BRAHMASTRA 0.1: AI-Native DAST Security Scanner

BRAHMASTRA 0.1 is a specialized 7.6 billion parameter language model, fine-tuned from Qwen2.5-Coder-7B-Instruct, dedicated to Dynamic Application Security Testing (DAST). Developed by Krishna Padala, this model is engineered to autonomously identify and analyze web application vulnerabilities, generate targeted security payloads, and produce structured security findings.

Key Capabilities

• Comprehensive Vulnerability Detection: Capable of identifying a wide range of vulnerabilities, including:
  • SQL Injection (Error-based, Blind, Time-based)
  • Cross-Site Scripting (Reflected, Stored, DOM)
  • Server-Side Template Injection (Jinja2, Twig, ERB)
  • Server-Side Request Forgery
  • Authentication Bypass
  • IDOR / Broken Object Level Authorization
• WAF Detection & Bypass: Includes capabilities for Web Application Firewall detection and bypass techniques.
• Autonomous Operation: Designed to reason about vulnerabilities, generate payloads, analyze responses, and report findings without human intervention.

Training Methodology

BRAHMASTRA was trained in 5 distinct phases using LoRA fine-tuning, focusing on progressively complex security scenarios:

• Phase 1 (a, b, c): Fundamentals of SQLi, XSS, SSTI, SSRF, IDOR, and Auth bypass.
• Phase 2: Multi-step attack chains.
• Phase 3: WAF bypass and adversarial techniques.
• Cleanup Phase: Focused on hallucination removal and generating concrete payloads.

Benchmark Results

Tested against phpvulnbank, the model demonstrated strong performance:

• Requests made: 436
• Scan duration: 176 seconds
• Critical findings: 18
• False positives: 0

Responsible Use

This model is strictly intended for authorized penetration testing, security research, and educational purposes. It must NOT be used for unauthorized testing, malicious exploitation, or any illegal activities. Users are required to agree to these terms upon use.