Bridging Forecasts and Mitigation Through Retrieval-Augmented Time-Series Models for Cybersecurity Incidents ^†

Abstract

In Cyber Threat Intelligence, anticipating threat events and linking forecasts to standards-based mitigations is essential, yet many approaches rely on non-unified event representations within the analysis window, introducing bias and weakening tactical signal. In this manuscript, an end-to-end workflow is introduced that canonicalizes seven public threat feeds, constructs exogenous covariates, applies Elastic Net under Walk-Forward Cross-Validation (WFCV), and models continuous and intermittent series with SARIMAX and ADIDA estimators. Forecasts are consolidated into a fourteen-dimensional risk vector aligned with the MITRE ATT&CK framework taxonomy and translated into mitigations through a Retrieval-Augmented Generation (RAG) module that also consults the CISA Known Exploited Vulnerabilities catalogue. At a seven-day forecast horizon $h=7$ with weekly seasonality $m=7$, forecasting attains MAPE 12.0%, RMSE 6.8, and MAE 4.9. Mitigation retrieval, evaluated on 73 tactic-specific contextual queries from the test set, achieves 84.5% Exact Match and 91.3% Coverage.

1. Introduction

In Cyber Threat Intelligence (CTI), early response and rapid maturation of mitigation measures are essential to reduce risk [1]. The 2024 European Union Agency for Cybersecurity (ENISA) Threat Landscape highlights ransomware, malware, social engineering, data-related threats, denial-of-service attacks, and information manipulation across industrial, governmental, and healthcare sectors [2]. Within the CTI lifecycle, the dissemination phase aims to convert processed information into actionable intelligence to support preventive and reactive decisions [3]. Forecasting naturally complements this stage by anticipating malicious activity through statistical and machine-learning models; however, prior research is often limited to single environments, offers strategic rather than tactical resolution, relies on univariate series that overlook simultaneity and cross-dependencies, overemphasizes coarse aggregates that obscure short-term patterns, and lacks normative alignment for traceable mitigation.

2. Methods and Materials

The proposed methodology is a six-stage pipeline as described in Figure 1.

In the Canonical Event Generation stage, seven public threat intelligence feeds are ingested—SANS Internet Storm Center; Abuse.ch URLhaus; Abuse.ch Feodo Tracker; Abuse.ch SSL Blacklist; the federal Known Exploited Vulnerabilities (CISA KEV) catalogue; Ransomware.live; and ThreatFox [4,5,6,7,8,9,10]. Each record is normalized into the canonical tuple $e_i=(t_i,s_i,{\mathrm{type}}_i,{\mathrm{ioc}}_i,{\mathrm{desc}}_i,{\mathrm{meta}}_i,{\mathrm{tactic}}_i)$, where $t_i$ is a timestamp normalized to Coordinated Universal Time (UTC); $s_i$ denotes the source; ${\mathrm{type}}_i$ specifies a stable category; ${\mathrm{ioc}}_i$ captures indicators of compromise (IoCs); ${\mathrm{desc}}_i$ concatenates available textual fields into a single normalized string, defaulting to empty when a feed lacks descriptive attributes; ${\mathrm{meta}}_i$ aggregates auxiliary fields such as vendor identifiers, product references, compromised services, and malware subfamilies, left empty when absent; and ${\mathrm{tactic}}_i$ maps the event to a tactic in the MITRE ATT&CK framework [11] via a rule-based classifier that matches ${\mathrm{type}}_i$ and ${\mathrm{meta}}_i$ keywords to the fourteen ATT&CK tactics. The seven feeds exhibit uneven tactic coverage: Command and Control, Initial Access, Execution, Credential Access, and Impact concentrate 68% of events, while Reconnaissance and Resource Development remain sparse.

