The pipeline's security-literacy gate. Students leave with the CIA triad, STRIDE threat modeling, OWASP Top 10, working cryptography vocabulary, CVE-reading discipline, and the professional ethics of coordinated vulnerability disclosure. Required before every downstream offensive or RE course.
Course mission and audience
SEC-101 is the first Virtus Academy course where security is the explicit subject, not background texture. Prior courses (FND-101, NET-101, FND-102) treated the adversarial framing as context. This course moves it to the center.
The audience is students who have completed NET-101 and FND-102: they can read a packet capture, write a Python script, and work comfortably at a bash shell. They are not yet security practitioners. This course bridges that gap.
By the end, the student is not ready to conduct a penetration test. That is VCA-PEN-101. But the student understands the discipline well enough to take the next step, and they know the vocabulary every downstream course assumes.
Position in the pipeline: After VCA-NET-101 + VCA-FND-102. Gates VCA-PEN-101, VCA-RE-011, VCA-RE-101, VCA-ADV-101, VCA-ADV-102, VCA-RE-201, VCA-WIR-101.
What you will know at the end
Listed in Bloom's-taxonomy order:
- Remember -- State the CIA triad; recite the OWASP Top 10 (2021 list, 2025 update flagged); name all six STRIDE threat categories; describe the coordinated-disclosure timeline (vendor notification, embargo, advisory publication, CVE assignment).
- Understand (crypto) -- Explain why "don't roll your own crypto" is technical advice rather than gatekeeping; why password hashes need salts and slow KDFs (bcrypt / argon2 / scrypt) rather than fast hashes (MD5 / SHA-1); why two-factor authentication stops phishing but not post-authentication session hijacking.
- Understand (auth) -- Distinguish authentication from authorization; explain why JWTs are credentials rather than opaque identifiers; identify specific failure modes of stateless sessions around revocation.
- Apply (threat modeling) -- Build a STRIDE threat model for a student-chosen system: data flow diagram, trust boundaries, threat enumeration per STRIDE category, proposed mitigations. (Lab 6.)
- Apply (web vulns) -- Walk through OWASP Juice Shop completing at least 12 challenges across the Top-10 categories; document each technique and the underlying vulnerability class. (Lab 7.)
- Analyze (CVE reading) -- Given a CVE record, identify the vulnerable component, affected versions, CVSS v3.1 base-score breakdown (Attack Vector / Complexity / Privileges Required / User Interaction / Scope / CIA impacts), and proof-of-concept availability; cross-reference NVD, MITRE, and one independent advisory. (Lab 8.)
- Evaluate (ethics) -- Articulate in writing the legal and ethical boundary between authorized security research and unauthorized access; cite CFAA, two real bug-bounty safe-harbour statements, and the CVD process per ISO/IEC 29147 + 30111. (Deliverable D3.)
- Create (capstone) -- Reconstruct a significant historical CVE in a 5-8 page report pitched at the educated non-specialist level, covering technical detail, timeline, disclosure handling, and "what would we do differently." (Lab 9, capstone.)
Course shape table
| Week | Theme | Topic-specific lab | picoCTF challenge family |
|---|---|---|---|
| 1 | Security mindset | Lab 1: CIA triad worksheet | General Skills (orientation) |
| 2 | Threat modeling I | Lab 2: STRIDE sketch | General Skills + intro Forensics |
| 3 | Threat modeling II | Lab 6: Full STRIDE model with diagram | Forensics (file metadata) |
| 4 | Cryptography I | Lab 3: Crypto warm-up | Cryptography (encoding + ciphers) |
| 5 | Cryptography II | Lab 4: Hash cracking | Cryptography (hashing + XOR) |
| 6 | Authentication and authorization | Lab 5: Broken-auth on Juice Shop | Web Exploitation I (cookies) |
| 7 | OWASP Top 10 I | Lab walk: sqlmap demo (ungraded) | Web Exploitation II (injection) |
| 8 | OWASP Top 10 II | Lab walk: XSS on Juice Shop (ungraded) | Web Exploitation III (XSS) |
| 9 | OWASP Top 10 III | Lab 7: Juice Shop walkthrough | Web Exploitation IV (advanced) |
| 10 | Blue-team operations | (picoCTF + MITRE ATT&CK exercise) | Forensics + Binary Exploitation intro |
| 11 | CVD I | Lab 8: CVE-record-walk | Binary Exploitation I |
| 12 | CVD II | Deliverable D3: ethics reflection | Multi-category challenge set |
| 13 | Capstone scoping | Capstone outline + sign-off | Student choice |
| 14 | Capstone delivery | Lab 9 due | Challenge review / reflection |
Anchor readings
SEC-101 does not have a single foundational anchor in the way CSA-101 has Petzold. Three cross-track reading threads run through the course:
RE-track cross-cut (practitioner narrative)
Jon Erickson, Hacking: The Art of Exploitation, 2nd ed. (No Starch Press, 2008; ISBN 978-1-59327-144-2)
SEC-101 introduces vulnerability classes (injection, memory corruption, deserialization) as named OWASP categories. Erickson explains the mechanism underneath the name. The buffer overflow is not a category label; it is a specific consequence of a specific memory layout. This book is the bridge reading between the OWASP category vocabulary SEC-101 teaches and the assembly-level detail RE-011 + RE-101 work through. Students should begin reading it between SEC-101 and RE-011.
