{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,22]],"date-time":"2026-05-22T04:06:35Z","timestamp":1779422795718,"version":"3.53.1"},"publisher-location":"New York, NY, USA","reference-count":25,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,5,26]],"date-time":"2026-05-26T00:00:00Z","timestamp":1779753600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"DOI":"10.13039\/100006502","name":"Defense Sciences Office, DARPA","doi-asserted-by":"publisher","award":["W912CG23C0031"],"award-info":[{"award-number":["W912CG23C0031"]}],"id":[{"id":"10.13039\/100006502","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,5,26]]},"DOI":"10.1145\/3786335.3813136","type":"proceedings-article","created":{"date-parts":[[2026,5,22]],"date-time":"2026-05-22T03:16:22Z","timestamp":1779419782000},"page":"103-123","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Retrieval-Augmented LLMs for Security Incident Analysis"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8545-0371","authenticated-orcid":false,"given":"Xavier","family":"Cadet","sequence":"first","affiliation":[{"name":"Dartmouth College, Hanover, NH, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-8365-0503","authenticated-orcid":false,"given":"Aditya Vikram","family":"Singh","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-4680-5686","authenticated-orcid":false,"given":"Harsh","family":"Mamania","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-2049-6274","authenticated-orcid":false,"given":"Edward","family":"Koh","sequence":"additional","affiliation":[{"name":"Dartmouth College, Hanover, NH, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8928-6011","authenticated-orcid":false,"given":"Alex","family":"Fitts","sequence":"additional","affiliation":[{"name":"PUNCH Cyber Analytics, Reston, VA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-4388-9653","authenticated-orcid":false,"given":"Dirk","family":"Van Bruggen","sequence":"additional","affiliation":[{"name":"PUNCH Cyber Analytics, Reston, VA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-3411-8912","authenticated-orcid":false,"given":"Simona","family":"Boboila","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1913-4223","authenticated-orcid":false,"given":"Peter","family":"Chin","sequence":"additional","affiliation":[{"name":"Dartmouth College, Hanover, NH, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4979-5292","authenticated-orcid":false,"given":"Alina","family":"Oprea","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,5,26]]},"reference":[{"key":"e_1_3_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-25538-0_3"},{"key":"e_1_3_3_2_3_2","doi-asserted-by":"publisher","unstructured":"Markus Bayer Philipp Kuehn Ramin Shanehsaz and Christian Reuter. 2024. CySecBERT: A Domain-Adapted Language Model for the Cybersecurity Domain. ACM Trans. Priv. Secur. 27 2 (April 2024) 18:1\u201318:20. 10.1145\/36525943652594\"\/>","DOI":"10.1145\/3652594"},{"key":"e_1_3_3_2_4_2","doi-asserted-by":"publisher","unstructured":"Francesco Blefari Cristian Cosentino Francesco\u00a0Aurelio Pironti Angelo Furfaro and Fabrizio Marozzo. 2026. CyberRAG: An Agentic RAG Cyber Attack Classification and Reporting Tool. Future Generation Computer Systems 176 (March 2026) 108186. 10.1016\/j.future.2025.108186","DOI":"10.1016\/j.future.2025.108186"},{"key":"e_1_3_3_2_5_2","doi-asserted-by":"publisher","unstructured":"Peng Cai Reza Ryan and Nickson\u00a0M. Karie. 2025. LLMLogAnalyzer: A Clustering-Based Log Analysis Chatbot Using Large Language Models. arxiv:https:\/\/arXiv.org\/abs\/2510.24031\u00a0[cs] 10.48550\/arXiv.2510.24031arXiv:https:\/\/arXiv.org\/abs\/2510.24031.","DOI":"10.48550\/arXiv.2510.24031"},{"key":"e_1_3_3_2_6_2","doi-asserted-by":"publisher","unstructured":"Marco Carvalho Fitzroy Nembhard and Dhanish Mehta. 