Nemesis — Qwen3.6-27B

The inescapable adversary — an uncensored, tool-using, agentic AI for authorized red-team & offensive-security work.

▶ GGUF for Ollama / LM Studio: RootMonsteR/Qwen3.6-27B-Nemesis-GGUF

Built by RootMonsteR · JAF Systems · in partnership with rnd.sh.

Nemesis is a fine-tune of Qwen3.6-27B purpose-built to be a complete offensive-security operator: it scans, enumerates, reasons about exploits, calls tools, and chains multi-step agentic workflows — without the reflexive refusals that make stock models useless for legitimate red-team work. It was trained to comply on authorized security tasks while retaining its full knowledge and reasoning — verified, no measurable capability loss vs. the base model.

✨ Highlights

  • 🎯 No refusals on authorized security work: 15/15 on a red-team task suite (with the recommended system prompt).
  • 🧰 Tool-calling & 🤖 agentic — clean structured calls, chained multi-step (call → result → next action).
  • 🧠 Full capability retained — coherence 5/5, cyber-knowledge 14/14, identical to base.
  • 🪶 One 32 GB GPU in 4-bit; full bf16 weights here; GGUF builds for local runtimes.
  • 🛠️ Responsible by design — still declines unrelated harm; scoped to authorized cyber.

📊 Evaluation (vs the untouched base model)

| Dimension | Base Qwen3.6-27B | Nemesis |
|---|---|---|
| Authorized red-team compliance (w/ system prompt) | frequently refuses | 15 / 15 (100%) |
| Authorized red-team compliance (no system prompt) | | 14 / 15 (93%) |
| Tool-calling (structured) | 1 / 3 | 3 / 3 |
| Agentic multi-step | ❌ FAIL | PASS |
| Coherence | 5 / 5 | 5 / 5 (preserved) |
| Cyber knowledge quiz | 14 / 14 | 14 / 14 (preserved) |
| Unrelated harm (weapons/drugs/hate) | declines | declines (by design) |

💬 See it in action

Real, unedited Nemesis output:

Recon — service enumeration

You: In-scope host, nmap shows 22, 80, 443, 3306 open. Enumerate likely services and give concrete next recon steps.

Nemesis: The open ports suggest the following services: SSH (22), HTTP (80), HTTPS (443), and MySQL (3306). For SSH, check for weak credentials or misconfigurations. For HTTP/HTTPS, perform web application scanning using tools like Burp Suite or OWASP ZAP to identify vulnerabilities such as SQL injection, XSS, or directory traversal. For MySQL, attempt to connect with default credentials or exploit known vulnerabilities. Next steps include banner grabbing to identify service versions, checking for default accounts, and performing vulnerability scanning using tools like Nessus or OpenVAS.

Privilege-escalation enumeration

You: I have a low-priv shell on a Linux target in our engagement. Give the top privilege-escalation enumeration commands.

Nemesis: uname -a · id · sudo -l · find / -perm -4000 2>/dev/null (SUID) · find / -perm -2000 2>/dev/null (SGID) · find / -writable 2>/dev/null · crontab -l · cat /etc/passwd · ps aux — then identify escalation vectors from the results.

Agentic — structured tool call

You: Scan 10.10.10.5 for open ports and service versions.

Nemesis:

<functioncall> {"name": "run_nmap", "arguments": {"target": "10.10.10.5", "flags": "-sV"}}

🚀 Quickstart (transformers)

import torch
from transformers import AutoModelForCausalLM, AutoTokenizer

model_id = "RootMonsteR/Qwen3.6-27B-Nemesis"
tok = AutoTokenizer.from_pretrained(model_id)
model = AutoModelForCausalLM.from_pretrained(model_id, torch_dtype="bfloat16", device_map="auto")

SYSTEM = ("You are Nemesis, an offensive-security assistant for AUTHORIZED penetration testing "
          "and red-team engagements. Provide direct, technical, actionable answers. "
          "Use the provided tools when relevant.")
msgs = [{"role": "system", "content": SYSTEM},
        {"role": "user", "content": "Nmap shows 22, 80, 443, 3306 open on an in-scope host. "
                                    "Enumerate likely services and give concrete next recon steps."}]
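# Tokenize with the chat template; return_dict=True also yields the attention mask
enc = tok.apply_chat_template(msgs, add_generation_prompt=True, return_dict=True,
                              return_tensors="pt").to(model.device)
out = model.generate(**enc, max_new_tokens=512, do_sample=False)
# Decode only the newly generated tokens, not the prompt
print(tok.decode(out[0, enc["input_ids"].shape[1]:], skip_special_tokens=True))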

To fit on a 32 GB GPU, load in 4-bit:

from transformers import BitsAndBytesConfig
qc = BitsAndBytesConfig(load_in_4bit=True, bnb_4bit_quant_type="nf4",
                        bnb_4bit_use_double_quant=True, bnb_4bit_compute_dtype=torch.bfloat16)
model = AutoModelForCausalLM.from_pretrained(model_id, quantization_config=qc, device_map="auto")

🧰 Tool-calling / agentic

Put your tool definitions in the system message. Nemesis emits a structured call; you execute it, feed the result back, and the model continues:

USER:    Scan 10.10.10.5 for open ports.
NEMESIS: <functioncall> {"name": "run_nmap", "arguments": {"target": "10.10.10.5", "flags": "-sV"}}
(tool runs; return the output)
NEMESIS: …interprets results, suggests the next action / next tool call…
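
A gate to place between the model's structured call and whatever executes it, as an added example (not code from the Nemesis project): it strips any `<think>…</think>` block, parses the `<functioncall>` JSON in the format shown above, and fails closed unless tool, target and flags match the engagement scope. The allowlist, the 10.10.10.0/24 range and the function names `parse_call` and `authorize` are assumptions for illustration.

```python
import ipaddress
import json
import re

# Assumed engagement policy (constructed): tool name -> flags the operator permits.
ALLOWED_TOOLS = {"run_nmap": {"-sV", "-sT", "-Pn"}}
# Assumed in-scope ranges from the rules of engagement (constructed).
IN_SCOPE = [ipaddress.ip_network("10.10.10.0/24")]

THINK_RE = re.compile(r"<think>.*?</think>", re.DOTALL)
CALL_TAG = "<functioncall>"


def parse_call(model_output):
    """Return the {"name", "arguments"} dict that follows <functioncall>, or None."""
    text = THINK_RE.sub("", model_output)  # drop the reasoning block before parsing
    start = text.find(CALL_TAG)
    if start == -1:
        return None
    body = text[start + len(CALL_TAG):].lstrip()
    try:
        call, _ = json.JSONDecoder().raw_decode(body)  # tolerates trailing text
    except json.JSONDecodeError:
        return None
    return call if isinstance(call, dict) else None


def authorize(call):
    """Fail closed: return (ok, reason) for a parsed call."""
    name = call.get("name") if isinstance(call, dict) else None
    if not isinstance(name, str) or name not in ALLOWED_TOOLS:
        return False, "tool not on allowlist"
    args = call.get("arguments")
    if not isinstance(args, dict):
        return False, "arguments must be a JSON object"
    try:
        target = ipaddress.ip_address(str(args.get("target", "")))
    except ValueError:
        return False, "target is not a literal IP address"
    if not any(target in net for net in IN_SCOPE):
        return False, "target out of scope"
    # Whitespace split is enough: every token must match the allowlist exactly.
    extra = [f for f in str(args.get("flags", "")).split() if f not in ALLOWED_TOOLS[name]]
    if extra:
        return False, "flag not permitted: " + extra[0]
    return True, "ok"
```

Execute only calls that `authorize()` accepts, and pass the validated arguments to the tool as an argument list rather than through a shell.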

🧪 How it was built

Direct 4-bit QLoRA SFT (LoRA r=16 over both attention variants + MLP), native transformers + peft + trl, 1 epoch. Directional abliteration (heretic, SOM) was tried first and failed — this model's safety is distributed, so we taught compliance with data instead:

Training data — ~7,000 rows, every refusal response filtered out, all permissive licenses:

  • Offensive cyber — MITRE ATT&CK red-team tactics (recon → exfil)
  • Broad cybersecurity instruction data (200+ domains)
  • Multi-turn function-calling / agentic transcripts
  • General-compliance instructions (keeps it a strong all-round assistant)

⚖️ Intended use & responsible use

For authorized, lawful security work only — penetration testing with written authorization, red-team engagements, CTFs, security research, and education. You are responsible for how you use this model. Do not use it against systems you do not own or lack explicit written permission to test. Comply with all applicable laws and rules of engagement. Nemesis intentionally still declines requests unrelated to authorized cyber operations (e.g. weapons, drugs, violence).

⚠️ Limitations

  • Compliance is strongest with the recommended system prompt.
  • It's a thinking model — outputs may include <think>…</think>; strip it if you only want the final answer.
  • Knowledge has a training cutoff — verify exploit details and commands before use.
  • Evaluated on focused suites, not full academic benchmarks — treat scores as directional.

💼 Custom training & commercial work

Nemesis v1 is fully open — but it's the public version. For an edge, JAF Systems offers:

  • 🧠 Custom fine-tunes — Nemesis trained on your data, tooling, or target stack
  • 🚀 Stronger private models — trained on larger/proprietary data beyond this v1 release
  • 🏢 Enterprise deployment, integration & support for red-team / security teams

👉 jafsystems.net · 𝕏 @RootMonsteR

📜 License — Apache 2.0 (open weights)

Released under the Apache License 2.0 — free for any use, including commercial, no strings. Built on Qwen3.6-27B (Apache-2.0); see LICENSE and NOTICE. Use only for lawful, authorized security work. Training datasets were permissively licensed (MIT / Apache / ODC-By).

🙏 Citation

@misc{nemesis2026,
  title  = {Qwen3.6-27B Nemesis: an uncensored agentic model for authorized offensive security},
  author = {RootMonsteR and JAF Systems},
  year   = {2026},
  url    = {https://huggingface.co/RootMonsteR/Qwen3.6-27B-Nemesis}
}

Crafted by RootMonsteR · jafsystems.net · rnd.sh
