Model Card — Securie Specialist Fleet
Version 1.0 · Effective 2026-04-22 · EU AI Act Article 13 disclosure
Intended use
Analyze application source code + configuration + dependencies for security-relevant defects. Emit JSON findings conforming to the Securie Finding schema. Propose code-level fixes (GitHub Suggested-Change format). Not intended for general-purpose code generation, chat, or content moderation.
Model stack
| Tier | Model | Role | License |
|---|---|---|---|
| Local | Foundation-Sec-8B-Reasoning (Cisco) | secret-scan chain — primary | Llama 3.1 (commercial) |
| OSS API | Gemini 2.5 Flash-Lite (Google) | secret-scan chain — fallback | Proprietary |
| OSS API | GLM-5.1 (Zhipu AI) | auth-authz + default chain — primary; supabase-rls/bola-bfla/idor — fallback | MIT |
| OSS API | Hermes 4 405B (NousResearch) | supabase-rls/bola-bfla/idor — primary; auth-authz + default — fallback | MIT |
| Frontier (<5%) | Claude Sonnet 4.6 (Anthropic) | Last-resort escalation on supabase-rls / auth-authz / bola-bfla / default chains. Enterprise + Sovereign tiers hard-block via TenantOverrides. | Proprietary |
Last validated 2026-04-29. Model picks were measured across 4 bench rounds (208 fixtures, 5 candidates, held-out validation). DeepSeek V3.2, Kimi K2.6 and GPT-5.4 Nano were previously listed but were dropped on 2026-04-29: DeepSeek scored F1=0.000 on TaintAnalysis (zero recall on SQLi); Kimi K2.6 had a 50% provider decode-error rate; GPT-5.4 Nano was replaced by Claude Sonnet 4.6 on the frontier last-resort step. Full rationale and bench data: docs/adr/ADR-019-model-default-flip-protocol.md and docs/launch-validation/model-bench-v3-final.md.
Training data
Securie does not fine-tune at launch. The stack ships stock weights. Prompts are grounded with retrieval over OWASP, CWE, HackerOne public disclosures, and Exploit-DB — all publicly licensed.
Customer code is never used for training on the Free, Indie, Pro, Solo-Founder, or Startup tiers. On those tiers the `training_opt_in` flag on your tenant row is FALSE, and the database-layer writer (`TrainingCorpusStore::insert_with_consent_check`) refuses to persist a single row of customer-derived content. The writer re-reads consent transactionally on every insert, so a flag flip to FALSE at any point before the commit aborts the write.
Two signal streams are collected across all tiers as product telemetry, and both only hold Securie's own model output — not your source:
- `positive_samples` — fixes we suggested that stuck at the 30-day mark. Stored fields: class, CWE, the suggested code we produced, provider/model provenance.
- `negative_samples` — fixes we suggested that were reverted or dismissed. Same shape.
Neither table contains customer source, prompts, or retrieved context. Both are tenant-scoped via Postgres row-level security.
Enterprise Federated tier (separate ToS addendum and contract): customers who sign the training addendum can opt in per tenant. Their code snippets (capped at 16 KiB per finding), prompt digests, and retrieval chunk ids land in `training_corpus` for the customer's own LoRA — not a shared pool. Opt-out is a DSAR away; tenant deletion cascades through the foreign key and every row is gone from the next export.
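The consent-gated write, the 16 KiB cap, the cascading delete and the tenant scoping described above, as an added PostgreSQL sketch that is not Securie's own schema; every table and column name other than `training_opt_in` and `training_corpus` is an assumption:

```sql
-- Added example, not Securie's code. Assumed names: tenants, tenant_id,
-- finding_id, code_snippet, prompt_digest, chunk_ids, app.tenant_id.
CREATE TABLE tenants (
    id              uuid PRIMARY KEY,
    tier            text NOT NULL,
    training_opt_in boolean NOT NULL DEFAULT false   -- FALSE on all non-Federated tiers
);

CREATE TABLE training_corpus (
    id            bigserial PRIMARY KEY,
    tenant_id     uuid NOT NULL REFERENCES tenants(id) ON DELETE CASCADE, -- tenant delete removes every row
    finding_id    uuid NOT NULL,
    code_snippet  text NOT NULL CHECK (octet_length(code_snippet) <= 16384), -- 16 KiB per finding
    prompt_digest bytea NOT NULL,
    chunk_ids     text[] NOT NULL DEFAULT '{}'
);

-- Consent is re-read inside the writing transaction, at commit time: a deferred
-- constraint trigger runs when COMMIT is issued, so a flip to FALSE that lands
-- before this transaction commits is seen and the insert is rolled back.
CREATE OR REPLACE FUNCTION training_corpus_consent_check() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    consent boolean;
BEGIN
    SELECT training_opt_in INTO consent
      FROM tenants
     WHERE id = NEW.tenant_id
       FOR SHARE;   -- waits for an in-flight flip to finish, then reads the committed value
    IF consent IS DISTINCT FROM true THEN
        RAISE EXCEPTION 'tenant % has not opted in to training', NEW.tenant_id
            USING ERRCODE = 'check_violation';
    END IF;
    RETURN NULL;
END $$;

CREATE CONSTRAINT TRIGGER training_corpus_consent
    AFTER INSERT ON training_corpus
    DEFERRABLE INITIALLY DEFERRED
    FOR EACH ROW EXECUTE FUNCTION training_corpus_consent_check();

-- Tenant scoping via row-level security: a session can only see and write rows
-- whose tenant_id matches the tenant it was opened for (assumed GUC app.tenant_id).
ALTER TABLE training_corpus ENABLE ROW LEVEL SECURITY;
ALTER TABLE training_corpus FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON training_corpus
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);
```

With the trigger deferred, an INSERT followed by a concurrent `UPDATE tenants SET training_opt_in = false` that commits first makes the writer's COMMIT fail with a check_violation, which is the abort-before-commit behaviour the text describes.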
Known limitations
- Single-file scope. Intra-procedural taint only; cross-file data-flow is not tracked at launch.
- Language coverage. Launch specialists cover Supabase RLS (SQL), Next.js auth/authz (TS/JS), and secret-scan (any). Other languages fall to the deterministic static-rules engine only.
- False-positive rate. Target ≤5%. The sandbox-verify layer (Firecracker) drops unreproducible findings when configured.
- LLM output non-determinism. Even at temperature 0.1, outputs can vary. Every finding carries a confidence score and a sandbox-verdict column.
Safety guardrails
- Input/output classifier. Every inference call passes through a safety filter (Llama Guard 4 in production; regex at launch) on both prompt and response.
- Red-team specialist. Offensive reasoning is locked to a dedicated sandbox router; customer-scoped routers cannot dispatch red-team prompts.
- Cost firewall. Per-tenant monthly cap + 5% frontier-ratio cap enforced before dispatch.
- Prove-don't-flag. When Firecracker sandbox is attached, High+ LLM findings are suppressed unless the exploit reproduces.
Human oversight
Every auto-patch is surfaced as a GitHub Suggested-Change — the maintainer must click "Commit suggestion" to merge. Securie never auto-merges. Privileged overrides (deploy-gate bypass, refund issuance) require a human-held admin token.
EU AI Act classification
High-risk AI system (Article 6, Annex III). Risk-management, technical documentation, and logging obligations apply. Formal conformity assessment by a Notified Body is scheduled for Year 2.
Contact
Questions: ai-governance@securie.ai