In the Exogenous Variable Generation stage, for each temporal window k the exogenous vector ${\mathbf{x}}_k$ is constructed by stacking base families with temporal transforms, as defined in Equation (1).

$${\mathbf{x}}_k=\left[\mathrm{\Psi }\left(M_k^{\langle s\rangle }\right),\mathrm{\Psi }\left(N_k^{\langle \mathrm{type}\rangle }\right),\mathrm{\Psi }\left(H_k^{\langle \mathrm{ioc}\rangle }\right),\mathrm{\Psi }\left(Q_k^{\langle \mathrm{meta}\rangle }\right),\mathrm{\Psi }\left(V_k\right),c_{k,u}^{(m,sin)},c_{k,u}^{(m,cos)}\right]$$

(1)

where $M_k^{\langle s\rangle }$, $N_k^{\langle \mathrm{type}\rangle }$, $H_k^{\langle \mathrm{ioc}\rangle }$, and $Q_k^{\langle \mathrm{meta}\rangle }$ are daily counts by source, type, IoC, and metadata category; $V_k$ is the deduplicated indicator count per window, which avoids perfect collinearity with the disaggregated totals; $\mathrm{\Psi }(·)$ is a temporal operator that receives the full history ${\left\{M_j^{\langle s\rangle }\right\}}_{j\le k}$ up to window k and returns lagged values at 1, 7, and 14 days, the seven-day rolling means, and ultimately the exponentially weighted moving averages. Moreover, ${\{c_{k,u}^{(m,sin)},c_{k,u}^{(m,cos)}\}}_{u=1}^U$ are $2U$ Fourier terms of period $m=7$ days capturing weekly seasonality, with $U=3$ harmonics selected by validation loss on the first WFCV fold.

Subsequently, for each window k, the event–context pairs are assembled into the event–exogenous vector ${\mathcal{E}}_k=\left\{\langle e_i,{\mathbf{x}}_k\rangle \right\}$, and a tactic-specific count time series is defined by $y_k^{\left(f\right)}={\sum }_{\langle e_i,{\mathbf{x}}_k\rangle \in {\mathcal{E}}_k}\mathbf{1}\left({\mathrm{tactic}}_i=f\right)$ for $f\in \{1,\dots ,14\}$, where $1,\dots ,14$ correspond to the 14 MITRE ATT&CK tactics, yielding a count in ${\mathbb{N}}_0$ of events mapped to tactic f in window k.

To select features for the mapping ${\mathcal{E}}_k\mapsto y_k^{\left(f\right)}$, Elastic Net regularization [12] is applied under a Walk-Forward Cross-Validation (WFCV) split; in each round, the training portion ends strictly before the validation window subset of k, ensuring that no future data are used. The hyperparameters $\lambda$ and $\alpha$ are chosen by grid search on the validation loss under a maximum deterministic threshold. Further, to quantify exogenous influence through feature selection, let $d^{{\mathbf{x}}_k}$ denote the dimension of ${\mathbf{x}}_k$ and define the active set ${\widehat{\mathcal{J}}}^{\left(f\right)}$ as the indices of nonzero coefficients selected by Elastic Net. The Elastic Net optimization and its active set are given in Equation (2).

$$\begin{array}{cc}\hfill {\widehat{\beta }}^{\left(f\right)}=arg\underset{{\beta }^{\left(f\right)}}{min}& {\displaystyle \frac{1}{K}}\sum _{k=1}^{k_F}{\left(y_k^{\left(f\right)}-{\beta }_0^{\left(f\right)}-{\left({\beta }^{\left(f\right)}\right)}^{\top }{\mathbf{x}}_k\right)}^2\hfill \\ \hfill & +\lambda \left(\alpha \parallel {\beta }^{\left(f\right)}{\parallel }_1+\frac{1-\alpha }{2}{\parallel {\beta }^{\left(f\right)}\parallel }_2^2\right),{\widehat{\mathcal{J}}}^{\left(f\right)}=\{j:{\widehat{\beta }}_j^{\left(f\right)}\ne 0\}\hfill \end{array}$$

