Retrieval-Augmented LLMs for Security Incident Analysis
Capture
- arXiv: 2603.18196
- DOI: https://doi.org/10.48550/arXiv.2603.18196
- Submitted: 2026-03-18; revised: 2026-05-04
- Venue note: ACM Conference on AI and Agentic Systems, CAIS 2026
- Source URL: https://arxiv.org/abs/2603.18196
Abstract Summary
The paper presents a RAG-based system for cybersecurity incident analysis. It combines targeted query-based filtering, MITRE ATT&CK-associated query libraries, and LLM semantic reasoning to reconstruct malware and Active Directory attack scenarios within context limits.
Why It Matters For The Wiki
This source is important for evaluating whether an AI SOC should rely on generic chat context or on structured retrieval over telemetry. It is also useful for comparing RAG-style SOC evidence collection against agentic investigation and provenance contracts.
Recommended Ingest Notes
- Extract evidence on RAG necessity, query libraries, ATT&CK mappings, recall/precision tradeoffs, and cost-performance differences.
- Link to AI Security Operations, AI for Security, and RAG poisoning/provenance topics.