learntodriveai.dev/Cybersecurity/Exploitation Campaign Management and Sufficient-Finding Judgment
Cybersecurity·Project 15·7 units

Exploitation Campaign Management and Sufficient-Finding Judgment

**Track:** Cybersecurity

§ Brief

You're running the first SOCI-required penetration test for Pilbara Energy Services, a Western Australian petroleum-services contractor whose CISO Cassie Armitage needs a campaign report for Woodside's critical-infrastructure security review panel.

The discipline skills: managing a multi-target engagement across three offices and a brittle field network; abandoning paths that won't yield; stopping at proof of concept; diagnosing tool failures rather than retrying through them; updating the threat model when exploitation reveals what reconnaissance missed; producing three audience-specific artifacts; and naming which decisions are not for AI to make.

The AI-direction lesson: AI executes individual exploitation steps competently but will not manage the campaign. It pursues every path to maximum depth because it has no model of "sufficient," retries failed commands rather than diagnosing them, and stacks an executive paragraph on technical documentation rather than restructuring for a different audience. The mature register here is partly knowing when to set AI aside — the abandonment calls, the stop conditions, the SOCI-panel voice, and the Woodside-tunnel conversation with Cassie are yours.

Your Role

You're the lead practitioner. You design the methodology, the abandonment policy, the stop conditions, the three-audience report split, the tool-failure discipline, the remediation programme map, and the AI-boundary statement next year's assessor inherits.

Scaffolding is thin. No campaign-management template, no abandonment heuristic, no stop-condition checklist, no multi-audience report skeleton, no AI-boundary table. The brief is a meeting transcript with two voices on the record: Cassie's strategic framing and IT director Daniel Whitford's operational detail. The first move is recognising which questions go to which person.

The AI relationship is phase-scoped and multi-agent — a headquarters reconnaissance agent, a client-portal exploitation agent, a field-network reconnaissance agent, and a multi-audience writer agent — each connected only to the tools its phase needs. The shared target-ID and finding-ID conventions are yours, so their outputs compose rather than contradict.

What's New

Last time you designed a detection strategy for a medical university in Grenada — a written commitment to detection rates with a SIEM architecture you chose.

The campaign as a unit of work. Earlier projects produced full assessments. P15 is the campaign — multiple targets, multiple paths, decisions across days about where to push and where to stop. The engagement state lives in your head and in the engagement memory.

Sufficient finding and path abandonment. Earlier projects exploited until exploitation succeeded. Mid-campaign here, "you proved you can read the database; why are you still going?" lands, and the right answer is "I shouldn't be." The Karratha field network is intermittently reachable; the Woodside tunnels are off-limits beyond proof of concept. Some paths you start and stop on the record.

Three audiences, structurally. The technical team needs reproduction guidance and ATT&CK IDs. Management needs business-impact ranking with cost estimates. The SOCI panel needs ATT&CK-mapped findings with control-gap assessments in Woodside's risk language. Three artifacts, not one document with three covers.

Tool failure as information. When sqlmap crashes against the binary-patched client portal, the failure is telling you something. The response is diagnosis, not a retry.

The hard part: mid-campaign, you have proven you can read the customer database. AI will not stop. Marcus Webb appears once with the calibrating question; your job is to recognise the answer and write down which decisions are not AI's to make.

Tools

  • Claude Code, Codex CLI — driving the phase-scoped agents and the explicit "not for AI" decisions.
  • Nmap, Burp Suite, ZAP, Metasploit, sqlmap — reconnaissance and exploitation. sqlmap against the binary-patched client portal is a likely source of tool-failure diagnostic work.
  • Hashcat, John the Ripper, Responder, Impacket — password and network-exploitation primitives.
  • Wazuh, Loki, Grafana, Suricata, osquery — defender stack. Used for the "did detection fire?" finding per TTP.
  • ATT&CK Navigator — coverage mapping and TTP selection for the SOCI-panel artifact.
  • Engagement-memory infrastructure — scope, abandonment policy, stop conditions, AI-boundary statement, per-phase MCP manifest.
  • Python, Markdown, YAML, Mermaid, GitHub — campaign report, audience artifacts, ATT&CK heatmaps, attack-path diagrams; engagement repo with findings as issues.

Materials

  • First-contact meeting transcript — Cassie and Daniel's kickoff with the "stop and call me" non-negotiable on operational impact.
  • Rules-of-engagement email — Cassie's confirmation of scope and the SOCI-panel reporting requirement.
  • Network and architecture brief — headquarters, client portal, Karratha VPN, and the bi-directional Woodside tunnels.
  • Regulatory-context brief — the SOCI Act, Woodside's supply-chain panel expectations, and the APPEA Cyber Security Framework.
  • Petroleum-services Docker lab — corporate network, client portal deployed without source (binary patches only), Karratha segment with simulated intermittent connectivity, Woodside-tunnel segment out-of-scope-beyond-proof-of-concept, and the existing defender stack.
  • Agent-spec template and CLAUDE.md — familiar; CLAUDE.md carries the "stop at proof of concept" policy.

The methodology, abandonment policy, stop conditions, three audience artifacts, remediation programme map, AI-boundary statement, and handoff packet are yours.