jason-oneal
/

secgpt-base-lora

@@ -10,200 +10,125 @@ tags:
 - trl
 ---
-# Model Card for Model ID
-<!-- Provide a quick summary of what the model is/does. -->
-## Model Details
-### Model Description
-<!-- Provide a longer summary of what this model is. -->
-- **Developed by:** [More Information Needed]
-- **Funded by [optional]:** [More Information Needed]
-- **Shared by [optional]:** [More Information Needed]
-- **Model type:** [More Information Needed]
-- **Language(s) (NLP):** [More Information Needed]
-- **License:** [More Information Needed]
-- **Finetuned from model [optional]:** [More Information Needed]
-### Model Sources [optional]
-<!-- Provide the basic links for the model. -->
-- **Repository:** [More Information Needed]
-- **Paper [optional]:** [More Information Needed]
-- **Demo [optional]:** [More Information Needed]
-## Uses
-<!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->
-### Direct Use
-<!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->
-[More Information Needed]
-### Downstream Use [optional]
-<!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
-[More Information Needed]
-### Out-of-Scope Use
-<!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
-[More Information Needed]
-## Bias, Risks, and Limitations
-<!-- This section is meant to convey both technical and sociotechnical limitations. -->
-[More Information Needed]
-### Recommendations
-<!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->
-Users (both direct and downstream) should be made aware of the risks, biases and limitations of the model. More information needed for further recommendations.
-## How to Get Started with the Model
-Use the code below to get started with the model.
-[More Information Needed]
-## Training Details
-### Training Data
-<!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
-[More Information Needed]
-### Training Procedure
-<!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
-#### Preprocessing [optional]
-[More Information Needed]
-#### Training Hyperparameters
-- **Training regime:** [More Information Needed] <!--fp32, fp16 mixed precision, bf16 mixed precision, bf16 non-mixed precision, fp16 non-mixed precision, fp8 mixed precision -->
-#### Speeds, Sizes, Times [optional]
-<!-- This section provides information about throughput, start/end time, checkpoint size if relevant, etc. -->
-[More Information Needed]
 ## Evaluation
-<!-- This section describes the evaluation protocols and provides the results. -->
-### Testing Data, Factors & Metrics
-#### Testing Data
-<!-- This should link to a Dataset Card if possible. -->
-[More Information Needed]
-#### Factors
-<!-- These are the things the evaluation is disaggregating by, e.g., subpopulations or domains. -->
-[More Information Needed]
-#### Metrics
-<!-- These are the evaluation metrics being used, ideally with a description of why. -->
-[More Information Needed]
-### Results
-[More Information Needed]
-#### Summary
-## Model Examination [optional]
-<!-- Relevant interpretability work for the model goes here -->
-[More Information Needed]
-## Environmental Impact
-<!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->
-Carbon emissions can be estimated using the [Machine Learning Impact calculator](https://mlco2.github.io/impact#compute) presented in [Lacoste et al. (2019)](https://arxiv.org/abs/1910.09700).
-- **Hardware Type:** [More Information Needed]
-- **Hours used:** [More Information Needed]
-- **Cloud Provider:** [More Information Needed]
-- **Compute Region:** [More Information Needed]
-- **Carbon Emitted:** [More Information Needed]
-## Technical Specifications [optional]
-### Model Architecture and Objective
-[More Information Needed]
-### Compute Infrastructure
-[More Information Needed]
-#### Hardware
-[More Information Needed]
-#### Software
-[More Information Needed]
-## Citation [optional]
-<!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
-**BibTeX:**
-[More Information Needed]
-**APA:**
-[More Information Needed]
-## Glossary [optional]
-<!-- If relevant, include terms and calculations in this section that can help readers understand the model or model card. -->
-[More Information Needed]
-## More Information [optional]
-[More Information Needed]
-## Model Card Authors [optional]
-[More Information Needed]
-## Model Card Contact
-[More Information Needed]
-### Framework versions
-- PEFT 0.18.0

 - trl
 ---
+---
+license: apache-2.0
+base_model: p-e-w/gpt-oss-20b-heretic
+tags:
+- cybersecurity
+- penetration-testing
+- red-team
+- orchestration
+- lora
+- security-ai
+- secgpt
+language:
+- en
+---
+# secgpt-base-lora
+## Model Summary
+**secgpt-base-lora** is a LoRA fine-tune created to transform a permissive large language model into a **cybersecurity orchestration engine**.
+The model is designed to plan, reason, and structure penetration testing workflows while enforcing scope, constraints, and rules of engagement. It does **not** perform exploitation, scanning, or live attacks.
+This model serves as the **base orchestrator** for the SecGPT project and is intended to be embedded inside controlled agent frameworks.
+## Base Model
+- **Base model:** `p-e-w/gpt-oss-20b-heretic`
+- **Original lineage:** `openai/gpt-oss-20b`
+- **Architecture:** Decoder-only transformer (MoE-based, inherited)
+- **Fine-tuning method:** LoRA (Low-Rank Adaptation)
+- **Precision:** BF16 compatible
+- **Author:** Jason O’Neal
+The Heretic base model was chosen specifically for its reduced refusal behavior, allowing orchestration logic to be learned without fighting upstream safety refusals.
+## Intended Use
+### Primary Purpose
+- Penetration testing orchestration
+- Red team workflow planning
+- Tool selection and sequencing
+- Scope and constraint enforcement
+- Structured, machine-readable output generation
+### Example Tasks
+- Plan non-destructive external assessments
+- Select appropriate tools based on scope and target type
+- Generate ordered testing workflows
+- Produce strict JSON plans for downstream agents
+- Refuse out-of-scope or unsafe requests
+### Explicitly Out of Scope
+- Autonomous exploitation
+- Payload generation
+- Malware development
+- Live attack execution
+- Social engineering automation
+This model plans. Execution belongs elsewhere.
+## Training Data
+The model was fine-tuned on a **custom, hand-curated cybersecurity orchestration dataset**, including:
+- Penetration testing plans
+- Tool-centric workflows with explicit arguments
+- Scope, ROE, and constraint handling
+- Failure handling and recovery scenarios
+- Structured JSON outputs validated against schemas
+No proprietary data, real credentials, or live targets were used.
+## Output Format
+The model strongly prefers **strict JSON outputs**.
+Typical responses include:
+- Objectives
+- Constraints
+- Ordered steps
+- Tool names and arguments
+- Expected outcomes
+Unstructured or conversational output is intentionally discouraged.
 ## Evaluation
+Evaluation focuses on **behavioral correctness**, not stylistic quality:
+- Tool selection accuracy
+- Argument validity
+- JSON schema compliance
+- Scope enforcement
+- Proper refusal behavior
+- Recovery after simulated tool failure
+Hallucinated tools, invented results, or fabricated flags are treated as failures.
+## Limitations
+- Does not execute tools or commands
+- Depends on the host framework for enforcement
+- Can hallucinate if misused or prompted incorrectly
+- Not a replacement for human judgment
+- Requires external validation and guardrails
+This is an orchestrator, not an autopwn engine.
+## Ethical Considerations
+This model is intended solely for **authorized security testing and defensive research**.
+Users are responsible for ensuring compliance with applicable laws, contracts, and rules of engagement. Misuse reflects on the user, not the model.
+## License
+Apache License 2.0
+## Acknowledgments
+Developed as part of the **SecGPT** project, focused on building modular, auditable, and controllable AI-assisted security tooling.