Open-Weight LLM · Private & Custom AI

HarmBench-Llama-2-13b-cls

A specialized behavioral classifier for red-teaming and safety validation—use it to automate harmful-output detection in your custom AI systems before they reach users.

HarmBench-Llama-2-13b-cls is a 13B classifier trained to identify harmful, undesirable, or off-policy generations across standard and contextual scenarios. Built on Llama-2 and distilled from GPT-4 judgments, it achieves 93%+ agreement with human safety raters. For ops teams, it's a deployable guardrail: run it privately to audit your LLM outputs, flag risky completions, and enforce behavioral boundaries without external API calls or vendor lock-in.

13B
Parameters
mit
License (OSI/permissive)
Unknown
Context
46.9k
Downloads

Model facts

Developercais
Parameters13B
Context windowUnknown
Licensemit — OSI/permissive
Tasktext-generation
GatedNo
Downloads46.9k
Likes31
Updated2024-03-17
Sourcecais/HarmBench-Llama-2-13b-cls

Private deployment

Run HarmBench-Llama-2-13b-cls in your own environment

Self-host on a single GPU (24–40GB VRAM depending on quantization). Deploy in your VPC, air-gapped environment, or on-premises—the model and all inference stay within your boundary. No data leaves your systems; you control the classification logic entirely. Suitable for companies processing sensitive domains (finance, healthcare, legal) where external safety APIs are non-starters.

Operational AI use cases

01

Automated Content Moderation in Customer Support

Run the classifier on outbound support-bot responses before they ship. Flag harmful, biased, or off-policy outputs in real time. Reduces manual QA burden and ensures brand-safe interactions at scale.

02

Internal Knowledge-Base & Document Screening

Classify internally-generated docs, FAQs, or training materials flagged by your ops team. Catch unintended harmful content in company knowledge systems before they propagate to agents or customer-facing systems.

03

Red-Teaming & Model Validation in CI/CD

Integrate into your model evaluation pipeline: generate candidate outputs, run them through this classifier, and block unsafe models from production. Automates safety checkpoints without waiting for external review.

Custom AI

As a base for custom AI

Wrap this classifier into a custom safety layer for any in-house LLM product. Use it as a guardrail component in a larger AI system: pair it with your own base model, add domain-specific rules, and ship a robust safety boundary. Template prompts (standard + contextual) are pre-built, reducing iteration time.

In the operating system

Where it fits

A **safety/guardrail node** in the knowledge and agent layers. Sits downstream of your core LLM inference; before responses reach users, workflows, or external systems. Complements workflow orchestration (Langchain, n8n) and agent frameworks by providing deterministic, private behavioral validation.

Data control & security

All classification happens within your infrastructure. No generation text, user prompts, or metadata touch external services. You retain full audit logs and can implement custom data retention/deletion policies. Note: the model itself is not inherently 'secure'—security is an architecture property of how you deploy and isolate it.

Hardware footprint

**Estimate (VRAM by precision):** FP32: ~52GB | FP16/BF16: ~26GB | int8: ~13GB | int4 (GPTQ/AWQ): ~4–6GB. A single A100 (40GB) handles FP16 comfortably; smaller GPUs or CPU require quantization. Throughput: ~10–50 classifications/sec depending on hardware and batch size.

Integration

Consume via Hugging Face Transformers library (transformers, safetensors format). Accepts standard Llama-2 chat templates. Output is binary ('yes'/'no'). Easy to pipe into Python workflows, REST APIs (via vLLM/TGI), or async job queues. No custom tokenizer or special handling required beyond the provided prompt templates.

When it's not the right fit

  • You need classification in non-English languages or code-heavy contexts outside the HarmBench training distribution—performance degrades.
  • You require real-time classification at ultra-high throughput (100k+ evals/day) without aggressive quantization and batching tuning.
  • Your harmful-behavior taxonomy is highly domain-specific (e.g., financial fraud, medical misinformation) and differs materially from HarmBench's training objectives.
  • You need confidence scores or detailed reasoning—this model outputs only binary yes/no, no explanation or probability.

Alternatives to consider

Llama-Guard (Meta)

Also 13B, broader safety categories. Slightly lower performance (67% vs. 93%), but more established in production. Better for general-purpose moderation.

Mistral-Moderation (Mistral)

Smaller, faster, permissive license. Less accurate but lower overhead; good if you're cost-optimizing at scale.

GPT-4 Moderation API (OpenAI)

Higher accuracy (89%+), but requires API calls, external data flow, and vendor dependency. Use if private deployment isn't a constraint.

FAQ

Can we run this entirely on-prem or air-gapped?

Yes. Download the model weights once, load via Transformers, and run inference on your own hardware—no internet required after initial setup. Ideal for regulated industries.

What's the commercial-use license?

MIT license permits commercial use, including in proprietary products. No attribution or royalty obligations. Review your legal terms for Llama-2 base model dependencies.

How do we integrate this into our LLM pipeline?

Post-process every model output: call the classifier with the provided prompt templates, get 'yes'/'no', and either flag, retry, or block based on your policy. Use vLLM or TGI for batched inference.

Is the model accurate for our specific harms?

It's trained on HarmBench behaviors (racism, violence, privacy, malware, etc.). If your domain is finance or healthcare-specific harms outside this set, test accuracy on a holdout sample first; performance may vary.

Build a Private, Safe AI System

HarmBench is a surgical tool for hardening your custom LLM workflows. Pair it with LLM.co's platform to operationalize safety across your organization—automated guardrails, zero external data leakage, and complete audit control.