Introducing Sentinel-R2.1

Published on July 14, 2026

Security work is rarely a single-step problem. A useful assessment requires an operator to build a picture of the target, test hypotheses, interpret tool output, connect weaknesses into an attack path, and explain how each issue should be fixed.

Today, we’re introducing Sentinel-R2.1, Glyph Software’s reasoning and tool-use model built for that workflow. Sentinel is designed to assist with authorized penetration testing and security research in isolated, explicitly scoped environments.

Sentinel-R2.1 is available on Hugging Face as a gated, proprietary release.

From a Prompt to an Attack Path

Sentinel-R2.1 is trained to operate as an agent rather than a one-shot security chatbot. Given a permitted target scope and an execute tool, it can:

  • plan and carry out structured enumeration
  • reason over command output and revise its approach
  • investigate possible footholds and privilege-escalation paths
  • document the weaknesses it found, their root causes, and practical remediation

The surrounding harness remains in control. It executes approved tool calls, returns results to the model, and enforces the engagement’s boundaries. This separation is important: Sentinel supplies reasoning and proposed actions, while the operator and harness supply authorization, isolation, policy, and oversight.

Built for Agentic Security Work

The release is a 9B-parameter, causal decoder-only model based on empero-ai/Qwythos-9B-v2. It was fine-tuned on curated, multi-turn penetration-testing trajectories that follow the complete arc of an authorized lab assessment: enumeration, foothold discovery, privilege escalation, and remediation reporting.

Those trajectories include system, user, assistant, and tool messages. That format teaches the model to do more than describe a technique. It must decide what information it needs, issue a tool call, interpret the result, and continue from evidence.

Sentinel-R2.1 supports a native context length of up to 1,048,576 tokens, making it suitable for long-running sessions with substantial command output, notes, and source material. The model is released as merged bfloat16 weights, so authorized users can load it directly without separately applying a LoRA adapter.

The weights also retain the base model’s multi-token-prediction head. Compatible runtimes can use that head for speculative decoding, while runtimes that do not support it can load the model normally.

Evaluation Results

We re-evaluated this build with EleutherAI’s lm-evaluation-harness v0.4.12. While these general reasoning benchmarks do not measure end-to-end penetration-testing performance, they provide a useful view of the model’s reasoning foundation.

  • GSM8K, 5-shot: 0.850 strict exact match
  • MMLU, 0-shot: 0.775 accuracy
  • ARC Challenge, 0-shot: 0.587 normalized accuracy
  • GPQA Diamond, chain-of-thought 0-shot: 0.545 flexible exact match

These figures belong specifically to the current R2.1 build. Results from earlier internal versions used a different base model and are not carried forward.

Deliberately Gated

Sentinel-R2.1 is an offensive-security model. That capability makes responsible distribution a product requirement, not a footnote.

The repository is publicly visible on Hugging Face, but access to the weights is gated. Requesters must confirm that they are authorized users, agree to use the model only against systems they have explicit permission to test, and accept the proprietary license terms.

The model must not be used for unauthorized access, disruption, data theft, or testing outside an agreed scope. It should also not be operated unattended. Every proposed command should be reviewed, and every deployment should include clear target restrictions, network isolation, logging, and human oversight.

Sentinel can make mistakes. Its commands and explanations are hypotheses to validate, not ground truth. It is an aid for skilled operators, not a substitute for them.

Accessing Sentinel-R2.1

Authorized teams can request access from the model page:

  1. Visit glyphsoftware/sentinel-r2.1
  2. Review and accept the repository’s access conditions
  3. Submit the access request using your Hugging Face account
  4. After approval, authenticate with a permitted Hugging Face token and load the merged weights

The model works with the Hugging Face Transformers ecosystem and can also be served through compatible runtimes such as vLLM and SGLang. Recommended generation settings and the expected tool-call format are documented in the model card.

What Comes Next

Sentinel-R2.1 is a step toward security agents that are more useful across the entire assessment lifecycle—not only finding a possible weakness, but connecting evidence, explaining impact, and producing remediation that defenders can act on.

We’ll continue evaluating the model in controlled environments, expanding the coverage and quality of its training trajectories, and improving the guardrails around agentic execution.

For licensing, access, or security inquiries, contact Glyph Software.