Large Language Models Are Unreliable for Cyber Threat Intelligence
Emanuele Mezzi, Fabio Massacci, Katja Tuma
TL;DR
This work evaluates large language models (LLMs) for cyber threat intelligence (CTI) tasks using a rigorous, multi-faceted pipeline that measures not only accuracy but also consistency and calibration on real-size CTI reports. By testing three state-of-the-art LLMs on 350Threat Intelligence reports, the study shows that zero-shot performance is limited, while few-shot learning and fine-tuning often fail to improve results and can even degrade performance. It also demonstrates substantial output inconsistency and poor confidence calibration, which together undermine trust in automated CTI pipelines. The findings argue for caution in deploying LLMs for CTI tasks without robust uncertainty management and further methodological advances. The work provides a benchmark and a roadmap for future CTI evaluation, including better datasets, prompting techniques, and multi-model architectures to address reliability challenges.
Abstract
Several recent works have argued that Large Language Models (LLMs) can be used to tame the data deluge in the cybersecurity field, by improving the automation of Cyber Threat Intelligence (CTI) tasks. This work presents an evaluation methodology that other than allowing to test LLMs on CTI tasks when using zero-shot learning, few-shot learning and fine-tuning, also allows to quantify their consistency and their confidence level. We run experiments with three state-of-the-art LLMs and a dataset of 350 threat intelligence reports and present new evidence of potential security risks in relying on LLMs for CTI. We show how LLMs cannot guarantee sufficient performance on real-size reports while also being inconsistent and overconfident. Few-shot learning and fine-tuning only partially improve the results, thus posing doubts about the possibility of using LLMs for CTI scenarios, where labelled datasets are lacking and where confidence is a fundamental factor.