sec-school — A 21-Week, Hands-On, AI-Augmented Security Curriculum
(~5 months at 15–20 hrs/week. Grew 12 → 16 → 21 weeks: added vuln knowledge + investigation, Containers & Kubernetes (Wk5), Zero Trust (Wk6), and a 5-week Enterprise Defender Breadth phase — Active Directory, endpoint hardening, DFIR, malware analysis, crypto/PKI/secrets/email (Weeks 9–13) — to balance out the SoC-heavy detection track.)
A "CISSP down in the dirt." No multiple-choice theater. Every week ends with something real committed to git: infrastructure, detections, tooling, or code.
North Star
Who I'm becoming: a broad, hands-on, AI-augmented enterprise defender — "GCED on crack" — who can build, attack, detect, and respond across the whole defensive stack, with automation and AI as the force multiplier.
My 25 years of firewall + network automation depth stays the spine. I bolt on breadth:
- Cloud & infrastructure — VPCs, cloud firewalls, IAM attack paths, CSPM, Kubernetes, Zero Trust.
- Enterprise defender breadth — Active Directory, endpoint hardening, DFIR/forensics, malware analysis, crypto/PKI/secrets/email — the GCED-style domains, in the dirt.
- Detection engineering / SoC tooling — telemetry, SIEM, detection-as-code, hunting, cloud D&R, SOAR.
- AI woven through everything — local models (18 GB M-series Mac), MCP, RAG, and a lot of me writing code and infrastructure, not just prompting.
Not a full-time red teamer. Not a slides-and-policy generalist. A buildable, broad defender.
Rules of Engagement
- Everything lands in git. If it isn't committed, it didn't happen. Each week produces a project directory (see projects/).
- AI accelerates, it doesn't replace understanding. Use AI to go faster on the 80% you already grok, and to tutor you through the 20% you don't — then prove you learned it by building without it.
- Lab everything against real-ish data. Simulate attacks (Atomic Red Team, stratus-red-team), generate traffic, break your own stuff.
- Write it up. Each project gets a README explaining the threat, the build, and what you'd do differently. This is your portfolio and your interview material.
- Time box: ~15–20 hrs/week. If a week runs long, push the stretch goal, never the core project.
The Hybrid AI Pattern (and why your 18 GB is fine)
You will deliberately build the production-correct pattern:
- Small local model (7–8B, quantized) via Ollama for cheap, private, high-volume work: log-line classification, IOC extraction, routing/triage, "is this interesting?"
- Hosted frontier model (Claude) for the hard reasoning: incident narratives, detection authoring, code generation, multi-step agentic tasks.
- MCP as the universal connector between your models and your security tools.
- RAG to ground answers in your corpus (runbooks, detections, cloud docs, configs).
The 18 GB ceiling forces you to learn when local is good enough vs. when to spend a token on a frontier model — which is exactly the judgment the job requires. The full hybrid "what runs where" table + 18 GB model picks are inlined in Week 1.
Automation & Infrastructure Threads (run through every week)
Three skills are standing threads, not one-off topics — reinforced week over week:
- Infrastructure as Code (Terraform): if it's infra, it's Terraform. The cloud network, the cluster, the SIEM, the response Lambdas — defined as code, peer-reviewable, reproducible from zero.
- Containers & orchestration (Docker / Kubernetes): if it's a service, it's containerized and, where it matters, runs on a secured K8s cluster (Week 5). Image hygiene + scanning are non-negotiable.
- Automation (Python first, PowerShell where native): Python is the spine (tooling, pipelines, SOAR, MCP servers). PowerShell is woven in where it's the right tool — Active Directory & host hardening (Weeks 9–10), Windows/PowerShell detection (Week 15), and Azure + Windows response (Week 19).
The AI twist — and the actual skill. You won't hand-write most of this; AI will. So the competency
isn't typing YAML/HCL/Python — it's directing the AI to generate it and rigorously reviewing what it
produced. Generated IaC, K8s manifests, and automation are exactly where misconfigurations hide
(over-broad RBAC, 0.0.0.0/0, privileged containers, wildcard IAM). The pattern, every week:
AI authors → you review → scanners gate (Week 4 / Week 5) → you own it.
"I don't write the YAML, I own the YAML" is the senior posture this whole curriculum builds.
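The "scanners gate" step for the four misconfiguration classes named above, as an added example (not part of the curriculum's own code). It assumes the `resource_changes` shape of `terraform show -json` plan output and Kubernetes manifests already parsed into dicts; the function name `review_findings` and both sample inputs are constructed for illustration.

```python
import json

def review_findings(plan, manifests):
    """Return sorted (resource, issue) pairs for the four misconfiguration classes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}
        if rc["type"] == "aws_security_group":
            for rule in after.get("ingress") or []:
                if "0.0.0.0/0" in (rule.get("cidr_blocks") or []):
                    findings.append((rc["address"], "ingress open to 0.0.0.0/0"))
        elif rc["type"] == "aws_iam_policy":
            # The policy attribute is a JSON string; Statement/Action may be scalar or list.
            stmts = json.loads(after.get("policy") or "{}").get("Statement", [])
            for s in [stmts] if isinstance(stmts, dict) else stmts:
                actions = s.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                if s.get("Effect") == "Allow" and "*" in actions:
                    findings.append((rc["address"], "wildcard IAM action"))
    for m in manifests:
        name = f'{m["kind"]}/{m["metadata"]["name"]}'
        if m["kind"] == "Pod":
            for c in m["spec"].get("containers", []):
                if (c.get("securityContext") or {}).get("privileged") is True:
                    findings.append((name, f'privileged container {c["name"]}'))
        elif m["kind"] in ("Role", "ClusterRole"):
            for r in m.get("rules") or []:
                if "*" in r.get("verbs", []) and "*" in r.get("resources", []):
                    findings.append((name, "over-broad RBAC (verbs and resources are *)"))
    return sorted(findings)

# Constructed sample input: what an AI-generated change set might contain.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"after": {
        "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy", "change": {"after": {
        "policy": json.dumps({"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_security_group.db", "type": "aws_security_group", "change": {"after": {
        "ingress": [{"from_port": 5432, "to_port": 5432, "cidr_blocks": ["10.0.2.0/24"]}]}}},
]}
SAMPLE_MANIFESTS = [
    {"kind": "Pod", "metadata": {"name": "debug"},
     "spec": {"containers": [{"name": "shell", "securityContext": {"privileged": True}}]}},
    {"kind": "ClusterRole", "metadata": {"name": "ops"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    for resource, issue in review_findings(SAMPLE_PLAN, SAMPLE_MANIFESTS):
        print(f"FAIL {resource}: {issue}")
```

A non-empty result is the signal to fail the pipeline; the scoped security group and the read-only Role in the sample pass untouched.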
Repo Map
sec-school/
├── README.md # you are here
├── TRACKER.md # weekly progress checklist
├── weeks/ # week-01 … week-21 — the whole curriculum (Learn links, Do steps,
│ # and Projects with success criteria all inline, per week)
└── projects/ # one subdir per weekly build (your portfolio)
Everything you need for a given week — what to watch/read, what to do, and what "done" means — lives in that week's file. There are no separate resource pages to chase.
The Arc (21 weeks, 4 phases)
| Phase | Weeks | Theme | Capstone artifact |
|---|---|---|---|
| 1 — Cloud, Container & AI Foundations | 1–6 | Lab, local AI stack, cloud networking, IAM, IaC security, Kubernetes, Zero Trust | A CI pipeline that scans your Terraform and AI-triages findings |
| 2 — Enterprise Defender Breadth | 7–13 | Vuln mechanics & mgmt, Active Directory, endpoint hardening, DFIR, malware analysis, crypto/PKI/secrets/email | An AD attack path found, exploited, and closed as code |
| 3 — Detection & SoC | 14–17 | Telemetry, detection-as-code, network + cloud detection & response | Cloud attack simulation → detections → automated response |
| 4 — AI-Augmented Ops | 18–21 | SoC copilot, SOAR automation, AI security, capstone | End-to-end AI-augmented enterprise-defender lab |

| Wk | Title |
|---|---|
| 01 | Foundation: Lab, Local AI Stack & MCP |
| 02 | Cloud Networking & Cloud-Native Firewalls |
| 03 | Cloud IAM & Attack Paths |
| 04 | IaC Security & CSPM Automation (Phase 1 capstone) |
| 05 | Containers & Kubernetes Security |
| 06 | Zero Trust Network Access (ZTNA) |
| 07 | Vulnerability Fundamentals & Exploitation Mechanics |
| 08 | Vulnerability Management & Investigation |
| 09 | Active Directory & Windows Security |
| 10 | Endpoint & Host Hardening (Windows + Linux) |
| 11 | DFIR: Digital Forensics & Incident Response |
| 12 | Malware Analysis Fundamentals |
| 13 | Cryptography, PKI, Secrets & Email/Data Defense |
| 14 | Logging & Telemetry: the SoC Data Plane |
| 15 | Detection Engineering Fundamentals (detection-as-code) |
| 16 | Network Detection & Threat Hunting |
| 17 | Cloud Detection & Response (Phase 3 capstone) |
| 18 | Building SoC Tooling with AI (MCP + RAG copilot) |
| 19 | SOAR: Automation Meets Security Ops |
| 20 | AI Security: Securing the AI You Now Run |
| 21 | Capstone Integration & Portfolio |
How To Use a Week File
Each weeks/week-NN.md has the same shape:
- Why this matters — the 90-second "so what."
- Learn — video-first, with real inline links (docs, labs, courses, channels), time-boxed.
- Do — an ordered checkbox task list (the hands-on reps); each step feeds the next.
- Project — what gets committed, with Success Criteria (measurable "you're done when…"), Deliverables (exact files/dirs), and Connects forward (where it gets reused).
- AI Acceleration — the specific local-model / MCP / RAG / coding move for the week.
- Marketable Proof — the résumé bullet / interview story you can now tell.
Start each week by copying its Do + Success Criteria into TRACKER.md.