Text Generation
Transformers
GGUF
English
French
cybersecurity
mitre-attack
threat-intelligence
cti
qlora
unsloth
qwen2.5
fine-tuned
conversational
How to use from
llama.cppInstall from brew
brew install llama.cpp
# Start a local OpenAI-compatible server with a web UI:
llama-server -hf chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_M# Run inference directly in the terminal:
llama-cli -hf chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_MInstall from WinGet (Windows)
winget install llama.cpp
# Start a local OpenAI-compatible server with a web UI:
llama-server -hf chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_M# Run inference directly in the terminal:
llama-cli -hf chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_MUse pre-built binary
# Download pre-built binary from:
# https://github.com/ggerganov/llama.cpp/releases# Start a local OpenAI-compatible server with a web UI:
./llama-server -hf chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_M# Run inference directly in the terminal:
./llama-cli -hf chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_MBuild from source code
git clone https://github.com/ggerganov/llama.cpp.git
cd llama.cpp
cmake -B build
cmake --build build -j --target llama-server llama-cli# Start a local OpenAI-compatible server with a web UI:
./build/bin/llama-server -hf chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_M# Run inference directly in the terminal:
./build/bin/llama-cli -hf chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_MUse Docker
docker model run hf.co/chrisbst48/MITRE_QWEN2.5_7b_Q4_K_M:Q4_K_MQuick Links
You need to agree to share your contact information to access this model
This repository is publicly accessible, but you have to accept the conditions to access its files and content.
This model is designed for defensive cybersecurity research, threat intelligence analysis, and authorized security operations only. By accessing this model, you confirm that you will use it solely for lawful and defensive purposes, and not to facilitate unauthorized access, attacks, or any malicious activity.
Log in or Sign Up to review the conditions and access this model content.
Qwen2.5-7B โ MITRE ATT&CK CTI Specialist
A fine-tuned language model specialized in cyber threat intelligence, trained to identify and chain MITRE ATT&CK techniques from natural language attack scenario descriptions.
Model Overview
| Base model | unsloth/Qwen2.5-7B-Instruct |
| Method | QLoRA 4-bit (r=16, alpha=16) |
| Languages | English / French |
| Domain | Cybersecurity โ CTI โ MITRE ATT&CK v15 |
| Output format | Structured JSON |
| Status | Preview v1 |
Given a textual description of an attack scenario, this model produces a structured attack chain with MITRE ATT&CK technique IDs, names, descriptions, a confidence level, and underlying assumptions.
Usage
Prompt Format
### Instruction
Analyze the following text and identify the MITRE ATT&CK techniques involved.
Generate a structured attack chain.
### Context
{your_scenario_here}
### Response
Recommended System Prompt
You are an expert in offensive cybersecurity and cyber threat intelligence (CTI).
You analyze attack scenarios and identify MITRE ATT&CK techniques with precision,
including sub-techniques (e.g. T1059.003).
You ALWAYS respond in structured JSON with exactly these fields:
scenario_summary, attack_chain (list of technique_id, name, description),
confidence_level (high/medium/low), assumptions.
Example
Input:
An attacker sends a spearphishing email with an obfuscated VBA macro attachment.
The macro uses certutil.exe to decode a base64 payload and execute it.
The payload establishes an HTTPS beacon via Azure CDN domain fronting every 4 hours,
then dumps LSASS credentials using Mimikatz.
Output:
{
"scenario_summary": "Spearphishing โ certutil decode โ domain fronting C2 โ LSASS dump",
"attack_chain": [
{
"technique_id": "T1566.001",
"name": "Spearphishing Attachment",
"description": "Malicious attachment delivered via targeted email."
},
{
"technique_id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"description": "Base64 payload decoded using certutil.exe."
},
{
"technique_id": "T1090.004",
"name": "Domain Fronting",
"description": "C2 traffic routed through Azure CDN to mask true destination."
},
{
"technique_id": "T1071.001",
"name": "Web Protocols",
"description": "C2 communication over HTTPS."
},
{
"technique_id": "T1003.001",
"name": "LSASS Memory",
"description": "Credential extraction from LSASS process memory using Mimikatz."
