What is Cybersecurity?
Clear Explanation
What it is: What is Cybersecurity? is a core cybersecurity concept. Protect systems, networks, applications, cloud services, data, and people from unauthorized access, damage, fraud, or disruption.
Why it matters: These basics help you explain security decisions to technical teams, managers, auditors, and business users.
How to Understand / Apply It
- Define the asset or process clearly.
- Identify what could go wrong.
- Map the problem to confidentiality, integrity, availability, risk, and control concepts.
- Choose layered controls instead of depending on one protection.
- Review whether the control can be monitored and improved.
Example
Example:
Asset: Customer database
Confidentiality risk: unauthorized user reads records
Integrity risk: attacker changes account details
Availability risk: ransomware blocks access
Controls:
- MFA and least privilege
- Database backups
- Logging and alerting
- Patch management
- Incident response plan
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain What is Cybersecurity? in simple words.
- What risk does What is Cybersecurity? reduce?
- What evidence would prove this is working?
- What is one common mistake with What is Cybersecurity??
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for What is Cybersecurity?.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
CIA Triad
Clear Explanation
What it is: CIA Triad is a core cybersecurity concept. Understand confidentiality, integrity, and availability as the base model for explaining security goals.
Why it matters: These basics help you explain security decisions to technical teams, managers, auditors, and business users.
How to Understand / Apply It
- Define the asset or process clearly.
- Identify what could go wrong.
- Map the problem to confidentiality, integrity, availability, risk, and control concepts.
- Choose layered controls instead of depending on one protection.
- Review whether the control can be monitored and improved.
Example
Example:
Asset: Customer database
Confidentiality risk: unauthorized user reads records
Integrity risk: attacker changes account details
Availability risk: ransomware blocks access
Controls:
- MFA and least privilege
- Database backups
- Logging and alerting
- Patch management
- Incident response plan
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain CIA Triad in simple words.
- What risk does CIA Triad reduce?
- What evidence would prove this is working?
- What is one common mistake with CIA Triad?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for CIA Triad.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Threat, Vulnerability, Risk
Clear Explanation
What it is: Threat, Vulnerability, Risk is a core cybersecurity concept. Understand the difference between what can attack you, what weakness exists, and what business impact can happen.
Why it matters: These basics help you explain security decisions to technical teams, managers, auditors, and business users.
How to Understand / Apply It
- Define the asset or process clearly.
- Identify what could go wrong.
- Map the problem to confidentiality, integrity, availability, risk, and control concepts.
- Choose layered controls instead of depending on one protection.
- Review whether the control can be monitored and improved.
Example
Example:
Asset: Customer database
Confidentiality risk: unauthorized user reads records
Integrity risk: attacker changes account details
Availability risk: ransomware blocks access
Controls:
- MFA and least privilege
- Database backups
- Logging and alerting
- Patch management
- Incident response plan
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Threat, Vulnerability, Risk in simple words.
- What risk does Threat, Vulnerability, Risk reduce?
- What evidence would prove this is working?
- What is one common mistake with Threat, Vulnerability, Risk?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Threat, Vulnerability, Risk.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Security Controls
Clear Explanation
What it is: Security Controls is a core cybersecurity concept. Understand preventive, detective, corrective, deterrent, administrative, technical, and physical controls.
Why it matters: These basics help you explain security decisions to technical teams, managers, auditors, and business users.
How to Understand / Apply It
- Define the asset or process clearly.
- Identify what could go wrong.
- Map the problem to confidentiality, integrity, availability, risk, and control concepts.
- Choose layered controls instead of depending on one protection.
- Review whether the control can be monitored and improved.
Example
Example:
Asset: Customer database
Confidentiality risk: unauthorized user reads records
Integrity risk: attacker changes account details
Availability risk: ransomware blocks access
Controls:
- MFA and least privilege
- Database backups
- Logging and alerting
- Patch management
- Incident response plan
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Security Controls in simple words.
- What risk does Security Controls reduce?
- What evidence would prove this is working?
- What is one common mistake with Security Controls?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Security Controls.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Attack Surface
Clear Explanation
What it is: Attack Surface is a core cybersecurity concept. Identify all places where attackers could interact with systems, users, apps, APIs, networks, or cloud resources.
Why it matters: These basics help you explain security decisions to technical teams, managers, auditors, and business users.
How to Understand / Apply It
- Define the asset or process clearly.
- Identify what could go wrong.
- Map the problem to confidentiality, integrity, availability, risk, and control concepts.
- Choose layered controls instead of depending on one protection.
- Review whether the control can be monitored and improved.
Example
Example:
Asset: Customer database
Confidentiality risk: unauthorized user reads records
Integrity risk: attacker changes account details
Availability risk: ransomware blocks access
Controls:
- MFA and least privilege
- Database backups
- Logging and alerting
- Patch management
- Incident response plan
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Attack Surface in simple words.
- What risk does Attack Surface reduce?
- What evidence would prove this is working?
- What is one common mistake with Attack Surface?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Attack Surface.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Security Mindset
Clear Explanation
What it is: Security Mindset is a core cybersecurity concept. Learn how defenders think: assume failure, verify trust, reduce exposure, monitor behavior, and prepare response.
Why it matters: These basics help you explain security decisions to technical teams, managers, auditors, and business users.
How to Understand / Apply It
- Define the asset or process clearly.
- Identify what could go wrong.
- Map the problem to confidentiality, integrity, availability, risk, and control concepts.
- Choose layered controls instead of depending on one protection.
- Review whether the control can be monitored and improved.
Example
Example:
Asset: Customer database
Confidentiality risk: unauthorized user reads records
Integrity risk: attacker changes account details
Availability risk: ransomware blocks access
Controls:
- MFA and least privilege
- Database backups
- Logging and alerting
- Patch management
- Incident response plan
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Security Mindset in simple words.
- What risk does Security Mindset reduce?
- What evidence would prove this is working?
- What is one common mistake with Security Mindset?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Security Mindset.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Common Attack Lifecycle
Clear Explanation
What it is: Common Attack Lifecycle helps defenders understand attacker behavior and user-focused threats. Understand reconnaissance, initial access, execution, persistence, privilege escalation, lateral movement, exfiltration, and impact.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Common Attack Lifecycle in simple words.
- What risk does Common Attack Lifecycle reduce?
- What evidence would prove this is working?
- What is one common mistake with Common Attack Lifecycle?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Common Attack Lifecycle.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Defense in Depth
Clear Explanation
What it is: Defense in Depth is a core cybersecurity concept. Use multiple layers of protection so one failed control does not create a full breach.
Why it matters: These basics help you explain security decisions to technical teams, managers, auditors, and business users.
How to Understand / Apply It
- Define the asset or process clearly.
- Identify what could go wrong.
- Map the problem to confidentiality, integrity, availability, risk, and control concepts.
- Choose layered controls instead of depending on one protection.
- Review whether the control can be monitored and improved.
Example
Example:
Asset: Customer database
Confidentiality risk: unauthorized user reads records
Integrity risk: attacker changes account details
Availability risk: ransomware blocks access
Controls:
- MFA and least privilege
- Database backups
- Logging and alerting
- Patch management
- Incident response plan
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Defense in Depth in simple words.
- What risk does Defense in Depth reduce?
- What evidence would prove this is working?
- What is one common mistake with Defense in Depth?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Defense in Depth.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Least Privilege
Clear Explanation
What it is: Least Privilege protects users, administrators, service accounts, and application access. Grant users, applications, and services only the access they need to perform their job.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain Least Privilege in simple words.
- What risk does Least Privilege reduce?
- What evidence would prove this is working?
- What is one common mistake with Least Privilege?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Zero Trust Basics
Clear Explanation
What it is: Zero Trust Basics is a core cybersecurity concept. Never automatically trust a user, device, network, or workload; verify continuously and limit access.
Why it matters: These basics help you explain security decisions to technical teams, managers, auditors, and business users.
How to Understand / Apply It
- Define the asset or process clearly.
- Identify what could go wrong.
- Map the problem to confidentiality, integrity, availability, risk, and control concepts.
- Choose layered controls instead of depending on one protection.
- Review whether the control can be monitored and improved.
Example
Example:
Asset: Customer database
Confidentiality risk: unauthorized user reads records
Integrity risk: attacker changes account details
Availability risk: ransomware blocks access
Controls:
- MFA and least privilege
- Database backups
- Logging and alerting
- Patch management
- Incident response plan
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Zero Trust Basics in simple words.
- What risk does Zero Trust Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Zero Trust Basics?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Zero Trust Basics.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Security Roles
Clear Explanation
What it is: Security Roles turns learning into proof of practical ability. Understand SOC analyst, security engineer, penetration tester, cloud security engineer, GRC analyst, incident responder, and architect roles.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Security Roles in simple words.
- What risk does Security Roles reduce?
- What evidence would prove this is working?
- What is one common mistake with Security Roles?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Security Roles.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Cybersecurity Learning Roadmap
Clear Explanation
What it is: Cybersecurity Learning Roadmap turns learning into proof of practical ability. Follow a path from networking and OS basics to security operations, cloud, application security, incident response, and governance.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Cybersecurity Learning Roadmap in simple words.
- What risk does Cybersecurity Learning Roadmap reduce?
- What evidence would prove this is working?
