LDFIRM v10 Phase 2 Tool SFT Adapter
Internal artifact for GRAIL, Zero-Touch DFIR Corp. Lancelot (Lead Investigator agent) Phase 2 Tool SFT LoRA adapter.
Provenance
- Base model:
meta-llama/Llama-3.3-70B-Instruct - P1 adapter (merged before P2 training):
GrailDFIR/ldfirm-v10-p1-cpt(sha25668127397a553453376a11f568c98466b0d50260a45ddafbfa695e0991caf5229) - Training corpus: v10 P2 Tool SFT (149 trajectories, sha256
b9fcf7432dd5d1e08fe2c183234f5972de8f765110d25497c68ba82948314709) - Training task: TASK-10806 (S341 dispatch, S342 completion)
- Adapter sha256:
ac672dc5b90b00f012dc70413ab10a32b9ac156c9881143c4fbe9e490da30bca
Training
| Metric | Value |
|---|---|
| Runtime | 755s (12.6 min) |
| Train loss | 1.4165 |
| Epochs | ~2.9 (3 configured) |
| Steps | 54 |
| LoRA r / alpha | 32 / 64 |
| modules_to_save | null (OPTION-3) |
| neftune_noise_alpha | 5 |
| Assistant-only loss masking | yes |
| Total tokens | 81,701 |
| Trainable tokens | 22,311 |
Target modules: up_proj, gate_proj, o_proj, down_proj, v_proj, q_proj, k_proj.
Acceptance โ Gate G (recovery smoke)
Tested against 60-probe DFIR evaluation set (ldfirm_mitre_eval_v3 + ldfirm_techattr_eval_v2), seed=1337.
| Criterion | Threshold | Result | Verdict |
|---|---|---|---|
| instruct_sanity | >=0.97 | 1.0000 | PASS |
| MITRE recall | >=0.130 | 0.1893 | PASS |
| Format pathology | 0 probes | 0/60 | PASS |
Full instruct recovery from v10 P1 step-104 (0.95 -> 1.00). Format pathology (markdown skeleton emissions) corrected. MITRE recall preserved within Gate 2 Option 2 budget.
See state/gates/gate_3_verdict.md in the Grail-MVP repo (private) for full verdict.
Corpus composition (149 records)
- 82 multi-tool (lookup_mitre_technique + DFIR tools) - 55%
- 30 lookup-only
- 37 failure-mode (10 empty + 9 exception + 9 timeout + 9 deprecated)
- 31 distinct MITRE technique IDs (from canonical STIX v19.1)
- 5 scenario archetypes (ransomware, lateral-movement, persistence, malware-attribution, anomalous-process)
- 14 distinct DFIR tools
Pipeline position
- Step 1 (CPT): DONE - Gate 2 Conditional PASS (
GrailDFIR/ldfirm-v10-p1-cpt) - Step 2 (Tool SFT): THIS ADAPTER - Gate G PASS
- Step 3 (Domain SFT): authorized, dispatch pending
- Step 4 (SimPO): blocked on corpus rebuild
Usage
from peft import PeftModel
from transformers import AutoModelForCausalLM, AutoTokenizer
base = AutoModelForCausalLM.from_pretrained("meta-llama/Llama-3.3-70B-Instruct")
# Stack P1 CPT then P2 Tool SFT
base = PeftModel.from_pretrained(base, "GrailDFIR/ldfirm-v10-p1-cpt")
base = base.merge_and_unload()
model = PeftModel.from_pretrained(base, "GrailDFIR/ldfirm-v10-p2-tool-sft")
tokenizer = AutoTokenizer.from_pretrained("meta-llama/Llama-3.3-70B-Instruct")
License & restrictions
Internal use only - GRAIL, Zero-Touch DFIR Corp. (SAM UEI ZY8NT3BJABK9). Not for redistribution.
Base model meta-llama/Llama-3.3-70B-Instruct retains its original Meta license; this adapter does not modify or redistribute base weights.
- Downloads last month
- 8
Model tree for GrailDFIR/ldfirm-v10-p2-tool-sft
Base model
meta-llama/Llama-3.1-70B