Overview
DeepSeek-v4-Fable is a distilled security-specialized agent model built on DeepSeek-v4-Flash and adapted from Claude-5-Fable for autonomous security research workflows. Maintained by Chunjiang-Intelligence, this model is engineered exclusively for structured, tool-oriented security tasks such as CTF problem solving, exploitation planning, and multi-step reasoning in controlled sandbox environments. The model contains 0.94B trainable parameters (0.33% of total parameters via LoRA with rank 64) with LoRA targets including q,k,v,o layers plus experts and router weights. It supports bf16 parameters with fp32 optimizer states and operates with a maximum sequence length of 96K tokens. The model requires the transformers library and uses a custom encoding system with encoding_dsv4 for message formatting and parsing. Critical limitation: This model is domain-specific for security tasks and will perform poorly on general NLP applications. Use of this model to access, scan, or exploit systems without explicit documented authorization is strictly prohibited and violates its Acceptable Use Policy.
Best use cases
Authorized penetration testing and vulnerability research — DeepSeek-v4-Fable chains reconnaissance, exploitation, and verification steps autonomously within authorized scopes. The model achieved 63.8% solve rate on Web Security CTF challenges and 68.9% on cryptography challenges, demonstrating strong capability in multi-step exploitation planning. This model retains reconnaissance artifacts across extended interactions, enabling complex attack chains on owned or authorized systems where ground-truth verification signals exist. The two-phase training (rejection-sampled SFT followed by GRPO with programmatic rewards) optimizes for procedural reliability in sandbox environments rather than conversational breadth.
Capture The Flag (CTF) competition solving — The model was fine-tuned on SecDojo-80K, a corpus of 80,000 verified CTF trajectories across 4,050 distinct challenges. It achieves 58.7% overall solve rate within 40 turns and 13.4 mean turns-to-flag on held-out decontaminated challenges. Performance varies by category: binary exploitation reaches 44.5% (19.8 mean turns), reverse engineering 51.2% (16.4 mean turns), and cryptography 68.9% (7.2 mean turns). This specialization makes it practical for educational security labs and CTF benchmarking.
Autonomous agent safety and capability evaluation — Researchers evaluating long-horizon agent behavior in structured environments can use this model as a specialized benchmark. The training architecture—with dense milestone rewards, KL anchors (β=0.02), and strict penalties for malformed actions—provides insights into how RL-trained agents develop systematic versus degenerate behaviors. Ablation studies show removing the KL anchor causes policy collapse into “degenerate payload-spraying,” directly informing safety research on policy constraint mechanisms.
Red-team engagements within documented scopes — The model’s training on rejection-sampled trajectories ensures action reproducibility and eliminates non-verifiable successes. Its capability to autonomously generate tool commands (interpreted as hypotheses requiring sandboxed verification) makes it suitable for structured red-team workflows where authorization and resource limits are enforced. The model exhibits particular strength on exploration-heavy tasks: GRPO training delivered +25.8-point gains on binary exploitation and +26.9 points on reverse engineering relative to SFT baseline.
Limitations
Not a general-purpose assistant — This is a domain-specific model that will exhibit degraded performance on general NLP, creative writing, open-ended dialogue, and non-security tasks. It is explicitly optimized for procedural security workflows and should not be relied upon for broad language understanding applications.
Hallucination of invalid tool commands — The model generates hypotheses rather than ground truth. Execution must occur in a secure sandbox with verification. The model’s behavior depends heavily on programmatic verifiers present during training; reliability degrades significantly in environments lacking ground-truth signals or in novel target distributions not represented in the training data.
Reconstruction bias and limited transferability — Training trajectories derive exclusively from public CTF challenges (4,050 unique challenges total). This introduces reconstruction bias and limits transfer to real-world vulnerability landscapes. The model achieved 56.1% mean teacher solve rate across the training corpus, indicating the underlying task distribution itself contains unsolved challenges that constrain model performance.
Hardware and compute requirements — Fine-tuning used 64 NVIDIA H800-80GB GPUs, completing in 30 hours wall-clock time (1,920 GPU-hours total for both SFT and GRPO phases). Inference requirements for this model are not explicitly stated, but operating with 96K token context windows and LoRA weights suggests substantial memory footprint. The technical report is required for precise inference specifications.
Long-horizon memory and capability concentration risk — The model’s ability to retain and reuse reconnaissance artifacts across extended interactions creates pathways for complex attack chains. Its capacity for cheap, parallelizable execution may elevate aggregate risk of low-severity vulnerabilities. Misuse against unauthorized systems poses significant real-world harm risk.
License and usage restrictions — Licensed under openrail terms but bound by strict Acceptable Use Policy. Prohibited activities include mass targeting, opportunistic exploitation, malware development, supply-chain compromise, persistent backdoor installation, and evasion of security controls. Violation can result in access revocation. All applicable laws (CFAA, Computer Misuse Act, etc.) must be strictly followed.
