You're delivering a full security assessment for Coastal Transit Authority in Vancouver — a regional public transit authority under a BC Office of the Privacy Commissioner audit request. The perimeter covers a public rider app (trip planning, Compass Card top-ups, concessional-fare enrolment with income-verification uploads), an internal dispatch and ops console across three operations centres, a fleet and station IoT estate (GPS telematics, fareboxes, CCTV, digital signage), and a legacy scheduling mainframe that was supposed to be decommissioned in 2022 and is still running.
The discipline skills: intelligence-grade passive reconnaissance (historical WHOIS, Wayback Machine, breach exposure checks), complex environment active reconnaissance across multiple subnets, strategic remediation planning as a document that specifies who fixes what, when, with what rollback plan, and compliance mapping to CIS Benchmarks, NIST CSF, and BC privacy-commissioner alignment that carries institutional weight.
The AI-direction lesson: AI ranks findings by technical severity. A Critical vulnerability on a forgotten mainframe and a High vulnerability on the system handling concessional-rider income-verification documents get scored and listed in that order. But business risk and technical severity are different things. The remediation plan is where your judgment overrides AI's default prioritisation — reordering by what actually matters to the people who depend on these systems, deciding what gets deferred with compensating controls, and writing handoff documentation specific enough for someone who was not in the assessment to implement the fixes.
Your Role
You are delivering a full assessment: passive reconnaissance through a risk-prioritised remediation plan. The Privacy Commissioner's submission needs a report their team can reformat for audit review. Priya Ramachandran — IT Security Manager with a capable but small team — needs a remediation plan she can execute in four months inside transit's 24/7 operational windows.
The assessment ends with a strategic document — not a findings list.
What's New
Last time you built evasion-aware detection rules for a financial cooperative in Eswatini, wrote correlation rules across multiple log sources, and built your first custom skill, hooks, and delegated agent.
Intelligence-grade reconnaissance. Historical WHOIS, Wayback Machine captures, breach exposure checks. Past data is intelligence about the past — a hypothesis, not a confirmed finding. And leaked credential databases present a genuine ethical line you will need to hold.
Strategic remediation planning. AI generates severity-ordered lists. You will reorganise by business risk. A Critical finding on the forgotten scheduling mainframe matters less than a High finding on the system handling income-verification documents for concessional riders — tax slips, pension statements, disability-support correspondence — whose service depends on the fare system actually working. The plan must be specific enough for someone who was not in the assessment to implement the fixes, and realistic for maintenance windows that live between the last bus and the first.
Compliance mapping as communication. Mapping findings to CIS Benchmarks and NIST CSF gives recommendations institutional weight. But mapping indiscriminately — citing HIPAA for a public transit authority — undermines credibility with the Privacy Commissioner's reviewers.
The hard part: the remediation plan is the deliverable that determines whether your assessment produces action or sits in a filing cabinet. Business risk, not technical severity, determines the priority order.
Tools
- Wayback Machine / web.archive.org — historical web intelligence. New for this context.
- Have I Been Pwned — breach exposure checking. New.
- Nmap, ZAP, sqlmap, Nuclei, Metasploit — reconnaissance and exploitation. Continuing.
- Sigma, Grafana, Loki, Alloy, Wazuh, Suricata — detection and monitoring. Continuing.
- Docker — lab environment simulating the full infrastructure. Continuing.
- Claude Code — skills, hooks, delegated agents, MCP connections. Continuing.
Materials
- Docker environment — rider app, ops console, fleet telemetry with a device simulator, scheduling mainframe (the one that should have been decommissioned), plus the Grafana/Loki/Alloy/Wazuh/Suricata monitoring stack. Four isolated network segments.
- Reconnaissance targets — scope boundaries, target list, ethical OSINT boundaries (concessional-enrolment document attachments flagged as highest-sensitivity data class).
- Network topology reference — subnet layout, service map, expected dependencies.
- CLAUDE.md — project governance with engagement memory, assessment phases, detection naming convention.