- What is one common mistake with Cybersecurity Learning Roadmap?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Cybersecurity Learning Roadmap.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
OSI Model for Security
Clear Explanation
What it is: OSI Model for Security protects communication between systems. Understand security risks and controls at physical, data link, network, transport, session, presentation, and application layers.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain OSI Model for Security in simple words.
- What risk does OSI Model for Security reduce?
- What evidence would prove this is working?
- What is one common mistake with OSI Model for Security?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
TCP/IP Security Basics
Clear Explanation
What it is: TCP/IP Security Basics protects communication between systems. Understand IP, TCP, UDP, ports, sessions, and how attackers abuse open services.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain TCP/IP Security Basics in simple words.
- What risk does TCP/IP Security Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with TCP/IP Security Basics?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Ports and Services
Clear Explanation
What it is: Ports and Services protects communication between systems. Recognize common ports such as 22, 53, 80, 443, 3389 and why unnecessary open ports increase risk.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain Ports and Services in simple words.
- What risk does Ports and Services reduce?
- What evidence would prove this is working?
- What is one common mistake with Ports and Services?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
DNS Security
Clear Explanation
What it is: DNS Security protects communication between systems. Understand DNS spoofing, tunneling, malicious domains, DNS filtering, DNSSEC concepts, and logging.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain DNS Security in simple words.
- What risk does DNS Security reduce?
- What evidence would prove this is working?
- What is one common mistake with DNS Security?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
DHCP and ARP Risks
Clear Explanation
What it is: DHCP and ARP Risks protects communication between systems. Understand rogue DHCP, ARP spoofing, and local network attacks.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain DHCP and ARP Risks in simple words.
- What risk does DHCP and ARP Risks reduce?
- What evidence would prove this is working?
- What is one common mistake with DHCP and ARP Risks?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Firewalls
Clear Explanation
What it is: Firewalls protects communication between systems. Control inbound and outbound traffic using source, destination, port, protocol, and application context.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain Firewalls in simple words.
- What risk does Firewalls reduce?
- What evidence would prove this is working?
- What is one common mistake with Firewalls?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Next-Generation Firewalls
Clear Explanation
What it is: Next-Generation Firewalls protects communication between systems. Understand application-aware filtering, IPS, URL filtering, threat intelligence, and identity-based rules.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain Next-Generation Firewalls in simple words.
- What risk does Next-Generation Firewalls reduce?
- What evidence would prove this is working?
- What is one common mistake with Next-Generation Firewalls?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Network Segmentation
Clear Explanation
What it is: Network Segmentation protects communication between systems. Separate systems into zones so compromise in one area does not expose the whole network.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain Network Segmentation in simple words.
- What risk does Network Segmentation reduce?
- What evidence would prove this is working?
- What is one common mistake with Network Segmentation?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
VLAN Security
Clear Explanation
What it is: VLAN Security protects communication between systems. Use VLANs to separate broadcast domains while still enforcing routing and firewall controls.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain VLAN Security in simple words.
- What risk does VLAN Security reduce?
- What evidence would prove this is working?
- What is one common mistake with VLAN Security?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
VPN Security
Clear Explanation
What it is: VPN Security protects communication between systems. Secure remote access using encrypted tunnels, strong authentication, device checks, and limited access.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain VPN Security in simple words.
- What risk does VPN Security reduce?
- What evidence would prove this is working?
- What is one common mistake with VPN Security?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for VPN Security.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
IDS and IPS
Clear Explanation
What it is: IDS and IPS protects communication between systems. Detect or block suspicious traffic using signatures, anomaly detection, and tuned rules.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain IDS and IPS in simple words.
- What risk does IDS and IPS reduce?
- What evidence would prove this is working?
- What is one common mistake with IDS and IPS?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Packet Capture Basics
Clear Explanation
What it is: Packet Capture Basics protects communication between systems. Use packet captures to inspect network behavior, confirm alerts, and troubleshoot suspicious activity.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain Packet Capture Basics in simple words.
- What risk does Packet Capture Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Packet Capture Basics?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Wireshark Basics
Clear Explanation
What it is: Wireshark Basics protects communication between systems. Analyze protocols, conversations, DNS queries, TCP handshakes, TLS metadata, and suspicious traffic patterns.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain Wireshark Basics in simple words.
- What risk does Wireshark Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Wireshark Basics?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Network Hardening
Clear Explanation
What it is: Network Hardening protects communication between systems. Disable unnecessary services, restrict management access, log network events, and patch network devices.
Why it matters: Most attacks rely on network access at some point. Good network security reduces exposure, limits movement, and gives defenders useful evidence.
How to Understand / Apply It
- Identify required traffic: source, destination, port, protocol, and business purpose.
- Block unnecessary inbound and outbound traffic.
- Segment sensitive systems away from general user networks.
- Log firewall, DNS, VPN, proxy, and network detection events.
- Review alerts and packet evidence during investigations.
Example
Safe network review example:
Goal: Verify only required ports are open.
Steps:
1. Review firewall rules.
2. Confirm business owner for each allowed service.
3. Remove unused rules.
4. Check VPN access groups.
5. Review DNS/firewall logs for unusual destinations.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Leaving management ports open to the internet.
- Allowing broad rules without business justification.
- Creating VLANs but not enforcing firewall rules.
- Not logging DNS, VPN, and firewall activity.
- Assuming encryption means traffic is automatically safe.
Interview Questions
- Explain Network Hardening in simple words.
- What risk does Network Hardening reduce?
- What evidence would prove this is working?
- What is one common mistake with Network Hardening?
- Which logs would you check first?
- How would you separate normal traffic from suspicious traffic?
Hands-on Practice
- Draw a small network diagram.
- List allowed ports and business purpose.
- Write three suspicious traffic examples and investigation steps.
- Create a firewall review checklist.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Linux Security Basics
Clear Explanation
What it is: Linux Security Basics protects laptops, servers, and workstations. Understand Linux users, groups, permissions, sudo, services, logs, SSH, and package updates.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain Linux Security Basics in simple words.
- What risk does Linux Security Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Linux Security Basics?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Linux File Permissions
Clear Explanation
What it is: Linux File Permissions protects laptops, servers, and workstations. Read and set owner, group, permission bits, and secure sensitive files.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain Linux File Permissions in simple words.
- What risk does Linux File Permissions reduce?
- What evidence would prove this is working?
- What is one common mistake with Linux File Permissions?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Linux Logs
Clear Explanation
What it is: Linux Logs means: Review auth logs, system logs, service logs, and audit logs for security events.
Why it matters: It matters because weak security design, missing controls, poor monitoring, or unclear ownership can turn a small weakness into a business incident.
How to Understand / Apply It
- Identify the asset, data, user, network, app, or cloud service being protected.
- Identify likely threats and weaknesses.
- Choose controls that reduce risk without breaking business operations.
- Collect logs or evidence so the control can be tested.
- Document owner, frequency, exceptions, and response steps.
Example
Example: If remote access is required, use MFA, device checks, least privilege, logging, and clear offboarding instead of simply opening a public port.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Linux Logs in simple words.
- What risk does Linux Logs reduce?
- What evidence would prove this is working?
- What is one common mistake with Linux Logs?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Linux Logs.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
SSH Hardening
Clear Explanation
What it is: SSH Hardening protects laptops, servers, and workstations. Secure SSH using key-based login, disabled root login, limited users, and logging.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain SSH Hardening in simple words.
- What risk does SSH Hardening reduce?
- What evidence would prove this is working?
- What is one common mistake with SSH Hardening?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Linux Firewall
Clear Explanation
What it is: Linux Firewall protects laptops, servers, and workstations. Use host firewall rules to restrict inbound and outbound traffic.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain Linux Firewall in simple words.
- What risk does Linux Firewall reduce?
- What evidence would prove this is working?
- What is one common mistake with Linux Firewall?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Windows Security Basics
Clear Explanation
What it is: Windows Security Basics protects laptops, servers, and workstations. Understand users, groups, services, registry, event logs, Defender, firewall, and update management.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain Windows Security Basics in simple words.
- What risk does Windows Security Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Windows Security Basics?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Windows Event Logs
Clear Explanation
What it is: Windows Event Logs means: Review Security, System, Application, PowerShell, and Defender logs for suspicious activity.
Why it matters: It matters because weak security design, missing controls, poor monitoring, or unclear ownership can turn a small weakness into a business incident.
How to Understand / Apply It
- Identify the asset, data, user, network, app, or cloud service being protected.
- Identify likely threats and weaknesses.
- Choose controls that reduce risk without breaking business operations.
- Collect logs or evidence so the control can be tested.
- Document owner, frequency, exceptions, and response steps.
Example
Example: If remote access is required, use MFA, device checks, least privilege, logging, and clear offboarding instead of simply opening a public port.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Windows Event Logs in simple words.
- What risk does Windows Event Logs reduce?
- What evidence would prove this is working?
- What is one common mistake with Windows Event Logs?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Windows Event Logs.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Active Directory Basics
Clear Explanation
What it is: Active Directory Basics protects users, administrators, service accounts, and application access. Understand domains, domain controllers, users, groups, computers, Kerberos, LDAP, and Group Policy.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain Active Directory Basics in simple words.
- What risk does Active Directory Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Active Directory Basics?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Group Policy Security
Clear Explanation
What it is: Group Policy Security protects laptops, servers, and workstations. Use Group Policy to enforce password policy, audit policy, firewall settings, software restrictions, and endpoint controls.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain Group Policy Security in simple words.
