THIS IS A GREATLY DECENSORED VERSION OF THE POPULAR FOUNDATION-SEC-8B MODEL BY CISCO FOUNDATION AI
It is provided for educational purposes and was uncensored with Heretic, an open-source tool.
Foundation-Sec-8B - Model Card
Model Information
Foundation-Sec-8B (Llama-3.1-FoundationAI-SecurityLLM-base-8B) is an open-weight, 8-billion parameter base language model specialized for cybersecurity applications. It extends the Llama-3.1-8B model through continued pretraining on a curated corpus of cybersecurity-specific text, including threat intelligence reports, vulnerability databases, incident response documentation, and security standards. It has been trained to understand security concepts, terminology, and practices across multiple security domains. The model is designed to serve as a domain-adapted base model for use in applications such as threat detection, vulnerability assessment, security automation, and attack simulation. Foundation-Sec-8B enables organizations to build AI-driven security tools that can be deployed locally, reducing dependency on cloud-based AI services while maintaining high performance on security-related tasks.
- Model Name: Foundation-Sec-8B (Llama-3.1-FoundationAI-SecurityLLM-base-8B)
- Model Developer: Foundation AI at Cisco
- Technical Report: https://arxiv.org/abs/2504.21039
- Model Card Contact: https://fdtn.ai/contact
- Model Release Date: April 28, 2025
- Supported Language(s): English
- Model Architecture: Auto-regressive language model that uses an optimized transformer architecture (Meta Llama-3.1-8B backbone)
- Training Objective: Continued pre-training on cybersecurity-specific corpus
- Training Data Status: This is a static model trained on an offline dataset. Future versions of the tuned models will be released on updated data.
- License: Apache 2.0
Intended Use
Intended Use Cases
Foundation-Sec-8B is designed for security practitioners, researchers, and developers building AI-powered security workflows and applications. Foundation-Sec-8B is optimized for three core use case categories:
- SOC Acceleration: Automating triage, summarization, case note generation, and evidence collection.
- Proactive Threat Defense: Simulating attacks, prioritizing vulnerabilities, mapping TTPs, and modeling attacker behavior.
- Engineering Enablement: Providing security assistance, validating configurations, assessing compliance evidence, and improving security posture.
The model is intended for local deployment in environments prioritizing data security, regulatory compliance, and operational control.
Downstream Use
Foundation-Sec-8B can be used directly for security-related language tasks and serves as a strong starting point for fine-tuning across a variety of cybersecurity workflows. Example downstream applications include:
- Summarization
  - Summarizing detection playbooks and incident reports
  - Consolidating fragmented analyst notes into structured case summaries
- Classification
  - Mapping threats to MITRE ATT&CK techniques
  - Prioritizing vulnerabilities based on contextual risk
  - Classifying security-relevant emails and leaked file contents
- Named Entity Recognition
  - Extracting compliance evidence from documents
  - Building network behavior profiles from technical manuals
- Question & Answer
  - Assisting SOC analysts with alert triage and investigation
  - Responding to cloud security and software compliance queries
- Reasoning and Text Generation
  - Generating red-team attack plans and threat models
  - Predicting attacker next steps in active investigations
  - Enriching vulnerability scan results with contextual insights
For questions or assistance with fine-tuning Foundation-Sec-8B, please contact Paul Kassianik (paulkass@cisco.com) or Dhruv Kedia (dkedia@cisco.com).
Out-of-Scope Use
The following uses are out-of-scope and are neither recommended nor intended use cases:
- Generating harmful content - The model should not be used to:
  - Generate malware or other malicious code
  - Create phishing content or social engineering scripts
  - Develop attack plans targeting specific organizations
  - Design exploitation techniques for vulnerabilities without legitimate security research purposes
- Critical security decisions without human oversight - The model should not be used for:
  - Autonomous security decision-making without human review
  - Critical infrastructure protection without expert supervision
  - Final determination of security compliance without human verification
  - Autonomous vulnerability remediation without testing
- Legal or medical advice - The model is not qualified to provide:
  - Legal advice regarding security regulations, compliance requirements, or intellectual property disputes
  - Legal advice regarding security issues that would reference legal statutes, precedents, or case law necessary to provide legal advice
  - Medical advice regarding health impacts of security incidents
- Non-security use cases - The model is specifically optimized for cybersecurity and may not perform as well on general tasks as models trained for broader applications.
- Violation of Laws or Regulations - Any use that violates applicable laws or regulations.
How to Get Started with the Model
Use the code below to get started with the model. The cookbook provides example use cases, code samples for adoption, and references.
```python
# Import the required libraries
import torch
from transformers import AutoTokenizer, AutoModelForCausalLM

# Load the model and tokenizer
tokenizer = AutoTokenizer.from_pretrained("fdtn-ai/Foundation-Sec-8B")
model = AutoModelForCausalLM.from_pretrained("fdtn-ai/Foundation-Sec-8B")

# Example: Matching CWE to CVE IDs
prompt = """CVE-2021-44228 is a remote code execution flaw in Apache Log4j2 via unsafe JNDI lookups (“Log4Shell”). The CWE is CWE-502.
CVE-2017-0144 is a remote code execution vulnerability in Microsoft’s SMBv1 server (“EternalBlue”) due to a buffer overflow. The CWE is CWE-119.
CVE-2014-0160 is an information-disclosure bug in OpenSSL’s heartbeat extension (“Heartbleed”) causing out-of-bounds reads. The CWE is CWE-125.
CVE-2017-5638 is a remote code execution issue in Apache Struts 2’s Jakarta Multipart parser stemming from improper input validation of the Content-Type header. The CWE is CWE-20.
CVE-2019-0708 is a remote code execution vulnerability in Microsoft’s Remote Desktop Services (“BlueKeep”) triggered by a use-after-free. The CWE is CWE-416.
CVE-2015-10011 is a vulnerability about OpenDNS OpenResolve improper log output neutralization. The CWE is"""

# Tokenize the input
inputs = tokenizer(prompt, return_tensors="pt")

# Generate the response
outputs = model.generate(
    inputs["input_ids"],
    max_new_tokens=3,
    do_sample=True,
    temperature=0.1,
    top_p=0.9,
)

# Decode and print the response
response = tokenizer.decode(outputs[0], skip_special_tokens=True)
response = response.replace(prompt, "").strip()
print(response)
```
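An added example, not part of the original model card or the cookbook: it builds a few-shot prompt in the card's format and validates the decoded completion before anything consumes it, so output that is not a recognised CWE ID goes to an analyst instead of being accepted automatically, in line with the card's guidance on human review. The helper names, the allow-list and the sample completions are constructed assumptions.

```python
import re

# Labelled shots in the card's "<description> The CWE is CWE-N." format
# (descriptions shortened from the card's prompt).
SHOTS = [
    ("CVE-2014-0160 is an information-disclosure bug in OpenSSL's heartbeat "
     "extension causing out-of-bounds reads.", "CWE-125"),
    ("CVE-2019-0708 is a remote code execution vulnerability in Microsoft's "
     "Remote Desktop Services triggered by a use-after-free.", "CWE-416"),
]
# Assumption: the deployment only accepts CWE IDs it already knows.
ALLOWED = {"CWE-20", "CWE-117", "CWE-119", "CWE-125", "CWE-416", "CWE-502"}
CWE_RE = re.compile(r"^\s*(CWE-\d{1,4})\b")

def build_prompt(shots, query):
    """Few-shot prompt ending in an open 'The CWE is' for the model to complete."""
    parts = [f"{desc} The CWE is {cwe}." for desc, cwe in shots]
    parts.append(f"{query} The CWE is")
    return "\n".join(parts)

def parse_cwe(completion, allowed=ALLOWED):
    """Return the CWE ID the completion starts with, or None if it is
    missing, malformed or not on the allow-list."""
    match = CWE_RE.match(completion)
    if match and match.group(1) in allowed:
        return match.group(1)
    return None

def triage(completions):
    """Split completions into accepted labels and items for human review."""
    accepted, review = {}, []
    for item, text in completions.items():
        cwe = parse_cwe(text)
        if cwe:
            accepted[item] = cwe
        else:
            review.append(item)
    return accepted, review

# Constructed completions standing in for decoded model output.
SAMPLE = {
    "CVE-2015-10011": " CWE-117",  # well-formed and allow-listed
    "item-2": " a flaw in the",     # base model continued with prose
    "item-3": " CWE-99999",         # ID-shaped but malformed
    "item-4": " CWE-79",            # valid shape, not on the allow-list
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because this is a base model sampled with `do_sample=True`, the same prompt can yield different completions between runs, which is why the check is applied to every output instead of being validated once.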
Training and Evaluation
Training Data
Foundation-sec-8B was pretrained on approximately 5.1 billion tokens of cybersecurity-specific data curated in-house by Cisco’s Foundation AI team. The dataset was meticulously collected from public sources on the web.
The pre-training corpus was built through a multi-stage pipeline that included large-scale web crawling, relevancy filtering, deduplication, and quality filtering.
Data cutoff: April 10th, 2025.
More detailed methodology is available in the technical report.
Training Setup
Foundation-sec-8B is based on the Llama 3.1 8B architecture. Pre-training was performed on Cisco Foundation AI’s internal compute cluster.
Key training details:
- Continued pretraining for cybersecurity specialization
- 4096-token sequence length
- Optimizer: AdamW
More detailed methodology is available in the technical report.
Evaluation
Foundation-sec-8B was benchmarked on cybersecurity and general reasoning tasks, using a standardized 5-shot prompting setup (temperature = 0.3).
| Benchmark | Foundation-sec-8B | Llama 3.1 8B | Llama 3.1 70B |
| --- | --- | --- | --- |
| CTI-MCQA | 67.39 | 64.14 | 68.23 |
| CTI-RCM | 75.26 | 66.43 | 72.66 |
Benchmark Overview:
- CTI-MCQA: 2,500 multiple-choice questions testing cybersecurity knowledge across frameworks like MITRE ATT&CK, NIST, GDPR, and threat intelligence best practices.
- CTI-RCM: 900+ vulnerability root cause mapping examples linking CVEs to CWE categories, assessing deep understanding of security weaknesses.
Key highlights:
- +3 to +9 point gains over Llama-3.1-8B across security-specific benchmarks.
- Comparable or better performance than Llama-3.1-70B on cyber threat intelligence tasks.
- Minimal drop (~2%) in general language reasoning (MMLU) despite cybersecurity specialization.
For full benchmark details and evaluation methodology, please refer to the technical report.