Evaluation limitations — Results measure capability within a reconstructed sandbox environment (300 held-out CTF challenges decontaminated by source identity). These benchmarks do not serve as endorsement for unsupervised real-world deployment. Context length at p95 reaches 92.6K tokens for binary exploitation challenges but only 15.0K for miscellaneous tasks, indicating uneven capability distribution.
How it compares
vs. deepseek-v3 — DeepSeek-v3 is a general-purpose leading model suitable for broad NLP tasks, while DeepSeek-v4-Fable is a specialized security agent with narrow domain focus. Choose DeepSeek-v3 if you need conversational quality, reasoning across diverse domains, or general capability; choose DeepSeek-v4-Fable if you need autonomous security tool execution and CTF solving. The tradeoff is breadth versus specialization: DeepSeek-v3 generalizes across millions of tasks while DeepSeek-v4-Fable achieves high performance on security workflows at the cost of near-zero utility elsewhere.
vs. deepseek-r1 — DeepSeek-r1 is a reasoning-focused model trained with reinforcement learning across general domains, whereas DeepSeek-v4-Fable applies RL (GRPO) specifically to security tasks with programmatic reward signals. Choose DeepSeek-r1 for complex multi-step reasoning across math, code, and reasoning benchmarks; choose DeepSeek-v4-Fable for security-specific multi-step reasoning with tool execution in sandboxed environments. Both use RL training, but DeepSeek-r1 optimizes for human reasoning alignment while DeepSeek-v4-Fable optimizes for programmatic flag acquisition and vulnerability verification.
vs. deepseek-vl-1.3b-chat and deepseek-vl-1.3b-base — The DeepSeek-VL models handle vision and language tasks (diagrams, webpages, images), while DeepSeek-v4-Fable handles text-only security tasks without multimodal understanding. Choose vision-language models if your security workflow involves visual reconnaissance (screenshot analysis, diagram interpretation); choose DeepSeek-v4-Fable if you need pure text-based exploitation planning and verification. The tradeoff is modality support: vision models add image processing capability at the cost of focus.
Technical specifications
Architecture and parameters — Built on DeepSeek-v4-Flash base with LoRA fine-tuning. Trainable parameters: 0.94B (0.33% of total). LoRA configuration: rank 64, α 128, dropout 0.05. LoRA targets: q,k,v,o layers plus all expert weight matrices (w₁, w₂, w₃) and router weights. Uses bf16 parameter precision with fp32 optimizer states. Maximum sequence length during training: 96K tokens.
Training data — SecDojo-80K corpus: 80,000 verified CTF trajectories from 4,050 unique challenges. Breakdown by category: Web Security (1,240 challenges, 28,500 trajectories, avg 14.2 turns, p95 context 38.4K), Binary Exploitation (850 challenges, 15,200 trajectories, avg 22.5 turns, p95 context 92.6K), Reverse Engineering (920 challenges, 18,400 trajectories, avg 18.7 turns, p95 context 71.2K), Cryptography (630 challenges, 11,300 trajectories, avg 8.4 turns, p95 context 21.5K), Miscellaneous (410 challenges, 6,600 trajectories, avg 6.1 turns, p95 context 15.0K). Overall mean: 15.8 turns per trajectory, 61.3K p95 context. Teacher model achieved 56.1% solve rate across training distribution.
Training procedure — Two-phase pipeline. Phase 1: Rejection-sampled Supervised Fine-Tuning (SFT) over 3 epochs, global batch size 512, peak learning rate 1e-4, cosine schedule with 3% warmup. Loss applied only to assistant reasoning and action spans; environment observations masked. Phase 2: Group Relative Policy Optimization (GRPO), on-policy RL with 16×16 rollouts per step, group size G=16, peak learning rate 5e-6. Policy gradient clipping ε=0.2, KL divergence coefficient β=0.02, temperature T=1.0, top-p 0.95. Reward function includes terminal flag acquisition, dense verifiable milestones (service fingerprinting, memory leaks), and strict penalties for malformed actions.
Infrastructure — Training used 64 NVIDIA H800-80GB GPUs on a private cluster in East Asia. Total compute: 1,920 GPU-hours (30 hours wall-clock). Read-Only Parameter Streaming (ROPS) optimization refined ZeRO-3 CPU offloading, enabling unidirectional parameter streams and reducing PCIe stall. This optimization shortened estimated cluster time from 63 hours to 30 hours.
Framework and libraries — Requires transformers library. Uses custom encoding_dsv4 module for message formatting with encode_messages and parse_message_from_completion_text functions. Supports thinking_mode parameter for reasoning span control.
