During the report-gathering phase, we collected attack reports from multiple sources to build a comprehensive dataset. Guided by previous studies, we developed web crawlers to gather reports from the platforms shown below:
To ensure the relevance and quality of the collected reports, we rigorously filtered them against the predefined criteria in Table I. This process involved collaboration among four authors (with 2–3 years of attack detection experience) and two industry experts (with 7–8 years of experience in router and endpoint security). After manual review, the final dataset comprised 260 APT reports and 7,098 attack cases spanning 268 MITRE ATT&CK techniques.