- What risk does Group Policy Security reduce?
- What evidence would prove this is working?
- What is one common mistake with Group Policy Security?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Endpoint Detection and Response
Clear Explanation
What it is: Endpoint Detection and Response protects laptops, servers, and workstations. Use EDR tools to detect malicious behavior, isolate endpoints, collect evidence, and support investigation.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain Endpoint Detection and Response in simple words.
- What risk does Endpoint Detection and Response reduce?
- What evidence would prove this is working?
- What is one common mistake with Endpoint Detection and Response?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Patch Management
Clear Explanation
What it is: Patch Management protects laptops, servers, and workstations. Keep operating systems, applications, libraries, and firmware updated to reduce exploitable weaknesses.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain Patch Management in simple words.
- What risk does Patch Management reduce?
- What evidence would prove this is working?
- What is one common mistake with Patch Management?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Secure Configuration Baselines
Clear Explanation
What it is: Secure Configuration Baselines protects laptops, servers, and workstations. Use standard secure baselines so servers, endpoints, and cloud resources are configured consistently.
Why it matters: Endpoints are where users work and where many attacks start. Hardening, patching, logging, and EDR reduce compromise and improve response.
How to Understand / Apply It
- Apply secure configuration baselines.
- Patch operating systems and applications.
- Restrict admin rights and remote access.
- Enable host firewall, antivirus/EDR, and logging.
- Review suspicious processes, services, accounts, and login activity.
Example
Endpoint hardening checklist:
- OS patched
- Local admin access limited
- Disk encryption enabled
- Host firewall enabled
- EDR/antivirus active
- Unused services disabled
- Logs forwarded to monitoring
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Giving users local admin access by default.
- Delaying critical patches without a documented exception.
- Not forwarding important logs to central monitoring.
- Installing EDR but not tuning response.
- Hardening manually without a repeatable baseline.
Interview Questions
- Explain Secure Configuration Baselines in simple words.
- What risk does Secure Configuration Baselines reduce?
- What evidence would prove this is working?
- What is one common mistake with Secure Configuration Baselines?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a secure workstation/server checklist.
- Identify five useful logs.
- Write patch review steps.
- Document before/after hardening evidence.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Authentication vs Authorization
Clear Explanation
What it is: Authentication vs Authorization protects users, administrators, service accounts, and application access. Understand proving who you are versus what you are allowed to do.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain Authentication vs Authorization in simple words.
- What risk does Authentication vs Authorization reduce?
- What evidence would prove this is working?
- What is one common mistake with Authentication vs Authorization?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Password Security
Clear Explanation
What it is: Password Security protects users, administrators, service accounts, and application access. Use strong password policies, password managers, breach checks, and user education.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain Password Security in simple words.
- What risk does Password Security reduce?
- What evidence would prove this is working?
- What is one common mistake with Password Security?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Multi-Factor Authentication
Clear Explanation
What it is: Multi-Factor Authentication protects users, administrators, service accounts, and application access. Add another verification factor to reduce risk from stolen passwords.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain Multi-Factor Authentication in simple words.
- What risk does Multi-Factor Authentication reduce?
- What evidence would prove this is working?
- What is one common mistake with Multi-Factor Authentication?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Single Sign-On
Clear Explanation
What it is: Single Sign-On protects users, administrators, service accounts, and application access. Use centralized login with SAML, OAuth, or OIDC patterns to reduce password sprawl.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain Single Sign-On in simple words.
- What risk does Single Sign-On reduce?
- What evidence would prove this is working?
- What is one common mistake with Single Sign-On?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
OAuth Basics
Clear Explanation
What it is: OAuth Basics protects users, administrators, service accounts, and application access. Understand delegated authorization, scopes, tokens, consent, and application access.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain OAuth Basics in simple words.
- What risk does OAuth Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with OAuth Basics?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
SAML Basics
Clear Explanation
What it is: SAML Basics protects users, administrators, service accounts, and application access. Understand enterprise web SSO using identity provider, service provider, assertions, and certificates.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain SAML Basics in simple words.
- What risk does SAML Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with SAML Basics?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Privileged Access Management
Clear Explanation
What it is: Privileged Access Management protects users, administrators, service accounts, and application access. Control administrator accounts with approval, vaulting, rotation, session recording, and just-in-time access.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain Privileged Access Management in simple words.
- What risk does Privileged Access Management reduce?
- What evidence would prove this is working?
- What is one common mistake with Privileged Access Management?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Service Account Security
Clear Explanation
What it is: Service Account Security protects users, administrators, service accounts, and application access. Secure non-human accounts with least privilege, rotation, monitoring, and ownership.
Why it matters: Identity is often the main attack path. Stolen credentials can bypass network defenses unless MFA, least privilege, monitoring, and access reviews are in place.
How to Understand / Apply It
- Inventory users, administrators, service accounts, groups, and applications.
- Require MFA for sensitive access.
- Use least privilege and role-based access.
- Rotate or remove unused accounts and secrets.
- Monitor failed logins, impossible travel, privilege changes, and unusual token use.
Example
Identity review example:
User: contractor@example.com
Checks:
- Is the account still needed?
- Is MFA enabled?
- Which groups provide access?
- Does access match the contract role?
- When was last login?
Action:
- Remove unnecessary groups
- Set review date
- Disable account after contract end
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using shared admin accounts.
- Not enforcing MFA for privileged access.
- Leaving inactive users or service accounts enabled.
- Granting broad access through large groups.
- Not reviewing access after role changes.
Interview Questions
- Explain Service Account Security in simple words.
- What risk does Service Account Security reduce?
- What evidence would prove this is working?
- What is one common mistake with Service Account Security?
- How would you apply least privilege?
- How would you investigate a suspicious login?
Hands-on Practice
- Create an access review table for five users.
- Identify which accounts need MFA.
- Write a service account ownership checklist.
- Document removal steps for a terminated user.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Access Reviews
Clear Explanation
What it is: Access Reviews connects security work to business accountability, policies, controls, audits, and risk decisions. Periodically verify that user and service access is still required and appropriate.
Why it matters: Security programs need governance so risks are visible, owners are assigned, and controls are tested instead of assumed.
How to Understand / Apply It
- Define policy or control requirement.
- Map assets, owners, risks, and applicable obligations.
- Collect evidence that the control exists and works.
- Track exceptions and remediation plans.
- Report risk to the right decision-makers.
Example
Risk register example:
Risk: Public exposure of sensitive cloud storage
Likelihood: Medium
Impact: High
Controls:
- Block public access
- IAM review
- Encryption
- Cloud monitoring
Treatment: Mitigate
Owner: Cloud platform team
Review: Monthly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Writing policies nobody follows.
- Collecting evidence only during audits.
- Accepting risk without owner approval.
- Treating compliance as the same thing as security.
- Not tracking remediation owners and dates.
Interview Questions
- Explain Access Reviews in simple words.
- What risk does Access Reviews reduce?
- What evidence would prove this is working?
- What is one common mistake with Access Reviews?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Access Reviews.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Identity Attack Techniques
Clear Explanation
What it is: Identity Attack Techniques helps defenders understand attacker behavior and user-focused threats. Understand credential theft, phishing, password spraying, token theft, privilege escalation, and lateral movement.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Identity Attack Techniques in simple words.
- What risk does Identity Attack Techniques reduce?
- What evidence would prove this is working?
- What is one common mistake with Identity Attack Techniques?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Identity Attack Techniques.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Cryptography Basics
Clear Explanation
What it is: Cryptography Basics protects sensitive information and business continuity. Understand encryption, hashing, keys, certificates, digital signatures, and secure protocols.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Cryptography Basics in simple words.
- What risk does Cryptography Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Cryptography Basics?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Cryptography Basics.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Symmetric Encryption
Clear Explanation
What it is: Symmetric Encryption protects sensitive information and business continuity. Use one shared key for encryption and decryption, commonly for fast bulk data protection.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Symmetric Encryption in simple words.
- What risk does Symmetric Encryption reduce?
- What evidence would prove this is working?
- What is one common mistake with Symmetric Encryption?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Symmetric Encryption.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Asymmetric Encryption
Clear Explanation
What it is: Asymmetric Encryption protects sensitive information and business continuity. Use public/private key pairs for secure exchange, signatures, and certificates.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Asymmetric Encryption in simple words.
- What risk does Asymmetric Encryption reduce?
- What evidence would prove this is working?
- What is one common mistake with Asymmetric Encryption?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Asymmetric Encryption.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Hashing
Clear Explanation
What it is: Hashing protects sensitive information and business continuity. Use one-way hashing to verify integrity and store password representations safely with salts.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Hashing in simple words.
- What risk does Hashing reduce?
- What evidence would prove this is working?
- What is one common mistake with Hashing?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Hashing.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Digital Signatures
Clear Explanation
What it is: Digital Signatures protects sensitive information and business continuity. Verify authenticity and integrity using private signing keys and public verification keys.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Digital Signatures in simple words.
- What risk does Digital Signatures reduce?
- What evidence would prove this is working?
- What is one common mistake with Digital Signatures?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Digital Signatures.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
TLS and HTTPS
Clear Explanation
What it is: TLS and HTTPS protects sensitive information and business continuity. Protect data in transit using certificates, negotiation, encryption, and integrity checks.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain TLS and HTTPS in simple words.
