ADV-102 Instructor Guide

How to teach ADV-102. Anchored on the ADV-101 instructor-guide pattern; adapted to the LLM-CVE variant.


What ADV-102 is and is not

ADV-102 is not an LLM-research course. AI-301 fills that lane. ADV-102 is the practitioner's CVE-to-Tool course applied to the LLM stack: one named CVE, full reproduction, defensible detector tool, coordinated-disclosure-style report. The pedagogy is structural; the LLM-era pivot is the pivot the academy chose because the next decade of practical LLM security work lands here. Your job as the instructor is to keep the CVE-to-Tool discipline visible across every module.

Pacing

Ten weeks at two sessions per week of ninety minutes each, plus four hours of structured lab and roughly five hours of independent practice per week. Modules 4 (the reproduction), 6 (the detector tool), and 10 (the capstone) routinely run over; budget extra office-hours capacity for those weeks. Module 7 (the Gonja cousin) is the most enjoyable for students who already know Go and the most frustrating for students who do not; pair Go-fluent students with Go-curious ones from Week 7.

Per-module emphasis

  • Module 1. The mapping table is two pages and it is the only deliverable. Push students to ship a complete table on Week 1 rather than leaving it open. The exercise sets the cadence for the rest of the course.
  • Module 2. The LangChain architecture trace is where some students rabbit-hole on agentic-framework comparisons. Hold them to LangChain only this round.
  • Module 3. The Flask anchor lab is the first time most students see a real SSTI fire on their own machine. The "I just typed {{7*7}} into a form and the server returned 49" moment is the spark; do not skip it in favour of the Module-4 LangChain-specific reproduction.
  • Module 4. The signature lab. The Module-4 reproduction is the artefact every interviewer will ask the student about. Reserve a full lab session for the cohort to ship it together.
  • Module 5. The patch read. Many students will skip to the next module without actually reading the diff line by line; the lab session has to be a guided patch-read on the projector.
  • Module 6. The detector tool. The Seitz-and-Arnold structured-output discipline is the part students under-do; insist on the JSON or YAML report format.
  • Module 7. The Go cousin. Pair students; Go-fluent students who have not seen Gonja can still help Go-curious students bootstrap.
  • Module 8. The disclosure timeline walk. The cohort archive has a timeline template; insist on the structured timeline rather than a free-form essay.
  • Module 9. The packaging and documentation discipline. This is the module where students who under-documented in Module 6 pay for it. Catch them earlier.
  • Module 10. Capstone delivery. Live demos in front of the cohort. Hold a tech-rehearsal session in Week 9.

Common student failure modes

  1. Skipping the anchor lab in Module 3. The generic Flask Jinja2 SSTI looks too simple. It is not. Without it, Module 4 reads as mysterious-LangChain-stuff.
  2. Module 4 dependency drift. If a student does not pin the vulnerable LangChain version in a clean virtualenv, they will hit a fresh version with the patched code and conclude the CVE does not reproduce. Walk the virtualenv hygiene on Day 1 of Week 4.
  3. Detector-tool over-reach in Module 6. Students try to detect every CVE in the agentic ecosystem. Hold them to CVE-2025-65106 only.
  4. OWASP mapping too coarse. Reports map the CVE to "LLM01 Prompt Injection" and stop. The capstone rubric requires the LLM01 sub-class and the ASI risk category.
  5. Disclosure-register slippage. Reports slip from coordinated-disclosure register into bug-bounty-report register. The two are not the same; the cohort archive has prior calibration examples.

Assessment calibration

The 40-30-30 rubric in CAPSTONE.html is non-negotiable. The single most common over-grading failure mode is rewarding reproduction depth (40%) when tool defensibility (30%) collapses. If the detector tool does not skip patched installs cleanly, the score on the tool axis drops two letter grades regardless of how clean the reproduction is.
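
An added example, not part of the course materials: one way a Module 6 detector can gate on the installed version so that it skips patched installs cleanly and emits a structured JSON report, which also makes the Module 4 dependency-drift case visible before a student concludes the CVE does not reproduce. The distribution name `langchain`, the status labels and the `0.0.0` fixed-version value are assumptions and placeholders; the real fixed version comes from the advisory.

```python
import json
from importlib import metadata

CVE_ID = "CVE-2025-65106"        # the single CVE the detector is scoped to
DIST_NAME = "langchain"          # assumption: distribution name to look up
FIXED_IN_PLACEHOLDER = "0.0.0"   # placeholder: replace with the advisory's fixed version

def parse_release(text):
    """'2.0' -> (2, 0, 0, 0); None for anything that is not plain dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # zero-pad so '2.0' equals '2.0.0'

def installed_version(dist_name):
    """Version of a distribution in the current environment, or None if absent."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None

def version_gate(dist_name, fixed_version, installed):
    """Build the report and decide whether the detector should scan or skip."""
    fixed = parse_release(fixed_version)
    if fixed is None:
        raise ValueError(f"unusable fixed version: {fixed_version!r}")
    have = parse_release(installed) if installed is not None else None
    if installed is None:
        status = "not_installed"
    elif have is None:
        status = "undetermined"      # pre-release or local tag: report, do not guess
    elif have >= fixed:
        status = "patched"           # skip cleanly: no findings, no error
    else:
        status = "vulnerable_version"
    return {"cve": CVE_ID, "package": dist_name, "installed": installed,
            "fixed_in": fixed_version, "status": status,
            "scan": status == "vulnerable_version"}

def render(report):
    """Serialize the report as stable, diff-friendly JSON."""
    return json.dumps(report, indent=2, sort_keys=True)

if __name__ == "__main__":
    found = installed_version(DIST_NAME)
    print(render(version_gate(DIST_NAME, FIXED_IN_PLACEHOLDER, found)))
```

A project that ships fixes on more than one release branch needs one threshold per branch; this gate models a single threshold.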

Ethics and legal posture

The reproduction runs against a pinned vulnerable LangChain in the student's own virtualenv on the student's own laptop. The CVE is already patched upstream; the academy does not encourage running the reproduction against any production system. The Module-8 disclosure timeline is structural; nothing actually gets disclosed. If a student finds a novel CVE during the course, the instructor pairs them with an academy reviewer who has CNA experience before any external communication happens.

Cross-track coordination

  • Pairs naturally with AI-201 for students taking the agentic-pentesting track. Schedule ADV-102 to finish a week before AI-201's lab work begins so the detector tool can feed forward.
  • Forward-pointer to AI-301 for the cross-language generalisation work in Module 7. AI-301 picks up the broader bug-class pattern.
  • ADV-101 mirror. The mapping table in Module 1 is the pedagogical bridge. ADV-101 graduates recognise the structure immediately.