The Brief
Dimitar Todorov runs Todorovi Wines, a family winery in the Thracian Valley of Bulgaria. Fifteen hectares of vineyards, 25 employees, and a two-year-old online platform. The platform has two sides: a consumer ordering website and a REST API that 12 restaurant partners use for wholesale orders. The API accounts for 40% of revenue.
Last month a restaurant partner in Sofia reported that their system flagged "unusual activity" from the API. Their IT person mentioned "injection attacks." Dimitar knows fermentation curves, not firewall rules. He needs someone to check the whole platform and tell him -- in language he understands -- whether he has a real problem.
The platform handles customer data, order histories, and partner-specific wholesale pricing. The API authenticates restaurant partners with API keys. The consumer side processes payments through Stripe. Dimitar sends late-night Slack messages after checking fermentation tanks and compares security concepts to winemaking.
Your Role
You are assessing two attack surfaces: the consumer web platform and the restaurant API. These are different doors into the same building. A web form that accepts customer orders and an API that processes wholesale requests from restaurant partners are architecturally different targets. The tools, the vulnerabilities, and the remediation patterns differ between them.
The scaffolding continues to thin. The STRIDE threat model template from last time is gone -- you author the model yourself from the business brief and your own reconnaissance. The TTP selection guide narrows further. You decide which ATT&CK techniques to test based on what you find, not from a provided list. You manage your AI context deliberately -- deciding what to include in each session, planning the engagement decomposition before starting, and writing constraints before work begins.
What's New
Last time you exploited network services with Metasploit, wrote Sigma rules from scratch, designed Alloy labels, built your first threat model from a template, and used CVSS for prioritisation. You know the assessment layers connect and that skipping one weakens the rest.
Vulnerability scanning. ZAP and Nuclei produce severity-rated findings, but not every "High" finding is real. Some are false positives. Scanner output is a hypothesis, not a conclusion. The professional skill is triage -- separating confirmed findings from noise.
API exploitation. The restaurant API has different vulnerabilities than the web forms. BOLA (broken object level authorisation), mass assignment, and JWT tampering are authorisation architecture flaws, not input validation failures. AI applies web exploitation techniques to APIs and misses the structural difference.
CIS Benchmarks and OWASP ASVS. Formal compliance frameworks replace ad-hoc hardening. Not every benchmark item applies to every system. Your job is interpreting which items matter -- and compliance language makes your recommendations carry more weight.
The hard part is that each surface requires a different approach. The payload that works against a web form fails against an API. The detection rule that catches web exploitation misses API attacks. The remediation pattern for input validation does not fix an authorisation flaw. Understanding the terrain before you move determines everything downstream.
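The claim that the remediation pattern for input validation does not fix an authorisation flaw can be seen in a small sketch. This is an added example, not part of the course materials or the lab targets: the order schema, API keys, and function names are hypothetical, and the data is constructed. Both handlers reject malformed order ids, but only the second checks that the order belongs to the partner the API key authenticates.

```python
# Constructed sample data: wholesale orders keyed by order id (hypothetical schema).
ORDERS = {
    101: {"partner_id": "sofia-bistro", "items": "Mavrud x24", "unit_price": 11.50},
    102: {"partner_id": "plovdiv-grill", "items": "Rubin x36", "unit_price": 9.80},
}
# Constructed API keys mapped to the partner each one authenticates.
API_KEYS = {"key-sofia": "sofia-bistro", "key-plovdiv": "plovdiv-grill"}


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def _authenticate(api_key):
    partner = API_KEYS.get(api_key)
    if partner is None:
        raise ApiError(401, "unknown API key")
    return partner


def _parse_order_id(raw):
    # Input validation: ASCII digits only, so injection payloads are rejected.
    if not isinstance(raw, str) or not (raw.isascii() and raw.isdigit()):
        raise ApiError(400, "order id must be numeric")
    return int(raw)


def get_order_validated_only(api_key, raw_order_id):
    """Authenticates and validates input, but never checks ownership (BOLA)."""
    _authenticate(api_key)
    order = ORDERS.get(_parse_order_id(raw_order_id))
    if order is None:
        raise ApiError(404, "not found")
    return order


def get_order_with_ownership_check(api_key, raw_order_id):
    """Same validation, plus object-level authorisation."""
    partner = _authenticate(api_key)
    order = ORDERS.get(_parse_order_id(raw_order_id))
    # Same 404 for missing and foreign orders, so ids cannot be probed.
    if order is None or order["partner_id"] != partner:
        raise ApiError(404, "not found")
    return order
```

A request for order 102 with the Sofia partner's key is well-formed and authenticated, so the first handler returns another partner's wholesale pricing; the second returns 404.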
Tools
- ZAP -- web application vulnerability scanner. New.
- Nuclei -- template-based vulnerability scanner. New.
- ffuf -- directory and content discovery. New.
- Juice Shop -- modern web application with API endpoints. New target.
- DVWA (Medium/High) -- web application at higher difficulty. Continuing at raised difficulty.
- Nmap -- network scanning. Continuing.
- Grafana/Loki -- log viewing and dashboard refinement. Continuing.
- Alloy -- log collection pipeline. Continuing.
- pySigma -- Sigma rule conversion. Continuing.
- Docker -- running the applications and monitoring stack.
- Claude Code -- AI agent directing all tool execution.
- Git/GitHub -- version control and project submission.
Materials
- Scope document -- assessment boundaries covering the consumer platform, restaurant API, monitoring stack, and Docker infrastructure.
- CIS Docker Benchmark reference -- curated subset of benchmark items relevant to the lab environment.
- OWASP ASVS reference -- curated Level 1 requirements for the web platform and API.
- Report template -- assessment report structure with API findings, exploit chains, EPSS/CVSS dual-scoring, and compliance mapping sections.
- Docker environment -- Juice Shop, DVWA, Grafana, Loki, and Alloy running in containers.