}
],
"confidence_level": "high",
"assumptions": [
"Macro enabled by user",
"No outbound HTTPS filtering",
"LSASS not protected by PPL"
]
}
Python
from transformers import AutoTokenizer, AutoModelForCausalLM
import torch, json
model_id = "YOUR_USERNAME/mitre-attack-qwen2.5-7b"
tokenizer = AutoTokenizer.from_pretrained(model_id)
model = AutoModelForCausalLM.from_pretrained(
model_id,
torch_dtype=torch.bfloat16,
device_map="auto",
)
SYSTEM = (
"You are a CTI expert specialized in MITRE ATT&CK. "
"Always respond in structured JSON with: "
"scenario_summary, attack_chain (technique_id, name, description), "
"confidence_level, assumptions."
)
scenario = """
An attacker exploits an SQL injection vulnerability on a public web application
to drop a PHP webshell. Via the webshell, they steal IAM credentials from the
EC2 metadata service and create a persistent IAM account to maintain access.
"""
prompt = f"""### Instruction
Analyze the following text and identify the MITRE ATT&CK techniques involved.
### Context
{scenario.strip()}
### Response
"""
messages = [
{"role": "system", "content": SYSTEM},
{"role": "user", "content": prompt},
]
inputs = tokenizer.apply_chat_template(
messages,
tokenize=True,
add_generation_prompt=True,
return_tensors="pt",
).to(model.device)
outputs = model.generate(
inputs,
max_new_tokens=512,
temperature=0.1,
do_sample=True,
)
response = tokenizer.decode(outputs[0][inputs.shape[1]:], skip_special_tokens=True)
print(json.dumps(json.loads(response), indent=2))
llama.cpp / Ollama (GGUF Q4_K_M)
# llama-server
./llama-server \
-m mitre_qwen2.5_7b_Q4_K_M.gguf \
--port 10001 \
--host 0.0.0.0 \
-ngl 99 \
-c 8192 \
--temp 0.1
# Ollama
ollama create mitre-cti -f Modelfile
ollama run mitre-cti
Training
Hyperparameters
base_model: unsloth/Qwen2.5-7B-Instruct
method: QLoRA
quantization: 4-bit (bitsandbytes)
lora_r: 16
lora_alpha: 16
lora_dropout: 0
target_modules: [q_proj, k_proj, v_proj, o_proj,
gate_proj, up_proj, down_proj]
gradient_checkpointing: unsloth
per_device_train_batch_size: 2
gradient_accumulation_steps: 8
effective_batch_size: 16
num_train_epochs: 3
learning_rate: 2.0e-4
lr_scheduler_type: cosine
warmup_ratio: 0.05
optimizer: adamw_8bit
max_seq_length: 2048
bf16: true
Training Metrics
| Metric | Value |
|---|---|
| Training Loss (final) | 0.2670 |
| Training Loss (selected checkpoint) | 0.2068 |
| Eval Loss (minimum) | ~2.75 |
| Total steps | 4272 (3 epochs) |
Hardware Requirements
| Format | Size | Min VRAM |
|---|---|---|
| GGUF Q4_K_M | ~4.8 GB | 8 GB |
Ethical Use
This model is intended for defensive cybersecurity purposes only โ threat intelligence analysis, SOC operations, red team exercises within authorized engagements, and security research.
Any use of this model to facilitate unauthorized access, attacks, or malicious activities is strictly prohibited.
Citation
@misc{mitre-attack-qwen2.5-7b-2026,
title = {Qwen2.5-7B MITRE ATT{&}CK CTI Specialist},
author = {Chris E.},
year = {2026},
publisher = {Hugging Face},
url = {[https://huggingface.co/chrisbst48/mitre-attack-qwen2.5-7b](https://huggingface.co/chrisbst48/mitre-attack-qwen2.5-7b)}
}
---
License
Apache 2.0 โ inherited from the Qwen2.5 base model.
- Downloads last month
- 12
Hardware compatibility
Log In to add your hardware
4-bit
# Gated model: Login with a HF token with gated access permission hf auth login