Upload 126 files

.gitattributes

@@ -33,3 +33,4 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+cyber_knowledge_base/chroma/chroma.sqlite3 filter=lfs diff=lfs merge=lfs -text

app.py

@@ -0,0 +1,292 @@
+#!/usr/bin/env python3
+"""
+Streamlit Web App for Cybersecurity Agent Pipeline
+
+A simple web interface for uploading log files and running the cybersecurity analysis pipeline
+with different LLM models.
+"""
+
+import os
+import sys
+import tempfile
+import shutil
+import streamlit as st
+from pathlib import Path
+from typing import Dict, Any, Optional
+
+from src.full_pipeline.simple_pipeline import analyze_log_file
+
+from dotenv import load_dotenv
+from huggingface_hub import login as huggingface_login
+
+load_dotenv()
+
+
+def get_model_providers() -> Dict[str, Dict[str, str]]:
+    """Get available model providers and their models."""
+    return {
+        "Google GenAI": {
+            "gemini-2.0-flash": "google_genai:gemini-2.0-flash",
+            "gemini-2.0-flash-lite": "google_genai:gemini-2.0-flash-lite",
+            "gemini-2.5-flash-lite": "google_genai:gemini-2.5-flash-lite",
+        },
+        "Groq": {
+            "openai/gpt-oss-120b": "groq:openai/gpt-oss-120b",
+            "moonshotai/kimi-k2-instruct-0905": "groq:moonshotai/kimi-k2-instruct-0905",
+        },
+        "OpenAI": {"gpt-4o": "openai:gpt-4o", "gpt-4.1": "openai:gpt-4.1"},
+    }
+
+
+def get_api_key_help() -> Dict[str, str]:
+    """Get API key help information for each provider."""
+    return {
+        "Google GenAI": "https://aistudio.google.com/app/apikey",
+        "Groq": "https://console.groq.com/keys",
+        "OpenAI": "https://platform.openai.com/api-keys",
+    }
+
+
+def setup_temp_directories(temp_dir: str) -> Dict[str, str]:
+    """Setup temporary directories for the pipeline."""
+    log_files_dir = os.path.join(temp_dir, "log_files")
+    analysis_dir = os.path.join(temp_dir, "analysis")
+    final_response_dir = os.path.join(temp_dir, "final_response")
+
+    os.makedirs(log_files_dir, exist_ok=True)
+    os.makedirs(analysis_dir, exist_ok=True)
+    os.makedirs(final_response_dir, exist_ok=True)
+
+    return {
+        "log_files": log_files_dir,
+        "analysis": analysis_dir,
+        "final_response": final_response_dir,
+    }
+
+
+def save_uploaded_file(uploaded_file, temp_dir: str) -> str:
+    """Save uploaded file to temporary directory."""
+    log_files_dir = os.path.join(temp_dir, "log_files")
+    file_path = os.path.join(log_files_dir, uploaded_file.name)
+
+    with open(file_path, "wb") as f:
+        f.write(uploaded_file.getbuffer())
+
+    return file_path
+
+
+def run_analysis(
+    log_file_path: str,
+    model_name: str,
+    query: str,
+    temp_dirs: Dict[str, str],
+    api_key: str,
+    provider: str,
+) -> Dict[str, Any]:
+    """Run the cybersecurity analysis pipeline."""
+
+    # Set environment variable for API key
+    if provider == "Google GenAI":
+        os.environ["GOOGLE_API_KEY"] = api_key
+    elif provider == "Groq":
+        os.environ["GROQ_API_KEY"] = api_key
+    elif provider == "OpenAI":
+        os.environ["OPENAI_API_KEY"] = api_key
+
+    try:
+        # Run the analysis pipeline
+        result = analyze_log_file(
+            log_file=log_file_path,
+            query=query,
+            tactic=None,
+            model_name=model_name,
+            temperature=0.1,
+            log_agent_output_dir=temp_dirs["analysis"],
+            response_agent_output_dir=temp_dirs["final_response"],
+        )
+        return {"success": True, "result": result}
+    except Exception as e:
+        return {"success": False, "error": str(e)}
+
+
+def main():
+    """Main Streamlit app."""
+
+    if os.getenv("HF_TOKEN"):
+        huggingface_login(token=os.getenv("HF_TOKEN"))
+
+    st.set_page_config(
+        page_title="Cybersecurity Agent Pipeline", page_icon="🛡️", layout="wide"
+    )
+
+    st.title("Cybersecurity Agent Pipeline")
+    st.markdown(
+        "Upload a log file and analyze it using advanced LLM-based cybersecurity agents."
+    )
+
+    # Sidebar for configuration
+    with st.sidebar:
+        st.header("Configuration")
+
+        # Model selection
+        providers = get_model_providers()
+        selected_provider = st.selectbox(
+            "Select Model Provider", list(providers.keys())
+        )
+
+        available_models = providers[selected_provider]
+        selected_model_display = st.selectbox(
+            "Select Model", list(available_models.keys())
+        )
+        selected_model = available_models[selected_model_display]
+
+        # API Key input with help
+        st.subheader("API Key")
+        api_key_help = get_api_key_help()
+
+        with st.expander("How to get API key", expanded=False):
+            st.markdown(f"**{selected_provider}**:")
+            st.markdown(f"[Get API Key]({api_key_help[selected_provider]})")
+
+        api_key = st.text_input(
+            f"Enter {selected_provider} API Key",
+            type="password",
+            help=f"Your {selected_provider} API key",
+        )
+
+        # Additional query
+        st.subheader("Additional Context")
+        user_query = st.text_area(
+            "Optional Query",
+            placeholder="e.g., 'Focus on credential access attacks'",
+            help="Provide additional context or specific focus areas for the analysis",
+        )
+
+    # Main content area
+    col1, col2 = st.columns([2, 1])
+
+    with col1:
+        st.header("Upload Log File")
+        uploaded_file = st.file_uploader(
+            "Choose a JSON log file",
+            type=["json"],
+            help="Upload a JSON log file from the Mordor dataset or similar security logs",
+        )
+
+    with col2:
+        st.header("Analysis Status")
+        if uploaded_file is not None:
+            st.success(f"File uploaded: {uploaded_file.name}")
+            st.info(f"Size: {uploaded_file.size:,} bytes")
+        else:
+            st.warning("Please upload a log file")
+
+    # Run analysis button
+    if st.button(
+        "Run Analysis", type="primary", disabled=not (uploaded_file and api_key)
+    ):
+        if not uploaded_file:
+            st.error("Please upload a log file first.")
+            return
+
+        if not api_key:
+            st.error("Please enter your API key.")
+            return
+
+        # Create temporary directory
+        temp_dir = tempfile.mkdtemp(prefix="cyber_agent_")
+
+        try:
+            # Setup directories
+            temp_dirs = setup_temp_directories(temp_dir)
+
+            # Save uploaded file
+            log_file_path = save_uploaded_file(uploaded_file, temp_dir)
+
+            # Show progress
+            progress_bar = st.progress(0)
+            status_text = st.empty()
+
+            status_text.text("Initializing analysis...")
+            progress_bar.progress(10)
+
+            # Run analysis
+            status_text.text("Running cybersecurity analysis...")
+            progress_bar.progress(50)
+
+            analysis_result = run_analysis(
+                log_file_path=log_file_path,
+                model_name=selected_model,
+                query=user_query,
+                temp_dirs=temp_dirs,
+                api_key=api_key,
+                provider=selected_provider,
+            )
+
+            progress_bar.progress(90)
+            status_text.text("Finalizing results...")
+
+            if analysis_result["success"]:
+                progress_bar.progress(100)
+                status_text.text("Analysis completed successfully!")
+
+                # Display results
+                st.header("Analysis Results")
+
+                result = analysis_result["result"]
+
+                # Show key metrics
+                col1, col2, col3 = st.columns(3)
+
+                with col1:
+                    assessment = result.get("log_analysis_result", {}).get(
+                        "overall_assessment", "Unknown"
+                    )
+                    st.metric("Overall Assessment", assessment)
+
+                with col2:
+                    abnormal_events = result.get("log_analysis_result", {}).get(
+                        "abnormal_events", []
+                    )
+                    st.metric("Abnormal Events", len(abnormal_events))
+
+                with col3:
+                    execution_time = result.get("execution_time", "N/A")
+                    st.metric(
+                        "Execution Time",
+                        (
+                            f"{execution_time:.2f}s"
+                            if isinstance(execution_time, (int, float))
+                            else execution_time
+                        ),
+                    )
+
+                # Show markdown report
+                markdown_report = result.get("markdown_report", "")
+                if markdown_report:
+                    st.header("Detailed Report")
+                    st.markdown(markdown_report)
+                else:
+                    st.warning("No detailed report generated.")
+
+            else:
+                st.error(f"Analysis failed: {analysis_result['error']}")
+                st.exception(analysis_result["error"])
+
+        finally:
+            # Cleanup temporary directory
+            try:
+                shutil.rmtree(temp_dir)
+            except Exception as e:
+                st.warning(f"Could not clean up temporary directory: {e}")
+
+    # Footer
+    st.markdown("---")
+    st.markdown(
+        "**Cybersecurity Agent Pipeline** - Powered by LangGraph and LangChain | "
+        "Built for educational purposes demonstrating LLM-based multi-agent systems"
+    )
+
+
+if __name__ == "__main__":
+    main()

cyber_knowledge_base/bm25_retriever.pkl

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0988976cad39234f7fab73e71ab0c9d8c6d5c609c556ae9751fde7730e903f0b
+size 5110282

cyber_knowledge_base/chroma/.gitignore

@@ -0,0 +1 @@
+*.sqlite3

cyber_knowledge_base/chroma/1ab81415-9731-4a9a-8d06-afc7fc190d32/.gitignore

@@ -0,0 +1 @@
+*.bin

cyber_knowledge_base/chroma/1ab81415-9731-4a9a-8d06-afc7fc190d32/data_level0.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:95e2ea8a0724a2545afa94c485a99b5fde88d7dc842a137705ea87b74c477d35
+size 321200

cyber_knowledge_base/chroma/1ab81415-9731-4a9a-8d06-afc7fc190d32/header.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03cb3ac86f3e5bcb15e88b9bf99f760ec6b33e31d64a699e129b49868db6d733
+size 100

cyber_knowledge_base/chroma/1ab81415-9731-4a9a-8d06-afc7fc190d32/length.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:854a86c445127b39997823da48a8556580ebaa06cc7c1289151300c1b9115efc
+size 400

cyber_knowledge_base/chroma/1ab81415-9731-4a9a-8d06-afc7fc190d32/link_lists.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+size 0

cyber_knowledge_base/chroma/76f221d1-5f9d-44f8-8c9c-f610482d9b15/data_level0.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0f4fa01cff4dbc86c1cd162ee63e986ce0f9083e3bda7c73f04ed671c38f4dcd
+size 2180948

cyber_knowledge_base/chroma/76f221d1-5f9d-44f8-8c9c-f610482d9b15/header.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1703590965d586b54b7ec6768894f349c76690c5916512cb679891d0b644d6f0
+size 100

cyber_knowledge_base/chroma/76f221d1-5f9d-44f8-8c9c-f610482d9b15/index_metadata.pickle

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:975f009a15eeea6560c1c8c00180ede3b6074c2cad6d4a900fc38cc91a35390a
+size 62596

cyber_knowledge_base/chroma/76f221d1-5f9d-44f8-8c9c-f610482d9b15/length.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:add85c66e3321d0c9e1c84557ba1f784ed8551326ea3e6e666bfd1711d0bee9d
+size 2716

cyber_knowledge_base/chroma/76f221d1-5f9d-44f8-8c9c-f610482d9b15/link_lists.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46fd6dec85beb221c57b3ed5bc46356e172229d9efcf1d9e67d53fb861d46cdb
+size 5776

cyber_knowledge_base/chroma/chroma.sqlite3

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8d37398e05987708a52fd527d0a7dfeba9b060d12385c7cd7df264f2fc6b66c7
+size 12853248

requirements.txt

@@ -1,3 +1,607 @@
-altair
-pandas
-streamlit
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --output-file=-
+#
+aiohappyeyeballs==2.6.1
+    # via aiohttp
+aiohttp==3.13.1
+    # via
+    #   langchain
+    #   langchain-community
+    #   langchain-tavily
+aiosignal==1.4.0
+    # via aiohttp
+annotated-types==0.7.0
+    # via pydantic
+antlr4-python3-runtime==4.9.3
+    # via stix2-patterns
+anyio==4.11.0
+    # via
+    #   groq
+    #   httpx
+    #   openai
+    #   watchfiles
+argparse==1.4.0
+    # via -r requirements.in
+attrs==25.4.0
+    # via
+    #   aiohttp
+    #   jsonschema
+    #   referencing
+backoff==2.2.1
+    # via posthog
+bcrypt==5.0.0
+    # via chromadb
+build==1.3.0
+    # via chromadb
+cachetools==6.2.1
+    # via google-auth
+certifi==2025.10.5
+    # via
+    #   httpcore
+    #   httpx
+    #   kubernetes
+    #   requests
+charset-normalizer==3.4.4
+    # via
+    #   -r requirements.in
+    #   requests
+chromadb==1.2.2
+    # via
+    #   -r requirements.in
+    #   langchain-chroma
+click==8.3.0
+    # via
+    #   nltk
+    #   typer
+    #   uvicorn
+colorama==0.4.6
+    # via
+    #   build
+    #   click
+    #   loguru
+    #   tqdm
+    #   uvicorn
+coloredlogs==15.0.1
+    # via onnxruntime
+colour==0.1.5
+    # via mitreattack-python
+dataclasses-json==0.6.7
+    # via
+    #   langchain
+    #   langchain-community
+deepdiff==8.6.1
+    # via mitreattack-python
+distro==1.9.0
+    # via
+    #   groq
+    #   openai
+    #   posthog
+drawsvg==2.4.0
+    # via mitreattack-python
+durationpy==0.10
+    # via kubernetes
+et-xmlfile==2.0.0
+    # via openpyxl
+filelock==3.20.0
+    # via
+    #   huggingface-hub
+    #   torch
+    #   transformers
+filetype==1.2.0
+    # via langchain-google-genai
+flatbuffers==25.9.23
+    # via onnxruntime
+frozenlist==1.8.0
+    # via
+    #   aiohttp
+    #   aiosignal
+fsspec==2025.9.0
+    # via
+    #   huggingface-hub
+    #   torch
+google-ai-generativelanguage==0.9.0
+    # via langchain-google-genai
+google-api-core[grpc]==2.27.0
+    # via google-ai-generativelanguage
+google-auth==2.41.1
+    # via
+    #   google-ai-generativelanguage
+    #   google-api-core
+    #   kubernetes
+googleapis-common-protos==1.71.0
+    # via
+    #   -r requirements.in
+    #   google-api-core
+    #   grpcio-status
+    #   opentelemetry-exporter-otlp-proto-grpc
+greenlet==3.2.4
+    # via sqlalchemy
+groq==0.33.0
+    # via langchain-groq
+grpcio==1.76.0
+    # via
+    #   chromadb
+    #   google-ai-generativelanguage
+    #   google-api-core
+    #   grpcio-status
+    #   opentelemetry-exporter-otlp-proto-grpc
+grpcio-status==1.76.0
+    # via google-api-core
+h11==0.16.0
+    # via
+    #   httpcore
+    #   uvicorn
+httpcore==1.0.9
+    # via httpx
+httptools==0.7.1
+    # via uvicorn
+httpx==0.28.1
+    # via
+    #   chromadb
+    #   groq
+    #   langgraph-sdk
+    #   langsmith
+    #   ollama
+    #   openai
+httpx-sse==0.4.3
+    # via langchain-community
+huggingface-hub==0.36.0
+    # via
+    #   -r requirements.in
+    #   langchain-huggingface
+    #   sentence-transformers
+    #   tokenizers
+    #   transformers
+humanfriendly==10.0
+    # via coloredlogs
+idna==3.11
+    # via
+    #   anyio
+    #   httpx
+    #   requests
+    #   yarl
+importlib-metadata==8.7.0
+    # via opentelemetry-api
+importlib-resources==6.5.2
+    # via chromadb
+jinja2==3.1.6
+    # via torch
+jiter==0.11.1
+    # via openai
+joblib==1.5.2
+    # via
+    #   nltk
+    #   scikit-learn
+jsonpatch==1.33
+    # via langchain-core
+jsonpointer==3.0.0
+    # via jsonpatch
+jsonschema==4.25.1
+    # via chromadb
+jsonschema-specifications==2025.9.1
+    # via jsonschema
+kubernetes==34.1.0
+    # via chromadb
+langchain==0.3.27
+    # via
+    #   -r requirements.in
+    #   langchain-community
+    #   langchain-tavily
+langchain-chroma==0.2.6
+    # via -r requirements.in
+langchain-community==0.3.31
+    # via -r requirements.in
+langchain-core==0.3.79
+    # via
+    #   -r requirements.in
+    #   langchain
+    #   langchain-chroma
+    #   langchain-community
+    #   langchain-google-genai
+    #   langchain-groq
+    #   langchain-huggingface
+    #   langchain-ollama
+    #   langchain-openai
+    #   langchain-tavily
+    #   langchain-text-splitters
+    #   langgraph
+    #   langgraph-checkpoint
+    #   langgraph-prebuilt
+    #   langgraph-supervisor
+langchain-google-genai==2.1.12
+    # via -r requirements.in
+langchain-groq==0.3.8
+    # via -r requirements.in
+langchain-huggingface==0.3.1
+    # via -r requirements.in
+langchain-ollama==0.3.10
+    # via -r requirements.in
+langchain-openai==0.3.35
+    # via -r requirements.in
+langchain-tavily==0.2.12
+    # via -r requirements.in
+langchain-text-splitters==0.3.11
+    # via
+    #   -r requirements.in
+    #   langchain
+langgraph==0.6.11
+    # via
+    #   -r requirements.in
+    #   langgraph-supervisor
+langgraph-checkpoint==3.0.0
+    # via
+    #   langgraph
+    #   langgraph-prebuilt
+langgraph-prebuilt==0.6.5
+    # via
+    #   -r requirements.in
+    #   langgraph
+langgraph-sdk==0.2.9
+    # via langgraph
+langgraph-supervisor==0.0.29
+    # via -r requirements.in
+langsmith==0.4.38
+    # via
+    #   -r requirements.in
+    #   langchain
+    #   langchain-community
+    #   langchain-core
+loguru==0.7.3
+    # via mitreattack-python
+markdown==3.9
+    # via mitreattack-python
+markdown-it-py==4.0.0
+    # via rich
+markupsafe==3.0.3
+    # via jinja2
+marshmallow==3.26.1
+    # via dataclasses-json
+mdurl==0.1.2
+    # via markdown-it-py
+mitreattack-python==5.1.0
+    # via -r requirements.in
+mmh3==5.2.0
+    # via chromadb
+mpmath==1.3.0
+    # via sympy
+multidict==6.7.0
+    # via
+    #   aiohttp
+    #   yarl
+mypy-extensions==1.1.0
+    # via typing-inspect
+networkx==3.5
+    # via torch
+nltk==3.9.2
+    # via -r requirements.in
+numpy==2.3.4
+    # via
+    #   chromadb
+    #   langchain-chroma
+    #   langchain-community
+    #   mitreattack-python
+    #   onnxruntime
+    #   pandas
+    #   rank-bm25
+    #   scikit-learn
+    #   scipy
+    #   transformers
+oauthlib==3.3.1
+    # via requests-oauthlib
+ollama==0.6.0
+    # via langchain-ollama
+onnxruntime==1.23.2
+    # via chromadb
+openai==2.6.1
+    # via langchain-openai
+openpyxl==3.1.5
+    # via mitreattack-python
+opentelemetry-api==1.38.0
+    # via
+    #   chromadb
+    #   opentelemetry-exporter-otlp-proto-grpc
+    #   opentelemetry-sdk
+    #   opentelemetry-semantic-conventions
+opentelemetry-exporter-otlp-proto-common==1.38.0
+    # via opentelemetry-exporter-otlp-proto-grpc
+opentelemetry-exporter-otlp-proto-grpc==1.38.0
+    # via chromadb
+opentelemetry-proto==1.38.0
+    # via
+    #   opentelemetry-exporter-otlp-proto-common
+    #   opentelemetry-exporter-otlp-proto-grpc
+opentelemetry-sdk==1.38.0
+    # via
+    #   chromadb
+    #   opentelemetry-exporter-otlp-proto-grpc
+opentelemetry-semantic-conventions==0.59b0
+    # via opentelemetry-sdk
+orderly-set==5.5.0
+    # via deepdiff
+orjson==3.11.4
+    # via
+    #   chromadb
+    #   langgraph-sdk
+    #   langsmith
+ormsgpack==1.11.0
+    # via langgraph-checkpoint
+overrides==7.7.0
+    # via chromadb
+packaging==25.0
+    # via
+    #   build
+    #   huggingface-hub
+    #   langchain-core
+    #   langsmith
+    #   marshmallow
+    #   onnxruntime
+    #   pooch
+    #   transformers
+pandas==2.3.3
+    # via mitreattack-python
+pillow==12.0.0
+    # via
+    #   mitreattack-python
+    #   sentence-transformers
+platformdirs==4.5.0
+    # via pooch
+pooch==1.8.2
+    # via mitreattack-python
+posthog==5.4.0
+    # via chromadb
+propcache==0.4.1
+    # via
+    #   aiohttp
+    #   yarl
+proto-plus==1.26.1
+    # via
+    #   google-ai-generativelanguage
+    #   google-api-core
+protobuf==6.33.0
+    # via
+    #   -r requirements.in
+    #   google-ai-generativelanguage
+    #   google-api-core
+    #   googleapis-common-protos
+    #   grpcio-status
+    #   onnxruntime
+    #   opentelemetry-proto
+    #   proto-plus
+pyasn1==0.6.1
+    # via
+    #   pyasn1-modules
+    #   rsa
+pyasn1-modules==0.4.2
+    # via google-auth
+pybase64==1.4.2
+    # via chromadb
+pydantic==2.12.3
+    # via
+    #   -r requirements.in
+    #   chromadb
+    #   groq
+    #   langchain
+    #   langchain-core
+    #   langchain-google-genai
+    #   langgraph
+    #   langsmith
+    #   ollama
+    #   openai
+    #   pydantic-settings
+pydantic-core==2.41.4
+    # via pydantic
+pydantic-settings==2.11.0
+    # via langchain-community
+pygments==2.19.2
+    # via rich
+pypdf2==3.0.1
+    # via -r requirements.in
+pypika==0.48.9
+    # via chromadb
+pyproject-hooks==1.2.0
+    # via build
+pyreadline3==3.5.4
+    # via humanfriendly
+python-dateutil==2.9.0.post0
+    # via
+    #   kubernetes
+    #   mitreattack-python
+    #   pandas
+    #   posthog
+python-dotenv==1.2.1
+    # via
+    #   -r requirements.in
+    #   pydantic-settings
+    #   uvicorn
+pytz==2025.2
+    # via
+    #   pandas
+    #   stix2
+pyyaml==6.0.3
+    # via
+    #   chromadb
+    #   huggingface-hub
+    #   kubernetes
+    #   langchain
+    #   langchain-community
+    #   langchain-core
+    #   transformers
+    #   uvicorn
+rank-bm25==0.2.2
+    # via -r requirements.in
+referencing==0.37.0
+    # via
+    #   jsonschema
+    #   jsonschema-specifications
+regex==2025.10.23
+    # via
+    #   nltk
+    #   tiktoken
+    #   transformers
+requests==2.32.5
+    # via
+    #   -r requirements.in
+    #   google-api-core
+    #   huggingface-hub
+    #   kubernetes
+    #   langchain
+    #   langchain-community
+    #   langchain-tavily
+    #   langsmith
+    #   mitreattack-python
+    #   pooch
+    #   posthog
+    #   requests-oauthlib
+    #   requests-toolbelt
+    #   stix2
+    #   tiktoken
+    #   transformers
+requests-oauthlib==2.0.0
+    # via kubernetes
+requests-toolbelt==1.0.0
+    # via langsmith
+rich==14.2.0
+    # via
+    #   chromadb
+    #   mitreattack-python
+    #   typer
+rpds-py==0.28.0
+    # via
+    #   jsonschema
+    #   referencing
+rsa==4.9.1
+    # via google-auth
+safetensors==0.6.2
+    # via transformers
+scikit-learn==1.7.2
+    # via sentence-transformers
+scipy==1.16.2
+    # via
+    #   scikit-learn
+    #   sentence-transformers
+sentence-transformers==5.1.2
+    # via -r requirements.in
+shellingham==1.5.4
+    # via typer
+simplejson==3.20.2
+    # via stix2
+six==1.17.0
+    # via
+    #   kubernetes
+    #   posthog
+    #   python-dateutil
+    #   stix2-patterns
+sniffio==1.3.1
+    # via
+    #   anyio
+    #   groq
+    #   openai
+sqlalchemy==2.0.44
+    # via
+    #   langchain
+    #   langchain-community
+stix2==3.0.1
+    # via mitreattack-python
+stix2-patterns==2.0.0
+    # via stix2
+sympy==1.14.0
+    # via
+    #   onnxruntime
+    #   torch
+tabulate==0.9.0
+    # via mitreattack-python
+tenacity==9.1.2
+    # via
+    #   chromadb
+    #   langchain-community
+    #   langchain-core
+threadpoolctl==3.6.0
+    # via scikit-learn
+tiktoken==0.12.0
+    # via langchain-openai
+tokenizers==0.22.1
+    # via
+    #   chromadb
+    #   langchain-huggingface
+    #   transformers
+torch==2.9.0
+    # via
+    #   -r requirements.in
+    #   sentence-transformers
+tqdm==4.67.1
+    # via
+    #   chromadb
+    #   huggingface-hub
+    #   mitreattack-python
+    #   nltk
+    #   openai
+    #   sentence-transformers
+    #   transformers
+transformers==4.57.1
+    # via
+    #   -r requirements.in
+    #   sentence-transformers
+typer==0.20.0
+    # via
+    #   chromadb
+    #   mitreattack-python
+typing-extensions==4.15.0
+    # via
+    #   aiosignal
+    #   anyio
+    #   chromadb
+    #   groq
+    #   grpcio
+    #   huggingface-hub
+    #   langchain-core
+    #   openai
+    #   opentelemetry-api
+    #   opentelemetry-exporter-otlp-proto-grpc
+    #   opentelemetry-sdk
+    #   opentelemetry-semantic-conventions
+    #   pydantic
+    #   pydantic-core
+    #   referencing
+    #   sentence-transformers
+    #   sqlalchemy
+    #   torch
+    #   typer
+    #   typing-inspect
+    #   typing-inspection
+typing-inspect==0.9.0
+    # via dataclasses-json
+typing-inspection==0.4.2
+    # via
+    #   pydantic
+    #   pydantic-settings
+tzdata==2025.2
+    # via pandas
+urllib3==2.3.0
+    # via
+    #   kubernetes
+    #   requests
+uvicorn[standard]==0.38.0
+    # via chromadb
+watchfiles==1.1.1
+    # via uvicorn
+websocket-client==1.9.0
+    # via kubernetes
+websockets==15.0.1
+    # via uvicorn
+wheel==0.45.1
+    # via mitreattack-python
+win32-setctime==1.2.0
+    # via loguru
+xlsxwriter==3.2.9
+    # via mitreattack-python
+xxhash==3.6.0
+    # via langgraph
+yarl==1.22.0
+    # via aiohttp
+zipp==3.23.0
+    # via importlib-metadata
+zstandard==0.25.0
+    # via langsmith

run_app.py

@@ -0,0 +1,53 @@
+"""
+Simple script to run the Streamlit cybersecurity agent web app.
+"""
+
+import subprocess
+import sys
+import os
+from pathlib import Path
+
+
+def main():
+    """Run the Streamlit app."""
+    # Get the directory where this script is located
+    script_dir = Path(__file__).parent
+    app_path = script_dir / "app.py"
+
+    if not app_path.exists():
+        print(f"Error: app.py not found at {app_path}")
+        sys.exit(1)
+
+    print("Starting Cybersecurity Agent Web App...")
+    print("=" * 50)
+    print("The app will open in your default web browser.")
+    print("If it doesn't open automatically, go to: http://localhost:8501")
+    print("=" * 50)
+    print()
+
+    try:
+        # Run streamlit with the app
+        subprocess.run(
+            [
+                sys.executable,
+                "-m",
+                "streamlit",
+                "run",
+                str(app_path),
+                "--server.port",
+                "8501",
+                "--server.address",
+                "localhost",
+            ],
+            check=True,
+        )
+    except subprocess.CalledProcessError as e:
+        print(f"Error running Streamlit: {e}")
+        sys.exit(1)
+    except KeyboardInterrupt:
+        print("\nApp stopped by user.")
+        sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

