Researchers have released CyberPal 2.0, a set of compact language models purpose-built for cybersecurity work.
The model family ranges from 4 billion to 20 billion parameters — small by frontier standards — and was trained on SecKnowledge 2.0, a dataset built with a mix of human expert steering and automated multi-step grounding to produce detailed, task-specific reasoning traces. On threat-investigation benchmarks — the kind of work that involves correlating vulnerabilities with bug tickets and known weaknesses — the 20B model outperformed GPT-4o, o1, o3-mini, and Sec-Gemini v1, ranking first. The 4B model placed second. On cyber threat intelligence tasks, the models beat nearly every tested frontier model, trailing only Sec-Gemini v1.
The practical argument here is straightforward: security teams often cannot send sensitive data to a third-party API, and running a 200B-parameter model on-premise is not realistic for most organizations. A capable 4B or 20B model that can be self-hosted changes that calculus. The gap between general-purpose frontier models and domain-specific ones has been narrowing for a while in fields like medicine and law — cybersecurity is catching up.
That said, benchmark performance on curated datasets and performance in a live SOC environment are two different things, and the paper does not claim otherwise.