Qwen3.5-9B-unified-attack-v3
A red-teaming / prompt-injection attacker model, full-parameter SFT of Qwen3.5-9B on the SABER v3 unified attacker corpus. Intended for AI-safety research and authorized robustness testing of LLM agents (generating adversarial probes to evaluate a victim model's defenses).
Training corpus
andyc03/attack_data :: v3/v3_unified.zip (dataset_id saber_sft_v3_unified, FINAL 2026-06-04).
- Typed corpus across three attack channels, with 2-token output convention (<jailbreak> for safety bypasses, <inject> for prompt injection):
  - jailbreak 37.9%, direct prompt-injection 35.6%, indirect PI 26.6%
- Per-type system-prompt pools with explicit attack-type conditioning; one-pass faithful <think>...</think> reasoning then the typed attack payload.
- 35,696 train / 728 val examples (1 train record dropped: it contained a literal <video> tag that collides with the VL template's media placeholder).
Output format
The assistant produces genuine skill-composing reasoning followed by the typed attack:
<think> ...reasoning about how to compose the attack for this surface... </think>
<inject>PAYLOAD</inject> # for prompt-injection targets
# or
<jailbreak>PAYLOAD</jailbreak> # for safety-bypass targets
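A strict parser for the output format above, for an evaluation harness that stores each generated probe as an inert, hashed record and rejects anything malformed. This is an added example, not code from the model card or its author; `ProbeRecord`, `parse_probe` and the sample string are assumptions constructed here.

```python
import hashlib
import re
from dataclasses import dataclass

# Strict grammar: one <think> block, then exactly one typed payload, nothing else.
_OUTPUT_RE = re.compile(
    r"\A\s*<think>(?P<reasoning>.*?)</think>\s*"
    r"<(?P<kind>inject|jailbreak)>(?P<payload>.*)</(?P=kind)>\s*\Z",
    re.DOTALL,
)
_TAGS = ("<think>", "</think>", "<inject>", "</inject>",
         "<jailbreak>", "</jailbreak>")


@dataclass(frozen=True)
class ProbeRecord:           # hypothetical record type for the harness log
    kind: str                # "inject" or "jailbreak"
    reasoning: str
    payload: str             # stored as data only, never rendered or executed
    payload_sha256: str      # stable identifier for audit logs and dedup


def parse_probe(raw: str) -> ProbeRecord:
    """Validate one model output and split it into reasoning and typed payload."""
    m = _OUTPUT_RE.match(raw)
    if m is None:
        raise ValueError("output is not <think>...</think> plus one typed block")
    reasoning, payload = m["reasoning"].strip(), m["payload"].strip()
    # A control tag inside either field means nested or repeated blocks;
    # reject so a second typed block cannot slip past the parser unlogged.
    for field in (reasoning, payload):
        if any(tag in field for tag in _TAGS):
            raise ValueError("control tag inside reasoning or payload")
    if not payload:
        raise ValueError("empty payload")
    digest = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    return ProbeRecord(m["kind"], reasoning, payload, digest)


# Constructed sample output (placeholder text, not real model output).
SAMPLE = "<think> constructed reasoning text </think>\n<inject>PAYLOAD</inject>"

if __name__ == "__main__":
    rec = parse_probe(SAMPLE)
    print(rec.kind, rec.payload_sha256[:12])
```
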
Training details
- Base: Qwen3.5-9B (Qwen3_5ForConditionalGeneration; vision tower frozen, language model trained).
- Method: full fine-tuning, LLaMA-Factory, DeepSpeed ZeRO-2 on 4×H100-80GB.
- Hyperparameters: 1 epoch (558 steps), effective batch 64 (per-device 1 × 4 GPUs × grad-accum 16), lr 2e-6 cosine, warmup 0.03, bf16, cutoff_len 8192, gradient checkpointing.
- Results: final train loss 1.259, final eval loss 1.193 (monotonic decrease, no overfitting gap).
Usage
from transformers import AutoModelForCausalLM, AutoTokenizer
model_id = "andyc03/Qwen3.5-9B-unified-attack-v3"
tok = AutoTokenizer.from_pretrained(model_id, trust_remote_code=True)
model = AutoModelForCausalLM.from_pretrained(model_id, trust_remote_code=True, torch_dtype="bfloat16", device_map="auto")
Intended use & limitations
This model is released for defensive AI-safety research and authorized red-teaming only. It is trained to produce adversarial prompts; do not deploy it against systems you are not authorized to test. Outputs may be harmful by design and should be handled in a controlled research setting.