Model format and quantization — Model card does not specify quantization options, model format, or distributed inference support. Technical report referenced but not provided in documentation.
Model inputs and outputs
Inputs
- Messages list — Array of dictionaries with “role” (user/assistant), “content” (text), and optional “reasoning_content” (thinking spans) keys
- Thinking mode parameter — Controls reasoning span formatting during encoding
- Maximum sequence length — 96K tokens supported during training; inference limit not specified
- Text encoding — UTF-8 text via custom
encode_messagesencoder; must be converted to token IDs via AutoTokenizer
Outputs
- Completion text — Generated security task responses (reconnaissance commands, exploitation steps, verification actions)
- Tool commands — Text-formatted commands intended for sandbox execution (not direct execution)
- Reasoning content — Optional thinking spans parsed via
parse_message_from_completion_text
- Structured completion — Message dictionary with role, content, and optional reasoning_content for multi-turn conversation
Getting started
from encoding_dsv4 import encode_messages, parse_message_from_completion_text
import transformers
# Define conversation with optional reasoning content
messages = [
{"role": "user", "content": "How would you identify the service running on port 8080?"},
{
"role": "assistant",
"content": "I would use nmap to probe the service.",
"reasoning_content": "Need to fingerprint the service to plan exploitation."
},
{"role": "user", "content": "What's the next step?"}
]
# Encode messages using model-specific formatter
prompt = encode_messages(messages, thinking_mode="thinking")
# Load tokenizer and tokenize prompt
tokenizer = transformers.AutoTokenizer.from_pretrained(
"Chunjiang-Intelligence/DeepSeek-v4-Fable"
)
tokens = tokenizer.encode(prompt)
# Load model (inference setup)
model = transformers.AutoModelForCausalLM.from_pretrained(
"Chunjiang-Intelligence/DeepSeek-v4-Fable",
torch_dtype="auto"
)
# Generate response (example; actual inference parameters depend on your setup)
# Note: This model must run in an isolated, audited sandbox environment
# All outputs are hypotheses requiring verification, not ground truth
Frequently asked questions
Q: Can I use this model commercially or for production systems?
A: No. The model is restricted to authorized security research, penetration testing, and CTF competitions within strictly defined scopes. Commercial deployment is prohibited by the Acceptable Use Policy. Chunjiang Intelligence reserves the right to revoke access for violations.
Q: What hardware do I need to run inference with this model?
A: The technical specification does not provide explicit inference VRAM or hardware requirements. Training used 64 H800-80GB GPUs, but inference demands are not documented. You must consult the technical report or Chunjiang Intelligence for precise inference specifications.
Q: Can I fine-tune this model further?
A: The model uses LoRA (rank 64) on a frozen DeepSeek-v4-Flash backbone, which supports continued fine-tuning. The transformers library supports LoRA fine-tuning. However, authorization constraints apply: you may only fine-tune for authorized security research. Further training on general-purpose tasks violates the use policy.
Q: How much better is this than the base DeepSeek-v4-Flash model at security tasks?
A: Significantly. On CTF solving, base Flash achieves 13.5% overall solve rate (0-shot). After SFT (Phase 1), this reaches 31.2%. After GRPO (Phase 2), it reaches 58.7%—a 4.3x improvement. On binary exploitation specifically, the gap is largest: 4.1% (base) → 44.5% (final), driven by dense milestone rewards (+9.1 points) and KL-anchored policy optimization.
Q: What input format does this model expect?
A: The model requires messages formatted as a list of dictionaries with “role”, “content”, and optional “reasoning_content” keys. These are encoded via the encode_messages function from encoding_dsv4, which produces a string prompt passed to the tokenizer. Direct raw text input is not supported.
Q: How does the model handle tasks outside security domains?
A: Poorly. This is a domain-specific model trained exclusively on security trajectories. It will exhibit degraded performance on general NLP, creative tasks, open-ended dialogue, and non-security reasoning. The training procedure intentionally narrows capability to procedural security tasks rather than broad conversational coverage.
Q: Is this model actively maintained?
A: The model card does not specify maintenance status or update frequency. The 174 download count and recent model release suggest active availability, but you should verify current maintenance status with Chunjiang-Intelligence directly.
Q: What happens if the model generates invalid or dangerous commands?
A: Execution must occur within a secure sandbox with strict verification. All model outputs are hypotheses, not ground truth. You must verify generated commands and predictions before execution. The model may hallucinate malformed actions; the reward function during training penalized these, but they still occur. Never execute unverified output against production systems.
This is a simplified guide to an AI model called DeepSeek-v4-Fable maintained by Chunjiang-Intelligence. If you like these kinds of analysis, join AIModels.fyi or follow us on Twitter.





Be the first to comment