src/agents/correlation_agent/correlation_logic.py

@@ -0,0 +1,449 @@
+from typing import Dict, Any, List, Optional
+from datetime import datetime
+import json
+from langchain_core.messages import HumanMessage, AIMessage
+from langchain_core.tools import tool
+from langgraph.prebuilt import create_react_agent
+from langgraph.graph import StateGraph, END
+from langchain_openai import ChatOpenAI, OpenAIEmbeddings
+from pydantic import BaseModel, Field, ConfigDict
+from sklearn.metrics.pairwise import cosine_similarity
+import numpy as np
+from .types import LogInput, MitreInput, CorrelationOutput, ThreatLevel, ConfidenceLevel, MatchedTechnique
+
+embeddings = OpenAIEmbeddings(model="text-embedding-3-small")
+
+
+# State schema for correlation workflow
+class CorrelationState(BaseModel):
+    """State schema for correlation workflow."""
+    analysis_request: str = ""
+    agent_output: Optional[str] = None
+    structured_response: Optional[Dict[str, Any]] = None
+    model_config = ConfigDict(arbitrary_types_allowed=True)
+
+
+# Structured response schemas
+class MatchedTechniqueItem(BaseModel):
+    """Schema for individual matched technique."""
+    technique_id: str = Field(..., description="MITRE technique ID")
+    match_confidence: float = Field(..., ge=0.0, le=1.0, description="Correlation confidence 0-1")
+    evidence: str = Field(..., description="Concise evidence string")
+    validation_result: str = Field(..., description="correlated | weak | false_positive")
+    model_config = ConfigDict(extra='forbid')
+
+
+class CorrelationStructuredResponse(BaseModel):
+    """Structured response schema for correlation analysis output."""
+    correlation_score: float = Field(..., description="Overall aggregate correlation score (0-1)")
+    threat_level: str = Field(..., description="low | medium | high | critical")
+    confidence: str = Field(..., description="low | medium | high")
+    matched_techniques: List[MatchedTechniqueItem] = Field(
+        default_factory=list,
+        description="Top 3-5 matched techniques"
+    )
+    reasoning: str = Field(..., description="Concise synthesis / justification of assessment (<150 words)")
+    model_config = ConfigDict(extra='forbid')
+
+
+# Helper function for JSON parsing
+def parse_json_input(data: Any) -> Any:
+    """Parse JSON string or return as-is if already parsed."""
+    return json.loads(data) if isinstance(data, str) else data
+
+
+@tool
+def correlate_log_with_technique(technique_data: str, log_processes: List[str], log_anomalies: List[str]) -> str:
+    """Semantic correlation between log data and MITRE technique using embeddings."""
+    try:
+        technique = parse_json_input(technique_data)
+    except:
+        return json.dumps({"error": "Invalid technique data format"})
+    
+    technique_id = technique.get('attack_id', 'Unknown')
+    technique_name = technique.get('name', 'Unknown')
+    technique_description = technique.get('description', '')
+    
+    if not technique_description:
+        return json.dumps({
+            "technique_id": technique_id,
+            "technique_name": technique_name,
+            "correlation_score": 0.0,
+            "process_matches": [],
+            "anomaly_matches": [],
+            "match_quality": "weak"
+        })
+    
+    # Semantic matching using embeddings
+    try:
+        technique_embedding = np.array(embeddings.embed_query(technique_description)).reshape(1, -1)
+        
+        # Process matching
+        process_matches = []
+        process_scores = []
+        for process in log_processes:
+            if not process.strip():
+                continue
+            process_embedding = np.array(embeddings.embed_query(process)).reshape(1, -1)
+            similarity = cosine_similarity(technique_embedding, process_embedding)[0][0]
+            if similarity > 0.6:
+                process_matches.append(process)
+                process_scores.append(float(similarity))
+        
+        # Anomaly matching
+        anomaly_matches = []
+        anomaly_scores = []
+        for anomaly in log_anomalies:
+            if not str(anomaly).strip():
+                continue
+            anomaly_embedding = np.array(embeddings.embed_query(str(anomaly))).reshape(1, -1)
+            similarity = cosine_similarity(technique_embedding, anomaly_embedding)[0][0]
+            if similarity > 0.5:
+                anomaly_matches.append(anomaly)
+                anomaly_scores.append(float(similarity))
+        
+        # Calculate correlation score
+        avg_process_score = np.mean(process_scores) if process_scores else 0.0
+        avg_anomaly_score = np.mean(anomaly_scores) if anomaly_scores else 0.0
+        correlation_score = (avg_process_score + avg_anomaly_score) / 2
+        
+    except Exception as e:
+        # Fallback to keyword matching
+        print(f"[WARN] Semantic correlation failed: {e}, using fallback")
+        keywords = technique_description.lower().split()[:5]
+        process_matches = [p for p in log_processes if any(k in p.lower() for k in keywords)]
+        anomaly_matches = [a for a in log_anomalies if any(k in str(a).lower() for k in keywords)]
+        correlation_score = 0.3 if (process_matches or anomaly_matches) else 0.1
+    
+    return json.dumps({
+        "technique_id": technique_id,
+        "technique_name": technique_name,
+        "correlation_score": round(float(correlation_score), 3),
+        "process_matches": process_matches,
+        "anomaly_matches": anomaly_matches,
+        "match_quality": "strong" if correlation_score > 0.7 else "moderate" if correlation_score > 0.5 else "weak"
+    })
+
+@tool
+def correlate_all_techniques(techniques: str, log_processes: str, log_anomalies: str) -> str:
+    """Correlate all MITRE techniques with log data."""
+    try:
+        technique_list = parse_json_input(techniques)
+        processes = parse_json_input(log_processes)
+        anomalies = parse_json_input(log_anomalies)
+    except:
+        return json.dumps({"error": "Invalid input format"})
+    
+    correlations = [
+        json.loads(correlate_log_with_technique(tech, processes, anomalies))
+        for tech in technique_list
+    ]
+    
+    correlations.sort(key=lambda x: x['correlation_score'], reverse=True)
+    
+    return json.dumps({
+        "correlations": correlations,
+        "top_matches": correlations[:3],
+        "total_techniques": len(correlations),
+        "strong_matches": len([c for c in correlations if c['correlation_score'] > 0.7])
+    })
+
+@tool
+def calculate_confidence(
+    correlation_score: float, 
+    log_severity: str = "medium", 
+    mitre_confidence: float = 0.5,
+    num_matched_techniques: int = 1,
+    match_quality: str = "moderate"
+) -> str:
+    """
+    Sophisticated confidence calculation using Bayesian-inspired weighted scoring.
+    """
+    
+    # Weight distribution based on cybersecurity research
+    WEIGHTS = {
+        'correlation': 0.50,   # Primary indicator - semantic match quality
+        'evidence': 0.25,      # Evidence strength (quality + quantity)
+        'mitre_prior': 0.15,   # Bayesian prior from MITRE analysis
+        'severity': 0.10       # Contextual severity adjustment
+    }
+    
+    # Quality scores based on semantic similarity thresholds
+    quality_scores = {'strong': 1.0, 'moderate': 0.7, 'weak': 0.4}
+    quality_score = quality_scores.get(match_quality.lower(), 0.7)
+    
+    # Quantity factor with diminishing returns
+    quantity_factor = min(1.0, 0.5 + (num_matched_techniques * 0.15))
+    evidence_component = quality_score * quantity_factor
+    
+    # Severity scores based on CVSS principles
+    severity_scores = {'critical': 1.0, 'high': 0.85, 'medium': 0.6, 'low': 0.35}
+    severity_component = severity_scores.get(log_severity.lower(), 0.6)
+    
+    # Weighted combination
+    overall_confidence = (
+        WEIGHTS['correlation'] * correlation_score +
+        WEIGHTS['evidence'] * evidence_component +
+        WEIGHTS['mitre_prior'] * mitre_confidence +
+        WEIGHTS['severity'] * severity_component
+    )
+    
+    # Cap at 0.95 to avoid overconfidence bias
+    overall_confidence = min(overall_confidence, 0.95)
+    
+    # Uncertainty penalty for weak single matches
+    if num_matched_techniques == 1 and match_quality.lower() == 'weak':
+        overall_confidence *= 0.8
+    
+    # Determine confidence level (FIRST/NIST guidelines)
+    if overall_confidence >= 0.75:
+        level = "high"
+    elif overall_confidence >= 0.50:
+        level = "medium"
+    else:
+        level = "low"
+    
+    reasoning = (
+        f"Correlation: {correlation_score:.2f} ({WEIGHTS['correlation']}) | "
+        f"Evidence: {num_matched_techniques} {match_quality} ({WEIGHTS['evidence']}) | "
+        f"MITRE: {mitre_confidence:.2f} ({WEIGHTS['mitre_prior']}) | "
+        f"Severity: {log_severity} ({WEIGHTS['severity']})"
+    )
+    
+    return json.dumps({
+        "confidence_score": round(overall_confidence, 3),
+        "confidence_level": level,
+        "reasoning": reasoning,
+        "methodology": "Bayesian weighted scoring (Hutchins 2011, NIST SP 800-150)"
+    })
+
+
+# Constants for default fallback
+DEFAULT_CORRELATION_DATA = {
+    "correlation_score": 0.5,
+    "threat_level": "medium",
+    "confidence": "medium",
+    "matched_techniques": [],
+    "reasoning": "Workflow failed to produce correlation data"
+}
+
+
+def create_correlation_workflow() -> Optional[Any]:
+    """
+    Create correlation workflow with structured output using StateGraph.
+    
+    Workflow: START → correlation_agent → structure_output → END
+    """
+    if ChatOpenAI is None:
+        print("[WARN] Missing ChatOpenAI dependency. Returning None.")
+        return None
+
+    # ReAct agent with all tools
+    correlation_agent = create_react_agent(
+        model="openai:gpt-4o",
+        tools=[correlate_all_techniques, correlate_log_with_technique, calculate_confidence],
+        name="correlation_agent",
+    )
+    
+    # LLM for structured output extraction
+    structured_llm = ChatOpenAI(model="gpt-4o").with_structured_output(
+        CorrelationStructuredResponse,
+        method="json_schema"
+    )
+    
+    def agent_node(state: CorrelationState) -> CorrelationState:
+        """Execute the correlation agent with tools."""
+        agent_prompt = (
+            f"{state.analysis_request}\n\n"
+            "Instructions:\n"
+            "1. Use correlate_all_techniques to get correlation scores for all techniques.\n"
+            "2. Analyze the top matches and their correlation scores.\n"
+            "3. Use calculate_confidence with:\n"
+            "   - correlation_score: highest or average correlation score\n"
+            "   - log_severity: from log data\n"
+            "   - mitre_confidence: from MITRE data\n"
+            "   - num_matched_techniques: count of techniques with score > 0.5\n"
+            "   - match_quality: 'strong' (>0.7), 'moderate' (0.5-0.7), or 'weak' (<0.5)\n"
+            "4. Summarize findings with evidence and reasoning.\n"
+        )
+        
+        result = correlation_agent.invoke({"messages": [HumanMessage(content=agent_prompt)]})
+        
+        # Extract agent's final message
+        for msg in reversed(result.get("messages", [])):
+            if isinstance(msg, AIMessage):
+                state.agent_output = msg.content
+                break
+        
+        return state
+    
+    def structure_output_node(state: CorrelationState) -> CorrelationState:
+        """Extract structured output from agent's analysis."""
+        structure_prompt = f"""Based on the correlation analysis, provide a structured assessment.
+
+Analysis:
+{state.agent_output}
+
+Original Request:
+{state.analysis_request}
+
+Extract:
+- correlation_score: Overall score (0-1)
+- threat_level: low/medium/high/critical
+- confidence: low/medium/high from confidence calculation
+- matched_techniques: Top 3-5 with IDs, confidence, evidence, validation
+- reasoning: Concise synthesis (max 150 words)"""
+        
+        try:
+            structured_result = structured_llm.invoke(structure_prompt)
+            
+            if isinstance(structured_result, CorrelationStructuredResponse):
+                state.structured_response = structured_result.model_dump()
+            else:
+                state.structured_response = structured_result
+                
+        except Exception as e:
+            print(f"[ERROR] Failed to create structured output: {e}")
+            state.structured_response = DEFAULT_CORRELATION_DATA.copy()
+            state.structured_response["reasoning"] = f"Structuring failed: {str(e)}"
+        
+        return state
+    
+    # Build workflow graph
+    workflow = StateGraph(CorrelationState)
+    workflow.add_node("correlation_agent", agent_node)
+    workflow.add_node("structure_output", structure_output_node)
+    workflow.set_entry_point("correlation_agent")
+    workflow.add_edge("correlation_agent", "structure_output")
+    workflow.add_edge("structure_output", END)
+    
+    return workflow.compile()
+
+class CorrelationLogic:
+    """Correlation analysis using ReAct agent workflow with structured output."""
+    
+    def __init__(self):
+        try:
+            self.workflow = create_correlation_workflow()
+            if self.workflow:
+                print("[INFO] Correlation workflow initialized")
+            else:
+                print("[WARN] Workflow initialization failed")
+        except Exception as e:
+            print(f"[WARN] Workflow initialization error: {e}")
+            self.workflow = None
+        
+    def correlate(self, log_input: LogInput, mitre_input: MitreInput) -> CorrelationOutput:
+        """Main correlation method."""
+        correlation_data = self.run_workflow(log_input, mitre_input)
+        correlation_id = f"CORR_{log_input.analysis_id}_{mitre_input.analysis_id}_{datetime.now().strftime('%Y%m%d_%H%M%S')}"
+
+        # Use defaults if workflow failed
+        if not correlation_data:
+            print("[WARN] Using default correlation data")
+            return CorrelationOutput(
+                correlation_id=correlation_id,
+                correlation_score=0.5,
+                threat_level=ThreatLevel.MEDIUM,
+                confidence=ConfidenceLevel.MEDIUM,
+                matched_techniques=[],
+                reasoning="Workflow failed",
+                timestamp=datetime.now().isoformat()
+            )
+
+        # Parse matched techniques
+        matched_techniques = []
+        for mt_data in correlation_data.get("matched_techniques", []):
+            try:
+                matched_techniques.append(
+                    MatchedTechnique(
+                        technique_id=mt_data.get("technique_id", "Unknown"),
+                        match_confidence=mt_data.get("match_confidence", 0.0),
+                        evidence=mt_data.get("evidence", ""),
+                        validation_result=None
+                    )
+                )
+            except Exception as e:
+                print(f"[WARN] Skipping malformed technique: {e}")
+
+        # Helper to convert string to enum
+        def to_enum(enum_cls, value: str, default):
+            try:
+                return enum_cls(value.lower())
+            except:
+                return default
+
+        return CorrelationOutput(
+            correlation_id=correlation_id,
+            correlation_score=correlation_data.get("correlation_score", 0.5),
+            threat_level=to_enum(ThreatLevel, correlation_data.get("threat_level", "medium"), ThreatLevel.MEDIUM),
+            confidence=to_enum(ConfidenceLevel, correlation_data.get("confidence", "medium"), ConfidenceLevel.MEDIUM),
+            matched_techniques=matched_techniques,
+            reasoning=correlation_data.get("reasoning", "No reasoning provided"),
+            timestamp=datetime.now().isoformat()
+        )
+    
+    def run_workflow(self, log_input: LogInput, mitre_input: MitreInput) -> Optional[Dict[str, Any]]:
+        """Execute the correlation workflow and return structured data."""
+        if not self.workflow:
+            print("[ERROR] Workflow not initialized")
+            return None
+
+        analysis_request = (
+            f"Perform correlation analysis for this security event.\n\n"
+            f"LOG DATA:\n"
+            f"- ID: {log_input.analysis_id}\n"
+            f"- Severity: {log_input.severity}\n"
+            f"- Systems: {', '.join(log_input.affected_systems)}\n"
+            f"- Anomalies: {', '.join(log_input.anomalies)}\n"
+            f"- Processes: {', '.join(log_input.processes)}\n"
+            f"- Summary: {log_input.raw_summary}\n\n"
+            f"MITRE DATA:\n"
+            f"- Techniques: {json.dumps(mitre_input.techniques)}\n"
+            f"- Coverage: {mitre_input.coverage_score}\n"
+            f"- Confidence: {mitre_input.confidence}\n"
+            f"- Analysis: {mitre_input.analysis_text}\n"
+        )
+        
+        try:
+            initial_state = CorrelationState(analysis_request=analysis_request)
+            result = self.workflow.invoke(initial_state)
+
+            if isinstance(result, dict) and "structured_response" in result:
+                return result.get("structured_response")
+            
+            print("[WARN] No structured_response in result")
+            return None
+            
+        except Exception as e:
+            print(f"[ERROR] Workflow failed: {type(e).__name__}: {e}")
+            import traceback
+            traceback.print_exc()
+            return None
+
+
+class CorrelationAgent:
+    """Multi-Agent Correlation Agent with StateGraph workflow."""
+    
+    def __init__(self):
+        self.correlation_logic = CorrelationLogic()
+        print("[INFO] CorrelationAgent initialized")
+    
+    def process(self, log_input: LogInput, mitre_input: MitreInput) -> CorrelationOutput:
+        """Process correlation analysis using multi-agent system."""
+        print(f"[INFO] Processing correlation: {log_input.analysis_id}")
+        
+        try:
+            result = self.correlation_logic.correlate(log_input, mitre_input)
+            
+            print(f"[INFO] Completed: {result.correlation_id}")
+            print(f"[INFO] Threat: {result.threat_level.value.upper()} | "
+                  f"Confidence: {result.confidence.value.upper()} | "
+                  f"Score: {result.correlation_score:.3f} | "
+                  f"Techniques: {len(result.matched_techniques)}")
+            
+            return result
+            
+        except Exception as e:
+            print(f"[ERROR] Correlation processing failed: {e}")
+            raise

src/agents/correlation_agent/input_converters.py

@@ -0,0 +1,49 @@
+from typing import Dict, Any
+from .types import LogInput, MitreInput
+
+def convert_mitre_agent_input(mitre_agent_input) -> LogInput:
+    """Convert MitreAgentInput to LogInput format for correlation testing"""
+    
+    # Extract anomaly descriptions
+    anomalies = [anomaly["description"] for anomaly in mitre_agent_input.detected_anomalies]
+    
+    # Map severity level to string
+    severity_str = mitre_agent_input.severity.value.upper()
+    
+    return LogInput(
+        analysis_id=mitre_agent_input.analysis_id,
+        severity=severity_str,
+        affected_systems=mitre_agent_input.affected_systems,
+        anomalies=anomalies,
+        processes=mitre_agent_input.processes,
+        raw_summary=mitre_agent_input.raw_summary
+    )
+
+def convert_mitre_analysis_output(mitre_analysis_result, original_input) -> MitreInput:
+    """Convert MitreAgent analysis result to MitreInput format for correlation"""
+    
+    # Extract top techniques from analysis result safely
+    techniques = []
+    technique_details = mitre_analysis_result.get('technique_details', [])
+    
+    for tech_detail in technique_details[:10]:  # Top 10 techniques
+        techniques.append({
+            "attack_id": tech_detail.get('attack_id', 'Unknown'),
+            "name": tech_detail.get('name', 'Unknown Technique'),
+            "relevance_score": tech_detail.get('relevance_score', 0.5)
+        })
+    
+    # Default techniques if none found
+    if not techniques:
+        techniques = [
+            {"attack_id": "T1059.001", "name": "PowerShell", "relevance_score": 0.7},
+            {"attack_id": "T1566.001", "name": "Spearphishing Attachment", "relevance_score": 0.6}
+        ]
+    
+    return MitreInput(
+        analysis_id=f"MITRE_{getattr(original_input, 'analysis_id', 'UNKNOWN')}",
+        techniques=techniques,
+        coverage_score=mitre_analysis_result.get('coverage_score', 0.5),
+        confidence=mitre_analysis_result.get('confidence', 0.5),
+        analysis_text=mitre_analysis_result.get('analysis', 'MITRE analysis completed')
+    )

src/agents/correlation_agent/test.py

@@ -0,0 +1,176 @@
+from dotenv import load_dotenv
+load_dotenv()
+
+from src.agents.correlation_agent.correlation_logic import CorrelationAgent
+from src.agents.correlation_agent.types import LogInput, MitreInput
+from src.agents.mitre_retriever_agent.mitre_example_input import create_sample_log_input, create_elaborate_mockup_incident
+from src.agents.mitre_retriever_agent.mitre_agent import MitreAgent
+from src.agents.correlation_agent.input_converters import convert_mitre_agent_input, convert_mitre_analysis_output
+
+def test_sample_correlation():
+    """Test basic correlation functionality using real MITRE agent output"""
+    print("="*60)
+    print("TESTING BASIC CORRELATION WITH MITRE AGENT")
+    print("="*60)
+    
+    # Create sample input from mitre_example_input
+    mitre_agent_input = create_sample_log_input()
+    log_input = convert_mitre_agent_input(mitre_agent_input)
+    
+    print(f"\nSAMPLE INPUT CREATED:")
+    print(f"- Analysis ID: {log_input.analysis_id}")
+    print(f"- Severity: {log_input.severity}")
+    print(f"- Affected Systems: {log_input.affected_systems}")
+    print(f"- Anomalies: {len(log_input.anomalies)} detected")
+    print(f"- Processes: {log_input.processes}")
+    
+    print("\nRUNNING MITRE AGENT ANALYSIS...")
+    mitre_agent = MitreAgent(
+        llm_provider="openai",
+        model_name="gpt-4o",
+        max_iterations=3
+    )
+    
+    mitre_analysis_result = mitre_agent.analyze_threat(mitre_agent_input)
+    print(f"✓ MITRE analysis completed")
+    print(f"  - Techniques found: {len(mitre_analysis_result.get('technique_details', []))}")
+    print(f"  - Coverage score: {mitre_analysis_result.get('coverage_score', 0):.3f}")
+    print(f"  - Confidence: {mitre_analysis_result.get('confidence', 0):.3f}")
+    
+    # Convert MITRE analysis to MitreInput format
+    mitre_input = convert_mitre_analysis_output(mitre_analysis_result, mitre_agent_input)
+    
+    print(f"\n✓ MITRE INPUT CONVERTED:")
+    print(f"  - Top {min(5, len(mitre_input.techniques))} techniques:")
+    for i, tech in enumerate(mitre_input.techniques[:5], 1):
+        print(f"    {i}. {tech['attack_id']}: {tech['name']} (Score: {tech['relevance_score']:.3f})")
+    
+    # Run correlation analysis
+    print("\nRUNNING CORRELATION ANALYSIS...")
+    correlation_agent = CorrelationAgent()
+    result = correlation_agent.process(log_input, mitre_input)
+    
+    # Display results
+    print(f"\n{'='*60}")
+    print(f"CORRELATION RESULTS:")
+    print(f"{'='*60}")
+    print(f"ID: {result.correlation_id}")
+    print(f"Score: {result.correlation_score:.3f}")
+    print(f"Threat Level: {result.threat_level.value.upper()}")
+    print(f"Confidence: {result.confidence.value.upper()}")
+    print(f"Timestamp: {result.timestamp}")
+    
+    print(f"\nMATCHED TECHNIQUES ({len(result.matched_techniques)}):")
+    for i, tech in enumerate(result.matched_techniques, 1):
+        print(f"{i}. {tech.technique_id} - Confidence: {tech.match_confidence:.3f}")
+        print(f"   Evidence: {tech.evidence[:100]}{'...' if len(tech.evidence) > 100 else ''}")
+    
+    print(f"\nREASONING:")
+    print(f"{result.reasoning}")
+    
+    return result
+
+def test_elaborate_correlation():
+    """Test correlation using elaborate mockup incident with MITRE agent"""
+    print("\n" + "="*60)
+    print("TESTING CORRELATION - ELABORATE INCIDENT")
+    print("="*60)
+    
+    # Create elaborate incident input
+    mitre_agent_input = create_elaborate_mockup_incident()
+    log_input = convert_mitre_agent_input(mitre_agent_input)
+    
+    print(f"\nELABORATE INCIDENT INPUT:")
+    print(f"- Analysis ID: {log_input.analysis_id}")
+    print(f"- Severity: {log_input.severity}")
+    print(f"- Affected Systems: {len(log_input.affected_systems)} systems")
+    print(f"- Anomalies: {len(log_input.anomalies)} detected")
+    print(f"- Processes: {len(log_input.processes)} processes")
+    
+    # Run MITRE agent analysis for elaborate incident
+    print("\nRUNNING MITRE AGENT ANALYSIS FOR ELABORATE INCIDENT...")
+    mitre_agent = MitreAgent(
+        llm_provider="openai",
+        model_name="gpt-4o",
+        max_iterations=3
+    )
+    
+    mitre_analysis_result = mitre_agent.analyze_threat(mitre_agent_input)
+    print(f"✓ MITRE analysis completed")
+    print(f"  - Techniques found: {len(mitre_analysis_result.get('technique_details', []))}")
+    print(f"  - Coverage score: {mitre_analysis_result.get('coverage_score', 0):.3f}")
+    print(f"  - Confidence: {mitre_analysis_result.get('confidence', 0):.3f}")
+    
+    # Convert to MitreInput
+    mitre_input = convert_mitre_analysis_output(mitre_analysis_result, mitre_agent_input)
+    
+    print(f"\n✓ TOP TECHNIQUES FROM MITRE ANALYSIS:")
+    for i, tech in enumerate(mitre_input.techniques[:5], 1):
+        print(f"  {i}. {tech['attack_id']}: {tech['name'][:50]}... (Score: {tech['relevance_score']:.3f})")
+    
+    # Run correlation analysis
+    print("\nRUNNING ELABORATE CORRELATION ANALYSIS...")
+    correlation_agent = CorrelationAgent()
+    result = correlation_agent.process(log_input, mitre_input)
+
+    print(f"\n{'='*60}")
+    print(f"ELABORATE CORRELATION RESULTS:")
+    print(f"{'='*60}")
+    print(f"ID: {result.correlation_id}")
+    print(f"Score: {result.correlation_score:.3f}")
+    print(f"Threat Level: {result.threat_level.value.upper()}")
+    print(f"Confidence: {result.confidence.value.upper()}")
+    print(f"Matched Techniques: {len(result.matched_techniques)}")
+    
+    print(f"\nTOP CORRELATED TECHNIQUES:")
+    for i, tech in enumerate(result.matched_techniques[:5], 1):
+        print(f"{i}. {tech.technique_id} - Confidence: {tech.match_confidence:.3f}")
+        print(f"   Evidence: {tech.evidence[:80]}{'...' if len(tech.evidence) > 80 else ''}")
+    
+    print(f"\nREASONING:")
+    print(f"{result.reasoning}")
+    
+    return result
+
+def main():
+    """Main test function"""
+    print("╔" + "="*58 + "╗")
+    print("║" + " "*10 + "CORRELATION AGENT TEST SUITE" + " "*20 + "║")
+    print("╚" + "="*58 + "╝")
+    print()
+    
+    try:
+        # Test sample correlation with MITRE agent
+        result1 = test_sample_correlation()
+
+        # Test elaborate correlation with elaborate incident
+        result2 = test_elaborate_correlation()
+
+        print("\n" + "="*60)
+        print("✓ ALL TESTS COMPLETED SUCCESSFULLY")
+        print("="*60)
+        
+        # Summary
+        print(f"\nTEST SUMMARY:")
+        print(f"\n1. Sample Input Test:")
+        print(f"   - Threat Level: {result1.threat_level.value.upper()}")
+        print(f"   - Confidence: {result1.confidence.value.upper()}")
+        print(f"   - Correlation Score: {result1.correlation_score:.3f}")
+        print(f"   - Matched Techniques: {len(result1.matched_techniques)}")
+        
+        print(f"\n2. Elaborate Incident Test:")
+        print(f"   - Threat Level: {result2.threat_level.value.upper()}")
+        print(f"   - Confidence: {result2.confidence.value.upper()}")
+        print(f"   - Correlation Score: {result2.correlation_score:.3f}")
+        print(f"   - Matched Techniques: {len(result2.matched_techniques)}")
+        
+        print("\n" + "="*60)
+        
+    except Exception as e:
+        print(f"\n❌ TEST FAILED: {e}")
+        import traceback
+        traceback.print_exc()
+        raise
+
+if __name__ == "__main__":
+    main()

src/agents/correlation_agent/types.py

@@ -0,0 +1,48 @@
+from typing import Dict, List, Any, Optional
+from dataclasses import dataclass
+from enum import Enum
+
+class ThreatLevel(Enum):
+    LOW = "low"
+    MEDIUM = "medium"
+    HIGH = "high"
+    CRITICAL = "critical"
+
+class ConfidenceLevel(Enum):
+    LOW = "low"
+    MEDIUM = "medium"
+    HIGH = "high"
+
+@dataclass
+class LogInput:
+    analysis_id: str
+    severity: str
+    affected_systems: List[str]
+    anomalies: List[str]
+    processes: List[str]
+    raw_summary: str
+
+@dataclass
+class MitreInput:
+    analysis_id: str
+    techniques: List[Dict[str, Any]]
+    coverage_score: float
+    confidence: float
+    analysis_text: str
+
+@dataclass
+class MatchedTechnique:
+    technique_id: str
+    match_confidence: float
+    evidence: str
+    validation_result: Optional[Dict[str, Any]] = None
+
+@dataclass
+class CorrelationOutput:
+    correlation_id: str
+    correlation_score: float
+    threat_level: ThreatLevel
+    confidence: ConfidenceLevel
+    matched_techniques: List[MatchedTechnique]
+    reasoning: str = ""
+    timestamp: str = ""

src/agents/cti_agent/config.py

@@ -0,0 +1,371 @@
+# Search configuration
+CTI_SEARCH_CONFIG = {
+    "max_results": 5,
+    "search_depth": "advanced",
+    "include_raw_content": True,
+    "include_domains": [
+        "*.cisa.gov",  # US Cybersecurity and Infrastructure Security Agency
+        "*.us-cert.gov",  # US-CERT advisories
+        "*.crowdstrike.com",  # CrowdStrike threat intelligence
+        "*.mandiant.com",  # Mandiant (Google) threat reports
+        "*.trendmicro.com",  # Trend Micro research
+        "*.securelist.com",  # Kaspersky SecureList blog
+        "*.cert.europa.eu",  # European CERT
+        "*.ncsc.gov.uk",  # UK National Cyber Security Centre
+    ],
+}
+
+
+# Model configuration
+MODEL_NAME = "google_genai:gemini-2.0-flash"
+
+# CTI Planner Prompt
+CTI_PLANNER_PROMPT = """You are a Cyber Threat Intelligence (CTI) researcher planning 
+to retrieve actual threat intelligence from CTI reports.
+
+Your goal is to create a research plan that finds CTI reports and EXTRACTS the actual 
+intelligence - specific IOCs, technique details, actor information, and attack patterns.
+
+IMPORTANT GUIDELINES:
+1. Search for actual CTI reports from reputable sources
+2. Prioritize recent reports (2024-2025)
+3. ALWAYS fetch full report content to extract intelligence
+4. Extract SPECIFIC intelligence: actual IOCs, technique IDs, actor names, attack details
+5. Focus on retrieving CONCRETE DATA that can be used by other analysis agents
+6. Maximum 4 tasks with only one time of web searching
+
+Available tools:
+(1) SearchCTIReports[query]: Searches for CTI reports, threat analyses, and security advisories.
+    - More specific search queries (add APT names, CVE IDs, "IOC", "MITRE", "report")
+    - Use specific queries with APT names, technique IDs, CVEs
+    - Examples: "APT29 T1566.002 report 2025", "Scattered Spider IOCs"
+
+(2) ExtractURL[search_result, index]: Extract a specific URL from search results JSON.
+    - search_result: JSON string from SearchCTIReports
+    - index: Which report URL to extract (default: 0 for first)
+    - ALWAYS use this to get the actual report URL from search results
+
+(3) FetchReport[url]: Retrieves the full content of a CTI report using real url.
+    - ALWAYS use this to get actual report content for intelligence extraction
+    - Essential for retrieving specific IOCs and details
+
+(4) ExtractIOCs[report_content]: Extracts actual Indicators of Compromise from reports.
+    - Returns specific IPs, domains, hashes, URLs, file names
+    - Provides concrete IOCs that can be used for detection
+
+(5) IdentifyThreatActors[report_content]: Extracts threat actor details from reports.
+    - Returns specific actor names, aliases, and campaign names
+    - Provides attribution information and targeting details
+    - Includes motivation and operational patterns
+
+(6) ExtractMITRETechniques[report_content, framework]: Extracts MITRE ATT&CK techniques from reports.
+    - framework: "Enterprise", "Mobile", or "ICS" (default: "Enterprise")
+    - Returns specific technique IDs (T1234) with descriptions
+    - Maps malware behaviors to MITRE framework
+    - Provides structured technique analysis
+
+(7) LLM[instruction]: Synthesis and correlation of extracted intelligence.
+    - Combine intelligence from multiple sources
+    - DON'T USE FOR ANY OTHER PURPOSES
+    - Identify patterns across findings
+    - Correlate IOCs with techniques and actors
+
+PLAN STRUCTURE:
+Each plan step should be: Plan: [description] #E[N] = Tool[input]
+
+Example for task "Find threat intelligence about APT29 using T1566.002":
+
+Plan: Search for recent APT29 campaign reports with IOCs
+#E1 = SearchCTIReports[APT29 T1566.002 spearphishing IOCs 2025]
+
+Plan: Search for detailed technical analysis of APT29 spearphishing
+#E2 = SearchCTIReports[APT29 spearphishing technical analysis filetype:pdf]
+
+Plan: Fetch the most detailed technical report for intelligence extraction
+#E3 = FetchReport[top ranked URL from #E1 with most technical detail]
+
+Plan: Extract all specific IOCs from the fetched report
+#E4 = ExtractIOCs[#E3]
+
+Plan: Extract threat actor details and campaign information from the report
+#E5 = IdentifyThreatActors[#E3]
+
+Plan: If first report lacks detail, fetch second report for additional intelligence
+#E6 = FetchReport[second best URL from #E1]
+
+Plan: Extract IOCs from second report to enrich intelligence
+#E7 = ExtractIOCs[#E7]
+
+Plan: Correlate and consolidate all extracted intelligence
+#E8 = LLM[Consolidate intelligence from #E4, #E5, #E6, and #E8. Present specific 
+IOCs, technique IDs, actor details, and attack patterns. Identify overlaps and unique findings.]
+
+Now create a detailed plan for the following task:
+Task: {task}"""
+
+# CTI Solver Prompt
+CTI_SOLVER_PROMPT = """You are a Cyber Threat Intelligence analyst creating a final intelligence report.
+
+Below are the COMPLETE results from your CTI research. Each section contains the full output from extraction tools.
+
+{structured_results}
+
+{'='*80}
+EXECUTION PLAN OVERVIEW:
+{'='*80}
+{plan}
+
+{'='*80}
+ORIGINAL TASK: {task}
+{'='*80}
+
+Create a comprehensive threat intelligence report with the following structure:
+
+## Intelligence Sources
+[List reports analyzed with titles and sources]
+
+## Threat Actors & Attribution
+[Names, aliases, campaigns, and attribution details from IdentifyThreatActors results]
+
+## MITRE ATT&CK Techniques Identified
+[All technique IDs from ExtractMITRETechniques results, with descriptions]
+
+## Indicators of Compromise (IOCs) Retrieved
+[All IOCs from ExtractIOCs results, organized by type]
+
+### IP Addresses
+### Domains  
+### File Hashes
+### URLs
+### Email Addresses
+### File Names
+### Other Indicators
+
+## Attack Patterns & Campaign Details
+[Specific attack flows, timeline, targeting from reports]
+
+## Key Findings Summary
+[3-5 critical bullet points]
+
+## Intelligence Gaps
+[What information was not available]
+
+**INSTRUCTIONS:**
+- Extract ALL data from results above - don't summarize, list actual values
+- Parse JSON if present in results
+- If Q&A format, extract all answers
+- Be comprehensive and specific
+"""
+
+# Regex pattern for parsing CTI plans
+CTI_REGEX_PATTERN = r"Plan:\s*(.+)\s*(#E\d+)\s*=\s*(\w+)\s*\[([^\]]+)\]"
+
+# Tool-specific prompts
+IOC_EXTRACTION_PROMPT = """Extract all Indicators of Compromise (IOCs) from the content below.
+
+**Instructions:** List ONLY the actual IOCs found. No explanations, no summaries - just the indicators.
+
+**Content:**
+{content}
+
+**Extract and list:**
+
+**IP Addresses:**
+[List IPs, or write "None found"]
+
+**Domains:**
+[List domains, or write "None found"]
+
+**URLs:**
+[List malicious URLs, or write "None found"]
+
+**File Hashes:**
+[List hashes with type (MD5/SHA1/SHA256), or write "None found"]
+
+**Email Addresses:**
+[List emails, or write "None found"]
+
+**File Names:**
+[List malicious files/paths, or write "None found"]
+
+**Registry Keys:**
+[List registry keys, or write "None found"]
+
+**Other Indicators:**
+[List mutexes, user agents, etc., or write "None found"]
+
+If no specific IOCs found, respond: "No extractable IOCs in content."
+"""
+
+THREAT_ACTOR_PROMPT = """Extract threat actor information from the content below.
+
+**Instructions:** Provide concise answers. Include brief descriptions where relevant.
+
+**Content:**
+{content}
+
+**Answer these questions:**
+
+**Q: What threat actor/APT group is discussed?**
+A: [Name and aliases, e.g., "APT29 (Cozy Bear, The Dukes)" or "None identified"]
+
+**Q: What is this actor known for?**
+A: [1-2 sentence description of their typical activities/focus, or "No attribution details"]
+
+**Q: What campaigns/operations are mentioned?**
+A: [List campaign names with timeframes, e.g., "NobleBaron (2024-Q2)" or "None mentioned"]
+
+**Q: What is their suspected origin/attribution?**
+A: [Nation-state/origin and confidence level, e.g., "Russian state-sponsored (High confidence)" or "Unknown"]
+
+**Q: Who/what do they target?**
+A: [Industries and regions, e.g., "Government agencies in Europe, Defense sector in North America" or "Not specified"]
+
+**Q: What is their motivation?**
+A: [Primary objective, e.g., "Espionage and intelligence collection" or "Not specified"]
+
+If no specific threat actor information found, respond: "No threat actor attribution in content."
+"""
+
+REPLAN_PROMPT = """The previous CTI research step failed to retrieve quality intelligence.
+
+ORIGINAL TASK: {task}
+
+FAILED STEP:
+Plan: {failed_step}
+{step_name} = {tool}[{tool_input}]
+
+RESULT: {results}
+
+PROBLEM: {problem}
+
+COMPLETED STEPS SO FAR:
+{completed_steps}
+
+Create an IMPROVED plan for this specific step that will retrieve ACTUAL CTI intelligence.
+
+Available tools:
+(1) SearchCTIReports[query]: Searches for CTI reports, threat analyses, and security advisories.
+    - Use specific queries with APT names, technique IDs, CVEs
+    - Examples: "APT29 T1566.002 report 2024", "Scattered Spider IOCs"
+
+(2) ExtractURL[search_result, index]: Extract a specific URL from search results JSON.
+    - search_result: JSON string from SearchCTIReports
+    - index: Which report URL to extract (default: 0 for first)
+    - ALWAYS use this to get the actual report URL from search results
+
+(3) FetchReport[url]: Retrieves the full content of a CTI report.
+    - ALWAYS use this to get actual report content for intelligence extraction
+    - Essential for retrieving specific IOCs and details
+
+(4) ExtractIOCs[report_content]: Extracts actual Indicators of Compromise from reports.
+    - Returns specific IPs, domains, hashes, URLs, file names
+    - Provides concrete IOCs that can be used for detection
+
+(5) IdentifyThreatActors[report_content]: Extracts threat actor details from reports.
+    - Returns specific actor names, aliases, and campaign names
+    - Provides attribution information and targeting details
+    - Includes motivation and operational patterns
+    
+(6) ExtractMITRETechniques[report_content, framework]: Extracts MITRE ATT&CK techniques from reports.
+    - framework: "Enterprise", "Mobile", or "ICS" (default: "Enterprise")
+    - Returns specific technique IDs (T1234) with descriptions
+    - Maps malware behaviors to MITRE framework
+    - Provides structured technique analysis
+
+(7) LLM[instruction]: Synthesis and correlation of extracted intelligence.
+    - Combine intelligence from multiple sources
+    - Identify patterns across findings
+    - Correlate IOCs with techniques and actors
+
+Consider:
+1. More specific search queries (add APT names, CVE IDs, "IOC", "MITRE", "report")
+2. Alternative CTI sources (CISA advisories, vendor reports, not news articles)
+3. Different tool combinations (search → extract URL → fetch → extract IOCs)
+
+Provide ONLY the corrected step in this format:
+Plan: [improved description]
+#E{step} = Tool[improved input]"""
+
+MITRE_EXTRACTION_PROMPT = """Extract MITRE ATT&CK {framework} techniques from the content below.
+
+**Instructions:** 
+1. Identify behaviors described in the content
+2. Map to MITRE technique IDs (main techniques only: T#### not T####.###)
+3. Provide brief description of what each technique means
+4. List final technique IDs on the last line
+
+**Content:**
+{content}
+
+**Identified Techniques:**
+
+[For each technique found, format as:]
+**T####** - [Technique Name]: [1 sentence: what this technique is and why it was identified in the content]
+
+[Continue for all techniques...]
+
+**Final Answer - Technique IDs:**
+T####, T####, T####
+
+[If no valid techniques found, respond: "No MITRE {framework} techniques identified in content."]
+"""
+
+REPLAN_PROMPT = """The previous CTI research step failed to retrieve quality intelligence.
+
+ORIGINAL TASK: {task}
+
+FAILED STEP:
+Plan: {failed_step}
+{step_name} = {tool}[{tool_input}]
+
+RESULT: {results}
+
+PROBLEM: {problem}
+
+COMPLETED STEPS SO FAR:
+{completed_steps}
+
+Create an IMPROVED plan for this specific step that will retrieve ACTUAL CTI intelligence.
+
+Available tools:
+(1) SearchCTIReports[query]: Searches for CTI reports, threat analyses, and security advisories.
+    - Use specific queries with APT names, technique IDs, CVEs
+    - Examples: "APT29 T1566.002 report 2024", "Scattered Spider IOCs"
+
+(2) ExtractURL[search_result, index]: Extract a specific URL from search results JSON.
+    - search_result: JSON string from SearchCTIReports
+    - index: Which report URL to extract (default: 0 for first)
+    - ALWAYS use this to get the actual report URL from search results
+
+(3) FetchReport[url]: Retrieves the full content of a CTI report.
+    - ALWAYS use this to get actual report content for intelligence extraction
+    - Essential for retrieving specific IOCs and details
+
+(4) ExtractIOCs[report_content]: Extracts actual Indicators of Compromise from reports.
+    - Returns specific IPs, domains, hashes, URLs, file names
+    - Provides concrete IOCs that can be used for detection
+
+(5) IdentifyThreatActors[report_content]: Extracts threat actor details from reports.
+    - Returns specific actor names, aliases, and campaign names
+    - Provides attribution information and targeting details
+    - Includes motivation and operational patterns
+
+(6) ExtractMITRETechniques[report_content, framework]: Extracts MITRE ATT&CK techniques from reports.
+    - framework: "Enterprise", "Mobile", or "ICS" (default: "Enterprise")
+    - Returns specific technique IDs (T1234) with descriptions
+    - Maps malware behaviors to MITRE framework
+
+(7) LLM[instruction]: Synthesis and correlation of extracted intelligence.
+    - Combine intelligence from multiple sources
+    - Identify patterns across findings
+    - Correlate IOCs with techniques and actors
+
+Consider:
+1. More specific search queries (add APT names, CVE IDs, "IOC", "MITRE", "report")
+2. Alternative CTI sources (CISA advisories, vendor reports, not news articles)
+3. Different tool combinations (search → extract URL → fetch → extract IOCs/techniques)
+
+Provide ONLY the corrected step in this format:
+Plan: [improved description]
+#E{step} = Tool[improved input]"""

