AI/ cybersecurity · ai · knowledge-graphs · threat-intelligence

Small AI Agent Teams Beat Big Models at Cyber Threat Mapping

A new agentic framework uses teams of small language models to build cybersecurity knowledge graphs more cheaply and accurately than single large models.

Researchers have built a smarter way to turn messy threat intelligence reports into structured data — and they did it with small, cheap models instead of one giant one.

TACTIC-KG breaks the job of building cybersecurity knowledge graphs into four specialized agents: one extracts entities, one classifies them, one verifies the output, and one curates the final graph. Each agent runs a model in the 3B-8B parameter range — a fraction of the size of the frontier models commonly used for this work. In head-to-head tests against monolithic large language model baselines, TACTIC-KG outperformed on extraction F1-score, typing accuracy, and structural graph consistency. The test bed: real, human-annotated cyber threat intelligence reports, the kind analysts actually wrestle with.

Structured threat intelligence is the backbone of automated threat detection, but most CTI exists as unstructured prose — analyst blogs, vendor advisories, incident writeups. A system that reliably structures that material with 3B-8B models is cheaper to deploy and easier to audit than running a large frontier model end-to-end, which has been the dominant approach and comes with real costs in money and opacity.

Whether these gains hold outside a curated research benchmark — against the chaos of live threat feeds — is the part the paper does not yet answer.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →