| --- |
| language: en |
| library_name: transformers |
| pipeline_tag: token-classification |
| tags: |
| - ner |
| - token-classification |
| - cybersecurity |
| - threat-intelligence |
| - secureBert |
| license: mit |
| metrics: |
| - accuracy |
| base_model: |
| - answerdotai/ModernBERT-large |
| --- |
| |
| # Model Overview |
|
|
| **SecureModernBERT-NER** represents a new generation of cybersecurity-focused language models — combining the **state-of-the-art architecture of ModernBERT** with one of the **largest and most diverse CTI-labelled NER corpora ever built**. |
|
|
| Unlike conventional NER systems, SecureModernBERT-NER recognises **22 finely-grained, security-specific entity types**, covering the full spectrum of cyber-threat intelligence — from `THREAT-ACTOR` and `MALWARE` to `CVE`, `IPV4`, `DOMAIN`, and `REGISTRY-KEYS`. |
|
|
| Trained on more than **half a million manually curated spans** sourced from real-world threat reports, vulnerability advisories, and incident analyses, it achieves an exceptional balance of **accuracy, generalisation, and contextual depth**. |
|
|
| This model is designed to **parse complex security narratives with human-level precision**, extracting both contextual metadata (e.g., `ORG`, `PRODUCT`, `PLATFORM`) and highly technical indicators (e.g., `HASHES`, `URLS`, `NETWORK ADDRESSES`) — all within a single unified framework. |
|
|
| SecureModernBERT-NER sets a new standard for **automated CTI entity recognition**, enabling the next wave of **threat-intelligence automation, enrichment, and analytics**. |
|
|
| ## Quick Start |
|
|
| ```python |
| from transformers import pipeline |
| |
| model_id = "attack-vector/SecureModernBERT-NER" |
| |
| pipe = pipeline( |
| task="token-classification", |
| model=model_id, |
| tokenizer=model_id, |
| aggregation_strategy="first", |
| ) |
| |
| text = "TrickBot connects to hxxp://185.222.202.55 to exfiltrate data from Windows hosts." |
| predictions = pipe(text) |
| for pred in predictions: |
| print(pred) |
| ``` |
|
|
| Sample output: |
|
|
| ``` |
| {'entity_group': 'MALWARE', 'score': np.float32(0.9615546), 'word': 'TrickBot', 'start': 0, 'end': 8} |
| {'entity_group': 'URL', 'score': np.float32(0.9905957), 'word': ' hxxp://185.222.202.55', 'start': 20, 'end': 42} |
| {'entity_group': 'PLATFORM', 'score': np.float32(0.92317337), 'word': ' Windows', 'start': 66, 'end': 74} |
| ``` |
|
|
| ## Intended Use & Limitations |
|
|
| - **Use cases:** automated tagging of CTI reports, IOC extraction pipelines, knowledge-base enrichment, security-focused RAG systems. |
| - **Languages:** English (model was trained and evaluated on English sources only). |
| - **Input format:** free-form prose or long-form CTI articles; maximum sequence length 128 tokens during training. |
| - **Limitations:** noisy or ambiguous extractions may occur, especially with rare entity types (`IPV6`, `EMAIL`) and obfuscated strings. The model does not normalise entities (e.g., deobfuscating `hxxp`) nor validate indicator authenticity. Always pair with downstream validation and human review. |
|
|
| ## Training Data |
|
|
| - **Size:** 502,726 labelled text spans before filtering; 22 distinct entity classes in BIO format. |
| - **Label distribution (spans):** `ORG` (approx. 198k), `PRODUCT` (approx. 79k), `MALWARE` (approx. 67k), `PLATFORM` (approx. 57k), `THREAT-ACTOR` (approx. 49k), `SERVICE` (approx. 46k), `CVE` (approx. 41k), `LOC` (approx. 38k), `SECTOR` (approx. 34k), `TOOL` (approx. 29k), plus indicator types such as `URL`, `IPV4`, `SHA256`, `MD5`, and `REGISTRY-KEYS`. |
| - **Pre-processing:** JSONL articles were tokenised and converted to BIO tags; spans in conflict were resolved manually and via automated heuristics before upload. |
|
|
| ## Label Mapping |
|
|
| | Label | Description | Example mention | |
| |-------|-------------|-----------------| |
| | URL | Web address or obfuscated link used in campaigns. | `hxxp://185.222.202.55` | |
| | ORG | Organisations such as companies, CERTs, or research groups. | `Microsoft Threat Intelligence` | |
| | SERVICE | Online or cloud services referenced in attacks. | `Google Ads` | |
| | SECTOR | Industry sectors or verticals targeted. | `critical infrastructure` | |
| | FILEPATH | File system paths observed in malware samples. | `C:\Windows\System32\svchost.exe` | |
| | DOMAIN | Fully qualified domains or subdomains. | `malicious-domain[.]com` | |
| | PLATFORM | Operating systems or computing platforms. | `Windows Server` | |
| | THREAT-ACTOR | Named adversary groups or aliases. | `LockBit` | |
| | PRODUCT | Commercial or open-source software products. | `VMware ESXi` | |
| | MALWARE | Malware families, strains, or toolkits. | `TrickBot` | |
| | LOC | Countries, cities, or regions. | `United States` | |
| | CVE | CVE identifiers for vulnerabilities. | `CVE-2023-23397` | |
| | TOOL | Legitimate or dual-use tools leveraged in incidents. | `Cobalt Strike` | |
| | IPV4 | IPv4 addresses. | `185.222.202.55` | |
| | MITRE-TACTIC | MITRE ATT&CK tactic categories. | `Credential Access` | |
| | MD5 | MD5 cryptographic hashes. | `d41d8cd98f00b204e9800998ecf8427e` | |
| | CAMPAIGN | Named operations or campaigns. | `Operation Cronos` | |
| | SHA1 | SHA-1 hashes. | `da39a3ee5e6b4b0d3255bfef95601890afd80709` | |
| | SHA256 | SHA-256 hashes. | `9e107d9d372bb6826bd81d3542a419d6...` | |
| | EMAIL | Email addresses. | `alerts@example.com` | |
| | IPV6 | IPv6 addresses. | `2001:0db8:85a3:0000:0000:8a2e:0370:7334` | |
| | REGISTRY-KEYS | Windows registry keys or paths. | `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` | |
|
|
| ## Training Procedure |
|
|
| - **Base model:** [`answerdotai/ModernBERT-large`](https://huggingface.co/answerdotai/ModernBERT-large). |
| - **Hardware:** single Nvidia L40S instance (8 vCPU / 62 GB RAM / 48 GB VRAM). |
| - **Optimisation setup:** mixed precision `fp16`, optimiser `adamw_torch`, cosine learning-rate scheduler, gradient accumulation `1`. |
| - **Key hyperparameters:** learning rate `5e-5`, batch size `128`, epochs `5`, maximum sequence length `128`. |
|
|
| | Parameter | Value | |
| |-----------|-------| |
| | Mixed precision | `fp16` | |
| | Batch size | `128` | |
| | Learning rate | `5e-5` | |
| | Optimiser | `adamw_torch` | |
| | Scheduler | `cosine` | |
| | Epochs | `5` | |
| | Gradient accumulation | `1` | |
| | Max sequence length | `128` | |
|
|
| ## Evaluation |
|
|
| AutoTrain reports the following micro-averaged metrics on its validation split (seqeval entity scoring): |
|
|
| | Metric | Score | |
| |------------|--------| |
| | Precision | 0.8468 | |
| | Recall | 0.8484 | |
| | F1 | 0.8476 | |
| | Accuracy | 0.9589 | |
|
|
| An independent re-evaluation against a consolidated CTI set (same taxonomy as this model) produced the label-level accuracy breakdown below. These scores are macro-averaged across labels and therefore are not numerically comparable to the micro metrics above, but they provide insight into class balance and span quality. |
|
|
| | Label | Used | Accuracy | |
| |-------|------|----------| |
| | CAMPAIGN | 1,817 | 0.7980 | |
| | CVE | 28,293 | 0.9995 | |
| | DOMAIN | 12,182 | 0.8878 | |
| | EMAIL | 731 | 0.8495 | |
| | FILEPATH | 13,889 | 0.7957 | |
| | IPV4 | 1,164 | 0.9631 | |
| | IPV6 | 563 | 0.7425 | |
| | LOC | 7,915 | 0.9557 | |
| | MALWARE | 10,405 | 0.9087 | |
| | MD5 | 389 | 0.9100 | |
| | MITRE-TACTIC | 2,181 | 0.7093 | |
| | ORG | 36,324 | 0.9301 | |
| | PLATFORM | 8,036 | 0.8977 | |
| | PRODUCT | 18,720 | 0.8432 | |
| | REGISTRY-KEYS | 1,589 | 0.8490 | |
| | SECTOR | 6,453 | 0.8309 | |
| | SERVICE | 8,533 | 0.8179 | |
| | SHA1 | 222 | 0.9189 | |
