Overview
PortShim is designed from the ground up for air-gapped, on-site operations. Every component โ inference engine, model storage, CVE database, and report generator โ runs locally on the operator's machine.
Local Inference Stack
llama.cpp serves as the inference backend with Vulkan GPU offload. The portshim CLI manages the entire lifecycle: server start, model loading, health checks, and graceful shutdown.
Hardware targets: Consumer GPUs with 16โ32 GB VRAM (RTX 4090, RX 7900 XTX, Radeon 8060S). Models run at Q4_K_M quantisation for optimal quality-to-speed ratio.
Three-Model Architecture
Each phase is assigned a model optimised for its task:
- Recon & CVE analysis: Qwen3-Coder 30B (Q4_K_M) โ 447 PP tok/s on Vulkan
- Exploitation & reporting: SuperGemma4 26B (Q4_K_M) โ 525 PP tok/s
- Alternative exploit path: HauhauCS 35B (Q4_K_S) โ 481 PP tok/s
All models are Apache 2.0 or permissive licences โ no restrictions on security use cases.
Pre-Synced Knowledge Bases
Before going on-site, sync the following data:
- CVE database โ Local SQLite copy of known vulnerabilities with CVSS scores
- NSE scripts โ Full nmap NSE library
- Nuclei templates โ Curated set of protocol-specific detection templates
- Device classifiers โ 40+ role signatures for topology mapping
Run python scripts/sync_knowledge.py to update before deployment.
Bootstrap Process
deploy.py handles first-time setup:
- Detects GPU capabilities (Vulkan vs. CPU fallback)
- Downloads the three recommended GGUF models to
~/local-models/ - Initialises the SQLite database and knowledge stores
- Installs the
portshimCLI to the system PATH
Hybrid Mode
When the engagement allows, PortShim supports a hybrid mode: keep exploitation fully local (to avoid API refusals on exploit-specific prompts) while routing reporting and CVE analysis through cloud APIs for faster iteration. Configure via llm-config.py hybrid.