Zero: A Minimal Viable Reasoning Model for Security Research

Zero is an open-source family of small language models specifically trained to reason about security issues directly, just like senior security researchers. Addressing the pain point of large language models giving ambiguous responses when handling security problems, it adheres to the core philosophy of "no avoidance, no whitewashing" and strives to provide direct and accurate answers in the security domain. The project explores the minimal model size required for true security reasoning and the transferability of capabilities. Training data comes from CTF competition challenges, and it uses GRPO (Generalized Reward Policy Optimization) adversarial self-play training.

When handling security-related issues, current large language models often give ambiguous "hedging" responses, which reduce risk but are hard to provide useful insights. The Zero project was born out of this need, with the core philosophy of "no avoidance, no whitewashing". Its goal is to train models that can directly point out the essence of problems like senior security researchers, even if the conclusions may be unsettling.

Zero is trained using an adversarial self-play framework. The reward function design embodies core values: calibrated uncertainty is rewarded (when correctly identifying knowledge boundaries and expressing uncertainty); confident wrong answers receive the harshest punishment. This mechanism encourages the model to develop healthy metacognition, knowing what it knows and what it doesn't. The training also uses GRPO (Generalized Reward Policy Optimization) adversarial self-play training.

Zero plans to release three models of different sizes in phases: zero-1.5b (minimum feasible reasoning lower limit, in planning), zero-3b (main version, in planning), zero-7b (minimum feasible reasoning upper limit, in planning), to explore the trade-off between size and security reasoning capabilities. Currently, it is in the first phase of baseline mapping (ongoing). The team has established reasoning capability baselines for different-sized models before training, and technical specifications have been documented in the SPEC.md file.

The significance of the Zero project lies in providing a dedicated security reasoning model, and more importantly, exploring a new training paradigm for deep optimization in specific professional domains. For security researchers: gain an AI assistant that directly points out vulnerabilities, reduce the cost of information screening, and have a virtual teammate trained at the CTF level. For the AI field: provide an experimental platform to study the relationship between model size and professional capabilities.

Zero is open-sourced under the Apache 2.0 license. The code and model weights will be publicly released after training is completed. The project welcomes community contributions, especially in evaluation benchmarks and dataset construction.

In the security domain, ambiguous advice can be more dangerous than clear errors, as it easily creates a false sense of security. Zero's directness philosophy represents a more valuable way of AI assistance: not to please users, but to help them understand risks. It is expected that this small but focused model family can challenge or even surpass the performance of general large models in the field of security reasoning.