# Track 00 — Foundations
The bedrock — learned by autopsying the breaches that make each fundamental matter. Every module opens on a real, public incident, has you build the actual skill (set up a lab, read a packet, use git), and ends with you explaining what failed and turning the work into a small reviewable script. Set up a safe lab, work on Linux and Windows, read the network and the web, handle data and crypto, automate with Python, and work in the open with git. Build this floor solid and everything above it gets easier.
## How this track works
This is the beginner track, so it's skill-first: the breach is the hook and the stakes, not a horror story. The recurring move, lightened for beginners:
- Predict — only where a beginner's intuition is reliably wrong (base64 is not encryption; deleting a secret in the next commit does not remove it). Those wrong guesses are the best teaching moments here.
- Do — build the actual skill against a real-shaped artifact (a real log, a real capture, a real password-dump scheme).
- Explain — say in your own words what happened and which principle or control failed.
- Own it — turn the manual steps into a small reviewable script: AI drafts → you review every line → you own it.
## What you'll be able to do
- Set up an isolated, reproducible lab and work fluently with containers.
- Operate both Linux and Windows from the command line for security tasks.
- Read network traffic, HTTP, and the encodings security data actually shows up in.
- Explain the cryptographic primitives that secure modern systems — and where they fail.
- Automate with Python, work in the open with git, and threat-model before you touch a tool.
## Modules
| # | Module | Real anchor | What you'll build / explain | OSS tools |
|---|---|---|---|---|
| 01 | Security First Principles | Equifax 2017 | a "principle autopsy" mapping each failure to CIA/AAA/defense-in-depth | — |
| 02 | Building a Safe Lab | VENOM / malware-lab discipline | an isolated lab, captured as a rebuild-from-zero script | VirtualBox, Docker |
| 03 | Docker & Containers | exposed Docker-API cryptojacking | run/build/inspect; the isolation model and its limits | docker |
| 04 | Linux for Security | Mirai 2016 / SSH brute-force | investigate a compromised host from its logs | bash, coreutils |
| 05 | Windows for Security | Emotet-style persistence | triage an intrusion from event logs, registry, services | powershell |
| 06 | Networking Fundamentals | SUNBURST DNS C2 | walk a capture; spot the beacon hiding in DNS | tcpdump, wireshark |
| 07 | Web & HTTP Fundamentals | Firesheep 2010 | sessions, cookies, and the header that stops the hijack | curl |
| 08 | Data & Encoding | base64 PowerShell malware | decode a layered blob — and learn encoding ≠ encryption | cyberchef, jq |
| 09 | Cryptography Basics | Adobe 2013 | hashing vs encryption, salt, why "encrypted" wasn't safe | openssl |
| 10 | Scripting & Automation | a real IOC list / log at scale | turn manual analysis into a reviewable Python tool | python3 |
| 11 | Version Control & Working in the Open | Toyota 2022 key leak | git history, and why deleting a secret doesn't remove it | git |
| 12 | Threat Modeling | Target 2013 | trust boundaries + STRIDE on the lab you built | — |
Anchors are real, public incidents and primary sources.
## Phases & projects
Twelve modules in three phases; each ends in a project that integrates its modules.
- Phase 1 · Lab & first principles (01–03) — Project: stand up your isolated, reproducible lab (VM + containers), captured as a rebuild-from-zero script, and threat-model it.
- Phase 2 · Hosts & networks (04–07) — Project: a scripted triage toolkit that profiles a Linux and a Windows host (users, SUID/services, logon events) and pulls the DNS + handshake from a real capture.
- Phase 3 · Data, crypto, automation & git (08–12) — Project (the capstone): a Python "foundations toolkit" repo that decodes a real artifact, checks crypto the right way, and parses a real log, committed with secret hygiene and a STRIDE model.
## Who this is for
Complete beginners and anyone solidifying fundamentals before a specialisation track. No prior security experience assumed.
## Capstone — "Prove the literacy on real artifacts"
Stand up your isolated lab and a portfolio repo, then prove the core literacy in one committed artifact:
capture and walk an HTTP exchange end to end (DNS → TCP handshake → TLS), decode a real layered encoded
blob by committed script (not just CyberChef clicks), check crypto the right way (a salted hash, not
ECB), parse a real log, and threat-model the little system you built. Deliverable: a foundations/
folder in your git repo with the capture write-up, the decode script, the crypto check, and a one-page
STRIDE model — your first portfolio piece.
The starter scaffold and acceptance checks live in
plaintext-labs/foundations/capstone/.
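The capstone asks for the layered blob to be decoded by a committed script rather than by clicking through a tool, with each encoding named in order. The following is an added example of what such a script looks like; it is not part of the track's scaffold or the project's own code. It builds its own constructed sample blob (plaintext wrapped as UTF-16LE, then gzip, then hex, then base64) and peels the layers by recognising each one from the shape of the bytes: gzip by its magic bytes, hex and base64 by alphabet and length, UTF-16LE by the alternating NUL bytes that encoded PowerShell commands show. The function names and the heuristics are this example's own choices.

```python
import base64
import binascii
import gzip
import re
from typing import List, Optional, Tuple

# Tight alphabets so plain English (spaces, punctuation) is never mistaken
# for an encoding layer.
HEX_RE = re.compile(rb"[0-9a-fA-F]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def identify(data: bytes) -> Optional[str]:
    """Guess the outermost layer from the shape of the bytes.

    Order matters: gzip is recognised by its magic bytes; hex is tested before
    base64 because every hex string is also a valid base64-alphabet string;
    UTF-16LE is tested last because it only makes sense on raw bytes.
    A wrong guess is harmless: peel() raises and decode_layers() stops.
    """
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    compact = data.strip().replace(b"\r", b"").replace(b"\n", b"")
    if len(compact) >= 2 and len(compact) % 2 == 0 and HEX_RE.fullmatch(compact):
        return "hex"
    if len(compact) >= 4 and len(compact) % 4 == 0 and B64_RE.fullmatch(compact):
        return "base64"
    if (len(data) >= 4 and len(data) % 2 == 0
            and all(b == 0 for b in data[1::2])
            and all(32 <= b < 127 or b in (9, 10, 13) for b in data[0::2])):
        return "utf-16le"
    return None


def peel(data: bytes, encoding: str) -> bytes:
    """Remove one named layer; malformed input raises so a wrong guess is caught."""
    compact = data.strip().replace(b"\r", b"").replace(b"\n", b"")
    if encoding == "gzip":
        return gzip.decompress(data)
    if encoding == "hex":
        return binascii.unhexlify(compact)
    if encoding == "base64":
        return base64.b64decode(compact, validate=True)
    if encoding == "utf-16le":
        return data.decode("utf-16-le").encode("utf-8")
    raise ValueError(f"unknown encoding {encoding}")


def decode_layers(blob: bytes, max_depth: int = 10) -> Tuple[List[str], bytes]:
    """Peel layers until nothing recognisable is left.

    Returns the encodings in the order they were removed (outermost first)
    and the innermost bytes. Note that every layer here is an encoding, not
    encryption: no key was needed to get the plaintext back.
    """
    layers: List[str] = []
    data = blob
    for _ in range(max_depth):
        encoding = identify(data)
        if encoding is None:
            break
        try:
            data = peel(data, encoding)
        except (ValueError, OSError, EOFError, UnicodeDecodeError):
            break
        layers.append(encoding)
    return layers, data


# Constructed sample, not a real artifact from any incident.
SAMPLE_PLAINTEXT = b"hello from the foundations lab"


def build_sample_blob() -> bytes:
    """Wrap the plaintext as UTF-16LE (the shape base64-encoded PowerShell
    commands take), then gzip, then hex, with base64 as the outermost layer."""
    data = SAMPLE_PLAINTEXT.decode("ascii").encode("utf-16-le")
    data = gzip.compress(data)
    data = binascii.hexlify(data)
    return base64.b64encode(data)


if __name__ == "__main__":
    found, plaintext = decode_layers(build_sample_blob())
    print("layers (outermost first):", " -> ".join(found))
    print("recovered:", plaintext.decode("utf-8"))
```

Run it directly and it reports `base64 -> hex -> gzip -> utf-16le` followed by the recovered text. For a real artifact, replace `build_sample_blob()` with the bytes read from the file and commit the list of layers alongside the script; that list is the "how you recognised each layer" the rubric asks for.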
## Capstone rubric
Grade your foundations/ folder against this. Proficient is the bar to ship; exemplary is the portfolio piece.
| Dimension | Developing | Proficient | Exemplary |
|---|---|---|---|
| Packet-capture walk-through | layers conflated (DNS/TCP/TLS) | DNS, the handshake, and the TLS hello each identified by packet number and explained in your words | adds the why — SNI, cleartext-vs-encrypted after ClientHello, one security header — tied to the RFC |
| Decoding the blob | one layer peeled; tool used as a black box | all layers decoded, each encoding named in order | decoded by a committed script, with how you recognised each layer (encoding ≠ encryption) |
| Crypto checked right | uses a bare/unsalted hash, or conflates hashing & encryption | a salted hash + a verify step, with why ECB/unsalted fails (the Adobe lesson) | also verifies a cert/TLS chain and explains it |
| STRIDE model | assets only, or generic threats | one page mapping your lab's trust boundaries to STRIDE with a concrete threat each | threats ranked, each with a mitigation, referencing components you built (the Target lesson) |
| Secret & git hygiene | .pcap/keys committed, or history dirty | no captures/keys/secrets in history; .gitignore; clean commits | pre-commit secret scan wired in; commits tell the build story |
| Reproducibility | steps not written down | a reader can reproduce each result | one make/script rebuilds the lab and re-runs the decode from zero |
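The "Crypto checked right" row wants a salted hash plus a verify step, and an explanation of why a bare hash or ECB fails. This added example (this editor's code, not the track's scaffold) puts the weak and the proficient scheme side by side on a constructed set of accounts. The storage string format, the function names and the iteration count are this example's own choices. The weak scheme makes the Adobe lesson visible: when two users share a password, an unsalted hash gives them byte-identical records, exactly as ECB gives equal ciphertext blocks for equal plaintext blocks, so cracking one record cracks every user with that value. Per-user salts remove that signal, and verification recomputes the hash from the stored salt and compares it in constant time.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Work factor for PBKDF2, kept modest so the example runs quickly. It is a
# cost knob to tune upward for real use, not a recommended value.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The scheme the rubric marks 'developing': a bare hash. Every user with
    the same password gets the same digest, so one cracked value unlocks all
    of them. ECB-mode encryption leaks the same way, because equal plaintext
    blocks produce equal ciphertext blocks."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. Storage format is this example's own:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time. Any malformed record verifies as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def reused_passwords_visible(records: Dict[str, str]) -> List[List[str]]:
    """Group users whose stored values are byte-identical. With an unsalted
    hash (or ECB ciphertext) identical entries mean identical passwords; with
    per-user salts the result is empty even when passwords repeat."""
    by_value: Dict[str, List[str]] = defaultdict(list)
    for user, stored in records.items():
        by_value[stored].append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


# Constructed sample accounts; two of them share a password on purpose.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse",
                "carol": "battery staple"}


def compare_schemes(users: Dict[str, str] = SAMPLE_USERS) -> dict:
    """Store the same accounts both ways and report what each scheme reveals."""
    weak = {u: unsalted_sha256(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_reuse_groups": reused_passwords_visible(weak),
        "salted_reuse_groups": reused_passwords_visible(strong),
        "salted_verify_ok": all(verify_password(p, strong[u]) for u, p in users.items()),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Running it shows `unsalted_reuse_groups: [['alice', 'bob']]` against `salted_reuse_groups: []`, which is the one-line argument for salting. For the exemplary column, the same `verify_password` shape applies: recompute from stored parameters, never from a value the client supplies, and always compare with `hmac.compare_digest`.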
## AI & automation
Automation and AI are assumed from day one — but as accelerators, not substitutes for understanding. Use a model to explain a capture, draft a parsing script, or quiz you on a concept; then verify it against the primary source (the RFC, the man page, the breach report). The standing posture: AI drafts → you review → you own it.
## Standards & further reading
- The relevant RFCs (TCP, DNS, HTTP, TLS) and manpages — the primary sources this track curates
- MITRE ATT&CK (for the techniques behind each anchor breach)
- Breach anchors: Equifax 2017, Adobe 2013, Target 2013, SolarWinds/SUNBURST, Mirai, Firesheep, Toyota 2022