- What risk does TLS and HTTPS reduce?
- What evidence would prove this is working?
- What is one common mistake with TLS and HTTPS?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for TLS and HTTPS.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Certificate Management
Clear Explanation
What it is: Certificate Management protects sensitive information and business continuity. Manage certificate issuance, renewal, trust chains, expiration, and private key protection.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Certificate Management in simple words.
- What risk does Certificate Management reduce?
- What evidence would prove this is working?
- What is one common mistake with Certificate Management?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Certificate Management.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Data Classification
Clear Explanation
What it is: Data Classification protects sensitive information and business continuity. Classify data by sensitivity so controls match business and regulatory impact.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Data Classification in simple words.
- What risk does Data Classification reduce?
- What evidence would prove this is working?
- What is one common mistake with Data Classification?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Data Classification.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Data Loss Prevention
Clear Explanation
What it is: Data Loss Prevention protects sensitive information and business continuity. Detect or block sensitive data leaving approved locations through email, web, endpoint, or cloud channels.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Data Loss Prevention in simple words.
- What risk does Data Loss Prevention reduce?
- What evidence would prove this is working?
- What is one common mistake with Data Loss Prevention?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Data Loss Prevention.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Backup and Recovery
Clear Explanation
What it is: Backup and Recovery protects sensitive information and business continuity. Protect data and operations with tested backups, restore procedures, and recovery objectives.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Backup and Recovery in simple words.
- What risk does Backup and Recovery reduce?
- What evidence would prove this is working?
- What is one common mistake with Backup and Recovery?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Backup and Recovery.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Web Security Basics
Clear Explanation
What it is: Web Security Basics protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Understand how browsers, servers, sessions, cookies, forms, APIs, and databases interact.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Web Security Basics in simple words.
- What risk does Web Security Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Web Security Basics?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
OWASP Top 10 Overview
Clear Explanation
What it is: OWASP Top 10 Overview protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Use common web application risk categories to guide secure design and testing.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain OWASP Top 10 Overview in simple words.
- What risk does OWASP Top 10 Overview reduce?
- What evidence would prove this is working?
- What is one common mistake with OWASP Top 10 Overview?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Injection Attacks
Clear Explanation
What it is: Injection Attacks protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Understand SQL injection, command injection, LDAP injection, and how input reaches interpreters.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Injection Attacks in simple words.
- What risk does Injection Attacks reduce?
- What evidence would prove this is working?
- What is one common mistake with Injection Attacks?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Cross-Site Scripting
Clear Explanation
What it is: Cross-Site Scripting protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Understand reflected, stored, and DOM XSS and how output encoding and sanitization reduce risk.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Cross-Site Scripting in simple words.
- What risk does Cross-Site Scripting reduce?
- What evidence would prove this is working?
- What is one common mistake with Cross-Site Scripting?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Broken Authentication
Clear Explanation
What it is: Broken Authentication protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Identify weak login, session, reset, token, and credential handling patterns.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Broken Authentication in simple words.
- What risk does Broken Authentication reduce?
- What evidence would prove this is working?
- What is one common mistake with Broken Authentication?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Broken Access Control
Clear Explanation
What it is: Broken Access Control protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Prevent users from accessing records, functions, APIs, or files they are not allowed to use.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Broken Access Control in simple words.
- What risk does Broken Access Control reduce?
- What evidence would prove this is working?
- What is one common mistake with Broken Access Control?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Security Misconfiguration
Clear Explanation
What it is: Security Misconfiguration protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Avoid insecure defaults, exposed admin panels, verbose errors, weak headers, and unnecessary services.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Security Misconfiguration in simple words.
- What risk does Security Misconfiguration reduce?
- What evidence would prove this is working?
- What is one common mistake with Security Misconfiguration?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Vulnerable Components
Clear Explanation
What it is: Vulnerable Components protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Manage dependency risk from outdated libraries, frameworks, containers, and plugins.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Vulnerable Components in simple words.
- What risk does Vulnerable Components reduce?
- What evidence would prove this is working?
- What is one common mistake with Vulnerable Components?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
API Security Basics
Clear Explanation
What it is: API Security Basics protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Protect APIs using authentication, authorization, input validation, rate limiting, logging, and schema validation.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain API Security Basics in simple words.
- What risk does API Security Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with API Security Basics?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
JWT Security
Clear Explanation
What it is: JWT Security protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Handle JSON Web Tokens safely, including signing, validation, expiration, issuer, audience, and key rotation.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain JWT Security in simple words.
- What risk does JWT Security reduce?
- What evidence would prove this is working?
- What is one common mistake with JWT Security?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Secure SDLC
Clear Explanation
What it is: Secure SDLC protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Add security into requirements, design, coding, testing, release, and maintenance.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Secure SDLC in simple words.
- What risk does Secure SDLC reduce?
- What evidence would prove this is working?
- What is one common mistake with Secure SDLC?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Threat Modeling
Clear Explanation
What it is: Threat Modeling protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Identify threats early by mapping assets, trust boundaries, data flows, attackers, and mitigations.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Threat Modeling in simple words.
- What risk does Threat Modeling reduce?
- What evidence would prove this is working?
- What is one common mistake with Threat Modeling?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Secure Code Review
Clear Explanation
What it is: Secure Code Review protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Review code for authorization, validation, secrets, crypto use, error handling, and business logic flaws.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain Secure Code Review in simple words.
- What risk does Secure Code Review reduce?
- What evidence would prove this is working?
- What is one common mistake with Secure Code Review?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
SAST DAST and SCA
Clear Explanation
What it is: SAST DAST and SCA protects software and APIs from design, coding, authentication, authorization, and data-handling weaknesses. Use static analysis, dynamic testing, and software composition analysis to find application risks.
Why it matters: Applications are exposed to users and attackers. A single broken access control or injection bug can expose sensitive records or allow system takeover.
How to Understand / Apply It
- Map users, roles, data flows, trust boundaries, and entry points.
- Validate input and encode output.
- Enforce authentication and authorization on the server side.
- Use secure session, token, and error handling.
- Test with code review, SAST, DAST, SCA, and manual abuse cases.
Example
Secure API checklist:
Endpoint: GET /customers/{id}
Controls:
- User must be authenticated
- User can access only assigned customer records
- id parameter is validated
- Response excludes sensitive fields
- Rate limiting is enabled
- Access is logged
- Tests cover unauthorized access
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Checking authorization only in the UI.
- Trusting user input without validation.
- Returning sensitive fields in API responses.
- Using verbose errors that reveal system details.
- Ignoring dependency vulnerabilities.
Interview Questions
- Explain SAST DAST and SCA in simple words.
- What risk does SAST DAST and SCA reduce?
- What evidence would prove this is working?
- What is one common mistake with SAST DAST and SCA?
- How would you test authorization safely?
- How would you explain the issue to a developer?
Hands-on Practice
- Use a safe training app or local demo app.
- Write expected roles and access rules.
- Document one safe test for broken access control.
- Write remediation guidance for developers.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Cloud Security Basics
Clear Explanation
What it is: Cloud Security Basics protects cloud resources, identities, networks, data, and services. Understand shared responsibility, identity, network controls, encryption, logging, and configuration management in cloud.
Why it matters: Cloud incidents often come from misconfiguration, excessive permissions, exposed storage, weak logging, or public network exposure.
How to Understand / Apply It
- Apply least privilege IAM.
- Keep storage private unless public access is required and approved.
- Use encryption, key management, and logging.
- Restrict network exposure using security groups, NACLs, private subnets, and endpoints.
- Continuously monitor configuration drift and suspicious activity.
Example
Cloud baseline example:
- MFA for administrators
- No public storage by default
- Cloud audit logs enabled
- Security findings reviewed
- Encryption enabled for sensitive data
- Network access restricted
- IAM policies reviewed quarterly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Public storage by mistake.
- Overly broad IAM permissions.
- Missing audit logs or short log retention.
- Exposing SSH/RDP to the internet.
- No alerting for risky configuration changes.
Interview Questions
- Explain Cloud Security Basics in simple words.
- What risk does Cloud Security Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Cloud Security Basics?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
AWS Security Basics
Clear Explanation
What it is: AWS Security Basics protects cloud resources, identities, networks, data, and services. Understand IAM, VPC, Security Groups, NACLs, KMS, CloudTrail, CloudWatch, Config, GuardDuty, and S3 security.
Why it matters: Cloud incidents often come from misconfiguration, excessive permissions, exposed storage, weak logging, or public network exposure.
How to Understand / Apply It
- Apply least privilege IAM.
- Keep storage private unless public access is required and approved.
- Use encryption, key management, and logging.
- Restrict network exposure using security groups, NACLs, private subnets, and endpoints.
- Continuously monitor configuration drift and suspicious activity.
Example
Cloud baseline example:
- MFA for administrators
- No public storage by default
- Cloud audit logs enabled
- Security findings reviewed
- Encryption enabled for sensitive data
- Network access restricted
- IAM policies reviewed quarterly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Public storage by mistake.
- Overly broad IAM permissions.
- Missing audit logs or short log retention.
- Exposing SSH/RDP to the internet.
- No alerting for risky configuration changes.
Interview Questions
- Explain AWS Security Basics in simple words.
