Step 1: Set up the project
Open a terminal, navigate to your development directory, and start Claude Code.
cd ~/dev
claude
Paste this setup prompt:
Create the folder ~/dev/cybersecurity/p6. Download the project materials from https://learnbydirectingai.dev/materials/cybersecurity/p6/materials.zip and extract them into that folder. Read CLAUDE.md -- it's the project governance file. Then start the Docker environment with docker compose up -d from the docker directory.
Claude creates the folder, downloads the materials, reads the governance file, and brings up the Docker containers. The environment simulates a multi-building network with containers representing tenant Wi-Fi, building management systems, CCTV, and access control.
Step 2: Verify the environment
Once the containers are running, check that all services are up.
docker compose ps
You should see nine services: tenant-wifi-1, tenant-wifi-2, bms-doha, bms-alwakra, cctv-manager, access-control, grafana, loki, and alloy. All nine should be running.
The two tenant Wi-Fi containers represent Wi-Fi access points in two different buildings -- one in Doha, one in Al Wakra. The BMS containers simulate building management systems. The CCTV manager handles surveillance across all buildings. The access control container simulates electronic door locks.
Open http://localhost:3001 in your browser. This is Grafana. Navigate to the Explore view, select the Loki data source, and run a broad query to see log entries flowing from the containers. Logs flowing means the monitoring stack is collecting data from the building network.
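If you would rather not compare the docker compose ps output against that list by eye, the check below does it for you and names any service that is not running. It is an added example, not part of the project materials; it assumes the Compose service names match the nine names listed in this step and that your Docker Compose supports the --services and --status options of ps.

```shell
#!/bin/sh
# Added example (not from the project materials): confirm that every
# service named in Step 2 is running.
# Usage, from the docker directory:
#   docker compose ps --services --status running | missing_services

# The nine services listed in Step 2 (assumed to be the Compose service names).
EXPECTED="tenant-wifi-1 tenant-wifi-2 bms-doha bms-alwakra cctv-manager access-control grafana loki alloy"

# missing_services: reads running service names on stdin, one per line,
# and prints each expected service that is absent.
# Returns 0 only when nothing is missing.
missing_services() {
    running=$(cat)
    missing=0
    for svc in $EXPECTED; do
        # -x matches the whole line and -F treats the name literally, so
        # "tenant-wifi-1" is not satisfied by a line such as "tenant-wifi-10".
        if ! printf '%s\n' "$running" | grep -qxF -- "$svc"; then
            printf '%s\n' "$svc"
            missing=1
        fi
    done
    return "$missing"
}
```

An empty result with exit status 0 means all nine services are up. Any name printed is a part of the simulated building network that your later findings would silently miss.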
Step 3: Read the forwarded email
Open the living client interface. You have a forwarded email chain from Maskan Properties.
Ahmed Khalil, the Director of IT, arranged the engagement. Fatima Al-Sulaiti, the COO, follows up directly. She describes the situation: 12 buildings across Doha and Al Wakra, each with tenant Wi-Fi, building management systems (HVAC, fire suppression, elevators), CCTV, and electronic access control. Their insurance company flagged "insufficient segmentation" and gave them three months to fix it or face a 30% premium increase.
She wants four things: a thorough assessment across all properties, specific findings showing what can reach what, a remediation plan with cost estimates, and a timeline for implementation. Buildings must remain fully operational throughout.
Read what she says carefully. Notice what she does not say. She mentions the buildings and the insurance deadline, but she does not describe how the building systems connect to each other, whether anyone has remote access, or whether some buildings are different from others. Those gaps are where your questions start.
Step 4: Ask Fatima clarifying questions
Before you can assess the network, you need to understand the topology. Ask Fatima questions about:
- How the buildings connect to the internet -- dedicated connections per building, or shared infrastructure?
- Whether the building systems (BMS, CCTV, access control) share the same network as tenant Wi-Fi
- Who has remote access to the building systems -- internal IT team only, or third-party vendors?
- Whether all buildings use the same technology, or if some are older
The answers shape your assessment approach. If all buildings use identical infrastructure, one assessment methodology covers them all. If some are different -- older technology, shared connections, third-party access -- those differences create different risk profiles.
Fatima is professional and direct. She will answer what you ask, but she will not volunteer information you did not request. If you ask about the right things, she will reveal details that change how you approach the work.
Step 5: Read the scope document
Open materials/scope-document.md. This defines the assessment boundaries.
All 12 buildings are in scope. In-scope systems include tenant Wi-Fi, BMS, CCTV, access control, inter-building connectivity, and remote access arrangements. Out-of-scope items include individual tenant devices, cloud services, and mobile applications.
The rules of engagement are critical: buildings must remain fully operational. No service disruption. Testing during off-peak hours preferred. Any configuration changes require documentation and approval. Critical findings must be reported within 48 hours.
The timeline gives you seven weeks for the full assessment, well within the insurance deadline.
Check: Docker containers running (at least 5 services running). Grafana showing log data from the building network containers. At least two clarifying questions sent to Fatima about network topology or remote access arrangements.