Abstract
Cybersecurity analysis is a critical activity that aims to detect threats, respond to incidents, and ensure organizations’ resilience. It is a highly complex task where analysts typically navigate and interpret vast amounts of
heterogeneous data across structured and unstructured sources, ranging from system logs and network activity
logs to threat intelligence and policy documents. Large Language Models (LLMs) can provide simplified access to
this data through a natural language interface and have the potential to unlock advanced analytic capabilities.
In this paper, we propose to combine a number of Retrieval-Augmented Generation (RAG) techniques to make
this diverse and highly dynamic information accessible to LLMs and enable factual grounding of cybersecurity
analyses. A key challenge in this context is that RAG approaches typically focus on unstructured text and
often overlook symbolic representations and conceptual relations that are essential in cybersecurity – including
network structures, IT asset hierarchies and attack patterns. To address this gap, we propose AgCyRAG: a
hybrid Agentic RAG framework that integrates Knowledge Graphs (KGs) and vector-based retrieval to enhance
the factual accuracy and contextual relevance of security analyses. The framework orchestrates multiple agents
that interpret user queries and adaptively select the optimal retrieval strategy according to the analytical context.
The agentic workflows enable systems to combine structured semantic reasoning with vector-based retrieval,
resulting in more comprehensive and interpretable security analyses. We validate AgCyRAG by means of three
real-world use cases and demonstrate its ability to support advanced, context-aware security analyses.
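As an added illustration of the adaptive retrieval-strategy selection the abstract describes (example code written for this page, not code from the AgCyRAG paper), the toy router below picks graph traversal for structural questions, plain vector search for questions that mention no known asset, and a KG-grounded hybrid that expands the query with the asset neighbourhood before vector search. The asset graph, the three documents and the bag-of-words similarity are constructed stand-ins for a real KG, corpus and embedding model.

```python
import math
import re
from collections import Counter
# Constructed knowledge graph of assets and attack patterns: (subject, relation, object).
KG = [
    ("web-01", "in_subnet", "dmz"), ("db-01", "in_subnet", "internal"),
    ("web-01", "runs", "nginx"), ("db-01", "runs", "postgres"),
    ("nginx", "vulnerable_to", "t1190"), ("dmz", "routes_to", "internal"),
]
ENTITIES = {s for s, _, _ in KG} | {o for _, _, o in KG}
# Constructed unstructured corpus: a log line, a threat-intel note, a policy excerpt.
DOCS = {
    "log-1": "web-01 nginx 500 errors spike after unusual POST requests",
    "ti-7": "T1190 exploit public-facing application seen against nginx",
    "pol-3": "policy: database servers must not be reachable from dmz",
}

def tokens(text):
    return re.findall(r"[a-z0-9-]+", text.lower())

def cosine(a, b):
    """Bag-of-words cosine similarity; stands in for an embedding model."""
    ca, cb = Counter(tokens(a)), Counter(tokens(b))
    dot = sum(ca[t] * cb[t] for t in ca)
    norm = lambda c: math.sqrt(sum(v * v for v in c.values()))
    return dot / (norm(ca) * norm(cb)) if dot else 0.0

def vector_retrieve(query, k=2):
    """Top-k document ids with a non-zero similarity to the query."""
    scored = sorted(((cosine(query, DOCS[d]), d) for d in DOCS), reverse=True)
    return [d for s, d in scored[:k] if s > 0]

def kg_neighbourhood(entity, depth=2):
    """Entities within `depth` hops of `entity`, following edges in either direction."""
    seen, frontier = {entity}, {entity}
    for _ in range(depth):
        nxt = {o for s, _, o in KG if s in frontier} | {s for s, _, o in KG if o in frontier}
        frontier, seen = nxt - seen, seen | nxt
    return seen

def route(query):
    """Agent step: choose KG, hybrid or vector retrieval from what the query mentions."""
    mentioned = [t for t in tokens(query) if t in ENTITIES]
    relational = any(w in query.lower() for w in ("reach", "connect", "path", "expos"))
    if mentioned and relational:          # structural question: answer from the graph
        return "kg", {e: sorted(kg_neighbourhood(e)) for e in mentioned}
    if mentioned:                         # grounded hybrid: KG context expands the query
        ctx = set().union(*(kg_neighbourhood(e) for e in mentioned))
        expanded = query + " " + " ".join(sorted(ctx))
        return "hybrid", {"context": sorted(ctx), "docs": vector_retrieve(expanded)}
    return "vector", {"docs": vector_retrieve(query)}
```

In the hybrid branch the graph links nginx to the technique id, so the threat-intel note is pulled in for a question that only names the host and service.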