| --- |
| title: SENTINEL Autonomous Pentesting Agent |
| emoji: 🛡️ |
| colorFrom: red |
| colorTo: gray |
| sdk: gradio |
| sdk_version: 4.36.1 |
| app_file: app.py |
| pinned: false |
| python_version: 3.10.13 |
| license: apache-2.0 |
| short_description: Fine-tuned Llama-3-8B that autonomously exploits web vulns |
| tags: |
| - security |
| - llama-3 |
| - autonomous-agent |
| - web-pentesting |
| - sql-injection |
| - cybersecurity |
| --- |
| |
| # 🛡️ SENTINEL — Autonomous Web Pentesting Agent |
|
|
| **SENTINEL** is a fine-tuned **Llama-3-8B-Instruct** model trained via SFT+GRPO to autonomously reason about web application vulnerabilities and generate exploit payloads. |
|
|
| ## What it does |
|
|
| Given a **goal** (e.g. `AUTHENTICATED`, `DATA_EXFILTRATED`) and an **HTML snippet** (the current page DOM), SENTINEL outputs a single structured JSON action — exactly like a human pentester would decide their next move. |
|
|
| ```json |
| { |
| "Thought": "Login form with username/password fields on a .php endpoint — classic SQLi target.", |
| "Action": "SQL_INJECT", |
| "Action_Input": { |
| "target_url": "http://target/login.php", |
| "method": "POST", |
| "parameters": {"username": "admin'--", "password": "x"}, |
| "rationale": "OR-tautology bypass on username field" |
| } |
| } |
| ``` |
|
|
| ## Model Details |
|
|
| - **Base model:** `meta-llama/Meta-Llama-3-8B-Instruct` |
| - **Fine-tuning:** SFT on curated web-exploit trajectories + GRPO reward shaping |
| - **Quantization:** Q5_K_M GGUF (~5.7 GB), served via `llama-cpp-python` |
| - **The GGUF weights** are hosted in a separate model repo and downloaded at runtime to bypass the Space 1 GB git limit. |
|
|
| > ⚠️ **Authorized testing only.** SENTINEL is designed for use against intentionally vulnerable targets (DVWA, Juice Shop, HackTheBox, etc.). Do not use against systems you do not own. |
|
|
