SEC-101 Week 14: Capstone Delivery

Lab 9 due. Capstone report submitted. Course close. Forward pointers to PEN-101, RE-011, RE-101, ADV-101, ADV-102, WIR-101.


Reading

No new reading this week. Any remaining reading is for capstone research and revision.


Lecture outline (~30 min)

Course close: from security-aware programmer to practitioner-with-vocabulary (30 min)

SEC-101's closing message, delivered in lecture and built into the capstone deliverable, is the transition the course marks.

What you had when you arrived: You could read a packet capture, write a Python script, and work at a bash shell. You were a programmer-with-some-security-awareness. Security was something that happened to systems you built; the adversarial framing was background texture.

What you have now:

  • A vocabulary: CIA triad, STRIDE, OWASP Top 10, MITRE ATT&CK, CVSS, CWE, CVE, CNA, CVD, TLS, JNDI, IDOR, XSS, XXE, SQLi, SSTI, bcrypt, argon2, WebAuthn, TOTP, SIEM, CFAA, NIS2. These are the terms every downstream Virtus course assumes you know. You can read a threat-intelligence report, a vendor advisory, a CVE record, and a bug-bounty scope statement without a glossary.

  • A mental model: you know to ask "what could go wrong for whom under what assumptions?" before asking "what tool do I run?" Threat modeling is how you approach unfamiliar systems; STRIDE is the checklist that keeps you from missing categories.

  • A disciplinary grounding: you know the legal line (CFAA, authorization), the professional line (CVD, codes of conduct), and the ethical line (Canon 1: society's welfare first). Every offensive course downstream operates within these constraints. Students who skip this framing arrive at PEN-101 unprepared.

The transition: You stop being a programmer-with-some-security-awareness and start being a practitioner-with-formal-vocabulary. The vocabulary is the entry ticket to the rest of the field.


Lab: Capstone delivery (graded)

Lab 9: Historical-CVE explainer report

See labs/lab-9-capstone.md and CAPSTONE.md for the full specification.

Submission:

Push your capstone repository to GitHub or GitLab. The repository contains:

  • report.md: the 5-8 page report.
  • timeline-diagram.png or timeline-diagram.svg: the disclosure timeline diagram.
  • At least 3 commits in the git history.

Email the repository URL to interested@virtuscyberacademy.org with the subject "SEC-101 capstone, [your name]". The course team replies within 7 days with the grade and brief feedback.


Forward pointers

After SEC-101, the pipeline's offensive and RE tracks open up. Each requires SEC-101 as a prerequisite; each extends a specific part of what SEC-101 introduced.

VCA-PEN-101: Intro to Penetration Testing

PEN-101 is where the threat model becomes the engagement scope. The OWASP Top 10 fluency you built in Weeks 7-9 becomes the web-app pentest playbook. The CVD discipline from Weeks 11-12 becomes the engagement reporting standard. PEN-101 introduces nmap, Metasploit, Burp Suite Pro, and the full penetration-testing methodology. The ethical foundation from SEC-101 is assumed; PEN-101 does not re-teach it.

Skill transfer: OWASP Top 10 -> web-app pentest playbook; STRIDE -> engagement scope; CVD -> engagement report.

VCA-RE-011: Intro to Reverse Engineering

RE-011 takes the vulnerability-class vocabulary SEC-101 introduced (buffer overflow, format string, use-after-free) and traces it through assembly code. Erickson's Hacking: The Art of Exploitation is the bridge reading between SEC-101 and RE-011. Students who read it between the two courses arrive prepared.

Skill transfer: vulnerability-class vocabulary -> assembly-level analysis; CVE record reading -> identifying the vulnerable code.

VCA-RE-101: Reverse Engineering of Embedded Systems

RE-101 applies CVE-reading discipline to embedded firmware. The SB6141 cable modem is the lab target. The CVE-record-walk skill from Lab 8 is the research workflow RE-101 uses to select vulnerability candidates for firmware analysis.

Skill transfer: Lab 8 CVE-walk discipline -> SB6141 firmware vulnerability selection.

VCA-ADV-101: Adversarial Techniques

ADV-101 is CVE-reproduction work: given a published vulnerability, reproduce the exploit in a controlled environment and build a detection. SEC-101's CVE-walk literacy is the table-stakes entry skill. The Log4Shell case study from Week 9 is the structural pattern ADV-101 applies at greater depth.

Skill transfer: CVSS v3.1 scoring -> severity triage; CVE reading -> reproduction target selection.

VCA-ADV-102: LLM-CVE Variant

ADV-102 applies the CVE-reproduction methodology to LLM and agentic security vulnerabilities. The OWASP LLM Top 10 and OWASP ASI Top 10 forward pointers from SEC-101's Week 1 readings become the working analytical vocabulary. CVE-2025-65106 (LangChain Jinja2 template injection) and CVE-2026-34971 (agentic sandbox escape) are the first-semester lab targets.

Skill transfer: OWASP Top 10 framing -> OWASP LLM Top 10 + ASI Top 10 analysis; SEC-101 injection vocabulary -> prompt injection attack class.

VCA-WIR-101: Wireless Penetration Testing

WIR-101 applies STRIDE threat modeling and CVE-record reading to 802.11 wireless networks. KRACK, Dragonblood, and FragAttacks are read as CVE records first; the SEC-101 CVE-walk skill applies directly. The optional advanced-extension 5G-AKA lab from the SEC-101 Lab Manifest (not part of the required course) is the entry point for the cellular security track.

Skill transfer: STRIDE categories -> 802.11 threat model; CVE-walk skill -> wireless CVE research.


Reflection prompts (final, not submitted)

  1. Look back at Lab 1, the CIA-triad worksheet on the system you chose in Week 1. With fourteen weeks of additional vocabulary, what threats did you identify in Lab 1 that you would now describe more precisely? What threats did you miss entirely that you can now name?

  2. The course's closing message says you are now a "practitioner-with-formal-vocabulary." What does the vocabulary give you that intuition alone does not? Describe one conversation you could now have with a security professional that you could not have had at the start of Week 1.

  3. Which downstream course interests you most, and why? What specific skill from SEC-101 do you think you'll rely on most in that course?


Week 14 of 14. SEC-101 complete. Next steps: VCA-PEN-101, VCA-RE-011, VCA-RE-101, VCA-ADV-101, VCA-ADV-102, or VCA-WIR-101.