Web, system, device — defend and authorized-test like a senior.
Threat modeling, attack mechanics for defenders, and authorized testing across web, systems, devices, and infrastructure. Every module bridges the attacker's and defender's view: the same mechanism that lets you write a hardened cookie also lets you spot a forgery. Anchored in OWASP, MITRE ATT&CK, CIS Benchmarks, and NIST — with hands-on labs in DVWA, Juice Shop, HackTheBox, and TryHackMe.
Threat modeling, AuthN/AuthZ, injection, XSS, CSRF/SSRF, TLS/headers, crypto pitfalls, modern web threats, detection + IR. Defender-first, anchored in OWASP, MITRE ATT&CK, and real CVEs.
Linux + Windows + cloud hardening, network defence, memory corruption, kernel sandboxing, K8s security, SIEM + detection engineering. From host config to SOC ops.
Mobile (iOS + Android), hardware roots of trust, IoT (BLE/WiFi/Matter), firmware analysis, anti-tampering, DRM, fleet OTA. From threat model to production OTA.
Authorized penetration testing: methodology, recon, scanning, web + network + AD + cloud pentesting, phishing, reporting, continuous pentest programs.
Smart contract security from threat model to audit report. Every task: REPRODUCE the bug → PATCH the contract → VERIFY with a Foundry invariant.
Security as a product feature for fintechs. Threat modeling, KYC/AML, payments, customer data, banking operations, vendors, security engineering, compliance, audits — with explicit **Recommendation** + **Try to hack** sections in every task.
Build a pentest machine from Pi/Arduino/ESP32, master Flipper/Proxmark/HackRF/JTAG, learn 0-day research + responsible disclosure, and graduate to CTF mastery — culminating in red-team field operations.