DEV Community

Bhuvi D

How We Built CyberGraph RAG: A 3.5M Token Cybersecurity GraphRAG System with TigerGraph

Traditional Vector RAG struggles with highly connected cybersecurity data.

Threat actors, malware, CVEs, and attack techniques exist as relationships - not isolated text chunks.

To explore whether graph-based retrieval performs better, we built CyberGraph RAG, a cybersecurity benchmarking platform comparing:

  • LLM-only
  • Basic Vector RAG
  • TigerGraph GraphRAG

using a 3.5M+ token cybersecurity corpus built from MITRE ATT&CK, CISA KEV, and NVD feeds.


The Problem with Traditional RAG

Most retrieval systems today use vector similarity search.

Documents are chunked into fixed-size text blocks, embedded into vectors, and retrieved using cosine similarity.

While this works reasonably well for generic QA tasks, cybersecurity intelligence is heavily relationship-driven.

For example:

Which threat actors exploited Log4Shell to deploy ShadowPad in healthcare systems?

Answering this requires understanding relationships between:

  1. Threat actors
  2. Vulnerabilities
  3. Malware families
  4. Target industries

Traditional RAG retrieves nearby chunks of text, but often loses the actual relationships between entities.

This leads to:

  • noisy context
  • larger prompts
  • hallucinations
  • incorrect attack attribution

Our GraphRAG Approach

Instead of storing cybersecurity intelligence as disconnected chunks, we modeled it as a graph inside TigerGraph.

Entities included:

  • Threat Actors
  • Malware
  • CVEs
  • Attack Techniques
  • Target Sectors

Relationships included:

  • USES
  • TARGETS
  • EXPLOITS
  • DELIVERS

Example traversal:

APT41 → EXPLOITS → Log4Shell
Log4Shell → DELIVERS → ShadowPad
ShadowPad → TARGETS → Healthcare

When a query is received:

  1. The system identifies the central entity.
  2. TigerGraph performs multi-hop graph traversal.
  3. Only the most relevant relationships are retrieved.
  4. Gemini generates the final response using focused graph context.

This avoids injecting massive unrelated text chunks into the prompt.
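The four-step query flow above, as an added stand-alone illustration (not the project's code, which runs the traversal inside TigerGraph): a tiny in-memory graph using the post's entity and relationship types, a central-entity heuristic, a hop-bounded traversal that can drop relationship types irrelevant to the question, and the compact context that replaces raw text chunks. Node names other than those on the page (Telecom, T1190, OtherActor, OtherVuln) are constructed sample data.

```python
from collections import deque

# Constructed mini graph in the post's schema (sample data, not the
# project's 35k-relationship dataset). Edge = (subject, RELATION, object).
EDGES = [
    ("APT41", "EXPLOITS", "Log4Shell"),
    ("Log4Shell", "DELIVERS", "ShadowPad"),
    ("ShadowPad", "TARGETS", "Healthcare"),
    ("ShadowPad", "TARGETS", "Telecom"),
    ("APT41", "USES", "T1190"),
    ("OtherActor", "USES", "T1190"),
    ("OtherActor", "EXPLOITS", "OtherVuln"),
]
QUERY = "Which threat actors exploited Log4Shell to deploy ShadowPad in healthcare systems?"

def build_index(edges):
    """Index each triple under both endpoints so traversal can walk edges either way."""
    adj = {}
    for s, r, o in edges:
        adj.setdefault(s, []).append((s, r, o))
        adj.setdefault(o, []).append((s, r, o))
    return adj

def identify_entity(query, adj):
    """Assumed heuristic: the earliest-mentioned known node name is the central entity."""
    q = query.lower()
    hits = [(q.find(n.lower()), n) for n in adj if n.lower() in q]
    return min(hits)[1] if hits else None

def traverse(adj, start, max_hops, allowed=None):
    """BFS up to max_hops from start; keep only relationship types in `allowed` (None = all)."""
    seen_nodes, triples = {start}, []
    frontier = deque([(start, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for s, r, o in adj.get(node, []):
            if allowed and r not in allowed:
                continue  # relationship type not relevant to this question
            if (s, r, o) not in triples:
                triples.append((s, r, o))
            nxt = o if s == node else s
            if nxt not in seen_nodes:
                seen_nodes.add(nxt)
                frontier.append((nxt, depth + 1))
    return triples

def graph_context(query, edges, max_hops=2, allowed=None):
    """Focused 'subject RELATION object' lines for the generator prompt."""
    adj = build_index(edges)
    center = identify_entity(query, adj)
    if center is None:
        return ""
    return "\n".join(f"{s} {r} {o}" for s, r, o in traverse(adj, center, max_hops, allowed))
```

With the relationship filter set to EXPLOITS/DELIVERS/TARGETS, a three-hop walk from APT41 returns only the attack chain; without it the same walk pulls in every neighbour of every technique node.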


System Architecture


CyberGraph compares LLM-only, Basic RAG, and TigerGraph GraphRAG pipelines side-by-side using a shared cybersecurity dataset.

While Basic RAG retrieves nearby text chunks using vector similarity search, GraphRAG performs multi-hop traversal over structured cybersecurity relationships stored inside TigerGraph.

The retrieved context is then passed to Gemini for final response generation; each run also feeds the benchmark evaluation and the graph visualization.


Dashboard Comparison

CyberGraph dashboard comparing LLM-only, Basic RAG, and GraphRAG side-by-side.



Building the Cybersecurity Dataset

We created a lightweight dataset aggregation pipeline that automatically collected and normalized cybersecurity intelligence from:

  1. MITRE ATT&CK Enterprise Matrix
  2. CISA Known Exploited Vulnerabilities (KEV)
  3. NVD CVE Feeds

Final Dataset Scale

  • 3.5M+ tokens
  • 21,029 processed documents
  • 35,072 graph relationships

The processed dataset was converted into relationship-rich graph structures optimized for GraphRAG traversal.
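An added example of the normalization step for two of the three feeds named above (illustrative code, not the project's pipeline): ATT&CK ships as a STIX 2.x bundle whose "uses" relationship objects reference entities by STIX id, and CISA KEV ships as a JSON catalog with a "vulnerabilities" array. The inputs are constructed miniatures of those formats; the CVE ids are placeholders.

```python
import json

# Constructed miniature feeds shaped like the real ones (sample data, not the
# project's corpus). The CVE ids are placeholders, not real vulnerabilities.
ATTACK_BUNDLE = json.dumps({"objects": [
    {"type": "intrusion-set", "id": "intrusion-set--a1", "name": "APT41"},
    {"type": "malware", "id": "malware--m1", "name": "ShadowPad"},
    {"type": "attack-pattern", "id": "attack-pattern--t1",
     "name": "Exploit Public-Facing Application",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1190"}]},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--a1", "target_ref": "malware--m1"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--a1", "target_ref": "attack-pattern--t1"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--c1", "target_ref": "attack-pattern--t1"},
]})
KEV_CATALOG = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "OtherProduct", "knownRansomwareCampaignUse": "Unknown"},
]})

# STIX object types that become graph nodes (assumed subset for this example).
GRAPH_TYPES = ("intrusion-set", "malware", "tool", "attack-pattern")

def attack_uses_edges(bundle_json):
    """Resolve STIX 'uses' relationships to (name, USES, name); techniques keep their T-id."""
    objs = json.loads(bundle_json)["objects"]
    names = {}
    for o in objs:
        if o.get("type") in GRAPH_TYPES and not o.get("revoked"):
            ext = [r["external_id"] for r in o.get("external_references", [])
                   if r.get("source_name") == "mitre-attack"]
            names[o["id"]] = ext[0] if ext else o["name"]
    return [(names[o["source_ref"]], "USES", names[o["target_ref"]])
            for o in objs if o.get("type") == "relationship"
            and o.get("relationship_type") == "uses"
            and o["source_ref"] in names and o["target_ref"] in names]

def kev_catalog_index(kev_json):
    """Map each known-exploited CVE id to its affected product and ransomware flag."""
    return {v["cveID"]: {"product": f'{v["vendorProject"]} {v["product"]}',
                         "ransomware": v.get("knownRansomwareCampaignUse") == "Known"}
            for v in json.loads(kev_json)["vulnerabilities"]}
```

Relationships whose endpoints are not graph node types (the "mitigates" edge from a course-of-action here) are dropped rather than guessed at, which keeps the graph limited to entities the schema defines.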


Interactive Graph Visualization

To improve explainability, we integrated graph visualization directly into the dashboard.

Each query dynamically renders the retrieved graph neighborhood showing:

  • threat actors
  • malware families
  • CVEs
  • attack techniques
  • target industries

This made multi-hop cybersecurity reasoning much easier to validate visually.


Interactive graph visualization generated during GraphRAG traversal.


Benchmark Results

We benchmarked all three pipelines side-by-side using complex multi-hop cybersecurity reasoning queries.

Pipeline     Avg Tokens   Avg Latency   Accuracy
LLM-only     950          10.15s        20%
Basic RAG    1280         6.45s         60%
GraphRAG     685          3.80s         100%

Key Improvements with GraphRAG

  1. ~46.5% lower token usage compared to Basic RAG
  2. ~62.5% lower latency (relative to the LLM-only baseline in the table)
  3. Lower estimated API cost
  4. Higher factual consistency on multi-hop cybersecurity queries

Because GraphRAG retrieves focused entity relationships instead of large overlapping chunks, the prompts become:

  • smaller
  • cleaner
  • more explainable

Metrics Comparison


Benchmark comparison showing lower latency and token usage for GraphRAG.


Key Learnings

  1. Graph relationships matter more than raw chunk similarity in cybersecurity workflows.

  2. Smaller, focused prompts improved both latency and factual consistency.

  3. Multi-hop graph traversal produced more explainable retrieval than traditional vector search.

  4. Graph visualization significantly improved debugging and trust in retrieved threat intelligence.


Future Improvements

Next steps for CyberGraph include:

  1. Real-time threat feed ingestion
  2. Live attack-chain visualization
  3. Autonomous community detection for emerging threat clusters
  4. Adaptive graph traversal strategies

Conclusion

CyberGraph showed us that GraphRAG is not just a retrieval upgrade — it fundamentally changes how complex cybersecurity intelligence can be explored, explained, and validated.

By combining TigerGraph with Gemini, we built a system that is:

  • faster
  • more token-efficient
  • more explainable
  • and significantly more reliable for multi-hop threat intelligence reasoning.

Project Links

GitHub Repo

Live Demo

Built for the TigerGraph GraphRAG Inference Hackathon 2026.
