Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Security work is fundamentally adversarial: every attacker has read the same docs as you, and they are looking for the cases the docs didn't cover. The defender's mindset is the discipline of imagining what an adversary would do with your system before they do it, then writing code (and policies) so that the adversary's best move is still a loss.
Same login form, two readings: a developer sees 'username and password'; a defender sees 'two input fields whose contents I can't trust, an auth function with timing characteristics, and an error surface that may leak account existence'.
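The two readings of that login form, written out as an added example (this is not the lesson's own code): a constructed in-memory SQLite table with one account, a login function written the developer's way, and the same function written the defender's way. The helper names (build_db, login_developer_view, login_defender_view, attacker_union_payload) and the hashing parameters are assumptions for the demo. It also takes the ' OR 1=1 -- idea one step further: with hashed passwords that payload only changes which row comes back, but a UNION that supplies an attacker-chosen salt and hash passes the password check in the developer's version, precisely because the attacker has read the same hashing code.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo parameters. PBKDF2 with a low iteration count keeps the
# example fast; a real deployment uses a far higher count or Argon2.
ITERATIONS = 10_000

# Fixed salt/hash used only so that unknown-account requests do the same
# amount of password work as real ones (see login_defender_view).
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", DUMMY_SALT, ITERATIONS)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one account in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice@example.com", salt, _hash("correct horse", salt)))
    conn.commit()
    return conn


def login_developer_view(conn, email, password):
    """The developer's reading: 'username and password'. Three defects are kept
    deliberately: SQL built from the email string, a distinct error for unknown
    accounts, and no password work at all when the account is missing."""
    row = conn.execute(
        f"SELECT salt, pw_hash FROM users WHERE email = '{email}'"   # injectable
    ).fetchone()
    if row is None:
        return False, "no such account"          # error surface leaks existence
    salt, pw_hash = row
    if _hash(password, salt) == pw_hash:         # plain == is not constant-time
        return True, "ok"
    return False, "wrong password"


def attacker_union_payload(known_password: str) -> str:
    """Hypothetical attacker input for the email field. ' OR 1=1 -- only changes
    which row comes back; a UNION that supplies the attacker's own salt/hash pair
    passes the password check too, because the attacker has read the same
    hashing code and can precompute a hash for a password they know."""
    salt = bytes(16)
    pw_hash = _hash(known_password, salt)
    return f"' UNION SELECT X'{salt.hex()}', X'{pw_hash.hex()}' --"


def login_defender_view(conn, email, password):
    """The defender's reading: two untrusted inputs (parameterised query), an auth
    function with timing characteristics (same work on every path, constant-time
    compare), and an error surface that must not say whether the account exists."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        salt, stored = DUMMY_SALT, DUMMY_HASH    # do the password work anyway
    else:
        salt, stored = row
    matched = hmac.compare_digest(_hash(password, salt), stored)
    ok = matched and row is not None             # a dummy-hash match never logs in
    return ok, ("ok" if ok else "invalid credentials")


if __name__ == "__main__":
    db = build_db()
    payload = attacker_union_payload("letmein")
    print("developer view, injected:", login_developer_view(db, payload, "letmein"))
    print("defender view, injected: ", login_defender_view(db, payload, "letmein"))
    print("defender view, unknown:  ", login_defender_view(db, "nobody@example.com", "x"))
    print("defender view, wrong pw: ", login_defender_view(db, "alice@example.com", "x"))
```

Run it and compare the four lines: the developer's version logs the attacker in with a password the database has never seen, while the defender's version returns the same 'invalid credentials' for an unknown account, a wrong password and the injected email, and does the same PBKDF2 work in each case so the three are not distinguishable by timing either.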
Be specific about the attack (for example, ' OR 1=1 -- in the email field), not vague ('inject SQL').

Use these three prompts in order. Each builds on the one before.
In one paragraph, explain why the defender's mindset is its own skill, distinct from being a good developer.
Walk me through threat-modelling a login form: what does an adversary try, in what order, and what fails?
Pick a security control you implemented. Describe two attacks it doesn't stop and explain whether you should care.