Cisco’s New Open-Source Cybersecurity LLM Model
As cybersecurity threats escalate in volume and complexity, security professionals face a critical challenge: how to scale their intelligence and decision-making without compromising precision. Enter Foundation-Sec-8B, Cisco’s domain-specific large language model (LLM) purpose-built for cybersecurity, trained, evaluated, and released under open weights.
While most LLMs today are generalists, Foundation-Sec-8B focuses exclusively on cybersecurity workflows, enabling defenders to triage incidents faster, write more effective detections, and simulate threats more realistically.
What Is Foundation-Sec-8B?
Foundation-Sec-8B is an 8-billion-parameter LLM based on the Llama 3.1 architecture, fine-tuned through continued pretraining on a carefully curated cybersecurity corpus. Unlike general-purpose models, Foundation-Sec-8B is built from the ground up with the terminologies, behaviors, and logic of cybersecurity operations in mind.
It understands the MITRE ATT&CK framework, CVEs, CIS Controls, and even how threat intelligence reports are written and consumed.
How Cisco Built It: A Peek Behind the Scenes
Purpose-Built Dataset (5B Tokens, 25 GiB)
Cisco scraped over 4 TiB of raw data, then distilled it down to just 0.6% using a rigorous pipeline.
Sources include:
MITRE ATT&CK, CVEs, CWEs
Threat reports
Security blogs and RFCs
NIST guidelines and red team manuals
A relevancy classifier (F1 score: 0.92) helped exclude irrelevant or low-quality documents, making this one of the cleanest security-specific datasets available.
Cybersecurity-Centric Training Approach
Continued pretraining on security data (not just instruction tuning)
Uses 4096-token sequences for efficient transformer learning
Trained with DeepSpeed + AdamW optimizer for scalability
Result: A model that retains general reasoning (MMLU drop only ~2.4%) but excels in security tasks.
Benchmark Results: Small But Mighty
Despite being 8B parameters, Foundation-Sec-8B matches or beats models 10x its size:
Notably, it outperformed GPT-4o-mini and Llama 70B on root cause mapping—a nuanced cybersecurity task.
Real-World Applications
Foundation-Sec-8B is already being deployed across three primary use cases:
1. SOC Acceleration
Summarize multi-source alerts
Draft human-style incident reports
Build timelines and identify IOCs
2. Proactive Threat Defense
Extract MITRE techniques from reports
Prioritize vulnerabilities
Generate hypothetical attack paths
📈 Fine-tuned for MITRE technique extraction, it beats its untuned Llama peer by 10+ points.
3. Secure Engineering & Compliance
Validate configs and IaC templates
Check compliance evidence
Flag outdated or inconsistent security policies
Why This Model Matters
Most open-source LLMs are still generalists. Even those marketed for security are often retrofitted or lack real domain depth. Foundation-Sec-8B sets a new bar:
Capability | Foundation-Sec-8B
Open-weight? | ✅
Trained on security data? | ✅ (custom dataset)
CVE/CWE/ATT&CK fluent? | ✅
On-premise deployable? | ✅
Multi-shot ready? | ✅
General knowledge loss? | ❌ Minimal (~2.4% drop)
It provides organizations with full control over deployment and privacy—ideal for air-gapped environments, compliance-intensive industries, or regulated workloads.
What’s Next?
Cisco's Foundation AI team has made it clear: Foundation-Sec-8B is just the beginning. Coming soon:
A reasoning-enhanced model for deeper investigation and explainability
Benchmark suites tailored to real-world security tasks
Tools for safe agentic integration with security platforms
🎯 This model is designed not just to support security; it’s here to transform how defenders build and respond.
How to Get Started
You can access and start experimenting with Foundation-Sec-8B here:
Final Thoughts
Cisco’s Foundation-Sec-8B demonstrates that specialization is a key advantage in cybersecurity. While ChatGPT and Claude excel at general tasks, defending infrastructure, hunting threats, and validating compliance require deep context, something only a focused, open-weight model can deliver.
This release represents a significant leap forward for open-source security LLMs and could serve as a blueprint for embedding AI at the core of our defense systems.