Skip to content

reloading01/threat-intelligence-dataset

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 

Repository files navigation

Cyber Threat Intelligence Dataset for LLM Fine-Tuning

Hugging Face Dataset License: CC BY 4.0

An instruction-tuning dataset for teaching language models to do cyber threat intelligence work: reading a CVE and explaining what the risk actually is, profiling a threat actor from its ATT&CK techniques, turning a Sigma rule into alert-triage guidance, mapping a campaign's kill chain, writing detection logic for a technique, and so on.

The data files live on the Hugging Face dataset page; this repository mirrors them under data/ and documents how the set was built.

Why another CTI dataset

Most "CTI datasets" floating around are a handful of templates with random indicators dropped into the blanks. The IP addresses are made up, the hashes are noise, and the MITRE technique IDs frequently don't match the names next to them. A model trained on that learns to sound like a threat report while being wrong about the facts.

This one is built the other way around. Every record is generated from real sources — MITRE ATT&CK, CISA KEV, CWE, OSV, abuse.ch, ransomware.live, Sigma and others — and every factual claim is checked back against its source before the record is kept. If a technique ID, CVE, CWE, or indicator can't be verified, the record is thrown out rather than shipped.

What's inside

  • 9,970 single-turn examples plus 1,500 multi-turn conversations
  • 37 categories, none of them below 150 examples
  • 97.6% of the instructions are distinct — the phrasing is varied on purpose so the model doesn't latch onto one way of being asked
  • Every MITRE/CVE/CWE/IOC reference verified against its source
  • Near-duplicates stripped out with embeddings

Files

File Records What it is
data/train.jsonl 9,172 CTI training split, single-turn (instruction / input / output)
data/eval.jsonl 798 Held-out evaluation, stratified by category
data/train_blended.jsonl 12,229 The train split with 25% general instructions mixed in (keeps the model from forgetting how to talk about anything outside security)
data/train_multiturn.jsonl 1,500 Grounded two-turn conversations in messages format, for follow-up questions

Loading it from Hugging Face:

from datasets import load_dataset

ds       = load_dataset("reloading0101/threat-intelligence-dataset")               # train + validation
blended  = load_dataset("reloading0101/threat-intelligence-dataset", "blended")    # + 25% general
chat     = load_dataset("reloading0101/threat-intelligence-dataset", "multi_turn") # multi-turn

Format

Single-turn records are plain instruction / input / output:

{
  "instruction": "Analyze CVE-2024-23897 and explain its exploitation risk.",
  "input": "CVE: CVE-2024-23897 (Jenkins CLI)",
  "output": "...grounded analysis...",
  "metadata": {
    "category": "vulnerabilities-cves",
    "task_type": "explain",
    "grounding": "CISA KEV + EPSS",
    "source_refs": { "cves": ["CVE-2024-23897"] }
  }
}

Multi-turn records use the standard messages list. Both assistant turns are grounded — the follow-up answers a second angle on the same real entity (analyze a CVE, then "should we prioritize patching it?").

Where the data comes from

MITRE ATT&CK v19.1 (Enterprise, Mobile, ICS), MITRE ATLAS, MITRE CWE, CISA KEV, FIRST.org EPSS, AttackerKB, OSV.dev, SigmaHQ, abuse.ch (Feodo, SSLBL, URLhaus, ThreatFox), MalwareBazaar, Malpedia, ransomware.live, OpenPhish, plus the usual public frameworks (OWASP Top 10 and API Top 10, STRIDE, NIST SP 800-61, the Diamond Model, the Pyramid of Pain). The general-text blend comes from databricks-dolly-15k.

How it was built

  1. The sources are parsed into a clean knowledge base — techniques linked to their tactics and mitigations, groups to their malware, CVEs to their EPSS scores, and so on.
  2. Records are generated by pulling real entities out of that knowledge base. The generator never invents an ID, a name, or a relationship; it only arranges facts that already exist.
  3. A local model rephrases each instruction so identical tasks don't share identical wording.
  4. A local model rewrites each answer into readable analyst prose, behind a gate that compares the hard facts before and after and reverts anything the model drifted on.
  5. Embeddings remove near-duplicates, and each category is balanced.
  6. A final validation pass re-checks every ID against the knowledge base and drops anything that doesn't hold up.

Categories

37 in total, each with 150–300 examples:

ai-ml-threats, api-security, attribution-analysis, botnet-infrastructure, campaign-analysis, cloud-saas-security, container-security, cryptojacking-mining, cyber-espionage-apt, dark-web-cybercrime, data-exfiltration, deception-technology, digital-risk-management, email-threats, geopolitical-threats, ics-ot-security, incident-response-forensics, insider-threats, malicious-campaigns, malware, mobile-iot-threats, network-based-threats, ransomware-operations, red-team-operations, security-monitoring-detection, social-engineering-fraud, supply-chain-attacks, threat-actors, threat-hunting, threat-intelligence, threat-intelligence-feeds, threat-intelligence-operations, threat-modeling, ttps-mitre-attack, vulnerabilities-cves, web-application-security, zero-day-exploits

Using it for fine-tuning

It's meant for domain-adapting an already instruction-tuned model (Llama 3.x Instruct, Qwen2.5 Instruct, etc.) with LoRA or QLoRA. Train on train_blended.jsonl rather than the pure split — the 25% general mix keeps the model from over-specializing and losing its conversational ability. Keep eval.jsonl pure so it actually measures CTI skill, and break the score down by category to see where the model is weak.

A reasonable starting point: LoRA rank 16–32, learning rate 1e-4 to 2e-4 on a cosine schedule, 2–3 epochs while watching eval loss, sequence length 2048, and masking the prompt so you only train on the answer.

What it won't do

  • It leans on ATT&CK. Around 61% of records reference it. ATT&CK is the common language of threat intelligence, so that's not an accident, but a model trained here will reach for ATT&CK framing.
  • A few categories are small. Cryptojacking, email and social-engineering sit around 150–175 because that's how much real source material exists for them. Better 160 real examples than 300 padded ones.
  • It's mostly single-turn. Instruct base models already handle multi-turn; the multi_turn config tops that up but it's the smaller part of the set.
  • The answers follow a report structure on purpose. That's right for analysis tasks, less so for open-ended chat.

Ethics and scope

Built for defensive security, education, and research. No working exploits or weaponized code, no PII, no private data. Indicators are either reserved/synthetic ranges (RFC 5737 / 2606) or publicly reported indicators used for detection.

License

Released under CC BY 4.0. The underlying sources keep their own terms — ATT&CK's Terms of Use, CISA's public-domain release, Dolly's CC BY-SA 3.0, and so on — so credit those where it applies.

Built with

The paraphrasing and prose passes were run locally with the open-weight gpt-oss-20b model, and deduplication used a local nomic-embed-text embedding model. No paid APIs were involved in generation.

Citation

@misc{cti-instruction-tuning-dataset,
  title  = {Cyber Threat Intelligence Instruction-Tuning Dataset},
  author = {Reloading},
  year   = {2026},
  url    = {https://huggingface.co/datasets/reloading0101/threat-intelligence-dataset}
}

Topics: cyber threat intelligence, CTI dataset, LLM fine-tuning, instruction tuning, MITRE ATT&CK, CVE, threat hunting, detection engineering, incident response, malware analysis, security LLM, infosec dataset.

About

Grounded, fact-checked instruction-tuning dataset for cyber threat intelligence — 10k+ examples across 37 CTI categories, built from MITRE ATT&CK, CVE/KEV, CWE and live threat feeds. For LLM fine-tuning (LoRA/QLoRA).

Topics

Resources

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors