To address critical challenges in cybersecurity incident response—including alert fatigue, high false-positive rates, and inefficient utilization of unstructured cyber threat intelligence (CTI)—this paper proposes an intelligent analysis framework integrating large language models (LLMs) with retrieval-augmented generation (RAG). The method introduces a hybrid retrieval mechanism combining NLP-based semantic similarity search with standardized queries to external CTI platforms, enabling context-aware CTI enrichment. It further incorporates a two-tier expert cross-validation evaluation paradigm and integrates vector databases with multi-source CTI platforms to support semantic alert understanding and dynamic intelligence correlation. Experimental evaluation on both real-world and synthetic alert datasets demonstrates significant improvements: average response accuracy and contextual adaptability increase markedly, while mean response latency decreases by 37.2%. The framework delivers explainable, verifiable, and automated decision support for security operations centers.

Effective incident response (IR) is critical for mitigating cyber threats, yet security teams are overwhelmed by alert fatigue, high false-positive rates, and the vast volume of unstructured Cyber Threat Intelligence (CTI) documents. While CTI holds immense potential for enriching security operations, its extensive and fragmented nature makes manual analysis time-consuming and resource-intensive. To bridge this gap, we introduce a novel Retrieval-Augmented Generation (RAG)-based framework that leverages Large Language Models (LLMs) to automate and enhance IR by integrating dynamically retrieved CTI. Our approach introduces a hybrid retrieval mechanism that combines NLP-based similarity searches within a CTI vector database with standardized queries to external CTI platforms, facilitating context-aware enrichment of security alerts. The augmented intelligence is then leveraged by an LLM-powered response generation module, which formulates precise, actionable, and contextually relevant incident mitigation strategies. We propose a dual evaluation paradigm, wherein automated assessment using an auxiliary LLM is systematically cross-validated by cybersecurity experts. Empirical validation on real-world and simulated alerts demonstrates that our approach enhances the accuracy, contextualization, and efficiency of IR, alleviating analyst workload and reducing response latency. This work underscores the potential of LLM-driven CTI fusion in advancing autonomous security operations and establishing a foundation for intelligent, adaptive cybersecurity frameworks.