TY - GEN
T1 - IntelForge
T2 - 2025 Annual Computer Security Applications Conference Workshops, ACSACW 2025
AU - Tarshish, Noam
AU - Hodisan, Daniel
AU - Shabtai, Asaf
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025/1/1
Y1 - 2025/1/1
AB - Cyber threat intelligence (CTI) provides defenders with knowledge about attacks and adversaries, including their infrastructure, tools, and attack techniques. Enriching CTI with contextual information enables security teams to prioritize risks, derive actionable outputs, and respond to threats more effectively. Yet, the growing scale and complexity of cyberattacks make manual enrichment increasingly challenging, creating the need for automated and reliable solutions. In this paper, we present IntelForge, a novel multi-agent framework for automated CTI enrichment, built on orchestrated large language model (LLM)-based AI agents. Each agent in the system performs a distinct role, ranging from entity extraction to external retrieval, scoring, reporting, and evaluation, enabling a scalable and modular enrichment process. Leveraging task specialization and agent collaboration, IntelForge enriches raw CTI reports with high-value external sources and produces analyst-ready intelligence. To assess the quality of this enrichment, we compare IntelForge's source rankings to those of human experts and state-of-the-art LLM baselines. Our results show that IntelForge enriches CTI reports more effectively, achieving substantially lower deviation and higher correlation with human experts than single-LLM baselines. These findings demonstrate that structured agent-based LLM pipelines provide a powerful alternative to single-model solutions for CTI enrichment.
KW - cyber threat intelligence
KW - llms
KW - multi-agent systems
UR - https://www.scopus.com/pages/publications/105035991400
U2 - 10.1109/ACSACW69556.2025.00047
DO - 10.1109/ACSACW69556.2025.00047
M3 - Conference contribution
AN - SCOPUS:105035991400
T3 - Proceedings - 2025 Annual Computer Security Applications Conference Workshops, ACSACW 2025
SP - 374
EP - 381
BT - Proceedings - 2025 Annual Computer Security Applications Conference Workshops, ACSACW 2025
PB - Institute of Electrical and Electronics Engineers
Y2 - 8 December 2025 through 12 December 2025
ER -