Learn by Directing AI
Unit 1

The Directive and the Infrastructure

Step 1: Set up the project

Open a terminal, navigate to your development directory, and start Claude Code.

cd ~/dev
claude

Paste this setup prompt:

Create the folder ~/dev/cybersecurity/p8. Download the project materials from https://learnbydirectingai.dev/materials/cybersecurity/p8/materials.zip and extract them into that folder. Read CLAUDE.md -- it's the project governance file. Then start the Docker environment with docker compose up -d from the docker directory.

Claude creates the folder, downloads the materials, reads the governance file, and brings up the Docker containers. The environment simulates the Bhutan Tourism Council's three-portal infrastructure -- the Tourism Services Portal, the Guide Management System, and the Internal Operations Platform -- along with the Grafana/Loki/Alloy monitoring stack.

Step 2: Verify the environment

Once the containers are running, confirm all services are up.

docker compose ps

Six services should be running: tourism-portal on port 3000, guide-system on port 5000, operations-platform on port 8080, grafana on port 3001, loki on port 3100, and alloy.

Open each portal in your browser. The Tourism Services Portal on http://localhost:3000 is the tourist-facing site -- booking coordination and information. The Guide Management System on http://localhost:5000 handles guide licensing and credential verification. The Internal Operations Platform on http://localhost:8080 manages staff communications and documents. Each portal has a different look because different vendors built them at different times.

Open Grafana at http://localhost:3001. Navigate to the Explore view, select the Loki data source, and run a broad query. Logs should be flowing from all three portals. The Alloy collector labels each service -- tourism-portal, guide-system, operations-platform -- so you can filter by source.
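
The Step 2 container and port checks can also be scripted, which is handy to rerun later in the engagement. This is an added example, not part of the course materials: the service names and ports are the ones listed above, while the function names and the --live switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: health check for the six lab services named in Step 2.
# Function names and the --live switch are assumptions, not project code.

EXPECTED_SERVICES="tourism-portal guide-system operations-platform grafana loki alloy"
# name:port pairs for the services the page lists with a port (alloy has none)
HTTP_ENDPOINTS="tourism-portal:3000 guide-system:5000 operations-platform:8080 grafana:3001 loki:3100"

# Reads running service names (one per line) on stdin and prints every
# expected service that is absent. Exact, whole-line matches only, so a
# similarly named container does not mask a missing one.
missing_services() {
  ms_running="$(cat)"
  for ms_svc in $EXPECTED_SERVICES; do
    printf '%s\n' "$ms_running" | grep -Fqx -- "$ms_svc" || printf '%s\n' "$ms_svc"
  done
}

# Prints each endpoint that gives no HTTP response on localhost.
# Any status code counts as "up"; only connection failures are reported.
unreachable_endpoints() {
  for ue_pair in $HTTP_ENDPOINTS; do
    ue_name="${ue_pair%%:*}"
    ue_port="${ue_pair##*:}"
    curl -s -o /dev/null --max-time 5 "http://localhost:${ue_port}/" \
      || printf '%s (port %s)\n' "$ue_name" "$ue_port"
  done
}

# Live check: run from the docker directory as "sh check.sh --live".
if [ "${1:-}" = "--live" ]; then
  down="$(docker compose ps --services --status running | missing_services)"
  dead="$(unreachable_endpoints)"
  if [ -z "$down" ] && [ -z "$dead" ]; then
    echo "all six services running, five HTTP endpoints answering"
  else
    [ -z "$down" ] || printf 'not running: %s\n' $down
    [ -z "$dead" ] || printf 'no HTTP response: %s\n' "$dead"
    exit 1
  fi
fi
```

A passing run only shows the containers and ports are up; confirming that logs from all three portals reach Loki still needs the Grafana Explore query described above.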

Step 3: Read Tshering's memorandum

Open the living client interface. Tshering Pem, Director of Digital Services at the Bhutan Tourism Council, has sent a formal memorandum.

The memo references Directive 2026/CS-04 -- a Royal Government cybersecurity directive requiring all agencies with public-facing digital services to implement continuous security monitoring and undergo an independent assessment. The deadline is the end of the current fiscal quarter.

Read the memo carefully. Notice what it provides: the three portal names, the directive requirement, the deadline, the constraint that portals must stay operational. Notice what it omits: how the portals connect to each other, who built them, what security controls exist, what data flows between systems. The technical architecture is not in the memo. That comes from conversation.

Step 4: Run client discovery

Tshering knows her portals exist. She knows they store sensitive data -- tourist passport numbers, guide credentials, internal communications. She does not know the technical details of how they interact.

Start asking questions. Pursue at least three lines:

  • System history. When were the portals built? By whom? Were they built together or separately? Tshering will mention that different vendors built different systems -- a fact that has security implications she has not considered.
  • How systems connect. Do the portals talk to each other? Does the Guide Management System need tourist data? Does the Operations Platform pull information from the other two? If you ask how the portals communicate, she will describe the internal APIs that were added after the initial builds.
  • Access and personnel. Who has accounts? Has anyone left the organization recently? Are there shared credentials? Staff turnover and access management questions reveal gaps Tshering has not connected to security risk.

Each thread can uncover something the memo did not mention. AI can help structure follow-up questions, but AI commonly misses the security implications of conversational details. When Tshering says "a different vendor built that one," AI may not flag that different vendors mean different codebases, different authentication models, and potentially inconsistent security standards. Read her responses and decide which threads to pursue.

Step 5: Start the scope document

Open materials/scope-document-template.md. The Rules of Engagement and Regulatory Context sections are pre-filled. Everything else is empty.

Based on what your discovery conversation revealed, begin filling in the scope. List the in-scope targets -- at least four: the three portals and the API interconnections between them. For each target, note what you know and what still needs technical verification.

The scope document captures the engagement boundaries derived from the client conversation. It will grow as you discover more through technical reconnaissance. For now, it reflects what Tshering told you and what your questions uncovered.

✓ Check

Check: All three portals respond on their respective ports. Grafana shows logs flowing from all services. Scope document lists at least four assessment targets (three portals + the API interconnections).