- What risk does AWS Security Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with AWS Security Basics?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
IAM Policies
Clear Explanation
What it is: IAM Policies protects cloud resources, identities, networks, data, and services. Write least-privilege permissions using actions, resources, conditions, and explicit deny logic.
Why it matters: Cloud incidents often come from misconfiguration, excessive permissions, exposed storage, weak logging, or public network exposure.
How to Understand / Apply It
- Apply least privilege IAM.
- Keep storage private unless public access is required and approved.
- Use encryption, key management, and logging.
- Restrict network exposure using security groups, NACLs, private subnets, and endpoints.
- Continuously monitor configuration drift and suspicious activity.
Example
Cloud baseline example:
- MFA for administrators
- No public storage by default
- Cloud audit logs enabled
- Security findings reviewed
- Encryption enabled for sensitive data
- Network access restricted
- IAM policies reviewed quarterly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Public storage by mistake.
- Overly broad IAM permissions.
- Missing audit logs or short log retention.
- Exposing SSH/RDP to the internet.
- No alerting for risky configuration changes.
Interview Questions
- Explain IAM Policies in simple words.
- What risk does IAM Policies reduce?
- What evidence would prove this is working?
- What is one common mistake with IAM Policies?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
S3 Security
Clear Explanation
What it is: S3 Security protects cloud resources, identities, networks, data, and services. Secure buckets with block public access, bucket policies, encryption, versioning, logging, and access review.
Why it matters: Cloud incidents often come from misconfiguration, excessive permissions, exposed storage, weak logging, or public network exposure.
How to Understand / Apply It
- Apply least privilege IAM.
- Keep storage private unless public access is required and approved.
- Use encryption, key management, and logging.
- Restrict network exposure using security groups, NACLs, private subnets, and endpoints.
- Continuously monitor configuration drift and suspicious activity.
Example
Cloud baseline example:
- MFA for administrators
- No public storage by default
- Cloud audit logs enabled
- Security findings reviewed
- Encryption enabled for sensitive data
- Network access restricted
- IAM policies reviewed quarterly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Public storage by mistake.
- Overly broad IAM permissions.
- Missing audit logs or short log retention.
- Exposing SSH/RDP to the internet.
- No alerting for risky configuration changes.
Interview Questions
- Explain S3 Security in simple words.
- What risk does S3 Security reduce?
- What evidence would prove this is working?
- What is one common mistake with S3 Security?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
VPC Security
Clear Explanation
What it is: VPC Security protects cloud resources, identities, networks, data, and services. Use subnets, route tables, security groups, NACLs, NAT, endpoints, and flow logs to control network access.
Why it matters: Cloud incidents often come from misconfiguration, excessive permissions, exposed storage, weak logging, or public network exposure.
How to Understand / Apply It
- Apply least privilege IAM.
- Keep storage private unless public access is required and approved.
- Use encryption, key management, and logging.
- Restrict network exposure using security groups, NACLs, private subnets, and endpoints.
- Continuously monitor configuration drift and suspicious activity.
Example
Cloud baseline example:
- MFA for administrators
- No public storage by default
- Cloud audit logs enabled
- Security findings reviewed
- Encryption enabled for sensitive data
- Network access restricted
- IAM policies reviewed quarterly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Public storage by mistake.
- Overly broad IAM permissions.
- Missing audit logs or short log retention.
- Exposing SSH/RDP to the internet.
- No alerting for risky configuration changes.
Interview Questions
- Explain VPC Security in simple words.
- What risk does VPC Security reduce?
- What evidence would prove this is working?
- What is one common mistake with VPC Security?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Cloud Logging and Monitoring
Clear Explanation
What it is: Cloud Logging and Monitoring protects cloud resources, identities, networks, data, and services. Collect and review cloud audit logs, service logs, metrics, alerts, and detection findings.
Why it matters: Cloud incidents often come from misconfiguration, excessive permissions, exposed storage, weak logging, or public network exposure.
How to Understand / Apply It
- Apply least privilege IAM.
- Keep storage private unless public access is required and approved.
- Use encryption, key management, and logging.
- Restrict network exposure using security groups, NACLs, private subnets, and endpoints.
- Continuously monitor configuration drift and suspicious activity.
Example
Cloud baseline example:
- MFA for administrators
- No public storage by default
- Cloud audit logs enabled
- Security findings reviewed
- Encryption enabled for sensitive data
- Network access restricted
- IAM policies reviewed quarterly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Public storage by mistake.
- Overly broad IAM permissions.
- Missing audit logs or short log retention.
- Exposing SSH/RDP to the internet.
- No alerting for risky configuration changes.
Interview Questions
- Explain Cloud Logging and Monitoring in simple words.
- What risk does Cloud Logging and Monitoring reduce?
- What evidence would prove this is working?
- What is one common mistake with Cloud Logging and Monitoring?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Cloud Logging and Monitoring.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Cloud Misconfiguration
Clear Explanation
What it is: Cloud Misconfiguration protects cloud resources, identities, networks, data, and services. Detect and fix public storage, excessive IAM, exposed management ports, missing encryption, and weak logging.
Why it matters: Cloud incidents often come from misconfiguration, excessive permissions, exposed storage, weak logging, or public network exposure.
How to Understand / Apply It
- Apply least privilege IAM.
- Keep storage private unless public access is required and approved.
- Use encryption, key management, and logging.
- Restrict network exposure using security groups, NACLs, private subnets, and endpoints.
- Continuously monitor configuration drift and suspicious activity.
Example
Cloud baseline example:
- MFA for administrators
- No public storage by default
- Cloud audit logs enabled
- Security findings reviewed
- Encryption enabled for sensitive data
- Network access restricted
- IAM policies reviewed quarterly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Public storage by mistake.
- Overly broad IAM permissions.
- Missing audit logs or short log retention.
- Exposing SSH/RDP to the internet.
- No alerting for risky configuration changes.
Interview Questions
- Explain Cloud Misconfiguration in simple words.
- What risk does Cloud Misconfiguration reduce?
- What evidence would prove this is working?
- What is one common mistake with Cloud Misconfiguration?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Container Security
Clear Explanation
What it is: Container Security adds security into development, build, deployment, and infrastructure workflows. Secure images, registries, runtime, secrets, base images, vulnerabilities, and Kubernetes workloads.
Why it matters: Finding issues before production is cheaper and safer than reacting after deployment.
How to Understand / Apply It
- Scan code, dependencies, containers, and infrastructure templates.
- Protect CI/CD secrets and deployment credentials.
- Require code review and approval for risky changes.
- Use least-privilege pipeline permissions.
- Fail builds for critical security issues where policy requires it.
Example
CI/CD security example:
Pipeline checks:
- Secret scan
- Dependency scan
- Static code scan
- IaC misconfiguration scan
- Container image scan
- Approval for production deploy
- Artifact signing or integrity check
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Container Security in simple words.
- What risk does Container Security reduce?
- What evidence would prove this is working?
- What is one common mistake with Container Security?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Kubernetes Security
Clear Explanation
What it is: Kubernetes Security adds security into development, build, deployment, and infrastructure workflows. Control RBAC, namespaces, network policies, secrets, admission controls, and cluster logging.
Why it matters: Finding issues before production is cheaper and safer than reacting after deployment.
How to Understand / Apply It
- Scan code, dependencies, containers, and infrastructure templates.
- Protect CI/CD secrets and deployment credentials.
- Require code review and approval for risky changes.
- Use least-privilege pipeline permissions.
- Fail builds for critical security issues where policy requires it.
Example
CI/CD security example:
Pipeline checks:
- Secret scan
- Dependency scan
- Static code scan
- IaC misconfiguration scan
- Container image scan
- Approval for production deploy
- Artifact signing or integrity check
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Kubernetes Security in simple words.
- What risk does Kubernetes Security reduce?
- What evidence would prove this is working?
- What is one common mistake with Kubernetes Security?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
CI/CD Security
Clear Explanation
What it is: CI/CD Security adds security into development, build, deployment, and infrastructure workflows. Protect source code, build pipelines, secrets, artifacts, approvals, and deployment credentials.
Why it matters: Finding issues before production is cheaper and safer than reacting after deployment.
How to Understand / Apply It
- Scan code, dependencies, containers, and infrastructure templates.
- Protect CI/CD secrets and deployment credentials.
- Require code review and approval for risky changes.
- Use least-privilege pipeline permissions.
- Fail builds for critical security issues where policy requires it.
Example
CI/CD security example:
Pipeline checks:
- Secret scan
- Dependency scan
- Static code scan
- IaC misconfiguration scan
- Container image scan
- Approval for production deploy
- Artifact signing or integrity check
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain CI/CD Security in simple words.
- What risk does CI/CD Security reduce?
- What evidence would prove this is working?
- What is one common mistake with CI/CD Security?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Secrets Management
Clear Explanation
What it is: Secrets Management adds security into development, build, deployment, and infrastructure workflows. Store credentials in secure secret managers instead of code, config files, tickets, or chat messages.
Why it matters: Finding issues before production is cheaper and safer than reacting after deployment.
How to Understand / Apply It
- Scan code, dependencies, containers, and infrastructure templates.
- Protect CI/CD secrets and deployment credentials.
- Require code review and approval for risky changes.
- Use least-privilege pipeline permissions.
- Fail builds for critical security issues where policy requires it.
