Capstone week. You ship the artefact you have been building since Module 4: the CVE-2025-65106 reproduction, the detector tool, the cross-language Gonja write-up, the six-to-eight-page coordinated-disclosure-style report, and the five-minute recorded demo.
Reading
- Re-read CAPSTONE.html in week 9 so the Week-10 sprint is against a clear target.
- Optional: scan prior cohort capstone reports in the academy archive (instructor will share the URL).
Lecture
Roughly three hours across two sessions. Key arc:
- Capstone scope review. Tier 1 versus Tier 2 versus Tier 3 in CAPSTONE.html.
- The demo discipline. What to show in five minutes and what to skip.
- The report discipline. Reproduction depth, OWASP mapping precision, cross-language pointer, disclosure-register.
- Reproducibility. Your requirements.txt has to let a stranger rebuild the virtualenv.
- The cohort showcase. Live demos in front of your peers.
Lab pack
Lab Pack 10 is the capstone delivery package. See Lab Pack 10.
Tools you will use
- Whichever subset of the course-wide tool corpus you actually used.
- Your student repo as the deliverable container.
- OBS or your screen-recorder of choice for the demo capture.
OWASP LLM and ASI anchor
The capstone report is the integration point for every OWASP mapping you have made across the course: LLM01 (specific sub-class), the ASI items applicable to the LangChain architecture, the cross-language pointer, and the disclosure-register conformance.
Reflection prompts
- What did you choose to do for Tier 2 versus Tier 3, and why?
- What did you choose to leave out of the report, and why?
- If you had another two weeks, what would you add to the detector tool?
What is next
AI-201 picks up the agentic-system pentesting work and points at production scale. The detector tool you shipped is the kind of artefact AI-201 students start from.