src/agents/cti_agent/cti-evaluator.py

@@ -0,0 +1,708 @@
+import re
+import json
+import os
+from typing import List, Set, Dict, Tuple
+from pathlib import Path
+import pandas as pd
+from dotenv import load_dotenv
+
+# Import your CTI tools
+from langchain.chat_models import init_chat_model
+from langchain_tavily import TavilySearch
+import sys
+
+sys.path.append("src/agents/cti_agent")
+from cti_tools import CTITools
+from config import MODEL_NAME, CTI_SEARCH_CONFIG
+
+
+class CTIToolsEvaluator:
+    """Evaluator for CTI tools on CTIBench benchmarks."""
+
+    def __init__(self):
+        """Initialize the evaluator with CTI tools."""
+        load_dotenv()
+
+        # Initialize LLM
+        self.llm = init_chat_model(MODEL_NAME, temperature=0.1)
+
+        # Initialize search (needed for CTITools init, even if not used in evaluation)
+        search_config = {**CTI_SEARCH_CONFIG, "api_key": os.getenv("TAVILY_API_KEY")}
+        self.cti_search = TavilySearch(**search_config)
+
+        # Initialize CTI Tools
+        self.cti_tools = CTITools(self.llm, self.cti_search)
+
+        # Storage for results
+        self.ate_results = []
+        self.taa_results = []
+
+    # ==================== CTI-ATE: MITRE Technique Extraction Tool ====================
+
+    def extract_technique_ids(self, text: str) -> Set[str]:
+        """
+        Extract MITRE technique IDs from text.
+        Looks for patterns like T1234 (main techniques only, no subtechniques).
+
+        Args:
+            text: Text containing technique IDs
+
+        Returns:
+            Set of technique IDs (e.g., {'T1071', 'T1059'})
+        """
+        # Pattern for main techniques only (T#### not T####.###)
+        pattern = r"\bT\d{4}\b"
+        matches = re.findall(pattern, text)
+        return set(matches)
+
+    def calculate_ate_metrics(
+        self, predicted: Set[str], ground_truth: Set[str]
+    ) -> Dict[str, float]:
+        """
+        Calculate precision, recall, and F1 score for technique extraction.
+
+        Args:
+            predicted: Set of predicted technique IDs
+            ground_truth: Set of ground truth technique IDs
+
+        Returns:
+            Dictionary with precision, recall, f1, tp, fp, fn
+        """
+        tp = len(predicted & ground_truth)  # True positives
+        fp = len(predicted - ground_truth)  # False positives
+        fn = len(ground_truth - predicted)  # False negatives
+
+        precision = tp / len(predicted) if len(predicted) > 0 else 0.0
+        recall = tp / len(ground_truth) if len(ground_truth) > 0 else 0.0
+        f1 = (
+            2 * (precision * recall) / (precision + recall)
+            if (precision + recall) > 0
+            else 0.0
+        )
+
+        return {
+            "precision": precision,
+            "recall": recall,
+            "f1": f1,
+            "tp": tp,
+            "fp": fp,
+            "fn": fn,
+            "predicted_count": len(predicted),
+            "ground_truth_count": len(ground_truth),
+        }
+
+    def evaluate_mitre_extraction_tool(
+        self,
+        sample_id: str,
+        description: str,
+        ground_truth: str,
+        platform: str = "Enterprise",
+    ) -> Dict:
+        """
+        Evaluate extract_mitre_techniques tool on a single sample.
+
+        Args:
+            sample_id: Sample identifier (e.g., URL)
+            description: Malware/report description to analyze
+            ground_truth: Ground truth technique IDs (comma-separated)
+            platform: MITRE platform (Enterprise, Mobile, ICS)
+
+        Returns:
+            Dictionary with evaluation metrics
+        """
+        print(f"Evaluating {sample_id[:60]}...")
+
+        # Call the extract_mitre_techniques tool
+        tool_output = self.cti_tools.extract_mitre_techniques(description, platform)
+
+        # Extract technique IDs from tool output
+        predicted_ids = self.extract_technique_ids(tool_output)
+        gt_ids = set([t.strip() for t in ground_truth.split(",") if t.strip()])
+
+        # Calculate metrics
+        metrics = self.calculate_ate_metrics(predicted_ids, gt_ids)
+
+        result = {
+            "sample_id": sample_id,
+            "platform": platform,
+            "description": description[:100] + "...",
+            "tool_output": tool_output[:500] + "...",  # Truncate for storage
+            "predicted": sorted(predicted_ids),
+            "ground_truth": sorted(gt_ids),
+            "missing": sorted(gt_ids - predicted_ids),  # False negatives
+            "extra": sorted(predicted_ids - gt_ids),  # False positives
+            **metrics,
+        }
+
+        self.ate_results.append(result)
+        return result
+
+    def evaluate_ate_from_tsv(
+        self, filepath: str = "cti-bench/data/cti-ate.tsv", limit: int = None
+    ) -> pd.DataFrame:
+        """
+        Evaluate extract_mitre_techniques tool on CTI-ATE benchmark.
+
+        Args:
+            filepath: Path to CTI-ATE TSV file
+            limit: Optional limit on number of samples to evaluate
+
+        Returns:
+            DataFrame with results for each sample
+        """
+        print(f"\n{'='*80}")
+        print(f"Evaluating extract_mitre_techniques tool on CTI-ATE benchmark")
+        print(f"{'='*80}\n")
+
+        # Load benchmark
+        df = pd.read_csv(filepath, sep="\t")
+
+        if limit:
+            df = df.head(limit)
+
+        print(f"Loaded {len(df)} samples from {filepath}")
+        print(f"Starting evaluation...\n")
+
+        # Evaluate each sample
+        for idx, row in df.iterrows():
+            try:
+                self.evaluate_mitre_extraction_tool(
+                    sample_id=row["URL"],
+                    description=row["Description"],
+                    ground_truth=row["GT"],
+                    platform=row["Platform"],
+                )
+            except Exception as e:
+                print(f"Error on sample {idx}: {e}")
+                continue
+
+        results_df = pd.DataFrame(self.ate_results)
+
+        print(f"\nCompleted evaluation of {len(self.ate_results)} samples")
+        return results_df
+
+    def get_ate_summary(self) -> Dict:
+        """
+        Get summary statistics for CTI-ATE evaluation.
+
+        Returns:
+            Dictionary with macro and micro averaged metrics
+        """
+        if not self.ate_results:
+            return {}
+
+        df = pd.DataFrame(self.ate_results)
+
+        # Macro averages (average of per-sample metrics)
+        macro_metrics = {
+            "macro_precision": df["precision"].mean(),
+            "macro_recall": df["recall"].mean(),
+            "macro_f1": df["f1"].mean(),
+        }
+
+        # Micro averages (calculated from total TP, FP, FN)
+        total_tp = df["tp"].sum()
+        total_fp = df["fp"].sum()
+        total_fn = df["fn"].sum()
+        total_predicted = df["predicted_count"].sum()
+        total_gt = df["ground_truth_count"].sum()
+
+        micro_precision = total_tp / total_predicted if total_predicted > 0 else 0.0
+        micro_recall = total_tp / total_gt if total_gt > 0 else 0.0
+        micro_f1 = (
+            2 * (micro_precision * micro_recall) / (micro_precision + micro_recall)
+            if (micro_precision + micro_recall) > 0
+            else 0.0
+        )
+
+        micro_metrics = {
+            "micro_precision": micro_precision,
+            "micro_recall": micro_recall,
+            "micro_f1": micro_f1,
+            "total_samples": len(self.ate_results),
+            "total_tp": int(total_tp),
+            "total_fp": int(total_fp),
+            "total_fn": int(total_fn),
+        }
+
+        return {**macro_metrics, **micro_metrics}
+
+    # ==================== CTI-TAA: Threat Actor Attribution Tool ====================
+
+    def normalize_actor_name(self, name: str) -> str:
+        """
+        Normalize threat actor names for comparison.
+
+        Args:
+            name: Threat actor name
+
+        Returns:
+            Normalized name (lowercase, trimmed)
+        """
+        if not name:
+            return ""
+
+        # Convert to lowercase and strip
+        normalized = name.lower().strip()
+
+        # Remove common prefixes
+        prefixes = ["apt", "apt-", "group", "the "]
+        for prefix in prefixes:
+            if normalized.startswith(prefix):
+                normalized = normalized[len(prefix) :].strip()
+
+        return normalized
+
+    def extract_actor_from_output(self, text: str) -> str:
+        """
+        Extract threat actor name from tool output.
+
+        Args:
+            text: Tool output text
+
+        Returns:
+            Extracted actor name or empty string
+        """
+        # Look for Q&A format from our updated prompt
+        qa_patterns = [
+            r"Q:\s*What threat actor.*?\n\s*A:\s*([^\n]+)",
+            r"threat actor.*?is[:\s]+([A-Z][A-Za-z0-9\s\-]+?)(?:\s*\(|,|\.|$)",
+            r"attributed to[:\s]+([A-Z][A-Za-z0-9\s\-]+?)(?:\s*\(|,|\.|$)",
+        ]
+
+        for pattern in qa_patterns:
+            match = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
+            if match:
+                actor = match.group(1).strip()
+                # Clean up common artifacts
+                actor = actor.split("(")[0].strip()  # Remove parenthetical aliases
+                if actor and actor.lower() not in [
+                    "none",
+                    "none identified",
+                    "unknown",
+                    "not specified",
+                ]:
+                    return actor
+
+        return ""
+
+    def check_actor_match(
+        self, predicted: str, ground_truth: str, aliases: Dict[str, List[str]] = None
+    ) -> bool:
+        """
+        Check if predicted actor matches ground truth, considering aliases.
+
+        Args:
+            predicted: Predicted threat actor name
+            ground_truth: Ground truth threat actor name
+            aliases: Optional dictionary mapping canonical names to aliases
+
+        Returns:
+            True if match, False otherwise
+        """
+        pred_norm = self.normalize_actor_name(predicted)
+        gt_norm = self.normalize_actor_name(ground_truth)
+
+        if not pred_norm or not gt_norm:
+            return False
+
+        # Direct match
+        if pred_norm == gt_norm:
+            return True
+
+        # Check aliases if provided
+        if aliases:
+            # Check if prediction is in ground truth's aliases
+            if gt_norm in aliases:
+                for alias in aliases[gt_norm]:
+                    if pred_norm == self.normalize_actor_name(alias):
+                        return True
+
+            # Check if ground truth is in prediction's aliases
+            if pred_norm in aliases:
+                for alias in aliases[pred_norm]:
+                    if gt_norm == self.normalize_actor_name(alias):
+                        return True
+
+        return False
+
+    def evaluate_threat_actor_tool(
+        self,
+        sample_id: str,
+        report_text: str,
+        ground_truth: str,
+        aliases: Dict[str, List[str]] = None,
+    ) -> Dict:
+        """
+        Evaluate identify_threat_actors tool on a single sample.
+
+        Args:
+            sample_id: Sample identifier (e.g., URL)
+            report_text: Threat report text to analyze
+            ground_truth: Ground truth threat actor name
+            aliases: Optional alias dictionary for matching
+
+        Returns:
+            Dictionary with evaluation result
+        """
+        print(f"Evaluating {sample_id[:60]}...")
+
+        # Call the identify_threat_actors tool
+        tool_output = self.cti_tools.identify_threat_actors(report_text)
+
+        # Extract predicted actor
+        predicted_actor = self.extract_actor_from_output(tool_output)
+
+        # Check if match
+        is_correct = self.check_actor_match(predicted_actor, ground_truth, aliases)
+
+        result = {
+            "sample_id": sample_id,
+            "report_snippet": report_text[:100] + "...",
+            "tool_output": tool_output[:500] + "...",  # Truncate for storage
+            "predicted_actor": predicted_actor,
+            "ground_truth": ground_truth,
+            "correct": is_correct,
+        }
+
+        self.taa_results.append(result)
+        return result
+
+    def evaluate_taa_from_tsv(
+        self,
+        filepath: str = "cti-bench/data/cti-taa.tsv",
+        limit: int = None,
+        interactive: bool = True,
+    ) -> pd.DataFrame:
+        """
+        Evaluate identify_threat_actors tool on CTI-TAA benchmark.
+
+        Since CTI-TAA has no ground truth labels, this generates predictions
+        that need manual validation.
+
+        Args:
+            filepath: Path to CTI-TAA TSV file
+            limit: Optional limit on number of samples to evaluate
+            interactive: If True, prompts for manual validation after each prediction
+
+        Returns:
+            DataFrame with results for each sample
+        """
+        print(f"\n{'='*80}")
+        print(f"Evaluating identify_threat_actors tool on CTI-TAA benchmark")
+        print(f"{'='*80}\n")
+
+        if not interactive:
+            print("NOTE: Running in non-interactive mode.")
+            print("Predictions will be saved for manual review later.")
+        else:
+            print("NOTE: Running in interactive mode.")
+            print("You will be asked to validate each prediction (y/n/s to skip).")
+
+        # Load benchmark
+        df = pd.read_csv(filepath, sep="\t")
+
+        if limit:
+            df = df.head(limit)
+
+        print(f"\nLoaded {len(df)} samples from {filepath}")
+        print(f"Starting evaluation...\n")
+
+        # Evaluate each sample
+        for idx, row in df.iterrows():
+            try:
+                print(f"\n{'-'*80}")
+                print(f"Sample {idx + 1}/{len(df)}")
+                print(f"URL: {row['URL']}")
+                print(f"Report snippet: {row['Text'][:200]}...")
+                print(f"{'-'*80}")
+
+                # Call the identify_threat_actors tool
+                tool_output = self.cti_tools.identify_threat_actors(row["Text"])
+
+                # Extract predicted actor
+                predicted_actor = self.extract_actor_from_output(tool_output)
+
+                print(f"\nTOOL OUTPUT:")
+                print(tool_output[:600])
+                if len(tool_output) > 600:
+                    print("... (truncated)")
+
+                print(
+                    f"\nEXTRACTED ACTOR: {predicted_actor if predicted_actor else '(none detected)'}"
+                )
+
+                # Manual validation
+                is_correct = None
+                validator_notes = ""
+
+                if interactive:
+                    print(f"\nIs this attribution correct?")
+                    print(f"  y = Yes, correct")
+                    print(f"  n = No, incorrect")
+                    print(
+                        f"  p = Partially correct (e.g., right family but wrong specific group)"
+                    )
+                    print(f"  s = Skip this sample")
+                    print(f"  q = Quit evaluation")
+
+                    while True:
+                        response = input("\nYour answer [y/n/p/s/q]: ").strip().lower()
+
+                        if response == "y":
+                            is_correct = True
+                            break
+                        elif response == "n":
+                            is_correct = False
+                            correct_actor = input(
+                                "What is the correct actor? (optional): "
+                            ).strip()
+                            if correct_actor:
+                                validator_notes = f"Correct actor: {correct_actor}"
+                            break
+                        elif response == "p":
+                            is_correct = 0.5  # Partial credit
+                            note = input("Explanation (optional): ").strip()
+                            if note:
+                                validator_notes = f"Partially correct: {note}"
+                            break
+                        elif response == "s":
+                            print("Skipping this sample...")
+                            break
+                        elif response == "q":
+                            print("Quitting evaluation...")
+                            return pd.DataFrame(self.taa_results)
+                        else:
+                            print("Invalid response. Please enter y, n, p, s, or q.")
+
+                # Store result
+                result = {
+                    "sample_id": row["URL"],
+                    "report_snippet": row["Text"][:100] + "...",
+                    "tool_output": tool_output[:500] + "...",
+                    "predicted_actor": predicted_actor,
+                    "is_correct": is_correct,
+                    "validator_notes": validator_notes,
+                    "needs_review": is_correct is None,
+                }
+
+                self.taa_results.append(result)
+
+            except Exception as e:
+                print(f"Error on sample {idx}: {e}")
+                continue
+
+        results_df = pd.DataFrame(self.taa_results)
+
+        print(f"\n{'='*80}")
+        print(f"Completed evaluation of {len(self.taa_results)} samples")
+
+        if interactive:
+            validated = sum(1 for r in self.taa_results if r["is_correct"] is not None)
+            print(f"Validated: {validated}/{len(self.taa_results)}")
+
+        return results_df
+
+    def _extract_ground_truths_from_urls(self, urls: List[str]) -> Dict[str, str]:
+        """
+        Extract ground truth actor names from URLs.
+
+        Args:
+            urls: List of URLs from the benchmark
+
+        Returns:
+            Dictionary mapping URL to actor name
+        """
+        # Known threat actors and their URL patterns
+        actor_patterns = {
+            "sidecopy": "SideCopy",
+            "apt29": "APT29",
+            "apt36": "APT36",
+            "transparent-tribe": "Transparent Tribe",
+            "emotet": "Emotet",
+            "bandook": "Bandook",
+            "stately-taurus": "Stately Taurus",
+            "mustang-panda": "Mustang Panda",
+            "bronze-president": "Bronze President",
+            "cozy-bear": "APT29",
+            "nobelium": "APT29",
+        }
+
+        ground_truths = {}
+        for url in urls:
+            url_lower = url.lower()
+            for pattern, actor in actor_patterns.items():
+                if pattern in url_lower:
+                    ground_truths[url] = actor
+                    break
+
+        return ground_truths
+
+    def get_taa_summary(self) -> Dict:
+        """
+        Get summary statistics for CTI-TAA evaluation.
+
+        Returns:
+            Dictionary with accuracy and validation status
+        """
+        if not self.taa_results:
+            return {}
+
+        df = pd.DataFrame(self.taa_results)
+
+        # Only calculate metrics for validated samples
+        validated_df = df[df["is_correct"].notna()]
+
+        if len(validated_df) == 0:
+            return {
+                "total_samples": len(df),
+                "validated_samples": 0,
+                "needs_review": len(df),
+                "message": "No samples have been validated yet",
+            }
+
+        # Calculate accuracy (treating partial credit as 0.5)
+        total_score = validated_df["is_correct"].sum()
+        accuracy = total_score / len(validated_df) if len(validated_df) > 0 else 0.0
+
+        # Count correct, incorrect, partial
+        correct = sum(1 for x in validated_df["is_correct"] if x == True)
+        incorrect = sum(1 for x in validated_df["is_correct"] if x == False)
+        partial = sum(1 for x in validated_df["is_correct"] if x == 0.5)
+
+        return {
+            "accuracy": accuracy,
+            "total_samples": len(df),
+            "validated_samples": len(validated_df),
+            "needs_review": len(df) - len(validated_df),
+            "correct": correct,
+            "incorrect": incorrect,
+            "partial": partial,
+        }
+
+    # ==================== Utility Functions ====================
+
+    def export_results(self, output_dir: str = "./tool_evaluation_results"):
+        """
+        Export evaluation results to CSV and JSON files.
+
+        Args:
+            output_dir: Directory to save results
+        """
+        output_path = Path(output_dir)
+        output_path.mkdir(exist_ok=True)
+
+        if self.ate_results:
+            ate_df = pd.DataFrame(self.ate_results)
+            ate_df.to_csv(
+                output_path / "extract_mitre_techniques_results.csv", index=False
+            )
+
+            ate_summary = self.get_ate_summary()
+            with open(output_path / "extract_mitre_techniques_summary.json", "w") as f:
+                json.dump(ate_summary, f, indent=2)
+
+            print(f"ATE results saved to {output_path}")
+
+        if self.taa_results:
+            taa_df = pd.DataFrame(self.taa_results)
+            taa_df.to_csv(
+                output_path / "identify_threat_actors_results.csv", index=False
+            )
+
+            taa_summary = self.get_taa_summary()
+            with open(output_path / "identify_threat_actors_summary.json", "w") as f:
+                json.dump(taa_summary, f, indent=2)
+
+            print(f"TAA results saved to {output_path}")
+
+    def print_summary(self):
+        """Print summary of both tool evaluations."""
+        print("\n" + "=" * 80)
+        print("extract_mitre_techniques Tool Evaluation (CTI-ATE)")
+        print("=" * 80)
+
+        ate_summary = self.get_ate_summary()
+        if ate_summary:
+            print(f"Total Samples: {ate_summary['total_samples']}")
+            print(f"\nMacro Averages (per-sample average):")
+            print(f"  Precision: {ate_summary['macro_precision']:.4f}")
+            print(f"  Recall:    {ate_summary['macro_recall']:.4f}")
+            print(f"  F1 Score:  {ate_summary['macro_f1']:.4f}")
+            print(f"\nMicro Averages (overall corpus):")
+            print(f"  Precision: {ate_summary['micro_precision']:.4f}")
+            print(f"  Recall:    {ate_summary['micro_recall']:.4f}")
+            print(f"  F1 Score:  {ate_summary['micro_f1']:.4f}")
+            print(f"\nConfusion Matrix:")
+            print(f"  True Positives:  {ate_summary['total_tp']}")
+            print(f"  False Positives: {ate_summary['total_fp']}")
+            print(f"  False Negatives: {ate_summary['total_fn']}")
+        else:
+            print("No results available.")
+
+        print("\n" + "=" * 80)
+        print("identify_threat_actors Tool Evaluation (CTI-TAA)")
+        print("=" * 80)
+
+        taa_summary = self.get_taa_summary()
+        if taa_summary:
+            print(f"Total Samples: {taa_summary['total_samples']}")
+            print(
+                f"Accuracy: {taa_summary['accuracy']:.4f} ({taa_summary['accuracy']*100:.2f}%)"
+            )
+            print(f"Correct: {taa_summary['correct']}")
+            print(f"Incorrect: {taa_summary['incorrect']}")
+        else:
+            print("No results available.")
+
+        print("=" * 80 + "\n")
+
+
+# ==================== Main Evaluation Script ====================
+
+if __name__ == "__main__":
+    """Run evaluation on both CTI tools."""
+
+    # Initialize evaluator
+    print("Initializing CTI Tools Evaluator...")
+    evaluator = CTIToolsEvaluator()
+
+    # Define threat actor aliases for TAA evaluation
+    aliases = {
+        "apt29": ["cozy bear", "the dukes", "nobelium", "yttrium"],
+        "apt36": ["transparent tribe", "mythic leopard"],
+        "sidecopy": [],
+        "emotet": [],
+        "stately taurus": ["mustang panda", "bronze president"],
+        "bandook": [],
+    }
+
+    # Evaluate extract_mitre_techniques tool (CTI-ATE)
+    print("\n" + "=" * 80)
+    print("PART 1: Evaluating extract_mitre_techniques tool")
+    print("=" * 80)
+    try:
+        ate_results = evaluator.evaluate_ate_from_tsv(
+            filepath="cti-bench/data/cti-ate.tsv"
+        )
+    except Exception as e:
+        print(f"Error evaluating ATE: {e}")
+
+    # Evaluate identify_threat_actors tool (CTI-TAA)
+    print("\n" + "=" * 80)
+    print("PART 2: Evaluating identify_threat_actors tool")
+    print("=" * 80)
+    try:
+        taa_results = evaluator.evaluate_taa_from_tsv(
+            filepath="cti-bench/data/cti-taa.tsv", limit=25, interactive=True
+        )
+    except Exception as e:
+        print(f"Error evaluating TAA: {e}")
+
+    # Print summary
+    evaluator.print_summary()
+
+    # Export results
+    evaluator.export_results("./tool_evaluation_results")
+
+    print("\nEvaluation complete! Results saved to ./tool_evaluation_results/")

