CyBERTa: a hybrid self-updating framework for automated extraction of MITRE ATT&CK tactics and techniques from security text
摘要
The ability to automatically extract MITRE ATT&CK tactics and techniques from unstructured threat intelligence reports is critical for proactive cyber defense. However, existing systems commonly rely on static taxonomies and datasets that fail to reflect the framework’s continual evolution, potentially leading to performance degradation as the ATT&CK knowledge base expands. In this paper, we present CyBERTa, a hybrid DeBERTa–SetFit MLOps pipeline for multi-label extraction of ATT&CK tactics and techniques from unstructured CTI text. The framework supports taxonomy-aware adaptation by retrieving updated ATT&CK STIX JSON releases, identifying newly introduced or modified techniques, and incrementally fine-tuning a SetFit few-shot classifier without retraining large transformer backbones. Because transformer-based NLP models involve computationally intensive training and inference over large volumes of unstructured security text, scalable processing infrastructure is required to support timely analysis in operational threat intelligence environments. CyBERTa achieves an LRAP of 0.89, reflecting strong ranking performance in a multi-label TTP extraction when compared to baseline extraction approaches. Furthermore, our analysis shows that prior studies may have overstated performance by up to 13% due to uncleaned or duplicate datasets. We provide detailed dataset analysis and design recommendations, along with an inference dashboard supporting tactic and technique ranking and mitigation lookup, offering a structured blueprint for next-generation Cyber Threat Intelligence extraction systems.