SEC-101 Instructor Guide

For instructors and homeschool parents running SEC-101. The course is self-runnable from the student-facing materials; this guide adds pacing context, common stumbling blocks, the capstone grading rubric, and guidance on handling the dual-use sensitivity of this content.

Course shape at a glance

Cohort pacing recommendations

• Self-paced (one student): 14 calendar weeks is comfortable. Students with prior security exposure may move faster through Weeks 1-3 (threat modeling).
• Homeschool (1-3 students): 14 weeks at one module per week. The STRIDE workshop in Week 3 and the Juice Shop labs in Weeks 6 and 9 are well-suited to side-by-side sessions.
• Classroom (10+ students): 14-17 weeks. Weeks 6-9 (three consecutive OWASP Top 10 weeks + Juice Shop labs) are the most demanding; plan for carry-over or extended lab sessions.
• Intensive (full-time, ~3 weeks): 116 hours at ~7 hours/day = 17 working days.

Per-week pacing notes and common stumbling blocks

Week 1: Security mindset

Pacing: The CIA triad and Saltzer-Schroeder principles section is conceptual and goes quickly. Spend more time on the authorization discussion: "operating without authorization is not just unprofessional; it is criminal" is the course's foundational statement and should be covered seriously, not rushed.

Common blocks:

• Students conflate "security" with "privacy." Clarify: security is about controls; privacy is about data minimization and purpose limitation. Both are important; they are different concerns.
• Students ask "what's the point of CTF if real attacks are illegal?" Reinforce: CTF platforms are explicitly authorized environments designed for this training. The authorization is the whole point.

What to watch: Students who struggle with the ethical framing in Week 1 will struggle with the CVD content in Weeks 11-12. Address the mindset early.

Week 2: Threat modeling I

Pacing: The STRIDE mnemonic needs to be drilled, not just mentioned. Have students recite the six categories from memory at the end of class. The DREAD historical discussion should be brief (10 min max); it is context, not content.

Common blocks:

• Students generate only Spoofing and Denial of Service threats, missing Repudiation, Tampering, Information Disclosure, and Elevation of Privilege. Prompt: "For this element, what would happen if the audit log was missing?" (Repudiation) and "who is authorized to modify this data, and what if someone else modifies it?" (Tampering).
• Students list every conceivable threat regardless of likelihood. Guide them to threats that are plausible given the threat model's context, not theoretical worst cases.

Week 3: Threat modeling II

Pacing: The "exists vs. enforced" distinction is the week's key insight. Spend at least 20 minutes on concrete examples. The workshop is where students discover their own threat models have enforcement gaps; this discovery is more valuable than the lecture.

Common blocks:

• Students draw trust boundaries that enclose the entire internet. Clarify: the boundary is where your control ends, not where the internet begins. A CDN you use is inside your operational trust boundary even though it is someone else's infrastructure; user input is always outside.
• Students are confused by the Lab 6 timeline: Lab 6 is in Week 3 even though it is numbered Lab 6. The numbering reflects domain grouping (Labs 1-3 cover security fundamentals; Lab 6 is the threat-model deliverable), not week order. This is normal; explain it explicitly.

Weeks 4-5: Cryptography I and II

Pacing: Weeks 4 and 5 are conceptually dense. Do not try to cover every cipher; focus on the properties (AEAD, pre-image resistance, slow KDF) rather than the implementations. Students who understand WHY bcrypt is better than MD5 are better served than students who can name every parameter of argon2id.

Common blocks:

• Students confuse hashing with encryption. Drill: "Can you get the original data back from a hash?" No. "Can you get the original data back from encryption with the key?" Yes. These are fundamentally different operations.
• Nonce reuse in AES-GCM: students have trouble internalizing why this is catastrophic. Lab 3 Part C (observing AES-GCM vs. AES-ECB) helps; the ECB penguin analogy is also useful.

What to watch: Students who cannot explain the difference between a password hash and an encryption key by the end of Week 5 will struggle with the authentication content in Week 6.

