# 🎯 CTI-to-Hunt Logic Fine-Tuning (MacBook Local)

**Goal**: Fine-tune Mistral 7B locally on Apple Silicon to convert CTI text into hunt logic.

**Hardware**: MacBook with MPS (Metal Performance Shaders)
**Model**: Mistral 7B Instruct (optimal for MacBook)

## 🔧 Step 1: Environment Check

```python
import torch
import sys

print(f"Python version: {sys.version}")
print(f"PyTorch version: {torch.__version__}")
print(f"MPS available: {torch.backends.mps.is_available()}")
print(f"MPS built: {torch.backends.mps.is_built()}")

device = "mps" if torch.backends.mps.is_available() else "cpu"
print(f"Using device: {device}")
```

## 📦 Step 2: Load Mistral 7B Model

```python
from transformers import AutoTokenizer, AutoModelForCausalLM
import torch

model_name = "mistralai/Mistral-7B-Instruct-v0.2"
print(f"Loading {model_name} for Apple Silicon...")

tokenizer = AutoTokenizer.from_pretrained(model_name)
tokenizer.pad_token = tokenizer.eos_token

model = AutoModelForCausalLM.from_pretrained(
    model_name,
    torch_dtype=torch.float16
)

if torch.backends.mps.is_available():
    model = model.to("mps")

print("✅ Mistral 7B loaded successfully!")
print(f"📊 Parameters: {sum(p.numel() for p in model.parameters()):,}")
print(f"🎮 Device: {next(model.parameters()).device}")
```

## 🧪 Step 3: Test Base Model

```python
test_prompt = "[INST] Convert this cyber threat intelligence into concise hunt logic: The malware establishes persistence by creating a new Windows service named WindowsUpdateService that executes a payload from C:\\Windows\\Temp\\update.exe. Hunt Logic: [/INST]"

inputs = tokenizer(test_prompt, return_tensors="pt")
if torch.backends.mps.is_available():
    inputs = {k: v.to("mps") for k, v in inputs.items()}

with torch.no_grad():
    outputs = model.generate(
        **inputs,
        max_new_tokens=100,
        temperature=0.7,
        do_sample=True,
        pad_token_id=tokenizer.eos_token_id
    )

response = tokenizer.decode(outputs[0], skip_special_tokens=True)
hunt_logic = response.split("[/INST]")[-1].strip()

print("🎯 Base Model Output:")
print("=" * 50)
print(hunt_logic)
print("=" * 50)
```

## 📝 Step 4: Training Data

```python
training_examples = [
    {
        "input": "[INST] Convert this threat intelligence into concise hunt logic: The malware creates a scheduled task named SystemUpdate that runs C:\\Users\\Public\\svchost.exe every 5 minutes with SYSTEM privileges. Hunt Logic: [/INST]",
        "output": "Scheduled Task Creation: Name=SystemUpdate\nProcess Execution: C:\\Users\\Public\\svchost.exe\nPrivilege Escalation: SYSTEM context\nPersistence: Auto-start"
    },
    {
        "input": "[INST] Convert this threat intelligence into concise hunt logic: Network traffic shows malware communicating with 192.168.1.100:8080 via HTTP POST with Mozilla User-Agent and base64 encoded data. Hunt Logic: [/INST]",
        "output": "Network Connection: 192.168.1.100:8080\nProtocol: HTTP POST\nUser-Agent: Mozilla/5.0\nData Encoding: Base64"
    }
]

print(f"📊 Training examples ready: {len(training_examples)}")
```
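
A grounding check for generated hunt logic, added here as an example and not part of the original notebook: it flags indicators in an output that never appear in the CTI input, which matters because Step 3 samples at `temperature=0.7`. The function names and the three regex patterns are assumptions fitted to this page's examples, and `OUT_DRIFT` is a constructed output.

```python
import re

# Indicator shapes seen in this page's examples (an assumed, non-exhaustive set).
INDICATOR_PATTERNS = [
    re.compile(r"[A-Za-z]:\\(?:[^\\\s:]+\\)*[^\\\s:]+"),      # Windows path
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),  # IPv4, optional port
    re.compile(r"\b[A-Za-z]+/\d+(?:\.\d+)*\b"),               # product/version token
]

def extract_indicators(text):
    """Return the set of indicator strings found in text."""
    found = set()
    for pattern in INDICATOR_PATTERNS:
        for match in pattern.finditer(text):
            # Drop sentence punctuation that trails a path in prose.
            found.add(match.group(0).rstrip(".,;"))
    return found

def ungrounded_indicators(cti_text, hunt_logic):
    """Indicators in the model output that do not occur in the CTI input."""
    source = cti_text.lower()
    return sorted(i for i in extract_indicators(hunt_logic) if i.lower() not in source)

# CTI sentences and outputs copied from the two training examples in Step 4.
CTI_TASK = ("The malware creates a scheduled task named SystemUpdate that runs "
            "C:\\Users\\Public\\svchost.exe every 5 minutes with SYSTEM privileges.")
OUT_TASK = ("Scheduled Task Creation: Name=SystemUpdate\n"
            "Process Execution: C:\\Users\\Public\\svchost.exe\n"
            "Privilege Escalation: SYSTEM context\nPersistence: Auto-start")
CTI_NET = ("Network traffic shows malware communicating with 192.168.1.100:8080 via "
           "HTTP POST with Mozilla User-Agent and base64 encoded data.")
OUT_NET = ("Network Connection: 192.168.1.100:8080\nProtocol: HTTP POST\n"
           "User-Agent: Mozilla/5.0\nData Encoding: Base64")
# Constructed output, standing in for a sampled generation that drifts from the input.
OUT_DRIFT = ("Process Execution: C:\\Windows\\Temp\\svchost.exe\n"
             "Network Connection: 10.0.0.5:443")

if __name__ == "__main__":
    for name, cti, out in [("task", CTI_TASK, OUT_TASK), ("net", CTI_NET, OUT_NET),
                           ("drift", CTI_TASK, OUT_DRIFT)]:
        print(name, ungrounded_indicators(cti, out))
```

Run over the page's own pairs, the second training output returns `Mozilla/5.0`, a version string the CTI sentence does not contain, so that pair teaches the model to add detail beyond its source.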

## 🎯 Step 5: Setup Complete

Your MacBook fine-tuning environment is ready!
- Mistral 7B loaded with MPS acceleration
- Training data in Mistral format
- Ready for LoRA fine-tuning