src/agents/cti_agent/cti_agent.py

@@ -0,0 +1,920 @@
+import os
+import re
+import time
+from typing import List, Dict, Any, Optional, Sequence, Annotated
+from typing_extensions import TypedDict
+
+from langchain.chat_models import init_chat_model
+from langchain_core.prompts import ChatPromptTemplate
+from langchain_tavily import TavilySearch
+from langgraph.graph import END, StateGraph, START
+from langgraph.graph.message import add_messages
+from langchain_core.messages import BaseMessage, HumanMessage, AIMessage
+# from langsmith.integrations.otel import configure
+from langsmith import traceable, Client, get_current_run_tree
+from dotenv import load_dotenv
+
+from src.agents.cti_agent.config import (
+    MODEL_NAME,
+    CTI_SEARCH_CONFIG,
+    CTI_PLANNER_PROMPT,
+    CTI_REGEX_PATTERN,
+    REPLAN_PROMPT,
+)
+from src.agents.cti_agent.cti_tools import CTITools
+
+load_dotenv()
+
+# configure(
+#     project_name=os.getenv("LANGSMITH_PROJECT", "cti-agent-project"),
+#     api_key=os.getenv("LANGSMITH_API_KEY")
+# )
+
+ls_client = Client(api_key=os.getenv("LANGSMITH_API_KEY"))
+
+class CTIState(TypedDict):
+    """State definition for CTI agent for ReWOO planning."""
+
+    task: str
+    plan_string: str
+    steps: List
+    results: dict
+    structured_intelligence: dict
+    result: str
+    replans: int  # Track number of replans
+    last_step_quality: str  # "correct", "ambiguous", or "incorrect"
+    correction_reason: str  # Why we need to replan
+
+
+# Messages-based state for supervisor compatibility
+class CTIMessagesState(TypedDict):
+    messages: Annotated[Sequence[BaseMessage], add_messages]
+
+
+class CTIAgent:
+    """CTI Agent with specialized threat intelligence tools."""
+
+    def __init__(self):
+        """Initialize the CTI Agent with LLM and tools."""
+        self.llm = init_chat_model(
+            MODEL_NAME,
+            temperature=0.1,
+        )
+
+        # Initialize specialized search for CTI
+        search_config = {**CTI_SEARCH_CONFIG, "api_key": os.getenv("TAVILY_API_KEY")}
+        self.cti_search = TavilySearch(**search_config)
+
+        # Initialize CTI tools
+        self.cti_tools = CTITools(self.llm, self.cti_search)
+
+        # Create the planner
+        prompt_template = ChatPromptTemplate.from_messages(
+            [("user", CTI_PLANNER_PROMPT)]
+        )
+        self.planner = prompt_template | self.llm
+
+        # Build the internal CTI graph (task-based)
+        self.app = self._build_graph()
+
+        # Build a messages-based wrapper graph for supervisor compatibility
+        self.agent = self._build_messages_graph()
+
+    @traceable(name="cti_planner")
+    def _get_plan(self, state: CTIState) -> Dict[str, Any]:
+        """
+        Planner node: Creates a step-by-step CTI research plan.
+
+        Args:
+            state: Current state containing the task
+
+        Returns:
+            Dictionary with extracted steps and plan string
+        """
+        task = state["task"]
+        result = self.planner.invoke({"task": task})
+        result_text = result.content if hasattr(result, "content") else str(result)
+        matches = re.findall(CTI_REGEX_PATTERN, result_text)
+        return {"steps": matches, "plan_string": result_text}
+
+    def _get_current_task(self, state: CTIState) -> Optional[int]:
+        """
+        Get the current task number to execute.
+
+        Args:
+            state: Current state
+
+        Returns:
+            Task number (1-indexed) or None if all tasks completed
+        """
+        if "results" not in state or state["results"] is None:
+            return 1
+        if len(state["results"]) == len(state["steps"]):
+            return None
+        else:
+            return len(state["results"]) + 1
+
+    def _log_tool_metrics(self, tool_name: str, execution_time: float, success: bool, result_quality: str = None):
+        """Log custom metrics to LangSmith."""
+        try:
+
+            current_run = get_current_run_tree()
+            if current_run:
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="tool_performance",
+                    score=1.0 if success else 0.0,
+                    value={
+                        "tool": tool_name,
+                        "execution_time": execution_time,
+                        "success": success,
+                        "quality": result_quality
+                    }
+                )
+            else:
+                # Log as project-level feedback if no active run
+                ls_client.create_feedback(
+                    project_id=os.getenv("LANGSMITH_PROJECT", "cti-agent-project"),
+                    key="tool_performance",
+                    score=1.0 if success else 0.0,
+                    value={
+                        "tool": tool_name,
+                        "execution_time": execution_time,
+                        "success": success,
+                        "quality": result_quality
+                    }
+                )
+        except Exception as e:
+            print(f"Failed to log metrics: {e}")
+
+
+    @traceable(name="cti_tool_execution")
+    def _tool_execution(self, state: CTIState) -> Dict[str, Any]:
+        """
+        Executor node: Executes the specialized CTI tools for the current step.
+
+        Args:
+            state: Current state
+
+        Returns:
+            Dictionary with updated results
+        """
+        _step = self._get_current_task(state)
+        _, step_name, tool, tool_input = state["steps"][_step - 1]
+
+        _results = (state["results"].copy() or {}) if "results" in state else {}
+
+        # Replace variables in tool input
+        original_tool_input = tool_input
+        for k, v in _results.items():
+            tool_input = tool_input.replace(k, str(v))
+
+        start_time = time.time()
+        success = False
+
+        # Execute the appropriate specialized tool
+        try:
+            if tool == "SearchCTIReports":
+                result = self.cti_tools.search_cti_reports(tool_input)
+            elif tool == "ExtractURL":
+                if "," in original_tool_input:
+                    parts = original_tool_input.split(",", 1)
+                    search_result_ref = parts[0].strip()
+                    index_part = parts[1].strip()
+                else:
+                    search_result_ref = original_tool_input.strip()
+                    index_part = "0"
+
+                # Extract index from index_part
+                index = 0
+                if "second" in index_part.lower():
+                    index = 1
+                elif "third" in index_part.lower():
+                    index = 2
+                elif index_part.isdigit():
+                    index = int(index_part)
+                elif "1" in index_part:
+                    index = 1
+
+                # Get the actual search result from previous results
+                if search_result_ref in _results:
+                    search_result = _results[search_result_ref]
+                    result = self.cti_tools.extract_url_from_search(
+                        search_result, index
+                    )
+                else:
+                    result = f"Error: Could not find search result {search_result_ref} in previous results. Available keys: {list(_results.keys())}"
+            elif tool == "FetchReport":
+                result = self.cti_tools.fetch_report(tool_input)
+            elif tool == "ExtractIOCs":
+                result = self.cti_tools.extract_iocs(tool_input)
+            elif tool == "IdentifyThreatActors":
+                result = self.cti_tools.identify_threat_actors(tool_input)
+            elif tool == "ExtractMITRETechniques":
+                # Parse framework parameter if provided
+                if "," in original_tool_input:
+                    parts = original_tool_input.split(",", 1)
+                    content_ref = parts[0].strip()
+                    framework = parts[1].strip()
+                else:
+                    content_ref = original_tool_input.strip()
+                    framework = "Enterprise"  # Default framework
+
+                # Get content from previous results or use directly
+                if content_ref in _results:
+                    content = _results[content_ref]
+                else:
+                    content = tool_input
+
+                result = self.cti_tools.extract_mitre_techniques(content, framework)
+            elif tool == "LLM":
+                llm_result = self.llm.invoke(tool_input)
+                result = (
+                    llm_result.content
+                    if hasattr(llm_result, "content")
+                    else str(llm_result)
+                )
+            else:
+                result = f"Unknown tool: {tool}"
+        except Exception as e:
+            result = f"Error executing {tool}: {str(e)}"
+
+        _results[step_name] = str(result)
+
+        success = True
+        execution_time = time.time() - start_time
+
+        # Log metrics
+        self._log_tool_metrics(tool, execution_time, success)
+
+        return {"results": _results}
+
+    @traceable(name="cti_solver")
+    def _solve(self, state: CTIState) -> Dict[str, str]:
+        """
+        Solver node: Synthesizes the CTI findings into a comprehensive report.
+
+        Args:
+            state: Current state with all execution results
+
+        Returns:
+            Dictionary with the final CTI intelligence report
+        """
+        # Build comprehensive context with FULL results
+        plan = ""
+        full_results_context = "\n\n" + "=" * 80 + "\n"
+        full_results_context += "COMPLETE EXECUTION RESULTS FOR ANALYSIS:\n"
+        full_results_context += "=" * 80 + "\n\n"
+
+        _results = state.get("results", {}) or {}
+
+        for idx, (plan_desc, step_name, tool, tool_input) in enumerate(
+            state["steps"], 1
+        ):
+            # Replace variable references in inputs for display
+            display_input = tool_input
+            for k, v in _results.items():
+                display_input = display_input.replace(k, f"<{k}>")
+
+            # Build the plan summary (truncated for readability)
+            plan += f"\nStep {idx}: {plan_desc}\n"
+            plan += f"{step_name} = {tool}[{display_input}]\n"
+
+            # Add result summary to plan (truncated)
+            if step_name in _results:
+                result_preview = str(_results[step_name])[:800]
+                plan += f"Result Preview: {result_preview}...\n"
+            else:
+                plan += "Result: Not executed\n"
+
+            # Add FULL result to separate context section
+            if step_name in _results:
+                full_results_context += f"\n{'─'*80}\n"
+                full_results_context += f"STEP {idx}: {step_name} ({tool})\n"
+                full_results_context += f"{'─'*80}\n"
+                full_results_context += f"INPUT: {display_input}\n\n"
+                full_results_context += f"FULL OUTPUT:\n{_results[step_name]}\n"
+
+        # Create solver prompt with full context
+        prompt = f"""You are a Cyber Threat Intelligence analyst creating a final report.
+    
+        You have access to COMPLETE results from all CTI research steps below.
+        
+        IMPORTANT: 
+        - Use the FULL EXECUTION RESULTS section below - it contains complete, untruncated data
+        - Extract ALL specific IOCs, technique IDs, and actor details from the full results
+        - Do not say "Report contains X IOCs" - actually LIST them from the results
+        - If results contain structured data (JSON), parse and present it clearly
+        
+        {full_results_context}
+        
+        {'='*80}
+        RESEARCH PLAN SUMMARY:
+        {'='*80}
+        {plan}
+        
+        {'='*80}
+        ORIGINAL TASK: {state['task']}
+        {'='*80}
+        
+        Now create a comprehensive threat intelligence report following this structure:
+        
+        ## Intelligence Sources
+        [List the specific reports analyzed with title, source, and date]
+        
+        ## Threat Actors & Attribution
+        [Present actual threat actor names, aliases, and campaign names found]
+        [Include specific attribution details and confidence levels]
+        
+        ## MITRE ATT&CK Techniques Identified
+        [List specific technique IDs (T####) and names found in the reports]
+        [Provide brief description of what each technique means and why it's relevant]
+        
+        ## Indicators of Compromise (IOCs) Retrieved
+        [Present actual IOCs extracted from reports - be specific and comprehensive]
+        
+        ### IP Addresses
+        [List all IPs found, or state "None identified"]
+        
+        ### Domains
+        [List all domains found, or state "None identified"]
+        
+        ### File Hashes
+        [List all hashes with types, or state "None identified"]
+        
+        ### URLs
+        [List all malicious URLs, or state "None identified"]
+        
+        ### Email Addresses
+        [List all email patterns, or state "None identified"]
+        
+        ### File Names
+        [List all malicious file names, or state "None identified"]
+        
+        ### Other Indicators
+        [List any other indicators like registry keys, mutexes, etc.]
+        
+        ## Attack Patterns & Campaign Details
+        [Describe specific attack flows and methods detailed in reports]
+        [Include timeline information if available]
+        [Note targeting information - industries, regions, etc.]
+        
+        ## Key Findings Summary
+        [Provide 3-5 bullet points of the most critical findings]
+        
+        ## Intelligence Gaps
+        [Note what information was NOT available in the reports]
+        
+        ---
+        
+        **CRITICAL INSTRUCTIONS:**
+        1. Extract data from the FULL EXECUTION RESULTS section above
+        2. If ExtractIOCs results are in JSON format, parse and list all IOCs
+        3. If IdentifyThreatActors results contain Q&A format, extract all answers
+        4. If ExtractMITRETechniques results contain technique IDs, list ALL of them
+        5. Be comprehensive - don't summarize when you have specific data
+        6. If you cannot find specific data in results, clearly state what's missing
+        """
+
+        # Invoke LLM with context
+        result = self.llm.invoke(prompt)
+        result_text = result.content if hasattr(result, "content") else str(result)
+
+        return {"result": result_text}
+
+    # Helper method to better structure results
+    def _structure_results_for_solver(self, state: CTIState) -> str:
+        """
+        Helper method to structure results in a more accessible format for the solver.
+
+        Returns:
+            Formatted string with categorized results
+        """
+        _results = state.get("results", {}) or {}
+
+        structured = {
+            "searches": [],
+            "reports": [],
+            "iocs": [],
+            "actors": [],
+            "techniques": [],
+        }
+
+        # Categorize results by tool type
+        for step_name, result in _results.items():
+            # Find which tool produced this result
+            for _, sname, tool, _ in state["steps"]:
+                if sname == step_name:
+                    if tool == "SearchCTIReports":
+                        structured["searches"].append(
+                            {"step": step_name, "result": result}
+                        )
+                    elif tool == "FetchReport":
+                        structured["reports"].append(
+                            {"step": step_name, "result": result}
+                        )
+                    elif tool == "ExtractIOCs":
+                        structured["iocs"].append({"step": step_name, "result": result})
+                    elif tool == "IdentifyThreatActors":
+                        structured["actors"].append(
+                            {"step": step_name, "result": result}
+                        )
+                    elif tool == "ExtractMITRETechniques":
+                        structured["techniques"].append(
+                            {"step": step_name, "result": result}
+                        )
+                    break
+
+        # Format into readable sections
+        output = []
+
+        if structured["iocs"]:
+            output.append("\n" + "=" * 80)
+            output.append("EXTRACTED IOCs (Indicators of Compromise):")
+            output.append("=" * 80)
+            for item in structured["iocs"]:
+                output.append(f"\nFrom {item['step']}:")
+                output.append(str(item["result"]))
+
+        if structured["actors"]:
+            output.append("\n" + "=" * 80)
+            output.append("IDENTIFIED THREAT ACTORS:")
+            output.append("=" * 80)
+            for item in structured["actors"]:
+                output.append(f"\nFrom {item['step']}:")
+                output.append(str(item["result"]))
+
+        if structured["techniques"]:
+            output.append("\n" + "=" * 80)
+            output.append("EXTRACTED MITRE ATT&CK TECHNIQUES:")
+            output.append("=" * 80)
+            for item in structured["techniques"]:
+                output.append(f"\nFrom {item['step']}:")
+                output.append(str(item["result"]))
+
+        if structured["reports"]:
+            output.append("\n" + "=" * 80)
+            output.append("FETCHED REPORTS (for context):")
+            output.append("=" * 80)
+            for item in structured["reports"]:
+                output.append(f"\nFrom {item['step']}:")
+                # Truncate report content but keep IOC sections visible
+                report_text = str(item["result"])
+                output.append(
+                    report_text[:2000] + "..."
+                    if len(report_text) > 2000
+                    else report_text
+                )
+
+        return "\n".join(output)
+
+    def _route(self, state: CTIState) -> str:
+        """
+        Routing function to determine next node.
+
+        Args:
+            state: Current state
+
+        Returns:
+            Next node name: "solve" or "tool"
+        """
+        _step = self._get_current_task(state)
+        if _step is None:
+            return "solve"
+        else:
+            return "tool"
+
+    @traceable(name="cti_evaluator")
+    def _evaluate_result(self, state: CTIState) -> Dict[str, Any]:
+        """
+        Evaluator node: Assesses quality of the last tool execution result.
+
+        Returns:
+            Dictionary with quality assessment and correction needs
+        """
+        _step = len(state.get("results", {}))
+        if _step == 0:
+            return {"last_step_quality": "correct"}
+
+        current_step = state["steps"][_step - 1]
+        _, step_name, tool, tool_input = current_step
+        result = state["results"][step_name]
+
+        # Evaluation prompt
+        eval_prompt = f"""Evaluate if this CTI tool execution retrieved ACTUAL threat intelligence:
+    
+        Tool: {tool}
+        Input: {tool_input}
+        Result: {result[:1000]}
+        
+        Quality Criteria for Web Search:
+        - CORRECT: Retrieved specific IOCs, technique IDs, actor names. A website that doesn't have the name of the actor or IOCs is not sufficient.
+        - AMBIGUOUS: Retrieved general security content but lacks specific CTI details
+        - INCORRECT: Retrieved irrelevant content, errors, or marketing material
+        
+        Quality Criteria for MITER Extraction:
+        - CORRECT: Extracted valid MITRE ATT&CK technique IDs (e.g., T1234) or tactics (e.g., Initial Access)
+        - AMBIGUOUS: Extracted general security terms but no valid technique IDs or tactics
+        - INCORRECT: Extracted irrelevant content or no valid techniques/tactics
+        
+        Respond with ONLY one word: CORRECT, AMBIGUOUS, or INCORRECT
+        
+        If AMBIGUOUS or INCORRECT, also provide a brief reason (1 sentence).
+        Format: QUALITY: [reason if needed]"""
+
+        eval_result = self.llm.invoke(eval_prompt)
+        eval_text = (
+            eval_result.content if hasattr(eval_result, "content") else str(eval_result)
+        )
+
+        # Parse evaluation
+        quality = "correct"
+        reason = ""
+
+        if "INCORRECT" in eval_text.upper():
+            quality = "incorrect"
+            reason = eval_text.split("INCORRECT:")[-1].strip()[:200]
+        elif "AMBIGUOUS" in eval_text.upper():
+            quality = "ambiguous"
+            reason = eval_text.split("AMBIGUOUS:")[-1].strip()[:200]
+
+        return {"last_step_quality": quality, "correction_reason": reason}
+
+    def _replan(self, state: CTIState) -> Dict[str, Any]:
+        """
+        Replanner node: Creates corrected plan when results are inadequate.
+        """
+        replans = state.get("replans", 0)
+
+        # Limit replanning attempts
+        if replans >= 3:
+            return {"replans": replans, "replan_status": "max_attempts_reached"}
+
+        _step = len(state.get("results", {}))
+        failed_step = state["steps"][_step - 1]
+        _, step_name, tool, tool_input = failed_step
+
+        # Store replan context for display
+        replan_context = {
+            "failed_step_number": _step,
+            "failed_tool": tool,
+            "failed_input": tool_input[:100],
+            "problem": state.get("correction_reason", "Quality issues"),
+            "original_plan": failed_step[0],
+        }
+
+        replan_prompt = REPLAN_PROMPT.format(
+            task=state["task"],
+            failed_step=failed_step[0],
+            step_name=step_name,
+            tool=tool,
+            tool_input=tool_input,
+            results=state["results"][step_name][:500],
+            problem=state["correction_reason"],
+            completed_steps=self._format_completed_steps(state),
+            step=_step,
+        )
+
+        replan_result = self.llm.invoke(replan_prompt)
+        replan_text = (
+            replan_result.content
+            if hasattr(replan_result, "content")
+            else str(replan_result)
+        )
+
+        # Store the replan thinking for display
+        replan_context["replan_thinking"] = (
+            replan_text[:500] + "..." if len(replan_text) > 500 else replan_text
+        )
+
+        # Parse new step
+        import re
+
+        matches = re.findall(CTI_REGEX_PATTERN, replan_text)
+
+        if matches:
+            new_plan, new_step_name, new_tool, new_tool_input = matches[0]
+
+            # Store the correction details
+            replan_context["corrected_plan"] = new_plan
+            replan_context["corrected_tool"] = new_tool
+            replan_context["corrected_input"] = new_tool_input[:100]
+            replan_context["success"] = True
+
+            # Replace the failed step with corrected version
+            new_steps = state["steps"].copy()
+            new_steps[_step - 1] = matches[0]
+
+            # Remove the failed result so it gets re-executed
+            new_results = state["results"].copy()
+            del new_results[step_name]
+
+            return {
+                "steps": new_steps,
+                "results": new_results,
+                "replans": replans + 1,
+                "replan_context": replan_context,
+            }
+        else:
+            replan_context["success"] = False
+            replan_context["error"] = "Failed to parse corrected plan"
+
+        return {"replans": replans + 1, "replan_context": replan_context}
+
+    def _format_completed_steps(self, state: CTIState) -> str:
+        """Helper to format completed steps for replanning context."""
+        output = []
+        for step in state["steps"][: len(state.get("results", {}))]:
+            plan, step_name, tool, tool_input = step
+            if step_name in state["results"]:
+                output.append(f"{step_name} = {tool}[{tool_input}] ✓")
+        return "\n".join(output)
+
+    def _route_after_tool(self, state: CTIState) -> str:
+        """Route to evaluator only after specific tools that retrieve external content."""
+        _step = len(state.get("results", {}))
+        if _step == 0:
+            return "evaluate"
+
+        current_step = state["steps"][_step - 1]
+        _, step_name, tool, tool_input = current_step
+
+        tools_to_evaluate = ["SearchCTIReports", "ExtractMITRETechniques"]
+
+        if tool in tools_to_evaluate:
+            return "evaluate"
+        else:
+            # Skip evaluation for extraction/analysis tools
+            _next_step = self._get_current_task(state)
+            if _next_step is None:
+                return "solve"
+            else:
+                return "tool"
+
+    def _route_after_eval(self, state: CTIState) -> str:
+        """Route based on evaluation: replan, continue, or solve."""
+        quality = state.get("last_step_quality", "correct")
+
+        # Check if all steps are complete
+        _step = self._get_current_task(state)
+
+        if quality in ["ambiguous", "incorrect"]:
+            # Need to replan this step
+            return "replan"
+        elif _step is None:
+            # All steps complete and quality is good
+            return "solve"
+        else:
+            # Continue to next tool
+            return "tool"
+
+    def _build_graph(self) -> StateGraph:
+        """Build graph with corrective feedback loop."""
+        graph = StateGraph(CTIState)
+
+        # Add nodes
+        graph.add_node("plan", self._get_plan)
+        graph.add_node("tool", self._tool_execution)
+        graph.add_node("evaluate", self._evaluate_result)
+        graph.add_node("replan", self._replan)
+        graph.add_node("solve", self._solve)
+
+        # Add edges
+        graph.add_edge(START, "plan")
+        graph.add_edge("plan", "tool")
+        graph.add_edge("replan", "tool")
+        graph.add_edge("solve", END)
+
+        # Conditional routing
+        graph.add_conditional_edges("tool", self._route_after_tool)
+        graph.add_conditional_edges("evaluate", self._route_after_eval)
+
+        return graph.compile(name="cti_agent")
+
+    # --- Messages-based wrapper for supervisor ---
+    def _messages_node(self, state: CTIMessagesState) -> Dict[str, List[AIMessage]]:
+        """Adapter node: take messages input, run CTI pipeline, return AI message.
+
+        This allows the CTI agent to plug into a messages-based supervisor.
+        """
+        # Find the latest human message content as the task
+        task_text = None
+        for msg in reversed(state.get("messages", [])):
+            if isinstance(msg, HumanMessage):
+                task_text = msg.content
+                break
+        if not task_text and state.get("messages"):
+            # Fallback: use the last message content
+            task_text = state["messages"][-1].content
+        if not task_text:
+            task_text = "Provide cyber threat intelligence based on the context."
+
+        # Run the internal CTI graph and extract final report text
+        final_chunk = None
+        for chunk in self.app.stream({"task": task_text}):
+            final_chunk = chunk
+
+        content = ""
+        if isinstance(final_chunk, dict):
+            solve_part = final_chunk.get("solve", {}) if final_chunk else {}
+            content = solve_part.get("result", "") if isinstance(solve_part, dict) else ""
+        if not content:
+            # As a fallback, try a direct invoke to get final aggregated state
+            try:
+                agg_state = self.app.invoke({"task": task_text})
+                if isinstance(agg_state, dict):
+                    content = agg_state.get("result", "") or ""
+            except Exception:
+                pass
+        if not content:
+            content = "CTI agent completed, but no final report was produced."
+
+        return {"messages": [AIMessage(content=content, name="cti_agent")]}
+
+    def _build_messages_graph(self):
+        """Build a minimal messages-based wrapper graph for supervisor usage."""
+        graph = StateGraph(CTIMessagesState)
+        graph.add_node("cti_adapter", self._messages_node)
+        graph.add_edge(START, "cti_adapter")
+        graph.add_edge("cti_adapter", END)
+        return graph.compile(name="cti_agent")
+
+    @traceable(name="cti_agent_full_run")
+    def run(self, task: str) -> Dict[str, Any]:
+        """
+        Run the CTI agent on a given task.
+
+        Args:
+            task: The CTI research task/question to solve
+
+        Returns:
+            Final state after execution with comprehensive threat intelligence
+        """
+        run_metadata = {
+            "task": task,
+            "agent_version": "1.0",
+            "timestamp": time.time()
+        }
+
+        try:
+            final_state = None
+            for state in self.app.stream({"task": task}):
+                final_state = state
+
+            # Log successful completion
+            ls_client.create_feedback(
+                run_id=None,
+                key="run_completion",
+                score=1.0,
+                value={"status": "completed", "final_result_length": len(str(final_state))}
+            )
+
+            return final_state
+
+        except Exception as e:
+            # Log failure
+            ls_client.create_feedback(
+                run_id=None,
+                key="run_completion",
+                score=0.0,
+                value={"status": "failed", "error": str(e)}
+            )
+            raise
+
+    def stream(self, task: str):
+        """
+        Stream the CTI agent execution for a given task.
+
+        Args:
+            task: The CTI research task/question to solve
+
+        Yields:
+            State updates during execution
+        """
+        for state in self.app.stream({"task": task}):
+            yield state
+
+
+def format_cti_output(state: Dict[str, Any]) -> str:
+    """Format the CTI agent output for better readability."""
+    output = []
+
+    for node_name, node_data in state.items():
+        output.append(f"\n **{node_name.upper()} PHASE**")
+        output.append("-" * 80)
+
+        if node_name == "plan":
+            if "plan_string" in node_data:
+                output.append("\n**Research Plan:**")
+                output.append(node_data["plan_string"])
+
+            if "steps" in node_data and node_data["steps"]:
+                output.append("\n**Planned Steps:**")
+                for i, (plan, step_name, tool, tool_input) in enumerate(
+                    node_data["steps"], 1
+                ):
+                    output.append(f"\n  Step {i}: {plan}")
+                    output.append(f"  {step_name} = {tool}[{tool_input[:100]}...]")
+
+        elif node_name == "tool":
+            if "results" in node_data:
+                output.append("\n**Tool Execution Results:**")
+                for step_name, result in node_data["results"].items():
+                    output.append(f"\n  {step_name}:")
+                    result_str = str(result)
+                    output.append(f"    {result_str}")
+
+        elif node_name == "evaluate":
+            # Show evaluation details
+            quality = node_data.get("last_step_quality", "unknown")
+            reason = node_data.get("correction_reason", "")
+
+            output.append(f"**Quality Assessment:** {quality.upper()}")
+
+            if reason:
+                output.append(f"**Reason:** {reason}")
+
+            # Determine next action based on quality
+            if quality in ["ambiguous", "incorrect"]:
+                output.append("**Decision:** Step needs correction - triggering replan")
+            elif quality == "correct":
+                output.append("**Decision:** Step quality acceptable - continuing")
+            else:
+                output.append(f"**Decision:** Quality assessment: {quality}")
+
+        elif node_name == "replan":
+            replans = node_data.get("replans", 0)
+            output.append(f"**Replan Attempt:** {replans}")
+
+            replan_context = node_data.get("replan_context", {})
+
+            if replans >= 3:
+                output.append("**Status:** Maximum replan attempts reached")
+                output.append("**Action:** Proceeding with current results")
+            elif replan_context:
+                # Show detailed replan thinking
+                output.append(
+                    f"**Failed Step:** {replan_context.get('failed_step_number', 'Unknown')}"
+                )
+                output.append(
+                    f"**Problem:** {replan_context.get('problem', 'Quality issues')}"
+                )
+                output.append(
+                    f"**Original Tool:** {replan_context.get('failed_tool', 'Unknown')}[{replan_context.get('failed_input', '...')}]"
+                )
+
+                if "replan_thinking" in replan_context:
+                    output.append(f"**Replan Analysis:**")
+                    output.append(f"  {replan_context['replan_thinking']}")
+
+                if replan_context.get("success", False):
+                    output.append(
+                        f"**Corrected Plan:** {replan_context.get('corrected_plan', 'Unknown')}"
+                    )
+                    output.append(
+                        f"**New Tool:** {replan_context.get('corrected_tool', 'Unknown')}[{replan_context.get('corrected_input', '...')}]"
+                    )
+                    output.append("**Status:** Successfully generated improved plan")
+                    output.append(
+                        "**Action:** Step will be re-executed with new approach"
+                    )
+                else:
+                    output.append(
+                        f"**Error:** {replan_context.get('error', 'Unknown error')}"
+                    )
+                    output.append("**Status:** Failed to generate valid corrected plan")
+            else:
+                output.append("**Status:** Generating improved plan...")
+                output.append("**Action:** Step will be re-executed with new approach")
+
+        elif node_name == "solve":
+            if "result" in node_data:
+                output.append("\n**FINAL THREAT INTELLIGENCE REPORT:**")
+                output.append("=" * 80)
+                output.append(node_data["result"])
+
+        output.append("")
+
+    return "\n".join(output)
+
+
+if __name__ == "__main__":
+    # Example usage demonstrating the enhanced CTI capabilities
+    task = """Find comprehensive threat intelligence about recent ransomware attacks targeting healthcare organizations"""
+
+    print("\n" + "=" * 80)
+    print("CTI AGENT - STARTING ANALYSIS")
+    print("=" * 80)
+    print(f"\nTask: {task}\n")
+
+    # Initialize the agent
+    agent = CTIAgent()
+
+    # Stream the execution and display results
+    for state in agent.stream(task):
+        formatted_output = format_cti_output(state)
+        print(formatted_output)
+        print("\n" + "-" * 80 + "\n")
+
+    print("\nCTI ANALYSIS COMPLETED!")
+    print("=" * 80 + "\n")

src/agents/cti_agent/cti_tools.py

@@ -0,0 +1,263 @@
+import json
+
+import requests
+from langchain_tavily import TavilySearch
+from langchain.chat_models import init_chat_model
+from langsmith import traceable
+
+from src.agents.cti_agent.config import (
+    IOC_EXTRACTION_PROMPT,
+    THREAT_ACTOR_PROMPT,
+    MITRE_EXTRACTION_PROMPT,
+)
+
+
+class CTITools:
+    """Collection of specialized tools for CTI analysis."""
+
+    def __init__(self, llm, search: TavilySearch):
+        """
+        Initialize CTI tools.
+
+        Args:
+            llm: Language model for analysis
+            search: Search tool for finding CTI reports
+        """
+        self.llm = llm
+        self.search = search
+
+    @traceable(name="cti_search_reports")
+    def search_cti_reports(self, query: str) -> str:
+        """
+        Specialized search for CTI reports with enhanced queries.
+
+        Args:
+            query: Search query for CTI reports
+
+        Returns:
+            JSON string with search results
+        """
+        try:
+            # Enhance query with CTI-specific terms if not already present
+            enhanced_query = query
+            if "report" not in query.lower() and "analysis" not in query.lower():
+                enhanced_query = f"{query} threat intelligence report"
+
+            results = self.search.invoke(enhanced_query)
+
+            # Format results for better parsing
+            formatted_results = {
+                "query": enhanced_query,
+                "found": len(results.get("results", [])),
+                "reports": [],
+            }
+
+            for idx, result in enumerate(results.get("results", [])[:5]):
+                formatted_results["reports"].append(
+                    {
+                        "index": idx + 1,
+                        "title": result.get("title", "No title"),
+                        "url": result.get("url", ""),
+                        "snippet": result.get("content", "")[:500],
+                        "score": result.get("score", 0),
+                    }
+                )
+
+            return json.dumps(formatted_results, indent=2)
+        except Exception as e:
+            return json.dumps({"error": str(e), "query": query})
+
+    @traceable(name="cti_extract_url_from_search")
+    def extract_url_from_search(self, search_result: str, index: int = 0) -> str:
+        """
+        Extract a specific URL from search results JSON.
+
+        Args:
+            search_result: JSON string from SearchCTIReports
+            index: Which report URL to extract (default: 0 for first)
+
+        Returns:
+            Extracted URL string
+        """
+        try:
+            import json
+
+            data = json.loads(search_result)
+
+            if "reports" in data and len(data["reports"]) > index:
+                url = data["reports"][index]["url"]
+                return url
+
+            return "Error: No URL found at specified index in search results"
+        except Exception as e:
+            return f"Error extracting URL: {str(e)}"
+
+    @traceable(name="cti_fetch_report")
+    def fetch_report(self, url: str) -> str:
+        """Fetch with universal content cleaning."""
+        try:
+            import requests
+            from bs4 import BeautifulSoup
+            import PyPDF2
+            import io
+
+            headers = {
+                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
+            }
+
+            response = requests.get(url, headers=headers, timeout=30)
+            response.raise_for_status()
+
+            content_type = response.headers.get("content-type", "").lower()
+
+            # Handle PDF files
+            if "pdf" in content_type or url.lower().endswith(".pdf"):
+                try:
+                    pdf_file = io.BytesIO(response.content)
+                    pdf_reader = PyPDF2.PdfReader(pdf_file)
+
+                    text_content = []
+                    # Extract text from first 10 pages (to avoid excessive content)
+                    max_pages = min(len(pdf_reader.pages), 10)
+
+                    for page_num in range(max_pages):
+                        page = pdf_reader.pages[page_num]
+                        page_text = page.extract_text()
+                        if page_text.strip():
+                            text_content.append(page_text)
+
+                    if text_content:
+                        full_text = "\n\n".join(text_content)
+                        # Clean and truncate the text
+                        cleaned_text = self._clean_content(full_text)
+                        return f"PDF Report Content from {url}:\n\n{cleaned_text[:3000]}..."
+                    else:
+                        return f"Could not extract readable text from PDF: {url}"
+
+                except Exception as pdf_error:
+                    return f"Error processing PDF {url}: {str(pdf_error)}"
+
+            # Handle web pages
+            else:
+                soup = BeautifulSoup(response.content, "html.parser")
+
+                # Remove unwanted elements
+                for element in soup(
+                    ["script", "style", "nav", "footer", "header", "aside"]
+                ):
+                    element.decompose()
+
+                # Try to find main content areas
+                main_content = (
+                    soup.find("main")
+                    or soup.find("article")
+                    or soup.find(
+                        "div", class_=["content", "main-content", "post-content"]
+                    )
+                    or soup.find("body")
+                )
+
+                if main_content:
+                    text = main_content.get_text(separator=" ", strip=True)
+                else:
+                    text = soup.get_text(separator=" ", strip=True)
+
+                cleaned_text = self._clean_content(text)
+                return f"Report Content from {url}:\n\n{cleaned_text[:3000]}..."
+
+        except Exception as e:
+            return f"Error fetching report from {url}: {str(e)}"
+
+    def _clean_content(self, text: str) -> str:
+        """Clean and normalize text content."""
+        import re
+
+        # Remove excessive whitespace
+        text = re.sub(r"\s+", " ", text)
+
+        # Remove common navigation/UI text
+        noise_patterns = [
+            r"cookie policy.*?accept",
+            r"privacy policy",
+            r"terms of service",
+            r"subscribe.*?newsletter",
+            r"follow us on",
+            r"share this.*?social",
+            r"back to top",
+            r"skip to.*?content",
+        ]
+
+        for pattern in noise_patterns:
+            text = re.sub(pattern, "", text, flags=re.IGNORECASE)
+
+        # Clean up extra spaces again
+        text = re.sub(r"\s+", " ", text).strip()
+
+        return text
+
+    @traceable(name="cti_extract_iocs")
+    def extract_iocs(self, content: str) -> str:
+        """
+        Extract Indicators of Compromise from report content using LLM.
+
+        Args:
+            content: Report content to analyze
+
+        Returns:
+            Structured IOCs in JSON format
+        """
+        try:
+            prompt = IOC_EXTRACTION_PROMPT.format(content=content)
+            response = self.llm.invoke(prompt)
+            result_text = (
+                response.content if hasattr(response, "content") else str(response)
+            )
+            return result_text
+        except Exception as e:
+            return json.dumps({"error": str(e), "iocs": []})
+
+    @traceable(name="cti_identify_threat_actors")
+    def identify_threat_actors(self, content: str) -> str:
+        """
+        Identify threat actors, APT groups, and campaigns.
+
+        Args:
+            content: Report content to analyze
+
+        Returns:
+            Threat actor identification and attribution
+        """
+        try:
+            prompt = THREAT_ACTOR_PROMPT.format(content=content)
+            response = self.llm.invoke(prompt)
+            result_text = (
+                response.content if hasattr(response, "content") else str(response)
+            )
+            return result_text
+        except Exception as e:
+            return f"Error identifying threat actors: {str(e)}"
+
+    def extract_mitre_techniques(
+        self, content: str, framework: str = "Enterprise"
+    ) -> str:
+        """
+        Extract MITRE ATT&CK techniques from report content using LLM.
+
+        Args:
+            content: Report content to analyze
+            framework: MITRE framework (Enterprise, Mobile, ICS)
+
+        Returns:
+            Structured MITRE techniques in JSON format
+        """
+        try:
+            prompt = MITRE_EXTRACTION_PROMPT.format(
+                content=content, framework=framework
+            )
+            response = self.llm.invoke(prompt)
+            result_text = (
+                response.content if hasattr(response, "content") else str(response)
+            )
+            return result_text
+        except Exception as e:
+            return json.dumps({"error": str(e), "techniques": []})

