You're running a cybersecurity engagement for a national port authority subject to IMO ISPS Code requirements — and the methodology document itself is the project's central deliverable, written before any reconnaissance begins.
The discipline skills: authoring an engagement methodology end-to-end against a 10-section template — scope, threat model, tool strategy, AI architecture, verification plan, SIEM architecture, detection coverage, remediation programme, reporting frame, methodology-update commitment; running the engagement against that methodology; designing a maritime-critical-infrastructure threat model across three converging adversary classes (organised crime, nation-state, ransomware) using ATT&CK Enterprise and ICS together; bounding a SIEM architecture at a cross-entity data boundary; designing a remediation programme for repeatable annual cadence; and updating the methodology at engagement close so the next annual assessor inherits the post-execution version.
The AI-direction lesson: at this altitude, the four AI columns are not background practice — they are named design choices in the methodology deliverable. Context strategy per agent per phase, with explicit archive points. Connectivity per phase, with "when NOT to connect" written down — Loki only during SIEM design and detection replay; Wazuh only during detection authoring; no write access to the shared-database fixture at any phase. Portability infrastructure across a three-layer durability model so the next annual assessor is productive on day one regardless of their AI tool. Decomposition designed to be robust to agent failure, with fallbacks and verification at composition boundaries named upfront. AI fills the methodology-shaped gap with a generic security-assessment template if you don't author the methodology first; the value of this project is the design reasoning AI cannot produce.
Your Role
You're the assessor. The methodology, the verification plan annex, the per-phase context and connectivity strategies, the portability infrastructure, the decomposition-with-failure-robustness design, the IMO ISPS Code crosswalk, the threat model, the cross-entity scope-decision framing, the methodology-update at engagement close — yours.
Scaffolding is thin. The first contact is a formal memorandum with a reference number. There is no engagement-methodology template for critical-infrastructure ports, no IMO-ISPS-Code-to-frameworks crosswalk pre-filled, no shared-database boundary primer, no port-authority formal-memo voice guide. The methodology is written end-to-end in Unit 1 before reconnaissance begins; the Port Security Committee reviews it before execution. Communication runs in formal-memo register throughout — reference numbers, section numbering, two-business-day response cadence — categorically slower than anything earlier in the track.
What's New
Last time, the engagement approach was the implicit framing behind a hybrid campaign with three threat-model versions; the methodology was load-bearing but not itself a named deliverable.
The methodology is now the central deliverable. Written end-to-end before reconnaissance, revised post-discovery, and updated at engagement close. v2 supersedes v1 with the diff auditable. The Port Security Committee reviews it; the next annual assessor executes against it.
Critical national infrastructure. A 48-hour cargo-tracking outage at this port affects every import and export in the country. Findings framed as office-IT problems will be corrected. The IMO ISPS Code wants a documented, repeatable methodology for annual execution — not just a one-time report.
A cross-entity data boundary. The container terminal is operated by a private concessionaire under a PPP agreement. Their systems share a database with the port authority. The boundary is blurred at the data layer, and the scoping decisions about it are not delegable.
Formal memorandum throughout. PA/SEC/2026-047 thread. Section-numbered. Reference-numbered. Two-business-day response cadence. "I will submit your proposal to the committee." If your reply drifts conversational, the client reads it as unserious.
A senior colleague returns for one beat. Marcus Webb (last seen at P15) reviews the methodology around the shared-database boundary before execution and asks the question that surfaces the blurred-boundary judgment.
The hard part: AI fills the methodology-shaped gap with a generic template if you don't author it first. The cross-entity scope-creep moment mid-engagement requires diplomatic handling — neither silent inclusion nor refusal. The methodology-v2 diff at engagement close captures what the engagement actually taught you against what the design assumed; it does not delegate.
Tools
- Claude Code, Codex CLI — driving the seven engagement-scoped agents and the explicit "do not delegate" boundaries for the cross-entity scoping, the IMO ISPS Code regulatory voice, the formal-memo correspondence rhythm, and the methodology-v2 diff framing.
- Toamasina port authority lab (Docker fixture set) — vessel scheduling (legacy unmaintained), customs clearance (IP-whitelisting-only access control), container cargo tracking, the shared-database fixture (read-write asymmetry enforced at the database layer), port security CCTV + access control, administrative systems, and out-of-scope simulators for the national customs and shipping-line interfaces.
- IMO ISPS Code cybersecurity guidelines — new at this depth. The annual-cadence intent and the documented-methodology requirement are operative.
- NIST CSF v2.0 — familiar from P16-P18. Crosswalked into the IMO ISPS Code mapping for the executive narrative.
- ATT&CK Enterprise + ATT&CK ICS — used together. Enterprise for administrative systems and customs clearance; ICS for the port operational technology surfaces.
- Wazuh + Loki + Grafana + Suricata + osquery — defender stack carried forward. P19 designs the SIEM architecture for the port-authority surface and bounds it at the shared-database boundary.
- Engagement-memory infrastructure — carries the engagement-methodology, verification-plan, correspondence, campaign-plan, SIEM, remediation, and exception templates plus the seven agent specs. CLAUDE.md, AGENTS.md, and SKILL.md carry forward with the three-layer durability split.
- Python, Markdown, YAML, Mermaid, GitHub — methodology document, IMO ISPS Code report, remediation programme, Sigma rules, port-authority topology diagrams, formal-memo correspondence record. Methodology versions tagged in the repository so the v1 -> v2 diff is auditable.
Materials
- Formal memorandum (
first-contact.md) — PA/SEC/2026-047 from Hery Ramaroson. Five numbered sections. Read it for register as carefully as for content. - Regulatory-context brief (
regulatory-context.md) — IMO ISPS Code + NIST CSF v2.0 + ATT&CK Enterprise + ICS working brief. - Toamasina port authority lab (
toamasina-port-lab/) — Docker fixtures for the five port-authority systems, the shared-database fixture with the read-write boundary annotated, the IP-whitelisting customs-clearance API, the legacy unmaintained vessel-scheduling system, the out-of-scope national-customs and shipping-line simulators, and the post-remediation snapshots. - Engagement-memory templates (
engagement-memory/) — methodology, verification-plan, correspondence, campaign-plan, SIEM architecture, remediation programme, and exception templates, plus the seven agent specs underengagement-memory/agents/. The MICTSL COO out-of-band scope-creep message is staged for Unit 4. - Detection-rule templates (
detection-rules/sigma-templates/) — organised-crime, nation-state, ransomware, cross-system correlation, and shared-database boundary templates. - Report template (
reports/imo-isps-code-report-template.md) — Port Security Committee structure. AGENTS.md,CLAUDE.md,SKILL.md— carried forward and refined for the methodology-as-deliverable register at engagement close.
Everything else — the methodology itself, the verification plan, the per-phase context and connectivity strategies, the threat model, the SIEM architecture, the campaign plan, the findings, the detection rules, the remediation programme, the exception documents, the cross-entity scope-decision record, the IMO ISPS Code report, the methodology v2 — is yours.