Bibliographic Details
Main Authors: Dinis, Tiago, Correia, Miguel, Tavares, Roger
Format: Preprint
Published: 2025
Subjects:
Online Access: https://arxiv.org/abs/2511.05406
_version_ 1866911253993095168
author Dinis, Tiago
Correia, Miguel
Tavares, Roger
author_facet Dinis, Tiago
Correia, Miguel
Tavares, Roger
contents As cyber threats continue to grow in complexity, traditional security mechanisms struggle to keep up. Large language models (LLMs) offer significant potential in cybersecurity due to their advanced capabilities in text processing and generation. This paper explores the use of LLMs with retrieval-augmented generation (RAG) to obtain threat intelligence by combining real-time information retrieval with domain-specific data. The proposed system, RAGRecon, uses an LLM with RAG to answer questions about cybersecurity threats. Moreover, it makes this form of Artificial Intelligence (AI) explainable by generating and visually presenting to the user a knowledge graph for every reply. This increases the transparency and interpretability of the reasoning of the model, allowing analysts to better understand the connections made by the system based on the context recovered by the RAG system. We evaluated RAGRecon experimentally with two datasets and seven different LLMs, and the responses matched the reference responses more than 91% of the time for the best combinations.
format Preprint
id arxiv_https___arxiv_org_abs_2511_05406
institution arXiv
publishDate 2025
record_format arxiv
title Large Language Models for Explainable Threat Intelligence
topic Computation and Language
url https://arxiv.org/abs/2511.05406