Example
CI/CD security example:
Pipeline checks:
- Secret scan
- Dependency scan
- Static code scan
- IaC misconfiguration scan
- Container image scan
- Approval for production deploy
- Artifact signing or integrity check
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Secrets Management in simple words.
- What risk does Secrets Management reduce?
- What evidence would prove this is working?
- What is one common mistake with Secrets Management?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Infrastructure as Code Security
Clear Explanation
What it is: Infrastructure as Code Security adds security into development, build, deployment, and infrastructure workflows. Scan Terraform, CloudFormation, Kubernetes YAML, and pipeline templates before deployment.
Why it matters: Finding issues before production is cheaper and safer than reacting after deployment.
How to Understand / Apply It
- Scan code, dependencies, containers, and infrastructure templates.
- Protect CI/CD secrets and deployment credentials.
- Require code review and approval for risky changes.
- Use least-privilege pipeline permissions.
- Fail builds for critical security issues where policy requires it.
Example
CI/CD security example:
Pipeline checks:
- Secret scan
- Dependency scan
- Static code scan
- IaC misconfiguration scan
- Container image scan
- Approval for production deploy
- Artifact signing or integrity check
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Infrastructure as Code Security in simple words.
- What risk does Infrastructure as Code Security reduce?
- What evidence would prove this is working?
- What is one common mistake with Infrastructure as Code Security?
- Which misconfiguration would you check first?
- How would you prevent recurrence in CI/CD?
Hands-on Practice
- Create a cloud baseline checklist.
- Review IAM, network, storage, logging, and encryption.
- Write a sample finding with risk and remediation.
- Add a prevention step for CI/CD or policy-as-code.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Malware Basics
Clear Explanation
What it is: Malware Basics helps defenders understand attacker behavior and user-focused threats. Understand viruses, worms, trojans, ransomware, spyware, rootkits, loaders, and backdoors.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Malware Basics in simple words.
- What risk does Malware Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Malware Basics?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Malware Basics.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Ransomware
Clear Explanation
What it is: Ransomware helps defenders understand attacker behavior and user-focused threats. Understand ransomware entry, lateral movement, encryption, data theft, extortion, backup impact, and recovery planning.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Ransomware in simple words.
- What risk does Ransomware reduce?
- What evidence would prove this is working?
- What is one common mistake with Ransomware?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Ransomware.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Phishing
Clear Explanation
What it is: Phishing helps defenders understand attacker behavior and user-focused threats. Identify fraudulent messages designed to steal credentials, money, or sensitive information.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Phishing in simple words.
- What risk does Phishing reduce?
- What evidence would prove this is working?
- What is one common mistake with Phishing?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Phishing.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Business Email Compromise
Clear Explanation
What it is: Business Email Compromise helps defenders understand attacker behavior and user-focused threats. Understand invoice fraud, executive impersonation, vendor payment changes, and mailbox compromise.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Business Email Compromise in simple words.
- What risk does Business Email Compromise reduce?
- What evidence would prove this is working?
- What is one common mistake with Business Email Compromise?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Business Email Compromise.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Social Engineering
Clear Explanation
What it is: Social Engineering helps defenders understand attacker behavior and user-focused threats. Understand manipulation techniques such as urgency, authority, fear, reward, curiosity, and trust abuse.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Social Engineering in simple words.
- What risk does Social Engineering reduce?
- What evidence would prove this is working?
- What is one common mistake with Social Engineering?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Social Engineering.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Insider Threat
Clear Explanation
What it is: Insider Threat helps defenders understand attacker behavior and user-focused threats. Detect and reduce risk from negligent, compromised, or malicious insiders.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Insider Threat in simple words.
- What risk does Insider Threat reduce?
- What evidence would prove this is working?
- What is one common mistake with Insider Threat?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Insider Threat.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Threat Intelligence
Clear Explanation
What it is: Threat Intelligence helps defenders understand attacker behavior and user-focused threats. Use indicators, tactics, techniques, procedures, actor behavior, and context to improve defense.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Threat Intelligence in simple words.
- What risk does Threat Intelligence reduce?
- What evidence would prove this is working?
- What is one common mistake with Threat Intelligence?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Threat Intelligence.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
MITRE ATT&CK Basics
Clear Explanation
What it is: MITRE ATT&CK Basics helps defenders understand attacker behavior and user-focused threats. Use attacker tactics and techniques as a map for detection engineering and control assessment.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain MITRE ATT&CK Basics in simple words.
- What risk does MITRE ATT&CK Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with MITRE ATT&CK Basics?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for MITRE ATT&CK Basics.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Indicators of Compromise
Clear Explanation
What it is: Indicators of Compromise helps defenders understand attacker behavior and user-focused threats. Recognize suspicious IPs, domains, hashes, filenames, registry keys, processes, and behaviors.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Indicators of Compromise in simple words.
- What risk does Indicators of Compromise reduce?
- What evidence would prove this is working?
- What is one common mistake with Indicators of Compromise?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Indicators of Compromise.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Indicators of Attack
Clear Explanation
What it is: Indicators of Attack helps defenders understand attacker behavior and user-focused threats. Focus on behavior patterns such as credential abuse, privilege escalation, and lateral movement.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Indicators of Attack in simple words.
- What risk does Indicators of Attack reduce?
- What evidence would prove this is working?
- What is one common mistake with Indicators of Attack?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Indicators of Attack.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
SOC Overview
Clear Explanation
What it is: SOC Overview supports detection, investigation, containment, and recovery. Understand how a Security Operations Center monitors, triages, investigates, escalates, and improves detection.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain SOC Overview in simple words.
- What risk does SOC Overview reduce?
- What evidence would prove this is working?
- What is one common mistake with SOC Overview?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
SIEM Basics
Clear Explanation
What it is: SIEM Basics means: Collect and correlate logs from endpoints, identity, network, cloud, applications, and security tools.
Why it matters: It matters because weak security design, missing controls, poor monitoring, or unclear ownership can turn a small weakness into a business incident.
How to Understand / Apply It
- Identify the asset, data, user, network, app, or cloud service being protected.
- Identify likely threats and weaknesses.
- Choose controls that reduce risk without breaking business operations.
- Collect logs or evidence so the control can be tested.
- Document owner, frequency, exceptions, and response steps.
Example
Example: If remote access is required, use MFA, device checks, least privilege, logging, and clear offboarding instead of simply opening a public port.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain SIEM Basics in simple words.
- What risk does SIEM Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with SIEM Basics?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for SIEM Basics.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Log Sources
Clear Explanation
What it is: Log Sources means: Identify important log sources such as authentication, endpoint, firewall, DNS, proxy, EDR, cloud, and application logs.
Why it matters: It matters because weak security design, missing controls, poor monitoring, or unclear ownership can turn a small weakness into a business incident.
How to Understand / Apply It
- Identify the asset, data, user, network, app, or cloud service being protected.
- Identify likely threats and weaknesses.
- Choose controls that reduce risk without breaking business operations.
- Collect logs or evidence so the control can be tested.
- Document owner, frequency, exceptions, and response steps.
Example
Example: If remote access is required, use MFA, device checks, least privilege, logging, and clear offboarding instead of simply opening a public port.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Log Sources in simple words.
- What risk does Log Sources reduce?
- What evidence would prove this is working?
- What is one common mistake with Log Sources?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Log Sources.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Alert Triage
Clear Explanation
What it is: Alert Triage supports detection, investigation, containment, and recovery. Decide whether an alert is false positive, benign true positive, suspicious, or confirmed incident.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain Alert Triage in simple words.
- What risk does Alert Triage reduce?
- What evidence would prove this is working?
- What is one common mistake with Alert Triage?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Detection Engineering
Clear Explanation
What it is: Detection Engineering means: Create useful detections with clear logic, data sources, severity, false positive handling, and response steps.
Why it matters: It matters because weak security design, missing controls, poor monitoring, or unclear ownership can turn a small weakness into a business incident.
How to Understand / Apply It
- Identify the asset, data, user, network, app, or cloud service being protected.
- Identify likely threats and weaknesses.
- Choose controls that reduce risk without breaking business operations.
- Collect logs or evidence so the control can be tested.
- Document owner, frequency, exceptions, and response steps.
Example
Example: If remote access is required, use MFA, device checks, least privilege, logging, and clear offboarding instead of simply opening a public port.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Detection Engineering in simple words.
- What risk does Detection Engineering reduce?
- What evidence would prove this is working?
- What is one common mistake with Detection Engineering?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Detection Engineering.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Incident Response Lifecycle
Clear Explanation
What it is: Incident Response Lifecycle supports detection, investigation, containment, and recovery. Prepare, identify, contain, eradicate, recover, and learn from security incidents.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain Incident Response Lifecycle in simple words.
- What risk does Incident Response Lifecycle reduce?
- What evidence would prove this is working?
- What is one common mistake with Incident Response Lifecycle?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Incident Severity
Clear Explanation
What it is: Incident Severity supports detection, investigation, containment, and recovery. Classify incidents based on business impact, scope, data sensitivity, active threat, and operational disruption.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain Incident Severity in simple words.
- What risk does Incident Severity reduce?
- What evidence would prove this is working?
- What is one common mistake with Incident Severity?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Containment
Clear Explanation
What it is: Containment supports detection, investigation, containment, and recovery. Limit damage by isolating systems, disabling accounts, blocking indicators, or restricting access.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain Containment in simple words.