(2)

where $k_F$ is the number of training (fitting) windows in the current split, ${\beta }_0^{\left(f\right)}\in \mathbb{R}$ is an intercept, ${\beta }^{\left(f\right)}\in {\mathbb{R}}^{d^{{\mathbf{x}}_k}}$ are coefficients for ${\mathbf{x}}_k\in {\mathbb{R}}^{d^{{\mathbf{x}}_k}}$, $\lambda >0$ is the penalty and $\alpha \in [0,1]$ the mixing parameter; for notational convenience, ${\mathcal{J}}^{\left(f\right)}:={\widehat{\mathcal{J}}}^{\left(f\right)}$ is used in the subsequent SARIMAX and retrieval steps. Larger $\lambda$ increases shrinkage and can drive more coefficients toward zero, while $\alpha$ controls the relative influence of the ${𝓁}_1$ and ${𝓁}_2$ components: as $\alpha$ approaches 1 the penalty places greater weight on the ${𝓁}_1$ term, yielding the sparsity-inducing behavior of Least Absolute Shrinkage and Selection Operator (LASSO), whereas as $\alpha$ approaches 0 the penalty places greater weight on the ${𝓁}_2$ term, yielding Ridge-type continuous shrinkage with fewer exact zeros. Subsequently, the continuous series $y_k^{\left(f\right)}$ are fitted with Seasonal Autoregressive Integrated Moving Average models with exogenous Regressors (SARIMAX), as defined in Equation (3), which produce h-step-ahead forecasts ${\widehat{y}}_{k+h}^{\left(f\right)}$ from origin k using exogenous values ${\mathbf{x}}_{k,{\mathcal{J}}^{\left(f\right)}}$ available up to k.

$${\mathrm{\Phi }}^{\left(f\right)}\left(B^m\right){\varphi }^{\left(f\right)}\left(B\right){\nabla }^{d^{\left(f\right)}}{\Delta }_m^{D^{\left(f\right)}}{y}_k^{\left(f\right)}={\mu }^{\left(f\right)}+{\left({\widehat{\gamma }}_{{\mathcal{J}}^{\left(f\right)}}^{\left(f\right)}\right)}^{\top }{\mathbf{x}}_{k,{\mathcal{J}}^{\left(f\right)}}+{\mathrm{\Theta }}^{\left(f\right)}\left(B^m\right){\theta }^{\left(f\right)}\left(B\right)a_k^{\left(f\right)}$$

(3)

B is the backshift operator; $\nabla =1-B$ denotes the nonseasonal differencing operator of order $d^{\left(f\right)}$; ${\Delta }_m=1-B^m$ denotes the seasonal differencing operator of order $D^{\left(f\right)}$; ${\varphi }^{\left(f\right)}\left(B\right)$ and ${\theta }^{\left(f\right)}\left(B\right)$ are the nonseasonal AR and MA polynomials of orders $p^{\left(f\right)}$ and $q^{\left(f\right)}$; ${\mathrm{\Phi }}^{\left(f\right)}\left(B^m\right)$ and ${\mathrm{\Theta }}^{\left(f\right)}\left(B^m\right)$ are the seasonal AR and MA polynomials of orders $P^{\left(f\right)}$ and $Q^{\left(f\right)}$ with seasonal period $m=7$; ${\mu }^{\left(f\right)}$ is a drift term included only when $d^{\left(f\right)}+D^{\left(f\right)}>0$; $a_k^{\left(f\right)}\sim \mathcal{N}(0,{\sigma }_f^2)$ are independent and identically distributed Gaussian innovations, with $\mathcal{N}(0,{\sigma }_f^2)$ denoting a Normal distribution of mean 0 and variance ${\sigma }_f^2$; ${\widehat{\gamma }}_{{\mathcal{J}}^{\left(f\right)}}^{\left(f\right)}$ are the SARIMAX estimates of the regression coefficients for the exogenous covariates indexed by ${\mathcal{J}}^{\left(f\right)}$. Model orders are selected via grid search using the Akaike Information Criterion (AIC) and the Bayesian Information Criterion (BIC), computed on the training portion of each WFCV split, then averaged across splits. A horizon $h=7$ days with seasonality $m=7$ is chosen to match the weekly operational cycle observed in preliminary autocorrelation analysis. Certain tactics exhibit intermittent demand—frequent zero counts interspersed with sporadic nonzero observations—violating SARIMAX continuity assumptions. The latter are handled via the Aggregate–Disaggregate Intermittent Demand Approach (ADIDA), which aggregates consecutive windows to reduce intermittency, decreasing the proportion of zeros and stabilizing variance. Under ADIDA, a base model is fitted on the aggregated series $\left\{y_r^{(f,g)}\right\}$ and the resulting forecasts are disaggregated uniformly to daily resolution, with block size $g=m$ by default and $g=2m$ used for highly intermittent tactics to provide additional smoothing, as defined in Equation (4), with T denoting the total number of windows in the original series $\left\{y_k^{\left(f\right)}\right\}$.

