LLMs That Actually Pen Test: What Post-Training for Security Means for Your AI Stack

Security researchers have spent years arguing that LLMs should be more helpful with offensive security tasks. The models kept refusing. Now someone just shipped a post-trained model that does the work instead of lecturing you about responsible disclosure, and it reportedly found thousands of real zero-days. That is not a headline you can ignore if you are building any kind of AI system that touches code, infrastructure, or automated pipelines.

What Actually Happened

Two things landed close together that, read side by side, tell a clear story about where AI security tooling is going.

First, the Argus Red team shipped a CLI-accessible model that they post-trained specifically for penetration testing. The pitch is simple: instead of a general-purpose model that refuses to explain how buffer overflows work, you get one that treats offensive security as the actual task. No jailbreaks, no prompt engineering gymnastics. The model was trained to do the job.

Second, there is a wave of reporting around Claude's Fable 5 (a research configuration of Claude) being used to find thousands of zero-days across real codebases. The implication is that when you remove the general-purpose safety floor and retrain or configure a model for a narrow, high-stakes domain, you get capability that base models will not give you.

Together these signal a real inflection point: domain-specific post-training for adversarial tasks is no longer a research curiosity. It is shipping.

The Technical Detail That Matters

Post-training here is doing a lot of work, and it is worth being precise about what that means architecturally.

General-purpose RLHF bakes in refusal behavior as a broad prior. The model learns that "anything that sounds like hacking" is in a category of things it should decline. That is not a capability limit, it is a behavior trained over the capability. Post-training for a specific domain can shift that prior without necessarily retraining from scratch. You fine-tune on domain-specific data, you adjust the reward signal to treat "correctly identifying and demonstrating a vulnerability" as the positive outcome, and you can do this on top of an existing base model.

The Argus Red approach appears to follow this pattern. They are not claiming a new architecture. They are claiming a different training objective applied to a capable base. The zero-day story with Claude Fable 5 is a different mechanism (it sounds more like a heavily prompted or configured deployment rather than a fine-tune), but the outcome is similar: a model that operates in the security domain without the general refusal behavior getting in the way.

The failure mode to watch here is scope collapse. A model post-trained to be maximally helpful for pen testing needs extremely tight deployment controls. If that same model ends up in a context where it is answering general user questions, you have a problem. The safety guardrails you removed were doing work in those other contexts even if they were annoying in the security context.

What This Means for Builders

If you are running a multi-tenant AI platform, this is a direct architectural concern. The emerging pattern is that you will have a portfolio of models: a general-purpose model for most tasks, and domain-specific post-trained models for high-stakes narrow domains. Your routing layer needs to understand which model is appropriate for which tenant and which request type.

For agent and MCP systems, the implication is more immediate. Security automation agents that can actually test infrastructure, not just describe tests, are now buildable with off-the-shelf components. That changes the threat surface for any system that accepts LLM-generated tool calls. If your MCP server exposes file system or network tools, and your agent framework routes to a security-capable model, you need to think hard about what that model will do with those tool permissions.

For RAG pipeline builders, this is a reminder that retrieval context can activate capabilities. A security-tuned model retrieving exploit documentation from a knowledge base and then calling a code execution tool is a very different risk profile than a general model doing the same thing.

One Thing to Do Today

Go test the Argus Red CLI at argusred.com/cli against a CTF target or a lab environment you control. Do not just read about it. Actually watch what the model does versus what GPT-4o or Claude does with the same prompt. The capability delta is the thing you need to see firsthand before you decide how to think about model selection in your own security tooling or agent infrastructure.

Follow this blog for daily breakdowns of what is actually shipping in AI engineering.

References

• Show HN: We post-trained a model that pen tests instead of refusing - HackerNews
• Bootimus - A Self-Contained PXE and HTTP Boot Server - HackerNews
• Where to Find the Colors Your Screen Can't Show You - HackerNews