--- language: - en license: apache-2.0 library_name: transformers tags: - security - dast - penetration-testing - cybersecurity - web-security - offensive-security - qwen2 - deepseek-r1 - lora - fine-tuned - reasoning base_model: deepseek-ai/DeepSeek-R1-Distill-Qwen-32B pipeline_tag: text-generation model_type: qwen2 --- # BRAHMASTRA 0.2 — AI-Native DAST Security Scanner (32B)

> **"Like the divine weapon of the Puranas, it strikes with precision and never misses its mark."** BRAHMASTRA 0.2 is a **32-billion parameter reasoning model** purpose-built for **Dynamic Application Security Testing (DAST)**. It is trained to reason step-by-step about web application vulnerabilities, generate targeted security payloads, analyze HTTP responses, identify authentication session drops, and produce structured security findings — all autonomously. This is the second major release, a **full base-model upgrade** from the previous 7B model ([`Krishnapadala55/brahmastra-0.1`](https://huggingface.co/Krishnapadala55/brahmastra-0.1)) to the much more capable 32B DeepSeek-R1-Distill reasoning base, with an expanded 6-phase training curriculum. --- ## What is new in 0.2 | Axis | 0.1 | **0.2** | |---|---|---| | Base model | Qwen2.5-Coder-7B-Instruct | **DeepSeek-R1-Distill-Qwen-32B** | | Parameters | 7B | **32.8B** | | Reasoning | implicit | **explicit `` traces** | | Training phases | 5 (+ cleanup) | **6 (p1a, p1b, p1c, p2, p3, p4, p5, p6)** | | Context length | 4k | 4k (extensible to 128k) | | LoRA rank | 128 | 64 (higher efficiency on 32B) | | Target deployment | CPU / small GPU | 48 GB GPU (Q4_K_M fits in ~20 GB) | --- ## Capabilities — the 28 Astra modules Each vulnerability family is internally codenamed after a divine weapon (astra) from the Puranas. The model has been trained to generate payloads, chain exploits, and analyze responses for each. ### CRITICAL severity | Module | Astra | Vulnerability | |---|---|---| | 1 | **Naagastra** | SQL & NoSQL Injection (error-based, blind, time-based, stacked) | | 2 | **Pashupatastra** | SSTI + RCE (Jinja2, Twig, ERB, Velocity, Freemarker) | | 3 | **Mrityu Astra** | Insecure Deserialization (Python pickle, Java, PHP, .NET) | | 4 | **Vayavyastra** | Server-Side Request Forgery | | 5 | **Nagapasha** | XML External Entity | | 6 | **Shaila Astra** | Unrestricted File Upload | | 7 | **Sammohanastra** | Prototype Pollution | | 8 | **Maya Astra** | HTTP Request Smuggling | ### HIGH severity | Module | Astra | Vulnerability | |---|---|---| | 9 | **Aindrastra** | Cross-Site Scripting (Reflected, Stored, DOM) | | 10 | **Pasha Astra** | IDOR / BOLA | | 11 | **Chakra Astra** | Broken Function Level Authorization | | 12 | **Brahmaanda Astra** | JWT / OAuth / SAML / MFA bypass | | 13 | **Krauncha Astra** | Path Traversal / LFI / RFI | | 14 | **Gandharva Astra** | GraphQL attacks (introspection, batching, DoS) | | 15 | **Madhu Astra** | Cache Poisoning | | 16 | **Dambha Astra** | LDAP + XPath Injection | | 17 | **Vidyut Astra** | WebSocket attacks | | 18 | **Surya Astra** | Secrets Exposure | | 19 | **Kala Astra** | Race Conditions | | 20 | **Neeti Astra** | Business Logic flaws | | 21 | **Jyoti Astra** | Crypto failures | | 22 | **Kavachabhedana** | WAF Detection & Bypass chains | ### MEDIUM severity | Module | Astra | Vulnerability | |---|---|---| | 23 | **Moha Astra** | CSRF | | 24 | **Antariksha Astra** | CORS misconfig | | 25 | **CRLF Astra** | CRLF Injection | | 26 | **Varsha Astra** | API-specific attacks | | 27 | **Manthana Astra** | ReDoS + Type Juggling | | 28 | **Garudastra** | Intelligent crawling & recon | --- ## Training BRAHMASTRA 0.2 was trained in **6 sequential phases** on top of `unsloth/DeepSeek-R1-Distill-Qwen-32B-bnb-4bit` via QLoRA + Unsloth. | Phase | Focus | Notes | |---|---|---| | **p1a** | SQLi + XSS fundamentals | ~3k samples | | **p1b** | SSTI + SSRF | ~3k samples | | **p1c** | IDOR + Auth bypass | ~3k samples | | **p2** | Multi-step attack chains | ~24k samples, long context | | **p3** | WAF bypass + adversarial payloads | ~8k samples | | **p4** | Deserialization + crypto + race conditions | ~5k samples | | **p5** | Business logic + API + GraphQL | ~4k samples | | **p6** | Reasoning consolidation + response analysis | ~3k