Week 6: Authentication and authorization

Pacing: The "authentication vs. authorization" distinction needs to be made concrete with examples, not just definitions. The IDOR example in Week 8 is a good forward reference.

Common blocks:

• Students think MFA is "very secure" and cannot be bypassed. Clarify: TOTP does not protect against real-time relay attacks (AiTM phishing). WebAuthn does. These are different threat models.
• JWT misconceptions are common: students think JWTs are encrypted. A signed JWT is only signed, not encrypted. The payload is Base64-encoded and readable by anyone. Only the signature is verified. Students should base64-decode a JWT from a public demo to see this directly.

Weeks 7-9: OWASP Top 10

Pacing: Three weeks on the OWASP Top 10 can feel repetitive. Anchor each week to the Juice Shop lab for that week's categories. The lab is where the categories become concrete.

Common blocks:

• Students are intimidated by SQL injection. Reinforce: the goal in SEC-101 is to understand the mechanism, not to master it. The instructor-led sqlmap demo in Week 7 is intentionally "wow, that was easy" -- the defensive lesson lands because the attack is simple.
• XSS confusion between reflected, stored, and DOM-based variants. The clearest distinction: where is the malicious script stored? (In the URL, in the database, or in the page's own JavaScript.) Lab 7 forces students through all three; the Juice Shop score board distinguishes them.

Dual-use posture: Week 7 includes a sqlmap demonstration. This is appropriate at SEC-101's level (understanding injection mechanics, not mastering the tool). Instruct students to run sqlmap ONLY against their Juice Shop localhost instance. Any student who runs sqlmap against a system they don't own or control is outside the course's scope and potentially violating CFAA. Address this explicitly before the demo.

Week 10: Blue-team operations

Pacing: The MITRE ATT&CK section needs to be paced as "reading literacy," not memorization. Students do not need to memorize technique numbers; they need to be able to navigate the ATT&CK site and understand what they find.

Common blocks:

• Students feel overwhelmed by the breadth of ATT&CK (hundreds of techniques). Reinforce: you are learning to read a reference document, not memorize a textbook. The navigation skill is the deliverable.

Weeks 11-12: CVD I and II

Pacing: These two weeks are where the course's ethical framing is formalized. Students who rushed past the Week 1 authorization discussion need to engage with it here. Deliverable D3 (ethics reflection, Week 12) is not an afterthought; grade it seriously.

Common blocks:

• Students struggle with the CFAA because the language is ambiguous ("without authorization" has been interpreted inconsistently). Acknowledge the ambiguity, then reinforce the practical rule: explicit written permission before testing, every time.
• Students find ISO 29147 dense. Summarize: it says "vendors, have a process for receiving vulnerability reports and responding to them in a reasonable time." The CERT/CC guide is more readable.

How to handle the dual-use sensitivity: Weeks 11-12 are where students learn CVD and safe-harbour language. Some students ask whether they should start filing bug reports on real services now that they know how. Guidance: if a bug-bounty program is in scope for a service you use, and you find a vulnerability through normal use of that service (not active testing), reading the program's disclosure process is appropriate. Active testing of any service without being in scope is not within SEC-101's authorization. PEN-101 covers engagement scoping.

Week 13: Capstone scoping

Pacing: The Week 13 workshop's outline sign-off is the most important gate in the capstone process. Students who start drafting without sign-off often choose topics they cannot adequately research or frame their report at the wrong audience level. Check three things: (1) does the CVE have three adequate primary sources? (2) does the student understand the mechanism at the level needed for Section 2? (3) is the student actually writing for the non-specialist audience?

Common blocks:

• Students pick a CVE they find emotionally interesting rather than one they can explain well. Dirty COW and Spectre/Meltdown are exciting but technically demanding. Students who are less comfortable with operating-system internals will write better capstones on Heartbleed (a network protocol vulnerability) or Log4Shell (a logging configuration vulnerability).

Week 14: Capstone delivery

Pacing: Week 14 is submission week. Do not add new lecture content. Use any class time for questions and capstone polishing.

