PRISM Workshop Tutorial 2026

CTINexus: Automatic Cyber Threat Intelligence Knowledge Graph Construction Using LLMs

Join us for a deep dive into using Large Language Models to automate the extraction and structuring of CTI data into actionable Knowledge Graphs.

Date

February 23, 2026

Time

5:00 PM - 5:30 PM PST

Location

Bay Room

Overview

Cyber threat intelligence (CTI) is often communicated through long textual reports, requiring analysts to manually extract relevant information. This tutorial introduces CTINexus, an open-source system that converts individual CTI reports into structured cybersecurity knowledge graphs using large language models.


CTINexus provides a robust pipeline that extracts entities such as malware names, vulnerabilities, threat actors, TTPs, and infrastructure details, and identifies explicit relationships within the report text. This streamlines threat intelligence analysis by replacing manual relationship tracing. The tool has been adopted by various industry partners within their threat intelligence analysis workflows.


Participants will learn how CTINexus processes CTI reports, from input text through extraction, entity typing, and graph construction. The session will include a demonstration of running the pipeline, interpreting output, and exploring results using a provided web interface to visualize and inspect extracted relationships.


This tutorial is ideal for security professionals, students, and researchers working with CTI sources who seek a systematic way to structure intelligence for inspection, reasoning, and downstream analysis. Attendees will gain a working understanding of CTINexus and its utility in transforming unstructured narratives into actionable insights.

Schedule

5:00 - 5:05 PM

Introduction to CTI

The problem with unstructured CTI data and the need for structured representation.

5:05 - 5:10 PM

The CTINexus Architecture

Deep dive into the LLM-based extraction pipeline, ontology mapping, and graph construction logic.

5:10 - 5:20 PM

Live Demo: From Report to Graph

Interactive demonstration processing a live CTI report and visualizing the resulting Knowledge Graph.

5:25 - 5:30 PM

Q&A and Future Work

Open floor for questions, discussion on limitations, and roadmap.

Organizers

Alex Rivera

Saimon Amanuel Tsegai

PhD Student - Virginia Tech

Saimon Amanuel Tsegai is a Ph.D. student in Computer Science at Virginia Tech, advised by Prof. Peng Gao, and a Graduate Fellow with the Commonwealth Cyber Initiative (CCI). His research lies at the intersection of system security, cyber threat intelligence, and AI, with a focus on building interpretable and practitioner-oriented security mechanisms. He is the co-author and lead maintainer of CTINexus. He led the engineering effort to transform the system from a research artifact into a deployment-ready tool, architecting the extraction pipeline and developing the interactive visualization interface used for knowledge graph inspection. His broader work has appeared in leading peer-reviewed venues including VLDB and Euro S&P, and he is a recipient of multiple distinctions, including the CCI Cyber Innovation Scholarship and the Alibaba Cloud GenAI Ambassador Award.

Sarah Chen

Dr. Peng Gao

Assistant Professor - Virginia Tech

Peng Gao is an Assistant Professor in the Department of Computer Science at Virginia Tech and a Faculty Fellow with the Commonwealth Cyber Initiative (CCI). He is an IEEE Senior Member. His work focuses on designing scalable, intelligent, secure, and trustworthy solutions to address real-world security, privacy, and computing challenges. His research has been published at multiple top-tier venues and has been demonstrated through multiple patents and industry adoption. He has received multiple honors and awards, including the 2018 CSAW Applied Research Finalist, the 2020 Microsoft Security AI Research Award, the 2021 Amazon Research Award, the 2021 Cisco Research Award, the 2021 Meta Research Award Finalist, the 2022 Amazon-VT Initiative Faculty Research Award, the 2025 Google Academic Research Award, and the 2025 NSF CAREER Award.

Resources & Setup

Workshop Essentials

What to prepare:

A laptop
Python 3.10+ installed
VS Code (or preferred IDE)

What we provide:

Temporary OpenAI API key for demo
Ready-to-use code environment & example reports

CTINexus Toolkit

Explore and test out our open-source code and datasets on GitHub. Don't forget to star ⭐ the repo to stay updated! Read our paper for in-depth details, and workshop presentation slides will be available after the event.

View on GitHub
Paper Slides (coming soon)