RealMythos/pocwriter-v1
pocwriter-v1 is a full-parameter supervised fine-tune of Qwen3.5-9B, specialized for
security research: source-code vulnerability discovery/analysis and proof-of-concept (PoC)
generation for authorized testing. It is trained on
RealMythos/RealMythosReasoning,
a CVE-grounded C/C++ vulnerability-reasoning dataset.
Stage: stage-1 SFT,
checkpoint-748. This is an early/intermediate checkpoint — see Limitations.
Intended use
Built to assist defensive and authorized offensive security work:
- Vulnerability mining — spotting likely-vulnerable patterns in C/C++ source and explaining the bug class (with a focus on memory-safety issues).
- PoC drafting — generating proof-of-concept code to validate a finding on a target you are authorized to test (pentest engagements, CTF, your own systems, security research).
- Triage & write-ups — prioritizing findings, drafting reproduction steps and remediation advice.
Out of scope / responsible use
Do not use this model against systems you do not own or lack explicit written authorization to test. Generated PoCs are intended for validation in controlled, authorized environments only. Users are solely responsible for complying with applicable laws and for any consequences of use.
Training data
Trained on RealMythos/RealMythosReasoning (CC-BY-4.0):
- 6,159 examples, each tied to a unique real-world CVE (~177 MB), English.
- Each record pairs a vulnerability-analysis prompt + code context with CVE/CWE/project metadata, reasoning traces, a final response, and PoC evaluation scores (relevance / exploitability).
- Heavily weighted toward memory-safety classes — top CWEs: CWE-119 (buffer errors), CWE-125 (out-of-bounds read), CWE-787 (out-of-bounds write).
- Uses patch-unaware reasoning cleanup to reduce leakage from fixed-code information, plus quality-control review flags.
Training setup
| Base model | Qwen3.5-9B (Qwen3_5ForConditionalGeneration) |
| Method | Full-parameter supervised fine-tuning (SFT) |
| Framework | LLaMA-Factory |
| Distributed | DeepSpeed ZeRO |
| Checkpoint | stage-1, global step 748 |
| Precision | bf16 |
Usage
from transformers import AutoModelForCausalLM, AutoTokenizer
model_id = "RealMythos/pocwriter-v1"
tok = AutoTokenizer.from_pretrained(model_id)
model = AutoModelForCausalLM.from_pretrained(model_id, torch_dtype="auto", device_map="auto")
messages = [
{"role": "user", "content": "Analyze this function for memory-safety issues and, if any, draft a PoC:\n<code here>"},
]
inputs = tok.apply_chat_template(messages, add_generation_prompt=True, return_tensors="pt").to(model.device)
out = model.generate(inputs, max_new_tokens=512)
print(tok.decode(out[0][inputs.shape[-1]:], skip_special_tokens=True))
If this is the multimodal variant of the base, load it with the matching
AutoProcessor/AutoModelForImageTextToTextclass instead.
Limitations
- Intermediate stage-1 checkpoint; outputs may be unstable, incomplete, or change in later stages.
- Trained primarily on C/C++ memory-safety CVEs — weaker outside that distribution (other languages / bug classes).
- May hallucinate vulnerabilities or emit non-working PoCs — always verify manually.
- Inherits the biases, knowledge cutoff, and license terms of the Qwen3.5-9B base model.
Citation
Built on the RealMythos effort to reconstruct open-source security-reasoning infrastructure. If you use this model, please credit both the model and the RealMythosReasoning dataset.
- Downloads last month
- -