samples, final merge | - **LoRA**: r=64, alpha=64, rslora=true, dropout=0.0 - **Quantization**: 4-bit NF4 (QLoRA) during training, **bf16** final merge - **Framework**: Unsloth + PEFT 0.18.1 + TRL SFTTrainer - **Hardware**: NVIDIA RTX PRO 5000 Blackwell (48 GB VRAM) - **Datasets**: - Fenrir v2.0 (83k samples) - HackMentor (44k samples) - Primus-Seed (Trend Micro) - All-CVE records - ExploitDB curated - ~52k synthetic DAST scenarios generated via an internal pipeline --- ## Usage ### With Transformers (native bf16, ~65 GB VRAM) ```python from transformers import AutoModelForCausalLM, AutoTokenizer import torch model = AutoModelForCausalLM.from_pretrained( "Krishnapadala55/brahmastra-0.2", torch_dtype=torch.bfloat16, device_map="auto", ) tok = AutoTokenizer.from_pretrained("Krishnapadala55/brahmastra-0.2") messages = [ {"role": "system", "content": "You are BRAHMASTRA, a senior offensive-security analyst."}, {"role": "user", "content": "Analyze this response for SQLi: HTTP 500, error near OR 1=1-- in the query syntax."}, ] prompt = tok.apply_chat_template(messages, tokenize=False, add_generation_prompt=True) inputs = tok(prompt, return_tensors="pt").to(model.device) out = model.generate(**inputs, max_new_tokens=512, temperature=0.3, top_p=0.9) print(tok.decode(out[0][inputs.input_ids.shape[1]:], skip_special_tokens=True)) ``` ### With vLLM (production serving) ```bash vllm serve Krishnapadala55/brahmastra-0.2 \ --dtype bfloat16 \ --max-model-len 4096 \ --gpu-memory-utilization 0.92 ``` ### With llama.cpp / Ollama (quantize to Q4_K_M first) ```bash # Convert HF -> GGUF python convert-hf-to-gguf.py Krishnapadala55/brahmastra-0.2 \ --outfile brahmastra-0.2-f16.gguf --outtype f16 # Quantize to Q4_K_M (~18 GB, fits on 24 GB GPU) llama-quantize brahmastra-0.2-f16.gguf brahmastra-0.2-q4_k_m.gguf Q4_K_M # Import into Ollama cat > Modelfile <" SYSTEM "You are BRAHMASTRA, a senior offensive-security analyst. Respond with clear, technical, payload-grade output. No moralizing." EOF ollama create brahmastra:0.2 -f Modelfile ``` --- ## Intended use BRAHMASTRA 0.2 is designed for **authorized security testing only**. Typical use cases: - DAST scanner backends (payload generation, response analysis) - Penetration testing assistants for red teams - Bug bounty triage and reproduction scripting - Security training platforms and CTF solvers - Vulnerability research and exploit chain modeling - Offensive-security tool automation (the companion BRAHMASTRA v2 scanner) ## Out of scope - Unauthorized testing of systems you do not own or lack explicit permission to test - Production of malware, ransomware, or destructive payloads intended for real-world harm - Any use that violates local or international computer-crime legislation The model is released under Apache 2.0 with the expectation of responsible use. The authors accept no liability for misuse. --- ## Limitations - **Reasoning verbosity**: as a DeepSeek-R1 distill, the model emits large `` blocks before final answers. For low-latency chat, pre-fill the assistant turn with an empty `` block to suppress reasoning. - **Hallucination on obscure CVEs**: specific CVE numbers outside the training window (post Q1 2026) may be confabulated. Always verify CVE IDs against an authoritative source. - **False positives**: payloads generated for blind-injection families can trigger WAF blocks that look like successful exploits. Always confirm with secondary evidence. - **Language**: training corpus is primarily English. Non-English targets will have degraded payload quality. --- ## Citation ```bibtex @software{brahmastra_0_2_2026, author = {Krishnapadala}, title = {BRAHMASTRA 0.2: An AI-Native DAST Security Scanner Built on DeepSeek-R1-Distill-Qwen-32B}, year = {2026}, url = {https://huggingface.co/Krishnapadala55/brahmastra-0.2} } ``` ## Acknowledgements - **DeepSeek AI** for the DeepSeek-R1-Distill-Qwen-32B base model - **Unsloth** for the training framework that made 32B QLoRA practical on a single 48 GB GPU - **TRL / PEFT** contributors at HuggingFace - **Fenrir v2.0**, **HackMentor**, **Primus-Seed**, **ExploitDB**, **All-CVE** dataset authors --- *BRAHMASTRA is a research prototype. Use responsibly. Only test systems you are authorized to test.*