DEFENGRAPH: Knowledge Graph-Enhanced LLMs for Blue Team Cyber Defense

Focus: Blue team operations require reasoning about complex, evolving relationships between threat actors, attack techniques, software vulnerabilities, and network assets — a structure that fits knowledge graphs better than flat document retrieval. DEFENGRAPH uses a continuously-updated cybersecurity knowledge graph as the retrieval backbone for an LLM-based blue team assistant.

Key Insights

• Structured threat reasoning: Knowledge graph queries can answer multi-hop questions (e.g., “which threat actors use technique X against organisations in sector Y?”) that flat RAG systems struggle with, since they require composing relationships across multiple documents.
• Real-time knowledge graph updates: The graph is updated continuously from threat intelligence feeds, CTI reports, and CVE announcements, keeping the LLM’s reasoning grounded in current threat landscapes rather than training cutoff knowledge.
• Outperforms RAG on complex queries: The paper benchmarks DEFENGRAPH against RAG baselines, showing superior performance on multi-hop queries that require relationship reasoning, while performing comparably on simpler lookups.

Failure-First Relevance

DEFENGRAPH’s architecture is directly applicable to the Failure-First red-teaming infrastructure: a knowledge graph of attack techniques, model vulnerabilities, and observed failure patterns would enable more structured operator selection and threat modelling. The continuously-updated design is relevant to the Failure-First attack evolution pipeline — as new jailbreak techniques are discovered and indexed, the attack selection system should reason over their relationships to existing operators rather than treating each discovery as independent.