Security BSides Las Vegas 2025

RAGnarok: Assisting Your Threat Hunting with Local LLM
2025-08-04, Firenze

Threat hunting is a proactive approach to identifying undetected threats within an organization's environment, and it requires a range of sophisticated skills.
RAGnarok is a tool that assists the threat hunting process with a Large Language Model (LLM). It can automatically generate a Sigma rule for a specific attack technique based on threat intelligence.
Because threat hunting depends heavily on environmental information that is often regarded as confidential, RAGnarok adopts a local LLM. It collects and interprets that environmental information autonomously and reflects it in the generated results without uploading anything to the Internet.
To achieve good results with limited computing resources, RAGnarok rests on three technologies: "Quantized LLM", "Retrieval-Augmented Generation (RAG)", and "Multi-Agent System". Quantization makes inference faster, and the RAG mechanism lets RAGnarok reduce hallucination and improve the accuracy of the generated result without fine-tuning. Combining RAG with a multi-agent system gives the application deeper specialization per task. Together, these technologies allow RAGnarok to run on a CPU-only machine and still produce practical output.
This talk provides the technical details of RAGnarok, a demo, and the know-how and tips obtained while developing it.


RAGnarok is a tool that assists the threat hunting process with a local Large Language Model (LLM). It can automatically generate a Sigma rule for a specific attack technique based on threat intelligence such as MITRE ATT&CK.
In this talk, I will explain the architecture of RAGnarok and then elaborate on the technologies implemented in it. I will also provide a pre-recorded demo for a better understanding of RAGnarok. Finally, I will cover some know-how and tips obtained from developing RAGnarok.

This talk has been developed based on my experience. When I was involved in threat hunting, there were many different procedures and approaches for it, and I felt it was too much for beginners. On the other hand, threat hunting also has many monotonous operations, and it can easily become boring.
My motivation for developing RAGnarok is to automate the threat hunting process with a local LLM, especially the boring processes, and to concentrate on only the interesting processes. In other words, humans will focus on only the advanced steps in the threat hunting process. Assisting beginners by generating practical results (Sigma rules) is also part of my motivation.
Threat hunting usually requires environment information such as server configuration or account information. This talk focuses on Windows Active Directory configuration as the environmental information, collected and processed with "BloodHound". This kind of information is often regarded as confidential, so RAGnarok adopts a local LLM instead of a cloud-based LLM to avoid uploading it to the Internet.
The base technologies of RAGnarok are "Quantized LLM", "Retrieval-Augmented Generation (RAG)", and "Multi-Agent System". Combining them enables RAGnarok to generate highly specialized and accurate results on a CPU-only machine without fine-tuning.
However, these LLM-related technologies are complex and frequently misunderstood. Therefore, this talk provides not only the technical details of RAGnarok but also practical know-how and tips for using LLMs, especially local LLMs.
Furthermore, one of the design concepts behind RAGnarok is extensibility. Of course, new features can easily be added to RAGnarok, but it also means that the architecture of RAGnarok is applicable to other areas of cybersecurity, such as red teaming. In other words, threat hunting is just one use case of the proposed architecture. I believe this talk can contribute to promoting the use of local LLMs across the whole cybersecurity field.
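The following Python script is an added example, not RAGnarok's code and not from the talk. It sketches the loop the description above implies: retrieve technique context and environment facts from local data, prompt a local Ollama model, and sanity-check the returned Sigma rule before a human reviews it. The technique snippets, environment facts, sample rule, and model name are constructed assumptions; the only real interface used is Ollama's /api/generate endpoint, and the loopback check makes the "nothing leaves the host" property explicit rather than implicit.

```python
"""Added example: minimal local RAG loop for Sigma-rule generation (not RAGnarok's code)."""
import json
import re
import urllib.parse
import urllib.request
from collections import Counter

# Constructed technique snippets in the style of MITRE ATT&CK (not the real text).
TECHNIQUES = {
    "T1003.006": ("OS Credential Dumping: DCSync. Adversaries abuse the directory replication "
                  "service to request credential data from a domain controller via DRSUAPI GetNCChanges."),
    "T1558.003": ("Steal or Forge Kerberos Tickets: Kerberoasting. Adversaries request TGS "
                  "service tickets for SPN accounts and crack them offline."),
    "T1078.002": ("Valid Accounts: Domain Accounts. Adversaries use compromised domain accounts "
                  "for persistence and lateral movement."),
}
# Constructed environment facts of the kind BloodHound surfaces; confidential, so local-only.
ENVIRONMENT = [
    "Domain controllers: DC01.corp.example, DC02.corp.example",
    "Accounts holding replication rights: CORP\\svc-backup, CORP\\Administrator",
]
OLLAMA_URL = "http://127.0.0.1:11434/api/generate"  # Ollama's documented generate endpoint
MODEL = "llama3.1:8b"                               # assumed local (quantized) model name
_WORD = re.compile(r"[a-z0-9]+")

def _bag(text):
    return Counter(_WORD.findall(text.lower()))

def retrieve(query, docs, k=2):
    """Rank docs by bag-of-words overlap with the query (a stand-in for a vector store)."""
    q = _bag(query)
    scored = []
    for doc_id, text in docs.items():
        bag = _bag(text)
        scored.append((sum(min(n, bag[w]) for w, n in q.items()), doc_id))
    scored.sort(reverse=True)
    return [doc_id for score, doc_id in scored[:k] if score > 0]

def build_prompt(technique_id, context, env_facts):
    """Ground the request in retrieved material so the model does not have to guess."""
    return (
        "You are a detection engineer. Produce exactly one Sigma rule in YAML detecting "
        f"ATT&CK technique {technique_id}. Use only the reference material and environment "
        "facts below; do not invent hosts or accounts.\n\n"
        "Reference material:\n" + "\n".join(context) + "\n\n"
        "Environment facts:\n" + "\n".join(env_facts) + "\n\nOutput only the YAML."
    )

def ollama_generate(prompt, model=MODEL):
    """Call the local Ollama server; refuses any non-loopback endpoint."""
    host = urllib.parse.urlparse(OLLAMA_URL).hostname
    if host not in ("127.0.0.1", "localhost", "::1"):
        raise RuntimeError(f"refusing to send environment data to non-local host {host}")
    body = json.dumps({"model": model, "prompt": prompt, "stream": False}).encode()
    req = urllib.request.Request(OLLAMA_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=600) as resp:
        return json.load(resp)["response"]

def check_rule(rule_text, technique_id):
    """Structural checks on the generated rule; returns a list of problems (empty = passes)."""
    problems = []
    for key in ("title", "logsource", "detection"):
        if not re.search(rf"^{key}:", rule_text, re.M):
            problems.append(f"missing top-level key '{key}'")
    if not re.search(r"^\s+condition:", rule_text, re.M):
        problems.append("detection block has no condition")
    tag = "attack." + technique_id.lower()
    if tag not in rule_text:
        problems.append(f"rule is not tagged {tag}")
    return problems

def generate_rule(question, generate=ollama_generate):
    """Hunting question -> (target technique, rule text, list of problems)."""
    hits = retrieve(question, TECHNIQUES)
    if not hits:
        raise ValueError("no known technique matches the hunting question")
    target = hits[0]
    context = [f"{tid}: {TECHNIQUES[tid]}" for tid in hits]
    rule = generate(build_prompt(target, context, ENVIRONMENT))
    return target, rule, check_rule(rule, target)

# Constructed stand-in for a model response so the script also runs without Ollama.
SAMPLE_RULE = """title: DCSync replication request from a non-DC host
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    Properties|contains: '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
  filter_dcs:
    Computer:
      - DC01.corp.example
      - DC02.corp.example
  condition: selection and not filter_dcs
tags:
  - attack.credential_access
  - attack.t1003.006
"""

if __name__ == "__main__":
    tid, rule, problems = generate_rule("Hunt for DCSync replication from a non-DC host",
                                        generate=lambda _prompt: SAMPLE_RULE)
    print(tid, "problems:", problems or "none")
    print(rule)
```

Replacing the lambda with the default `ollama_generate` sends the prompt to the local model instead; the structural checks in `check_rule` are deliberately cheap and are meant to reject obviously malformed output before a human spends time reviewing the rule, not to replace that review.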

RAGnarok will be available as open source by the time of the talk.

Tools:
- Docker: https://www.docker.com/
- Bloodhound-CE: https://github.com/SpecterOps/BloodHound
- LangGraph: https://www.langchain.com/langgraph
- Ollama: https://ollama.com/

The following presentation covers the prototype of RAGnarok.
Since RAGnarok has evolved from that prototype, the two are not the same.
For example, there are differences in the architecture and in the functions that handle environmental information. (I will elaborate on them in the talk.)
Still, this presentation will help you get a sense of what RAGnarok is all about.
- Presentation record: https://www.youtube.com/watch?v=a0FvmNkpVLI&list=PLALq3Th79NnpPtZ28R-WPbepAPwgYHYiz&index=5&pp=iAQB
- Presentation material: https://ctid.mitre.org/events/apac-2025/08%20-%20MITRE%20ATT&CK%20Driven%20Threat%20Hunting%20Automated%20by%20Local%20LLM.pdf

Jun Miura is a security researcher with Fujitsu Defense & National Security LTD (FDNS). After working as a security engineer at a financial company in Japan, he performed vulnerability assessments, penetration testing, and red teaming at Secureworks from 2022. In November 2023 he joined his current department at FDNS, where he focuses mainly on offensive security, especially Active Directory / Entra ID attacks and EDR / antivirus bypass techniques. In addition, he has been involved in threat hunting research from an attacker's perspective, drawing on his knowledge and experience as a red teamer.
Currently, he also focuses on local LLMs, especially their use in cybersecurity and attacks against them. He is also a Ph.D. student at Okayama University in Japan.