Saved in:
Bibliographic Details
Main Authors: Chakraborty, Arjun, Ho, Sandra, Cook, Adam, Meléndez, Manuel
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.13517
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910055885963264
author Chakraborty, Arjun
Ho, Sandra
Cook, Adam
Meléndez, Manuel
author_facet Chakraborty, Arjun
Ho, Sandra
Cook, Adam
Meléndez, Manuel
contents CTI-REALM (Cyber Threat Real World Evaluation and LLM Benchmarking) is a benchmark designed to evaluate AI agents' ability to interpret cyber threat intelligence (CTI) and develop detection rules. The benchmark provides a realistic environment that replicates the security analyst workflow. This enables agents to examine CTI reports, execute queries, understand schema structures, and construct detection rules. Evaluation involves emulated attacks of varying complexity across Linux systems, cloud platforms, and Azure Kubernetes Service (AKS), with ground truth data for accurate assessment. Agent performance is measured through both final detection results and trajectory-based rewards that capture decision-making effectiveness. This work demonstrates the potential of AI agents to support labor-intensive aspects of detection engineering. Our comprehensive evaluation of 16 frontier models shows that Claude Opus 4.6 (High) achieves the highest overall reward (0.637), followed by Claude Opus 4.5 (0.624) and the GPT-5 family. An ablation study confirms that CTI-specific tools significantly improve agent performance, a variance analysis across repeated runs demonstrates result stability. Finally, a memory augmentation study shows that seeded context can close 33\% of the performance gap between smaller and larger models.
format Preprint
id arxiv_https___arxiv_org_abs_2603_13517
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle CTI-REALM: Benchmark to Evaluate Agent Performance on Security Detection Rule Generation Capabilities
Chakraborty, Arjun
Ho, Sandra
Cook, Adam
Meléndez, Manuel
Cryptography and Security
CTI-REALM (Cyber Threat Real World Evaluation and LLM Benchmarking) is a benchmark designed to evaluate AI agents' ability to interpret cyber threat intelligence (CTI) and develop detection rules. The benchmark provides a realistic environment that replicates the security analyst workflow. This enables agents to examine CTI reports, execute queries, understand schema structures, and construct detection rules. Evaluation involves emulated attacks of varying complexity across Linux systems, cloud platforms, and Azure Kubernetes Service (AKS), with ground truth data for accurate assessment. Agent performance is measured through both final detection results and trajectory-based rewards that capture decision-making effectiveness. This work demonstrates the potential of AI agents to support labor-intensive aspects of detection engineering. Our comprehensive evaluation of 16 frontier models shows that Claude Opus 4.6 (High) achieves the highest overall reward (0.637), followed by Claude Opus 4.5 (0.624) and the GPT-5 family. An ablation study confirms that CTI-specific tools significantly improve agent performance, a variance analysis across repeated runs demonstrates result stability. Finally, a memory augmentation study shows that seeded context can close 33\% of the performance gap between smaller and larger models.
title CTI-REALM: Benchmark to Evaluate Agent Performance on Security Detection Rule Generation Capabilities
topic Cryptography and Security
url https://arxiv.org/abs/2603.13517