Using a Stack to Find an AI Needle: Topic Modeling for Cyber Threat Intelligence

Schröer, S. L., Seideman, J. D., Luo, S., Apruzzese, G., Dietrich, S., and Laskov, P. ACM Digital Threats: Research and Practice, 2025 (Journal)
Abstract. Cyber Threat Intelligence (CTI) is a fundamental activity to ensure the protection of modern organizations against sophisticated cyberattackers. A large body of scientific literature has addressed problems related to CTI. Despite the scientific validity of such results, the reality is that CTI practitioners rarely deploy advanced CTI methods proposed in the research community and mostly rely on manual processes.

We seek to facilitate the manual analyses typical of CTI practice by proposing an original topic modeling technique that enables analysts to identify specific topics in CTI data sources. We demonstrate how our method, released as an open-source tool, can be used to investigate three case studies revolving around the research question of whether attackers are deploying AI for malicious purposes “in the wild,” and, if so, which features of AI interest them the most. We analyse 6.9 million discussions from 18 underground forums. Our findings reveal that attackers may favor easy-to-use AI toolkits over the sophisticated AI techniques envisioned in research papers. Our contributions are further validated by a user study (N=24) with CTI experts, confirming the relevance of our research. Ultimately, we advocate future endeavours to account for the opinion of CTI practitioners—who should, in turn, try to cooperate.
