The Brief and the Lab

Step 1: Set Up the Project

Open your terminal and start Claude Code:

cd ~/dev
claude

Paste this prompt:

Set up my project:
1. Create ~/dev/cybersecurity/p1
2. Download the project materials from https://learnbydirectingai.dev/materials/cybersecurity/p1/materials.zip and extract them into that folder
3. Read CLAUDE.md — it's the project governance file

That one prompt does everything: creates the folder, pulls the materials, and reads the governance file so Claude knows what this project is. What you type is everything Claude knows about the task — if you'd just said "set up a security project," Claude would fill in the blanks from its training, and the result might have nothing to do with Jean-Marc's booking page.

Once Claude finishes, look at what's in materials/. You should see CLAUDE.md, docker-compose.yml, scope-document.md, ttp-selection.md, client-email.md, and several other files. These are your working inputs for the entire assessment.

Step 2: Launch the Lab Environment

The materials include a docker-compose.yml that runs two things: DVWA (the web application you're assessing) and a monitoring stack (Grafana, Loki, and Alloy for collecting and viewing logs).

Docker runs isolated applications on your machine -- like separate computers inside your computer, each with its own software and settings. The docker-compose.yml file tells Docker which applications to run and how to connect them.

Direct Claude to start the environment:

Run docker compose up -d using the docker-compose.yml in the materials folder. Wait for all containers to be healthy, then tell me which containers are running.

Claude will pull the images and start the containers. This takes a minute the first time.

Once Claude confirms the containers are running, open a browser and go to http://localhost:8080. You should see the DVWA login page -- DVWA stands for Damn Vulnerable Web Application. It's a deliberately insecure web application built for security training, not a real system. The vulnerabilities in it are intentional, placed there so people can practice finding and exploiting them safely. Log in with the default credentials: username admin, password password.

Now open a second browser tab and go to http://localhost:3000. This is Grafana — the monitoring dashboard where defenders watch for suspicious activity. Navigate to the Explore view, select the Loki data source, and run a query like {container="dvwa"}. You should see log entries streaming in from the DVWA container. HTTP requests, timestamps, status codes — this is what the defender sees.

Both views are live. The application you'll be assessing is running in one tab. The log stream where your assessment activity will appear is running in the other. Keep both open.

Step 3: Read the Client Email

Open materials/client-email.md. This is from Jean-Marc Rasoanaivo, who owns Baobab Bay Lodge — an eco-lodge on Nosy Be, Madagascar. A friend's hotel in Mauritius was hacked through their booking system. Jean-Marc doesn't know if his site is safe. He wants someone to check, and he wants the answer in language he can understand.

Pay attention to the details. He mentions that the booking page stores guest passport numbers. That changes the stakes — this isn't just a broken form, it's personal data at risk. His developer built the site but has since moved to France. Jean-Marc can't check the code himself.

Everything you do in this project is for this person. The tools, the scans, the logs, the report — all of it exists to answer Jean-Marc's question: is my guests' data safe?

Step 4: Read the Scope Document

Open materials/scope-document.md. This defines the boundary of the assessment — what you're authorized to test and what you're not.

The scope is the single most important document in a security assessment. It separates legitimate testing from unauthorized access. Everything inside the boundary is your job. Everything outside it is off-limits, no matter how interesting it looks. If Claude suggests scanning a target or service that isn't listed in this document, that suggestion is a professional violation, not a helpful idea.

Read the target definition, the authorized testing methods, and the exclusions. Know what's in scope before you touch anything.

Step 5: Read the TTP Selection

Open materials/ttp-selection.md. TTPs — Tactics, Techniques, and Procedures — describe how an attack works: the goal (tactic), the method (technique), and the specific steps (procedure). This document describes what you'll be testing for and how: SQL injection against the DVWA web interface using sqlmap.

The TTP selection connects the reconnaissance and exploitation phases. It tells you which attack techniques apply to this target and why they were chosen. For this assessment, the focus is on SQL injection — a vulnerability where someone types a crafted string into a web form and the database executes it as a command instead of treating it as text.

You don't need to memorize this document. You need to understand what it says: what the target is, what the attack is, and what a successful result looks like. The next units will walk through the actual work.