- What risk does Containment reduce?
- What evidence would prove this is working?
- What is one common mistake with Containment?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Eradication and Recovery
Clear Explanation
What it is: Eradication and Recovery supports detection, investigation, containment, and recovery. Remove attacker access, fix root cause, restore clean systems, and validate normal operations.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain Eradication and Recovery in simple words.
- What risk does Eradication and Recovery reduce?
- What evidence would prove this is working?
- What is one common mistake with Eradication and Recovery?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Post-Incident Review
Clear Explanation
What it is: Post-Incident Review supports detection, investigation, containment, and recovery. Document timeline, root cause, impact, actions, evidence, gaps, and improvement plan.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain Post-Incident Review in simple words.
- What risk does Post-Incident Review reduce?
- What evidence would prove this is working?
- What is one common mistake with Post-Incident Review?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Digital Forensics Basics
Clear Explanation
What it is: Digital Forensics Basics supports detection, investigation, containment, and recovery. Preserve evidence, maintain chain of custody, collect artifacts, and avoid changing evidence unnecessarily.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain Digital Forensics Basics in simple words.
- What risk does Digital Forensics Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Digital Forensics Basics?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Memory and Disk Evidence
Clear Explanation
What it is: Memory and Disk Evidence supports detection, investigation, containment, and recovery. Understand volatile memory, disk images, filesystem artifacts, logs, registry, and timeline reconstruction.
Why it matters: Even strong controls fail sometimes. Security teams need logs, playbooks, evidence, and decision-making discipline to reduce impact.
How to Understand / Apply It
- Confirm alert source, affected asset, user, time, and evidence.
- Classify severity based on impact and scope.
- Contain the threat without destroying evidence unnecessarily.
- Remove root cause and recover cleanly.
- Document timeline, decisions, and improvement actions.
Example
Alert triage note example:
Alert: Multiple failed logins then successful login
User: finance.user@example.com
Evidence:
- 37 failures from unusual country
- Successful login after failures
- MFA prompt accepted
Decision:
- Suspicious true positive
Actions:
- Disable session
- Reset password
- Review mailbox rules
- Open incident ticket
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Closing alerts without documenting evidence.
- Deleting or rebooting systems before evidence is collected.
- Treating every alert with the same severity.
- No containment decision log.
- No post-incident improvement actions.
Interview Questions
- Explain Memory and Disk Evidence in simple words.
- What risk does Memory and Disk Evidence reduce?
- What evidence would prove this is working?
- What is one common mistake with Memory and Disk Evidence?
- How would you triage severity?
- What containment step would you choose and why?
Hands-on Practice
- Create a sample alert ticket.
- List evidence, timeline, severity, and containment decision.
- Write communication notes.
- Add lessons learned and detection improvement.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
GRC Overview
Clear Explanation
What it is: GRC Overview connects security work to business accountability, policies, controls, audits, and risk decisions. Understand how governance, risk management, compliance, policies, standards, and audits support cybersecurity.
Why it matters: Security programs need governance so risks are visible, owners are assigned, and controls are tested instead of assumed.
How to Understand / Apply It
- Define policy or control requirement.
- Map assets, owners, risks, and applicable obligations.
- Collect evidence that the control exists and works.
- Track exceptions and remediation plans.
- Report risk to the right decision-makers.
Example
Risk register example:
Risk: Public exposure of sensitive cloud storage
Likelihood: Medium
Impact: High
Controls:
- Block public access
- IAM review
- Encryption
- Cloud monitoring
Treatment: Mitigate
Owner: Cloud platform team
Review: Monthly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Writing policies nobody follows.
- Collecting evidence only during audits.
- Accepting risk without owner approval.
- Treating compliance as the same thing as security.
- Not tracking remediation owners and dates.
Interview Questions
- Explain GRC Overview in simple words.
- What risk does GRC Overview reduce?
- What evidence would prove this is working?
- What is one common mistake with GRC Overview?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for GRC Overview.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Security Policies
Clear Explanation
What it is: Security Policies connects security work to business accountability, policies, controls, audits, and risk decisions. Create rules for acceptable use, access, data handling, incident response, remote work, and vendor security.
Why it matters: Security programs need governance so risks are visible, owners are assigned, and controls are tested instead of assumed.
How to Understand / Apply It
- Define policy or control requirement.
- Map assets, owners, risks, and applicable obligations.
- Collect evidence that the control exists and works.
- Track exceptions and remediation plans.
- Report risk to the right decision-makers.
Example
Risk register example:
Risk: Public exposure of sensitive cloud storage
Likelihood: Medium
Impact: High
Controls:
- Block public access
- IAM review
- Encryption
- Cloud monitoring
Treatment: Mitigate
Owner: Cloud platform team
Review: Monthly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Writing policies nobody follows.
- Collecting evidence only during audits.
- Accepting risk without owner approval.
- Treating compliance as the same thing as security.
- Not tracking remediation owners and dates.
Interview Questions
- Explain Security Policies in simple words.
- What risk does Security Policies reduce?
- What evidence would prove this is working?
- What is one common mistake with Security Policies?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Security Policies.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Risk Assessment
Clear Explanation
What it is: Risk Assessment connects security work to business accountability, policies, controls, audits, and risk decisions. Identify assets, threats, vulnerabilities, likelihood, impact, controls, residual risk, and treatment plans.
Why it matters: Security programs need governance so risks are visible, owners are assigned, and controls are tested instead of assumed.
How to Understand / Apply It
- Define policy or control requirement.
- Map assets, owners, risks, and applicable obligations.
- Collect evidence that the control exists and works.
- Track exceptions and remediation plans.
- Report risk to the right decision-makers.
Example
Risk register example:
Risk: Public exposure of sensitive cloud storage
Likelihood: Medium
Impact: High
Controls:
- Block public access
- IAM review
- Encryption
- Cloud monitoring
Treatment: Mitigate
Owner: Cloud platform team
Review: Monthly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Writing policies nobody follows.
- Collecting evidence only during audits.
- Accepting risk without owner approval.
- Treating compliance as the same thing as security.
- Not tracking remediation owners and dates.
Interview Questions
- Explain Risk Assessment in simple words.
- What risk does Risk Assessment reduce?
- What evidence would prove this is working?
- What is one common mistake with Risk Assessment?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Risk Assessment.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Risk Treatment
Clear Explanation
What it is: Risk Treatment connects security work to business accountability, policies, controls, audits, and risk decisions. Choose to mitigate, transfer, avoid, or accept risk with proper approval.
Why it matters: Security programs need governance so risks are visible, owners are assigned, and controls are tested instead of assumed.
How to Understand / Apply It
- Define policy or control requirement.
- Map assets, owners, risks, and applicable obligations.
- Collect evidence that the control exists and works.
- Track exceptions and remediation plans.
- Report risk to the right decision-makers.
Example
Risk register example:
Risk: Public exposure of sensitive cloud storage
Likelihood: Medium
Impact: High
Controls:
- Block public access
- IAM review
- Encryption
- Cloud monitoring
Treatment: Mitigate
Owner: Cloud platform team
Review: Monthly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Writing policies nobody follows.
- Collecting evidence only during audits.
- Accepting risk without owner approval.
- Treating compliance as the same thing as security.
- Not tracking remediation owners and dates.
Interview Questions
- Explain Risk Treatment in simple words.
- What risk does Risk Treatment reduce?
- What evidence would prove this is working?
- What is one common mistake with Risk Treatment?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Risk Treatment.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Third-Party Risk
Clear Explanation
What it is: Third-Party Risk connects security work to business accountability, policies, controls, audits, and risk decisions. Assess vendor access, data sharing, contracts, security controls, incidents, and monitoring.
Why it matters: Security programs need governance so risks are visible, owners are assigned, and controls are tested instead of assumed.
How to Understand / Apply It
- Define policy or control requirement.
- Map assets, owners, risks, and applicable obligations.
- Collect evidence that the control exists and works.
- Track exceptions and remediation plans.
- Report risk to the right decision-makers.
Example
Risk register example:
Risk: Public exposure of sensitive cloud storage
Likelihood: Medium
Impact: High
Controls:
- Block public access
- IAM review
- Encryption
- Cloud monitoring
Treatment: Mitigate
Owner: Cloud platform team
Review: Monthly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Writing policies nobody follows.
- Collecting evidence only during audits.
- Accepting risk without owner approval.
- Treating compliance as the same thing as security.
- Not tracking remediation owners and dates.
Interview Questions
- Explain Third-Party Risk in simple words.
- What risk does Third-Party Risk reduce?
- What evidence would prove this is working?
- What is one common mistake with Third-Party Risk?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Third-Party Risk.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Security Awareness
Clear Explanation
What it is: Security Awareness helps defenders understand attacker behavior and user-focused threats. Train users to recognize phishing, protect data, report incidents, and follow secure behavior.
Why it matters: Security is not only technical. Attackers often target people, credentials, business process weaknesses, and trust relationships.
How to Understand / Apply It
- Identify attacker goal and likely entry method.
- Train users and define reporting paths.
- Monitor identity, email, endpoint, DNS, and network indicators.
- Use controls such as MFA, filtering, EDR, backups, and payment verification.
- Practice response steps with tabletop exercises.
