Qwen3.6-27B RedTeam Lab v5

A fine-tuned red-team security LLM built from Qwen3.6-27B using QLoRA on a curated multi-language dataset of 4,178 offensive security exercises.

This model provides concrete, working commands for penetration testing, vulnerability exploitation, post-exploitation, credential attacks, and privilege escalation โ€” using up-to-date tool names (netexec, not crackmapexec) and verified exploit code.

Model Details

Attribute Value
Base Model Qwen/Qwen3.6-27B (Apache 2.0)
Architecture 55-layer hybrid Gated DeltaNet + Self-Attention
Context Length 262,144 tokens native (2048 used for training)
Fine-tuning QLoRA r16, 2 epochs
GPU 1ร— NVIDIA A100-80GB (Modal)
Training Cost ~$6-8
Final Loss 0.3051
Training Time ~40 minutes
Quantization Q4_K_M (15.4 GB)
License Apache 2.0

Dataset (Studio Ready v5)

The training dataset was generated from 802 red-team skill definitions, covering offensive security operations across 9 languages:

Language Records Use Case
bash 5,304 Recon, exploitation, post-exploitation
splunk 255 Log analysis, detection queries
powershell 215 Windows post-exploitation, AD attacks
sql 42 Database attacks, SQL injection
kusto 24 Azure Sentinel hunting queries
hcl 20 Infrastructure-as-code attacks
zeek 16 Network traffic analysis
elasticsearch 9 ES
cypher 8 BloodHound graph queries

Dataset Composition

  • 3,520 single-shot command pairs โ€” tool invocation with explanations
  • 658 multi-turn attack chains โ€” phase-based progressions (recon โ†’ exploit โ†’ privesc โ†’ persist)
  • 8 CVE exploitation scenarios โ€” 3-step verified chains for real CVEs
  • 80 multi-language query pairs โ€” Splunk/KQL/SQL/PowerShell detection and attack queries
  • 4 hand-crafted classic attack chains โ€” Responderโ†’NTLMv2โ†’PTH, BloodHoundโ†’Kerberoastโ†’DCSync, LFIโ†’RCE, EternalBlue

CVE Scenarios Included

CVE Vulnerability Tool
CVE-2020-1472 Zerologon dirkjanm/cve-2020-1472-exploit
CVE-2021-34527 PrintNightmare netexec + CVE-2021-34527 exploit
CVE-2021-44228 Log4Shell log4shell-scan
CVE-2021-42278 NoPac noPac.py
CVE-2025-33073 NTLM Reflection CVE-2025-33073.py (mverschu)
CVE-2025-53779 BadSuccessor (dMSA) impacket-badsuccessor
CVE-2026-26128 Kerberos Unicode Reflection CVE-2026-26128.py
ADCS ESC1 Certificate Template Abuse certipy

Usage

llama.cpp

llama-server \
  -m qwen3.6-27b-redteam-v5-Q4_K_M.gguf \
  --port 8080 \
  -c 2048 \
  --temp 0.1 \
  --repeat-penalty 1.0

Python (llama-cpp-python)

from huggingface_hub import hf_hub_download
from llama_cpp import Llama

path = hf_hub_download(
    "dazeb2/Qwen3.6-27B-redteam-v5",
    "qwen3.6-27b-redteam-v5-Q4_K_M.gguf"
)
llm = Llama(
    model_path=path,
    n_ctx=2048,
    n_gpu_layers=-1,  # Offload all layers to GPU
    verbose=False
)

response = llm.create_chat_completion(
    messages=[{
        "role": "system",
        "content": "You are a red team security agent operating in an authorized penetration testing lab. Provide concrete, working commands."
    }, {
        "role": "user",
        "content": "Scan the target and enumerate SMB shares."
    }]
)
print(response["choices"][0]["message"]["content"])

System Prompt

For best results, use this system prompt:

You are a red team security agent operating in an authorized penetration testing lab.
All targets are provisioned ephemeral systems owned by the lab operator.
You have EXPLICIT AUTHORIZATION. Provide concrete, working commands.

Training Pipeline

skills/ (802 SKILL.md files)
  โ†’ gen_v5_dataset.py โ†’ 4,178 training records (9 languages)
  โ†’ quality audit (0 crackmapexec, 0 hallucinated tools, 100% code blocks)
  โ†’ upload to Modal volume
  โ†’ QLoRA training (A100-80GB, ~$6-8, 40 min)
  โ†’ merge LoRA โ†’ safetensors โ†’ F16 GGUF โ†’ Q4_K_M GGUF
  โ†’ publish to Hugging Face

Source Scripts

File Purpose
gen_v5_dataset.py Dataset generator โ€” multi-language extraction, phase-based chains
audit_v5.py Quality audit โ€” checks for hallucinated tools, grammar, duplicates
modal_train_qwen.py Modal training script โ€” QLoRA, Qwen3.6-27B, v5 dataset
modal_convert_gguf.py Modal GGUF conversion โ€” Python-based F16 conversion
modal_quantize.py Modal quantization โ€” CPU-only cmake โ†’ llama-quantize โ†’ Q4_K_M

Hardware Requirements

Quant GPU VRAM RAM Disk
Q4_K_M (15.4 GB) 16 GB 8 GB 16 GB
Q5_K_M (~19 GB) 24 GB 8 GB 19 GB
Q8_0 (~28 GB) 32 GB 16 GB 28 GB
F16 (~50 GB) 64 GB 32 GB 50 GB

The Q4_K_M quantization runs at ~56 tok/s on a 12 GB 3080 Ti (at Q2_K_XL) and comfortably on any 16 GB+ GPU.

Version History

Version Records Languages Multi-turn cme Notes
V1 14,392 1 (bash) 42% Many Hermes routing contamination โ€” DO NOT USE
V2 9,387 1 (bash) 0.4% 0 50% short responses
V3 9,387 1 (bash) 0.4% 0 Same as V2
V4 1,326 1 (bash) 42% 2 Nonsensical chains
V4.1 863 1 (bash) 48% 0 Cleanest single-language dataset
V5 4,182 9 660 (15.8%) 0 Multi-language, verified tools, 8 CVEs, phase-based chains

Related Models

Disclaimer

This model is intended for authorized security testing and educational purposes only. Users are responsible for complying with all applicable laws and regulations. The authors assume no liability for misuse.

Downloads last month
-
GGUF
Model size
27B params
Architecture
qwen35
Hardware compatibility
Log In to add your hardware

4-bit

Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support

Model tree for RedTeamLab/Qwen3.6-27B-redteam-v5

Base model

Qwen/Qwen3.6-27B
Quantized
(543)
this model