2025. Towards the Application of GraphRAG to Network Security. The International FLAIRS Conference Proceedings 38 (May 2025). 10.32473\/flairs.38.1.138895","DOI":"10.32473\/flairs.38.1.138895"},{"key":"e_1_3_3_2_7_2","unstructured":"Brad Duncan. 2023. Cold as Ice: Unit 42 Wireshark Quiz for IcedID. https:\/\/unit42.paloaltonetworks.com\/wireshark-quiz-icedid\/. Accessed: 2026-02-25."},{"key":"e_1_3_3_2_8_2","unstructured":"Brad Duncan. 2023. Unit 42 Wireshark Quiz Series (Gozi Qakbot RedLine Stealer IcedID). https:\/\/unit42.paloaltonetworks.com\/category\/cybersecurity-tutorials\/. Accessed: 2026-02-25."},{"key":"e_1_3_3_2_9_2","unstructured":"Brad Duncan. 2026. Training Exercises - Malware-Traffic-Analysis.net. https:\/\/www.malware-traffic-analysis.net\/training-exercises.html. Accessed: 2026-02-25."},{"key":"e_1_3_3_2_10_2","doi-asserted-by":"publisher","unstructured":"Yunfan Gao Yun Xiong Xinyu Gao Kangxiang Jia Jinliu Pan Yuxi Bi Yi Dai Jiawei Sun Meng Wang and Haofen Wang. 2024. Retrieval-Augmented Generation for Large Language Models: A Survey. arxiv:https:\/\/arXiv.org\/abs\/2312.10997\u00a0[cs] 10.48550\/arXiv.2312.10997arXiv:https:\/\/arXiv.org\/abs\/2312.10997.","DOI":"10.48550\/arXiv.2312.10997"},{"key":"e_1_3_3_2_11_2","doi-asserted-by":"publisher","unstructured":"Wei Guan Jian Cao Shiyou Qian Jianqi Gao and Chun Ouyang. 2025. LogLLM: Log-based Anomaly Detection Using Large Language Models. arxiv:https:\/\/arXiv.org\/abs\/2411.08561\u00a0[cs] 10.48550\/arXiv.2411.08561arXiv:https:\/\/arXiv.org\/abs\/2411.08561.","DOI":"10.48550\/arXiv.2411.08561"},{"key":"e_1_3_3_2_12_2","unstructured":"Leon Kersten Tom Mulders Emmanuele Zambon Chris Snijders and Luca Allodi. 2023. \u2019Give Me Structure\u2019: Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center. 97\u2013111. https:\/\/www.usenix.org\/conference\/soups2023\/presentation\/kersten"},{"key":"e_1_3_3_2_13_2","series-title":"((CEUR Workshop Proceedings))","volume-title":"Proceedings of the Second International Workshop on Retrieval-Augmented Generation Enabled by Knowledge Graphs (RAGE-KG 2025)","author":"Kurniawan Kabul","year":"2025","unstructured":"Kabul Kurniawan, Rayhan\u00a0Firdaus Ardian, Elmar Kiesling, and Andreas Ekelhart. 2025. AgCyRAG: An Agentic Knowledge Graph Based RAG Framework for Automated Security Analysis. In Proceedings of the Second International Workshop on Retrieval-Augmented Generation Enabled by Knowledge Graphs (RAGE-KG 2025)((CEUR Workshop Proceedings))."},{"key":"e_1_3_3_2_14_2","first-page":"9459","volume-title":"Advances in Neural Information Processing Systems","author":"Lewis Patrick","year":"2020","unstructured":"Patrick Lewis, Ethan Perez, Aleksandra Piktus, Fabio Petroni, Vladimir Karpukhin, Naman Goyal, Heinrich K\u00fcttler, Mike Lewis, Wen-tau Yih, Tim Rockt\u00e4schel, Sebastian Riedel, and Douwe Kiela. 2020. Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks. In Advances in Neural Information Processing Systems, Vol.\u00a033. Curran Associates, Inc., 9459\u20139474."},{"key":"e_1_3_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/3639478.3643108"},{"key":"e_1_3_3_2_16_2","unstructured":"MITRE. 2023. Threat Report ATT&CK Mapper (TRAM). https:\/\/ctid.mitre.org\/projects\/threat-report-attck-mapper-tram\/."},{"key":"e_1_3_3_2_17_2","volume-title":"Steal or Forge Kerberos Tickets (Technique T1558)","author":"ATT&CK MITRE","year":"2025","unstructured":"MITRE ATT&CK. 2025. Steal or Forge Kerberos Tickets (Technique T1558). https:\/\/attack.mitre.org\/techniques\/T1558\/ Accessed: February 6, 2026."},{"key":"e_1_3_3_2_18_2","unstructured":"SANS Internet Storm Center. 2021. SANS ISC Forensic Contest Diaries. https:\/\/isc.sans.edu\/diary\/28160. Series of monthly forensic contests. Accessed: 2026-02-25."