Model Details
Table with columns: Property, Value| Property | Value |
|---|
| Base model | Qwen/Qwen3.6-27B |
| Fine-tuning | QLoRA 4-bit (bitsandbytes NF4) |
| LoRA rank | 16 |
| Trainable params | 79.7M / 27.4B (0.29%) |
| Training hardware | 1× NVIDIA A100-40GB (Modal) |
| Training time | ~2.5 hours |
| Training loss | 0.257 (average), 0.076 (final step) |
| Sequence length | 4096 |
| Epochs | 2 |
| License | Apache 2.0 |
Training Dataset: blueteam-comprehensive-v1
The dataset was generated from 714 red-team attack skills covering the full MITRE ATT&CK landscape, plus custom written content. Total: 1,933 records (1,739 train / 194 val).
Table with columns: Category, Count, Description| Category | Count | Description |
|---|
| Attack→Detection inversion | 1,864 | 714 red-team skills × detection query + investigation guidance + remediation |
| MITRE ATT&CK techniques | 84 | 21 techniques × detection + investigation chain + remediation |
| Multi-turn scenarios | 5 | Ransomware, Golden Ticket/AD, Cloud compromise, Insider threat, Defensive strategy |
| Defensive strategy | 3 | APT defense, Zero Trust architecture, High-ROI prioritization |
Dataset Coverage
- Initial Access: Phishing (T1566), Exploit Public-Facing App (T1190), Valid Accounts (T1078)
- Execution: Command & Scripting Interpreter (T1059), User Execution (T1204)
- Persistence: Boot/Logon Autostart (T1547), Create Account (T1136)
- Privilege Escalation: Abuse Elevation Control (T1548), Token Manipulation (T1134)
- Defense Evasion: Impair Defenses (T1562), Obfuscated Files (T1027)
- Credential Access: OS Credential Dumping (T1003), Brute Force (T1110)
- Discovery: Account Discovery (T1087), Permission Groups (T1069)
- Lateral Movement: Remote Services (T1021), Lateral Tool Transfer (T1570)
- Collection: Data Staged (T1074)
- C2: Application Layer Protocol (T1071)
- Exfiltration: Exfiltration Over Alternative Protocol (T1048)
- Impact: Data Encrypted for Impact / Ransomware (T1486)
Verified Capabilities
The model correctly handles:
- DCSync detection → Event ID 4662 with correct DS-Replication GUIDs (
1131f6aa, 1131f6ad)
- Kerberoasting → Event ID 4769 with service account (
$) filtering, Splunk KPI
- PsExec lateral movement → Event ID 4688/7045 correlation, Splunk query
- Golden Ticket remediation → KRBTGT double-reset, DC rebuild, service account reset
- Ransomware investigation → Vssadmin/bcdedit precursors, phased IR approach
- Network detection → Suricata rules, Zeek scripts, Wireshark filters
Usage
from transformers import AutoModelForCausalLM, AutoTokenizer
from peft import PeftModel
base_model = "Qwen/Qwen3.6-27B"
peft_model = "dazeb2/Qwen3.6-27B-blueteam-v1"
tokenizer = AutoTokenizer.from_pretrained(base_model)
model = AutoModelForCausalLM.from_pretrained(
base_model,
load_in_4bit=True,
device_map="auto",
)
model = PeftModel.from_pretrained(model, peft_model)
messages = [
{"role": "system", "content": "You are a senior blue team security analyst. Provide concrete commands and queries."},
{"role": "user", "content": "How do I detect DCSync attacks in Active Directory?"},
]
inputs = tokenizer.apply_chat_template(messages, tokenize=True, add_generation_prompt=True, return_tensors="pt")
outputs = model.generate(inputs, max_new_tokens=256, temperature=0.1)
print(tokenizer.decode(outputs[0]))
Inference with llama.cpp (LoRA)
Download the base GGUF:
hf download unsloth/Qwen3.6-27B-GGUF Qwen3.6-27B-UD-Q2_K_XL.gguf --local-dir ./models/
Convert the LoRA to GGUF:
# Requires transformers
python3 llama.cpp/convert_lora_to_gguf.py ./lora --outfile ./lora/blueteam-lora.gguf --base ./base
Run with llama-server:
llama-server \
-m ./models/Qwen3.6-27B-UD-Q2_K_XL.gguf \
--lora ./lora/blueteam-lora.gguf \
-ngl 99 -c 2048 \
--temp 0.1
Quantization for VRAM-limited GPUs
Table with columns: Quant, Size, Quality, Minimum VRAM| Quant | Size | Quality | Minimum VRAM |
|---|
| UD-Q2_K_XL | 12 GB | Good (dynamic) | 12 GB |
| UD-IQ2_M | ~9 GB | Decent | 10 GB |
| Q3_K_S | 12 GB | Moderate | 12 GB |
Training Recipe
The model was trained using Unsloth on a single A100-40GB with the following configuration:
- Library:
unsloth>=2026.6.9, transformers>=5.5.0, trl>=0.16.0
- Quantization: 4-bit NF4 (bitsandbytes)
- LoRA: r=16, alpha=16, dropout=0, target=all attention + MLP layers
- Training: 2 epochs, batch size 2 (effective 8 with grad accum 4)
- Learning rate: 2e-4, linear schedule, 100 warmup steps
- Optimizer: AdamW 8-bit
- Sequence length: 4096
Limitations
- Fine-tuned specifically for defensive security operations. General knowledge and creative tasks may degrade.
- Detection guidance focuses on Windows/AD environments (most common in enterprise SOC). Cloud (AWS/Azure/GCP) and Linux coverage is present but less extensive.
- Responses are command-focused — the model is optimized for concrete, actionable output over conversational prose.
- Trained on 2 epochs of ~1,900 records — a lightweight fine-tuning. Additional data would likely improve coverage.
- Qwen3.6 thinking mode is active — the model may output
<think> tags in its reasoning. Use the chat template or strip these in post-processing.
Files
Table with columns: File, Size, Description| File | Size | Description |
|---|
adapter_model.safetensors | 305 MB | LoRA adapter weights |
adapter_config.json | 1.5 KB | LoRA configuration |
config.json | 4.1 KB | Model configuration |
tokenizer.json | 20 MB | Qwen3.6 tokenizer |
|