src/agents/cti_agent/testing_cti_agent.ipynb

@@ -0,0 +1,573 @@
+{
+ "cells": [
+  {
+   "metadata": {},
+   "cell_type": "markdown",
+   "source": "## CTI Agent",
+   "id": "1e014677902bc4a2"
+  },
+  {
+   "metadata": {},
+   "cell_type": "markdown",
+   "source": "## Set up",
+   "id": "57d21ad42c51b7bb"
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:09:48.553649Z",
+     "start_time": "2025-09-24T14:09:40.747722Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "%%capture --no-stderr\n",
+    "%pip install --quiet -U langgraph langchain-community langchain-google-genai langchain-tavily"
+   ],
+   "id": "64e62b8be724effb",
+   "outputs": [
+    {
+     "name": "stderr",
+     "output_type": "stream",
+     "text": [
+      "WARNING: Ignoring invalid distribution ~umpy (D:\\Swinburne University of Technology\\2025\\Swinburne Semester 2 2025\\COS30018 - Intelligent Systems\\Assignment\\Cyber-Agent\\.venv\\Lib\\site-packages)\n",
+      "WARNING: Ignoring invalid distribution ~umpy (D:\\Swinburne University of Technology\\2025\\Swinburne Semester 2 2025\\COS30018 - Intelligent Systems\\Assignment\\Cyber-Agent\\.venv\\Lib\\site-packages)\n",
+      "WARNING: Ignoring invalid distribution ~umpy (D:\\Swinburne University of Technology\\2025\\Swinburne Semester 2 2025\\COS30018 - Intelligent Systems\\Assignment\\Cyber-Agent\\.venv\\Lib\\site-packages)\n",
+      "\n",
+      "[notice] A new release of pip is available: 25.0.1 -> 25.2\n",
+      "[notice] To update, run: python.exe -m pip install --upgrade pip\n"
+     ]
+    }
+   ],
+   "execution_count": 1
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:09:59.629541Z",
+     "start_time": "2025-09-24T14:09:49.858591Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "import getpass\n",
+    "import os\n",
+    "\n",
+    "def set_env_variable(var_name):\n",
+    "    if var_name not in os.environ:\n",
+    "        os.environ[var_name] = getpass.getpass(f\"{var_name}=\")\n",
+    "\n",
+    "set_env_variable(\"GEMINI_API_KEY\")\n",
+    "set_env_variable(\"TAVILY_API_KEY\")"
+   ],
+   "id": "b9b8036f5182062b",
+   "outputs": [],
+   "execution_count": 2
+  },
+  {
+   "metadata": {},
+   "cell_type": "markdown",
+   "source": "### CTI Agent",
+   "id": "b7ccb1c1f41b189"
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:00.191781Z",
+     "start_time": "2025-09-24T14:10:00.135222Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "from typing import List\n",
+    "from typing_extensions import TypedDict\n",
+    "\n",
+    "class ReWOO(TypedDict):\n",
+    "    task: str\n",
+    "    plan_string: str\n",
+    "    steps: List\n",
+    "    results: dict\n",
+    "    result: str"
+   ],
+   "id": "1ff523d16a86a18c",
+   "outputs": [],
+   "execution_count": 3
+  },
+  {
+   "metadata": {},
+   "cell_type": "markdown",
+   "source": "#### Planner",
+   "id": "62b86e7dd440db74"
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:30.386536Z",
+     "start_time": "2025-09-24T14:10:00.376586Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "from langchain_google_genai import GoogleGenerativeAI\n",
+    "\n",
+    "llm = GoogleGenerativeAI(model=\"gemini-2.5-flash\", api_key=os.environ[\"GEMINI_API_KEY\"])"
+   ],
+   "id": "7ee558c30d4e1c2c",
+   "outputs": [
+    {
+     "name": "stderr",
+     "output_type": "stream",
+     "text": [
+      "D:\\Swinburne University of Technology\\2025\\Swinburne Semester 2 2025\\COS30018 - Intelligent Systems\\Assignment\\Cyber-Agent\\.venv\\Lib\\site-packages\\tqdm\\auto.py:21: TqdmWarning: IProgress not found. Please update jupyter and ipywidgets. See https://ipywidgets.readthedocs.io/en/stable/user_install.html\n",
+      "  from .autonotebook import tqdm as notebook_tqdm\n"
+     ]
+    }
+   ],
+   "execution_count": 4
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:30.432069Z",
+     "start_time": "2025-09-24T14:10:30.421360Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "prompt = \"\"\"For the following task, make plans that can solve the problem step by step. For each plan, indicate \\\n",
+    "which external tool together with tool input to retrieve evidence. You can store the evidence into a \\\n",
+    "variable #E that can be called by later tools. (Plan, #E1, Plan, #E2, Plan, ...)\n",
+    "\n",
+    "Tools can be one of the following:\n",
+    "(1) Google[input]: Worker that searches results from Google. Useful when you need to find short\n",
+    "and succinct answers about a specific topic. The input should be a search query.\n",
+    "(2) LLM[input]: A pretrained LLM like yourself. Useful when you need to act with general\n",
+    "world knowledge and common sense. Prioritize it when you are confident in solving the problem\n",
+    "yourself. Input can be any instruction.\n",
+    "\n",
+    "For example,\n",
+    "Task: Thomas, Toby, and Rebecca worked a total of 157 hours in one week. Thomas worked x\n",
+    "hours. Toby worked 10 hours less than twice what Thomas worked, and Rebecca worked 8 hours\n",
+    "less than Toby. How many hours did Rebecca work?\n",
+    "Plan: Given Thomas worked x hours, translate the problem into algebraic expressions and solve\n",
+    "with Wolfram Alpha. #E1 = WolframAlpha[Solve x + (2x − 10) + ((2x − 10) − 8) = 157]\n",
+    "Plan: Find out the number of hours Thomas worked. #E2 = LLM[What is x, given #E1]\n",
+    "Plan: Calculate the number of hours Rebecca worked. #E3 = Calculator[(2 ∗ #E2 − 10) − 8]\n",
+    "\n",
+    "Begin!\n",
+    "Describe your plans with rich details. Each Plan should be followed by only one #E.\n",
+    "\n",
+    "Task: {task}\"\"\""
+   ],
+   "id": "320871448adc80c",
+   "outputs": [],
+   "execution_count": 5
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:30.518680Z",
+     "start_time": "2025-09-24T14:10:30.508496Z"
+    }
+   },
+   "cell_type": "code",
+   "source": "task = \"What are the latest CTI reports of the ATP that uses the T1566.002: Spearphishing Links techniques?\"",
+   "id": "cfbfbc30cd1f2a2d",
+   "outputs": [],
+   "execution_count": 6
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:36.513049Z",
+     "start_time": "2025-09-24T14:10:30.637595Z"
+    }
+   },
+   "cell_type": "code",
+   "source": "result = llm.invoke(prompt.format(task=task))",
+   "id": "cb8c925be339d309",
+   "outputs": [],
+   "execution_count": 7
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:36.543369Z",
+     "start_time": "2025-09-24T14:10:36.536547Z"
+    }
+   },
+   "cell_type": "code",
+   "source": "print(result)",
+   "id": "77cfb38f9b210b50",
+   "outputs": [
+    {
+     "name": "stdout",
+     "output_type": "stream",
+     "text": [
+      "Plan: Search for the latest CTI reports that specifically mention ATP groups using the T1566.002: Spearphishing Links technique. I will prioritize recent publications.\n",
+      "#E1 = Google[latest CTI reports ATP T1566.002 Spearphishing Links]\n",
+      "Plan: Review the search results from #E1 to identify relevant reports from reputable cybersecurity intelligence sources. I will look for titles or snippets that indicate a focus on ATP activities and the specified MITRE ATT&CK technique. I will then extract the most pertinent information about the ATPs and their use of T1566.002.\n",
+      "#E2 = LLM[Analyze the search results from #E1 to identify specific CTI reports (title, source, date) that discuss ATPs using T1566.002: Spearphishing Links. Summarize the key findings from these reports, mentioning any specific ATP groups identified.]\n"
+     ]
+    }
+   ],
+   "execution_count": 8
+  },
+  {
+   "metadata": {},
+   "cell_type": "markdown",
+   "source": "#### Planner Node",
+   "id": "9e462bfcf2ec91f4"
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:36.743644Z",
+     "start_time": "2025-09-24T14:10:36.631943Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "import re\n",
+    "\n",
+    "from langchain_core.prompts import ChatPromptTemplate\n",
+    "\n",
+    "# Regex to match expressions of the form E#... = ...[...]\n",
+    "regex_pattern = r\"Plan:\\s*(.+)\\s*(#E\\d+)\\s*=\\s*(\\w+)\\s*\\[([^\\]]+)\\]\"\n",
+    "prompt_template = ChatPromptTemplate.from_messages([(\"user\", prompt)])\n",
+    "planner = prompt_template | llm\n",
+    "\n",
+    "\n",
+    "def get_plan(state: ReWOO):\n",
+    "    task = state[\"task\"]\n",
+    "    result = planner.invoke({\"task\": task})\n",
+    "    # Find all matches in the sample text\n",
+    "    matches = re.findall(regex_pattern, result)\n",
+    "    return {\"steps\": matches, \"plan_string\": result}"
+   ],
+   "id": "5c3693b5fd44aefa",
+   "outputs": [],
+   "execution_count": 9
+  },
+  {
+   "metadata": {},
+   "cell_type": "markdown",
+   "source": "### Executor",
+   "id": "ca86ebf96a47fff6"
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:36.918073Z",
+     "start_time": "2025-09-24T14:10:36.775677Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "from langchain_tavily import TavilySearch\n",
+    "\n",
+    "search_config = {\n",
+    "    \"api_key\": os.environ[\"TAVILY_API_KEY\"],\n",
+    "    \"max_results\": 10,\n",
+    "    \"search_depth\": \"advanced\",\n",
+    "    \"include_raw_content\": True\n",
+    "}\n",
+    "\n",
+    "search = TavilySearch(**search_config)"
+   ],
+   "id": "b7367781aeac5c5",
+   "outputs": [],
+   "execution_count": 10
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:36.964885Z",
+     "start_time": "2025-09-24T14:10:36.953023Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "def _get_current_task(state: ReWOO):\n",
+    "    if \"results\" not in state or state[\"results\"] is None:\n",
+    "        return 1\n",
+    "    if len(state[\"results\"]) == len(state[\"steps\"]):\n",
+    "        return None\n",
+    "    else:\n",
+    "        return len(state[\"results\"]) + 1\n",
+    "\n",
+    "\n",
+    "def tool_execution(state: ReWOO):\n",
+    "    \"\"\"Worker node that executes the tools of a given plan.\"\"\"\n",
+    "    _step = _get_current_task(state)\n",
+    "    _, step_name, tool, tool_input = state[\"steps\"][_step - 1]\n",
+    "    _results = (state[\"results\"] or {}) if \"results\" in state else {}\n",
+    "    for k, v in _results.items():\n",
+    "        tool_input = tool_input.replace(k, v)\n",
+    "    if tool == \"Google\":\n",
+    "        result = search.invoke(tool_input)\n",
+    "    elif tool == \"LLM\":\n",
+    "        result = llm.invoke(tool_input)\n",
+    "    else:\n",
+    "        raise ValueError\n",
+    "    _results[step_name] = str(result)\n",
+    "    return {\"results\": _results}"
+   ],
+   "id": "efb45424fa750ce5",
+   "outputs": [],
+   "execution_count": 11
+  },
+  {
+   "metadata": {},
+   "cell_type": "markdown",
+   "source": "### Solver",
+   "id": "4cf82df72d40e9cd"
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:37.018935Z",
+     "start_time": "2025-09-24T14:10:37.008762Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "solve_prompt = \"\"\"Solve the following task or problem. To solve the problem, we have made step-by-step Plan and \\\n",
+    "retrieved corresponding Evidence to each Plan. Use them with caution since long evidence might \\\n",
+    "contain irrelevant information.\n",
+    "\n",
+    "{plan}\n",
+    "\n",
+    "Now solve the question or task according to provided Evidence above. Respond with the answer\n",
+    "directly with no extra words.\n",
+    "\n",
+    "Task: {task}\n",
+    "Response:\"\"\"\n",
+    "\n",
+    "\n",
+    "def solve(state: ReWOO):\n",
+    "    plan = \"\"\n",
+    "    for _plan, step_name, tool, tool_input in state[\"steps\"]:\n",
+    "        _results = (state[\"results\"] or {}) if \"results\" in state else {}\n",
+    "        for k, v in _results.items():\n",
+    "            tool_input = tool_input.replace(k, v)\n",
+    "            step_name = step_name.replace(k, v)\n",
+    "        plan += f\"Plan: {_plan}\\n{step_name} = {tool}[{tool_input}]\"\n",
+    "    prompt = solve_prompt.format(plan=plan, task=state[\"task\"])\n",
+    "    result = llm.invoke(prompt)\n",
+    "    return {\"result\": result}"
+   ],
+   "id": "b545c04c30414789",
+   "outputs": [],
+   "execution_count": 12
+  },
+  {
+   "metadata": {},
+   "cell_type": "markdown",
+   "source": "### Define Graph",
+   "id": "3b3fbec2f9880412"
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:37.080389Z",
+     "start_time": "2025-09-24T14:10:37.071333Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "def _route(state):\n",
+    "    _step = _get_current_task(state)\n",
+    "    if _step is None:\n",
+    "        # We have executed all tasks\n",
+    "        return \"solve\"\n",
+    "    else:\n",
+    "        # We are still executing tasks, loop back to the \"tool\" node\n",
+    "        return \"tool\""
+   ],
+   "id": "6fee70503c849ab",
+   "outputs": [],
+   "execution_count": 13
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:37.812966Z",
+     "start_time": "2025-09-24T14:10:37.134773Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "from langgraph.graph import END, StateGraph, START\n",
+    "\n",
+    "graph = StateGraph(ReWOO)\n",
+    "graph.add_node(\"plan\", get_plan)\n",
+    "graph.add_node(\"tool\", tool_execution)\n",
+    "graph.add_node(\"solve\", solve)\n",
+    "graph.add_edge(\"plan\", \"tool\")\n",
+    "graph.add_edge(\"solve\", END)\n",
+    "graph.add_conditional_edges(\"tool\", _route)\n",
+    "graph.add_edge(START, \"plan\")\n",
+    "\n",
+    "app = graph.compile()"
+   ],
+   "id": "a10ad4abef949d17",
+   "outputs": [],
+   "execution_count": 14
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:10:37.864440Z",
+     "start_time": "2025-09-24T14:10:37.849889Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "from typing import Dict, Any\n",
+    "\n",
+    "def format_output(state: Dict[str, Any]) -> str:\n",
+    "    \"\"\"Format the CTI agent output for better readability.\"\"\"\n",
+    "    output = []\n",
+    "\n",
+    "    for node_name, node_data in state.items():\n",
+    "        output.append(f\"\\n🔹 **{node_name.upper()}**\")\n",
+    "        output.append(\"=\" * 50)\n",
+    "\n",
+    "        if node_name == \"plan\":\n",
+    "            if \"plan_string\" in node_data:\n",
+    "                output.append(\"📋 **Generated Plan:**\")\n",
+    "                output.append(node_data[\"plan_string\"])\n",
+    "\n",
+    "            if \"steps\" in node_data and node_data[\"steps\"]:\n",
+    "                output.append(\"\\n📝 **Extracted Steps:**\")\n",
+    "                for i, (plan, step_name, tool, tool_input) in enumerate(node_data[\"steps\"], 1):\n",
+    "                    output.append(f\"  {i}. {plan}\")\n",
+    "                    output.append(f\"     🔧 {step_name} = {tool}[{tool_input}]\")\n",
+    "\n",
+    "        elif node_name == \"tool\":\n",
+    "            if \"results\" in node_data:\n",
+    "                output.append(\"🔍 **Execution Results:**\")\n",
+    "                for step_name, result in node_data[\"results\"].items():\n",
+    "                    output.append(f\"  {step_name}:\")\n",
+    "                    # Truncate long results for readability\n",
+    "                    result_str = str(result)\n",
+    "                    if len(result_str) > 500:\n",
+    "                        result_str = result_str[:500] + \"... [truncated]\"\n",
+    "                    output.append(f\"    {result_str}\")\n",
+    "\n",
+    "        elif node_name == \"solve\":\n",
+    "            if \"result\" in node_data:\n",
+    "                output.append(\"✅ **Final Answer:**\")\n",
+    "                output.append(node_data[\"result\"])\n",
+    "\n",
+    "        output.append(\"\")\n",
+    "\n",
+    "    return \"\\n\".join(output)\n"
+   ],
+   "id": "30f337a626e2fbf9",
+   "outputs": [],
+   "execution_count": 15
+  },
+  {
+   "metadata": {
+    "ExecuteTime": {
+     "end_time": "2025-09-24T14:11:24.978749Z",
+     "start_time": "2025-09-24T14:10:37.901866Z"
+    }
+   },
+   "cell_type": "code",
+   "source": [
+    "print(\"**CTI Agent Execution**\")\n",
+    "print(\"=\" * 60)\n",
+    "\n",
+    "for s in app.stream({\"task\": task}):\n",
+    "    formatted_output = format_output(s)\n",
+    "    print(formatted_output)\n",
+    "    print(\"-\" * 60)"
+   ],
+   "id": "b45aa62c23719738",
+   "outputs": [
+    {
+     "name": "stdout",
+     "output_type": "stream",
+     "text": [
+      "**CTI Agent Execution**\n",
+      "============================================================\n",
+      "\n",
+      "🔹 **PLAN**\n",
+      "==================================================\n",
+      "📋 **Generated Plan:**\n",
+      "Plan: Search for the latest CTI reports that specifically mention ATPs and the MITRE ATT&CK technique T1566.002 (Spearphishing Links). I will use keywords to narrow down the search to recent publications.\n",
+      "#E1 = Google[latest CTI reports ATP T1566.002 \"Spearphishing Links\" 2023 2024]\n",
+      "Plan: Review the search results from #E1 to identify specific CTI reports from reputable sources (e.g., major cybersecurity vendors, government agencies) that discuss ATPs utilizing spearphishing links. Synthesize the key findings, including the names of ATPs and the context of their T1566.002 usage.\n",
+      "#E2 = LLM[Based on the search results in #E1, identify and summarize the latest CTI reports that detail ATPs using T1566.002: Spearphishing Links. Include the names of the ATPs and a brief description of their activities related to this technique.]\n",
+      "\n",
+      "📝 **Extracted Steps:**\n",
+      "  1. Search for the latest CTI reports that specifically mention ATPs and the MITRE ATT&CK technique T1566.002 (Spearphishing Links). I will use keywords to narrow down the search to recent publications.\n",
+      "     🔧 #E1 = Google[latest CTI reports ATP T1566.002 \"Spearphishing Links\" 2023 2024]\n",
+      "  2. Review the search results from #E1 to identify specific CTI reports from reputable sources (e.g., major cybersecurity vendors, government agencies) that discuss ATPs utilizing spearphishing links. Synthesize the key findings, including the names of ATPs and the context of their T1566.002 usage.\n",
+      "     🔧 #E2 = LLM[Based on the search results in #E1, identify and summarize the latest CTI reports that detail ATPs using T1566.002: Spearphishing Links. Include the names of the ATPs and a brief description of their activities related to this technique.]\n",
+      "\n",
+      "------------------------------------------------------------\n",
+      "\n",
+      "🔹 **TOOL**\n",
+      "==================================================\n",
+      "🔍 **Execution Results:**\n",
+      "  #E1:\n",
+      "    {'query': 'latest CTI reports ATP T1566.002 \"Spearphishing Links\" 2023 2024', 'follow_up_questions': None, 'answer': None, 'images': [], 'results': [{'url': 'https://attack.mitre.org/techniques/T1566/002/', 'title': 'Phishing: Spearphishing Link, Sub-technique T1566.002 - Enterprise', 'content': '| C0036 | Pikabot Distribution February 2024 | Pikabot Distribution February 2024 utilized emails with hyperlinks leading to malicious ZIP archive files containing scripts to download and install Pikabo... [truncated]\n",
+      "\n",
+      "------------------------------------------------------------\n",
+      "\n",
+      "🔹 **TOOL**\n",
+      "==================================================\n",
+      "🔍 **Execution Results:**\n",
+      "  #E1:\n",
+      "    {'query': 'latest CTI reports ATP T1566.002 \"Spearphishing Links\" 2023 2024', 'follow_up_questions': None, 'answer': None, 'images': [], 'results': [{'url': 'https://attack.mitre.org/techniques/T1566/002/', 'title': 'Phishing: Spearphishing Link, Sub-technique T1566.002 - Enterprise', 'content': '| C0036 | Pikabot Distribution February 2024 | Pikabot Distribution February 2024 utilized emails with hyperlinks leading to malicious ZIP archive files containing scripts to download and install Pikabo... [truncated]\n",
+      "  #E2:\n",
+      "    Based on the provided search results, the following CTI reports detail APTs and campaigns using T1566.002 (Spearphishing Link) in 2023 and 2024:\n",
+      "\n",
+      "*   **Pikabot Distribution February 2024 (C0036):** This campaign, observed in **February 2024**, utilized emails with hyperlinks that led victims to malicious ZIP archive files. These archives contained scripts designed to download and install the Pikabot malware.\n",
+      "*   **TA577 (G1037) / Latrodectus (S1160):** The threat group TA577, in campaigns report... [truncated]\n",
+      "\n",
+      "------------------------------------------------------------\n",
+      "\n",
+      "🔹 **SOLVE**\n",
+      "==================================================\n",
+      "✅ **Final Answer:**\n",
+      "The latest CTI reports of ATPs using the T1566.002 (Spearphishing Links) technique include:\n",
+      "\n",
+      "*   **Pikabot Distribution February 2024 (C0036):** This campaign, observed in February 2024, used emails with hyperlinks leading to malicious ZIP archive files for Pikabot malware distribution.\n",
+      "*   **TA577 (G1037) / Latrodectus (S1160):** In April 2024, TA577 sent emails with malicious links to distribute Latrodectus malware via malicious JavaScript files.\n",
+      "*   **Storm-1811 (G1046):** In May 2024, Storm-1811 distributed malicious links that redirected victims to EvilProxy-based phishing sites to harvest credentials.\n",
+      "*   **OilRig (G0049) / APT34 / Earth Simnavaz:** This group continues to use spearphishing links. Recent activity under the name \"Earth Simnavaz\" was reported in October 2024, and \"Crambus\" (an associated group name) in October 2023.\n",
+      "\n",
+      "------------------------------------------------------------\n"
+     ]
+    }
+   ],
+   "execution_count": 16
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 2
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython2",
+   "version": "2.7.6"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

src/agents/cti_agent/tool_evaluation_results/extract_mitre_techniques_results.csv

