You're running the first comprehensive security engagement in the history of Société Nationale d'Énergie du Burkina, the national electric utility in Ouagadougou, across its corporate IT, its OT/SCADA grid-control environment, its billing platform, and its cross-border interconnection.
The discipline skills: authoring an engagement scope, methodology, and threat model from nothing and defending them to a client who challenges every boundary; running reconnaissance and an exploitation campaign across IT and an OT environment where an aggressive scan can disrupt a country's power supply; designing a detection strategy and a verification architecture that span every domain; building a prioritised, budget-aware, sustainable remediation and hardening programme with a real trust model; and delivering not a findings list but a programme framework an organization will build a security team around.
The AI-direction lesson: this is the convergence point. AI executes every step — reconnaissance, exploitation, rule drafting, report sections — but it holds none of the engagement. Across IT, OT, billing, and the interconnection it loses which domain it assessed, which finding belongs where, which path it abandoned. It does not know that OT is not IT, so it proposes scanning a grid-control system the way it would scan a web server. It optimizes detection for coverage instead of this utility's actual threat. It flattens a programme into a ranked list. You are the only continuity mechanism. Every artifact the platform used to hand you, you now author yourself. That is what the track was for.
Your Role
You're the engagement partner and the programme architect. You decide what a security assessment of a national electric utility even is, in what order, and why. You hold the whole engagement coherent in one head while AI executes each piece and tracks none of them.
Last time the problem was defined and the entities were named. This time the problem itself is withheld. The scaffolding is the thinnest the track has ever set: a client supplies a paragraph and refuses to write a scope, and everything after that — methodology, threat model, AI engagement architecture, detection strategy, verification coverage, remediation programme — is yours to design and defend. AI is an executor that cannot hold the engagement. No colleague review is staged at any point — a senior colleague is reachable on-demand but won't volunteer. The judgment in the room is yours alone.
What's New
Last time you ran a forward engagement across a network of interconnected organizations — a development bank, its mobile-banking vendor, donor portals, intermittently-connected branches — synthesizing findings across trust boundaries no single AI session could hold.
This time the engagement is one organization, but the broadest terrain the track has set: a national grid. The brief is one paragraph and it ends by refusing to give you a scope — it asks you for yours. The client is a peer who builds her own security programme; she answers questions but will not explain power-grid operations, and she challenges every scope decision to test your reasoning, not to expand the work.
The hard part: OT is not IT. A scan that is routine against a web server can disrupt the control system that keeps a country's lights on, and AI will not impose that caution on itself. The dangerous ground is the IT/OT boundary and the cross-border link. There is no template, no answer key, no staged colleague review, and no second chance to be the structure. This is working alone, for real.
Tools
- Claude Code — familiar. You author the engagement-memory
CLAUDE.mdand design the offensive, defensive, and reporting AI contexts upfront, because no single session can carry an engagement this large. - The purple-team toolkit — familiar reconnaissance, exploitation, and replay tooling, run across multiple domains and with explicit OT caution where the terrain is OT.
- A SIEM/log stack — the Wazuh, Loki, and Grafana family, sized to a national utility's real multi-site infrastructure.
- Sigma — familiar. Detection-as-code, aligned to this engagement's threat model rather than to coverage completeness.
- git/GitHub — for the scope, the methodology, the campaign records, and the programme framework.
No new tool installation is introduced; any domain-specific service arrives as a material.
Materials
- The brief — one paragraph, delivered in chat. It states the situation and explicitly refuses to give a scope. Not a methodology, not a priority order.
- The national-utility environment (
national-utility-environment/) — the lab standing the corporate IT segment, an OT/SCADA grid-control simulation, a billing platform with three mobile-money integrations, and a West African Power Pool interconnection data-exchange endpoint. Not a single target. - SNEB context (
sneb-context.md) — the operational reference: West African CFA Franc, ~2,000 employees, 600,000+ customer accounts, thermal/hydro/solar generation, and the real budget and grid-continuity constraints. - Project governance (
CLAUDE.md) — project context and verification targets.
There is no scope, methodology, threat model, entity list, detection strategy, remediation programme, report structure, AI engagement architecture, answer key, or staged colleague review. All of it is yours to produce.