Next-gen threat intelligence: New GPT framework delivers scalable, explainable cyber risk monitoring
The study targets industrial cyber–physical systems, including energy grids, manufacturing platforms, and transportation networks, which face growing exposure to ransomware, phishing, and nation-state-level attacks. These environments produce massive volumes of event data, which traditional cybersecurity tools struggle to process in real time.

A newly published study titled “A GPT-Based Approach for Cyber Threat Assessment” in the journal AI (Vol. 6, Article 99, May 2025) introduces a breakthrough framework that uses Generative Pretrained Transformer (GPT) models to enhance cyber threat detection and analysis. Developed by Fahim Sufi at the COEUS Institute, the system integrates large-scale natural language processing with anomaly detection, clustering, regression analysis, and knowledge graph generation to monitor and interpret cyber threats in industrial cyber–physical systems (ICPSs).
Drawing on 9018 cyber-related events reported by 44 global news outlets between September 2023 and November 2024, the model achieved a precision of 0.999, recall of 0.998, and an F1-score of 0.998. Those figures measure how accurately the pipeline categorizes reported events into its label set; they are not detection rates against live ICPS telemetry. Unlike traditional keyword-based cybersecurity tools, the system uses GPT-3.5 Turbo to semantically classify and categorize real-world threats, extract industry and attack-type metadata, and quantify event significance using geopolitical criteria. The structured insights are visualized through knowledge graphs and time-series analytics, enabling organizations to address threats as they emerge rather than after the fact.
What technologies and data power the detection framework?
The architecture consists of five modular layers. The first is a data ingestion module that pulls real-time cyber news from verified sources through APIs and RSS feeds. The second layer processes this unstructured text with GPT, extracting features such as attack type, industry, location, and severity. The third, analytical layer applies clustering algorithms, regression models, and CNN-based anomaly detection. The fourth is a knowledge graph engine, and the fifth is a visualization layer built on Microsoft Power BI that presents the results to analysts.
A knowledge graph engine connects affected industries to attack types, weighting the severity of each node using geopolitically informed significance scores. For example, attacks on nations like Iran and Ukraine were shown to significantly elevate threat severity due to geopolitical implications. Regression analysis revealed that events affecting critical infrastructure, government, and healthcare were more significant, especially when associated with advanced persistent threats (APTs), zero-day exploits, or ransomware attacks.
The clustering module identified five distinct event segments with shared features, such as APTs and multinational targeting. Events involving multiple sectors and countries ranked highest in significance, revealing patterns in coordinated cyber campaigns. The anomaly detection layer used spectral residual transformation and convolutional neural networks to isolate six significant surges in cyber activity, including a spike on July 19, 2024, when cyber incidents reached nearly five times the baseline average.
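The surge detection described above, as an added example that is not code from the study or the article: a stdlib-only Python implementation of the spectral residual transform applied to a constructed series of daily event counts (a flat baseline of 20 events per day with one day, index 40, at 100 events, five times the baseline). The CNN classifier that the study trains on top of the saliency map is not reproduced; in its place the block uses the simpler thresholding rule from the original spectral residual paper, flagging a day whose saliency exceeds tau times the mean saliency of the preceding days. The naive DFT, the filter width q = 3, the 21-day scoring window and tau = 3 are choices made for this example, not values taken from the study.

```python
import cmath
import math

# Constructed sample: 64 days of daily event counts from a hypothetical news feed.
# Flat baseline of 20 events/day; day 40 carries 100 events (five times baseline),
# mirroring the kind of surge the article describes.
DAILY_COUNTS = [20.0] * 64
DAILY_COUNTS[40] = 100.0


def dft(x):
    """Naive O(n^2) discrete Fourier transform; stdlib only, fine for short series."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def idft(spectrum):
    """Inverse of dft()."""
    n = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]


def causal_mean(values, width):
    """Mean of each value together with the up-to-(width-1) values before it."""
    out = []
    for i in range(len(values)):
        start = max(0, i - width + 1)
        out.append(sum(values[start:i + 1]) / (i + 1 - start))
    return out


def saliency_map(series, q=3, eps=1e-8):
    """Spectral residual saliency map (Hou & Zhang 2007; Ren et al. 2019).

    1. Transform the series and split it into log-amplitude and phase.
    2. Residual = log-amplitude minus its local average, i.e. what is left
       after removing the "expected" (smooth) part of the spectrum.
    3. Inverse-transform exp(residual) * exp(i*phase) and take the magnitude.
    Abrupt changes survive this; the smooth background is suppressed.
    """
    spectrum = dft(series)
    log_amp = [math.log(abs(c) + eps) for c in spectrum]   # eps guards log(0)
    phase = [cmath.phase(c) for c in spectrum]
    residual = [la - m for la, m in zip(log_amp, causal_mean(log_amp, q))]
    filtered = [cmath.exp(r + 1j * p) for r, p in zip(residual, phase)]
    return [abs(v) for v in idft(filtered)]


def detect_surges(series, window=21, tau=3.0, eps=1e-8):
    """Flag day i when its saliency exceeds tau times the mean saliency of the
    preceding `window` days (the threshold rule from the SR paper, used here in
    place of the study's CNN stage)."""
    sal = saliency_map(series)
    flagged = []
    for i in range(1, len(sal)):
        prev = sal[max(0, i - window):i]
        baseline = sum(prev) / len(prev)
        score = (sal[i] - baseline) / (baseline + eps)
        if score > tau:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    sal = saliency_map(DAILY_COUNTS)
    print("peak saliency on day", max(range(len(sal)), key=sal.__getitem__))
    print("surges flagged on days", detect_surges(DAILY_COUNTS))
```

The saliency map is what makes the method cheap to run on a stream: one transform per window, no model training, and the CNN in the study only has to decide whether a saliency peak is a real surge. Note the edge case the eps term covers: a perfectly flat window has a zero spectrum off DC, and without the guard the log-amplitude step fails.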
Why this framework matters for industrial cyber–physical systems
By leveraging GPT models, the proposed system bridges the gap between unstructured text analysis and structured threat intelligence. Its high accuracy enables security teams to identify which sectors are under attack, by what means, and how severely—all within a unified dashboard powered by Microsoft Power BI. The structured database generated from raw cyber news enables real-time monitoring, historical trend analysis, and predictive insights into emerging threats.
Moreover, the framework integrates schema-constrained prompt engineering into its GPT-based classification pipeline: the prompt fixes the output format and the permitted label set, so the model cannot return categories that do not exist in the schema. That removes one common failure mode of generative models, hallucinated labels, although the model can still assign a wrong label from within the set, so validation of its output remains necessary. Its cosine similarity-based querying, supported by Approximate Nearest Neighbors (ANN) search, further provides fast, scalable retrieval of relevant events for real-time threat response.
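One way to implement the schema-constrained classification step, together with the industry-to-attack-type edges the knowledge graph engine builds from the resulting rows, as an added example that is neither the study's released schema nor its code: the label sets, prompt wording, field names, severity-based edge weights and the five sample model replies below are all constructed for illustration, and no API call is made. The point is the validation: a reply that uses a label outside the fixed sets is rejected and routed to review instead of being coerced into the database.

```python
import json
from collections import defaultdict

# Constructed label sets for this example; the study's own schema is published
# on GitHub and is not reproduced here.
ATTACK_TYPES = {"ransomware", "phishing", "apt", "zero_day", "ddos", "data_breach", "other"}
INDUSTRIES = {"energy", "manufacturing", "transportation", "government",
              "healthcare", "finance", "other"}
FIELDS = {"attack_type", "industry", "country", "severity"}


def build_prompt(article_text):
    """Prompt that pins the model to the schema: exact keys, closed label sets, JSON only."""
    return (
        "Extract cyber threat metadata from the news text below. Reply with one JSON "
        "object and nothing else, using exactly these keys:\n"
        f'  "attack_type": one of {sorted(ATTACK_TYPES)}\n'
        f'  "industry": one of {sorted(INDUSTRIES)}\n'
        '  "country": ISO 3166-1 alpha-2 code of the main affected country, or "unknown"\n'
        '  "severity": integer from 1 (minor) to 5 (critical)\n'
        'Use "other" or "unknown" when the text does not support a value; never invent one.\n\n'
        f"Text: {article_text}"
    )


class SchemaViolation(ValueError):
    """Raised for any reply that does not match the schema exactly."""


def _strip_fence(text):
    """Chat models often wrap JSON in a ```json fence; remove it, change nothing else."""
    text = text.strip()
    lines = text.splitlines()
    if len(lines) >= 3 and lines[0].startswith("```") and lines[-1].strip() == "```":
        return "\n".join(lines[1:-1])
    return text


def parse_classification(raw):
    """Validate one model reply. Reject rather than coerce: a label outside the
    fixed sets is exactly the hallucinated category the schema is meant to keep out."""
    try:
        obj = json.loads(_strip_fence(raw))
    except json.JSONDecodeError as exc:
        raise SchemaViolation(f"reply is not JSON: {exc}")
    if not isinstance(obj, dict) or set(obj) != FIELDS:
        raise SchemaViolation(f"keys must be exactly {sorted(FIELDS)}")
    if obj["attack_type"] not in ATTACK_TYPES:
        raise SchemaViolation(f"attack_type {obj['attack_type']!r} is not in the label set")
    if obj["industry"] not in INDUSTRIES:
        raise SchemaViolation(f"industry {obj['industry']!r} is not in the label set")
    country = obj["country"]
    if country != "unknown" and not (isinstance(country, str) and len(country) == 2
                                     and country.isalpha() and country.isupper()):
        raise SchemaViolation(f"country {country!r} is not an alpha-2 code")
    sev = obj["severity"]
    if isinstance(sev, bool) or not isinstance(sev, int) or not 1 <= sev <= 5:
        raise SchemaViolation(f"severity {sev!r} is not an integer in 1..5")
    return obj


def classify_batch(replies):
    """Split replies into accepted rows (for the database) and rejected
    (index, reason) pairs (for human review). Nothing is silently fixed up."""
    accepted, rejected = [], []
    for i, raw in enumerate(replies):
        try:
            accepted.append(parse_classification(raw))
        except SchemaViolation as exc:
            rejected.append((i, str(exc)))
    return accepted, rejected


def industry_attack_edges(rows):
    """Industry -> attack-type edges for a knowledge graph, weighted by summed severity.
    (The study weights with geopolitical significance scores; severity stands in here.)"""
    weights = defaultdict(int)
    for row in rows:
        weights[(row["industry"], row["attack_type"])] += row["severity"]
    return dict(weights)


# Constructed model replies, standing in for GPT-3.5 Turbo output on five news items.
SAMPLE_REPLIES = [
    '{"attack_type": "ransomware", "industry": "healthcare", "country": "US", "severity": 4}',
    '{"attack_type": "supply-chain compromise", "industry": "manufacturing", '
    '"country": "DE", "severity": 3}',                       # label not in the schema
    '```json\n{"attack_type": "apt", "industry": "energy", "country": "UA", "severity": 5}\n```',
    '{"attack_type": "phishing", "industry": "finance", "country": "GB", "severity": "high"}',
    "The article describes a DDoS attack on a transport operator.",   # prose, not JSON
]

if __name__ == "__main__":
    rows, problems = classify_batch(SAMPLE_REPLIES)
    print("accepted:", rows)
    print("rejected:", problems)
    print("edges:", industry_attack_edges(rows))
```

Two of the five replies reach the graph; the invented "supply-chain compromise" label, the non-integer severity and the prose answer are all held back with a reason attached. Re-prompting the model for the rejected items, with the violation message included, is the usual next step, and the rejection rate itself is a useful health metric for the pipeline.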
Toward scalable, explainable, and proactive cybersecurity
The system also addresses the long-standing challenge of explainability in AI-based threat intelligence. Through SHAP- and LIME-supported visual analytics in Power BI, users can trace how conclusions were reached, whether via frequency-based correlations in the knowledge graph or temporal patterns detected by CNNs. This transparency is critical for risk analysts and incident response teams tasked with communicating threat intelligence to business stakeholders.
With open-source availability of the structured dataset and GPT classification schema via GitHub, the system supports replication, validation, and adaptation across sectors. It demonstrates the viability of using advanced language models in cybersecurity beyond academic testing—offering a real-world deployment scenario at scale.
First published in: Devdiscourse