Job description
Context:
Network intrusion detection systems (NIDS) are software components that analyse network traffic and raise alerts when anomalous behaviour is detected. These systems increasingly rely on artificial intelligence to dynamically learn normal patterns in network traffic and identify abnormal behaviour.
A primary challenge in the deployment of AI-based NIDS is automating the correlation of disparate NIDS alerts and the characterisation of ongoing attacks. Large language models (LLMs) are strong candidates for these tasks due to their general ability to undertake network- and security-related tasks of varying complexity.
However, due to security and ownership concerns, relying on cloud-based LLM providers is often not viable. Consequently, on-premise small language models (SLMs) are frequently chosen as a replacement.
Scope of the internship:
This internship will focus on employing SLMs for correlating and characterising NIDS alerts. More specifically, the candidate is expected to investigate different approaches for using on-premise SLMs that ultimately make it possible to characterise attacks based on MITRE ATT&CK TTPs. Such approaches may make use of agentic workflows and/or information retrieval techniques such as retrieval-augmented generation (RAG).
Candidate profile