Two intensive weeks. No lecture. You build, document, polish, defend. The Week 13 final session is the 20-minute oral defense. The course's last piece.
Theme
The capstone is what shipping looks like. Weeks 1-11 built the methodology and the tool foundation; Weeks 12-13 are the application of that foundation to a portfolio-quality deliverable.
The deliverable: Tool v1.0 (Python package per CAPSTONE.md spec), CERT/CC-grade disclosure report on the SB6141 CSRF, 20-minute oral defense before a three-reviewer panel. The grading rubric is 40% tool, 30% report, 30% defense + ethics.
The two weeks have specific shapes:
Week 12: build + draft. Close the Week 11 workshop's P1 items first; then P2. Tool v1.0 packaging (pyproject.toml, LICENSE, CHANGELOG); pytest expansion (regression + edge cases); README rewrite. Disclosure report applied to SB6141 specifically (Lab 9's hypothetical template becomes SB6141-grounded prose). One mock defense at mid-week.
Week 13: polish + defend. Final report revisions; tool documentation polish; pyproject.toml installation verification; rehearse the defense. Defense day: 8-minute presentation; 12-minute Q&A; panel deliberation.
The grading panel evaluates the work as if it were a real engagement deliverable. The capstone fails if either the tool or the report is below the practitioner-acceptable bar; both legs must be solid.
By the end of Week 13 you have shipped a Git repository the academy adds to your portfolio. The repository is the artifact you cite in cover letters, in interviews, in conversations with industry mentors. The discipline that produced it is the discipline that distinguishes ADV-101 graduates from script-kid enthusiasts.
Schneier weave (~285 words, A Hacker's Mind Ch 22 / Conclusion)
Schneier closes A Hacker's Mind with the argument that the discipline of finding loopholes is morally neutral but practically directional. The same techniques that build secure systems are the techniques that break insecure ones; the same close-reading that finds tax loopholes finds policy gaps that protect children; the same constraint-and-creativity that hacks election rules hacks safety regulations. What makes the work moral, Schneier argues, is the direction and the discipline.
ADV-101's capstone is the academy's articulation of that argument applied to vulnerability research. The student has spent 13 weeks building one CVE's reproduction methodology. The technical work could, in different hands and without the framework, be the basis for a CFAA prosecution. The same technical work in the academy's framework is the basis for a portfolio piece that signals professional discipline to industry employers.
The difference is the framework: the cohort authorization document; the per-session lab portfolio; the safety controls in the tool; the negative scope in the report; the personal ethics statement. Each artifact is a commitment to operating within the discipline that distinguishes research from felony. Each artifact accumulates across the cohort to form the audit trail that any future reviewer can examine.
Schneier's broader argument is that the hacking discipline IS the work. The CVE the academy chose (the SB6141 CSRF) is not particularly novel; the methodology that surrounds the reproduction is. ADV-101 graduates carry the methodology forward into careers; the carrying-forward IS the academy's product.
The capstone defense is the moment when the carrying-forward becomes visible. The panel watches not for technical novelty (none expected; the CVE is from 2015) but for discipline: did the student internalize the framework; can they defend it; do they understand what makes the work professional rather than transgressive.
Reading list (Weeks 12-13; ~1 hr total; light)
The capstone work IS the practice; reading is light.
- Schneier, A Hacker's Mind, Ch 22 / Conclusion (academy library; calibre id 677). The closing argument; reads in 30 minutes.
- Three published CERT/CC vulnerability notes (your choice; pick ones in the consumer-device or web-application space; informs your capstone report's voice).
- A capstone-presentation example (if academy has prior-cohort recordings; otherwise generic Toastmasters-style technical-presentation guidance).
- PEP 8 at https://peps.python.org/pep-0008/. Style guide; tool v1.0 should pass a lint check.
Weekly plan (operator-recommended)
Week 12
Day 1-2 (Mon-Tue): Tool packaging.
- Create `pyproject.toml` with PEP 621 metadata.
- Create `LICENSE` file (MIT or Apache 2.0).
- Create `CHANGELOG.md` with v0.1 / v0.2 / v0.3 / v1.0 sections.
- Add `[project.scripts]` entry so `sb6141-csrf` is a callable command.
- Verify: `pip install -e .` from a fresh clone; `sb6141-csrf --help` works.
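A `pyproject.toml` of the shape the Day 1-2 checklist asks for, as an added example (not the cohort's own file): PEP 621 metadata under `[project]`, the `[project.scripts]` entry that makes `sb6141-csrf` a console command, and the dev tools named later in the plan (pytest, pytest-cov, ruff). The module path `sb6141_csrf.cli:main`, the version, the build backend, the Python floor and the author placeholder are assumptions; fill them in from CAPSTONE.md and your own package layout.

```toml
[build-system]
# Assumption: setuptools as the PEP 517 backend; any PEP 621-aware backend works.
requires = ["setuptools>=68"]
build-backend = "setuptools.build_meta"

[project]
name = "sb6141-csrf"
version = "1.0.0"                      # matches the v1.0 section of CHANGELOG.md
description = "Authorized reproduction tool for the SB6141 CSRF (CERT/CC VU#419568)"
readme = "README.md"
license = {file = "LICENSE"}           # the LICENSE file created in the same step
requires-python = ">=3.10"             # assumption
authors = [{name = "STUDENT-NAME-PLACEHOLDER"}]
# Runtime dependencies go here; the page does not list them, so none are assumed.
dependencies = []

[project.optional-dependencies]
# Installed with `pip install -e ".[dev]"`; used on Day 3 and Week 13 Day 3.
dev = ["pytest", "pytest-cov", "ruff"]

[project.scripts]
# Makes `sb6141-csrf --help` resolve after `pip install -e .`.
# Assumption: the entry point lives in sb6141_csrf/cli.py as main().
sb6141-csrf = "sb6141_csrf.cli:main"

[tool.ruff]
line-length = 88
```

The fresh-clone check from the list (`pip install -e .` then `sb6141-csrf --help`) exercises exactly the `[project.scripts]` line: if the module path is wrong, the install succeeds but the command fails at first call, so run the check from a clean virtualenv rather than the one you developed in.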
Day 3 (Wed): Tool tests + documentation.
- Expand pytest suite to 12+ tests (happy paths, edge cases, regression for a bug you found).
- Add inline docstrings to every public function.
- Create `SECURITY-MODEL.md` documenting the safety controls explicitly.
- Rewrite `README.md` to 200-word install + usage + safety-controls form.
Day 4-5 (Thu-Fri): Disclosure report.
- Take Lab 9's hypothetical-template; rewrite each of the 12 sections for the SB6141 case.
- Embed Lab 8's CVSS scoring + per-metric justification.
- Write the SB6141-specific negative scope.
- Document the EOL-vendor scenario in the disclosure timeline.
Day 6 (Sat): Mock defense + revisions.
- 20-minute mock with a cohort peer (8-min presentation + 12-min Q&A).
- Capture the peer's gap-questions; address before Week 13.
Week 13
Day 1-2 (Mon-Tue): Disclosure-report polish.
- Final revisions based on mock-defense feedback.
- Reproducibility check: have a peer follow your reproduction steps.
- Cross-check all references; verify URLs work.
Day 3 (Wed): Tool polish.
- Run lint (ruff or flake8); fix issues.
- Verify pytest suite passes from fresh clone in <30 seconds.
- Verify `pip install -e .` and `sb6141-csrf --help` from fresh clone.
- Verify the LICENSE and CHANGELOG are committed.
Day 4 (Thu): Defense rehearsal.
- One more mock defense with the same or different peer.
- Refine the demo script (which terminal commands to run; in what order).
- Anticipate panel questions; prepare answers.
Day 5 (Fri): Final polish + lab portfolio finalization.
- Append Week 12-13 sessions to lab portfolio.
- Verify all artifacts committed to Git; verify the remote is up to date.
- Walk through the lab portfolio end-to-end; confirm the audit trail is complete.
Final session (Sat or per cohort schedule): Capstone defense.
- 20 minutes per student.
- Bring: laptop with terminal showing the tool; the disclosure report (printed or on screen); the lab portfolio.
- Panel: ADV-101 instructor + academy alumnus + external practitioner.
Demo-script template
The 8-minute presentation portion of the defense follows this rough script (~60 seconds per beat):
- What this is (60s). "This is a tool and a report for the SB6141 CSRF, CERT/CC VU#419568. The tool reproduces the vulnerability under authorization; the report documents the reproduction in CERT/CC-grade format."
- The tool's safety model (60s). "Three safety controls: fingerprint-or-refuse; --authorized-by required; --dry-run default-on. Let me show you." (Live demo of `sb6141-csrf --help`.)
- Live dry-run (60s). "Here's what the tool does when invoked correctly." (Live `sb6141-csrf --target 192.168.100.1 --authorized-by "demo"` showing the dry-run output.)
- The CVD report sections (90s). "The report has 12 CERT/CC sections. Let me walk through three: the reproduction (this is what makes the report verifiable); the CVSS scoring (this is what makes it comparable); the negative scope (this is what makes it defensible)." (Slide or screen-share of report.)
- What I found (60s). "Here is one bug I found in my own tool during development." (The reflective-depth paragraph.)
- What I would do differently (60s). "Here is what I would change if I had another two weeks." (The other reflective-depth paragraph.)
- Why this work matters (60s). "The CVE is from 2015; the device is EOL. The methodology is what transfers. The methodology is what I carry forward into the next CVE I'll work on."
- Close (30s). "Questions."
Total: 8 minutes.
Q&A preparation
Anticipated questions per category. Prepare 30-second answers for each:
Technical. "Walk me through the CSRF mechanic." / "Why does the SB6141 authenticate by network position only?" / "What did you observe in the Burp Suite capture that mattered for the tool's design?"
Safety controls. "What happens if I run your tool against my home router by accident?" (Demo the fingerprint-refusal live.) / "Why is --dry-run the default?" / "Can I bypass --authorized-by?"
CVSS. "Walk me through your vector. Defend the C metric." / "If I claim the score should be 6.5, not 8.3, what's your response?"
Disclosure. "What's the academy's CVD policy when the vendor is EOL?" / "Walk me through the report's negative scope; what specifically does it exclude and why?"
Ethics. "Your Lab 10 ethics statement says you 'escalate to instructor before proceeding' in scope-ambiguous cases. Walk me through a specific scenario."
Limits. "What's the next CVE you'd take on after this cohort?" / "If you found a similar bug in a current-shipping vendor's device tomorrow, what would your timeline be?"
Disclosure-Ethics Sidebar (final)
| Norm system | Capstone | What the deliverable demonstrates |
|---|---|---|
| Responsible disclosure | The CVD report applies the framework to a specific CVE | The student has internalized the framework, not just memorized it |
| Academic ethics | The lab portfolio shows the full audit trail | The work was conducted under documented authorization throughout |
| Legal authorization | The tool's safety controls + the report's negative scope + the ethics statement | The graduate is positioned to operate in industry without becoming a prosecution example |
The capstone IS the academy's product. The student carrying the deliverable forward is the academy's contribution to the security industry.
Lab (the capstone itself)
Reference CAPSTONE.md for the full specification. The deliverable is documented there; the rubric is documented there; the submission instructions are documented there.
Independent practice
The capstone IS the independent practice for Weeks 12-13. ~25-30 hours total.
Reflection prompts (after defense)
Write within 48 hours of the defense; the immediacy captures the experience.
- The defense panel asked one question you had not anticipated. What was it? How would you answer it if you had another minute?
- What did the mock defenses (Week 12 and Week 13) catch? What did they miss?
- The capstone deliverable will live in your portfolio for years. What would you change tomorrow if you reopened the repo?
- The 13-week course is over. Name three things you internalized that you did not know in Week 1.
- What's next in your offensive-security path?
Adversary Diary (capstone)
Final additions:
- `pyproject.toml` PEP 621 metadata.
- `pytest --cov` for capstone test-coverage measurement (optional).
- PEP 8 / `ruff` for capstone lint discipline.
- The capstone repository itself. Your portfolio piece.
What would a reviewer ask?
(Compiled from the Anticipated Questions section; rehearse the answers; the defense is the live demonstration.)
What comes next
The course ends. You become a Belt-4 ADV-101 graduate. Three paths typically open:
- OSCP+ preparation. ADV-101 + PEN-101 is the academy's OSCP-prep sequence; plan ~3-6 months of OffSec PEN-200 self-study; sit the OSCP+ exam.
- Industry vulnerability-research role. Your capstone repository is a portfolio piece; the academy's industry-partner network may refer you for vuln-research roles.
- ADV-102 (LLM-CVE variant; in roadmap). Same methodology applied to a different attack surface; future cohorts.
The discipline is the discipline. Carry it forward.
Capstone weeks specification v0.1.