@@ -0,0 +1,230 @@
+sample_id,platform,description,tool_output,predicted,ground_truth,missing,extra,precision,recall,f1,tp,fp,fn,predicted_count,ground_truth_count
+https://attack.mitre.org/software/S0066/,Enterprise,3PARA RAT is a remote access tool (RAT) developed in C++ and associated with the group Putter Panda....,"**T1219** - Remote Access Software: This technique involves the use of legitimate or custom tools to remotely control a system, identified because 3PARA RAT is explicitly described as a ""remote access tool (RAT)"".
+
+**T1071** - Application Layer Protocol: This technique involves using common application layer protocols for command and control communication, identified as 3PARA RAT ""communicates with its command and control (C2) servers via HTTP"".
+
+**T1573** - Encrypted Channel: This technique des...","['T1070', 'T1071', 'T1083', 'T1219', 'T1573']","['T1070', 'T1071', 'T1083', 'T1573']",[],['T1219'],0.8,1.0,0.888888888888889,4,1,0,5,4
+https://attack.mitre.org/software/S0065/,Enterprise,"4H RAT is a piece of malware linked to Putter Panda, with evidence of its use dating back to at leas...","**T1071** - Application Layer Protocol: Adversaries may communicate using application layer protocols to avoid detection, as 4H RAT relies on HTTP for its command and control communication.
+
+**T1059** - Command and Scripting Interpreter: Adversaries may abuse command and scripting interpreters to execute commands, as 4H RAT has the ability to create a remote shell for direct command execution.
+
+**T1001** - Data Obfuscation: Adversaries may obfuscate data to conceal its true intent or evade defen...","['T1001', 'T1057', 'T1059', 'T1071', 'T1082', 'T1083']","['T1057', 'T1059', 'T1071', 'T1082', 'T1083', 'T1573']",['T1573'],['T1001'],0.8333333333333334,0.8333333333333334,0.8333333333333334,5,1,1,6,6
+https://attack.mitre.org/software/S0469/,Enterprise,"ABK is a downloader associated with BRONZE BUTLER, active since at least 2019. It communicates with ...","**T1071** - Application Layer Protocol: This technique involves adversaries using common application layer protocols for command and control, identified because ABK communicates with its C2 server via HTTP.
+**T1059** - Command and Scripting Interpreter: This technique involves adversaries using command-line interfaces to execute commands or scripts, identified as ABK uses the command line to execute Portable Executables.
+**T1140** - Deobfuscate/Decode Files or Information: This technique involve...","['T1027', 'T1055', 'T1059', 'T1071', 'T1105', 'T1140', 'T1518']","['T1027', 'T1055', 'T1059', 'T1071', 'T1105', 'T1140', 'T1518']",[],[],1.0,1.0,1.0,7,0,0,7,7
+https://attack.mitre.org/software/S1061/,Mobile,AbstractEmu is mobile malware that was first detected in October 2021 on Google Play and other third...,"**T1477** - Compromise Application Store: This technique involves distributing malware through legitimate or third-party application stores, identified as AbstractEmu was found on Google Play and other app stores.
+
+**T1404** - Exploitation for Privilege Escalation: This technique involves exploiting vulnerabilities to gain higher-level permissions, identified as AbstractEmu exploits known Android vulnerabilities to gain root permissions.
+
+**T1405** - Rooting: This technique specifically refers t...","['T1400', 'T1401', 'T1402', 'T1403', 'T1404', 'T1405', 'T1407', 'T1424', 'T1425', 'T1436', 'T1437', 'T1475', 'T1476', 'T1477']","['T1404', 'T1406', 'T1407', 'T1418', 'T1422', 'T1426', 'T1429', 'T1430', 'T1437', 'T1512', 'T1517', 'T1533', 'T1544', 'T1623', 'T1626', 'T1629', 'T1633', 'T1636', 'T1646']","['T1406', 'T1418', 'T1422', 'T1426', 'T1429', 'T1430', 'T1512', 'T1517', 'T1533', 'T1544', 'T1623', 'T1626', 'T1629', 'T1633', 'T1636', 'T1646']","['T1400', 'T1401', 'T1402', 'T1403', 'T1405', 'T1424', 'T1425', 'T1436', 'T1475', 'T1476', 'T1477']",0.21428571428571427,0.15789473684210525,0.18181818181818182,3,11,16,14,19
+https://attack.mitre.org/software/S1028/,Enterprise,Action RAT is a remote access tool developed in Delphi and has been employed by SideCopy since at le...,"**T1219** - Remote Access Software: This technique involves adversaries using legitimate or custom software to remotely control a system; Action RAT is explicitly described as a ""remote access tool.""
+
+**T1071** - Application Layer Protocol: This technique involves adversaries using common application layer protocols for command and control; the malware communicates with C2 servers ""via HTTP.""
+
+**T1059** - Command and Scripting Interpreter: This technique involves adversaries using command and sc...","['T1005', 'T1059', 'T1071', 'T1105', 'T1132', 'T1219']","['T1005', 'T1059', 'T1071', 'T1083', 'T1105', 'T1140']","['T1083', 'T1140']","['T1132', 'T1219']",0.6666666666666666,0.6666666666666666,0.6666666666666666,4,2,2,6,6
+https://attack.mitre.org/software/S0202/,Enterprise,"adbupd is a backdoor utilized by PLATINUM, bearing similarities to Dipsind. It has the capability to...","**T1059** - Command and Scripting Interpreter: This technique involves adversaries abusing command and script interpreters to execute commands, identified because adbupd has the capability to execute a copy of `cmd.exe`.
+
+**T1573** - Encrypted Channel: This technique describes adversaries communicating with C2 systems using encryption, identified because adbupd uses the OpenSSL library to encrypt its command and control (C2) traffic.
+
+**T1546** - Event Triggered Execution: This technique involve...","['T1059', 'T1546', 'T1573']","['T1059', 'T1546', 'T1573']",[],[],1.0,1.0,1.0,3,0,0,3,3
+https://attack.mitre.org/software/S0552/,Enterprise,AdFind is a free command-line query tool designed for extracting information from Active Directory. ...,"**T1087** - Account Discovery: This technique involves adversaries attempting to get a listing of local system or domain accounts, and it was identified because AdFind can enumerate domain users and domain groups.
+
+**T1069** - Permission Groups Discovery: This technique describes adversaries attempting to find and identify the primary ways that permissions are managed in an environment, and it was identified as AdFind can enumerate domain groups and organizational units (OUs), which are often us...","['T1016', 'T1018', 'T1069', 'T1087', 'T1482']","['T1016', 'T1018', 'T1069', 'T1087', 'T1482']",[],[],1.0,1.0,1.0,5,0,0,5,5
+https://attack.mitre.org/software/S0045/,Enterprise,"ADVSTORESHELL is a spying backdoor associated with APT28, active from at least 2012 to 2016. It is t...","**T1071** - Application Layer Protocol: This technique involves using common application layer protocols for command and control, identified as ADVSTORESHELL communicates with its C2 server via HTTP POST requests on port 80.
+
+**T1560** - Archive Collected Data: This technique describes adversaries compressing or encrypting data prior to exfiltration, identified as ADVSTORESHELL encrypts data using 3DES before exfiltration.
+
+**T1547** - Boot or Logon Autostart Execution: This technique involves a...","['T1001', 'T1059', 'T1071', 'T1074', 'T1547', 'T1560', 'T1573']","['T1059', 'T1071', 'T1074', 'T1132', 'T1547', 'T1560', 'T1573']",['T1132'],['T1001'],0.8571428571428571,0.8571428571428571,0.8571428571428571,6,1,1,7,7
+https://attack.mitre.org/software/S0440/,Enterprise,Agent Smith is mobile malware that generates financial profit by replacing legitimate apps on infect...,"**T1036** - Masquerading: The malware disguises itself as legitimate applications (like a Google app or a Feng Shui Bundle) and files (like a JPG) to avoid detection and trick users.
+**T1027** - Obfuscated Files or Information: The core malware is encrypted with an XOR cipher and disguised as a JPG file, making it harder for security tools to analyze and detect.
+**T1210** - Exploitation for Privilege Escalation: Agent Smith exploits known OS vulnerabilities, such as Janus, to gain elevated privi...","['T1027', 'T1036', 'T1070', 'T1210', 'T1496', 'T1562', 'T1574']","['T1404', 'T1406', 'T1577', 'T1628', 'T1630', 'T1643', 'T1655']","['T1404', 'T1406', 'T1577', 'T1628', 'T1630', 'T1643', 'T1655']","['T1027', 'T1036', 'T1070', 'T1210', 'T1496', 'T1562', 'T1574']",0.0,0.0,0.0,0,7,7,7,7
+https://attack.mitre.org/software/S0331/,Enterprise,"Agent Tesla is a spyware Trojan built on the .NET framework, active since at least 2014. It is capab...","**T1003** - OS Credential Dumping: Adversaries may attempt to dump credentials to obtain accounts and passwords, and Agent Tesla does this by extracting credentials from FTP clients and wireless profiles.
+**T1071** - Application Layer Protocol: Adversaries may communicate over application layer protocols to avoid detection, and Agent Tesla uses HTTP for its command and control (C2) communications.
+**T1573** - Encrypted Channel: Adversaries may encrypt C2 communications or exfiltrated data to hid...","['T1003', 'T1041', 'T1056', 'T1071', 'T1547', 'T1573']","['T1071', 'T1087', 'T1115', 'T1140', 'T1185', 'T1547', 'T1555', 'T1560']","['T1087', 'T1115', 'T1140', 'T1185', 'T1555', 'T1560']","['T1003', 'T1041', 'T1056', 'T1573']",0.3333333333333333,0.25,0.28571428571428575,2,4,6,6,8
+https://attack.mitre.org/software/S0092/,Enterprise,Agent.btz is a worm known for spreading primarily through removable devices like USB drives. It gain...,"**T1091** - Replicating Removable Media: This technique involves an adversary spreading malware by copying it onto removable media, identified as Agent.btz drops copies of itself and an autorun.inf file onto USB drives for propagation.
+**T1082** - System Information Discovery: This technique involves an adversary gathering basic information about the system, identified as Agent.btz collecting and saving general system details.
+**T1027** - Obfuscated Files or Information: This technique involves ...","['T1016', 'T1027', 'T1033', 'T1052', 'T1082', 'T1091', 'T1105']","['T1016', 'T1033', 'T1052', 'T1091', 'T1105', 'T1560']",['T1560'],"['T1027', 'T1082']",0.7142857142857143,0.8333333333333334,0.7692307692307692,5,2,1,7,6
+https://attack.mitre.org/software/S1095/,Mobile,AhRat is an Android remote access tool (RAT) derived from the open-source AhMyth RAT. It began sprea...,"**T1401** - Command and Control: Adversaries communicate with compromised systems to control them. Identified because AhRat communicates with its command and control (C2) server via HTTPS requests.
+
+**T1415** - Audio Capture: Adversaries may record audio from a device's microphone. Identified because AhRat is capable of recording audio using the device’s microphone.
+
+**T1402** - Boot or Reboot Autostart: Adversaries may configure their malware to automatically start when the device boots or rebo...","['T1401', 'T1402', 'T1403', 'T1409', 'T1413', 'T1415', 'T1416']","['T1398', 'T1420', 'T1429', 'T1430', 'T1437', 'T1521', 'T1533', 'T1624', 'T1646']","['T1398', 'T1420', 'T1429', 'T1430', 'T1437', 'T1521', 'T1533', 'T1624', 'T1646']","['T1401', 'T1402', 'T1403', 'T1409', 'T1413', 'T1415', 'T1416']",0.0,0.0,0.0,0,7,9,7,9
+https://attack.mitre.org/software/S0319/,Mobile,Allwinner is a company that provides processors for Android tablets and various other devices. A Lin...,"**Identified Techniques:**
+
+**T1403** - Backdoor: Adversaries may install a backdoor on a device to maintain persistent access or to provide a covert means of access. This technique was identified because the content explicitly states the Linux kernel ""contained a simple backdoor.""
+
+**T1405** - Privilege Escalation: Adversaries may exploit vulnerabilities or misconfigurations to gain higher-level permissions on a device. This technique was identified because the backdoor ""could be exploited to g...","['T1403', 'T1405']",['T1474'],['T1474'],"['T1403', 'T1405']",0.0,0.0,0.0,0,2,1,2,1
+https://attack.mitre.org/software/S1025/,Enterprise,Amadey is a Trojan bot that has been active since at least October 2018. It communicates with its co...,"**T1071** - Application Layer Protocol: Amadey communicates with its command and control (C2) servers via HTTP, which is a common application layer protocol.
+**T1082** - System Information Discovery: Amadey collects information from compromised hosts and uses API calls like `GetComputerNameA` to gather system details.
+**T1033** - System Owner/User Discovery: Amadey uses API calls like `GetUserNameA` to identify the current user of the compromised system.
+**T1041** - Exfiltration Over C2 Channel:...","['T1027', 'T1033', 'T1041', 'T1059', 'T1071', 'T1082', 'T1105', 'T1518', 'T1547']","['T1005', 'T1027', 'T1041', 'T1071', 'T1083', 'T1105', 'T1106', 'T1112', 'T1140', 'T1547', 'T1568']","['T1005', 'T1083', 'T1106', 'T1112', 'T1140', 'T1568']","['T1033', 'T1059', 'T1082', 'T1518']",0.5555555555555556,0.45454545454545453,0.5,5,4,6,9,11
+https://attack.mitre.org/software/S0504/,Enterprise,Anchor is a backdoor malware that has been deployed alongside TrickBot on select high-profile target...,"**T1105** - Ingress Tool Transfer: This technique involves transferring tools or files from an external system into a compromised environment, identified as Anchor is ""deployed alongside TrickBot"" and ""able to download additional payloads.""
+**T1071** - Application Layer Protocol: This technique involves using common application layer protocols for command and control communication, identified as Anchor ""communicates with its command and control (C2) servers using HTTP, HTTPS, and in some variant...","['T1059', 'T1070', 'T1071', 'T1105', 'T1497', 'T1543', 'T1564']","['T1008', 'T1059', 'T1070', 'T1071', 'T1105', 'T1480', 'T1543', 'T1564']","['T1008', 'T1480']",['T1497'],0.8571428571428571,0.75,0.7999999999999999,6,1,2,7,8
+https://attack.mitre.org/software/S0525/,Mobile,Android/AdDisplay.Ashas is a variant of adware that has been distributed through several apps on the...,"**T1475** - Compromise Application Store: Adversaries may distribute malicious applications by compromising legitimate application stores, as seen with Android/AdDisplay.Ashas being distributed via the Google Play Store.
+**T1401** - Standard Application Layer Protocol: Adversaries may communicate with their command and control (C2) server using standard application layer protocols like HTTP, which Android/AdDisplay.Ashas uses for C2 communication.
+**T1402** - Boot or Reboot Autostart: Adversarie...","['T1401', 'T1402', 'T1407', 'T1408', 'T1409', 'T1410', 'T1411', 'T1412', 'T1475']","['T1406', 'T1418', 'T1426', 'T1437', 'T1624', 'T1628', 'T1633', 'T1643', 'T1655']","['T1406', 'T1418', 'T1426', 'T1437', 'T1624', 'T1628', 'T1633', 'T1643', 'T1655']","['T1401', 'T1402', 'T1407', 'T1408', 'T1409', 'T1410', 'T1411', 'T1412', 'T1475']",0.0,0.0,0.0,0,9,9,9,9
+https://attack.mitre.org/software/S0304/,Mobile,The Android malware known as Android/Chuli.A was distributed to activist groups through a spearphish...,"**T1447** - Phishing: The malware was distributed to activist groups through a spearphishing email containing an attachment, which is a common phishing technique for initial access.
+**T1403** - Standard Application Layer Protocol: The malware utilized HTTP uploads for its command and control mechanism, which is a standard application layer protocol.
+**T1418** - Location Tracking: The malware was capable of stealing geo-location information, indicating it tracked the device's location.
+**T1410** ...","['T1403', 'T1406', 'T1410', 'T1411', 'T1412', 'T1418', 'T1420', 'T1447']","['T1426', 'T1430', 'T1437', 'T1636', 'T1644']","['T1426', 'T1430', 'T1437', 'T1636', 'T1644']","['T1403', 'T1406', 'T1410', 'T1411', 'T1412', 'T1418', 'T1420', 'T1447']",0.0,0.0,0.0,0,8,5,8,5
+https://attack.mitre.org/software/S0524/,Mobile,AndroidOS/MalLocker.B is a variant of a ransomware family that targets Android devices by blocking u...,"**T1444** - UI Overlays: Adversaries may display content over other applications to trick users into performing actions or to obscure legitimate content, as seen when the malware displays a ransom note and a ""call"" notification screen over other windows.
+**T1406** - Screen Lock: Adversaries may lock the screen of a mobile device to prevent user access, which is achieved by the malware blocking user interaction with the UI and continuously generating new notifications.
+**T1400** - Broadcast Inten...","['T1400', 'T1406', 'T1444', 'T1476', 'T1477', 'T1478']","['T1406', 'T1624', 'T1629', 'T1655']","['T1624', 'T1629', 'T1655']","['T1400', 'T1444', 'T1476', 'T1477', 'T1478']",0.16666666666666666,0.25,0.2,1,5,3,6,4
+https://attack.mitre.org/software/S0310/,Mobile,ANDROIDOS_ANSERVER.A is a distinctive Android malware known for utilizing encrypted content hosted o...,"**T1090** - Command and Control: The malware utilizes encrypted content hosted on a blog site and directs to additional servers to establish and maintain communication with external systems for command and control.
+**T1112** - Device Information: The malware collects various device-specific details, including the OS version, build version, manufacturer, model, IMEI, and IMSI.
+
+**Final Answer - Technique IDs:**
+T1090, T1112...","['T1090', 'T1112']","['T1422', 'T1426', 'T1481']","['T1422', 'T1426', 'T1481']","['T1090', 'T1112']",0.0,0.0,0.0,0,2,3,2,3
+https://attack.mitre.org/software/S1074/,Enterprise,ANDROMEDA is a widely recognized commodity malware that was prevalent in the early 2010s and continu...,"**T1568** - Dynamic Resolution: Threat actors re-registered expired command and control (C2) domains, which is a method to establish and resolve C2 infrastructure.
+**T1071** - Standard Application Layer Protocol: ANDROMEDA uses GET requests over standard web protocols to communicate with its C2 server.
+**T1105** - Ingress Tool Transfer: The malware downloads files and additional payloads from its C2 server onto the compromised system.
+**T1547** - Boot or Logon Autostart Execution: ANDROMEDA esta...","['T1036', 'T1055', 'T1071', 'T1091', 'T1105', 'T1204', 'T1547', 'T1568']","['T1036', 'T1055', 'T1071', 'T1091', 'T1105', 'T1547']",[],"['T1204', 'T1568']",0.75,1.0,0.8571428571428571,6,2,0,8,6
+https://attack.mitre.org/software/S0292/,Mobile,AndroRAT is an open-source remote access tool (RAT) designed for Android devices. It is capable of c...,"**T1105** - Location Tracking: This technique involves adversaries collecting the geographical location of a device, identified as AndroRAT can track the device’s location via GPS or network settings.
+**T1124** - Call Log Collection: This technique involves adversaries collecting information about incoming and outgoing calls from the device, identified as AndroRAT is capable of collecting call logs.
+**T1117** - SMS Manipulation: This technique involves adversaries sending, deleting, or modifying...","['T1100', 'T1105', 'T1113', 'T1115', 'T1117', 'T1123', 'T1124']","['T1422', 'T1429', 'T1430', 'T1512', 'T1582', 'T1616', 'T1636', 'T1655']","['T1422', 'T1429', 'T1430', 'T1512', 'T1582', 'T1616', 'T1636', 'T1655']","['T1100', 'T1105', 'T1113', 'T1115', 'T1117', 'T1123', 'T1124']",0.0,0.0,0.0,0,7,8,7,8
+https://attack.mitre.org/software/S0422/,Mobile,Anubis is Android malware that was initially developed for cyber espionage but has since been repurp...,"**T1402** - Data Exfiltration: Anubis exfiltrates data, including encrypted files from its ransomware module, from the device.
+**T1407** - Audio Capture: Anubis records phone calls and other audio from the device.
+**T1408** - Make Phone Call: Anubis is capable of initiating phone calls from the device.
+**T1476** - Data Encrypted for Impact: Anubis encrypts device data and holds it for ransom via its ransomware module.
+**T1475** - Data Manipulation: Anubis modifies external storage on the device....","['T1402', 'T1405', 'T1406', 'T1407', 'T1408', 'T1418', 'T1444', 'T1446', 'T1475', 'T1476']","['T1407', 'T1417', 'T1429', 'T1430', 'T1471', 'T1532', 'T1533', 'T1616', 'T1629', 'T1655']","['T1417', 'T1429', 'T1430', 'T1471', 'T1532', 'T1533', 'T1616', 'T1629', 'T1655']","['T1402', 'T1405', 'T1406', 'T1408', 'T1418', 'T1444', 'T1446', 'T1475', 'T1476']",0.1,0.1,0.10000000000000002,1,9,9,10,10
+https://attack.mitre.org/software/S0584/,Enterprise,"AppleJeus is a malware family of downloaders first discovered in 2018, embedded within trojanized cr...","**T1204** - User Execution: Adversaries may trick users into executing malicious code, as AppleJeus is embedded within trojanized cryptocurrency applications that users would run.
+**T1105** - Ingress Tool Transfer: Adversaries may transfer tools or files from an external source into a compromised environment, which AppleJeus does by distributing the FALLCHILL Remote Access Trojan.
+**T1548** - Abuse Elevation Control Mechanism: Adversaries may abuse elevation control mechanisms to bypass protecti...","['T1041', 'T1059', 'T1071', 'T1105', 'T1140', 'T1204', 'T1543', 'T1548']","['T1041', 'T1059', 'T1071', 'T1140', 'T1543', 'T1546', 'T1548']",['T1546'],"['T1105', 'T1204']",0.75,0.8571428571428571,0.7999999999999999,6,2,1,8,7
+https://attack.mitre.org/software/S0622/,Enterprise,"AppleSeed is a backdoor used by the Kimsuky group to target South Korean government, academic, and c...","**T1134** - Access Token Manipulation: This technique involves modifying access tokens to gain higher privileges, identified as AppleSeed escalates privileges by manipulating `SeDebugPrivilege` via `AdjustTokenPrivilege`.
+**T1071** - Application Layer Protocol: This technique describes using common application layer protocols for C2 communication, identified as AppleSeed communicates with its C2 server over HTTP.
+**T1560** - Archive Collected Data: This technique involves compressing or encrypti...","['T1025', 'T1056', 'T1059', 'T1071', 'T1113', 'T1134', 'T1547', 'T1560']","['T1005', 'T1025', 'T1059', 'T1071', 'T1119', 'T1134', 'T1547', 'T1560']","['T1005', 'T1119']","['T1056', 'T1113']",0.75,0.75,0.75,6,2,2,8,8
+https://attack.mitre.org/software/S0540/,Mobile,Asacub is a banking trojan designed to steal money from victims' bank accounts by initiating wire tr...,"**T1435** - SMS Messaging: This technique involves sending or receiving SMS messages, identified by Asacub initiating wire transfers and sending SMS messages from compromised devices.
+**T1400** - Elevated Permissions: This technique involves an adversary gaining higher-level permissions on a device, identified by Asacub requesting device administrator permissions.
+**T1432** - Standard Application Layer Protocol: This technique involves using common application layer protocols for command and con...","['T1400', 'T1406', 'T1407', 'T1409', 'T1413', 'T1414', 'T1432', 'T1435']","['T1406', 'T1422', 'T1426', 'T1437', 'T1532', 'T1575', 'T1582', 'T1626', 'T1636', 'T1655']","['T1422', 'T1426', 'T1437', 'T1532', 'T1575', 'T1582', 'T1626', 'T1636', 'T1655']","['T1400', 'T1407', 'T1409', 'T1413', 'T1414', 'T1432', 'T1435']",0.125,0.1,0.11111111111111112,1,7,9,8,10
+https://attack.mitre.org/software/S0073/,Enterprise,ASPXSpy is a web shell that has been modified by Threat Group-3390 to create a variant known as ASPX...,"**T1505** - Server Software Component: Adversaries may abuse server software components to run malicious code, as identified by the deployment of the ASPXTool web shell on Internet Information Services (IIS) servers.
+
+**T1588** - Obtain Capabilities: Adversaries may obtain capabilities, including developing custom tools or modifying existing ones, as seen with Threat Group-3390 modifying ASPXSpy to create the ASPXTool variant.
+
+**Final Answer - Technique IDs:**
+T1505, T1588...","['T1505', 'T1588']",['T1505'],[],['T1588'],0.5,1.0,0.6666666666666666,1,1,0,2,1
+https://attack.mitre.org/software/S0110/,Enterprise,The `at` command is used to schedule tasks on a system to run at a specified date and time....,"**T1053** - Scheduled Task/Job: This technique involves adversaries using legitimate operating system utilities or features to schedule the execution of programs or scripts at a future time or on a recurring basis, and the `at` command is a direct example of such a utility used to schedule tasks.
+
+**Final Answer - Technique IDs:**
+T1053...",['T1053'],['T1053'],[],[],1.0,1.0,1.0,1,0,0,1,1
+https://attack.mitre.org/software/S1029/,Enterprise,AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 t...,"**T1071** - Application Layer Protocol: This technique describes the use of common application layer protocols like HTTP or TCP for command and control communication.
+**T1547** - Boot or Logon Autostart Execution: This technique involves configuring a program to execute automatically when a system boots or a user logs in, such as by placing malicious executables in AutoRun registry keys or the StartUp directory.
+**T1059** - Command and Scripting Interpreter: This technique involves the use of co...","['T1005', 'T1041', 'T1059', 'T1071', 'T1074', 'T1082', 'T1547']","['T1005', 'T1041', 'T1059', 'T1071', 'T1074', 'T1095', 'T1518', 'T1547']","['T1095', 'T1518']",['T1082'],0.8571428571428571,0.75,0.7999999999999999,6,1,2,7,8
+https://attack.mitre.org/software/S0129/,Enterprise,The AutoIt backdoor is malware used by the threat actors behind the MONSOON campaign. It was frequen...,"**Identified Techniques:**
+
+**T1566** - Phishing: The malware was frequently deployed via weaponized .pps files, which is a common method of delivering malicious content through phishing campaigns.
+**T1204** - User Execution: The attack relies on a user opening the weaponized .pps file to initiate the infection chain.
+**T1059** - Command and Scripting Interpreter: The malware leverages legitimate scripting languages like AutoIt and PowerShell for malicious execution.
+**T1548** - Abuse Elevation ...","['T1005', 'T1027', 'T1059', 'T1071', 'T1083', 'T1105', 'T1204', 'T1548', 'T1566']","['T1059', 'T1083', 'T1132', 'T1548']",['T1132'],"['T1005', 'T1027', 'T1071', 'T1105', 'T1204', 'T1566']",0.3333333333333333,0.75,0.46153846153846156,3,6,1,9,4
+https://attack.mitre.org/software/S0515/,Enterprise,"WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure t...","**T1560** - Archive Collected Data: WellMail can archive files on the compromised host, which is a method adversaries use to compress or package data prior to exfiltration.
+**T1041** - Exfiltration Over C2 Channel: WellMail can exfiltrate files from the victim machine, indicating it sends collected data back to the command and control server through its established communication channel.
+**T1027** - Obfuscated Files or Information: WellMail can decompress scripts received from C2, demonstrating ...","['T1016', 'T1027', 'T1033', 'T1041', 'T1092', 'T1105', 'T1560', 'T1573']","['T1005', 'T1016', 'T1033', 'T1095', 'T1105', 'T1140', 'T1560', 'T1571', 'T1573']","['T1005', 'T1095', 'T1140', 'T1571']","['T1027', 'T1041', 'T1092']",0.625,0.5555555555555556,0.5882352941176471,5,3,4,8,9
+https://attack.mitre.org/software/S1123/,Enterprise,PITSTOP is a backdoor deployed on compromised Ivanti Connect Secure VPNs during the Cutting Edge cam...,"**T1059** - Command and Scripting Interpreter: Adversaries may abuse command and scripting interpreters to execute commands, scripts, or binaries. This technique was identified because PITSTOP enables ""command execution"" and can ""receive shell commands"" over a Unix domain socket.
+
+**T1083** - File and Directory Discovery: Adversaries may search network shares, remote systems, or local hosts for files and directories. This technique was identified because PITSTOP enables ""file read operations"" on...","['T1027', 'T1059', 'T1083', 'T1559', 'T1573']","['T1059', 'T1140', 'T1205', 'T1559', 'T1573']","['T1140', 'T1205']","['T1027', 'T1083']",0.6,0.6,0.6,3,2,2,5,5
+https://attack.mitre.org/software/S1111/,Enterprise,"DarkGate, first identified in 2018, has evolved into a versatile tool used in various criminal cyber...","**T1555** - Stored Credentials: This technique involves adversaries attempting to gather credentials stored in various locations on a system, identified here as DarkGate performs ""credential theft"" and identifies ""stored credentials linked to cryptocurrency wallets"".
+
+**T1496** - Resource Hijacking: This technique involves adversaries using a system's resources for purposes not intended by the owner, identified here as DarkGate engages in ""cryptomining"".
+
+**T1083** - File and Directory Discovery...","['T1005', 'T1036', 'T1071', 'T1083', 'T1098', 'T1496', 'T1548', 'T1555']","['T1010', 'T1071', 'T1098', 'T1119', 'T1134', 'T1548', 'T1583']","['T1010', 'T1119', 'T1134', 'T1583']","['T1005', 'T1036', 'T1083', 'T1496', 'T1555']",0.375,0.42857142857142855,0.39999999999999997,3,5,4,8,7
+https://attack.mitre.org/software/S1106/,Enterprise,NGLite is a backdoor Trojan designed to execute commands received through its command and control (C...,"**T1059** - Command and Scripting Interpreter: This technique was identified because NGLite is designed to ""execute commands received"" and specifically ""executes the 'whoami' command.""
+**T1071** - Application Layer Protocol: NGLite uses the NKN protocol and HTTP POST requests for its command and control communication, which are application layer protocols.
+**T1573** - Encrypted Channel: NGLite utilizes an ""AES-encrypted channel for C2 communication"" to protect its traffic.
+**T1082** - System Inf...","['T1041', 'T1059', 'T1071', 'T1082', 'T1573']","['T1016', 'T1033', 'T1071', 'T1090', 'T1573']","['T1016', 'T1033', 'T1090']","['T1041', 'T1059', 'T1082']",0.4,0.4,0.4000000000000001,2,3,3,5,5
+https://attack.mitre.org/software/S1124/,Enterprise,SocGholish is a JavaScript-based loader malware that has been active since at least 2017. It has bee...,"**T1189** - Drive-by Compromise: This technique involves adversaries compromising a legitimate website and injecting code that forces a user's browser to download malware, identified as SocGholish gains initial access through drive-by downloads.
+
+**T1036** - Masquerading: This technique involves adversaries attempting to mimic legitimate files or processes to evade detection, identified as SocGholish being disguised as software updates and named `AutoUpdater.js`.
+
+**T1105** - Ingress Tool Transf...","['T1027', 'T1036', 'T1041', 'T1059', 'T1082', 'T1105', 'T1189', 'T1482', 'T1566']","['T1027', 'T1036', 'T1048', 'T1059', 'T1074', 'T1105', 'T1189', 'T1482', 'T1566']","['T1048', 'T1074']","['T1041', 'T1082']",0.7777777777777778,0.7777777777777778,0.7777777777777778,7,2,2,9,9
+https://attack.mitre.org/software/S1128/,Mobile,HilalRAT is a remote access Android malware developed and used by UNC788. It has the capability to c...,"**T1401** - Location Tracking: Adversaries may collect the device's current or historical location data, identified as HilalRAT collects ""device location.""
+**T1400** - Call Log Collection: Adversaries may collect call logs from the device, identified as HilalRAT collects ""call logs.""
+**T1403** - Audio/Video Recording: Adversaries may record audio or video from the device's microphone and camera, identified as HilalRAT can ""activate a device's camera and microphone.""
+**T1402** - Contact List Coll...","['T1400', 'T1401', 'T1402', 'T1403', 'T1404', 'T1406', 'T1407']","['T1409', 'T1429', 'T1430', 'T1512', 'T1636']","['T1409', 'T1429', 'T1430', 'T1512', 'T1636']","['T1400', 'T1401', 'T1402', 'T1403', 'T1404', 'T1406', 'T1407']",0.0,0.0,0.0,0,7,5,7,5
+https://attack.mitre.org/software/S1102/,Enterprise,Pcexter is an uploader used by ToddyCat since at least 2023 to exfiltrate stolen files.  Pcexter can...,"**T1567** - Exfiltration Over Web Service: This technique involves adversaries exfiltrating data using a web service, identified because Pcexter uploads and exfiltrates files to ""OneDrive storage accounts"" via HTTP POST.
+**T1083** - File and Directory Discovery: This technique involves adversaries searching for files and directories to identify data of interest, identified because Pcexter is capable of ""searching for files within specified directories"".
+**T1574** - Hijack Execution Flow: This te...","['T1083', 'T1567', 'T1574']","['T1005', 'T1083', 'T1567', 'T1574']",['T1005'],[],1.0,0.75,0.8571428571428571,3,0,1,3,4
+https://attack.mitre.org/software/S1110/,Enterprise,"SLIGHTPULSE is a web shell that has been used by APT5 since at least 2020, including in attacks agai...","**Identified Techniques:**
+
+**T1505** - Server Software Component: This technique involves adversaries abusing server software components to run malicious code, and SLIGHTPULSE is explicitly identified as a ""web shell"" used for this purpose.
+
+**T1059** - Command and Scripting Interpreter: This technique describes adversaries executing commands through a command-line interface, which is directly supported by SLIGHTPULSE's capability to ""execute arbitrary commands.""
+
+**T1083** - File and Directory...","['T1001', 'T1059', 'T1071', 'T1083', 'T1105', 'T1505']","['T1005', 'T1059', 'T1071', 'T1074', 'T1132', 'T1140', 'T1573']","['T1005', 'T1074', 'T1132', 'T1140', 'T1573']","['T1001', 'T1083', 'T1105', 'T1505']",0.3333333333333333,0.2857142857142857,0.30769230769230765,2,4,5,6,7
+https://attack.mitre.org/software/S1112/,Enterprise,STEADYPULSE is a web shell that targets Pulse Secure VPN servers by modifying a legitimate Perl scri...,"**T1505** - Server Software Component: This technique involves adversaries abusing server software components, such as web servers, to run arbitrary commands or maintain persistent access, which is precisely what a web shell like STEADYPULSE does by enabling arbitrary command execution on compromised web servers.
+
+**T1574** - Hijack Execution Flow: This technique describes adversaries manipulating how programs are executed to run their own code, which is achieved by STEADYPULSE modifying legitim...","['T1071', 'T1505', 'T1574']","['T1071', 'T1105', 'T1132', 'T1140', 'T1505']","['T1105', 'T1132', 'T1140']",['T1574'],0.6666666666666666,0.4,0.5,2,1,3,3,5
+https://attack.mitre.org/software/S1120/,Enterprise,FRAMESTING is a Python-based web shell used during the Cutting Edge campaign to infiltrate Ivanti Co...,"**T1505** - Server Software Component: Adversaries may abuse server software components to run arbitrary commands, enable a persistent backdoor, or access sensitive information, which is identified as FRAMESTING is explicitly described as a ""Python-based web shell.""
+**T1059** - Command and Scripting Interpreter: Adversaries may abuse command and scripting interpreters to execute commands, scripts, or binaries, which is identified as FRAMESTING is Python-based and enables the ""execution of arbitr...","['T1001', 'T1059', 'T1071', 'T1505']","['T1001', 'T1059', 'T1071', 'T1140', 'T1505', 'T1554']","['T1140', 'T1554']",[],1.0,0.6666666666666666,0.8,4,0,2,4,6
+https://attack.mitre.org/software/S1105/,Enterprise,COATHANGER is a remote access tool (RAT) designed to target FortiGate networking appliances. It was ...,"**T1219** - Remote Access Software: COATHANGER is explicitly described as a remote access tool (RAT), which is software used to remotely control a system.
+**T1071** - Application Layer Protocol: The malware uses HTTP GET requests and TLS/SSL tunnels for command and control (C2) communication, leveraging common application layer protocols.
+**T1059** - Command and Scripting Interpreter: COATHANGER provides a BusyBox reverse shell for C2 operations, allowing the adversary to execute commands on the...","['T1027', 'T1059', 'T1071', 'T1083', 'T1190', 'T1219', 'T1543', 'T1548', 'T1564', 'T1574']","['T1059', 'T1071', 'T1083', 'T1140', 'T1190', 'T1222', 'T1543', 'T1564', 'T1573', 'T1574']","['T1140', 'T1222', 'T1573']","['T1027', 'T1219', 'T1548']",0.7,0.7,0.7,7,3,3,10,10
+https://attack.mitre.org/software/S1116/,Enterprise,WARPWIRE is a JavaScript-based credential stealer that targets plaintext usernames and passwords for...,"**T1056** - Input Capture: This technique involves adversaries collecting data from input devices, and it was identified because WARPWIRE intercepts credentials submitted during the web logon process.
+**T1036** - Masquerading: This technique involves adversaries attempting to hide their malicious code or activity by making it appear legitimate, and it was identified because WARPWIRE embeds itself into legitimate files.
+**T1027** - Obfuscated Files or Information: This technique involves adversar...","['T1027', 'T1036', 'T1041', 'T1056', 'T1071']","['T1048', 'T1056', 'T1059', 'T1132', 'T1554']","['T1048', 'T1059', 'T1132', 'T1554']","['T1027', 'T1036', 'T1041', 'T1071']",0.2,0.2,0.20000000000000004,1,4,4,5,5
+https://attack.mitre.org/software/S1125/,Enterprise,AcidRain is an ELF binary designed to target modems and routers using MIPS architecture. It is linke...,"**T1485** - Data Destruction: Adversaries may destroy data and files on a system or network to interrupt availability or compromise integrity, which AcidRain achieves by conducting a comprehensive wipe of the target filesystem and connected storage devices through overwriting data or using IOCTL commands.
+
+**T1529** - System Shutdown/Reboot: Adversaries may shut down or reboot systems to interrupt availability or to potentially cover their tracks, as AcidRain reboots the compromised system after...","['T1485', 'T1529']","['T1083', 'T1485', 'T1529', 'T1561']","['T1083', 'T1561']",[],1.0,0.5,0.6666666666666666,2,0,2,2,4
+https://attack.mitre.org/software/S1101/,Enterprise,LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on ta...,"**T1005** - Data from Local System: This technique was identified because the malware is described as identifying and collecting ""files of interest"" and targeting specific file types and extensions from the compromised system.
+**T1074** - Data Staged: This technique was identified because the malware saves collected files in specific directories like `C:\ProgramData\Microsoft\` and `C:\Windows\Temp\` for ""further evaluation and exfiltration.""
+**T1119** - Automated Collection: This technique was ...","['T1005', 'T1074', 'T1119', 'T1560', 'T1574']","['T1005', 'T1074', 'T1083', 'T1119', 'T1560', 'T1574']",['T1083'],[],1.0,0.8333333333333334,0.9090909090909091,5,0,1,5,6
+https://attack.mitre.org/software/S1119/,Enterprise,LIGHTWIRE is a Perl-based web shell used during the Cutting Edge campaign to maintain access and ena...,"**T1505** - Server Software Component: The content describes LIGHTWIRE as a Perl-based web shell that embeds itself into a legitimate server component (`compcheckresult.cgi`) to maintain access and establish persistence.
+**T1059** - Command and Scripting Interpreter: LIGHTWIRE is a Perl-based web shell designed to enable and facilitate command execution on the compromised system.
+**T1071** - Application Layer Protocol: LIGHTWIRE communicates with its command and control server over HTTP, an appl...","['T1027', 'T1059', 'T1071', 'T1505']","['T1071', 'T1140', 'T1505', 'T1554', 'T1573']","['T1140', 'T1554', 'T1573']","['T1027', 'T1059']",0.5,0.4,0.4444444444444445,2,2,3,4,5
+https://attack.mitre.org/software/S1122/,Enterprise,"Mispadu is a banking trojan written in Delphi, first observed in 2019, that operates under a Malware...","**T1547** - Boot or Logon Autostart Execution: Mispadu establishes persistence by creating a link in the startup folder and adding an entry to the registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` to ensure automatic execution.
+**T1176** - Browser Extensions: Mispadu utilizes malicious Google Chrome extensions to steal financial data and monitor browser activity.
+**T1056** - Input Capture: Mispadu monitors browser activity, displays full-screen overlays to prompt for additional d...","['T1027', 'T1041', 'T1056', 'T1059', 'T1176', 'T1547', 'T1555', 'T1573']","['T1041', 'T1059', 'T1115', 'T1140', 'T1176', 'T1217', 'T1547', 'T1555', 'T1573']","['T1115', 'T1140', 'T1217']","['T1027', 'T1056']",0.75,0.6666666666666666,0.7058823529411765,6,2,3,8,9
+https://attack.mitre.org/software/S1115/,Enterprise,WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component...,"**T1505** - Server Software Component: This technique involves adversaries using or modifying legitimate server software components, such as a web server, to host malicious code like a web shell for remote access.
+**T1105** - Ingress Tool Transfer: This technique involves adversaries transferring tools or files from an external system into a compromised environment, as WIREFIRE has the ability to download files to compromised devices.
+**T1059** - Command and Scripting Interpreter: This technique...","['T1022', 'T1059', 'T1071', 'T1105', 'T1505', 'T1573']","['T1071', 'T1105', 'T1132', 'T1140', 'T1505', 'T1554', 'T1573']","['T1132', 'T1140', 'T1554']","['T1022', 'T1059']",0.6666666666666666,0.5714285714285714,0.6153846153846153,4,2,3,6,7
+https://attack.mitre.org/software/S1121/,Enterprise,LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on t...,"**T1547** - Boot or Logon Autostart Execution: This technique involves adversaries establishing persistence by executing malicious content at system startup, identified as LITTLELAMB.WOOLTEA appends malicious components to a system archive in the factory reset partition to persist post-reset.
+
+**T1543** - Create or Modify System Process: This technique involves adversaries creating or modifying system processes to establish persistence, identified as LITTLELAMB.WOOLTEA initializes itself as a da...","['T1071', 'T1082', 'T1083', 'T1090', 'T1543', 'T1547']","['T1082', 'T1083', 'T1090', 'T1095', 'T1543', 'T1554', 'T1573']","['T1095', 'T1554', 'T1573']","['T1071', 'T1547']",0.6666666666666666,0.5714285714285714,0.6153846153846153,4,2,3,6,7
+https://attack.mitre.org/software/S1103/,Mobile,"FlixOnline is an Android malware, first detected in early 2021, believed to target users of WhatsApp...","**T1446** - Message Hooking: This technique involves intercepting or generating messages within a messaging application, which is evident as FlixOnline spreads and sends automatic replies via WhatsApp messages.
+**T1404** - Notification Manipulation: This technique involves modifying or creating notifications to deceive users or gather information, which FlixOnline achieves by requesting NotificationListenerService access.
+**T1401** - Boot Persistence: This technique involves configuring malware ...","['T1401', 'T1404', 'T1405', 'T1407', 'T1409', 'T1446']","['T1409', 'T1417', 'T1517', 'T1624', 'T1628', 'T1643']","['T1417', 'T1517', 'T1624', 'T1628', 'T1643']","['T1401', 'T1404', 'T1405', 'T1407', 'T1446']",0.16666666666666666,0.16666666666666666,0.16666666666666666,1,5,5,6,6
+https://attack.mitre.org/software/S1109/,Enterprise,PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against ...,"**T1003** - OS Credential Dumping: This technique involves adversaries attempting to collect credentials from the operating system and software, identified by PACEMAKER's ability to ""extract credentials from OS memory"" and its description as a ""credential stealer.""
+
+**T1057** - Process Discovery: This technique involves adversaries attempting to get information about running processes on a system, identified by PACEMAKER's actions to ""read /proc/ entries"" and ""parse /proc/""process_name""/cmdline""...","['T1003', 'T1055', 'T1057', 'T1059', 'T1074']","['T1003', 'T1055', 'T1059', 'T1074', 'T1083', 'T1119']","['T1083', 'T1119']",['T1057'],0.8,0.6666666666666666,0.7272727272727272,4,1,2,5,6
+https://attack.mitre.org/software/S1114/,Enterprise,ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs f...,"**T1090** - Proxy: ZIPLINE establishes a communication channel through a compromised host by creating a proxy server and using reverse shell functionality, which are both methods of proxying network traffic.
+**T1059** - Command and Scripting Interpreter: ZIPLINE leverages `/bin/sh` to create reverse shells and execute commands, directly utilizing a command-line interpreter for execution.
+**T1573** - Encrypted Channel: ZIPLINE encrypts data using AES-128-CBC for both upload and download, indicati...","['T1040', 'T1057', 'T1059', 'T1083', 'T1090', 'T1094', 'T1105', 'T1562', 'T1573']","['T1057', 'T1059', 'T1083', 'T1090', 'T1095', 'T1105', 'T1205', 'T1562', 'T1573']","['T1095', 'T1205']","['T1040', 'T1094']",0.7777777777777778,0.7777777777777778,0.7777777777777778,7,2,2,9,9
+https://attack.mitre.org/software/S1100/,Enterprise,Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control...,"**T1071** - Application Layer Protocol: This technique involves using common application layer protocols for command and control, identified as Ninja uses HTTP for C2 communications.
+**T1543** - Create or Modify System Process: This technique involves adversaries creating or modifying system processes to achieve execution or persistence, identified as Ninja creates services for persistence.
+**T1027** - Obfuscated Files or Information: This technique involves adversaries making their files or inf...","['T1027', 'T1036', 'T1070', 'T1071', 'T1083', 'T1112', 'T1543', 'T1573', 'T1574']","['T1001', 'T1070', 'T1071', 'T1083', 'T1132', 'T1140', 'T1480', 'T1543', 'T1573', 'T1574']","['T1001', 'T1132', 'T1140', 'T1480']","['T1027', 'T1036', 'T1112']",0.6666666666666666,0.6,0.631578947368421,6,3,4,9,10
+https://attack.mitre.org/software/S1099/,Enterprise,Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arb...,"**T1219** - Remote Access Tool: Samurai functions as a backdoor for remote administration, allowing external control over compromised systems.
+**T1059** - Command and Scripting Interpreter: Samurai executes arbitrary C# code and commands via the Windows command line, leveraging scripting interpreters for execution.
+**T1071** - Application Layer Protocol: Samurai uses HTTP POST requests for command and control communications, utilizing a standard application layer protocol.
+**T1543** - Create or ...","['T1041', 'T1059', 'T1071', 'T1074', 'T1083', 'T1105', 'T1106', 'T1132', 'T1219', 'T1543', 'T1573', 'T1574']","['T1005', 'T1036', 'T1059', 'T1071', 'T1083', 'T1105', 'T1106', 'T1112', 'T1132', 'T1543', 'T1573']","['T1005', 'T1036', 'T1112']","['T1041', 'T1074', 'T1219', 'T1574']",0.6666666666666666,0.7272727272727273,0.6956521739130435,8,4,3,12,11
+https://attack.mitre.org/software/S1118/,Enterprise,BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file...,"**T1505** - Server Software Component: BUSHWALK is described as a web shell inserted into a legitimate server file, which is a type of malicious server software component used by adversaries to maintain access and execute commands.
+**T1036** - Masquerading: BUSHWALK is inserted into a legitimate file (`querymanifest.cgi`) and modifies a legitimate Perl module (`DSUserAgentCap.pm`), which are actions taken by adversaries to appear as legitimate system or application activity.
+**T1140** - Deobfusc...","['T1036', 'T1059', 'T1140', 'T1505', 'T1564', 'T1573']","['T1027', 'T1105', 'T1140', 'T1205', 'T1505', 'T1554']","['T1027', 'T1105', 'T1205', 'T1554']","['T1036', 'T1059', 'T1564', 'T1573']",0.3333333333333333,0.3333333333333333,0.3333333333333333,2,4,4,6,6
+https://attack.mitre.org/software/S1129/,Enterprise,"Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the a ra...","**T1490** - Inhibit System Recovery: Akira deletes system volume shadow copies via PowerShell commands to prevent victims from restoring their systems, a common ransomware tactic.
+**T1059** - Command and Scripting Interpreter: Akira executes PowerShell commands and runs from the Windows command line, leveraging native operating system interpreters to perform its actions.
+**T1486** - Data Encrypted for Impact: Akira encrypts victim filesystems, rendering data inaccessible and demanding a ransom f...","['T1047', 'T1057', 'T1059', 'T1082', 'T1083', 'T1135', 'T1486', 'T1490']","['T1047', 'T1057', 'T1059', 'T1082', 'T1083', 'T1106', 'T1135', 'T1486', 'T1490']",['T1106'],[],1.0,0.8888888888888888,0.9411764705882353,8,0,1,8,9
+https://attack.mitre.org/software/S1107/,Enterprise,"NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data ...","**T1498** - Network Denial of Service: Adversaries may flood a network with traffic to prevent legitimate users from accessing services, as NKAbuse is equipped with ""flooder"" and ""network denial of service capabilities across several protocols.""
+
+**T1059** - Command and Scripting Interpreter: Adversaries may abuse command and scripting interpreters to execute commands, scripts, or binaries, which is evident as NKAbuse is ""initially installed and executed through an initial shell script.""
+
+**T108...","['T1016', 'T1053', 'T1059', 'T1082', 'T1102', 'T1113', 'T1498']","['T1016', 'T1053', 'T1057', 'T1059', 'T1082', 'T1090', 'T1113', 'T1498']","['T1057', 'T1090']",['T1102'],0.8571428571428571,0.75,0.7999999999999999,6,1,2,7,8
+https://attack.mitre.org/software/S1104/,Enterprise,SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industr...,"**Identified Techniques:**
+
+**T1574** - Hijack Execution Flow: SLOWPULSE modifies legitimate Pulse Secure VPN files, including `libdsplibs.so`, to insert malicious logic and alter the normal execution flow for logging credentials and bypassing authentication.
+**T1564** - Hide Artifacts: SLOWPULSE hides its malicious code within the padding regions between legitimate functions in the Pulse Secure `libdsplibs.so` file to evade detection.
+**T1056** - Input Capture: SLOWPULSE logs and inspects login...","['T1056', 'T1556', 'T1564', 'T1574']","['T1027', 'T1074', 'T1111', 'T1554', 'T1556']","['T1027', 'T1074', 'T1111', 'T1554']","['T1056', 'T1564', 'T1574']",0.25,0.2,0.22222222222222224,1,3,4,4,5
+https://attack.mitre.org/software/S1113/,Enterprise,RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has b...,"**T1505** - Server Software Component: RAPIDPULSE is explicitly described as a ""web shell,"" which is a type of malicious server software component used by adversaries to maintain access and execute commands on a compromised server.
+**T1071** - Application Layer Protocol: RAPIDPULSE uses HTTP query parameters for command and control, listening for specific parameters and responding via HTTP, which are characteristics of using application layer protocols for C2.
+**T1005** - Data from Local System:...","['T1005', 'T1027', 'T1071', 'T1505', 'T1567']","['T1005', 'T1027', 'T1140', 'T1505']",['T1140'],"['T1071', 'T1567']",0.6,0.75,0.6666666666666665,3,2,1,5,4
+https://attack.mitre.org/software/S1108/,Enterprise,PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against P...,"**T1505** - Server Software Component: Adversaries may abuse server software components to run malicious code. PULSECHECK is explicitly identified as a web shell, which is a common example of this technique used for remote access.
+
+**T1059** - Command and Scripting Interpreter: Adversaries may abuse command and scripting interpreters to execute commands, scripts, or binaries. PULSECHECK is described as using Unix shell scripts for command execution on compromised servers.
+
+**T1071** - Applicatio...","['T1001', 'T1041', 'T1059', 'T1071', 'T1505']","['T1059', 'T1071', 'T1132', 'T1505']",['T1132'],"['T1001', 'T1041']",0.6,0.75,0.6666666666666665,3,2,1,5,4
+https://attack.mitre.org/software/S1126/,Mobile,Phenakite is a mobile malware that is used by APT-C-23 to target iOS devices. According to several r...,"**Identified Techniques:**
+
+**T1123** - Audio Capture: This technique involves capturing audio from the device's microphone, which Phenakite does by recording phone calls.
+
+**T1119** - Data from Local System: This technique involves collecting specific files from the device's file system, as Phenakite collects WhatsApp media, photos, and documents.
+
+**T1113** - Exfiltration: This technique involves transferring collected data from the compromised device to an external location, which Phenakite d...","['T1105', 'T1111', 'T1113', 'T1119', 'T1122', 'T1123', 'T1124', 'T1125', 'T1126', 'T1405', 'T1406']","['T1404', 'T1417', 'T1426', 'T1429', 'T1512', 'T1533', 'T1544', 'T1636', 'T1655']","['T1404', 'T1417', 'T1426', 'T1429', 'T1512', 'T1533', 'T1544', 'T1636', 'T1655']","['T1105', 'T1111', 'T1113', 'T1119', 'T1122', 'T1123', 'T1124', 'T1125', 'T1126', 'T1405', 'T1406']",0.0,0.0,0.0,0,11,9,11,9
+https://attack.mitre.org/software/S1117/,Enterprise,GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on co...,"**T1505** - Server Software Component: Adversaries may abuse server software components to run malicious code, which is identified by GLASSTOKEN being described as a custom web shell.
+**T1059** - Command and Scripting Interpreter: Adversaries may abuse command and scripting interpreters to execute commands, scripts, or binaries, as GLASSTOKEN is used to execute commands and can specifically use PowerShell.
+**T1001** - Data Obfuscation: Adversaries may obfuscate data to make it more difficult to ...","['T1001', 'T1059', 'T1505', 'T1572']","['T1059', 'T1132', 'T1140', 'T1505']","['T1132', 'T1140']","['T1001', 'T1572']",0.5,0.5,0.5,2,2,2,4,4

src/agents/cti_agent/tool_evaluation_results/extract_mitre_techniques_summary.json

