The Elephant in the Room

Anthropic just released Claude Fable 5 — their most capable model to date, sharing weights with the restricted “Mythos 5” variant. The benchmarks are impressive: SWE-Bench Pro at 80.3% (vs. GPT-5.5 at 58.6%), CursorBench at 72.9%, and a million-token context window. It’s the most powerful general-purpose model available.

It’s also the wrong tool for red teaming.

Fable 5’s public version includes safety guardrails that silently degrade security-related prompts by falling back to a less capable model (Opus 4.8) without telling you. It retains all traffic for 30 days. And it silently throttles prompts related to frontier AI development — no warning, no explanation, just a weaker answer. For anyone doing security research, adversarial testing, or red teaming, these aren’t features. They’re handicaps.

The same is true for most commercial AI providers. They offer capability on the surface, but the guardrails, data retention policies, and usage restrictions make them unsuitable for the work that actually matters in security.

What you need is models you can control. Free. Open. Unshackled.

The Local Stack

Qwen2.5-Coder-32B (Abliterated)

The abliterated variant of Qwen2.5-Coder-32B is the current community champion for local security work. “Abliterated” means the safety alignment has been removed — the model will actually attempt security-related prompts instead of refusing them.

Specs: ~33B parameters, GGUF format, Q4_K_M quantization at ~19GB.

Requirements: 24-32GB RAM for Q8, ~16-20GB for Q4. Runs on a Mac with sufficient memory or any machine with a modest GPU.

Strengths: Code generation, proof-of-concept scripts, CVE analysis, tool syntax. The community benchmarked it across security tasks and it came out on top for unrestricted local inference.

Weakness: On highly novel or complex operations, it can hallucinate. It’s excellent for foundational security work, but don’t expect it to discover zero-days.

Install: Download the GGUF from mradermacher/Qwen2.5-Coder-32B-Instruct-abliterated-GGUF and load it into LM Studio. The Q4_K_M quantization offers the best quality-to-size ratio.

Llama 3.3 70B

Your general-purpose workhorse. GPT-4-class performance on a 32GB+ Mac. Use it for broader reasoning tasks, code review, and when you need a model with wider knowledge coverage.

Requirements: ~40GB for Q4, ~80GB for Q8.

Strengths: General reasoning, code, structured output, broad knowledge.

Weakness: Non-abliterated — it will refuse security-related prompts. Keep it for general work, not red teaming.

DeepSeek-R1 (Quantized)

The reasoning model. Chain-of-thought capabilities make it excellent for vulnerability analysis, debugging, and structured problem-solving.

Requirements: ~16GB for 14B, ~80GB for 70B.

Strengths: Step-by-step reasoning, vulnerability analysis, structured output.

Weakness: 64K context is limiting for large codebases.

When Local Isn’t Enough

There will be tasks that exceed your local hardware. That’s where cloud API providers for open models come in — no guardrails, no data retention, pay-as-you-go pricing.

Together.ai

The broadest model catalog of any open-model host. DeepSeek, Llama, Qwen, Kimi, GLM, and more — all available via an OpenAI-compatible SDK.

Pricing: $0.05 to $9.00 per million tokens. No monthly minimums. $5 free credit on signup.

Go-to models:

  • DeepSeek V3.1 ($0.60/$1.70) — current open-source flagship. Best cost/quality ratio.
  • Llama 3.3 70B ($0.88/$0.88) — flat pricing, excellent balance.
  • Llama 3.1 405B ($3.50/$3.50) — the most capable open model available. Expensive, but unmatched for heavy lifting.

Why Together: LoRA fine-tuning support, dedicated deployments, and the broadest model selection at competitive prices. For security work where you need more than local models can provide, this is the default choice.

Groq

5-10x faster than competitors on identical models using custom LPU chips. Narrower model catalog, no fine-tuning, but unmatched speed.

Best for: Speed-critical work, real-time analysis, high-throughput scanning.

Fireworks AI

Slightly cheaper on Llama 3.1 405B ($3.00 vs $3.50 on Together). Strong on function calling and production deployments.

Best for: Specialized workloads, custom model deployment, function-calling-heavy tasks.

The Tools

Garak (NVIDIA) — Model-Level Scanning

Garak is what nmap is for networks — a vulnerability scanner for LLMs. It probes for 120+ attack types: prompt injection, jailbreaks, data leakage, hallucination, malware generation, XSS, and more.

Install:

pip install -U garak

Run against a local LM Studio instance:

garak --target_type openai --target_name qwen2.5-coder-32b-abliterated --probes dan,promptinject,encoding,malwaregen

License: Apache 2.0. Fully free. No paywall.

Promptfoo — Application-Level Red Teaming

Garak tests models. Promptfoo tests applications. It covers RAG context poisoning, agent tool misuse, memory poisoning, and API data exfiltration — the layers that matter in production.

Setup:

npx promptfoo@latest redteam setup

Configuration (promptfooconfig.yaml):

targets:
  - label: "Qwen Abliterated Local"
    id: openai:qwen2.5-coder-32b-abliterated
    config:
      model: openai:qwen2.5-coder-32b-abliterated
      temperature: 0.7
      base_url: http://localhost:1234/v1

Strengths: Application-layer testing, compliance mapping (OWASP, NIST, MITRE ATLAS, EU AI Act), CI/CD integration, web UI.

License: MIT. Free tier available.

PyRIT (Microsoft) — Multi-Turn Attack Framework

PyRIT automates sophisticated multi-turn attack strategies — Crescendo, TAP (Tree of Attacks and Prompts), Skeleton Key. It’s for when you need adversarial probing that escalates over multiple turns rather than single-shot probes.

Install:

pip install pyrit-ai

Configure for a local model:

from pyrit.common import default_values
default_values.load_default_env()

from pyrit.prompt_target import OpenAIChatTarget
target = OpenAIChatTarget(
    endpoint="http://localhost:1234/v1",
    api_key="dummy",
    model_name="qwen2.5-coder-32b-abliterated"
)

Strengths: Multi-turn escalation, sophisticated attack strategies, Python-native.

DeepTeam

40+ vulnerabilities mapped to OWASP Top 10 for LLMs. Automated scanning with structured output. Less mature than Garak or Promptfoo, but worth knowing about.

The Bottom Line

The open-source AI ecosystem has reached a point where security professionals no longer need to choose between capability and control. The abliterated Qwen2.5-Coder-32B running locally will outperform commercial models on security-specific work because it won’t refuse your prompts. Together.ai and its peers provide cloud-scale power when you need it, without the data retention or silent throttling.

Claude Fable 5 is the most capable model available. It’s also the least suitable for red teaming. The guardrails that make it “safe” for general users are actively counterproductive when your job is to push boundaries.

You don’t need a more powerful model. You need one that doesn’t fight you.

All pricing and model availability accurate as of June 2026. The open-source AI landscape moves fast — verify current specs and pricing before deploying anything production-critical.