The Brief
Andres Ramirez is the General Manager of Cooperativa Nubes del Tachira, a specialty coffee cooperative in the Venezuelan Andes. A hundred smallholder farmers grow high-altitude Arabica that the cooperative processes, roasts, and exports to buyers in the US, Japan, and Europe.
One of those buyers -- a Portland roaster representing 30% of export volume -- just told Andres that all their origin partners need to demonstrate cybersecurity due diligence. A competitor had a breach that exposed buyer pricing across their supply chain. Now everyone is auditing.
Andres does not know what systems he has. He knows there is an export tracking platform, a farmer member portal, fermentation monitoring sensors, and "other things the developer set up." The developer is in Caracas and communication is unreliable. Andres needs someone to map what exists, check whether it is secure, and produce evidence for the Portland buyer.
He sends you a WhatsApp voice note at 6:42 AM.
Your Role
You are conducting a multi-target security assessment for a coffee cooperative whose digital infrastructure was built over three years without security oversight. The buyer compliance deadline is the forcing function. The cooperative has eight staff and a remote developer -- whatever you recommend needs to be actionable with those resources.
This is the first project where nobody tells you how to approach the work. Templates give you structure for the scope document, threat model, and assessment report. But the guides that walked you through each phase are gone. You decide what to scan first, when to move from reconnaissance to exploitation, how deep to pursue each attack path, and how to structure the assessment. The threat model you build from reconnaissance drives everything downstream.
What's New
Last time you designed network segmentation for a 12-building property company, implemented default-deny firewall rules, tested your own architecture with lateral movement, and produced a multi-audience remediation plan with cost estimates.
Multi-target assessment. The cooperative has multiple systems that interact -- web applications, APIs, IoT sensors, payment processing, third-party integrations. The attack surface extends beyond what the client knows about. Cloud assets, forgotten environments, and supply chain connections are all terrain you need to map.
Cross-tool correlation. Nmap, ZAP, and Nuclei each tell you something different about the same target. Matching their findings to build a coherent picture -- and catching false positives where the tools disagree -- is a core discipline at this level.
Supply chain analysis. Semgrep finds vulnerabilities in code and dependencies that dynamic testing misses. But a finding in the source code is not the same as a finding you can exploit at runtime. The distinction matters for both the assessment and the report.
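One way to make the cross-tool correlation and the static-versus-runtime distinction concrete is a small triage script that groups every finding by (host, port, issue) and assigns a status based on which tools agree. The code below is an added example, not part of the original brief or any of the listed tools; the scanner output is constructed sample data in a simplified normalised form, the hosts 10.0.0.10 and 10.0.0.20 are hypothetical, and the mapping of Semgrep's repository findings onto a deployed host and port is an analyst assumption encoded by hand.

```python
"""Correlate per-target findings from dynamic scanners (Nmap, ZAP, Nuclei) and a
static analyser (Semgrep) so that each (host, port, issue) gets one triage status.

All tool output below is constructed sample data in a simplified normalised shape,
not real scanner output; parsers for each tool's own JSON/XML would feed the same
Finding records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str      # which scanner reported it
    host: str      # target host (IP or name)
    port: int      # service port the issue is attributed to
    issue: str     # normalised issue category, so different tools can be matched
    detail: str    # free-text evidence from the tool
    runtime: bool  # True if observed against the running service, False if from source code


# Nmap's view of which ports are actually open (constructed sample data).
OPEN_PORTS = {
    "10.0.0.10": {22, 443},   # hypothetical export-tracker host
    "10.0.0.20": {443},       # hypothetical member-portal host
}

# Constructed sample findings. Semgrep findings carry no host/port of their own; the
# analyst maps each repository to the host and port where that code is deployed
# (an assumption written in by hand here).
FINDINGS = [
    Finding("zap", "10.0.0.10", 443, "outdated-component",
            "Server header discloses an end-of-life framework version", True),
    Finding("nuclei", "10.0.0.10", 443, "outdated-component",
            "version-detection template matched the same banner", True),
    Finding("semgrep", "10.0.0.10", 443, "outdated-component",
            "dependency file pins a framework release with known fixes", False),
    Finding("zap", "10.0.0.10", 443, "missing-security-header",
            "no Content-Security-Policy header on responses", True),
    Finding("nuclei", "10.0.0.20", 8443, "exposed-admin",
            "admin panel template matched", True),
    Finding("semgrep", "10.0.0.20", 443, "sqli",
            "string-formatted SQL query in member search handler", False),
]


def triage(findings, open_ports):
    """Group findings by (host, port, issue) and assign a triage status:

    corroborated  - two or more tools agree and at least one saw it at runtime
    single-source - one runtime tool only; verify manually before reporting
    static-only   - present in code but not observed at runtime; report as a code
                    finding, not as a confirmed exploitable issue
    conflict      - a runtime tool reports a port Nmap did not see open; probable
                    false positive or scan-window discrepancy, re-scan before use
    """
    groups = defaultdict(list)
    for f in findings:
        groups[(f.host, f.port, f.issue)].append(f)

    rows = []
    for (host, port, issue), group in sorted(groups.items()):
        tools = sorted({f.tool for f in group})
        runtime_tools = {f.tool for f in group if f.runtime}
        if runtime_tools and port not in open_ports.get(host, set()):
            status = "conflict"
        elif len(tools) >= 2 and runtime_tools:
            status = "corroborated"
        elif runtime_tools:
            status = "single-source"
        else:
            status = "static-only"
        rows.append({"host": host, "port": port, "issue": issue,
                     "tools": tools, "status": status,
                     "evidence": [f.detail for f in group]})
    return rows


def status_of(rows, host, port, issue):
    """Look up the triage status for one (host, port, issue) key, or None."""
    for r in rows:
        if (r["host"], r["port"], r["issue"]) == (host, port, issue):
            return r["status"]
    return None


if __name__ == "__main__":
    for r in triage(FINDINGS, OPEN_PORTS):
        print(f"{r['host']}:{r['port']:<5} {r['issue']:<24} "
              f"{r['status']:<14} {','.join(r['tools'])}")
```

The status column is what goes into the report: corroborated items are findings, single-source items are leads to verify, static-only items belong in the developer's technical section as code defects rather than as confirmed runtime issues, and conflicts are re-scanned before anyone is told about them. Swapping the constructed FINDINGS list for real parsed output is the only change needed to run it over a lab scan.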
Remediation risk. Fixing a vulnerability might break the system it lives in. Compensating controls, rollback procedures, and the risk of the fix itself are now part of every remediation decision.
The hard part: you are designing the approach, not following one. When the voice note ends and the chat opens, the first question is yours to ask.
Tools
- Nmap -- multi-target scanning and custom NSE scripts. Continuing.
- ZAP -- web application scanning scoped to threat model. Continuing.
- Nuclei -- template-based vulnerability scanning with false positive management. New.
- Semgrep -- static analysis for code-level and supply chain vulnerabilities. New.
- Trivy -- container and dependency vulnerability scanning. New.
- Metasploit -- multi-layer exploitation. Continuing.
- Docker -- lab environment running cooperative infrastructure. Continuing.
- Grafana/Loki/Alloy -- logging and detection across targets. Continuing.
- Sigma -- detection rules for multi-layer attack patterns. Continuing.
- Claude Code -- AI agent directing the assessment.
Materials
- Scope document template -- empty template you fill from client discovery. Rules of engagement are pre-filled; everything else comes from your conversation with Andres.
- Threat model template -- STRIDE structure for you to populate from reconnaissance findings.
- Assessment report template -- three-section structure (executive summary for Andres, compliance evidence for the Portland buyer, technical findings for the developer).
- Docker environment -- cooperative infrastructure including export tracker, member portal, fermentation monitoring, payment processing, shipping integration, and the monitoring stack.