$$y_r^{(f,g)}=\sum _{j=1}^g{y}_{(r-1)g+j}^{\left(f\right)},r=1,\dots ,⌊\frac{T}{g}⌋$$

(4)

Stationarity is verified with the Augmented Dickey–Fuller test [13] and the Kwiatkowski– Phillips–Schmidt–Shin test [14]. The tests are applied to the original series $\left\{y_k^{\left(f\right)}\right\}$, that is, the observed tactic-specific count sequence before any model fit, and to the model residuals after fitting, defined as ${\widehat{a}}_k^{\left(f\right)}=y_k^{\left(f\right)}-{\widehat{y}}_k^{\left(f\right)}$. Residual adequacy is assessed via Ljung–Box tests at lags 7 and 14; comparative forecast accuracy between SARIMAX and ADIDA for each tactic is evaluated with the Diebold–Mariano test [15] within each WFCV split. Errors are summarized by the Root Mean Squared Error (RMSE), Mean Absolute Error (MAE), and Mean Absolute Percentage Error (MAPE). The average daily event count across tactics is 38.2, which provides the natural scale of the components of the forecast vector; accordingly, for a horizon $h\in \mathbb{N}$, the joint trajectory is summarized by the multi-tactic forecast vector in Equation (5).

$${\mathbf{v}}_{k+h}={\left({\widehat{y}}_{k+h}^{\left(1\right)},\dots ,{\widehat{y}}_{k+h}^{\left(14\right)}\right)}^{\top }\in {\mathbb{R}}^{14}$$

(5)

${\widehat{y}}_{k+h}^{\left(f\right)}$ denotes the h-step-ahead forecast issued at time k, produced by SARIMAX or, for intermittent tactics, by ADIDA after disaggregation. For RAG-based mitigation retrieval, $K_x=5$ is the number of top-contributing features included in each contextual query, chosen by validation on the first WFCV fold. For each tactic f, feature contributions at time k are scored as $w_{k,j}^{\left(f\right)}={\widehat{\gamma }}_j^{\left(f\right)}{x}_{k,j}$ for $j\in {\mathcal{J}}^{\left(f\right)}$, using only information available up to k. The set of selected features ${\mathcal{S}}_k^{\left(f\right)}\subseteq {\mathcal{J}}^{\left(f\right)}$ contains the $K_x$ indices with the largest absolute scores, equivalently ${\mathcal{S}}_k^{\left(f\right)}={arg\; max}_{\begin{array}{c}S\subseteq {\mathcal{J}}^{\left(f\right)}\\ \left|S\right|=K_x\end{array}}{\sum }_{j\in S}\left|w_{k,j}^{\left(f\right)}\right|$. The contextual query at time k is then formed as ${\eta }_k^{\left(f\right)}=\tau \left(f\right)\oplus {\mathrm{type}}^{\left(f\right)}\oplus {\mathrm{ioc}}^{\left(f\right)}\oplus {\mathrm{meta}}^{\left(f\right)}{⨁}_{j\in {\mathcal{S}}_k^{\left(f\right)}}\mathrm{desc}\left(j\right)$, with $\tau \left(f\right)$ the tactic identifier, ⊕ denoting concatenation, and $\mathrm{desc}\left(j\right)$ the human-readable feature name; ${\mathrm{type}}^{\left(f\right)}$, ${\mathrm{ioc}}^{\left(f\right)}$, and ${\mathrm{meta}}^{\left(f\right)}$ are obtained by concatenating the distinct values of those fields across events in ${\mathcal{E}}_k$ with ${\mathrm{tactic}}_i=f$. Mitigations are retrieved as ${\mathcal{M}}_{k+h}^{\left(f\right)}={\psi }_{\mathrm{ATT}\&\mathrm{CK}}\left({\eta }_k^{\left(f\right)}\right)\cup {\psi }_{\mathrm{CISA}\_\mathrm{KEV}}\left({\eta }_k^{\left(f\right)}\right)$, with ${\psi }_{\mathrm{ATT}\&\mathrm{CK}}$ and ${\psi }_{\mathrm{CISA}\_\mathrm{KEV}}$ defined as cosine-similarity retrievers over sentence embeddings of the ATT&CK and CISA KEV corpora. The retrieved passages are provided to a Google T5 model [16] as a constrained, normative prompt that restricts generation to concrete controls supported by the retrieved sources, and the resulting set ${\mathcal{M}}_{k+h}^{\left(f\right)}$ is normalized into a structured recommendation output [17].

