How to use Shomi28/cyber-threat-analyst-llm with PEFT:
```python
from peft import PeftModel
from transformers import AutoModelForCausalLM

base_model = AutoModelForCausalLM.from_pretrained("TinyLlama/TinyLlama-1.1B-Chat-v1.0")
model = PeftModel.from_pretrained(base_model, "Shomi28/cyber-threat-analyst-llm")
```
Cyber Threat Analyst LLM
A fine-tuned language model specialized in cybersecurity vulnerability analysis, MITRE ATT&CK mapping, risk assessment, and threat intelligence triage.
Author: Soham Dahivalkar
Base Model: microsoft/Phi-3-mini-4k-instruct
Method: QLoRA (4-bit quantized LoRA fine-tuning)
Dataset: soham-dahivalkar/cyber-threat-intelligence
License: MIT
Model Description
This model is a domain-specific fine-tune of Microsoft's Phi-3-mini-4k-instruct, trained on a curated cybersecurity dataset containing:
- 5,000+ CVE vulnerability records from NVD (National Vulnerability Database)
- 700+ MITRE ATT&CK techniques with descriptions and detection methods
- 15,000+ instruction-response pairs covering vulnerability analysis, risk scoring, remediation, and MITRE mapping
The model excels at tasks that cybersecurity analysts perform daily:
| Task | What It Does |
|---|---|
| CVE Analysis | Provides detailed vulnerability assessments with severity, impact, and context |
| Risk Scoring | Evaluates risk level based on CVSS metrics, exploit availability, and KEV status |
| Remediation Advice | Recommends specific patching and mitigation actions |
| MITRE ATT&CK Mapping | Maps vulnerabilities to ATT&CK tactics and techniques |
| Triage Decisions | Prioritizes vulnerabilities for SOC team response |
| Technique Explanation | Explains ATT&CK techniques and their detection methods |
Usage
Quick Start
```python
from peft import AutoPeftModelForCausalLM
from transformers import AutoTokenizer
import torch

# Load the adapter; PEFT loads the base model named in the adapter's config.
# Note: trust_remote_code=True runs Python code shipped in the model repository.
model = AutoPeftModelForCausalLM.from_pretrained(
    "soham-dahivalkar/cyber-threat-analyst-llm",
    torch_dtype=torch.float16,
    device_map="auto",
    trust_remote_code=True,
)
tokenizer = AutoTokenizer.from_pretrained(
    "soham-dahivalkar/cyber-threat-analyst-llm",
    trust_remote_code=True,
)

# Analyze a CVE (Phi-3 chat format: <|user|> ... <|end|> <|assistant|>)
prompt = """<|user|>
Analyze the following CVE and provide a detailed security assessment.
CVE-2024-3400: A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.<|end|>
<|assistant|>
"""
inputs = tokenizer(prompt, return_tensors="pt").to(model.device)

# Generate without tracking gradients (inference only)
with torch.no_grad():
    outputs = model.generate(
        **inputs,
        max_new_tokens=512,
        do_sample=True,
        temperature=0.7,
        top_p=0.9,
    )

# The decoded text contains the prompt followed by the model's answer
response = tokenizer.decode(outputs[0], skip_special_tokens=True)
print(response)
```
Using with Transformers Pipeline
```python
from transformers import pipeline

analyst = pipeline(
    "text-generation",
    model="soham-dahivalkar/cyber-threat-analyst-llm",
    torch_dtype="auto",
    device_map="auto",
    trust_remote_code=True,
)
result = analyst(
    "Analyze CVE-2024-21762: FortiOS SSL VPN remote code execution vulnerability.",
    max_new_tokens=512,
    do_sample=True,
    temperature=0.7,
)
print(result[0]["generated_text"])
```
Training Details
Training Data
Trained on the soham-dahivalkar/cyber-threat-intelligence dataset containing:
| Data | Count |
|---|---|
| CVE Records | ~5,000 |
| MITRE ATT&CK Techniques | ~700 |
| Instruction-Tuning Pairs (Train) | ~15,000 |
| Instruction-Tuning Pairs (Eval) | ~1,500 |
Training Configuration
| Parameter | Value |
|---|---|
| Base Model | microsoft/Phi-3-mini-4k-instruct (3.8B) |
| Fine-Tuning Method | QLoRA (4-bit NF4 quantization) |
| LoRA Rank (r) | 16 |
| LoRA Alpha | 32 |
| LoRA Dropout | 0.05 |
| Target Modules | q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj |
| Epochs | 3 |
| Batch Size | 2 (effective: 16 with gradient accumulation) |
| Learning Rate | 2e-4 |
| Optimizer | Paged AdamW 8-bit |
| LR Scheduler | Cosine |
| Max Sequence Length | 1024 |
| Precision | FP16 |
| Hardware | NVIDIA T4 (16GB) |
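The auto-generated PEFT snippet on this page loads TinyLlama/TinyLlama-1.1B-Chat-v1.0 as the base model, while the card names microsoft/Phi-3-mini-4k-instruct, so it is worth comparing the adapter's `adapter_config.json` with the card's stated values before loading any weights. The check below is an added example, not the author's code; `check_adapter_config` is a hypothetical helper and both JSON documents are constructed samples, not the repository's real file.

```python
import json

# What the card states (Base Model line and Training Configuration table).
CARD_CLAIMS = {
    "base_model_name_or_path": "microsoft/Phi-3-mini-4k-instruct",
    "peft_type": "LORA",
    "r": 16,
    "lora_alpha": 32,
    "target_modules": {"q_proj", "k_proj", "v_proj", "o_proj",
                       "gate_proj", "up_proj", "down_proj"},
}

# Constructed sample files, not the repository's real adapter_config.json.
_common = {"peft_type": "LORA", "r": 16, "lora_alpha": 32,
           "target_modules": ["q_proj", "k_proj", "v_proj", "o_proj",
                              "gate_proj", "up_proj", "down_proj"]}
SAMPLE_MATCHING = json.dumps(
    dict(_common, base_model_name_or_path="microsoft/Phi-3-mini-4k-instruct"))
SAMPLE_OTHER_BASE = json.dumps(
    dict(_common, base_model_name_or_path="TinyLlama/TinyLlama-1.1B-Chat-v1.0"))


def check_adapter_config(raw_json, claims=CARD_CLAIMS):
    """Compare an adapter_config.json document with the card's claims.

    Returns {field: (claimed, found)} for every field that differs.
    """
    cfg = json.loads(raw_json)
    mismatches = {}
    for field, claimed in claims.items():
        found = cfg.get(field)
        # target_modules is usually a list; compare it order-independently.
        if isinstance(claimed, set) and isinstance(found, list):
            found = set(found)
        if found != claimed:
            mismatches[field] = (claimed, found)
    return mismatches


if __name__ == "__main__":
    for name, raw in [("matching", SAMPLE_MATCHING), ("other base", SAMPLE_OTHER_BASE)]:
        print(name, check_adapter_config(raw) or "consistent with the card")
```

A non-empty result means the adapter was trained against something other than what the card describes, and the download should be reviewed before the model is used.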
Trainable Parameters
| Metric | Value |
|---|---|
| Total Parameters | ~3.8B |
| Trainable Parameters | ~26M (LoRA) |
| Trainable % | ~0.7% |
| Adapter Size | ~50 MB |
Evaluation
The model was evaluated on a held-out test set (10% of instruction data):
| Metric | Value |
|---|---|
| Eval Loss | See training logs |
| Response Relevancy | High - responses directly address CVE context |
| Format Compliance | Follows structured security assessment format |
| Technical Accuracy | Grounded in CVSS metrics and MITRE framework |
Example Outputs
Example 1: CVE Analysis
Input: CVE-2024-3400: Command injection in Palo Alto GlobalProtect...
Output:
**CVE-2024-3400 - Security Assessment**
**Severity:** CRITICAL (CVSS 10.0/10)
**Risk Score:** 98/100 (CRITICAL)
**Attack Type:** OS Command Injection
...
Example 2: MITRE Mapping
Input: T1190 - Exploit Public-Facing Application
Output:
**T1190: Exploit Public-Facing Application**
**Tactic(s):** Initial Access
**Platforms:** Linux, Windows, macOS, Network
...
Limitations
- This is a LoRA adapter - requires the base model (microsoft/Phi-3-mini-4k-instruct) to be loaded first
- Trained primarily on CVE data from 2020-2026; may not cover older vulnerabilities
- Risk scores use a custom formula and should be validated against organizational standards
- Not a replacement for professional security analysis - use as an assistive tool
- May generate plausible-sounding but incorrect details for CVEs not in the training data
Ethical Considerations
- This model is designed for defensive cybersecurity purposes only
- It should not be used to identify or exploit vulnerabilities for malicious purposes
- All training data comes from publicly available, authorized sources
- Users should verify model outputs against authoritative sources before acting
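One way to act on the verification advice above and on the limitation about plausible but incorrect details: parse the structured response and compare it with trusted data before anything downstream consumes it. This is an added example, not part of the model or the author's code; the reference table, the placeholder id `CVE-2099-00001` and the function names are constructed for illustration, and the severity bands are the CVSS v3.x qualitative scale.

```python
import re

# CVSS v3.x qualitative severity bands: (low, high, label).
BANDS = [(0.0, 0.0, "NONE"), (0.1, 3.9, "LOW"), (4.0, 6.9, "MEDIUM"),
         (7.0, 8.9, "HIGH"), (9.0, 10.0, "CRITICAL")]
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
SEV_RE = re.compile(r"\*\*Severity:\*\*\s*([A-Za-z]+)\s*\(CVSS\s+(\d+(?:\.\d)?)/10\)")

# Constructed reference data standing in for an authoritative feed (not live NVD data).
REFERENCE = {"CVE-2024-3400": {"cvss": 10.0}}

# Output in the format of Example 1 on this page.
SAMPLE_OK = ("**CVE-2024-3400 - Security Assessment**\n"
             "**Severity:** CRITICAL (CVSS 10.0/10)\n"
             "**Risk Score:** 98/100 (CRITICAL)\n")
# Constructed output with a placeholder CVE id and an inconsistent label.
SAMPLE_BAD = ("**CVE-2099-00001 - Security Assessment**\n"
              "**Severity:** HIGH (CVSS 9.8/10)\n")

def band_for(score):
    """Map a CVSS base score to its qualitative label, or None if out of range."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    return None

def parse_assessment(text):
    """Pull the CVE id, severity label and CVSS score out of a model response."""
    cve, sev = CVE_RE.search(text), SEV_RE.search(text)
    return {"cve": cve.group(0) if cve else None,
            "severity": sev.group(1).upper() if sev else None,
            "cvss": float(sev.group(2)) if sev else None}

def verify(text, reference=REFERENCE):
    """Return the discrepancies that should block automated action on a response."""
    out = parse_assessment(text)
    if out["cve"] is None or out["cvss"] is None:
        return ["unparseable output: route to manual review"]
    issues = []
    if band_for(out["cvss"]) != out["severity"]:
        issues.append(f"severity {out['severity']} does not match CVSS {out['cvss']}")
    record = reference.get(out["cve"])
    if record is None:
        issues.append(f"{out['cve']} not in reference data: details unverified")
    elif abs(record["cvss"] - out["cvss"]) > 0.05:
        issues.append(f"CVSS {out['cvss']} differs from reference {record['cvss']}")
    return issues
```

An empty list from `verify` only means the fields that were checked agree with the reference; free-text claims in the response still need an analyst's review.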
About the Author
Soham Dahivalkar - Generative AI Engineer with expertise in agentic AI, enterprise RAG, LLM security, and cybersecurity intelligence.
- Book: "Generative AI: High Stakes Cyber Security" (Amazon Kindle)
- Research: "AI in Security: ML Approach for Vulnerability Management" (ResearchGate)
- PyPI: ai-bridge-kit - Unified Python SDK for AI Providers
- Experience: Alembic Pharmaceuticals | CyberNX Technologies | TalaKunchi Networks
- LinkedIn: Soham Dahivalkar
- Email: sohamdahivalkar4@gmail.com
Citation
```bibtex
@model{dahivalkar2026cyberthreatllm,
  author = {Dahivalkar, Soham},
  title = {Cyber Threat Analyst LLM},
  year = {2026},
  publisher = {HuggingFace},
  base_model = {microsoft/Phi-3-mini-4k-instruct},
  url = {https://huggingface.co/soham-dahivalkar/cyber-threat-analyst-llm}
}
```