| | SHA256 | 2,146 | 0.9874 | |
| | THREAT-ACTOR | 9,532 | 0.9418 | |
| | TOOL | 4,874 | 0.7895 | |
| | URL | 7,470 | 0.9801 | |
|
|
| - **Macro accuracy:** 0.8776 |
|
|
| Because micro vs macro averaging and dataset composition differ, expect numerical gaps between the two evaluations even though both describe the same checkpoint. |
|
|
| These metrics were computed with the `seqeval` micro-average at the entity level. |
|
|
| ## External Benchmarks |
|
|
| The following tables report detailed results on a shared CTI validation set. **Do not compare the per-label values across models directly:** each checkpoint uses a different taxonomy or remapping strategy, so accuracy percentages can be misleading when labels are aligned or collapsed differently. Use the per-model tables to understand performance within a single schema, and interpret macro-accuracy scores with caution. |
|
|
|
|
| ### CyberPeace-Institute/SecureBERT-NER |
|
|
| | Label | Used | Accuracy | |
| |-------|------|----------| |
| | ACT | 3,945 | 0.1706 | |
| | APT | 9,518 | 0.5331 | |
| | DOM | 10,694 | 0.0196 | |
| | EMAIL | 731 | 0.0000 | |
| | FILE | 31,864 | 0.0747 | |
| | IP | 1,251 | 0.0088 | |
| | LOC | 7,895 | 0.8711 | |
| | MAL | 10,341 | 0.6076 | |
| | MD5 | 354 | 0.8672 | |
| | O | 16,275 | 0.4700 | |
| | OS | 7,974 | 0.6598 | |
| | SECTEAM | 36,083 | 0.3509 | |
| | SHA1 | 191 | 0.0209 | |
| | SHA2 | 1,647 | 0.9709 | |
| | TOOL | 4,816 | 0.4043 | |
| | URL | 6,997 | 0.0795 | |
| | VULID | 27,586 | 0.3849 | |
|
|
| - **Macro accuracy:** 0.3820 |
|
|
| ### PranavaKailash/CyNER-2.0-DeBERTa-v3-base |
|
|
| | Label | Used | Accuracy | |
| |-------|------|----------| |
| | Indicator | 35,936 | 0.7878 | |
| | Location | 7,895 | 0.0113 | |
| | Malware | 12,125 | 0.7800 | |
| | O | 2,896 | 0.7652 | |
| | Organization | 42,537 | 0.6556 | |
| | System | 35,063 | 0.7259 | |
| | TOOL | 4,820 | 0.0000 | |
| | Threat Group | 9,522 | 0.0000 | |
| | Vulnerability | 27,673 | 0.1876 | |
|
|
| - **Macro accuracy:** 0.4348 |
|
|
| ### cisco-ai/SecureBERT2.0-NER |
|
|
| | Label | Used | Accuracy | |
| |-------|------|----------| |
| | Indicator | 35,789 | 0.8854 | |
| | Malware | 16,926 | 0.6204 | |
| | O | 10,786 | 0.6813 | |
| | Organization | 51,993 | 0.5579 | |
| | System | 34,955 | 0.6600 | |
| | Vulnerability | 27,525 | 0.2552 | |
|
|
| - **Macro accuracy:** 0.6100 |
|
|
|
|
| ## Responsible Use |
|
|
| - Confirm entity detections before acting on indicators (e.g., automated blocking). |
| - Combine with enrichment and scoring systems to filter false positives. |
| - Monitor for drift if applying to new domains (e.g., non-English sources, informal channels). |
| - Respect licensing and confidentiality of any proprietary CTI sources used for inference. |
|
|
|
|
| ## Support & Connect |
|
|
| * ❤️ **Like the repo** if you found it useful |
| * ☕ **Support me:** Say thanks by buying me a coffee! [https://buymeacoffee.com/juanmcristobal](https://buymeacoffee.com/juanmcristobal) |
| * 💼 **Open to work:** [https://www.linkedin.com/in/jmcristobal/](https://www.linkedin.com/in/jmcristobal/) |
|
|
| If you use SecureModernBERT-NER in a project, feel free to share it in the Discussions/Issues — I love seeing real-world use cases. |
|
|
| ## Citation |
|
|
| If you find this model useful, please cite the repository and the base model: |
|
|
| ``` |
| @software{securemodernbert_ner_2025, |
| author = {Juan Manuel Cristóbal Moreno}, |
| title = {SecureModernBERT-NER: Cyber Threat Intelligence Named Entity Recogniser}, |
| year = {2025}, |
| publisher = {Hugging Face}, |
| url = {https://huggingface.co/attack-vector/SecureModernBERT-NER} |
| } |
| ``` |
|
|
| ## Contact |
|
|
| Questions or feedback? Open an issue on the Hugging Face model repository or reach out at [`@juanmcristobal`](https://huggingface.co/juanmcristobal). |
