# CyberCoder-7B-v1 🛡️

A cybersecurity-focused code model fine-tuned from [Qwen/Qwen2.5-Coder-7B-Instruct](https://huggingface.co/Qwen/Qwen2.5-Coder-7B-Instruct) for:

- **CVE vulnerability analysis** with structured JSON output
- **AST-based code security review** 
- **GDB crash trace analysis** and exploitability assessment
- **ROP chain construction** and binary exploitation
- **MITRE ATT&CK mapping** and threat intelligence
- **Code reasoning** with chain-of-thought

## Training Recipe

Based on [CyberPal 2.0](https://arxiv.org/abs/2510.14113) methodology:

| Parameter | Value |
|-----------|-------|
| Base model | Qwen/Qwen2.5-Coder-7B-Instruct |
| Method | SFT with LoRA (r=64, α=128) |
| Learning rate | 4e-5 |
| Warmup ratio | 0.15 |
| Epochs | 2 |
| Max seq length | 4096 |
| Optimizer | AdamW + cosine schedule |
| Dataset | moro72842/cybersecurity-sft-dataset (20K examples) |

## Dataset Composition

| Source | Count | Description |
|--------|-------|-------------|
| CVE Records | 10,000 | Multi-turn CVE analysis from 297K records |
| Code Feedback | 5,000 | Code reasoning with iterative refinement |
| OpenCodeReasoning | 5,000 | Chain-of-thought code problem solving |
| Synthetic Security | 8 | JSON-structured CVE, AST, GDB, ROP examples |

## Capabilities

### JSON Structured Output
Trained on examples that require structured JSON output with `<reasoning>` blocks followed by JSON. Pattern:
```
<reasoning>
Step-by-step analysis...
</reasoning>

```json
{...structured output...}
```
```

### Cybersecurity Domains
- Vulnerability analysis (CVE/CWE)
- Static code analysis with AST parsing
- Binary exploitation (ROP chains, buffer overflows)
- Crash dump / GDB trace analysis
- Threat intelligence (MITRE ATT&CK mapping)
- Malware behavior classification
- Network intrusion detection

## Usage

```python
from transformers import pipeline

pipe = pipeline("text-generation", model="moro72842/CyberCoder-7B-v1", torch_dtype="auto", device_map="auto")

messages = [
    {"role": "system", "content": "You are a cybersecurity expert. Provide detailed analysis with structured JSON output."},
    {"role": "user", "content": "Analyze CVE-2021-44228 and provide the analysis as JSON."}
]

response = pipe(messages, max_new_tokens=2048, temperature=0.1)
print(response[0]["generated_text"][-1]["content"])
```

## Architecture & Efficiency Considerations

This model demonstrates the approach described in the training documentation for building cybersecurity-capable models:

- **MoE consideration**: For production 100B+ models, sparse MoE (DeepSeek-V3 style) with 64-128 experts reduces active params to ~37B
- **MLA attention**: Multi-Head Latent Attention compresses KV cache for long-context inference  
- **LoRA efficiency**: This 7B model uses LoRA (r=64), training only ~2% of parameters while achieving strong domain performance
- **Structured output**: JSON structured output trained via SFT examples rather than constrained decoding (per RL-Struct findings)

## License

Apache 2.0 (inherited from Qwen2.5-Coder)