SoK: Challenges and Opportunities for AI in Converting Attack Evidence to Shareable Intelligence

Abstract

Cyber Threat Intelligence (CTI) plays a critical role in enabling organizations to understand, respond to, and anticipate cyber threats. Yet the pipeline from raw attack evidence to shareable, actionable intelligence remains largely manual, fragmented, and inconsistent across practitioners. This SoK paper conducts a systematic literature review and practitioner survey to define the CTI generation pipeline and evaluate where AI — particularly large language models (LLMs) — can meaningfully automate or augment each stage. We identify key challenges including incomplete data, lack of standardization, and the research–practice gap, and present a structured assessment of near-term opportunities and open problems for AI-driven CTI automation.

Publication
Under Review
Saastha Vasan
AI Security Researcher

My research interests include malware analysis, machine learning, threat intelligence and program analysis.