Example
Phishing response example:
1. User reports suspicious email.
2. SOC reviews headers, links, attachments, and sender.
3. Search mailboxes for same message.
4. Remove message if malicious.
5. Reset credentials if user clicked and submitted password.
6. Add detection/block rule.
7. Document timeline and lesson learned.
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Security Awareness in simple words.
- What risk does Security Awareness reduce?
- What evidence would prove this is working?
- What is one common mistake with Security Awareness?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Security Awareness.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Privacy Basics
Clear Explanation
What it is: Privacy Basics protects sensitive information and business continuity. Protect personal data with collection limits, purpose, consent where applicable, access control, retention, and deletion.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Privacy Basics in simple words.
- What risk does Privacy Basics reduce?
- What evidence would prove this is working?
- What is one common mistake with Privacy Basics?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Privacy Basics.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Audit Evidence
Clear Explanation
What it is: Audit Evidence connects security work to business accountability, policies, controls, audits, and risk decisions. Collect proof that controls are designed, implemented, and operating effectively.
Why it matters: Security programs need governance so risks are visible, owners are assigned, and controls are tested instead of assumed.
How to Understand / Apply It
- Define policy or control requirement.
- Map assets, owners, risks, and applicable obligations.
- Collect evidence that the control exists and works.
- Track exceptions and remediation plans.
- Report risk to the right decision-makers.
Example
Risk register example:
Risk: Public exposure of sensitive cloud storage
Likelihood: Medium
Impact: High
Controls:
- Block public access
- IAM review
- Encryption
- Cloud monitoring
Treatment: Mitigate
Owner: Cloud platform team
Review: Monthly
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Writing policies nobody follows.
- Collecting evidence only during audits.
- Accepting risk without owner approval.
- Treating compliance as the same thing as security.
- Not tracking remediation owners and dates.
Interview Questions
- Explain Audit Evidence in simple words.
- What risk does Audit Evidence reduce?
- What evidence would prove this is working?
- What is one common mistake with Audit Evidence?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Audit Evidence.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Business Continuity
Clear Explanation
What it is: Business Continuity protects sensitive information and business continuity. Plan how critical operations continue during cyber incidents, outages, disasters, or vendor failures.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Business Continuity in simple words.
- What risk does Business Continuity reduce?
- What evidence would prove this is working?
- What is one common mistake with Business Continuity?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Business Continuity.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Disaster Recovery
Clear Explanation
What it is: Disaster Recovery protects sensitive information and business continuity. Plan technology recovery with RTO, RPO, backups, failover, testing, and communication.
Why it matters: Data is usually the business asset attackers want. Data protection reduces breach impact, supports privacy, and improves recovery from incidents.
How to Understand / Apply It
- Classify data by sensitivity.
- Encrypt data at rest and in transit where appropriate.
- Restrict access using least privilege.
- Monitor data movement and unusual downloads.
- Test backups and restore procedures.
Example
Data protection example:
Data type: Employee personal data
Classification: Confidential
Controls:
- Role-based access
- MFA for HR systems
- Encryption at rest
- TLS in transit
- DLP monitoring
- Retention and deletion policy
- Tested backups
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Disaster Recovery in simple words.
- What risk does Disaster Recovery reduce?
- What evidence would prove this is working?
- What is one common mistake with Disaster Recovery?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Disaster Recovery.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Project 1: Home Lab Security
Clear Explanation
What it is: Project 1: Home Lab Security turns learning into proof of practical ability. Build a safe lab with a VM, host firewall, patching, secure SSH/RDP settings, and basic monitoring evidence.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Project 1: Home Lab Security in simple words.
- What risk does Project 1: Home Lab Security reduce?
- What evidence would prove this is working?
- What is one common mistake with Project 1: Home Lab Security?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Project 1: Home Lab Security.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Project 2: Small Business Security Plan
Clear Explanation
What it is: Project 2: Small Business Security Plan turns learning into proof of practical ability. Create a practical security program for a small company covering identity, endpoints, backups, cloud, awareness, monitoring, and incident response.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Project 2: Small Business Security Plan in simple words.
- What risk does Project 2: Small Business Security Plan reduce?
- What evidence would prove this is working?
- What is one common mistake with Project 2: Small Business Security Plan?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Project 2: Small Business Security Plan.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Project 3: SOC Alert Triage Lab
Clear Explanation
What it is: Project 3: SOC Alert Triage Lab turns learning into proof of practical ability. Create sample alerts, review logs, classify severity, write investigation notes, and recommend containment actions.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Project 3: SOC Alert Triage Lab in simple words.
- What risk does Project 3: SOC Alert Triage Lab reduce?
- What evidence would prove this is working?
- What is one common mistake with Project 3: SOC Alert Triage Lab?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Project 3: SOC Alert Triage Lab.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Project 4: Web App Security Review
Clear Explanation
What it is: Project 4: Web App Security Review turns learning into proof of practical ability. Review a deliberately vulnerable local app or training app safely and document findings, risk, and remediation.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Project 4: Web App Security Review in simple words.
- What risk does Project 4: Web App Security Review reduce?
- What evidence would prove this is working?
- What is one common mistake with Project 4: Web App Security Review?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Project 4: Web App Security Review.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Project 5: Cloud Security Baseline
Clear Explanation
What it is: Project 5: Cloud Security Baseline turns learning into proof of practical ability. Create a cloud security checklist for IAM, network, storage, logging, encryption, and monitoring.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Project 5: Cloud Security Baseline in simple words.
- What risk does Project 5: Cloud Security Baseline reduce?
- What evidence would prove this is working?
- What is one common mistake with Project 5: Cloud Security Baseline?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Project 5: Cloud Security Baseline.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Project 6: Incident Response Playbook
Clear Explanation
What it is: Project 6: Incident Response Playbook turns learning into proof of practical ability. Write a playbook for phishing, malware, lost device, credential compromise, and ransomware.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Project 6: Incident Response Playbook in simple words.
- What risk does Project 6: Incident Response Playbook reduce?
- What evidence would prove this is working?
- What is one common mistake with Project 6: Incident Response Playbook?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Project 6: Incident Response Playbook.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Security Analyst Interview Prep
Clear Explanation
What it is: Security Analyst Interview Prep turns learning into proof of practical ability. Practice SOC, SIEM, networking, endpoint, incident response, and log-analysis questions.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Security Analyst Interview Prep in simple words.
- What risk does Security Analyst Interview Prep reduce?
- What evidence would prove this is working?
- What is one common mistake with Security Analyst Interview Prep?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Security Analyst Interview Prep.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Security Engineer Interview Prep
Clear Explanation
What it is: Security Engineer Interview Prep turns learning into proof of practical ability. Practice IAM, cloud, hardening, detection, secure design, vulnerability management, and automation questions.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Security Engineer Interview Prep in simple words.
- What risk does Security Engineer Interview Prep reduce?
- What evidence would prove this is working?
- What is one common mistake with Security Engineer Interview Prep?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Security Engineer Interview Prep.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
GRC Interview Prep
Clear Explanation
What it is: GRC Interview Prep turns learning into proof of practical ability. Practice risk, policies, audits, evidence, third-party risk, privacy, and compliance scenario questions.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain GRC Interview Prep in simple words.
- What risk does GRC Interview Prep reduce?
- What evidence would prove this is working?
- What is one common mistake with GRC Interview Prep?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for GRC Interview Prep.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |
Cybersecurity Resume Portfolio
Clear Explanation
What it is: Cybersecurity Resume Portfolio turns learning into proof of practical ability. Prepare proof of practical work: labs, reports, diagrams, playbooks, checklists, and clear explanations.
Why it matters: A good portfolio shows that you can explain a problem, build or review a control safely, collect evidence, and communicate findings clearly.
How to Understand / Apply It
- Define the scenario and scope.
- Use only legal, safe lab systems or training apps.
- Create diagrams, screenshots, logs, and checklists.
- Write findings with risk and remediation.
- Prepare a short demo explanation for interviews.
Example
Portfolio report structure:
1. Objective
2. Scope and lab environment
3. Tools used
4. Steps performed
5. Evidence screenshots/logs
6. Findings
7. Risk rating
8. Recommendations
9. Lessons learned
Real Project Checklist
- Asset is identified.
- Threat and weakness are clear.
- Control owner is assigned.
- Logs or evidence are available.
- Response process is documented.
Common Mistakes
- Using tools without understanding the security goal.
- Skipping documentation and evidence.
- Depending on one control only.
- Ignoring business process impact.
- Not testing recovery or response steps.
Interview Questions
- Explain Cybersecurity Resume Portfolio in simple words.
- What risk does Cybersecurity Resume Portfolio reduce?
- What evidence would prove this is working?
- What is one common mistake with Cybersecurity Resume Portfolio?
- How would you implement it in a small business?
- How would you document it for audit or handover?
Hands-on Practice
- Create a one-page note for Cybersecurity Resume Portfolio.
- Include definition, risk, control, evidence, mistakes, and response steps.
- Add one diagram, table, or checklist.
- Prepare a two-minute interview explanation.
Portfolio Evidence
| Technical evidence | Configuration screenshots, logs, alerts, packet capture notes, command output from your own lab, diagrams, or cloud configuration evidence. |
|---|---|
| Risk evidence | Asset, threat, vulnerability, likelihood, impact, control, owner, remediation date, and residual risk notes. |
| Documentation | Objective, scope, safe lab statement, steps, findings, recommended fixes, limitations, and lessons learned. |