
New paper on Agentic Knowledge Graph based RAG Framework for Automated Security Analysis

Our colleague Andreas Ekelhart, key researcher and Applied Research Lead at SBA Research and researcher in the Research Group Security & Privacy at the University of Vienna, has published a new paper titled AgCyRAG: an Agentic Knowledge Graph based RAG Framework for Automated Security Analysis.


Abstract

Cybersecurity analysis is a critical activity that aims to detect threats, respond to incidents, and ensure organizations’ resilience. It is a highly complex task where analysts typically navigate and interpret vast amounts of heterogeneous data across structured and unstructured sources, ranging from system logs and network activity logs to threat intelligence and policy documents. Large Language Models (LLMs) can provide simplified access to this data through a natural language interface and have the potential to unlock advanced analytic capabilities. In this paper, we propose to combine a number of Retrieval-Augmented Generation (RAG) techniques to make this diverse and highly dynamic information accessible to LLMs and enable factual grounding of cybersecurity analyses.

A key challenge in this context is that RAG approaches typically focus on unstructured text and often overlook symbolic representations and conceptual relations that are essential in cybersecurity – including network structures, IT asset hierarchies and attack patterns. To address this gap, we propose AgCyRAG: a hybrid Agentic RAG framework that integrates Knowledge Graphs (KGs) and vector-based retrieval to enhance the factual accuracy and contextual relevance of security analyses. The framework orchestrates multiple agents that interpret user queries and adaptively select the optimal retrieval strategy according to the analytical context. The agentic workflows enable systems to combine structured semantic reasoning with vector-based retrieval, resulting in more comprehensive and interpretable security analyses. We validate AgCyRAG by means of three real-world use cases and demonstrate its ability to support advanced, context-aware security analyses.

Authors: Kabul Kurniawan, Rayhan Firdaus Ardian, Elmar Kiesling, and Andreas Ekelhart


Workshop
MLDM – SBA Research Group