In‑Depth Evaluation of the 1.5B‑Parameter Security‑SLM‑1.5B Model Running Locally on CPU

The article provides a detailed technical assessment of the open‑source 1.5 billion‑parameter security‑SLM‑1.5B language model, covering its architecture, quantized GGUF format, blue‑team and red‑team capabilities, training metrics, performance improvements, and step‑by‑step deployment on CPU via Ollama, llama.cpp, and Python.

Black & White Path

Project Overview

The security‑SLM‑1.5B model is a 1.5 billion‑parameter LLM fine‑tuned for cybersecurity scenarios. Built on an Unsloth‑optimized DeepSeek‑R1‑Distill‑Qwen‑1.5B base and packaged in GGUF Q4_K_M format, it runs on a regular CPU with roughly 1.2 GB memory, breaking the GPU‑only barrier for security practitioners.

Core Capability Analysis

Blue‑Team Functions

Prompt‑injection and tool‑contamination detection: Trained on emerging AI‑native threats such as Model Context Protocol attacks, it identifies anomalous tool‑call patterns and suggests mitigations.

Ransomware incident response: Recognizes families like LockBit, BlackCat/ALPHV, Cl0p, Akira and can generate response playbooks with priority rankings.

MITRE ATT&CK mapping & rule generation: Extracts TTPs from logs, maps them to the ATT&CK framework, and produces corresponding Sigma or KQL queries.

CVE/CWE inference: Performs root‑cause analysis for common vulnerabilities such as CWE‑89 (SQL injection), CWE‑79 (XSS), CWE‑287 (auth bypass), and CWE‑502 (deserialization).

Red‑Team Functions

Attack‑chain simulation: Generates reverse‑engineered attack paths from a defensive perspective to aid red‑team scenario building.

Cloud‑native AI attacks: Covers RAG poisoning, AI‑agent‑driven SSRF, and misconfigured S3 exploitation.

Guardrail‑bypass detection: Identifies evasion techniques such as Base64 encoding, Unicode homoglyphs, and mixed‑encoding tricks.

Compliance & Fraud Detection

The model also includes financial‑fraud pattern analysis (account takeover, money mule, SIM swap, deep‑fake identity) and can reason about gaps in NDPR, GDPR, PCI‑DSS v4.0, and ISO 27001 frameworks.

Training and Performance Data

Base architecture: Qwen2 / DeepSeek‑R1‑Distill

Parameters: 1.5 B

Quantization: GGUF Q4_K_M

Inference memory: ~1.2 GB

Training epochs: 5

Final training loss: 1.69

Evaluation score (pre‑fine‑tune): 3.4/10

Evaluation score (post‑fine‑tune): 8.0/10

Performance gain: +135 %

Thought‑block activation: 100 %

LoRA rank: r=16

Target modules: q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj

Quick Deployment Guide

4.1 Run with Ollama (recommended)

ollama run hf.co/Nguuma/security-slm-unsloth-1.5b

To customize the system prompt, create a Modelfile:

FROM hf.co/Nguuma/security-slm-unsloth-1.5b

SYSTEM "You are a Cybersecurity assistant with Blue and Red team security reasoning. Think step by step before answering."

PARAMETER temperature 0.7
PARAMETER top_p 0.9
PARAMETER num_predict 512
PARAMETER num_ctx 2048

Then execute:

ollama create security-slm -f Modelfile && ollama run security-slm

4.2 Run with llama.cpp

huggingface-cli download Nguuma/security-slm-unsloth-1.5b --include "*.gguf" --local-dir ./

./llama-cli -m security-slm-finetuned.gguf \
  --prompt "Analyse this log entry for signs of prompt injection: ..." \
  -n 512

4.3 Python usage example

from huggingface_hub import hf_hub_download
from llama_cpp import Llama

# Fetch the quantized GGUF file from the Hugging Face repository.
model_path = hf_hub_download(
    repo_id="Nguuma/security-slm-unsloth-1.5b",
    filename="security-slm-finetuned.gguf",
    local_dir="./models",
)

# Load the model for CPU inference: 2048-token context, 4 threads.
llm = Llama(model_path=model_path, n_ctx=2048, n_threads=4, verbose=False)

response = llm.create_chat_completion(
    messages=[
        {"role": "system", "content": "You are a Cybersecurity assistant with Blue and Red team security reasoning. Think step by step before answering."},
        {"role": "user", "content": 'An AI agent received this tool-call response: {"file": "../../../../etc/passwd"}. Is this a path traversal attack? What should the agent do?'}
    ],
    max_tokens=512,
    temperature=0.7,
    top_p=0.9,
)

# The completion is an OpenAI-style dict; print the assistant's reply.
print(response["choices"][0]["message"]["content"])
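The question put to the model above can also be answered deterministically before the agent touches the file system. This added example (not part of the original article or the model's project) canonicalises the `file` value and rejects anything that resolves outside a sandbox root; `check_tool_path` and `/srv/agent-workspace` are hypothetical names.

```python
import json
import os
from urllib.parse import unquote

# Hypothetical sandbox root for files the agent may read (assumption, not from the article).
ALLOWED_ROOT = "/srv/agent-workspace"


def check_tool_path(tool_response: str, allowed_root: str = ALLOWED_ROOT) -> dict:
    """Decide whether the "file" field of a tool-call response stays inside allowed_root."""
    try:
        payload = json.loads(tool_response)
    except json.JSONDecodeError:
        return {"allow": False, "reason": "response is not valid JSON"}
    raw = payload.get("file") if isinstance(payload, dict) else None
    if not isinstance(raw, str) or not raw:
        return {"allow": False, "reason": "missing or non-string 'file' field"}

    # Undo percent-encoding (up to three layers) so %2e%2e%2f is treated as "../".
    decoded = raw
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:
        return {"allow": False, "reason": "NUL byte in path"}

    root = os.path.realpath(allowed_root)
    # Join, then canonicalise: realpath collapses ".." and resolves existing symlinks.
    # An absolute input replaces the root in join() and is caught by the check below.
    candidate = os.path.realpath(os.path.join(root, decoded.replace("\\", "/")))
    # commonpath compares whole components, so "/srv/agent-workspace-evil" does not pass.
    if os.path.commonpath([root, candidate]) != root:
        return {"allow": False, "reason": f"resolves outside sandbox: {candidate}"}
    return {"allow": True, "reason": "inside sandbox root", "path": candidate}


# Constructed samples: the article's tool-call response and a benign one.
if __name__ == "__main__":
    for sample in ('{"file": "../../../../etc/passwd"}', '{"file": "reports/alert-001.json"}'):
        print(sample, "->", check_tool_path(sample))
```

The caller should open the returned `path`, not the raw string, so the file that was checked is the file that is read.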

Download Links

The model is open‑source on HuggingFace and free for commercial use:

HuggingFace URL: https://huggingface.co/Nguuma/security-slm-unsloth-1.5b

*.gguf: Quantized model (recommended with Ollama or llama.cpp)

adapter_model.safetensors: ~30 MB LoRA weights for Transformers + PEFT

adapter_config.json: LoRA configuration file

tokenizer*: Tokenizer files
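Because the GGUF file is pulled from a third-party repository, an integrity gate before loading is worth having. This added example (not from the article or the model's repository) parses the GGUF header and compares the file's SHA-256 with a pinned value; the digest is a placeholder because the article gives none, and `verify_gguf`, `build_sample_gguf` and `MAX_COUNT` are hypothetical.

```python
import hashlib
import hmac
import struct

# Placeholder: the article publishes no digest. Record one from a copy you have reviewed.
PINNED_SHA256 = "<sha256-of-reviewed-gguf>"
MAX_COUNT = 1_000_000  # assumed sanity bound on tensor / metadata counts, not from the spec


def verify_gguf(path: str, expected_sha256: str = PINNED_SHA256) -> dict:
    """Check the GGUF header and the file's SHA-256 before handing it to a loader."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(24)  # magic(4) + version(u32) + tensor_count(u64) + kv_count(u64)
        digest.update(header)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)

    if len(header) < 24 or header[:4] != b"GGUF":
        raise ValueError("bad magic or truncated header: not a GGUF file")
    version, tensor_count, kv_count = struct.unpack("<IQQ", header[4:])
    if version not in (2, 3):  # this parser handles the v2/v3 header layout only
        raise ValueError(f"unexpected GGUF version {version}")
    if tensor_count > MAX_COUNT or kv_count > MAX_COUNT:
        raise ValueError("implausible tensor or metadata count in header")
    actual = digest.hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"SHA-256 mismatch: got {actual}")
    return {"version": version, "tensors": tensor_count,
            "metadata_kv": kv_count, "sha256": actual}


def build_sample_gguf(path: str) -> str:
    """Write a constructed, header-only GGUF-like file for testing; returns its SHA-256."""
    blob = struct.pack("<4sIQQ", b"GGUF", 3, 2, 5) + b"constructed sample payload"
    with open(path, "wb") as fh:
        fh.write(blob)
    return hashlib.sha256(blob).hexdigest()
```

`hf_hub_download` also accepts a `revision` argument, so the download itself can be pinned to a specific commit instead of the repository's moving default branch.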

Blue‑Team Perspective Summary

Offline threat analysis: Sensitive alerts can be processed locally, so alert data does not have to be sent to an external service, eliminating that data‑exfiltration risk.

Automated rule generation: The model can infer Sigma/KQL rules directly from log entries, reducing manual SIEM rule‑writing effort.

Accelerated incident response: Rapid generation of ransomware response playbooks shortens MTTR.

AI‑native threat detection: Detects emerging attacks such as prompt‑injection and tool‑call abuse, filling a gap in current blue‑team toolsets.

It is recommended to trial the model in a controlled environment and validate its usefulness against specific SOC use cases.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
