Advancing Autonomous Incident Response: Leveraging LLMs and Cyber Threat Intelligence
Amine Tellache, Abdelaziz Amara Korba, Amdjed Mokhtari, Horea Moldovan, Yacine Ghamri-Doudane
TL;DR
The paper tackles IR bottlenecks from alert fatigue and fragmented CTI by introducing a Retrieval-Augmented Generation framework that fuses dynamic CTI with SIEM alerts through a hybrid retrieval strategy (CTI API queries and NLP-based vector similarity). It eliminates the need for frequent fine-tuning by embedding CTI reports into a vector store and employs LLM-driven generation to produce actionable incident response plans. A dual evaluation framework—automated LLM scoring complemented by cybersecurity experts—assesses answer relevance, context relevance, and groundedness on real-world and simulated alerts, demonstrating improved accuracy, contextualization, and efficiency with some context-relevance limitations due to CTI/IOC gaps. The approach significantly eases analyst workload and reduces response latency, laying a foundation for adaptive, intelligent security operations that can ingest new CTI data in real time.
Abstract
Effective incident response (IR) is critical for mitigating cyber threats, yet security teams are overwhelmed by alert fatigue, high false-positive rates, and the vast volume of unstructured Cyber Threat Intelligence (CTI) documents. While CTI holds immense potential for enriching security operations, its extensive and fragmented nature makes manual analysis time-consuming and resource-intensive. To bridge this gap, we introduce a novel Retrieval-Augmented Generation (RAG)-based framework that leverages Large Language Models (LLMs) to automate and enhance IR by integrating dynamically retrieved CTI. Our approach introduces a hybrid retrieval mechanism that combines NLP-based similarity searches within a CTI vector database with standardized queries to external CTI platforms, facilitating context-aware enrichment of security alerts. The augmented intelligence is then leveraged by an LLM-powered response generation module, which formulates precise, actionable, and contextually relevant incident mitigation strategies. We propose a dual evaluation paradigm, wherein automated assessment using an auxiliary LLM is systematically cross-validated by cybersecurity experts. Empirical validation on real-world and simulated alerts demonstrates that our approach enhances the accuracy, contextualization, and efficiency of IR, alleviating analyst workload and reducing response latency. This work underscores the potential of LLM-driven CTI fusion in advancing autonomous security operations and establishing a foundation for intelligent, adaptive cybersecurity frameworks.