Infographic of an LLM-driven cyber security framework: an AI-powered attacker targets an LLM-based honeypot (depicted as an eye), which captures data for an AI analytics tool used by analysts to consume threat intelligence feeds.

CORTEX – An LLM-Driven Framework for Enhanced CTI

About the project

Objective
The primary objective of this research is to discover methods for autonomously generating threat intelligence (TI) that empowers users to gain a competitive advantage over threat actors. The central focus of the study involves designing and developing LLM-powered telemetry systems, including web scrapers and honeypots, that are immune to AI-based attacks. These systems are instrumental in collecting early threat signals. Furthermore, a significant aspect of the project involves utilizing a comprehensive set of Large Language Model (LLM)-driven advanced analytics to generate actionable threat insights that elucidate the nature of the attacks.

Background
The world of cyber threat intelligence (CTI) is undergoing a profound transformation due to the emergence of AI-based cybercrime chatbots, attack agents, and malware. Traditional CTI solutions have proven ineffective against AI-powered exploit kits, necessitating the design of end-to-end AI-agents capable of reasoning threat intelligence in a ubiquitous fashion. While a significant number of academic papers were published on LLM-driven CTI techniques by 2025, these studies must be evaluated based on the national context.

Since AI-based threats pose a significant and tailored threat to every nation, the development of counter-AI systems from a national perspective as well as providing an opportunity for researchers to be equipped with AI in CTI expertise is crucial.

Crossdisciplinary collaboration
The researchers in this team hail from the Royal Hacking Lab at Cybercampus Sweden, the Division of Network and System Engineering (EECS/NSE) at KTH Royal Institute of Technology, and the Cybersecurity Unit at RISE Research Institutes of Sweden.

Upon successful completion of the research, the anticipated users include the Swedish Computer Emergency Response Team (CERT-SE) at MSB, the Cyber Defense Unit under the Division of Cyber Defence and C2 Technology at the Swedish Defence Research Agency (FOI), and the National Operations Department (NOA) at the Police Authority.

Project period

01/01/2026 – 31/12/2027

Type of call

Research Pair

Societal context

Smart Society

Research themes

Trust

Partner

KTH

RISE

Project status

Ongoing

Contacts

A man with short, dark hair and light skin is smiling slightly. He is wearing a black collared shirt and is standing against a plain, light-coloured background.

Emre Süren

emre@cybercampus.se

Visit profile
A young woman with long dark hair smiles at the camera whilst standing in a park covered with yellow fallen leaves and surrounded by green trees.

Han Wang

han.wang@ri.se

Visit profile