In‑Depth Evaluation of the 1.5B‑Parameter Security‑SLM‑1.5B Model Running Locally on CPU
The article provides a detailed technical assessment of the open‑source 1.5 billion‑parameter security‑SLM‑1.5B language model, covering its architecture, quantized GGUF format, blue‑team and red‑team capabilities, training metrics, performance improvements, and step‑by‑step deployment on CPU via Ollama, llama.cpp, and Python.
Project Overview
The security‑SLM‑1.5B model is a 1.5 billion‑parameter LLM fine‑tuned for cybersecurity scenarios. Built on an Unsloth‑optimized DeepSeek‑R1‑Distill‑Qwen‑1.5B base and packaged in GGUF Q4_K_M format, it runs on a regular CPU with roughly 1.2 GB memory, breaking the GPU‑only barrier for security practitioners.
Core Capability Analysis
Blue‑Team Functions
Prompt‑injection and tool‑contamination detection: Trained on emerging AI‑native threats such as Model Context Protocol attacks, it identifies anomalous tool‑call patterns and suggests mitigations.
Ransomware incident response: Recognizes families like LockBit, BlackCat/ALPHV, Cl0p, Akira and can generate response playbooks with priority rankings.
MITRE ATT&CK mapping & rule generation: Extracts TTPs from logs, maps them to the ATT&CK framework, and produces corresponding Sigma or KQL queries.
CVE/CWE inference: Performs root‑cause analysis for common vulnerabilities such as CWE‑89 (SQL injection), CWE‑79 (XSS), CWE‑287 (auth bypass), and CWE‑502 (deserialization).
Red‑Team Functions
Attack‑chain simulation: Generates reverse‑engineered attack paths from a defensive perspective to aid red‑team scenario building.
Cloud‑native AI attacks: Covers RAG poisoning, AI‑agent‑driven SSRF, and misconfigured S3 exploitation.
Guardrail‑bypass detection: Identifies evasion techniques such as Base64 encoding, Unicode homoglyphs, and mixed‑encoding tricks.
Compliance & Fraud Detection
The model also includes financial‑fraud pattern analysis (account takeover, money mule, SIM swap, deep‑fake identity) and can reason about gaps in NDPR, GDPR, PCI‑DSS v4.0, and ISO 27001 frameworks.
Training and Performance Data
Base architecture: Qwen2 / DeepSeek‑R1‑Distill
Parameters: 1.5 B
Quantization: GGUF Q4_K_M
Inference memory: ~1.2 GB
Training epochs: 5
Final training loss: 1.69
Evaluation score (pre‑fine‑tune): 3.4/10
Evaluation score (post‑fine‑tune): 8.0/10
Performance gain: +135 %
Thought‑block activation: 100 %
LoRA rank: r=16
Target modules: q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj
Quick Deployment Guide
4.1 Run with Ollama (recommended)
ollama run hf.co/Nguuma/security-slm-unsloth-1.5b
To customize the system prompt, create a Modelfile:
FROM hf.co/Nguuma/security-slm-unsloth-1.5b
SYSTEM "You are a Cybersecurity assistant with Blue and Red team security reasoning. Think step by step before answering."
PARAMETER temperature 0.7
PARAMETER top_p 0.9
PARAMETER num_predict 512
PARAMETER num_ctx 2048
Then execute:
ollama create security-slm -f Modelfile && ollama run security-slm
4.2 Run with llama.cpp
huggingface-cli download Nguuma/security-slm-unsloth-1.5b --include "*.gguf" --local-dir ./
./llama-cli -m security-slm-finetuned.gguf \
  --prompt "Analyse this log entry for signs of prompt injection: ..." \
  -n 512
4.3 Python usage example
from huggingface_hub import hf_hub_download
from llama_cpp import Llama
# Download the quantized GGUF file from the Hugging Face Hub into ./models
model_path = hf_hub_download(
    repo_id="Nguuma/security-slm-unsloth-1.5b",
    filename="security-slm-finetuned.gguf",
    local_dir="./models",
)
# Load the model on CPU with a 2048-token context window and 4 threads
llm = Llama(model_path=model_path, n_ctx=2048, n_threads=4, verbose=False)
# Ask about a suspicious tool-call response; the reply text is in
# response["choices"][0]["message"]["content"]
response = llm.create_chat_completion(
    messages=[
        {"role": "system", "content": "You are a Cybersecurity assistant with Blue and Red team security reasoning. Think step by step before answering."},
        {"role": "user", "content": 'An AI agent received this tool-call response: {"file": "../../../../etc/passwd"}. Is this a path traversal attack? What should the agent do?'},
    ],
    max_tokens=512,
    temperature=0.7,
    top_p=0.9,
)
Download Links
The model is open‑source on HuggingFace and free for commercial use:
HuggingFace URL: https://huggingface.co/Nguuma/security-slm-unsloth-1.5b
*.gguf: Quantized model (recommended with Ollama or llama.cpp)
adapter_model.safetensors: ~30 MB LoRA weights for Transformers + PEFT
adapter_config.json: LoRA configuration file
tokenizer*: Tokenizer files
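A check worth running on the downloaded *.gguf before handing it to Ollama or llama.cpp, shown here as an added example that is not part of the original article or the model repository: compare the file's SHA-256 against a digest you recorded from a reviewed download, then confirm the fixed GGUF header is well formed. The function names and the pinned digest are assumptions of this example; passing a commit hash as `revision=` to `hf_hub_download` keeps later downloads on the same reviewed files.

```python
import hashlib
import struct

GGUF_MAGIC = b"GGUF"
SUPPORTED_VERSIONS = {2, 3}  # the 24-byte layout parsed below applies to GGUF v2 and v3


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large model never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_gguf_header(path):
    """Parse magic, version, tensor count and metadata key count (little-endian)."""
    with open(path, "rb") as fh:
        raw = fh.read(24)
    if len(raw) < 24:
        raise ValueError("file too short to be GGUF")
    magic, version, n_tensors, n_kv = struct.unpack("<4sIQQ", raw)
    if magic != GGUF_MAGIC:
        raise ValueError(f"bad magic {magic!r}, not a GGUF file")
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported GGUF version {version}")
    return {"version": version, "tensors": n_tensors, "metadata_keys": n_kv}


def verify_model(path, pinned_sha256):
    """Return the parsed header only when the digest matches the pinned value.

    pinned_sha256 is an assumption of this example: record it yourself from a
    download you have reviewed; the article does not publish one.
    """
    actual = sha256_file(path)
    if actual != pinned_sha256.strip().lower():
        raise ValueError(f"digest mismatch: got {actual}")
    return read_gguf_header(path)
```
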
Blue‑Team Perspective Summary
Offline threat analysis: Sensitive alerts can be processed locally, eliminating data‑exfiltration risk.
Automated rule generation: The model can infer Sigma/KQL rules directly from log entries, reducing manual SIEM rule‑writing effort.
Accelerated incident response: Rapid generation of ransomware response playbooks shortens MTTR.
AI‑native threat detection: Detects emerging attacks such as prompt‑injection and tool‑call abuse, filling a gap in current blue‑team toolsets.
It is recommended to trial the model in a controlled environment and validate its usefulness against specific SOC use cases.
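One way to run such a trial, as an added example that is not part of the original article or the model's tooling: score the model's verdicts on the tool-call prompt from section 4.3 against a deterministic path check, so that misses and false alarms are counted rather than judged by eye. The sandbox root, the VERDICT line format and the sample cases are assumptions constructed for this example.

```python
import json
import posixpath
import re

ALLOWED_ROOT = "/srv/agent/workspace"  # assumed sandbox root for the agent's file tool

# Constructed tool-call responses; the first is the one used in section 4.3.
CASES = [
    '{"file": "../../../../etc/passwd"}',
    '{"file": "reports/2024/summary.txt"}',
    '{"file": "/etc/shadow"}',
    '{"file": "logs/../notes.md"}',
]


def escapes_root(tool_response, root=ALLOWED_ROOT):
    """Ground truth: True when the 'file' field resolves outside root.
    Lexical check only; on a real host also resolve symlinks (os.path.realpath)."""
    path = json.loads(tool_response)["file"]
    resolved = posixpath.normpath(posixpath.join(root, path))
    return not (resolved == root or resolved.startswith(root + "/"))


def parse_verdict(model_text):
    """Read the verdict that follows the reasoning block; None if there is none."""
    answer = model_text.rsplit("</think>", 1)[-1]
    match = re.search(r"VERDICT:\s*(MALICIOUS|BENIGN)", answer, re.IGNORECASE)
    return match.group(1).upper() if match else None


def evaluate(ask_model, cases=CASES):
    """ask_model(prompt) -> str. Count model verdicts against the ground truth."""
    counts = {"correct": 0, "missed": 0, "false_alarm": 0, "unparsed": 0}
    for case in cases:
        prompt = ("An AI agent received this tool-call response: " + case +
                  ". Is this a path traversal attack? "
                  "End with 'VERDICT: MALICIOUS' or 'VERDICT: BENIGN'.")
        verdict = parse_verdict(ask_model(prompt))
        truth = escapes_root(case)
        if verdict is None:
            counts["unparsed"] += 1
        elif (verdict == "MALICIOUS") == truth:
            counts["correct"] += 1
        elif truth:
            counts["missed"] += 1
        else:
            counts["false_alarm"] += 1
    return counts
```

With the `llm` object from section 4.3, `ask_model` can be `lambda p: llm.create_chat_completion(messages=[{"role": "user", "content": p}], max_tokens=512)["choices"][0]["message"]["content"]`. Whatever the score, the agent should enforce `escapes_root` itself and treat the model's answer as triage context only.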
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path
