The Brief
Fatima Al-Sulaiti is the COO of Maskan Properties, a property management company in Doha, Qatar. They operate 12 buildings across Doha and Al Wakra -- residential towers, an office complex, and a mixed-use development. Each building runs tenant Wi-Fi, building management systems that control HVAC, fire suppression, and elevators, CCTV surveillance, and electronic access control. All of it shares network infrastructure.
Their insurance company conducted an IT audit. The finding: building networks are "insufficiently segmented." The concern: if someone compromises tenant Wi-Fi, they could reach the systems that control whether doors lock and air conditioning runs. In August. In Qatar. The insurance company gave them three months to fix this or face a 30% premium increase.
Fatima needs someone to assess the segmentation across all 12 buildings, show her exactly what can reach what, and deliver a remediation plan with costs she can present to the board.
Your Role
You are assessing and hardening network segmentation for a multi-building property management company. This is defense-focused work. You already know how to exploit network services and web applications. Now you are designing the controls that would have stopped those attacks -- and verifying them by attempting the same techniques against your own architecture.
The scaffolding continues with templates and guides for the assessment and segmentation design. Your judgment within those templates is growing -- you are making architectural decisions about which systems belong in which network zones, which traffic should flow between zones, and how to balance security with operational continuity. The threat model is yours to build, not a template to fill.
What's New
Last time you assessed a dual-surface platform, ran vulnerability scanners, exploited APIs, applied CIS Benchmarks, and authored a STRIDE threat model from scratch. You triaged automated findings against manual verification and wrote prevention-plus-detection pairings.
Network segmentation. Dividing a flat network into isolated zones based on trust and function. A tenant's compromised laptop should not be able to reach the building management system that controls fire suppression. The segmentation must be tested from the attacker's position -- not by reading the firewall configuration, but by scanning from inside each zone to prove the boundaries hold.
Defense-in-depth. Controls at multiple layers so that failure at one layer does not mean failure everywhere. Network segmentation prevents lateral movement. Application authentication prevents unauthorized access. Monitoring detects what prevention misses. Each layer addresses a different failure scenario.
Default-deny firewall design. Start with nothing allowed. Add only the specific connections with a documented business justification. AI defaults to the opposite approach -- allow everything, then try to block the bad things. The difference matters.
The hard part: you are testing your own work. The same lateral movement techniques you used in previous projects become your verification method. If your segmentation does not stop what you already know how to do, it does not work.
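As an added example (not part of the brief's materials or the course environment), the following Python module captures both ideas above: the default-deny policy as an allow-list in which every flow carries a business justification, rendered as iptables FORWARD rules, and a verification step that compares what a scan from inside each zone actually reached against that same allow-list. Zone subnets, ports, justifications and the observed scan results are constructed assumptions.

```python
"""Default-deny zone policy: render iptables FORWARD rules from an allow-list, then
check scan results from inside each zone against that same allow-list."""
from dataclasses import dataclass

# Zone subnets are constructed for this example, not taken from the scope document.
ZONES = {
    "tenant_wifi": "10.10.0.0/16",
    "bms": "10.20.0.0/24",         # HVAC, fire suppression, elevator controllers
    "cctv": "10.30.0.0/24",
    "access_ctl": "10.40.0.0/24",  # door controllers
    "mgmt": "10.99.0.0/24",        # facilities / control-room workstations
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    justification: str  # every allow carries a documented business reason

# The allow-list: anything not listed is dropped. Ports and reasons are assumptions.
ALLOWED = [
    Flow("mgmt", "bms", "tcp", 443, "facilities staff use the BMS web console"),
    Flow("mgmt", "access_ctl", "tcp", 443, "security staff manage door controllers"),
    Flow("mgmt", "cctv", "tcp", 554, "control room views RTSP camera streams"),
    Flow("access_ctl", "bms", "tcp", 502, "fire-alarm interlock releases doors (Modbus)"),
]

def render_iptables(zones=ZONES, allowed=ALLOWED):
    """Return iptables commands for a default-deny inter-zone FORWARD chain."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for f in allowed:
        if not f.justification.strip():
            raise ValueError(f"flow {f.src}->{f.dst}:{f.port} has no justification")
        rules.append(f"iptables -A FORWARD -s {zones[f.src]} -d {zones[f.dst]} "
                     f"-p {f.proto} --dport {f.port} -m conntrack --ctstate NEW "
                     f"-j ACCEPT  # {f.justification}")
    # Log what the default policy is about to drop so denials reach Loki.
    rules.append("iptables -A FORWARD -j LOG --log-prefix 'ZONE-DENY: '")
    return rules

def verify(observed, allowed=ALLOWED):
    """Return observed (src_zone, dst_zone, proto, port) tuples the policy does not permit."""
    permitted = {(f.src, f.dst, f.proto, f.port) for f in allowed}
    return sorted(o for o in observed if o not in permitted)

# Constructed scan results: a tenant laptop reached Modbus on the BMS and RTSP on CCTV.
OBSERVED = [("mgmt", "bms", "tcp", 443),
            ("tenant_wifi", "bms", "tcp", 502),
            ("tenant_wifi", "cctv", "tcp", 554)]
```

Each violation `verify` returns is a row for the connectivity matrix that should not exist; `render_iptables` emits the rule set that would close it, with the justification kept beside the rule for the board-facing remediation plan.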
Tools
- Nmap -- scanning from the attacker's position to verify segmentation. Continuing.
- Metasploit -- lateral movement testing against your own segmentation. Continuing.
- Docker -- multi-network container architecture simulating building infrastructure. Continuing with new network configurations.
- Grafana/Loki/Alloy -- monitoring and detection across network segments. Continuing.
- Sigma -- detection rules for lateral movement attempts. Continuing.
- iptables -- firewall rule implementation. New at this level of detail.
- Claude Code -- AI agent directing assessment, hardening, and documentation.
- Git/GitHub -- version control and project submission.
Materials
- Scope document -- assessment boundaries for all 12 buildings, rules of engagement, timeline, and points of contact.
- Network assessment guide -- structured approach for connectivity testing, matrix template, and findings classification.
- Segmentation design template -- zone definitions, traffic policy matrix, implementation checklist, and verification criteria.
- Docker environment -- multi-building network with tenant Wi-Fi, BMS, CCTV, and access control containers, plus the monitoring stack.