GraphRAG over MITRE ATT&CK, NIST CSF, and CIS Controls security knowledge.
SecRAG builds a knowledge graph from structured security frameworks and uses graph-enhanced retrieval augmented generation (GraphRAG) to answer security questions with cross-framework context that standard RAG misses.
```
                  +------------------+
                  |   Natural Lang   |
                  |      Query       |
                  +--------+---------+
                           |
                  +--------v---------+
                  |   Query Engine   |
                  | (hybrid search)  |
                  +---+----------+---+
                      |          |
        +-------------+          +----------+
        |                                   |
+-------v--------+                  +-------v--------+
|  Graph Search  |                  | Vector Search  |
|  (BFS expand)  |                  |  (TF-IDF sim)  |
+-------+--------+                  +-------+--------+
        |                                   |
+-------v--------+                  +-------v--------+
|   Knowledge    |                  |  Vector Store  |
|     Graph      |                  |  (TF-IDF idx)  |
|   (NetworkX)   |                  |    (numpy)     |
+-------+--------+                  +----------------+
        |
        +-----------------+-----------------+
        |                 |                 |
+-------v------+  +-------v------+  +-------v------+
| MITRE ATT&CK |  |   NIST CSF   |  | CIS Controls |
| 50+ techs    |  | 6 functions  |  | 18 controls  |
| 14 tactics   |  | 19 subcats   |  | cross-mapped |
| 31 mitigns   |  |              |  |              |
+--------------+  +--------------+  +--------------+
```
Entities: technique, tactic, mitigation, control, framework, subcategory
Edges: uses_tactic, mitigated_by, maps_to, part_of, implements, addresses
Standard RAG embeds documents and retrieves by vector similarity. This misses structural relationships between security concepts. SecRAG adds a knowledge graph layer:
- Query expansion: "ransomware defense" maps to ATT&CK technique T1486 (Data Encrypted for Impact)
- Graph traversal: T1486 links to tactic TA0040 (Impact), mitigations M1053 (Data Backup), M1040 (Behavior Prevention)
- Cross-framework hop: M1053 maps to CIS-11 (Data Recovery) and NIST-RC (Recover function)
- Score fusion: Graph distance scores + TF-IDF similarity scores are combined with configurable weights
The result: a single query surfaces techniques, mitigations, and controls across three frameworks that would require separate searches in standard RAG.
```bash
pip install .
```
For development:
```bash
pip install -e ".[dev]"
```
```bash
# Build and display knowledge graph statistics
secrag build
# Query with natural language (default: hybrid search)
secrag query "How do I defend against lateral movement?"
# Use a specific search method
secrag query "What NIST controls apply to data exfiltration?" --method graph
secrag query "ransomware mitigations" --method vector
# Compare all three methods on the same query
secrag compare "How do I defend against phishing?"
# Show graph statistics
secrag graph
```
```python
from secrag.engine import SecRAGEngine

engine = SecRAGEngine()
engine.build()
# Hybrid search (recommended)
results = engine.query("How do I defend against credential theft?")
for r in results.top(5):
    print(f"[{r.entity.entity_id}] {r.entity.name} (score: {r.score:.3f})")
    print(f"  {r.entity.description[:100]}")
# Compare methods
comparison = engine.compare("ransomware defense")
for method, results in comparison.items():
    print(f"\n{method}: {results.count} results")
```
```bash
# Build
docker compose build
# Run a query
docker compose run query-engine query "phishing defense"
# Show graph stats
docker compose run graph-store
# Build and verify
docker compose run api
```
SecRAG ships with structured data from three major security frameworks:
| Framework | Entities | Description |
|---|---|---|
| MITRE ATT&CK | 53 techniques, 14 tactics, 31 mitigations | Adversary tactics, techniques, and mitigations |
| NIST CSF 2.0 | 6 functions, 19 subcategories | Cybersecurity risk management framework |
| CIS Controls v8 | 18 controls | Prioritized security best practices |
Cross-framework mappings link ATT&CK mitigations to CIS Controls and NIST CSF functions, enabling queries that traverse framework boundaries.
| Method | How it works | Best for |
|---|---|---|
| `graph` | BFS expansion from matched entities through the knowledge graph | Finding related concepts across frameworks |
| `vector` | TF-IDF cosine similarity over entity text | Keyword-heavy queries, baseline comparison |
| `hybrid` | Weighted fusion of graph + vector scores with overlap bonus | General use (recommended default) |
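As an added example (not SecRAG's own code), a stdlib-only sketch of the three methods in the table above and of the T1486 walk in the overview: BFS expansion from token-matched entities, TF-IDF cosine over entity text, and weighted fusion with an overlap bonus. The entity texts, edges, weights and the 1/(1+hops) decay are assumptions made for the example; they show why the graph path surfaces CIS-11 and NIST-RC for a ransomware query while pure vector search scores them zero.

```python
import math
import re
from collections import deque
ENTITIES = {  # constructed: ids from the overview above, texts made up for this example
    "T1486": "Data Encrypted for Impact: adversaries encrypt data, ransomware",
    "TA0040": "Impact: tactic covering disruption of availability or integrity",
    "M1053": "Data Backup: maintain backups to recover from ransomware",
    "CIS-11": "Data Recovery: restore in-scope assets from backups",
    "NIST-RC": "Recover: restore capabilities impaired by an incident",
}
EDGES = [("T1486", "TA0040"), ("T1486", "M1053"), ("M1053", "CIS-11"), ("M1053", "NIST-RC")]
ADJ = {e: {b if a == e else a for a, b in EDGES if e in (a, b)} for e in ENTITIES}  # undirected

def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def graph_search(query, max_depth=2):
    """BFS from entities that share a token with the query; score decays as 1 / (1 + hops)."""
    q = set(tokens(query))
    frontier = deque((e, 0) for e, t in ENTITIES.items() if q & set(tokens(t)))
    scores = {}
    while frontier:
        node, d = frontier.popleft()
        if node not in scores and d <= max_depth:
            scores[node] = 1.0 / (1 + d)
            frontier.extend((n, d + 1) for n in ADJ[node])
    return scores

def vector_search(query):
    """TF-IDF cosine similarity between the query and each entity's text (no graph hop)."""
    docs = {e: tokens(t) for e, t in ENTITIES.items()}
    idf = {w: math.log(len(docs) / sum(w in d for d in docs.values()))
           for w in set().union(*docs.values())}
    def vec(words):  # term count times idf; query terms outside the vocabulary are dropped
        return {w: words.count(w) * idf[w] for w in set(words) if w in idf}
    qv, scores = vec(tokens(query)), {}
    for e, d in docs.items():
        dv = vec(d)
        dot = sum(qv[w] * dv[w] for w in qv if w in dv)
        norm = math.sqrt(sum(x * x for x in qv.values()) * sum(x * x for x in dv.values()))
        scores[e] = dot / norm if norm else 0.0
    return scores

def hybrid_search(query, w_graph=0.6, w_vector=0.4, overlap_bonus=0.2):
    """Weighted score fusion; entities surfaced by both methods also get the overlap bonus."""
    g, v = graph_search(query), vector_search(query)
    fused = {e: w_graph * g.get(e, 0.0) + w_vector * v.get(e, 0.0)
             + (overlap_bonus if e in g and v.get(e, 0.0) > 0 else 0.0)
             for e in set(g) | set(v)}
    return dict(sorted(fused.items(), key=lambda kv: -kv[1]))
```

Running `hybrid_search("ransomware defense")` ranks T1486 and M1053 first (hit by both methods, so they collect the bonus), and CIS-11 and NIST-RC appear only because of the graph hop through M1053.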
```bash
# Install dev dependencies
pip install -e ".[dev]"
# Run tests
pytest -v
# Lint
ruff check src/ tests/
# Format
ruff format src/ tests/
```
MIT License. Copyright (c) 2026 Corey Wade.