Common blocks:

• Undersized Section 2 (why it worked): students summarize rather than explain. Check that the mechanism is actually explained, not just named. "The buffer was overflowed" is naming. "The Heartbleed extension handler allocated the response buffer based on the length value in the client's HeartbeatRequest without verifying that the client actually sent that many bytes" is explaining.
• Missing timeline diagram: students write the report but forget the diagram. Remind explicitly in Week 13.
• Single-commit repositories: check that the repo has three commits before accepting the submission.

Grading rubric for the capstone

Tier 1: Pass/fail gate

Before scoring, verify:

• The report covers a real CVE from the curated list or an approved alternative.
• The technical mechanism described is accurate. Check the Section 2 description against the CVE record and at least one primary source.
• No paragraph-level copying (plagiarism check; use any standard plagiarism tool).

Reports that fail Tier 1 are returned for revision with specific feedback. Students who pass Tier 1 proceed to Tier 2 scoring.

Tier 2: Scored rubric

Dual-use sensitivity and scope

SEC-101 is a broad literacy course. The offensive content -- sqlmap, Juice Shop exploitation, CVE analysis -- is at the vocabulary level, not the operational level. PEN-101 and ADV-101 take the operational step.

Guidelines for handling dual-use content:

1. Juice Shop labs: All exploitation is against localhost or an instructor-provided authorized URL. Review this constraint at the start of Labs 5 and 7.

2. sqlmap demonstration (Week 7): Instructor-led, against a deliberately-vulnerable target. Students watch; they do not run sqlmap against any target they don't own. This is the appropriate level for SEC-101.

3. CVE research and capstone: Reading CVE records, public advisories, and security researcher blogs is legal and appropriate. Reproducing the exploit against a real target is not within SEC-101's scope (that is ADV-101 and PEN-101).

4. picoCTF: Explicitly authorized by the platform design. Students operate within picoCTF's terms at all times.

If a student asks "can I test this against [real website]?" the answer is: not in this course. PEN-101 covers how to obtain written authorization for authorized penetration testing engagements. Until then, the answer is always "only against systems you own or systems in a bug-bounty scope where you are within the stated scope."

Forward pointers for instructors

When students ask "what comes next?":

• PEN-101 entry: The OWASP Top 10 fluency (Weeks 7-9) and STRIDE threat modeling (Weeks 2-3) are the PEN-101 foundations. Students who cannot explain at least five OWASP Top 10 categories and produce a STRIDE model should review before starting PEN-101.
• RE-011 entry: The vulnerability-class vocabulary (buffer overflow, format string, use-after-free, injection) introduced in Weeks 7-9 is the RE-011 prerequisite vocabulary. Students who have begun reading Erickson's Hacking: The Art of Exploitation during SEC-101 arrive at RE-011 prepared.
• ADV-101 entry: The CVE-walk skill from Lab 8 and the Log4Shell case study from Week 9 are the ADV-101 foundation. Students who can independently read an NVD entry, score CVSS v3.1, and find independent write-ups are prepared.
• WIR-101 entry: STRIDE's Spoofing and Elevation of Privilege categories apply to 802.11 attacks; the CVE-walk skill from Lab 8 applies to wireless CVE research (KRACK, Dragonblood). Students ready for WIR-101 can read a wireless security advisory without a glossary.

What SEC-101 does NOT teach

• Penetration testing methodology: The methodology, scoping, and reporting of authorized penetration tests is PEN-101. SEC-101 teaches the vocabulary that scoping uses, not the engagement itself.
• Binary exploitation depth: Buffer overflow mechanics are named in Week 7 and referenced in picoCTF challenges; RE-011 and RE-101 work through them at the assembly level. SEC-101 introduces the category name and the OWASP framing.
• Malware analysis: SEC-101's MITRE ATT&CK week introduces the adversary-behavior vocabulary; malware analysis is ADV-101 and RE-101.
• Wireless attack tools: WIR-101's aircrack-ng, airodump-ng, etc. are out of scope for SEC-101. The SEC-101 wireless forward pointer is vocabulary-level (KRACK as an OWASP-style CVE case study, not a tool walk-through).

Instructor guide v0.1. Revise after first pilot cohort runs.