HackerTrans
TopNewTrendsCommentsPastAskShowJobs

dk189

no profile record

Submissions

Show HN: We post-trained a model that pen tests instead of refusing

argusred.com
93 points·by dk189·21 ngày trước·40 comments

comments

dk189
·21 ngày trước·discuss
It's named throughout our main website, the RL is on Kimi K2.6, benchmarks are vs K2.6: https://cosine.sh/blog/introducing-lumen-outpost. The ArgusRed page is a week old so it's not on there yet, but nothing's hidden. And K2.6 only needs attribution above a certain scale, the threshold Cursor hit and we haven't.

On Shannon airgapped in your VPC, if it works for you, you might not need us. A normal model will refuse or hedge on offensive tasks, we post-trained ours to just run the authorised stuff. For this one narrow job, a specialist that'll actually attack beats a generalist that won't.
dk189
·21 ngày trước·discuss
Agreed, and that's basically our premise. If a 5 person team can post-train an open model to do this, so can the people you don't want doing it, model-level refusals on open weights are a speed bump. Which is the argument for defenders having it too, not against.
dk189
·21 ngày trước·discuss
Fair, should've been precise. What's free today is the scan: read-only. The Bank of Anthos integer overflow is a scan finding, clone it and you'll get the same. The active mode that actually sends the exploit and shows the response is gated for now, that's the part that's really 'pen test'. Juice Shop's a fair target for showing it, will try to get this done and post an update.
dk189
·21 ngày trước·discuss
Did you follow the link? There is a brew install binary you can install and test. It's live.
dk189
·21 ngày trước·discuss
The tool is live, you can test it.
dk189
·21 ngày trước·discuss
The RL is easy to describe, hard to do. The nice thing about pen testing is the reward isn't a vibe like training for code quality, the exploit either lands or it doesn't. The day to day is not glamorous at all, mostly fighting for stable gpu access, watching a cluster sit half-idle with nodes you somehow can't book.
dk189
·21 ngày trước·discuss
You need both, scanning for your own code, pen testing to actually prove vulnerabilities, otherwise it can be very noisy and one of the things that most tools currently suffer from is they give you too many false positives. For the moment. The pen testing we gated it for now until we resolve the debate of safety.
dk189
·21 ngày trước·discuss
I think the policy universally makes sense, who would want to give a tool like this to bad actors? But it does leave a big section of the market underserved. Particularly when Mythos was made accessible to very large orgs and then Fable was pulled on export grounds.
dk189
·tháng trước·discuss
[flagged]