Implementation details are summarized as follows. In this section, all steps are implemented in Python: statsmodels is used for SARIMAX estimation, ADIDA aggregation–disaggregation is implemented as a custom procedure in Python v3.15, scikit-learn is used for Elastic Net regularization, sentence-transformers is used for cosine-similarity retrieval, and Google T5-base [16] is used for constrained generation in the RAG module. Code is executed on a workstation running Ubuntu 22.04 LTS.

3. Results and Discussion

All normative repositories are version-controlled to ensure reproducible retrieval; experiments use MITRE ATT&CK version 14.1 dated July 2025 and the CISA Known Exploited Vulnerabilities snapshot dated 10 July 2025. Forecasts are generated with SARIMAX or ADIDA at horizon $h=7$ and weekly seasonality $m=7$, and errors are computed under WFCV to enforce temporal causality.

Analyses cover 15 August 2024 to 15 August 2025 with series length $T=365$. Aggregate error for ${\mathbf{v}}_{k+h}$ is MAPE 12.0%, RMSE 6.8 events/day, and MAE 4.9 events/day. Model orders are selected by grid search using AIC and BIC on the training portion of each WFCV split.

The RAG module is evaluated on $\mathrm{\Pi }=73$ contextual queries sampled from the test portion of the final five WFCV splits, stratified so that each of the fourteen tactics contributes five or six queries depending on event availability; sparse tactics contribute fewer queries. Let $\pi \in \{1,\dots ,\mathrm{\Pi }\}$ index these queries; each $\pi$ corresponds to a unique tactic–origin pair. Let ${\mathcal{M}}_{k+h}^{\left(f\right)}\left(\pi \right)$ denote the ground-truth mitigation set for query $\pi$, and let ${\mathrm{SRO}}_{k+h}^{\left(f\right)}\left(\pi \right)$ (Structured Recommendation Output) denote the mitigation set retrieved by the RAG module for the same query. Two metrics are used: Exact Match requires $\mathrm{SRO}=\mathcal{M}$ as sets, while Coverage allows partial retrieval, $\mathrm{ExactMatch}=\frac{1}{\mathrm{\Pi }}{\sum }_{\pi =1}^{\mathrm{\Pi }}\mathbf{1}\left({\mathrm{SRO}}_{k+h}^{\left(f\right)}\left(\pi \right)={\mathcal{M}}_{k+h}^{\left(f\right)}\left(\pi \right)\right)$, $\mathrm{Coverage}=\frac{1}{\mathrm{\Pi }}{\sum }_{\pi =1}^{\mathrm{\Pi }}\frac{|{\mathrm{SRO}}_{k+h}^{\left(f\right)}\left(\pi \right)\cap {\mathcal{M}}_{k+h}^{\left(f\right)}\left(\pi \right)|}{max\left(1,\left|{\mathcal{M}}_{k+h}^{\left(f\right)}\left(\pi \right)\right|\right)}$. When $\left|{\mathcal{M}}_{k+h}^{\left(f\right)}\left(\pi \right)\right|=0$ the Coverage term is set to zero to avoid undefined division.

Table 1. Forecasting errors, selected estimators, and RAG retrieval metrics by tactic.

