Graph RAG and MITRE ATT&CK
Flat RAG retrieves paragraphs. An offensive operation does not think in paragraphs: it thinks in relationships — this technique enables that one, this actor uses this malware, this mitigation breaks this chain. That is why we wired Beorn to a knowledge graph built on MITRE ATT&CK.
From chunks to a TTP graph
We model tactics, techniques, sub-techniques, groups and mitigations as nodes; ATT&CK relationships as edges. Every writeup we index is linked to the techniques it demonstrates. Retrieval stops being "similar documents" and becomes "what can I do from here".
Retrieval that follows the kill chain
When the agent gets execution, we don't ask for "text about persistence". We walk the graph from the current technique toward the next tactics, weighted by what we observed on the target.
    // Walk from the current technique toward the next tactics, filtered to
    // Linux techniques and to what was observed on the target; return the top 5.
    graph.walk({
      from: "T1190",
      toward: ["persistence", "privilege-escalation"],
      filter: { platform: "linux", observed: true },
      k: 5
    })
Why the graph wins
The graph gives precision (curated edges, not cosine similarity), explainability (each suggestion carries its path) and coverage (adjacent techniques no embedding would pull). The vector store stays for fuzzy search; the graph decides the next move.
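The walk sketched under "Retrieval that follows the kill chain" and the explainability argument above, as an added example that is not Beorn's code: a breadth-first walk over a small constructed ATT&CK graph. The IDs follow ATT&CK's scheme, but the "enables" edges and the mitigation coverage are abbreviated and constructed for illustration; each returned step carries the path that reached it and the mitigations that would break that step.

```javascript
// Constructed mini ATT&CK graph: IDs follow ATT&CK's scheme, but the "enables"
// edges and the mitigation coverage below are abbreviated for this example.
const TECHNIQUES = {
  "T1190":     { name: "Exploit Public-Facing Application", tactic: "initial-access", platforms: ["linux", "windows"] },
  "T1505.003": { name: "Web Shell", tactic: "persistence", platforms: ["linux", "windows"] },
  "T1053.003": { name: "Cron", tactic: "persistence", platforms: ["linux"] },
  "T1053.005": { name: "Scheduled Task", tactic: "persistence", platforms: ["windows"] },
  "T1068":     { name: "Exploitation for Privilege Escalation", tactic: "privilege-escalation", platforms: ["linux", "windows"] },
};
// Kill-chain edges (constructed): technique -> techniques it commonly enables.
const ENABLES = {
  "T1190": ["T1505.003", "T1053.003", "T1053.005"],
  "T1505.003": ["T1068"],
  "T1053.003": ["T1068"],
};
// ATT&CK "mitigates" edges: mitigation -> techniques (coverage abbreviated).
const MITIGATES = {
  "M1051": ["T1190", "T1068"],         // Update Software
  "M1016": ["T1190"],                  // Vulnerability Scanning
  "M1026": ["T1053.003", "T1053.005"], // Privileged Account Management
  "M1042": ["T1505.003"],              // Disable or Remove Feature or Program
};

// Breadth-first walk from `from` along ENABLES edges. Returns up to k techniques
// whose tactic is in `toward` and that apply to `platform`, each with the path
// that reached it (the explanation) and the mitigations that break that step.
// Techniques already observed on the host rank first, then shorter paths.
function walk({ from, toward, platform, observed = [], k = 5, maxDepth = 3 }) {
  const results = [];
  const seen = new Set([from]);
  const queue = [[from, [from]]];
  while (queue.length) {
    const [node, path] = queue.shift();
    if (path.length > maxDepth) continue;
    for (const next of ENABLES[node] || []) {
      if (seen.has(next)) continue;
      seen.add(next);
      const meta = TECHNIQUES[next];
      const newPath = [...path, next];
      if (meta.platforms.includes(platform) && toward.includes(meta.tactic)) {
        results.push({ technique: next, name: meta.name, tactic: meta.tactic, path: newPath,
          observed: observed.includes(next),
          mitigations: Object.keys(MITIGATES).filter(m => MITIGATES[m].includes(next)).sort() });
      }
      queue.push([next, newPath]);
    }
  }
  results.sort((a, b) => (b.observed - a.observed) || (a.path.length - b.path.length) || a.technique.localeCompare(b.technique));
  return results.slice(0, k);
}
```

Feeding the result into a report gives each suggested step an ATT&CK ID, a path and a mitigation list, which is the shape a SIEM mapping needs.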
What we ship
Beorn answers with ATT&CK subgraphs, not just passages. The agent gets a map of its kill chain anchored to evidence, and every report comes out mapped to ATT&CK for your SIEM.