TechniqueRAG: Retrieval Augmented Generation for Adversarial Technique Annotation in Cyber Threat Intelligence Text

TL;DR

TechniqueRAG is a retrieval-augmented generation framework tailored for cyber threat intelligence that improves adversarial technique annotation by combining off-the-shelf retrievers, instruction-tuned LLMs, and minimal domain-specific data, achieving state-of-the-art results.

Contribution

It introduces a domain-specific RAG approach that enhances retrieval quality via zero-shot re-ranking and fine-tunes only the generation component, reducing resource needs.

Findings

Achieves state-of-the-art performance on security benchmarks.

Reduces reliance on large labeled datasets and extensive task-specific tuning.

Improves retrieval precision through zero-shot LLM re-ranking.

Abstract

Accurately identifying adversarial techniques in security texts is critical for effective cyber defense. However, existing methods face a fundamental trade-off: they either rely on generic models with limited domain precision or require resource-intensive pipelines that depend on large labeled datasets and task-specific optimizations, such as custom hard-negative mining and denoising, resources rarely available in specialized domains. We propose TechniqueRAG, a domain-specific retrieval-augmented generation (RAG) framework that bridges this gap by integrating off-the-shelf retrievers, instruction-tuned LLMs, and minimal text-technique pairs. Our approach addresses data scarcity by fine-tuning only the generation component on limited in-domain examples, circumventing the need for resource-intensive retrieval training. While conventional RAG mitigates hallucination by coupling retrieval and generation, its reliance on generic retrievers often introduces noisy candidates, limiting domain-specific precision. To address this, we enhance retrieval quality and domain specificity through zero-shot LLM re-ranking, which explicitly aligns retrieved candidates with adversarial techniques. Experiments on multiple security benchmarks demonstrate that TechniqueRAG achieves state-of-the-art performance without extensive task-specific optimizations or labeled data, while comprehensive analysis provides further insights.