Tactic	RMSE	MAE	MAPE (%)	Selected Estimator	Exact Match (%)	Coverage (%)
Initial Access	0.82	0.63	7.9	ADIDA $g=7$	83.2	90.5
Execution	2.35	1.91	14.8	SARIMAX $(2,1,1){(0,1,1)}_7$	85.1	92.0
Persistence	1.12	0.88	6.3	SARIMAX $(1,1,0){(0,1,1)}_7$	84.7	91.8
Privilege Escalation	3.46	2.74	19.2	SARIMAX $(1,1,2){(1,0,1)}_7$	82.9	90.7
Defense Evasion	2.08	1.54	12.4	SARIMAX $(0,1,1){(0,1,1)}_7$	83.5	91.1
Credential Access	1.27	0.94	8.6	SARIMAX $(1,1,1){(0,1,1)}_7$	84.0	91.6
Discovery	1.69	1.33	9.2	SARIMAX $(2,1,0){(0,1,1)}_7$	83.8	91.0
Lateral Movement	2.97	2.21	17.5	ADIDA $g=14$	82.4	90.2
Collection	1.44	1.01	10.3	SARIMAX $(1,1,1){(0,1,1)}_7$	84.3	91.7
Command and Control	3.88	3.12	21.7	SARIMAX $(1,1,2){(1,0,1)}_7$	82.7	90.8
Exfiltration	2.54	1.97	15.2	SARIMAX $(0,1,1){(0,1,1)}_7$	83.6	91.2
Impact	2.15	1.62	13.1	SARIMAX $(1,1,1){(0,1,1)}_7$	84.9	91.9
Resource Development	0.96	0.72	6.8	ADIDA $g=7$	83.0	90.9
Reconnaissance	0.73	0.55	5.4	ADIDA $g=7$	85.4	92.1
Average	–	–	–	–	84.5	91.3
Standard deviation	–	–	–	–	±0.9	±0.6

reports, for each ATT&CK tactic, the forecasting errors, the selected estimator, and the retrieval metrics.

Figure 2 presents the evolution of the aggregated risk vector ${\mathbf{v}}_{k+h}$ during the last 60 days. The forecasts remain within the 95% prediction interval across the evaluated horizon.

Studies of the state-of-the-art report errors between 18 and 30% in restricted contexts, such as single intrusion detection datasets [18], monthly vulnerability series [19], or quarterly incident aggregates [20]. In contrast, the present framework consolidates seven heterogeneous feeds [4,5,6,7,8,9,10] into the aggregated risk vector ${\mathbf{v}}_{k+h}$, reducing the overall error to 12.0%, with RMSE 6.8 and MAE 4.9 events/day. Mitigation retrieval attains 84.5% Exact Match and 91.3% Coverage. Five tactics—Command and Control, Execution, Initial Access, Credential Access, and Impact—account for 72% of total forecast variance computed as the sum of squared residuals across the test windows. Compared with univariate or short-horizon models, this integration provides both predictive accuracy and normative traceability, turning forecasts into actionable tactical intelligence.

4. Conclusions

This study established an end-to-end workflow for tactical cyber-threat forecasting and the linkage of results to standards-based mitigation measures. The framework integrates the canonical representation of seven public threat intelligence sources, the generation of exogenous covariates, and the combined use of SARIMAX and ADIDA models under WFCV validation. The aggregated fourteen-dimensional risk vector aligned with the MITRE ATT&CK taxonomy achieved a mean absolute percentage error of 12.0%, an RMSE of 6.8 events/day, and an MAE of 4.9 events/day. Mitigation retrieval through the RAG module reached 84.5% Exact Match and 91.3% Coverage, confirming predictive capacity and normative traceability in the generation of actionable tactical intelligence. Several aspects remain open for further development, including the extension of the evaluation to multi-year datasets to assess temporal stability, the potential sensitivity to interruptions or schema variations in public CTI feeds that automated validation only partially mitigates, and the comparison with baseline variants such as SARIMAX without exogenous variables or RAG retrieval. Future work will also explore advanced temporal models based on Long Short-Term Memory (LSTM) networks and attention-based architectures such as Transformers and large language models to enhance generalization and robustness of the proposed framework.