What Are Adversaries Doing? Automating Tactics, Techniques, and Procedures Extraction: A Systematic Review
Systematic review reveals LLMs like BERT and GPT are transforming how defenders track adversary TTPs.
A comprehensive research review led by Mahzabin Tamanna and six co-authors systematically analyzed 80 peer-reviewed studies on automating the extraction of adversary Tactics, Techniques, and Procedures (TTPs) from unstructured text. The goal is to map real-world attack descriptions to structured frameworks like the MITRE ATT&CK knowledge base, helping defenders keep pace with evolving threats. The analysis reveals the field has progressed through distinct phases: starting with rule-based systems and traditional machine learning, advancing to transformer-based architectures like BERT and SecureBERT, and now exploring cutting-edge Large Language Model (LLM) approaches including prompting, retrieval-augmented generation (RAG), and fine-tuning.
Despite this technological evolution, the review identifies significant barriers to practical adoption. The dominant task remains technique-level classification, while more complex analyses such as tactic classification are underexplored. A major hurdle is reproducibility: many studies rely on proprietary datasets, offer limited code releases, or use narrow corpora that constrain cross-domain generalization. Furthermore, evaluation practices often involve single-label classification in limited settings, which may not reflect the messy reality of cybersecurity reports, where one sentence can describe several techniques at once. These limitations make it difficult for security teams to deploy automated extraction tools at scale, leaving a gap between academic research and security operations centers.
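To make the single-label-versus-multi-label evaluation point concrete, here is an added example (not code from the review or from any of the surveyed systems): a toy rule-based extractor that maps constructed report sentences to ATT&CK technique IDs and tactics, then scores the same predictions under a single-label and a multi-label metric. The keyword rules and the sentences are assumptions made for this example; the technique IDs and tactic names are real ATT&CK identifiers.

```python
import re

# Constructed keyword rules for a tiny rule-based baseline (an assumption for this
# example, not a mapping taken from the review). The ATT&CK technique IDs and
# tactic names are real; each of these five techniques sits under a single tactic.
RULES = {
    "T1566": ("Initial Access", [r"spear[- ]?phish", r"\bphishing\b", r"malicious attachment"]),
    "T1059": ("Execution", [r"\bpowershell\b", r"\bcmd\.exe\b", r"\bbash\b"]),
    "T1003": ("Credential Access", [r"credential dump", r"\bmimikatz\b"]),
    "T1486": ("Impact", [r"\bencrypt(ed|s|ing)? (the )?(files|data)\b", r"\bransom"]),
    "T1071": ("Command and Control", [r"\bC2\b", r"command[- ]and[- ]control", r"beacon\w* over https?"]),
}

# Constructed report sentences with hand-assigned gold technique sets. The second
# sentence carries two techniques, the situation a single-label setup cannot express.
REPORT = [
    ("The operators sent spear-phishing emails carrying a malicious attachment.", {"T1566"}),
    ("The attachment launched PowerShell, which then dumped credentials from LSASS memory.", {"T1059", "T1003"}),
    ("Tools beaconed over HTTPS to the C2 server before the actor encrypted files and left a ransom note.", {"T1071", "T1486"}),
]

def extract_techniques(sentence):
    """Multi-label extraction: every technique whose patterns match the sentence."""
    return {tid for tid, (_, pats) in RULES.items()
            if any(re.search(p, sentence, re.IGNORECASE) for p in pats)}

def extract_tactics(sentence):
    """Tactic-level view derived from the technique hits via each rule's ATT&CK tactic."""
    return {RULES[tid][0] for tid in extract_techniques(sentence)}

def top1_accuracy(pairs):
    """Single-label scoring: keep one predicted ID per sentence and count it correct
    when it appears anywhere in the gold set. Gold techniques the extractor never
    produced (T1003 in sentence two) are invisible to this metric."""
    return sum(1 for pred, gold in pairs if pred and min(pred) in gold) / len(pairs)

def micro_f1(pairs):
    """Multi-label scoring over full technique sets; missed techniques become false negatives."""
    tp = sum(len(p & g) for p, g in pairs)
    fp = sum(len(p - g) for p, g in pairs)
    fn = sum(len(g - p) for p, g in pairs)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0

def evaluate(report=REPORT):
    pairs = [(extract_techniques(text), gold) for text, gold in report]
    return {"top1_accuracy": top1_accuracy(pairs), "micro_f1": micro_f1(pairs)}

if __name__ == "__main__":
    for text, gold in REPORT:
        print(sorted(extract_techniques(text)), sorted(extract_tactics(text)), "gold:", sorted(gold))
    print(evaluate())
```

On these three sentences the single-label view reports a perfect score while the multi-label view exposes the missed credential-dumping technique, which is the kind of gap the review says narrow evaluation settings can hide.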
- Analyzed 80 studies showing evolution from rule-based systems to LLM-based approaches like GPT and RAG.
- Identified major reproducibility issues due to proprietary datasets and limited code releases.
- Found technique classification is dominant, but tactic-level analysis remains an underexplored challenge.
Why It Matters
Highlights the gap between AI research and practical tools for SOC analysts to automate threat intelligence.