securityllm-notebooks
Build the SecurityLLM quant — and call the model — on a Spark or a free cloud GPU
What this notebook does
The artifact → card → article loop sells the outcome but offers no runnable on-ramp: a researcher who wants to reproduce the five-variant quant, or a developer who wants to call the model, has to reconstruct the journey from prose. These two notebooks close that gap. The builder notebook walks the feasibility → quantize → measure → publish journey as typed fieldkit API calls; the user notebook calls SecurityLLM on real security-MCQ and threat- reasoning tasks. Both are one-click via Open in Colab / Open in Kaggle and run offline on a DGX Spark — no incident detail leaves the network.
Use cases
- Builder: reproduce the release — feasibility envelope, quantize sweep, the Spark-tested quad + variants table, publish — as fieldkit calls
- User: security knowledge MCQ across CyberMetric's domains, threat reasoning from a log line, and governance/compliance questions
- User: ground answers in CVE / MITRE ATT&CK / RFC text with fieldkit.rag and gate MCQ answers with fieldkit.eval.mcq_letter
- Both: run offline on a DGX Spark or on a free Colab / Kaggle GPU (dual-path, runtime-detected)
Audience — AI researchers and engineers who want to reproduce the quant, and security practitioners, threat analysts, and developers building security tooling who want a private offline assistant — on Spark-class hardware (GB10, 128 GB unified memory) or a free cloud GPU.
Choosing the variant
Two facets of the same notebook — pick by your goal.
- builder
- Walks the build journey on Spark — fieldkit API calls replacing ad-hoc scripts; surfaces speed, feasibility, and viability.
- user
- Demonstrates the published model on realistic domain tasks — runtime-detected, runs on Spark or on a free Colab/Kaggle GPU.
Methods
Read the field note Orionfold/SecurityLLM-GGUF on Spark — five cyber variants, CyberMetric mini-eval, MCQ letter scoring Five GGUF variants of ZySec-AI/SecurityLLM measured on a DGX Spark — Q4_K_M scores 40% on CyberMetric MCQ at 47.7 tok/s and 4.1 GB; the smaller variants matched or beat F16's 34%. Third vertical card; zero fieldkit source changes. Open articleKnown drift
Bounded limitations — Colab/Kaggle runs use the published quant; reasoning quality may differ from the BF16 weights on Spark. Each entry carries an explicit bound.
- Cloud (Colab / Kaggle) path serves the Q4_K_M quant; the Spark path serves Q5_K_M
- One quant level apart, and on this model the cloud quant is no worse — Q4_K_M tops the CyberMetric n=50 mini-eval at 40% vs Q5_K_M's 38% (2 points, inside the noise floor); both run the identical code path. See the sibling GGUF card.
- The builder notebook's quantize + publish steps render the recorded Spark run, not a live re-execution
- 2 recorded Spark-only cells (the quantize sweep and the publish dry-run); the remaining cells — feasibility envelope, the spark_quad panel, and the variants table — run live on any runtime from the manifest.
- The user notebook's live model-chat cells are not captured in the published marketing snapshot
- 4 use-case cells call the model live on any runtime; the snapshot captures the deterministic charts + banners and describes the chat output rather than screenshotting it.
Sibling artifacts
The model this notebook targets, plus other variants in the same family.