You're conducting a multi-target security assessment for a coffee cooperative in the Venezuelan Andes — mapping an attack surface that includes an export tracker, a farmer portal, fermentation sensors, payment processing, and infrastructure nobody fully documented.
The discipline skills: attack surface mapping across systems the client doesn't fully know about, cross-tool correlation between Nmap, ZAP, and Nuclei findings, supply chain analysis with Semgrep and Trivy, custom Nmap NSE scripts, and remediation planning that accounts for rollback risk and compensating controls.
The AI-direction lesson: the guides are gone. Nobody tells you what to scan first, when to move from reconnaissance to exploitation, or how deep to pursue each attack path. When you ask AI to "assess this system," it will produce a complete-looking plan — but completeness is not correctness. The skill is designing the approach yourself, using meta-prompting to ask AI for verification strategies you haven't thought of, rather than accepting AI's default engagement structure. This is the difference between directing AI through a provided workflow and directing AI through a workflow you design.
Your Role
You are conducting a multi-target assessment for a cooperative with eight staff and a remote developer. Whatever you recommend needs to be actionable with those resources.
Templates give you structure for the scope document, threat model, and assessment report. The guides that walked you through each phase are gone. You decide the assessment approach. The threat model you build from reconnaissance drives everything downstream.
What's New
Last time you designed network segmentation for a 12-building property company, implemented default-deny firewall rules, tested your own architecture with lateral movement, and produced a multi-audience remediation plan with cost estimates.
Multi-target assessment. The cooperative has multiple systems that interact — web applications, APIs, IoT sensors, payment processing, third-party integrations. The attack surface extends beyond what the client knows about. Cloud assets, forgotten environments, and supply chain connections are all terrain you need to map.
Cross-tool correlation. Nmap, ZAP, and Nuclei each tell you something different about the same target. Matching their findings to build a coherent picture — and catching false positives where the tools disagree — is a core discipline at this level.
Supply chain analysis. Semgrep finds vulnerabilities in code and dependencies that dynamic testing misses. But a finding in the source code is not the same as a finding you can exploit at runtime. The distinction matters for both the assessment and the report.
Remediation risk. Fixing a vulnerability might break the system it lives in. Compensating controls, rollback procedures, and the risk of the fix itself are now part of every remediation decision.
The hard part: you are designing the approach, not following one. When the voice note ends and the chat opens, the first question is yours to ask.
Tools
- Nmap — multi-target scanning and custom NSE scripts. Continuing.
- ZAP — web application scanning scoped to threat model. Continuing.
- Nuclei — template-based vulnerability scanning with false positive management. New.
- Semgrep — static analysis for code-level and supply chain vulnerabilities. New.
- Trivy — container and dependency vulnerability scanning. New.
- Metasploit — multi-layer exploitation. Continuing.
- Docker — lab environment running cooperative infrastructure. Continuing.
- Grafana/Loki/Alloy — logging and detection across targets. Continuing.
- Sigma — detection rules for multi-layer attack patterns. Continuing.
- Claude Code — AI agent directing the assessment.
Materials
- Scope document template — empty template you fill from client discovery. Rules of engagement are pre-filled; everything else comes from your conversation with Andres.
- Threat model template — STRIDE structure for you to populate from reconnaissance findings.
- Assessment report template — three-section structure (executive summary for Andres, compliance evidence for the Portland buyer, technical findings for the developer).
- Docker environment — cooperative infrastructure including export tracker, member portal, fermentation monitoring, payment processing, shipping integration, and the monitoring stack.