Denis Yurichev, Reverse Engineering for Beginners (beginners.re; free CC-BY-SA 4.0). Companion reference for the vulnerability-class vocabulary at the instruction level. Students who begin reading during SEC-101 arrive at RE-011 with a head start.
AI-ML-track cross-cut (threat taxonomy)
OWASP Top 10 for Large Language Model Applications (owasp.org; updated annually). Applies the same threat-categorization discipline SEC-101 teaches for classical web applications to LLM-based systems. LLM01 (Prompt Injection) maps structurally onto SEC-101's injection module; LLM02 (Insecure Output Handling) maps onto the deserialization concept.
OWASP Top 10 for Agentic AI Applications (ASI Top 10) (owasp.org; 2025 release). Extends the LLM taxonomy to multi-step, tool-calling agentic systems. Forward pointer to ADV-102.
Supplementary reference
- OWASP Testing Guide v4.2 (free; owasp.org) -- the web-app testing reference underlying Lab 7 and the PEN-101 methodology.
- CERT/CC CVD Guide (free; cert.org) + ISO/IEC 29147 -- the coordinated-disclosure standards for Weeks 11-12 and the capstone report.
- MITRE ATT&CK Framework (free; attack.mitre.org) -- the adversary-behavior reference introduced in Week 10.
Per-week time budget
| Week | Lecture | Lab | picoCTF spine | Other indep | Total |
|---|---|---|---|---|---|
| 1 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 2 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 3 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 4 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 5 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 6 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 7 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 8 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 9 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 10 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 11 | 1.5 hr | 1.5 hr | 3 hr | 1.5 hr | 7.5 hr |
| 12 | 1.5 hr | 1.5 hr (D3) | 3 hr | 1.5 hr | 7.5 hr |
| 13 | 1.5 hr | 1.5 hr | 3 hr | 3 hr | 9 hr |
| 14 | 0.5 hr | 3 hr (capstone) | 1 hr | 3 hr | 7.5 hr |
| Total | ~20 hr | ~22 hr | ~41 hr | ~23 hr | ~106 hr |
Public page target: ~116 hr total (includes ~42 hr picoCTF spine + capstone). Capstone week adds ~10 hr across Weeks 13-14 for the report research and writing.
Lab index
| Lab | Title | Week | Tool(s) |
|---|---|---|---|
| Lab 1 | CIA-triad worksheet | 1 | Browser (worksheet) |
| Lab 2 | STRIDE sketch exercise | 2 | Browser (worksheet) |
| Lab 3 | Crypto warm-up | 4 | Browser (CyberChef + picoCTF) |
| Lab 4 | Hash-and-crypto-misuse | 5 | hashcat or John the Ripper |
| Lab 5 | Broken-auth on Juice Shop | 6 | OWASP Juice Shop (Docker) |
| Lab 6 | Full STRIDE threat model | 3 | OWASP Threat Dragon (browser) |
| Lab 7 | Juice Shop OWASP walkthrough | 9 | OWASP Juice Shop + OWASP ZAP / Burp |
| Lab 8 | CVE-record-walk | 11 | Browser (NVD, MITRE, FIRST.org CVSS) |
| Lab 9 | Capstone: historical CVE report | 13-14 | Browser + research + writing |
SEC-101-OUTLINE.md v0.1.