2026-05-07 –, IFEN room 1, Workshops and Detection Engineering village (Building D)
Every week, hundreds of threat intelligence reports are published in prose — rich in context, but locked in a format that no SIEM, TIP, or AI agent can consume. Without structure, CTI stays trapped in PDFs and blog posts, disconnected from the defensive stack that needs it most.
This talk presents a practitioner- and research-driven approach to closing that gap. Drawing on independent research from the TI Mindmap HUB project and on an academic study currently under peer review that benchmarks five LLM families against government-grade STIX 2.1 ground truth, the speaker demonstrates how a hybrid architecture — combining deterministic extraction with LLM-based semantic inference — can transform unstructured reports into machine-readable STIX 2.1 bundles.
Beyond generation, the talk explores how STIX bundles become the foundation for LLM-powered knowledge graphs and how the Model Context Protocol (MCP) exposes structured CTI as tool calls for AI agents — making intelligence not just structured, but conversationally actionable for both human analysts and autonomous copilots.
This is independent research, not a product pitch. The speaker invites collaboration from the CTI community.
Disclaimer: TI Mindmap HUB is a personal, independent research project. It is not affiliated with, endorsed by, or representative of any employer, organization, or commercial entity.
Problem Statement
The CTI community produces an enormous volume of high-quality threat intelligence every week — malware analyses, campaign reports, government advisories. The vast majority is published as unstructured text. Despite the existence of STIX 2.1 as a mature, graph-based interoperability standard, most organizations skip the conversion step entirely because it is slow, manual, and requires deep domain expertise. The consequence: intelligence that could feed automated detection, correlation, and response workflows remains locked in prose.
This section frames STIX not as bureaucratic overhead, but as the critical prerequisite layer that makes everything downstream — from SIEM rules to AI-driven threat hunting — possible.
The Hybrid Architecture: GenAI-STIX
The core of the talk introduces a hybrid pipeline architecture developed through independent research and validated in an academic study currently under peer review (University of Salerno, AY 2025/2026). The key design insight is that not everything should be delegated to a generative model:
- Deterministic extraction (regex + validation) handles Indicators of Compromise (IoCs) — IP addresses, hashes, domains, URLs — where precision and resistance to hallucination are paramount.
- LLM-based semantic inference handles the hard part: extracting Tactics, Techniques, and Procedures (TTPs), threat actors, malware families, victims, and the relationships between them, then mapping these to the MITRE ATT&CK framework.
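The deterministic half of such a pipeline, as an added example for this page (it is not TI Mindmap HUB's own code, which the page does not show): refang the text, extract and validate IoCs, and wrap each one in a STIX 2.1 Indicator with a STIX pattern, using only the Python standard library. The report excerpt is constructed (the hashes are SHA-256 of "test" and MD5 of the empty string, the address is from the RFC 5737 documentation range), and the function names, the non-routable ranges and the file-extension denylist are this example's own assumptions; a production extractor would also drop documentation ranges and check TLDs against an allowlist.

```python
"""Deterministic IoC extraction -> STIX 2.1 Indicator bundle (added example, stdlib only)."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed report excerpt (not from any real advisory); values are deliberately defanged.
SAMPLE_REPORT = """
The loader beacons to hxxp://update-check[.]example-cdn[.]net/p.php and to 203[.]0[.]113[.]45.
Dropped file (loader.exe) SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Version 2.1.3 of the tool and the internal address 10.0.0.5 are not indicators.
MD5 of the empty config file: d41d8cd98f00b204e9800998ecf8427e
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Longest alternative first so a SHA-256 is never reported as an MD5-sized prefix.
HEX_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)
# The lookbehind rejects path segments (".../p.php") and e-mail local parts.
DOMAIN_RE = re.compile(r"(?<![\w./@-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed validation rules: never emit non-routable addresses, never treat a file name as a domain.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
FILE_EXT = {"exe", "dll", "php", "ps1", "vbs", "js", "bat", "lnk", "zip", "doc", "pdf", "txt", "dat", "bin"}

# STIX patterning syntax for each indicator type (hash keys with hyphens must be quoted).
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{}']",
    "domain": "[domain-name:value = '{}']",
    "url": "[url:value = '{}']",
    "md5": "[file:hashes.MD5 = '{}']",
    "sha1": "[file:hashes.'SHA-1' = '{}']",
    "sha256": "[file:hashes.'SHA-256' = '{}']",
}


def refang(text):
    """Undo the usual defanging conventions so validation sees the real value."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def valid_ipv4(value):
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def extract_iocs(report_text):
    """Regex candidates filtered by validation; returns {type: sorted list of values}."""
    text = refang(report_text)
    iocs = {k: set() for k in PATTERNS}
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)]'\"")
        iocs["url"].add(url)
        host = (urlparse(url).hostname or "").lower()
        if valid_ipv4(host):
            iocs["ipv4"].add(host)
        elif host and host.rsplit(".", 1)[-1] not in FILE_EXT:
            iocs["domain"].add(host)
    rest = URL_RE.sub(" ", text)  # scan the remainder so URL parts are not double-counted
    for m in IPV4_RE.finditer(rest):
        if valid_ipv4(m.group(0)):
            iocs["ipv4"].add(m.group(0))
    for m in DOMAIN_RE.finditer(rest):
        dom = m.group(0).lower()
        if dom.rsplit(".", 1)[-1] not in FILE_EXT:
            iocs["domain"].add(dom)
    for m in HEX_RE.finditer(rest):
        iocs[HASH_TYPES[len(m.group(0))]].add(m.group(0).lower())
    return {k: sorted(v) for k, v in iocs.items()}


def build_bundle(report_text, source_name="constructed-report"):
    """Wrap every validated IoC in a STIX 2.1 Indicator and return a Bundle as a dict."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc_type, values in extract_iocs(report_text).items():
        for value in values:
            escaped = value.replace("\\", "\\\\").replace("'", "\\'")
            objects.append({
                "type": "indicator", "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}",
                "created": now, "modified": now, "valid_from": now,
                "name": f"{ioc_type}: {value}",
                "description": f"Deterministically extracted from {source_name}",
                "indicator_types": ["malicious-activity"],
                "pattern": PATTERNS[ioc_type].format(escaped),
                "pattern_type": "stix",
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_REPORT), indent=2))
```

The LLM half is deliberately absent: the model would receive only the prose and return TTPs, actors, malware and their relationships, which are then linked to these Indicators by id (for instance with an `indicates` relationship) rather than re-extracted by the model.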
The talk walks through the evaluation methodology: a two-track evaluation (object-level detection metrics plus holistic graph similarity) run against a ground-truth dataset built from real UK National Cyber Security Centre (NCSC) STIX bundles. Five LLM families were benchmarked. Key finding: high-reasoning models exceed 94% precision in TTP extraction, which the speaker argues moves automated MITRE ATT&CK mapping from a theoretical prospect to a production-ready capability.
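What the two evaluation tracks compute, in an added Python example that is not the study's evaluation code: the page does not describe its matching rules or similarity measure, so the canonical keys (ATT&CK ID for attack-patterns, normalised name otherwise), the Jaccard-over-edges graph similarity and both bundles below are this example's assumptions. The point it shows is that STIX ids cannot be compared between a generated bundle and a ground-truth bundle, so both objects and relationships must be matched on content, and that a hallucinated technique costs precision while a missed one costs recall.

```python
"""Scoring a generated STIX 2.1 bundle against a ground-truth bundle (added example)."""
import uuid


def sdo(obj_type, name, attack_id=None):
    """Minimal constructed SDO (not spec-complete). UUIDv5 ids only so the example is reproducible."""
    obj = {"type": obj_type, "spec_version": "2.1", "name": name,
           "id": f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, obj_type + ':' + name)}"}
    if attack_id:
        obj["external_references"] = [{"source_name": "mitre-attack", "external_id": attack_id}]
    return obj


def uses(src, dst):
    return {"type": "relationship", "spec_version": "2.1", "id": f"relationship--{uuid.uuid4()}",
            "relationship_type": "uses", "source_ref": src["id"], "target_ref": dst["id"]}


def bundle(*objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def constructed_truth():
    """Constructed ground truth (not a real NCSC bundle)."""
    g, m = sdo("intrusion-set", "Example Group"), sdo("malware", "LoaderX")
    t1 = sdo("attack-pattern", "Spearphishing Attachment", "T1566.001")
    t2 = sdo("attack-pattern", "PowerShell", "T1059.001")
    t3 = sdo("attack-pattern", "Web Protocols", "T1071.001")
    return bundle(g, m, t1, t2, t3, uses(g, m), uses(g, t1), uses(m, t2), uses(m, t3))


def constructed_prediction():
    """Constructed model output: one technique hallucinated, one missed, names differ in case."""
    g = sdo("intrusion-set", "example group")   # case differs from truth; canonical key still matches
    m = sdo("malware", "LoaderX")
    t1 = sdo("attack-pattern", "Spearphishing Attachment", "T1566.001")
    t2 = sdo("attack-pattern", "PowerShell", "T1059.001")
    t4 = sdo("attack-pattern", "Ingress Tool Transfer", "T1105")  # extra; T1071.001 is missing
    return bundle(g, m, t1, t2, t4, uses(g, m), uses(g, t1), uses(m, t2), uses(m, t4))


def canonical_key(obj):
    """Identity used for matching: ATT&CK ID for techniques, (type, lower-cased name) otherwise."""
    if obj["type"] == "attack-pattern":
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                return ("attack-pattern", ref["external_id"])
    return (obj["type"], obj.get("name", "").strip().lower())


def prf(pred, truth):
    """Precision / recall / F1 over two sets of canonical keys or edges."""
    tp = len(pred & truth)
    p = tp / len(pred) if pred else 0.0
    r = tp / len(truth) if truth else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return {"tp": tp, "fp": len(pred - truth), "fn": len(truth - pred),
            "precision": p, "recall": r, "f1": f1}


def index_objects(b):
    return {o["id"]: canonical_key(o) for o in b["objects"] if o["type"] != "relationship"}


def edge_set(b, index):
    """Relationship triples over canonical keys, so ids from different runs become comparable."""
    return {(index[o["source_ref"]], o["relationship_type"], index[o["target_ref"]])
            for o in b["objects"]
            if o["type"] == "relationship" and o["source_ref"] in index and o["target_ref"] in index}


def evaluate(pred_bundle, truth_bundle):
    """Object-level metrics (overall and per STIX type) plus a graph-level Jaccard over edges."""
    pi, ti = index_objects(pred_bundle), index_objects(truth_bundle)
    pk, tk = set(pi.values()), set(ti.values())
    per_type = {typ: prf({k for k in pk if k[0] == typ}, {k for k in tk if k[0] == typ})
                for typ in sorted({k[0] for k in pk | tk})}
    pe, te = edge_set(pred_bundle, pi), edge_set(truth_bundle, ti)
    jaccard = len(pe & te) / len(pe | te) if pe | te else 1.0
    return {"objects": prf(pk, tk), "per_type": per_type, "edges": prf(pe, te), "graph_jaccard": jaccard}


if __name__ == "__main__":
    result = evaluate(constructed_prediction(), constructed_truth())
    for label, m in (("objects", result["objects"]), ("edges", result["edges"])):
        print(f"{label}: P={m['precision']:.2f} R={m['recall']:.2f} F1={m['f1']:.2f}")
    print(f"graph Jaccard: {result['graph_jaccard']:.2f}")
```

A precision figure on its own, as in the 94% headline above, is only half of this table; the per-type block shows why the recall column matters when the model drops a technique the ground truth contains.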
TI Mindmap HUB: The Living Research Lab
TI Mindmap HUB is the independent research platform where these concepts are implemented and tested at scale, processing 50–60 threat reports weekly. The speaker demonstrates how a single unstructured report flows through the pipeline and emerges as a multi-lens analyst workstation:
- STIX graph view — interactive entity/relationship exploration
- Diamond Model — campaign framing from STIX objects
- MITRE ATT&CK heatmap — behavioral coverage visualization
- CVE analyst table — vulnerability prioritization with threat context
- TI Mindmap — narrative structure for executive and analyst consumption
The same structured artifacts (STIX bundles, ATT&CK layers, IOC/CVE objects) power all views — different analytical lenses from shared data, not isolated widgets. A brief visual walkthrough shows the end-to-end flow from URL submission to structured intelligence.
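How the shared STIX artifacts can feed the ATT&CK heatmap, as an added example that is not the HUB's code: the attack-pattern objects and their `uses` relationships in a bundle are counted into an ATT&CK Navigator layer (the JSON format MITRE's Navigator imports), scoring each technique by how many distinct actors or malware families use it. The bundle is constructed and the version strings in `versions` are placeholders that should match the Navigator instance the layer is loaded into; `technique_usage` and `navigator_layer` are this example's own names.

```python
"""From STIX attack-patterns and 'uses' relationships to an ATT&CK Navigator layer (added example)."""
import json
import uuid


def constructed_bundle():
    """Constructed STIX 2.1 fragment (not real intelligence): two malware families, three techniques."""
    specs = [("malware", "LoaderX", None), ("malware", "RatY", None),
             ("attack-pattern", "Spearphishing Attachment", "T1566.001"),
             ("attack-pattern", "PowerShell", "T1059.001"),
             ("attack-pattern", "Web Protocols", "T1071.001")]
    objs = {}
    for obj_type, name, tid in specs:  # UUIDv5 ids only so the example is reproducible
        o = {"type": obj_type, "spec_version": "2.1", "name": name,
             "id": f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, name)}"}
        if tid:
            o["external_references"] = [{"source_name": "mitre-attack", "external_id": tid}]
        objs[name] = o
    edges = [("LoaderX", "Spearphishing Attachment"), ("LoaderX", "PowerShell"),
             ("RatY", "PowerShell"), ("RatY", "Web Protocols")]
    rels = [{"type": "relationship", "spec_version": "2.1", "id": f"relationship--{uuid.uuid4()}",
             "relationship_type": "uses", "source_ref": objs[s]["id"], "target_ref": objs[d]["id"]}
            for s, d in edges]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objs.values()) + rels}


def technique_usage(bundle):
    """Map ATT&CK technique ID -> set of names of the SDOs that 'use' it."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    tid_of = {}
    for o in bundle["objects"]:
        if o["type"] == "attack-pattern":
            for ref in o.get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    tid_of[o["id"]] = ref["external_id"]
    usage = {tid: set() for tid in tid_of.values()}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "uses" and o["target_ref"] in tid_of:
            src = by_id.get(o["source_ref"], {})
            usage[tid_of[o["target_ref"]]].add(src.get("name", o["source_ref"]))
    return usage


def navigator_layer(bundle, name="Constructed report coverage"):
    """Build a Navigator layer; score = number of distinct actors/malware using the technique."""
    usage = technique_usage(bundle)
    techniques = [{"techniqueID": tid, "score": len(users),
                   "comment": "used by: " + ", ".join(sorted(users))}
                  for tid, users in sorted(usage.items())]
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumption: set these to the versions of the Navigator / ATT&CK release you actually use.
        "versions": {"layer": "4.5", "navigator": "4.9.1", "attack": "14"},
        "description": "Generated from STIX attack-pattern objects and 'uses' relationships",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max((t["score"] for t in techniques), default=1)},
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer(constructed_bundle()), indent=2))
```

The same `technique_usage` map also answers the Diamond Model's capability question (which adversary or tool exhibits which behaviour) and, with report ids as the users instead of object names, the cross-report view described later on the page.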
MCP: Making CTI Actionable for AI Agents
Structure alone is not enough — intelligence must be accessible where decisions are made. This section introduces the Model Context Protocol (MCP) server built for TI Mindmap HUB, which exposes structured CTI as native tool calls for AI copilots and agents:
- Report discovery and deep-dive — search, filter, and retrieve processed intelligence artifacts directly from a chat interface
- IOC pivoting — "where else was this indicator seen?" as a single tool call
- STIX bundle retrieval — portable intelligence packages ready for TIP/SOAR/SIEM integration
- Article submission — trigger the full processing pipeline from conversation context
This transforms CTI from a static product into a conversational operations layer. The MCP server authenticates callers with API keys and OAuth, so it can serve both human analysts and autonomous agent workflows.
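What "IOC pivoting as a single tool call" looks like on the wire, as an added example that is not the HUB's MCP server (its source is not on the page): a minimal Python dispatcher for the MCP tool methods (`tools/list` and `tools/call`, carried as JSON-RPC 2.0 messages whose tool results are `content` items with an `isError` flag), fronted by a constant-time bearer API-key check. The in-memory report store, the demo key, the tool names and the `-32001` error code are constructed for this example, and the OAuth path the page mentions is omitted.

```python
"""Minimal MCP-style tool dispatcher for CTI lookups (added example, stdlib only)."""
import hashlib
import hmac
import json

# Constructed stand-in for the processed-report store; indicators are documentation-range values.
REPORTS = {
    "rpt-001": {"title": "Loader campaign A", "iocs": ["203.0.113.45", "update-check.example-cdn.net"],
                "techniques": ["T1566.001", "T1059.001"]},
    "rpt-002": {"title": "Follow-on intrusion B", "iocs": ["203.0.113.45", "198.51.100.7"],
                "techniques": ["T1071.001"]},
    "rpt-003": {"title": "Unrelated commodity malware", "iocs": ["192.0.2.99"], "techniques": ["T1105"]},
}

# Assumed key handling: the server keeps only SHA-256 digests of issued API keys.
DEMO_KEY = "demo-key-not-a-real-secret"
API_KEY_DIGESTS = {hashlib.sha256(DEMO_KEY.encode()).hexdigest()}


def authenticate(headers):
    """Bearer API-key check with a constant-time compare; OAuth is out of scope for this example."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    digest = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    return any(hmac.compare_digest(digest, known) for known in API_KEY_DIGESTS)


def search_reports(args):
    """Search processed reports by title text or ATT&CK technique ID."""
    q = args["query"].lower()
    return [{"id": rid, "title": r["title"]} for rid, r in REPORTS.items()
            if q in r["title"].lower() or q.upper() in r["techniques"]]


def ioc_pivot(args):
    """Return every processed report in which an indicator was seen."""
    return [{"id": rid, "title": r["title"]} for rid, r in REPORTS.items()
            if args["indicator"] in r["iocs"]]


# Tool registry: name -> (handler, JSON Schema for its arguments).
TOOLS = {
    "search_reports": (search_reports, {"type": "object", "required": ["query"],
                                        "properties": {"query": {"type": "string"}}}),
    "ioc_pivot": (ioc_pivot, {"type": "object", "required": ["indicator"],
                              "properties": {"indicator": {"type": "string"}}}),
}


def _reply(req_id, result=None, error=None):
    msg = {"jsonrpc": "2.0", "id": req_id}
    if error is not None:
        msg["error"] = error
    else:
        msg["result"] = result
    return msg


def handle(request, headers):
    """Dispatch one JSON-RPC 2.0 request using MCP's tools/list and tools/call methods."""
    req_id = request.get("id")
    if not authenticate(headers):
        return _reply(req_id, error={"code": -32001, "message": "unauthorized"})  # server-defined code
    method = request.get("method")
    if method == "tools/list":
        return _reply(req_id, result={"tools": [
            {"name": n, "description": f.__doc__, "inputSchema": s} for n, (f, s) in TOOLS.items()]})
    if method == "tools/call":
        params = request.get("params", {})
        entry = TOOLS.get(params.get("name"))
        if entry is None:
            return _reply(req_id, error={"code": -32602, "message": "unknown tool"})
        try:
            hits = entry[0](params.get("arguments", {}))
        except KeyError as missing:  # tool-level failures travel inside the result, flagged by isError
            return _reply(req_id, result={"isError": True, "content": [
                {"type": "text", "text": f"missing argument {missing}"}]})
        return _reply(req_id, result={"isError": False, "content": [
            {"type": "text", "text": json.dumps(hits)}]})
    return _reply(req_id, error={"code": -32601, "message": "method not found"})


def tool_hits(response):
    """Client-side helper: parse a successful tools/call result back into objects (None on error)."""
    result = response.get("result", {})
    if "content" not in result or result.get("isError"):
        return None
    return json.loads(result["content"][0]["text"])


if __name__ == "__main__":
    hdrs = {"authorization": f"Bearer {DEMO_KEY}"}
    pivot = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
             "params": {"name": "ioc_pivot", "arguments": {"indicator": "203.0.113.45"}}}
    print(json.dumps(handle(pivot, hdrs), indent=2))
```

Two details carry over to a real deployment: the authentication check runs before method dispatch, so an unauthenticated client cannot even enumerate tools, and argument errors are returned as `isError` results rather than protocol errors, which is what lets an agent read the failure and retry with the right arguments.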
Toward Knowledge Graphs: The Research Horizon
With STIX bundles as building blocks, the next research frontier is LLM-inferred cross-report relationships — connecting entities across dozens of reports to build a threat intelligence knowledge graph that reveals patterns invisible in individual analyses. The speaker briefly outlines this ongoing research direction and its implications for strategic CTI.
Closing
TI Mindmap HUB is an independent research project exploring the intersection of Generative AI and Cyber Threat Intelligence. It is not a product and not affiliated with any employer or commercial entity. The speaker actively seeks collaboration from the CTI research and practitioner community.
Antonio Formato is a Senior Cybersecurity Solution Engineer at Microsoft, where he leads technical engagements on security platforms including Defender XDR, Sentinel, and Defender for Cloud for enterprise and public sector customers across EMEA. With 18+ years of experience in cybersecurity, he advises CISOs and security teams on Zero Trust strategies, multi-cloud security posture, and secure AI adoption.
Outside his professional role, Antonio is an independent researcher exploring the intersection of Generative AI and Cyber Threat Intelligence. He is the creator of TI Mindmap HUB, an AI-powered research platform that automates the transformation of unstructured threat reports into structured, machine-readable intelligence using LLMs and the STIX 2.1 standard. He is co-author of an academic paper on automated STIX 2.1 bundle generation currently under peer review, and collaborates with the University of Salerno as co-advisor on cybersecurity thesis projects.
Antonio is a regular speaker at security conferences including RomHack, HackInBo, BSides Athens, and ITASEC. His independent research is open to community collaboration at ti-mindmap-hub.com.
TI Mindmap HUB is a personal, independent research project, not affiliated with any employer or commercial entity.