Classroom Glossary Public page

ADV-102 Equipment and Setup Guide

What you need before Module 1 and where to get it. Read this once before you install anything.

Required software

  • Python 3.11 or newer. Most distributions ship it; the SETUP video covers the install for the few that do not.
  • venv (the standard library virtualenv tool). Pinned dependency-version reproduction is non-negotiable for CVE work; you will be creating a clean virtualenv per lab.
  • The pinned vulnerable LangChain version (Module 4 target). The exact pin is in the cohort-shared lab-4/requirements.txt; you install it into a clean virtualenv that does not touch the rest of your Python environment.
  • OpenAI or Anthropic SDK keys. The reproduction does not require a model call to demonstrate the SSTI surface, but the cohort labs default to running the LangChain Expression Language pipeline with a real model so students see the agentic context. Either provider works; the SETUP guide walks the key setup.
  • Burp Suite Community. Free download from PortSwigger. ADV-101 graduates already have it; ADV-102 deepens the use against agentic endpoints in Module 6.
  • Flask, for the Module 3 anchor lab. Pip-installable; the SETUP guide pins the version.
  • Go 1.21 or newer, for Module 7. Single-binary download; the SETUP guide walks the install on Linux, Mac, and WSL.
  • Gonja (the Go templating library). Pinned vulnerable version per the cohort-shared lab-7/go.mod.

Optional software

  • The academy in-browser pcap analyzer at virtuscyberacademy.org/pcap-tools/. Used in Module 2 to inspect the HTTP requests LangChain makes to a model API. Same-origin upload is the right path for Module 2 lab work.
  • Mitmproxy or another HTTPS intercepting proxy as a Burp alternative for the Module 6 detector tool's reach-out behavior. Cohort instructor's choice.
  • Volatility 3 if you want to push the Module 6 forensic-trace section deeper; Seitz and Arnold's Black Hat Python Ch 10 has the canonical walkthrough.

No hardware required

ADV-102 is a software-only course. No FPGA, no breadboard, no SDR. The reproduction labs run on whatever laptop your cohort uses. The Module 4 reproduction draws roughly two megabytes of model-API output if you choose to wire in a live provider; the rest is local.

Account setup

  • The academy classroom portal at portal.virtuscyberacademy.org. Same login as ADV-101.
  • An OpenAI or Anthropic developer account if you want the optional live-model reproduction; the SETUP video walks key creation.
  • A private GitHub or GitLab repo for your Module 9 detector-tool publication and Module 10 capstone submission. The instructor will share the academy archive link in Week 1.
  • Optional: a CVE numbering authority watchlist subscription. The Module 8 disclosure-timeline lab references real CNA processes.

First-week checklist

  1. Install Python 3.11+ and confirm python3 -m venv works.
  2. Install Burp Suite Community; launch it once; confirm the proxy listens on 8080.
  3. Set up your OpenAI or Anthropic SDK key in a way you can revoke (per-cohort key, not your main personal key).
  4. Skim the public page at vca-adv-102.html and the LLM-ASI vocabulary handout linked from the classroom index.
  5. Open ADV-102 Course Outline and read the module map.

Ethics, legal posture

The Module 4 reproduction runs on a pinned vulnerable LangChain in your own virtualenv on your own laptop. The detector tool you build in Module 6 scans your own installs by default and only reaches out to remote targets when you explicitly point it. The coordinated-disclosure discipline in Module 8 is structural; you do not actually disclose anything in Week 8 because the CVE is already patched. The capstone artefact stays in a private repo for instructor review unless you and the instructor agree to publish.