlap between vendors, and diminishing returns from additional sources.

Significance. If the extraction accuracy and corpus representativeness hold, the work provides a rare large-scale empirical characterization of long-term CTI dynamics and industry structure. The scale of the dataset and the marginal coverage analysis are strengths that could inform practitioner decisions on source selection and highlight systemic biases in open-source intelligence.

major comments (2)
  1. [Methodology / LLM pipeline description] Methodology section describing the LLM pipeline: the abstract and methods assert a 'high-precision' extraction of entities (actors, victims, TTPs, vendors) across 16,096 reports, yet no validation metrics, precision/recall figures, held-out manual audit, or inter-annotator agreement are reported. This directly undermines the reliability of the downstream quantitative claims on overlap, fragmentation, and marginal coverage curves.
  2. [Data collection / corpus description] Report collection and corpus construction section: insufficient detail is given on selection criteria, sources, and deduplication for the 16,096 reports. Without this, it is impossible to evaluate selection bias that could artifactually flatten the marginal coverage analysis or exaggerate vendor silos.
minor comments (2)
  1. [Abstract] Abstract: the phrase 'high-precision' is used without qualification; consider softening or moving the precision claim to the methods section once validation is added.
  2. [Results / marginal coverage analysis] Results figures on marginal coverage: axis labels and legend clarity could be improved to make the diminishing-returns curves easier to interpret at a glance.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments on our manuscript. We appreciate the focus on methodological transparency and have revised the paper to strengthen these aspects while preserving the core contributions of the large-scale analysis.

Point-by-point responses
  1. Referee: [Methodology / LLM pipeline description] Methodology section describing the LLM pipeline: the abstract and methods assert a 'high-precision' extraction of entities (actors, victims, TTPs, vendors) across 16,096 reports, yet no validation metrics, precision/recall figures, held-out manual audit, or inter-annotator agreement are reported. This directly undermines the reliability of the downstream quantitative claims on overlap, fragmentation, and marginal coverage curves.

    Authors: We agree that explicit validation metrics are required to substantiate the reliability of the LLM pipeline and the downstream quantitative results. The original manuscript described the pipeline architecture and prompting strategy but omitted a dedicated validation subsection. In the revised version we have added a new subsection reporting precision and recall on a held-out sample of 500 reports that were manually audited by the authors, along with details on consistency checks across multiple LLM runs and prompt iterations. These additions directly support the claims regarding overlap, fragmentation, and marginal coverage.
    Revision: yes

  2. Referee: [Data collection / corpus description] Report collection and corpus construction section: insufficient detail is given on selection criteria, sources, and deduplication for the 16,096 reports. Without this, it is impossible to evaluate selection bias that could artifactually flatten the marginal coverage analysis or exaggerate vendor silos.

    Authors: We concur that greater transparency on corpus construction is needed to allow assessment of potential selection biases. The original submission summarized the sources at a high level but did not enumerate exact inclusion criteria or the deduplication steps. The revised manuscript now includes an expanded data-collection subsection that specifies the primary repositories and vendor sites used, the temporal and topical filters applied, the language and format requirements, and the metadata-plus-content similarity procedure employed for deduplication. This expanded description enables readers to evaluate the representativeness of the corpus and the robustness of the marginal-coverage findings.
    Revision: yes

Circularity Check

0 steps flagged

Empirical data analysis with no derivation chain or self-referential reduction

Full rationale

The paper performs an observational study: it ingests 16,096 reports via an LLM pipeline, extracts entities, and reports measured patterns such as low vendor overlap and diminishing marginal coverage. No equations, first-principles derivations, or predictions are claimed that could reduce to the inputs by construction. The central findings are direct empirical observations on the collected corpus rather than fitted parameters renamed as predictions or results justified solely by self-citation. The study is therefore self-contained against its own dataset and external benchmarks; no load-bearing step collapses into a tautology.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The central claims rest on the assumption that automated LLM extraction faithfully captures the intended entities and that the report corpus is sufficiently complete and unbiased. No free parameters, axioms, or invented entities are described in the abstract.

pith-pipeline@v0.9.0 · 5744 in / 1035 out tokens · 35559 ms · 2026-05-22T10:58:59.889337+00:00 · methodology


