ThreatPilot: Attack-Driven Threat Intelligence Extraction

Ming Xu, Hongtai Wang, Jiahao Liu, Xinfeng Li, Zhengmin Yu, Weili Han, Hoon Wei Lim, Jin Song Dong, Jiaheng Zhang

TL;DR

ThreatPilot addresses the fragmentation of threat intelligence by introducing Attack-driven Threat Intelligence (ATI), a complete TTP-based representation including procedure variants. It couples an LLM-augmented ATI extractor with GraphRAG-backed reasoning and validation to produce ground-truth-aligned Sigma rules and executable commands, improving downstream detection and reproduction. Evaluated on thousands of CTI reports and real-world logs, ThreatPilot outperforms AttacKG by up to 1.34x in F1 for technique extraction and achieves a 99.3% command-execution rate when procedures are used, underscoring practical impact for SOC workflows. The work demonstrates the value of ATI-grounded rule and command generation and provides data/code for reproducibility, signaling a path toward more automated, scalable threat-intelligence-to-defense pipelines.

Abstract

Efficient defense against dynamically evolving advanced persistent threats (APTs) requires structured threat intelligence feeds, such as the techniques used. However, existing threat-intelligence extraction techniques predominantly focus on individual pieces of intelligence, such as isolated techniques or atomic indicators, resulting in fragmented and incomplete representations of real-world attacks. This granularity inherently limits both the depth and the contextual richness of the extracted intelligence, making it difficult for downstream security systems to reason about multi-step behaviors or to generate actionable detections. To address this gap, we propose to extract layered Attack-driven Threat Intelligence (ATI), a comprehensive representation that captures the full spectrum of adversarial behavior. We propose ThreatPilot, which can accurately identify ATIs, including complete tactics, techniques, multi-step procedures, and their procedure variants, and integrate the threat intelligence into software security application scenarios: detection rules (i.e., Sigma) and attack commands can be generated automatically with higher accuracy. Experimental results on 1,769 newly crawled reports and 16 manually calibrated reports show ThreatPilot's effectiveness in accurately identifying techniques, outperforming the state-of-the-art approach AttacKG by 1.34X in F1 score. Further studies on 64,185 application logs collected via a honeypot show that our Sigma rule generator significantly outperforms several existing rule sets in detecting real-world malicious events. Industry partners confirm that our Sigma rule generator can significantly help save time and cost in the rule generation process. In addition, our generated commands achieve an execution rate of 99.3%, compared to 50.3% without the extracted intelligence.

Paper Structure

This paper contains 26 sections, 11 equations, 8 figures, 17 tables, 1 algorithm.

Figures (8)

  • Figure 1: A demonstrative example of ThreatPilot. Prior works show individual pieces of intelligence, while ThreatPilot exhibits the whole attack-driven intelligence, including three attack stages (e.g., Initial Access) with their techniques (e.g., Phishing), procedures and variants, and contextual explanations. The Sigma rule and command are derived from the "phishing" technique.
  • Figure 2: General overview of ThreatPilot, which includes the ATI extractor, command generator, and rule generator.
  • Figure 3: Overview of attack-driven threat intelligence (ATI) extractor.
  • Figure 4: Overview of Sigma Rule/Command Generator.
  • Figure 5: Examples misflagged by AttacKG but correctly classified by ThreatPilot.
  • ...and 3 more figures