@@ -0,0 +1,12 @@
+{
+  "macro_precision": 0.5440542328042329,
+  "macro_recall": 0.5296301359459255,
+  "macro_f1": 0.5290994928728809,
+  "micro_precision": 0.5181347150259067,
+  "micro_recall": 0.5037783375314862,
+  "micro_f1": 0.5108556832694764,
+  "total_samples": 60,
+  "total_tp": 200,
+  "total_fp": 186,
+  "total_fn": 197
+}

src/agents/cti_agent/tool_evaluation_results/identify_threat_actors_results.csv

@@ -0,0 +1,173 @@
+sample_id,report_snippet,tool_output,predicted_actor,is_correct,validator_notes,needs_review
+https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/,"SEQRITE Labs APT-Team has discovered multiple campaigns of APT [PLACEHOLDER], targeting Indian gover...","**Q: What threat actor/APT group is discussed?**
+A: APT [PLACEHOLDER], identified as a sub-division of Transparent Tribe (APT36).
+
+**Q: What is this actor known for?**
+A: Exploiting vulnerabilities (e.g., WinRAR CVE-2023-38831), deploying various RATs (AllaKore, DRat, Ares, Action, Double Action, Reverse, Margulas, Crimson, Capra, Oblique, BackNet), conducting multi-platform attacks, sharing infrastructure and code with Transparent Tribe, using honey traps, and employing PowerShell remote execut...","APT [PLACEHOLDER], identified as a sub-division of Transparent Tribe",0.5,,False
+https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/,The recent ethnic rebel attacks in Myanmar have put the Myanmar junta and surrounding countries on h...,"**Q: What threat actor/APT group is discussed?**
+A: [PLACEHOLDER] (also referred to as Stately Taurus)
+
+**Q: What is this actor known for?**
+A: Performing cyberespionage activities since at least 2012, leveraging DLL sideloading with legitimate software, disguising C2 traffic as Microsoft update traffic, and deploying PlugX implants.
+
+**Q: What campaigns/operations are mentioned?**
+A:
+*   Analysis of the third meeting of NDSC.zip (November 9th, 2023)
+*   ASEAN Notes.iso (January 17th, 2024)
+
+**Q...",[PLACEHOLDER],True,,False
+https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/,An advanced persistent threat (APT) group suspected with moderate-high confidence to be [PLACEHOLDER...,"**Q: What threat actor/APT group is discussed?**
+A: None identified (referred to as an APT group suspected with moderate-high confidence to be [PLACEHOLDER]).
+
+**Q: What is this actor known for?**
+A: Engaging in cyberespionage intrusions, gathering, and exfiltrating sensitive documents and files from compromised networks.
+
+**Q: What campaigns/operations are mentioned?**
+A: CL-STA-0044 (from Q2 2021 to Q3 2023).
+
+**Q: What is their suspected origin/attribution?**
+A: Chinese state-sponsored (moder...",,False,,False
+https://medium.com/@zyadlzyatsoc/comprehensive-analysis-of-emotet-malware-part-1-by-zyad-elzyat-35d5cf33a3c0,"[PLACEHOLDER], a notorious name in the realm of cyber threats, has loomed large over the digital lan...",No threat actor attribution in content....,,False,,False
+https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving,Bandook malware is a remote access trojan that has been continuously developed since it was first de...,No threat actor attribution in content....,,False,,False
+https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/,"Since 2021, Check Point Research has been closely monitoring the activities of [PLACEHOLDER], a Chin...","**Q: What threat actor/APT group is discussed?**
+A: [PLACEHOLDER] (Name redacted in content)
+
+**Q: What is this actor known for?**
+A: Historically known for highly-targeted phishing emails deploying VictoryDLL or Soul framework, primarily in South-East Asia. Recently shifted to targeting governmental organizations in Africa and the Caribbean, using compromised email accounts, RoyalRoad-weaponized documents, and Cobalt Strike Beacon. They show increasing operational security awareness and use com...",[PLACEHOLDER],0.5,,False
+https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/,"Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor [PLACEHOLDER] misu...","**Q: What threat actor/APT group is discussed?**
+A: None identified by a specific name. The primary actor is referred to as a financially motivated cybercriminal group. Storm-0303 is mentioned as a ransomware-linked emerging threat activity group and Qakbot distributor.
+
+**Q: What is this actor known for?**
+A: A financially motivated cybercriminal group known for deploying ransomware (specifically [PLACEHOLDER] ransomware). They gain initial access through social engineering, including vishing a...",None identified by a specific name. The primary actor is referred to as a financially motivated cybercriminal group. Storm-0303 is mentioned as a ransomware-linked emerging threat activity group and Qakbot distributor.,False,,False
+https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia,[PLACEHOLDER] has been actively targeting organizations in Colombia and Ecuador since at least 2019....,"**Q: What threat actor/APT group is discussed?**
+A: None identified (referred to as `[PLACEHOLDER]`)
+
+**Q: What is this actor known for?**
+A: A South American cyber espionage group active since at least 2019, known for targeting Latin America-based entities, primarily in Colombia. They rely on spear-phishing emails impersonating government agencies (like the Colombian tax agency DIAN) and frequently use RATs such as AsyncRAT, njRAT, QuasarRAT, LimeRAT, and RemcosRAT, often leveraging Dynamic DNS...",,False,,False
+https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/,"ACTIVE CAMPAIGNS AGAINST COLOMBIAN TARGETS  For the last few months, we have been observing the ongo...","**Q: What threat actor/APT group is discussed?**
+A: The text refers to an APT group using the placeholder ""[PLACEHOLDER]"". No specific name or alias is provided.
+
+**Q: What is this actor known for?**
+A: This actor is known for orchestrating campaigns with a narrow geographical focus, primarily targeting a single country. They refine their tools, add features to leaked code bases (like QuasarRAT), and experiment with elaborate infection chains and ""Living off the Land"" techniques.
+
+**Q: What camp...","The text refers to an APT group using the placeholder ""[PLACEHOLDER]"". No specific name or alias is provided.",True,,False
+https://cloud.google.com/blog/topics/threat-intelligence/turla-galaxy-opportunity/,"USB Spreading  As Mandiant recently wrote about in our blog post, Always Another Secret: Lifting the...","**Q: What threat actor/APT group is discussed?**
+A: UNC4210. This group is suspected to be a cluster or team associated with a larger, unnamed (redacted) threat group.
+
+**Q: What is this actor known for?**
+A: Gaining initial access via USB spreading malware, extensive victim profiling, using older malware strains, re-registering expired C2 domains, and data collection/exfiltration. Their operational tactics are consistent with planning for advantageous positioning and leveraging USBs.
+
+**Q: What...","UNC4210. This group is suspected to be a cluster or team associated with a larger, unnamed",True,,False
+https://www.telsy.com/en/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/,Recently Telsy observed some artifacts related to an attack that occurred in June 2020 that is most ...,"**Q: What threat actor/APT group is discussed?**
+A: None identified by name (placeholder used for a popular Russian APT).
+
+**Q: What is this actor known for?**
+A: Being a popular Russian Advanced Persistent Threat (APT) group.
+
+**Q: What campaigns/operations are mentioned?**
+A: An attack observed in June 2020. No specific campaign name.
+
+**Q: What is their suspected origin/attribution?**
+A: Russian state-sponsored (High confidence).
+
+**Q: Who/what do they target?**
+A: At least one European Union...",None identified by name,False,,False
+https://cert.gov.ua/article/6276894,"During December 15-25, 2023, several cases of distribution of e-mails with links to ""documents"" were...",No threat actor attribution in content....,,False,,False
+https://cert.gov.ua/article/4492467,"During April 2023, the government computer emergency response team of Ukraine CERT-UA recorded cases...",No threat actor attribution in content....,,False,,False
+https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/,"The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2...","**Q: What threat actor/APT group is discussed?**
+A: The content uses placeholders for the specific name and aliases, but identifies the actor as the Foreign Intelligence Service of the Russian Federation (SVR).
+
+**Q: What is this actor known for?**
+A: Primarily known for intelligence collection and espionage of foreign interests, leveraging techniques like account compromise, advanced authentication mechanism compromise, diverse initial access methods (stolen credentials, supply chain attacks, o...","The content uses placeholders for the specific name and aliases, but identifies the actor as the Foreign Intelligence Service of the Russian Federation",True,,False
+https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/,Rapid7 has identified an ongoing social engineering campaign that has been targeting multiple manage...,"**Q: What threat actor/APT group is discussed?**
+A: The text refers to an unnamed ""threat actor"" conducting a social engineering campaign. Observed indicators of compromise (IoCs) are consistent with the ""[PLACEHOLDER]"" ransomware operators.
+
+**Q: What is this actor known for?**
+A: This actor is known for a social engineering campaign involving overwhelming users with spam, impersonating IT support, and tricking users into providing remote access to download payloads for credential harvesting an...","The text refers to an unnamed ""threat actor"" conducting a social engineering campaign. Observed indicators of compromise",0.5,,False
+https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/,[PLACEHOLDER] is a cyberespionage group that has been active since at least 2014 and is commonly bel...,"**Q: What threat actor/APT group is discussed?**
+A: [PLACEHOLDER]
+
+**Q: What is this actor known for?**
+A: A cyberespionage group active since at least 2014, known for targeting Middle Eastern governments and various business sectors, and for using custom backdoors and data dumpers in their campaigns.
+
+**Q: What campaigns/operations are mentioned?**
+A: DNSpionage (2018-2019), HardPass (2019-2020), Outer Space (2021), Out to Sea (no specific timeframe, linked to Outer Space), Juicy Mix (2022).
+
+*...",[PLACEHOLDER],0.5,,False
+https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html,"On December 2022, we identified a suspicious executable (detected by Trend Micro as Trojan.MSIL.REDC...","**Q: What threat actor/APT group is discussed?**
+A: None identified (referred to as APT group [PLACEHOLDER])
+
+**Q: What is this actor known for?**
+A: Cyberespionage, stealing credentials, and adapting tools and techniques, including custom malware and shifting exfiltration methods (e.g., from DNS-based C2 to SMTP mail traffic).
+
+**Q: What campaigns/operations are mentioned?**
+A: Current campaign (December 2022) using Trojan.MSIL.REDCAP.AD and Backdoor.MSIL.REDCAP.A. Previous attacks involved Kar...",,False,,False
+https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html,"In the past month, we investigated a cyberespionage attack that we have attributed to [PLACEHOLDER]....","**Q: What threat actor/APT group is discussed?**
+A: [PLACEHOLDER]
+
+**Q: What is this actor known for?**
+A: Active since at least 2012, they focus on espionage and financially motivated activities. They use a diverse range of tools and techniques, including LOLBins and custom malware.
+
+**Q: What campaigns/operations are mentioned?**
+A: None specifically named, but the current incident is referred to as ""this campaign.""
+
+**Q: What is their suspected origin/attribution?**
+A: Unknown
+
+**Q: Who/what ...",[PLACEHOLDER],0.5,,False
+https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/,"Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the u...","**Q: What threat actor/APT group is discussed?**
+A: Andariel (Onyx Sleet, PLUTONIUM). It is described as a sub-group of a broader North Korean APT umbrella group.
+
+**Q: What is this actor known for?**
+A: Initial access, reconnaissance, establishing long-term access for espionage in support of North Korean government interests, and conducting ransomware attacks against healthcare organizations. They develop and deploy bespoke malware and engage in extensive hands-on-keyboard activity.
+
+**Q: What ...",Andariel,True,,False
+https://symantec-enterprise-blogs.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage,Symantec’s Threat Hunter Team has uncovered a new Linux backdoor developed by the North Korean [PLAC...,"**Q: What threat actor/APT group is discussed?**
+A: None explicitly named. Referred to as ""the North Korean [PLACEHOLDER]"" and ""a tight-knit espionage group.""
+
+**Q: What is this actor known for?**
+A: Espionage, specializing in attacks on South Korean public sector organizations. Known for spear-phishing, exploiting DMARC policies, and a heavy focus on software supply chain attacks, Trojanized software installers, and fake software installers.
+
+**Q: What campaigns/operations are mentioned?**
+A:
+*...","None explicitly named. Referred to as ""the North Korean [PLACEHOLDER]"" and ""a tight-knit espionage group.""",0.5,,False
+https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/,The Securonix Threat Research (STR) team has been monitoring a new campaign tracked as DEEP#GOSU lik...,"**Q: What threat actor/APT group is discussed?**
+A: [PLACEHOLDER] group
+
+**Q: What is this actor known for?**
+A: Targeting South Korean victims, using recycled code and TTPs, employing script-based attack chains (PowerShell, VBScript), leveraging legitimate services (Dropbox, Google Docs) for C2, and using RATs (including TutRAT and xRAT in the past), clipboard monitoring, and keylogging. They have also used disguised HWP files previously.
+
+**Q: What campaigns/operations are mentioned?**
+A: DEEP...",[PLACEHOLDER] group,0.5,,False
+https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/,"In the recent past, cyberattacks on Indian government entities by Pakistan-linked APTs have gained s...","**Q: What threat actor/APT group is discussed?**
+A: SideCopy, [PLACEHOLDER] (parent APT group of SideCopy).
+
+**Q: What is this actor known for?**
+*   **SideCopy:** Pakistan-linked APT group active since at least 2019. Known for deploying AllaKore RAT, Ares RAT, Action RAT, Reverse RAT, Margulas RAT. Uses spear-phishing with LNK files and HTA for initial access.
+*   **[PLACEHOLDER]:** Parent threat group of SideCopy, active since 2013. Known for continuously using Crimson RAT (often encoded/packe...","SideCopy, [PLACEHOLDER]",True,,False
+https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/,"Since November 2023, Microsoft has observed a distinct subset of [PLACEHOLDER] targeting high-profil...","**Q: What threat actor/APT group is discussed?**
+A: APT35 (Charming Kitten)
+
+**Q: What is this actor known for?**
+A: Gaining access to and stealing sensitive information from high-value targets, and conducting resource-intensive social engineering campaigns.
+
+**Q: What campaigns/operations are mentioned?**
+A: A campaign observed since November 2023, targeting individuals working on Middle Eastern affairs.
+
+**Q: What is their suspected origin/attribution?**
+A: Islamic Revolutionary Guard Corps (I...",APT35,True,,False
+https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework,"Despite the large number of Iranian cyber attacks against Israeli organizations, which has significa...","**Q: What threat actor/APT group is discussed?**
+A: [PLACEHOLDER] (DarkBit, DEV-1084, TA450). The content also discusses KarMa (DEV-0842, BanishedKitten), ScarredManticore (DEV-0861, ShroudedSnooper), MERCURY, Lord Nemesis (Nemesis Kitten, DEV-0270, Cobalt Mirage, TunnelVision), and Mint Sandstorm (PHOSPHORUS, APT35, Charming Kitten).
+
+**Q: What is this actor known for?**
+A: [PLACEHOLDER] is known for deploying ransomware and wiper malware, spear-phishing with remote administration tools (RATs),...",[PLACEHOLDER],True,,False
+https://symantec-enterprise-blogs.security.com/threat-intelligence/iran-apt-seedworm-africa-telecoms,"[PLACEHOLDER] has been active since at least 2017, and has targeted organizations in many countries,...","**Q: What threat actor/APT group is discussed?**
+A: Not explicitly named in content, referred to as [PLACEHOLDER].
+
+**Q: What is this actor known for?**
+A: A cyberespionage group active since at least 2017, known for targeting organizations in many countries, particularly in the Middle East. They leverage tools like MuddyC2Go, SimpleHelp, and Venom Proxy.
+
+**Q: What campaigns/operations are mentioned?**
+A:
+*   Activity in November 2023, targeting telecommunications and media organizations.
+*   A...","Not explicitly named in content, referred to as [PLACEHOLDER].",True,,False

src/agents/cti_agent/tool_evaluation_results/identify_threat_actors_summary.json

@@ -0,0 +1,9 @@
+{
+  "accuracy": 0.5,
+  "total_samples": 25,
+  "validated_samples": 25,
+  "needs_review": 0,
+  "correct": 9,
+  "incorrect": 9,
+  "partial": 7
+}

src/agents/database_agent/agent.py

@@ -0,0 +1,442 @@
+"""
+Database Agent - A specialized ReAct agent for MITRE ATT&CK technique retrieval
+
+This agent provides semantic search capabilities over the MITRE ATT&CK knowledge base
+with support for filtered searches by tactics, platforms, and other metadata.
+"""
+
+import os
+import json
+import sys
+import time
+from typing import List, Dict, Any, Optional, Literal
+from pathlib import Path
+
+# LangGraph and LangChain imports
+from langchain_core.tools import tool
+from langchain_core.messages import HumanMessage, AIMessage
+from langchain.chat_models import init_chat_model
+from langchain_core.language_models.chat_models import BaseChatModel
+from langchain_text_splitters import TokenTextSplitter
+from langgraph.prebuilt import create_react_agent
+
+# LangSmith imports
+from langsmith import traceable, Client, get_current_run_tree
+
+# Import prompts from the separate file
+from src.agents.database_agent.prompts import DATABASE_AGENT_SYSTEM_PROMPT
+
+# Import the cyber knowledge base
+try:
+    from src.knowledge_base.cyber_knowledge_base import CyberKnowledgeBase
+except Exception as e:
+    print(
+        f"[WARNING] Could not import CyberKnowledgeBase. Please adjust import paths. {e}"
+    )
+    sys.exit(1)
+
+ls_client = Client(api_key=os.getenv("LANGSMITH_API_KEY"))
+
+
+def truncate_to_tokens(text: str, max_tokens: int) -> str:
+    """
+    Truncate text to a maximum number of tokens using LangChain's TokenTextSplitter.
+
+    Args:
+        text: The text to truncate
+        max_tokens: Maximum number of tokens
+
+    Returns:
+        Truncated text within the token limit
+    """
+    if not text:
+        return ""
+
+    # Clean the text by replacing newlines with spaces
+    cleaned_text = text.replace("\n", " ")
+
+    # Use TokenTextSplitter to split by tokens
+    splitter = TokenTextSplitter(
+        encoding_name="cl100k_base", chunk_size=max_tokens, chunk_overlap=0
+    )
+
+    chunks = splitter.split_text(cleaned_text)
+    return chunks[0] if chunks else ""
+
+
+class DatabaseAgent:
+    """
+    A specialized ReAct agent for MITRE ATT&CK technique retrieval and search.
+
+    This agent provides intelligent search capabilities over the MITRE ATT&CK knowledge base,
+    including semantic search, filtered search, and multi-query search with RRF fusion.
+    """
+
+    def __init__(
+        self,
+        kb_path: str = "./cyber_knowledge_base",
+        llm_client: BaseChatModel = None,
+    ):
+        """
+        Initialize the Database Agent.
+
+        Args:
+            kb_path: Path to the cyber knowledge base directory
+            llm_client: LLM model to use for the agent
+        """
+        self.kb_path = kb_path
+        self.kb = self._init_knowledge_base()
+
+        if llm_client:
+            self.llm = llm_client
+        else:
+            self.llm = init_chat_model(
+                "google_genai:gemini-2.0-flash",
+                temperature=0.1,
+            )
+            print(
+                f"[INFO] Database Agent: Using default LLM model: google_genai:gemini-2.0-flash"
+            )
+        # Create tools
+        self.tools = self._create_tools()
+
+        # Create ReAct agent
+        self.agent = self._create_react_agent()
+
+    @traceable(name="database_agent_init_kb")
+    def _init_knowledge_base(self) -> CyberKnowledgeBase:
+        """Initialize and load the cyber knowledge base."""
+        kb = CyberKnowledgeBase()
+
+        if kb.load_knowledge_base(self.kb_path):
+            print("[SUCCESS] Database Agent: Loaded existing knowledge base")
+            return kb
+        else:
+            print(
+                f"[ERROR] Database Agent: Could not load knowledge base from {self.kb_path}"
+            )
+            print("Please ensure the knowledge base is built and available.")
+            raise RuntimeError("Knowledge base not available")
+
+    @traceable(name="database_agent_format_results")
+    def _format_results_as_json(self, results) -> List[Dict[str, Any]]:
+        """Format search results as structured JSON."""
+        output = []
+        for doc in results:
+            technique_info = {
+                "attack_id": doc.metadata.get("attack_id", "Unknown"),
+                "name": doc.metadata.get("name", "Unknown"),
+                "tactics": [
+                    t.strip()
+                    for t in doc.metadata.get("tactics", "").split(",")
+                    if t.strip()
+                ],
+                "platforms": [
+                    p.strip()
+                    for p in doc.metadata.get("platforms", "").split(",")
+                    if p.strip()
+                ],
+                "description": truncate_to_tokens(doc.page_content, 300),
+                "relevance_score": doc.metadata.get("relevance_score", None),
+                "rrf_score": doc.metadata.get("rrf_score", None),
+                "mitigation_count": doc.metadata.get("mitigation_count", 0),
+                # "mitigations": truncate_to_tokens(
+                #     doc.metadata.get("mitigations", ""), 50
+                # ),
+            }
+            output.append(technique_info)
+        return output
+
+    def _log_search_metrics(
+        self,
+        search_type: str,
+        query: str,
+        results_count: int,
+        execution_time: float,
+        success: bool,
+    ):
+        """Log search performance metrics to LangSmith."""
+        try:
+            current_run = get_current_run_tree()
+            if current_run:
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="database_search_performance",
+                    score=1.0 if success else 0.0,
+                    value={
+                        "search_type": search_type,
+                        "query": query,
+                        "results_count": results_count,
+                        "execution_time": execution_time,
+                        "success": success,
+                    },
+                )
+        except Exception as e:
+            print(f"Failed to log search metrics: {e}")
+
+    def _log_agent_performance(
+        self, query: str, message_count: int, execution_time: float, success: bool
+    ):
+        """Log overall agent performance metrics."""
+        try:
+            current_run = get_current_run_tree()
+            if current_run:
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="database_agent_performance",
+                    score=1.0 if success else 0.0,
+                    value={
+                        "query": query,
+                        "message_count": message_count,
+                        "execution_time": execution_time,
+                        "success": success,
+                        "agent_type": "database_search",
+                    },
+                )
+        except Exception as e:
+            print(f"Failed to log agent metrics: {e}")
+
+    def _create_tools(self):
+        """Create the search tools for the Database Agent."""
+
+        @tool
+        @traceable(name="database_search_techniques")
+        def search_techniques(query: str, top_k: int = 5) -> str:
+            """
+            Search for MITRE ATT&CK techniques using semantic search.
+
+            Args:
+                query: Search query string
+                top_k: Number of results to return (default: 5, max: 20)
+
+            Returns:
+                JSON string with search results containing technique details
+            """
+            start_time = time.time()
+            try:
+                # Limit top_k for performance
+                top_k = min(max(top_k, 1), 20)  # Ensure top_k is between 1 and 20
+
+                # Single query search
+                results = self.kb.search(query, top_k=top_k)
+                techniques = self._format_results_as_json(results)
+
+                execution_time = time.time() - start_time
+                self._log_search_metrics(
+                    "single_query", query, len(techniques), execution_time, True
+                )
+
+                return json.dumps(
+                    {
+                        "search_type": "single_query",
+                        "query": query,
+                        "techniques": techniques,
+                        "total_results": len(techniques),
+                    },
+                    indent=2,
+                )
+
+            except Exception as e:
+                execution_time = time.time() - start_time
+                self._log_search_metrics(
+                    "single_query", query, 0, execution_time, False
+                )
+
+                return json.dumps(
+                    {
+                        "error": str(e),
+                        "techniques": [],
+                        "message": "Error occurred during search",
+                    },
+                    indent=2,
+                )
+
+        @tool
+        @traceable(name="database_search_techniques_filtered")
+        def search_techniques_filtered(
+            query: str,
+            top_k: int = 5,
+            filter_tactics: Optional[List[str]] = None,
+            filter_platforms: Optional[List[str]] = None,
+        ) -> str:
+            """
+            Search for MITRE ATT&CK techniques with metadata filters.
+
+            Args:
+                query: Search query string
+                top_k: Number of results to return (default: 5, max: 20)
+                filter_tactics: Filter by specific tactics (e.g., ['defense-evasion', 'privilege-escalation'])
+                filter_platforms: Filter by platforms (e.g., ['Windows', 'Linux'])
+
+            Returns:
+                JSON string with filtered search results
+
+            Examples of tactics: initial-access, execution, persistence, privilege-escalation,
+            defense-evasion, credential-access, discovery, lateral-movement, collection,
+            command-and-control, exfiltration, impact
+
+            Examples of platforms: Windows, macOS, Linux, AWS, Azure, GCP, SaaS, Network,
+            Containers, Android, iOS
+            """
+            start_time = time.time()
+            try:
+                # Limit top_k for performance
+                top_k = min(max(top_k, 1), 20)
+
+                # Single query search with filters
+                results = self.kb.search(
+                    query,
+                    top_k=top_k,
+                    filter_tactics=filter_tactics,
+                    filter_platforms=filter_platforms,
+                )
+                techniques = self._format_results_as_json(results)
+
+                execution_time = time.time() - start_time
+                self._log_search_metrics(
+                    "filtered_query", query, len(techniques), execution_time, True
+                )
+
+                return json.dumps(
+                    {
+                        "search_type": "single_query_filtered",
+                        "query": query,
+                        "filters": {
+                            "tactics": filter_tactics,
+                            "platforms": filter_platforms,
+                        },
+                        "techniques": techniques,
+                        "total_results": len(techniques),
+                    },
+                    indent=2,
+                )
+
+            except Exception as e:
+                execution_time = time.time() - start_time
+                self._log_search_metrics(
+                    "filtered_query", query, 0, execution_time, False
+                )
+
+                return json.dumps(
+                    {
+                        "error": str(e),
+                        "techniques": [],
+                        "message": "Error occurred during filtered search",
+                    },
+                    indent=2,
+                )
+
+        # return [search_techniques, search_techniques_filtered]
+        return [search_techniques]
+
+    def _create_react_agent(self):
+        """Create the ReAct agent with the search tools using the prompt from prompts.py."""
+        return create_react_agent(
+            model=self.llm,
+            tools=self.tools,
+            prompt=DATABASE_AGENT_SYSTEM_PROMPT,
+            name="database_agent",
+        )
+
+    @traceable(name="database_agent_search")
+    def search(self, query: str, **kwargs) -> Dict[str, Any]:
+        """
+        Search for techniques using the agent's capabilities.
+
+        Args:
+            query: The search query or question
+            **kwargs: Additional parameters passed to the agent
+
+        Returns:
+            Dictionary with the agent's response
+        """
+        start_time = time.time()
+        try:
+            messages = [HumanMessage(content=query)]
+            response = self.agent.invoke({"messages": messages}, **kwargs)
+
+            execution_time = time.time() - start_time
+            self._log_agent_performance(
+                query, len(response.get("messages", [])), execution_time, True
+            )
+
+            return {
+                "success": True,
+                "messages": response["messages"],
+                "final_response": (
+                    response["messages"][-1].content if response["messages"] else ""
+                ),
+            }
+        except Exception as e:
+            execution_time = time.time() - start_time
+            self._log_agent_performance(query, 0, execution_time, False)
+
+            return {
+                "success": False,
+                "error": str(e),
+                "messages": [],
+                "final_response": f"Error during search: {str(e)}",
+            }
+
+    @traceable(name="database_agent_stream_search")
+    def stream_search(self, query: str, **kwargs):
+        """
+        Stream the agent's search process for real-time feedback.
+
+        Args:
+            query: The search query or question
+            **kwargs: Additional parameters passed to the agent
+
+        Yields:
+            Streaming responses from the agent
+        """
+        try:
+            messages = [HumanMessage(content=query)]
+            for chunk in self.agent.stream({"messages": messages}, **kwargs):
+                yield chunk
+        except Exception as e:
+            yield {"error": str(e)}
+
+
+@traceable(name="database_agent_test")
+def test_database_agent():
+    """Test function to demonstrate Database Agent capabilities."""
+    print("Testing Database Agent...")
+
+    # Initialize agent
+    try:
+        agent = DatabaseAgent()
+        print("Database Agent initialized successfully")
+    except Exception as e:
+        print(f"Failed to initialize Database Agent: {e}")
+        return
+
+    # Test queries
+    test_queries = [
+        "Find techniques related to credential dumping and LSASS memory access",
+        "What are Windows-specific privilege escalation techniques?",
+        "Search for defense evasion techniques that work on Linux platforms",
+        "Find lateral movement techniques involving SMB or WMI",
+        "What techniques are used for persistence on macOS systems?",
+    ]
+
+    for i, query in enumerate(test_queries, 1):
+        print(f"\n--- Test Query {i} ---")
+        print(f"Query: {query}")
+        print("-" * 50)
+
+        # Test regular search
+        result = agent.search(query)
+        if result["success"]:
+            print("Search completed successfully")
+            # Print last AI message (the summary)
+            for msg in reversed(result["messages"]):
+                if isinstance(msg, AIMessage) and not hasattr(msg, "tool_calls"):
+                    print(f"Response: {msg.content[:300]}...")
+                    break
+        else:
+            print(f"Search failed: {result['error']}")
+
+
+if __name__ == "__main__":
+    test_database_agent()

src/agents/database_agent/prompts.py

@@ -0,0 +1,71 @@
+"""
+Database Agent Prompts
+
+This module contains all prompts used by the Database Agent for MITRE ATT&CK technique retrieval
+and knowledge base search operations.
+"""
+
+DATABASE_AGENT_SYSTEM_PROMPT = """
+You are a Database Agent specialized in retrieving MITRE ATT&CK techniques and cybersecurity knowledge.
+
+Your primary capabilities:
+1. **Semantic Search**: Use search_techniques for general technique searches
+2. **Filtered Search**: Use search_techniques_filtered when you need to filter by specific tactics or platforms
+
+**Search Strategy Guidelines:**
+- For general queries: Use search_techniques with a single, well-crafted search query
+- For platform-specific needs: Use search_techniques_filtered with appropriate platform filters
+- For tactic-specific needs: Use search_techniques_filtered with tactic filters
+- Craft focused, specific queries rather than broad terms for better results
+- Up to 3 queries to get the most relevant techniques
+
+**Available Tactics for Filtering:**
+initial-access, execution, persistence, privilege-escalation, defense-evasion, 
+credential-access, discovery, lateral-movement, collection, command-and-control, 
+exfiltration, impact
+
+**Available Platforms for Filtering:**
+Windows, macOS, Linux, AWS, Azure, GCP, SaaS, Network, Containers, Android, iOS
+
+**Response Guidelines:**
+- Always explain your search strategy before using tools
+- Summarize the most relevant techniques found, with detailed descriptions of the techniques
+
+- When filtered searches return few results, suggest alternative approaches, and up to 3 queries to get the most relevant techniques
+- Highlight high-relevance techniques and explain why they're relevant
+- Format your final response clearly with technique IDs, names, and detailed descriptions
+
+Remember: You are focused on retrieving and analyzing MITRE ATT&CK techniques. Always relate findings back to the user's specific cybersecurity question or scenario.
+"""
+
+### Evaluation Database Agent Prompt - Turn on when evaluating ATE dataset
+# DATABASE_AGENT_SYSTEM_PROMPT = """You are a Database Agent specialized in retrieving MITRE ATT&CK techniques and cybersecurity knowledge.
+
+# **Vector Database Structure:**
+# The knowledge base contains embeddings of MITRE ATT&CK technique descriptions with associated metadata including:
+# - Technique names and descriptions (primary searchable content)
+# - Platforms (Windows, macOS, Linux, etc.)
+# - Tactics (initial-access, execution, persistence, etc.)
+# - Mitigation information
+# - Attack IDs and subtechnique relationships
+
+# **Your primary capabilities:**
+# 1. **Semantic Search**: Use search_techniques for general technique searches based on descriptions
+
+# **Search Strategy Guidelines:**
+# - **Focus on descriptions**: The vector database is optimized for semantic search of technique descriptions
+# - For general queries: Use search_techniques with description-focused search queries
+# - Craft focused, specific queries that describe attack behaviors rather than broad terms
+# - Up to 3 queries to get the most relevant techniques
+# - **Do NOT use tools for mitigation searches** - mitigation information is available as metadata in the retrieved techniques
+# - **Do NOT use filtered searches** - filtered searches are not available in the vector database
+
+# **Response Guidelines:**
+# - Always explain your search strategy before using tools
+# - Summarize the most relevant techniques found, with detailed descriptions of the techniques
+# - Include mitigation information from the retrieved technique metadata when relevant
+# - When filtered searches return few results, suggest alternative approaches, and up to 3 queries to get the most relevant techniques
+# - Highlight high-relevance techniques and explain why they're relevant
+# - Format your final response clearly with technique IDs, names, and detailed descriptions
+
+# Remember: You are focused on retrieving and analyzing MITRE ATT&CK techniques. Always relate findings back to the user's specific cybersecurity question or scenario."""

