Hugging Face's logo

chrisbst48
/
MITRE_QWEN2.5_7b_Q4_K_M

Text Generation
Transformers
GGUF
English
French
cybersecurity
mitre-attack
threat-intelligence
cti
qlora
unsloth
qwen2.5
fine-tuned
conversational
Model card Files
xet
 Community
How to use from the
Use from the
llama-cpp-python library
# Gated model: Login with a HF token with gated access permission
hf auth login
# !pip install llama-cpp-python

from llama_cpp import Llama

llm = Llama.from_pretrained(
	repo_id="chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M",
	filename="mitre_qwen2.5_7b_Q4_K_M.gguf",
)

llm.create_chat_completion(
	messages = [
		{
			"role": "user",
			"content": "What is the capital of France?"
		}
	]
)

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

This model is designed for defensive cybersecurity research, threat intelligence analysis, and authorized security operations only. By accessing this model, you confirm that you will use it solely for lawful and defensive purposes, and not to facilitate unauthorized access, attacks, or any malicious activity.

Log in or Sign Up to review the conditions and access this model content.

Qwen2.5-7B โ€” MITRE ATT&CK CTI Specialist

A fine-tuned language model specialized in cyber threat intelligence, trained to identify and chain MITRE ATT&CK techniques from natural language attack scenario descriptions.

Model Overview

Base model unsloth/Qwen2.5-7B-Instruct
Method QLoRA 4-bit (r=16, alpha=16)
Languages English / French
Domain Cybersecurity โ€” CTI โ€” MITRE ATT&CK v15
Output format Structured JSON
Status Preview v1

Given a textual description of an attack scenario, this model produces a structured attack chain with MITRE ATT&CK technique IDs, names, descriptions, a confidence level, and underlying assumptions.

Usage

Prompt Format 

### Instruction
Analyze the following text and identify the MITRE ATT&CK techniques involved.
Generate a structured attack chain.

### Context
{your_scenario_here}

### Response

Recommended System Prompt 

You are an expert in offensive cybersecurity and cyber threat intelligence (CTI).
You analyze attack scenarios and identify MITRE ATT&CK techniques with precision,
including sub-techniques (e.g. T1059.003).
You ALWAYS respond in structured JSON with exactly these fields:
scenario_summary, attack_chain (list of technique_id, name, description),
confidence_level (high/medium/low), assumptions.

Example

Input:

An attacker sends a spearphishing email with an obfuscated VBA macro attachment.
The macro uses certutil.exe to decode a base64 payload and execute it.
The payload establishes an HTTPS beacon via Azure CDN domain fronting every 4 hours,
then dumps LSASS credentials using Mimikatz.

Output:

{
  "scenario_summary": "Spearphishing โ†’ certutil decode โ†’ domain fronting C2 โ†’ LSASS dump",
  "attack_chain": [
    {
      "technique_id": "T1566.001",
      "name": "Spearphishing Attachment",
      "description": "Malicious attachment delivered via targeted email."
    },
    {
      "technique_id": "T1140",
      "name": "Deobfuscate/Decode Files or Information",
      "description": "Base64 payload decoded using certutil.exe."
    },
    {
      "technique_id": "T1090.004",
      "name": "Domain Fronting",
      "description": "C2 traffic routed through Azure CDN to mask true destination."
    },
    {
      "technique_id": "T1071.001",
      "name": "Web Protocols",
      "description": "C2 communication over HTTPS."
    },
    {
      "technique_id": "T1003.001",
      "name": "LSASS Memory",
      "description": "Credential extraction from LSASS process memory using Mimikatz."
    }
  ],
  "confidence_level": "high",
  "assumptions": [
    "Macro enabled by user",
    "No outbound HTTPS filtering",
    "LSASS not protected by PPL"
  ]
}

Python 

from transformers import AutoTokenizer, AutoModelForCausalLM
import torch, json

model_id = "YOUR_USERNAME/mitre-attack-qwen2.5-7b"

tokenizer = AutoTokenizer.from_pretrained(model_id)
model = AutoModelForCausalLM.from_pretrained(
    model_id,
    torch_dtype=torch.bfloat16,
    device_map="auto",
)

