Researchers have built a smarter way to turn messy threat intelligence reports into structured data — and they did it with small, cheap models instead of one giant one.
TACTIC-KG breaks the job of building cybersecurity knowledge graphs into four specialized agents: one extracts entities, one classifies them, one verifies the output, and one curates the final graph. Each agent runs a model in the 3B-8B parameter range — a fraction of the size of the frontier models commonly used for this work. In head-to-head tests against monolithic large language model baselines, TACTIC-KG outperformed on extraction F1-score, typing accuracy, and structural graph consistency. The test bed: real, human-annotated cyber threat intelligence reports, the kind analysts actually wrestle with.
Structured threat intelligence is the backbone of automated threat detection, but most CTI exists as unstructured prose — analyst blogs, vendor advisories, incident writeups. A system that reliably structures that material with 3B-8B models is cheaper to deploy and easier to audit than running a large frontier model end-to-end, which has been the dominant approach and comes with real costs in money and opacity.
Whether these gains hold outside a curated research benchmark — against the chaos of live threat feeds — is the part the paper does not yet answer.