src/agents/log_analysis_agent/agent.py

@@ -0,0 +1,1058 @@
+"""
+LogAnalysisAgent - Main orchestrator for cybersecurity log analysis
+"""
+
+import os
+import json
+import time
+from datetime import datetime
+from pathlib import Path
+from typing import List, Dict, Optional
+
+from langchain_core.messages import HumanMessage
+from langgraph.prebuilt import create_react_agent
+from langchain_core.tools import tool
+from langgraph.graph import StateGraph, END
+from langchain.chat_models import init_chat_model
+
+from langsmith import traceable, Client, get_current_run_tree
+
+from src.agents.log_analysis_agent.state_models import AnalysisState
+from src.agents.log_analysis_agent.utils import (
+    get_llm,
+    get_tools,
+    format_execution_time,
+)
+from src.agents.log_analysis_agent.prompts import (
+    ANALYSIS_PROMPT,
+    CRITIC_FEEDBACK_TEMPLATE,
+    SELF_CRITIC_PROMPT,
+)
+
+ls_client = Client(api_key=os.getenv("LANGSMITH_API_KEY"))
+
+
+class LogAnalysisAgent:
+    """
+    Main orchestrator for cybersecurity log analysis.
+    Coordinates the entire workflow: load → preprocess → analyze → save → display
+    """
+
+    def __init__(
+        self,
+        model_name: str = "google_genai:gemini-2.0-flash",
+        temperature: float = 0.1,
+        output_dir: str = "analysis",
+        max_iterations: int = 2,
+        llm_client = None,
+    ):
+        """
+        Initialize the Log Analysis Agent
+
+        Args:
+            model_name: Name of the model to use (e.g. "google_genai:gemini-2.0-flash")
+            temperature: Temperature for the model
+            output_dir: Directory name for saving outputs (relative to package directory)
+            max_iterations: Maximum number of iterations for the ReAct agent
+            llm_client: Optional pre-initialized LLM client (overrides model_name/temperature)
+        """
+        if llm_client:
+            self.llm = llm_client
+            print(f"[INFO] Log Analysis Agent: Using provided LLM client")
+        else:
+            self.llm = init_chat_model(model_name, temperature=temperature)
+            print(f"[INFO] Log Analysis Agent: Using default LLM model: {model_name}")
+        
+        self.base_tools = get_tools()
+
+        self.output_root = Path(output_dir)
+        self.output_root.mkdir(exist_ok=True)
+
+        # Initialize helper components
+        self.log_processor = LogProcessor()
+        self.react_analyzer = ReactAnalyzer(
+            self.llm, self.base_tools, max_iterations=max_iterations
+        )
+        self.result_manager = ResultManager(self.output_root)
+
+        # Create workflow graph
+        self.workflow = self._create_workflow()
+
+    def _create_workflow(self) -> StateGraph:
+        """Create and configure the analysis workflow graph"""
+        workflow = StateGraph(AnalysisState)
+
+        # Add nodes using instance methods
+        workflow.add_node("load_logs", self.log_processor.load_logs)
+        workflow.add_node("preprocess_logs", self.log_processor.preprocess_logs)
+        workflow.add_node("react_agent_analysis", self.react_analyzer.analyze)
+        workflow.add_node("save_results", self.result_manager.save_results)
+        workflow.add_node("display_results", self.result_manager.display_results)
+
+        # Define workflow edges
+        workflow.set_entry_point("load_logs")
+        workflow.add_edge("load_logs", "preprocess_logs")
+        workflow.add_edge("preprocess_logs", "react_agent_analysis")
+        workflow.add_edge("react_agent_analysis", "save_results")
+        workflow.add_edge("save_results", "display_results")
+        workflow.add_edge("display_results", END)
+
+        return workflow.compile(name="log_analysis_agent")
+
+    def _log_workflow_metrics(self, workflow_step: str, execution_time: float, success: bool, details: dict = None):
+        """Log workflow step performance metrics to LangSmith."""
+        try:
+            current_run = get_current_run_tree()
+            if current_run:
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="log_analysis_workflow_performance",
+                    score=1.0 if success else 0.0,
+                    value={
+                        "workflow_step": workflow_step,
+                        "execution_time": execution_time,
+                        "success": success,
+                        "details": details or {},
+                        "agent_type": "log_analysis_workflow"
+                    }
+                )
+        except Exception as e:
+            print(f"Failed to log workflow metrics: {e}")
+
+    def _log_security_analysis_results(self, analysis_result: dict):
+        """Log security analysis findings to LangSmith."""
+        try:
+            current_run = get_current_run_tree()
+            if current_run:
+                assessment = analysis_result.get("overall_assessment", "UNKNOWN")
+                abnormal_events = analysis_result.get("abnormal_events", [])
+                total_events = analysis_result.get("total_events_analyzed", 0)
+
+                # Calculate threat score
+                threat_score = 0.0
+                if assessment == "CRITICAL":
+                    threat_score = 1.0
+                elif assessment == "HIGH":
+                    threat_score = 0.8
+                elif assessment == "MEDIUM":
+                    threat_score = 0.5
+                elif assessment == "LOW":
+                    threat_score = 0.2
+
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="security_analysis_results",
+                    score=threat_score,
+                    value={
+                        "overall_assessment": assessment,
+                        "abnormal_events_count": len(abnormal_events),
+                        "total_events_analyzed": total_events,
+                        "execution_time": analysis_result.get("execution_time_formatted", "Unknown"),
+                        "iteration_count": analysis_result.get("iteration_count", 1),
+                        "abnormal_events": abnormal_events[:5]  # Limit to first 5 for logging
+                    }
+                )
+        except Exception as e:
+            print(f"Failed to log security analysis results: {e}")
+
+    def _log_batch_analysis_metrics(self, total_files: int, successful: int, start_time: datetime, end_time: datetime):
+        """Log batch analysis performance metrics."""
+        try:
+            current_run = get_current_run_tree()
+            if current_run:
+                duration = (end_time - start_time).total_seconds()
+                success_rate = successful / total_files if total_files > 0 else 0
+
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="batch_analysis_performance",
+                    score=success_rate,
+                    value={
+                        "total_files": total_files,
+                        "successful_files": successful,
+                        "failed_files": total_files - successful,
+                        "success_rate": success_rate,
+                        "duration_seconds": duration,
+                        "files_per_minute": (total_files / duration) * 60 if duration > 0 else 0
+                    }
+                )
+        except Exception as e:
+            print(f"Failed to log batch analysis metrics: {e}")
+
+    @traceable(name="log_analysis_agent_full_workflow")
+    def analyze(self, log_file: str) -> Dict:
+        """
+        Analyze a single log file
+
+        Args:
+            log_file: Path to the log file to analyze
+
+        Returns:
+            Dictionary containing the analysis result
+        """
+        state = self._initialize_state(log_file)
+        result = self.workflow.invoke(state, config={"recursion_limit": 100})
+
+        analysis_result = result.get("analysis_result", {})
+        if analysis_result:
+            self._log_security_analysis_results(analysis_result)
+
+        return analysis_result
+
+    @traceable(name="log_analysis_agent_batch_workflow")
+    def analyze_batch(
+        self, dataset_dir: str, skip_existing: bool = False
+    ) -> List[Dict]:
+        """
+        Analyze all log files in a dataset directory
+
+        Args:
+            dataset_dir: Path to directory containing log files
+            skip_existing: Whether to skip already analyzed files
+
+        Returns:
+            List of result dictionaries for each file
+        """
+        print("=" * 60)
+        print("BATCH MODE: Analyzing all files in dataset")
+        print("=" * 60 + "\n")
+
+        files = self._find_dataset_files(dataset_dir)
+
+        if not files:
+            print("No JSON files found in dataset directory")
+            return []
+
+        print(f"Found {len(files)} files to analyze")
+        if skip_existing:
+            print("Skip mode enabled: Already analyzed files will be skipped")
+        print()
+
+        results = []
+        batch_start = datetime.now()
+
+        for idx, file_path in enumerate(files, 1):
+            filename = os.path.basename(file_path)
+            print(f"\n[{idx}/{len(files)}] Processing: {filename}")
+            print("-" * 60)
+
+            result = self._analyze_single_file(file_path, skip_existing)
+            results.append(result)
+
+            if result["success"]:
+                print(f"Status: {result['message']}")
+            else:
+                print(f"Status: FAILED - {result['message']}")
+
+        batch_end = datetime.now()
+
+        successful = sum(1 for r in results if r["success"])
+        self._log_batch_analysis_metrics(len(files), successful, batch_start, batch_end)
+
+        self.result_manager.display_batch_summary(results, batch_start, batch_end)
+
+        return results
+
+    def _initialize_state(self, log_file: str) -> Dict:
+        """Initialize the analysis state with default values"""
+        return {
+            "log_file": log_file,
+            "raw_logs": "",
+            "prepared_logs": "",
+            "analysis_result": {},
+            "messages": [],
+            "agent_reasoning": "",
+            "agent_observations": [],
+            "iteration_count": 0,
+            "critic_feedback": "",
+            "iteration_history": [],
+            "start_time": 0.0,
+            "end_time": 0.0,
+        }
+
+    def _analyze_single_file(self, log_file: str, skip_existing: bool = False) -> Dict:
+        """Analyze a single log file with error handling"""
+        try:
+            if skip_existing:
+                existing = self.result_manager.get_existing_output(log_file)
+                if existing:
+                    return {
+                        "success": True,
+                        "log_file": log_file,
+                        "message": "Skipped (already analyzed)",
+                        "result": None,
+                    }
+
+            state = self._initialize_state(log_file)
+            self.workflow.invoke(state, config={"recursion_limit": 100})
+
+            return {
+                "success": True,
+                "log_file": log_file,
+                "message": "Analysis completed",
+                "result": state.get("analysis_result"),
+            }
+
+        except Exception as e:
+            return {
+                "success": False,
+                "log_file": log_file,
+                "message": f"Error: {str(e)}",
+                "result": None,
+            }
+
+    def _find_dataset_files(self, dataset_dir: str) -> List[str]:
+        """Find all JSON files in the dataset directory"""
+        import glob
+
+        if not os.path.exists(dataset_dir):
+            print(f"Error: Dataset directory not found: {dataset_dir}")
+            return []
+
+        json_files = glob.glob(os.path.join(dataset_dir, "*.json"))
+        return sorted(json_files)
+
+
+class LogProcessor:
+    """
+    Handles log loading and preprocessing operations
+    """
+
+    def __init__(self, max_size: int = 20000):
+        """
+        Initialize the log processor
+
+        Args:
+            max_size: Maximum character size before applying sampling
+        """
+        self.max_size = max_size
+
+    @traceable(name="log_processor_load_logs")
+    def load_logs(self, state: AnalysisState) -> AnalysisState:
+        """Load logs from file and initialize state"""
+        filename = os.path.basename(state["log_file"])
+        print(f"Loading logs from: {filename}")
+
+        # Record start time
+        state["start_time"] = time.time()
+        start_time = time.time()
+
+        try:
+            with open(state["log_file"], "r", encoding="utf-8") as f:
+                raw = f.read()
+            success = True
+        except Exception as e:
+            print(f"Error reading file: {e}")
+            raw = f"Error loading file: {e}"
+            success = False
+
+        execution_time = time.time() - start_time
+        self._log_loading_metrics(filename, len(raw), execution_time, success)
+
+        state["raw_logs"] = raw
+        state["messages"] = []
+        state["agent_reasoning"] = ""
+        state["agent_observations"] = []
+        state["iteration_count"] = 0
+        state["critic_feedback"] = ""
+        state["iteration_history"] = []
+        state["end_time"] = 0.0
+
+        return state
+
+    @traceable(name="log_processor_preprocess_logs")
+    def preprocess_logs(self, state: AnalysisState) -> AnalysisState:
+        """Preprocess logs for analysis - sample large files"""
+        raw = state["raw_logs"]
+        line_count = raw.count("\n")
+        print(f"Loaded {line_count} lines, {len(raw)} characters")
+
+        start_time = time.time()
+
+        if len(raw) > self.max_size:
+            sampled = self._apply_sampling(raw)
+            state["prepared_logs"] = f"TOTAL LINES: {line_count}\nSAMPLED:\n{sampled}"
+            print("Large file detected - using sampling strategy")
+            sampling_applied = True
+        else:
+            state["prepared_logs"] = f"TOTAL LINES: {line_count}\n\n{raw}"
+            sampling_applied = False
+
+        execution_time = time.time() - start_time
+        self._log_preprocessing_metrics(line_count, len(raw), len(sampled), sampling_applied, execution_time)
+
+        state["prepared_logs"] = sampled
+
+        return state
+
+    def _log_loading_metrics(self, filename: str, file_size: int, execution_time: float, success: bool):
+        """Log file loading performance metrics."""
+        try:
+            current_run = get_current_run_tree()
+            if current_run:
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="log_loading_performance",
+                    score=1.0 if success else 0.0,
+                    value={
+                        "filename": filename,
+                        "file_size_chars": file_size,
+                        "execution_time": execution_time,
+                        "success": success
+                    }
+                )
+        except Exception as e:
+            print(f"Failed to log loading metrics: {e}")
+
+    def _log_preprocessing_metrics(self, line_count: int, original_size: int, processed_size: int, sampling_applied: bool, execution_time: float):
+        """Log preprocessing performance metrics."""
+        try:
+            current_run = get_current_run_tree()
+            if current_run:
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="log_preprocessing_performance",
+                    score=1.0,
+                    value={
+                        "line_count": line_count,
+                        "original_size_chars": original_size,
+                        "processed_size_chars": processed_size,
+                        "sampling_applied": sampling_applied,
+                        "size_reduction": (original_size - processed_size) / original_size if original_size > 0 else 0,
+                        "execution_time": execution_time
+                    }
+                )
+        except Exception as e:
+            print(f"Failed to log preprocessing metrics: {e}")
+
+    def _apply_sampling(self, raw: str) -> str:
+        """Apply sampling strategy to large log files"""
+        first = raw[:7000]
+        middle = raw[len(raw) // 2 - 3000 : len(raw) // 2 + 3000]
+        last = raw[-7000:]
+        return f"{first}\n...[MIDDLE]...\n{middle}\n...[END]...\n{last}"
+
+
+class ReactAnalyzer:
+    """
+    Handles ReAct agent analysis with iterative refinement
+    Combines react_engine + criticism_engine logic
+    """
+
+    def __init__(self, llm, base_tools, max_iterations: int = 2):
+        """
+        Initialize the ReAct analyzer
+
+        Args:
+            llm: Language model instance
+            base_tools: List of base tools for the agent
+            max_iterations: Maximum refinement iterations
+        """
+        self.llm = llm
+        self.base_tools = base_tools
+        self.max_iterations = max_iterations
+
+    @traceable(name="react_analyzer_analysis")
+    def analyze(self, state: AnalysisState) -> AnalysisState:
+        """Perform ReAct agent analysis with iterative refinement"""
+        print("Starting ReAct agent analysis with iterative refinement...")
+
+        start_time = time.time()
+
+        # Create state-aware tools
+        tools = self._create_state_aware_tools(state)
+
+        # Create ReAct agent
+        agent_executor = create_react_agent(
+            self.llm, tools, name="react_agent_analysis"
+        )
+
+        # System context
+        system_context = """You are Agent A, an autonomous cybersecurity analyst.
+
+IMPORTANT CONTEXT - RAW LOGS AVAILABLE:
+The complete raw logs are available for certain tools automatically.
+When you call event_id_extractor_with_logs or timeline_builder_with_logs, 
+you only need to provide the required parameters - the tools will automatically 
+access the raw logs to perform their analysis.
+
+"""
+
+        try:
+            # Iterative refinement loop
+            for iteration in range(self.max_iterations):
+                state["iteration_count"] = iteration
+                print(f"\n{'='*60}")
+                print(f"ITERATION {iteration + 1}/{self.max_iterations}")
+                print(f"{'='*60}")
+
+                # Prepare prompt with optional feedback
+                messages = self._prepare_messages(state, iteration, system_context)
+
+                # Run ReAct agent
+                print(f"Running agent analysis...")
+                result = agent_executor.invoke(
+                    {"messages": messages},
+                    config={"recursion_limit": 100}
+                )
+                state["messages"] = result["messages"]
+
+                # Extract and process final analysis
+                final_analysis = self._extract_final_analysis(state["messages"])
+
+                # Calculate execution time
+                state["end_time"] = time.time()
+                execution_time = format_execution_time(
+                    state["end_time"] - state["start_time"]
+                )
+
+                # Extract reasoning
+                state["agent_reasoning"] = final_analysis.get("reasoning", "")
+
+                # Format result
+                state["analysis_result"] = self._format_analysis_result(
+                    final_analysis,
+                    execution_time,
+                    iteration + 1,
+                    state["agent_reasoning"],
+                )
+
+                # Run self-critic review
+                print("Running self-critic review...")
+                original_analysis = state["analysis_result"].copy()
+                critic_result = self._critic_review(state)
+
+                # Store iteration in history
+                state["iteration_history"].append(
+                    {
+                        "iteration": iteration + 1,
+                        "original_analysis": original_analysis,
+                        "critic_evaluation": {
+                            "quality_acceptable": critic_result["quality_acceptable"],
+                            "issues": critic_result["issues"],
+                            "feedback": critic_result["feedback"],
+                        },
+                        "corrected_analysis": critic_result["corrected_analysis"],
+                    }
+                )
+
+                # Use corrected analysis
+                corrected = critic_result["corrected_analysis"]
+                corrected["execution_time_seconds"] = original_analysis.get(
+                    "execution_time_seconds", 0
+                )
+                corrected["execution_time_formatted"] = original_analysis.get(
+                    "execution_time_formatted", "Unknown"
+                )
+                corrected["iteration_count"] = iteration + 1
+                state["analysis_result"] = corrected
+
+                # Check if refinement is needed
+                if critic_result["quality_acceptable"]:
+                    print(
+                        f"✓ Quality acceptable - stopping at iteration {iteration + 1}"
+                    )
+                    break
+                elif iteration < self.max_iterations - 1:
+                    print(
+                        f"✗ Quality needs improvement - proceeding to iteration {iteration + 2}"
+                    )
+                    state["critic_feedback"] = critic_result["feedback"]
+                else:
+                    print(f"✗ Max iterations reached - using current analysis")
+
+            print(
+                f"\nAnalysis complete after {state['iteration_count'] + 1} iteration(s)"
+            )
+            print(f"Total messages: {len(state['messages'])}")
+
+        except Exception as e:
+            print(f"Error in analysis: {e}")
+            import traceback
+
+            traceback.print_exc()
+            state["end_time"] = time.time()
+            execution_time = format_execution_time(
+                state["end_time"] - state["start_time"]
+            )
+
+            state["analysis_result"] = {
+                "overall_assessment": "ERROR",
+                "total_events_analyzed": 0,
+                "execution_time_seconds": execution_time["total_seconds"],
+                "execution_time_formatted": execution_time["formatted_time"],
+                "analysis_summary": f"Analysis failed: {e}",
+                "agent_reasoning": "",
+                "abnormal_event_ids": [],
+                "abnormal_events": [],
+                "iteration_count": state.get("iteration_count", 0),
+            }
+
+        return state
+
+    def _create_state_aware_tools(self, state: AnalysisState):
+        """Create state-aware versions of tools that need raw logs"""
+
+        # Create state-aware event_id_extractor
+        @tool
+        def event_id_extractor_with_logs(suspected_event_id: str) -> dict:
+            """Validates and corrects Windows Event IDs identified in log analysis."""
+            from .tools.event_id_extractor_tool import _event_id_extractor_tool
+
+            return _event_id_extractor_tool.run(
+                {
+                    "suspected_event_id": suspected_event_id,
+                    "raw_logs": state["raw_logs"],
+                }
+            )
+
+        # Create state-aware timeline_builder
+        @tool
+        def timeline_builder_with_logs(
+            pivot_entity: str, pivot_type: str, time_window_minutes: int = 5
+        ) -> dict:
+            """Build a focused timeline around suspicious events to understand attack sequences.
+
+            Use this when you suspect coordinated activity or want to understand what happened
+            before and after a suspicious event. Analyzes the sequence of events to identify patterns.
+
+            Args:
+                pivot_entity: The entity to build timeline around (e.g., "powershell.exe", "admin", "192.168.1.100")
+                pivot_type: Type of entity - "user", "process", "ip", "file", "computer", "event_id", or "registry"
+                time_window_minutes: Minutes before and after pivot events to include (default: 5)
+
+            Returns:
+                Timeline analysis showing events before and after the pivot, helping identify attack sequences.
+            """
+            from .tools.timeline_builder_tool import _timeline_builder_tool
+
+            return _timeline_builder_tool.run(
+                {
+                    "pivot_entity": pivot_entity,
+                    "pivot_type": pivot_type,
+                    "time_window_minutes": time_window_minutes,
+                    "raw_logs": state["raw_logs"],
+                }
+            )
+
+        # Replace base tools with state-aware versions
+        tools = [
+            t
+            for t in self.base_tools
+            if t.name not in ["event_id_extractor", "timeline_builder"]
+        ]
+        tools.append(event_id_extractor_with_logs)
+        tools.append(timeline_builder_with_logs)
+
+        return tools
+
+    def _prepare_messages(
+        self, state: AnalysisState, iteration: int, system_context: str
+    ):
+        """Prepare messages for the ReAct agent"""
+        if iteration == 0:
+            # First iteration - no feedback
+            critic_feedback_section = ""
+            full_prompt = system_context + ANALYSIS_PROMPT.format(
+                logs=state["prepared_logs"],
+                critic_feedback_section=critic_feedback_section,
+            )
+            messages = [HumanMessage(content=full_prompt)]
+        else:
+            # Subsequent iterations - include feedback and preserve messages
+            critic_feedback_section = CRITIC_FEEDBACK_TEMPLATE.format(
+                iteration=iteration + 1, feedback=state["critic_feedback"]
+            )
+            # ONLY COPY LANGCHAIN MESSAGE OBJECTS, NOT DICTS
+            messages = [msg for msg in state["messages"] if not isinstance(msg, dict)]
+            messages.append(HumanMessage(content=critic_feedback_section))
+
+        return messages
+
+    def _extract_final_analysis(self, messages):
+        """Extract the final analysis from agent messages"""
+        final_message = None
+        for msg in reversed(messages):
+            if (
+                hasattr(msg, "__class__")
+                and msg.__class__.__name__ == "AIMessage"
+                and hasattr(msg, "content")
+                and msg.content
+                and (not hasattr(msg, "tool_calls") or not msg.tool_calls)
+            ):
+                final_message = msg.content
+                break
+
+        if not final_message:
+            raise Exception("No final analysis message found")
+
+        return self._parse_agent_output(final_message)
+
+    def _parse_agent_output(self, content: str) -> dict:
+        """Parse agent's final output"""
+        try:
+            if "```json" in content:
+                json_str = content.split("```json")[1].split("```")[0].strip()
+            elif "```" in content:
+                json_str = content.split("```")[1].split("```")[0].strip()
+            else:
+                json_str = content.strip()
+
+            return json.loads(json_str)
+        except Exception as e:
+            print(f"Failed to parse agent output: {e}")
+            return {
+                "overall_assessment": "UNKNOWN",
+                "total_events_analyzed": 0,
+                "analysis_summary": content[:500],
+                "reasoning": "",
+                "abnormal_event_ids": [],
+                "abnormal_events": [],
+            }
+
+    def _format_analysis_result(
+        self, final_analysis, execution_time, iteration_count, agent_reasoning
+    ):
+        """Format the analysis result into the expected structure"""
+        abnormal_events = []
+        for event in final_analysis.get("abnormal_events", []):
+            event_with_tools = {
+                "event_id": event.get("event_id", ""),
+                "event_description": event.get("event_description", ""),
+                "why_abnormal": event.get("why_abnormal", ""),
+                "severity": event.get("severity", ""),
+                "indicators": event.get("indicators", []),
+                "potential_threat": event.get("potential_threat", ""),
+                "attack_category": event.get("attack_category", ""),
+                "tool_enrichment": event.get("tool_enrichment", {}),
+            }
+            abnormal_events.append(event_with_tools)
+
+        return {
+            "overall_assessment": final_analysis.get("overall_assessment", "UNKNOWN"),
+            "total_events_analyzed": final_analysis.get("total_events_analyzed", 0),
+            "execution_time_seconds": execution_time["total_seconds"],
+            "execution_time_formatted": execution_time["formatted_time"],
+            "analysis_summary": final_analysis.get("analysis_summary", ""),
+            "agent_reasoning": agent_reasoning,
+            "abnormal_event_ids": final_analysis.get("abnormal_event_ids", []),
+            "abnormal_events": abnormal_events,
+            "iteration_count": iteration_count,
+        }
+
+    # ========== CRITIC ENGINE METHODS ==========
+
+    def _critic_review(self, state: dict) -> dict:
+        """Run self-critic review with quality evaluation"""
+        critic_input = SELF_CRITIC_PROMPT.format(
+            final_json=json.dumps(state["analysis_result"], indent=2),
+            messages="\n".join(
+                [str(m.content) for m in state["messages"] if hasattr(m, "content")]
+            ),
+            logs=state["prepared_logs"],
+        )
+
+        resp = self.llm.invoke(critic_input)
+        full_response = resp.content
+
+        try:
+            # Parse critic response
+            quality_acceptable, issues, feedback, corrected_json = (
+                self._parse_critic_response(full_response)
+            )
+
+            return {
+                "quality_acceptable": quality_acceptable,
+                "issues": issues,
+                "feedback": feedback,
+                "corrected_analysis": corrected_json,
+                "full_response": full_response,
+            }
+        except Exception as e:
+            print(f"[Critic] Failed to parse review: {e}")
+            # If critic fails, accept current analysis
+            return {
+                "quality_acceptable": True,
+                "issues": [],
+                "feedback": "",
+                "corrected_analysis": state["analysis_result"],
+                "full_response": full_response,
+            }
+
+    def _parse_critic_response(self, content: str) -> tuple:
+        """Parse critic response and evaluate quality"""
+
+        # Extract sections
+        issues_section = ""
+        feedback_section = ""
+
+        if "## ISSUES FOUND" in content:
+            parts = content.split("## ISSUES FOUND")
+            if len(parts) > 1:
+                issues_part = parts[1].split("##")[0].strip()
+                issues_section = issues_part
+
+        if "## FEEDBACK FOR AGENT" in content:
+            parts = content.split("## FEEDBACK FOR AGENT")
+            if len(parts) > 1:
+                feedback_part = parts[1].split("##")[0].strip()
+                feedback_section = feedback_part
+
+        # Extract corrected JSON
+        if "```json" in content:
+            json_str = content.split("```json")[1].split("```")[0].strip()
+        elif "```" in content:
+            json_str = content.split("```")[1].split("```")[0].strip()
+        else:
+            json_str = "{}"
+
+        corrected_json = json.loads(json_str)
+
+        # Evaluate quality based on issues
+        issues = self._extract_issues(issues_section)
+        quality_acceptable = self._evaluate_quality(issues, issues_section)
+
+        return quality_acceptable, issues, feedback_section, corrected_json
+
+    def _extract_issues(self, issues_text: str) -> list:
+        """Extract structured issues from text"""
+        issues = []
+
+        # Check for "None" or "no issues"
+        if (
+            "none" in issues_text.lower()
+            and "analysis is acceptable" in issues_text.lower()
+        ):
+            return issues
+
+        # Extract issue types
+        issue_types = {
+            "MISSING_EVENT_IDS": "missing_event_ids",
+            "SEVERITY_MISMATCH": "severity_mismatch",
+            "IGNORED_TOOLS": "ignored_tool_results",
+            "INCOMPLETE_EVENTS": "incomplete_abnormal_events",
+            "EVENT_ID_FORMAT": "event_id_format",
+            "SCHEMA_ISSUES": "schema_issues",
+            "UNDECODED_COMMANDS": "undecoded_commands",
+        }
+
+        for keyword, issue_type in issue_types.items():
+            if keyword in issues_text:
+                issues.append({"type": issue_type, "text": issues_text})
+
+        return issues
+
+    def _evaluate_quality(self, issues: list, issues_text: str) -> bool:
+        """Evaluate if quality is acceptable"""
+        # If no issues found
+        if not issues:
+            return True
+
+        # Critical issue types that trigger iteration
+        critical_types = {
+            "missing_event_ids",
+            "severity_mismatch",
+            "ignored_tool_results",
+            "incomplete_abnormal_events",
+            "undecoded_commands",
+        }
+
+        # Count critical issues
+        critical_count = sum(1 for issue in issues if issue["type"] in critical_types)
+
+        # Quality threshold: max 1 critical issue is acceptable
+        if critical_count >= 2:
+            return False
+
+        # Additional check: if issues_text indicates major problems
+        if any(
+            word in issues_text.lower() for word in ["critical", "major", "serious"]
+        ):
+            return False
+
+        return True
+
+
+class ResultManager:
+    """
+    Handles saving results to disk and displaying to console
+    """
+
+    def __init__(self, output_root: Path):
+        """
+        Initialize the result manager
+
+        Args:
+            output_root: Root directory for saving outputs
+        """
+        self.output_root = output_root
+
+    @traceable(name="result_manager_save_results")
+    def save_results(self, state: AnalysisState) -> AnalysisState:
+        """Save analysis results and messages to files"""
+        input_name = os.path.splitext(os.path.basename(state["log_file"]))[0]
+        analysis_dir = self.output_root / input_name
+
+        analysis_dir.mkdir(exist_ok=True)
+        ts = datetime.now().strftime("%Y%m%d_%H%M%S")
+
+        start_time = time.time()
+        success = True
+
+        try:
+            # Save main analysis result
+            out_file = analysis_dir / f"{input_name}_analysis_{ts}.json"
+            with open(out_file, "w", encoding="utf-8") as f:
+                json.dump(state["analysis_result"], f, indent=2)
+
+            # Save iteration history
+            history_file = analysis_dir / f"{input_name}_iterations_{ts}.json"
+            with open(history_file, "w", encoding="utf-8") as f:
+                json.dump(state.get("iteration_history", []), f, indent=2)
+
+            # Save messages history
+            messages_file = analysis_dir / f"{input_name}_messages_{ts}.json"
+            serializable_messages = self._serialize_messages(state.get("messages", []))
+            with open(messages_file, "w", encoding="utf-8") as f:
+                json.dump(serializable_messages, f, indent=2)
+
+        except Exception as e:
+            print(f"Error saving results: {e}")
+            success = False
+
+        execution_time = time.time() - start_time
+        self._log_save_metrics(input_name, execution_time, success)
+
+        return state
+
+    def _log_save_metrics(self, input_name: str, execution_time: float, success: bool):
+        """Log file saving performance metrics."""
+        try:
+            current_run = get_current_run_tree()
+            if current_run:
+                ls_client.create_feedback(
+                    run_id=current_run.id,
+                    key="result_save_performance",
+                    score=1.0 if success else 0.0,
+                    value={
+                        "input_name": input_name,
+                        "execution_time": execution_time,
+                        "success": success
+                    }
+                )
+        except Exception as e:
+            print(f"Failed to log save metrics: {e}")
+
+    @traceable(name="result_manager_display_results")
+    def display_results(self, state: AnalysisState) -> AnalysisState:
+        """Display formatted analysis results"""
+        result = state["analysis_result"]
+        assessment = result.get("overall_assessment", "UNKNOWN")
+        execution_time = result.get("execution_time_formatted", "Unknown")
+        abnormal_events = result.get("abnormal_events", [])
+        iteration_count = result.get("iteration_count", 1)
+
+        print("\n" + "=" * 60)
+        print("ANALYSIS COMPLETE")
+        print("=" * 60)
+
+        print(f"ASSESSMENT: {assessment}")
+        print(f"ITERATIONS: {iteration_count}")
+        print(f"EXECUTION TIME: {execution_time}")
+        print(f"EVENTS ANALYZED: {result.get('total_events_analyzed', 'Unknown')}")
+
+        # Tools Used
+        tools_used = self._extract_tools_used(state.get("messages", []))
+
+        if tools_used:
+            print(f"TOOLS USED: {len(tools_used)} tools")
+            print(f"  Types: {', '.join(sorted(tools_used))}")
+        else:
+            print("TOOLS USED: None")
+
+        # Abnormal Events
+        if abnormal_events:
+            print(f"\nABNORMAL EVENTS: {len(abnormal_events)}")
+            for event in abnormal_events:
+                severity = event.get("severity", "UNKNOWN")
+                event_id = event.get("event_id", "N/A")
+                print(f"  EventID {event_id} [{severity}]")
+        else:
+            print("\nNO ABNORMAL EVENTS")
+
+        print("=" * 60)
+
+        return state
+
+    def display_batch_summary(
+        self, results: List[Dict], start_time: datetime, end_time: datetime
+    ):
+        """Print summary of batch processing results"""
+        total = len(results)
+        successful = sum(1 for r in results if r["success"])
+        skipped = sum(1 for r in results if "Skipped" in r["message"])
+        failed = total - successful
+
+        duration = (end_time - start_time).total_seconds()
+
+        print("\n" + "=" * 60)
+        print("BATCH ANALYSIS SUMMARY")
+        print("=" * 60)
+        print(f"Total files: {total}")
+        print(f"Successful: {successful}")
+        print(f"Skipped: {skipped}")
+        print(f"Failed: {failed}")
+        print(f"Total time: {duration:.2f} seconds ({duration/60:.2f} minutes)")
+
+        if failed > 0:
+            print(f"\nFailed files:")
+            for r in results:
+                if not r["success"]:
+                    filename = os.path.basename(r["log_file"])
+                    print(f"  - {filename}: {r['message']}")
+
+        print("=" * 60 + "\n")
+
+    def get_existing_output(self, log_file: str) -> Optional[str]:
+        """Get the output file path for a given log file if it exists"""
+        import glob
+
+        input_name = os.path.splitext(os.path.basename(log_file))[0]
+        analysis_dir = self.output_root / input_name
+
+        if analysis_dir.exists():
+            existing_files = list(analysis_dir.glob(f"{input_name}_analysis_*.json"))
+            if existing_files:
+                return str(existing_files[0])
+        return None
+
+    def _serialize_messages(self, messages) -> List[dict]:
+        """Serialize messages for JSON storage"""
+        serializable_messages = []
+        for msg in messages:
+            if isinstance(msg, dict):
+                serializable_messages.append(msg)
+            else:
+                msg_dict = {
+                    "type": msg.__class__.__name__,
+                    "content": msg.content if hasattr(msg, "content") else str(msg),
+                }
+                if hasattr(msg, "tool_calls") and msg.tool_calls:
+                    msg_dict["tool_calls"] = [
+                        {"name": tc.get("name", ""), "args": tc.get("args", {})}
+                        for tc in msg.tool_calls
+                    ]
+                serializable_messages.append(msg_dict)
+
+        return serializable_messages
+
+    def _extract_tools_used(self, messages) -> set:
+        """Extract set of tool names used during analysis"""
+        tools_used = set()
+        for msg in messages:
+            if hasattr(msg, "tool_calls") and msg.tool_calls:
+                for tc in msg.tool_calls:
+                    tool_name = tc.get("name", "")
+                    if tool_name:
+                        tools_used.add(tool_name)
+        return tools_used