SYSTEM = (
    "You are a CTI expert specialized in MITRE ATT&CK. "
    "Always respond in structured JSON with: "
    "scenario_summary, attack_chain (technique_id, name, description), "
    "confidence_level, assumptions."
)

scenario = """
An attacker exploits an SQL injection vulnerability on a public web application
to drop a PHP webshell. Via the webshell, they steal IAM credentials from the
EC2 metadata service and create a persistent IAM account to maintain access.
"""

prompt = f"""### Instruction
Analyze the following text and identify the MITRE ATT&CK techniques involved.

### Context
{scenario.strip()}

### Response
"""

messages = [
    {"role": "system", "content": SYSTEM},
    {"role": "user",   "content": prompt},
]

inputs = tokenizer.apply_chat_template(
    messages,
    tokenize=True,
    add_generation_prompt=True,
    return_tensors="pt",
).to(model.device)

outputs = model.generate(
    inputs,
    max_new_tokens=512,
    temperature=0.1,
    do_sample=True,
)

response = tokenizer.decode(outputs[0][inputs.shape[1]:], skip_special_tokens=True)
print(json.dumps(json.loads(response), indent=2))

llama.cpp / Ollama (GGUF Q4_K_M) 

# llama-server
./llama-server \
  -m mitre_qwen2.5_7b_Q4_K_M.gguf \
  --port 10001 \
  --host 0.0.0.0 \
  -ngl 99 \
  -c 8192 \
  --temp 0.1

# Ollama
ollama create mitre-cti -f Modelfile
ollama run mitre-cti

Training

Hyperparameters 

base_model:                   unsloth/Qwen2.5-7B-Instruct
method:                       QLoRA
quantization:                 4-bit (bitsandbytes)
lora_r:                       16
lora_alpha:                   16
lora_dropout:                 0
target_modules:               [q_proj, k_proj, v_proj, o_proj,
                               gate_proj, up_proj, down_proj]
gradient_checkpointing:       unsloth
per_device_train_batch_size:  2
gradient_accumulation_steps:  8
effective_batch_size:         16
num_train_epochs:             3
learning_rate:                2.0e-4
lr_scheduler_type:            cosine
warmup_ratio:                 0.05
optimizer:                    adamw_8bit
max_seq_length:               2048
bf16:                         true

Training Metrics

Metric Value
Training Loss (final) 0.2670
Training Loss (selected checkpoint) 0.2068
Eval Loss (minimum) ~2.75
Total steps 4272 (3 epochs)

Hardware Requirements

Format Size Min VRAM
GGUF Q4_K_M ~4.8 GB 8 GB

Ethical Use

This model is intended for defensive cybersecurity purposes only โ€” threat intelligence analysis, SOC operations, red team exercises within authorized engagements, and security research.

Any use of this model to facilitate unauthorized access, attacks, or malicious activities is strictly prohibited.

Citation 

@misc{mitre-attack-qwen2.5-7b-2026,
  title     = {Qwen2.5-7B MITRE ATT{&}CK CTI Specialist},
  author    = {Chris E.},
  year      = {2026},
  publisher = {Hugging Face},
  url       = {[https://huggingface.co/chrisbst48/mitre-attack-qwen2.5-7b](https://huggingface.co/chrisbst48/mitre-attack-qwen2.5-7b)}
}

---

License

Apache 2.0 โ€” inherited from the Qwen2.5 base model.

Downloads last month
12
GGUF
Model size
8B params
Architecture
qwen2
Hardware compatibility
Log In to add your hardware

4-bit

Inference Providers NEW
Text Generation
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support

Model tree for chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M

Base model

Qwen/Qwen2.5-7B
Finetuned
Qwen/Qwen2.5-7B-Instruct
Finetuned
unsloth/Qwen2.5-7B-Instruct
Quantized
(11)
this model