Author: Denis Avetisyan
New research explores how advanced AI can not only identify cyber threats, but also clearly explain why.

This paper introduces RAGRecon, a system using Large Language Models, Retrieval-Augmented Generation, and Knowledge Graphs to deliver accurate and explainable Cyber Threat Intelligence with a high faithfulness score.
Despite increasing sophistication, current cyber threat intelligence often lacks the transparency needed for effective analyst interpretation. This paper, ‘Large Language Models for Explainable Threat Intelligence’, introduces RAGRecon, a novel system utilizing large language models and retrieval-augmented generation to deliver accurate and, crucially, explainable threat insights. By constructing and visualizing knowledge graphs alongside its responses, RAGRecon achieves over 91% matching accuracy with reference data while simultaneously revealing the reasoning behind its conclusions. Could this approach represent a pivotal step towards truly trustworthy and interpretable AI in cybersecurity operations?
The CTI Treadmill: Why We’re Still Chasing Alerts
Traditional Cyber Threat Intelligence (CTI) struggles to keep pace with modern attacks. Existing systems, reliant on static indicators and reactive analysis, are quickly overwhelmed. The sheer volume of alerts leads to fatigue and missed threats. Current methods lack the nuanced understanding needed to prioritize and contextualize threats, often presenting data without attribution or clear business impact—resulting in false positives and wasted effort. Proactive defense demands explainable, actionable intelligence, but another layer of abstraction simply promises a more elegantly broken system.

Effective CTI requires both strategic overviews and immediate operational insights.
RAGRecon: Another Framework to Maintain, Eventually
RAGRecon introduces a system integrating Large Language Models (LLMs), Retrieval-Augmented Generation (RAG), and Knowledge Graphs (KGs) to address limitations in CTI analysis. The architecture aims to enhance reasoning and contextual understanding by grounding LLMs in structured knowledge. The system utilizes a Vector Store and Embedding techniques for efficient information retrieval from the Knowledge Graph, synthesizing insights from diverse sources. By converting knowledge into vector embeddings, RAGRecon performs semantic searches, identifying relevant information even without exact keyword matches.
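The retrieval step described above, as an added illustration rather than RAGRecon's own code: knowledge-graph triples are rendered to text, embedded as vectors, stored, and matched against a query by cosine similarity. The embedding here is hashed character trigrams, a constructed stand-in for a real embedding model, and the triples are constructed sample data; both are assumptions, not values from the paper.

```python
"""Toy RAG retrieval over a knowledge graph (added example, not RAGRecon's code).

Embeddings are hashed character trigrams, a stand-in for a real embedding model.
Shared substrings ('ransom' vs 'ransomware') give a degree of matching without an
exact keyword hit, which is the property the text attributes to semantic search.
"""
import hashlib
import math
from collections import Counter

# Constructed sample knowledge graph: (subject, relation, object) triples.
KG_TRIPLES = [
    ("LockBit", "is_a", "ransomware family"),
    ("LockBit", "uses_technique", "data encryption for impact"),
    ("LockBit", "demands_payment_in", "Bitcoin"),
    ("Cobalt Strike", "is_a", "post-exploitation framework"),
    ("Cobalt Strike", "used_for", "command and control"),
    ("Phishing", "is_a", "initial access technique"),
    ("Phishing", "delivers", "malicious attachment"),
]

DIMS = 4096  # hashed-vector size; larger means fewer spurious bucket collisions


def triple_to_text(triple):
    """Render a triple as a short sentence so it can be embedded and quoted as context."""
    subject, relation, obj = triple
    return f"{subject} {relation.replace('_', ' ')} {obj}"


def embed(text, dims=DIMS):
    """Feature-hash character trigrams into an L2-normalised vector."""
    text = text.lower()
    grams = [text[i:i + 3] for i in range(len(text) - 2)]
    vec = [0.0] * dims
    for gram, count in Counter(grams).items():
        bucket = int(hashlib.blake2b(gram.encode(), digest_size=8).hexdigest(), 16)
        vec[bucket % dims] += count
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]


def cosine(a, b):
    # Vectors are already unit length, so the dot product is the cosine.
    return sum(x * y for x, y in zip(a, b))


class VectorStore:
    """Minimal in-memory vector store over the rendered triples."""

    def __init__(self, triples):
        self.triples = list(triples)
        self.vectors = [embed(triple_to_text(t)) for t in self.triples]

    def search(self, query, k=3):
        q = embed(query)
        ranked = sorted(zip(self.vectors, self.triples),
                        key=lambda pair: cosine(q, pair[0]), reverse=True)
        return [triple for _, triple in ranked[:k]]


def build_context(store, query, k=3):
    """Retrieve the top-k triples and render them as grounding text for an LLM prompt."""
    return "\n".join(triple_to_text(t) for t in store.search(query, k))


if __name__ == "__main__":
    store = VectorStore(KG_TRIPLES)
    print(build_context(store, "payment in crypto", k=2))
```

The rendered triples that `build_context` returns are the same ones a system like RAGRecon would cite in its explanation, which is why keeping the retrieval step inspectable matters as much as the ranking itself.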
RAGRecon extends CTI by incorporating Blockchain Technology, enabling the tracking and analysis of cryptocurrency-related threats like ransomware and illicit transactions.

Trust, But Verify… Until It Breaks
RAGRecon incorporates a multi-faceted validation process ensuring trustworthy intelligence. System outputs are assessed using Faithfulness and Context Relevance, providing quantifiable measures of accuracy and meaningfulness. Evaluations consistently achieve a Faithfulness score exceeding 0.8. To refine responses and improve knowledge alignment, RAGRecon employs LLM Self-Evaluation, verifying the correctness of decisions made during retrieval and generation. Verified Correct Decision Rates consistently fall within the 90-97% range across seven Large Language Models.
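A worked sketch of the two metrics named above, added here and not RAGRecon's evaluator: Faithfulness as the fraction of an answer's claims supported by the retrieved context, and Context Relevance as the fraction of retrieved chunks that bear on the question. Claim support is approximated by content-word overlap, an assumed stand-in for the LLM judge the paper uses; the context chunks, answers and threshold are constructed sample values.

```python
"""Reference-free RAG evaluation sketch (added example, not RAGRecon's evaluator).

Faithfulness: share of claims in the answer that the retrieved context supports.
Context relevance: share of retrieved chunks that relate to the question.
Support is approximated by content-word overlap, a stand-in for an LLM judge.
"""
import re

STOPWORDS = {"the", "a", "an", "is", "in", "of", "and", "for", "to", "by",
             "with", "it", "as", "on", "that", "this"}

# Constructed sample data.
CONTEXT = [
    "LockBit is a ransomware family that encrypts victim data and demands payment in Bitcoin.",
    "Cobalt Strike is a post-exploitation framework often used for command and control.",
]
ANSWER_FAITHFUL = "LockBit is a ransomware family. It demands payment in Bitcoin."
ANSWER_DRIFTED = "LockBit is a ransomware family. It was first observed in 2014 targeting hospitals."


def content_words(text):
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def split_claims(answer):
    """Treat each sentence as one atomic claim (crude, but transparent to an analyst)."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", answer.strip()) if s.strip()]


def claim_supported(claim, context_chunks, threshold=0.6):
    """A claim is supported if at least `threshold` of its content words occur
    in a single retrieved chunk (assumed threshold, not the paper's)."""
    words = content_words(claim)
    if not words:
        return False
    best = max(len(words & content_words(chunk)) / len(words) for chunk in context_chunks)
    return best >= threshold


def faithfulness_report(answer, context_chunks, threshold=0.6):
    """Per-claim verdicts: the explainable part, showing which sentence drifted."""
    return [(claim, claim_supported(claim, context_chunks, threshold))
            for claim in split_claims(answer)]


def faithfulness(answer, context_chunks, threshold=0.6):
    report = faithfulness_report(answer, context_chunks, threshold)
    if not report:
        return 0.0
    return sum(1 for _, ok in report if ok) / len(report)


def context_relevance(question, context_chunks):
    """Fraction of chunks sharing at least one content word with the question."""
    if not context_chunks:
        return 0.0
    q = content_words(question)
    return sum(1 for c in context_chunks if q & content_words(c)) / len(context_chunks)


if __name__ == "__main__":
    for claim, ok in faithfulness_report(ANSWER_DRIFTED, CONTEXT):
        print(("supported  " if ok else "UNSUPPORTED") + " | " + claim)
    print("faithfulness:", faithfulness(ANSWER_DRIFTED, CONTEXT))
```

The per-claim report is the piece a defender actually wants: a single score of 0.5 says something drifted, while the report says which sentence did, so the analyst can check that sentence against the sources before acting on it.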
Beyond data integrity, the RAGRecon architecture demonstrates resilience against common API vulnerabilities, specifically mitigating risks associated with Insecure Direct Object References (IDOR).
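The IDOR risk mentioned above, illustrated with an added example that is not RAGRecon's code: a report-lookup endpoint that trusts the caller-supplied identifier, beside one that enforces object-level authorisation. The report store, user names and identifiers are constructed; the check itself is the standard mitigation.

```python
"""Object-level authorisation for a CTI report API (added example, not RAGRecon's code).

An Insecure Direct Object Reference arises when an endpoint looks up an object
by a client-supplied id and returns it without checking that the caller may see
it. The fix is to decide access per object, not merely per endpoint.
"""
from dataclasses import dataclass, field


@dataclass
class Report:
    report_id: str
    owner: str
    shared_with: set = field(default_factory=set)
    body: str = ""


class NotFound(Exception):
    """Raised for both missing and unauthorised reports, so callers cannot
    distinguish the two and enumerate valid ids."""


# Constructed sample store; opaque ids are preferable to sequential integers.
REPORTS = {
    "rpt-7f3a": Report("rpt-7f3a", owner="alice", shared_with={"bob"}, body="LockBit activity"),
    "rpt-c21e": Report("rpt-c21e", owner="carol", body="Phishing wave"),
}


def get_report_insecure(report_id):
    """Vulnerable pattern: any authenticated caller can read any report by guessing its id."""
    return REPORTS[report_id]


def can_access(user, report):
    """Object-level rule: owners and explicitly shared users only."""
    return user == report.owner or user in report.shared_with


def get_report(user, report_id):
    """Hardened lookup: authorisation is evaluated against the specific object."""
    report = REPORTS.get(report_id)
    if report is None or not can_access(user, report):
        raise NotFound(report_id)
    return report


if __name__ == "__main__":
    print(get_report("bob", "rpt-7f3a").body)
    try:
        get_report("mallory", "rpt-7f3a")
    except NotFound as exc:
        print("denied:", exc)
```

Returning the same error for missing and unauthorised objects, as `get_report` does, is deliberate: a distinct "forbidden" response confirms that an id exists and turns the endpoint into an oracle for enumeration.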
Extensibility is Just a Polite Word for ‘More to Maintain’
RAGRecon presents an explainable AI framework initially developed for Cyber Threat Intelligence, but demonstrably extensible to domains requiring complex reasoning. The system leverages Retrieval-Augmented Generation (RAG) to synthesize insights from structured data—threat intelligence feeds and vulnerability databases—and unstructured data like security blogs and incident reports. This facilitates a more nuanced understanding of complex security landscapes than traditional rule-based systems.
The core innovation lies in RAGRecon’s ability to integrate disparate knowledge types, unlocking possibilities for automated decision-making in areas like risk assessment, incident response, and proactive threat hunting. The resulting explanations are designed to be human-readable, allowing security professionals to validate the system’s reasoning. Further enhancing security, RAGRecon incorporates blockchain technologies to ensure data integrity and traceability, providing a verifiable audit trail. Everything new is just the old thing with worse documentation.
The pursuit of elegant solutions in cyber threat intelligence, as demonstrated by RAGRecon’s integration of Large Language Models and Knowledge Graphs, invariably leads to a new order of compromise. The system strives for ‘faithfulness’ – a quantifiable metric of explanation accuracy – yet every retrieval-augmented generation cycle introduces a subtle drift from perfect reasoning. It echoes Paul Erdős’ sentiment: “A mathematician knows a great deal of things, and those things are, for the most part, wrong.” The architecture isn’t a pristine diagram; it’s a pragmatic response to the inevitable noise of production data and the limitations of any model attempting to distill threat landscapes. Each optimization, while improving current performance, subtly lays the groundwork for future re-evaluation and refinement.
What’s Next?
The pursuit of ‘explainable’ threat intelligence, as demonstrated by systems like RAGRecon, merely shifts the opacity. The model now cites sources, but the inherent biases within those sources – and the model’s weighting of them – remain a black box. Faithfulness scores offer a metric, but correlation does not equal understanding. The system efficiently retrieves relevant context; it does not, however, resolve the fundamental problem of discerning signal from noise in a deluge of imperfect data. The architecture will inevitably accrue complexity.
Future iterations will likely focus on refining the knowledge graph, attempting to model not just what a threat is, but why it exists, and how it evolves. This will involve increasingly intricate attempts to represent intent, motivation, and the socio-technical landscape that enables malicious activity. The predictable consequence? A larger, more brittle system, demanding constant maintenance and susceptible to novel adversarial attacks targeting the graph itself.
The field does not require increasingly elaborate retrieval mechanisms. It requires acknowledging that every ‘revolution’ in data science is simply a more sophisticated form of pattern matching. The real challenge lies not in automating intelligence, but in cultivating critical thinking – a task that remains stubbornly resistant to algorithmic solutions. Perhaps the next iteration will focus on systems that explicitly flag their own limitations, a feature currently absent from most architectures.
Original article: https://arxiv.org/pdf/2511.05406.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2025-11-10 16:54