SoK: AI-Assisted Threat Intelligence Pipelines - A Taxonomy and Research Agenda for the Agentic Transition
Not applicable. This manuscript has not previously appeared in, nor been accepted to appear in, any paper series, journal, or book.
37 Pages. Posted: 5 Jun 2026. Last revised: 5 Jun 2026.
Date Written: May 19, 2026
Abstract
Cyber Threat Intelligence (CTI) is in the middle of an architectural transition. Organizations are layering machine learning, large language models, and most recently autonomous agents into operational pipelines faster than the literature can document, and production practice has outpaced academic evaluation. Most published evaluations still focus on isolated model performance, while practitioners report that production success depends on governance, integration, and human-AI collaboration. This systematization makes three contributions. First, it operationalizes the CTI Autonomy-Stakes Framework through the Behavioral Autonomy Criteria (chained reasoning, state change, external effect, approval gating), a proposed set of observable tests for classifying AI-CTI systems by actual behavior rather than vendor description. The framework locates systems on dimensions of agent autonomy and decision consequence, with a "Guarded Agency" zone where viable production systems should sit. Second, it organizes the field into three architectural generations (rule-based with analyst review, AI-assisted analysis, and agent-directed execution) plus an autonomous-defense boundary, and grounds the framing in the documented evolution of named SOAR and SIEM platforms. Third, it identifies a research agenda focused on the evaluation gaps and adversarial-robustness questions most likely to determine whether the agentic transition produces trustworthy systems, in an environment where threat actors themselves are now operating AI-augmented tooling. The corpus weighs practitioner-authored and platform-derived sources alongside peer-reviewed work; in a field where production systems appear before academic evaluation of them, a SoK restricted to peer-reviewed sources would describe a field that does not exist.
Keywords: Cyber Threat Intelligence, Agentic AI, Security Operations, Human-AI Collaboration, Prompt Injection, Adversarial Machine Learning, Systematization of Knowledge