},{"key":"e_1_3_3_2_19_2","volume-title":"Certified Pre-Owned: Abusing Active Directory Certificate Services","author":"Schroeder Will","year":"2021","unstructured":"Will Schroeder and Lee Christensen. 2021. Certified Pre-Owned: Abusing Active Directory Certificate Services. Technical Report. SpecterOps. https:\/\/specterops.io\/wp-content\/uploads\/sites\/3\/2022\/06\/Certified_Pre-Owned.pdf Whitepaper."},{"key":"e_1_3_3_2_20_2","unstructured":"Chaitanya Sharma. 2025. Retrieval-Augmented Generation: A Comprehensive Survey of Architectures Enhancements and Robustness Frontiers. arXiv preprint arXiv:2506.00054 (2025). https:\/\/arxiv.org\/abs\/2506.00054"},{"key":"e_1_3_3_2_21_2","doi-asserted-by":"publisher","unstructured":"Ronal Singh Shahroz Tariq Fatemeh Jalalvand Mohan\u00a0Baruwal Chhetri Surya Nepal Cecile Paris and Martin Lochner. 2025. LLMs in the SOC: An Empirical Study of Human-AI Collaboration in Security Operations Centres. arxiv:https:\/\/arXiv.org\/abs\/2508.18947\u00a0[cs] 10.48550\/arXiv.2508.18947arXiv:https:\/\/arXiv.org\/abs\/2508.18947.","DOI":"10.48550\/arXiv.2508.18947"},{"key":"e_1_3_3_2_22_2","doi-asserted-by":"publisher","unstructured":"Chengyu Song Linru Ma Jianming Zheng Jinzhi Liao Hongyu Kuang and Lin Yang. 2024. Audit-LLM: Multi-Agent Collaboration for Log-based Insider Threat Detection. arxiv:https:\/\/arXiv.org\/abs\/2408.08902\u00a0[cs] 10.48550\/arXiv.2408.08902arXiv:https:\/\/arXiv.org\/abs\/2408.08902.","DOI":"10.48550\/arXiv.2408.08902"},{"key":"e_1_3_3_2_23_2","doi-asserted-by":"publisher","unstructured":"Shahroz Tariq Mohan Baruwal\u00a0Chhetri Surya Nepal and Cecile Paris. 2025. Alert Fatigue in Security Operations Centres: Research Challenges and Opportunities. ACM Comput. Surv. 57 9 (April 2025) 224:1\u2013224:38. 10.1145\/37231583723158\"\/>","DOI":"10.1145\/3723158"},{"key":"e_1_3_3_2_24_2","doi-asserted-by":"publisher","unstructured":"PeiYu Tseng ZihDwo Yeh Xushu Dai and Peng Liu. 2024. Using LLMs to Automate Threat Intelligence Analysis Workflows in Security Operation Centers. arxiv:https:\/\/arXiv.org\/abs\/2407.13093\u00a0[cs] 10.48550\/arXiv.2407.13093arXiv:https:\/\/arXiv.org\/abs\/2407.13093.","DOI":"10.48550\/arXiv.2407.13093"},{"key":"e_1_3_3_2_25_2","doi-asserted-by":"publisher","unstructured":"Bowen Wei Yuan\u00a0Shen Tay Howard Liu Jinhao Pan Kun Luo Ziwei Zhu and Chris Jordan. 2025. CORTEX: Collaborative LLM Agents for High-Stakes Alert Triage. arxiv:https:\/\/arXiv.org\/abs\/2510.00311\u00a0[cs] 10.48550\/arXiv.2510.00311arXiv:https:\/\/arXiv.org\/abs\/2510.00311.","DOI":"10.48550\/arXiv.2510.00311"},{"key":"e_1_3_3_2_26_2","doi-asserted-by":"publisher","unstructured":"Hanxiang Xu Shenao Wang Ningke Li Kailong Wang Yanjie Zhao Kai Chen Ting Yu Yang Liu and Haoyu Wang. 2025. Large Language Models for Cyber Security: A Systematic Literature Review. ACM Trans. Softw. Eng. Methodol. (Sept. 2025). 10.1145\/37696763769676\"\/>","DOI":"10.1145\/3769676"}],"event":{"name":"CAIS '26: ACM Conference on AI and Agentic Systems","location":"San Jose CA USA","acronym":"CAIS '26"},"container-title":["Proceedings of the ACM Conference on AI and Agentic Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/abs\/10.1145\/3786335.3813136","content-type":"text\/html","content-version":"vor","intended-application":"syndication"}],"deposited":{"date-parts":[[2026,5,22]],"date-time":"2026-05-22T03:19:30Z","timestamp":1779419970000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3786335.3813136"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,26]]},"references-count":25,"alternative-id":["10.1145\/3786335.3813136","10.1145\/3786335"],"URL":"https:\/\/doi.org\/10.1145\/3786335.3813136","relation":{},"subject":[],"published":{"date-parts":[[2026,5,26]]},"assertion":[{"value":"2026-05-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}