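@comment{Entry 4664: DOI stored bare (no resolver prefix), LaTeX specials in the
  abstract escaped (\& and \%), and the RAG acronym brace-protected in the title
  so sentence-casing styles keep it uppercase. Citation key kept unchanged for
  existing \cite references.}
@article{4664,
  author   = {Maliyaem, Maleerat},
  title    = {Sector-Aware Cyber Threat Intelligence: A Security-Enhanced {RAG} Framework for Precision Threat Analysis},
  journal  = {Journal of Information Security Research},
  year     = {2026},
  volume   = {17},
  number   = {1},
  doi      = {10.6025/jisr/2026/17/1/1-22},
  url      = {https://www.dline.info/jisr/fulltext/v17n1/jisrv17n1_1.pdf},
  abstract = {This paper presents a comprehensive framework for enhancing Cyber Threat Intelligence (CTI) analysis through a domain specific, security aware Retrieval Augmented Generation (RAG) architecture. It begins by defining CTI as the process of transforming raw cyber data into actionable intelligence, emphasizing its role in understanding adversarial Tactics, Techniques, and Procedures (TTPs) via structured knowledge bases like MITRE ATT\&CK. The paper reviews the evolution of CTI analysis from traditional rule based and machine learning systems to modern Large Language Model (LLM) driven approaches, highlighting persistent challenges such as hallucinations, a lack of contextual grounding, and vulnerability to adversarial manipulation in retrieval pipelines. Drawing on 2025 CrowdStrike threat data, the analysis reveals critical trends: a 27\% year over year rise in interactive intrusions, 73.4\% of which are financially motivated (eCrime), while 26.5\% stem from nation-state actors targeting strategic sectors like Government (+126\%), Telecommunications (+130\%), and Industrials \& Engineering (+185\%). Opportunistic attacks declined by 12\%, indicating a shift toward high-value, precision targeting. These insights inform a proposed CTI RAG system that integrates real world threat statistics to enable sector aware retrieval, sector weighted ATT\&CK alignment, and evidence grounded reasoning. Unlike generic or LLM-only baselines, this approach reduces the risk of hallucination, improves TTP accuracy, shortens analyst triage time, and enhances explainability by linking outputs directly to verified CTI sources and sector-specific tactics. The architecture is designed as an end to end, modular pipeline supporting ingestion, semantic indexing, secure retrieval, grounded reasoning, and analyst feedback, making it suitable for operational Security Operations Centers (SOCs). By unifying empirical threat trends, structured knowledge, and robust AI reasoning, the framework offers a scalable, trustworthy solution for next generation CTI that balances tactical eCrime defence with strategic awareness of nation-state threats.},
}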