CTINexus is a framework that leverages optimized in-context learning (ICL) of large language models (LLMs) for automatic cyber threat intelligence (CTI) knowledge extraction and cybersecurity knowledge graph (CSKG) construction. CTINexus adapts to various cybersecurity ontologies with minimal annotated examples and provides a user-friendly web interface for instant threat intelligence analysis.
The framework automatically processes unstructured threat intelligence reports to:
- Extract cybersecurity entities (malware, vulnerabilities, tactics, IOCs)
- Identify relationships between security concepts
- Construct knowledge graphs with interactive visualizations
- Require minimal configuration - no extensive data or parameter tuning needed
- Intelligence Extraction (IE): Automatically extracts cybersecurity entities and relationships from unstructured text using optimized prompt construction and demonstration retrieval
- Hierarchical Entity Alignment: Canonicalizes extracted knowledge and removes redundancy through:
- Entity Typing (ET): Groups mentions of the same semantic type
- Entity Merging (EM): Merges mentions referring to the same entity with IOC (Indicator of Compromise) protection
- Link Prediction (LP): Predicts and adds missing relationships to complete the knowledge graph
- Graph Visualization: Interactive network visualization of the constructed cybersecurity knowledge graph
π¦ [2025/09/03] CTINexus Python package released! Install with pip install ctinexus for seamless integration into your Python projects.
π [2025/07/29] CTINexus now features an intuitive Gradio interface! Submit threat intelligence text and instantly visualize extracted interactive graphs.
π₯ [2025/04/21] We released the camera-ready paper on arxiv.
π₯ [2025/02/12] CTINexus is accepted at 2025 IEEE European Symposium on Security and Privacy (Euro S&P).
You can use CTINexus in three ways:
- π¦ Python Package: Python package for easy integration
- β‘ Command Line: For automation and batch processing β π CLI Guide
- π₯οΈ Web Interface: User-friendly GUI for interactive analysis (follow the setup below)
CTINexus supports the following AI providers: OpenAI, Gemini, AWS, Ollama
All models from these providers are supported. If you would like to see additional providers integrated, please open a feature request issue here.
CTINexus can be used as a Python library for seamless integration into your projects.
pip install ctinexusBefore using CTINexus, you need to configure API keys. Create a .env file in your project directory with your credentials. Look at the example env for reference.
from ctinexus import process_cti_report
from dotenv import load_dotenv
load_dotenv()
# Example usage
text = "Your CTI text here"
result = process_cti_report(
text=text,
provider="openai", # optional: auto-detected if not specified
model="gpt-4", # optional: uses default if not specified
similarity_threshold=0.6,
output="results.json" # optional: save results to file
)
# Access results
print(f"Graph:", result["entity_relation_graph"])
# Outputs the html file with the graph visualization.
# Open the html file on your browser to see the results.text(str): The threat intelligence report text to processprovider(str, optional): AI provider ("openai", "gemini", "aws", "ollama"). Auto-detected from available keys if not specifiedmodel(str, optional): Specific model name (e.g., "gpt-4", "gemini-pro")embedding_model(str, optional): Model for embeddingsie_model,et_model,ea_model,lp_model(str, optional): Specific models for each pipeline componentsimilarity_threshold(float, default 0.6): Threshold for entity similarity matchingoutput(str, optional): File path to save JSON results
Returns a dictionary containing the complete CTI analysis results:
text: The original input textIE: Intelligence Extraction results with:triplets: Raw extracted subject-relation-object triplets
ET: Entity Typing results with:typed_triplets: Triplets with entity type classifications (Malware, Vulnerability, Infrastructure, etc.)
EA: Entity Alignment results with:aligned_triplets: Triplets with merged entities and canonical entity IDs
LP: Link Prediction results with:predicted_links: Additional predicted relationships between entities
entity_relation_graph: File path to the interactive HTML visualization
For users who want to run the web interface, use the command line interface, or contribute to the project, you'll need to clone the repository and set up the development environment.
- API Key from one of the supported providers: OpenAI, Gemini, AWS, or Ollama (local, free)
- Python 3.11+ and pip
git clone https://github.com/peng-gao-lab/CTINexus.git
cd CTINexusCreate a .env file in the project root:
cp .env.example .envEdit the .env file with your API credentials.
Note: You only need to set up one provider. If using Ollama, see the Ollama Guide.
# Create virtual environment
python -m venv .venv
# Activate virtual environment (macOS/Linux:)
source .venv/bin/activate
# On Windows:
# .venv\Scripts\activate
# Install package
pip install -e .ctinexusOpen your browser and navigate to: http://127.0.0.1:7860
Use Ctrl+C in the terminal to stop the application.
For containerized deployment or development:
- Docker and Docker Compose installed
- API keys configured (see Local Development Setup above)
git clone https://github.com/peng-gao-lab/CTINexus.git
cd CTINexusCreate a .env file as described in the Local Development Setup section.
# Build and start
docker compose up --build
# Or run in detached mode (runs in background)
docker compose up -d --buildOpen your browser and navigate to: http://localhost:8000
docker compose downAfter setting up the local environment, you can use CTINexus through the web interface or command line.
For automation and batch processing:
ctinexus --input-file report.txtπ Complete CLI Documentation - Detailed usage examples and options.
Once the application is running:
-
Open your browser to the appropriate URL:
- Docker:
http://localhost:8000 - Local:
http://127.0.0.1:7860
- Docker:
-
Paste threat intelligence text into the input area
-
Select your preferred AI model from the dropdown
-
Click "Run" to analyze the text
-
View results:
- Extracted Entities: Identified cybersecurity entities
- Relationships: Discovered connections between entities
- Interactive Graph: Network visualization
- Export Options: Download results as JSON or images
We warmly welcome contributions from the community! Whether you're interested in:
- π Fixing bugs or adding new features
- π Improving documentation or adding examples
- π¨ UI/UX enhancements for the web interface
Please check out our Contributing Guide for detailed information on how to get started, development setup, and submission guidelines.
@inproceedings{cheng2025ctinexusautomaticcyberthreat,
title={CTINexus: Automatic Cyber Threat Intelligence Knowledge Graph Construction Using Large Language Models},
author={Yutong Cheng and Osama Bajaber and Saimon Amanuel Tsegai and Dawn Song and Peng Gao},
booktitle={2025 IEEE European Symposium on Security and Privacy (EuroS\&P)},
year={2025},
organization={IEEE}
}The source code is licensed under the MIT License. We warmly welcome industry collaboration. If youβre interested in building on CTINexus or exploring joint initiatives, please email [email protected] or [email protected], weβd be happy to set up a brief call to discuss ideas.