VCA-SEC-101: Cybersecurity Principles

The pipeline's security-literacy course. Students learn the CIA triad, STRIDE threat modeling, the OWASP Top 10, a working (non-cryptographer) model of modern crypto, and the professional practice of coordinated vulnerability disclosure. picoCTF runs as the weekly lab spine. Students build offensive fluency while developing defensive intuition. Required for every downstream offensive or RE course in the pipeline.

Total time: ~116 hours (curriculum aligned to course mission, 2026-04-26)
Lecture: ~20 hr
Practical / lab: ~28 hr
Independent practice: ~68 hr (includes ~42 hr picoCTF spine + capstone)
Position: After NET-101 + FND-102
Prereq: VCA-NET-101 + VCA-FND-102
Equipment: None (laptop-only; picoCTF + OWASP Juice Shop + free tooling) (see hardware platform · we update this as the kit firms up)
Credential: VCA-SEC-101 Certificate of Completion
Register interest. We're not taking enrollments yet. Email interested@virtuscyberacademy.org.
Curriculum aligned to course mission; weekly schedule and lab manifest below are firm. The course is laptop-only; every tool is free and open-source (picoCTF, OWASP Juice Shop, OWASP ZAP, Burp Suite Community, hashcat, John the Ripper, OWASP Threat Dragon). Students need a Linux or macOS environment (or WSL2 on Windows) and a network connection. A detailed week-by-week assessment rubric publishes before the first cohort runs.

Course Overview

VCA-SEC-101 is the first Virtus Academy course where the security in cybersecurity is the explicit subject. Prior courses treated the adversarial framing as background (ethics, authorization). This course moves it to the foreground: students build threat models, reason about what could go wrong, study disclosed vulnerabilities as the professional literature of the field, and practice offensive and defensive thinking in a structured, ethical environment. The course does not produce graduates who can do a penetration test (that is VCA-PEN-101) but it produces graduates who understand the discipline well enough to take the next step.

SEC-101 also establishes professional ethics as central curriculum, not as a footnote. Coordinated Vulnerability Disclosure (CVD) per CERT/CC's published guide and ISO/IEC 29147 + 30111; the U.S. Computer Fraud and Abuse Act (CFAA) and what authorization actually means legally; the safe-harbour language in modern bug-bounty programs; the codes of professional conduct that ISC2, EC-Council, OffSec, and SANS each require their certificate-holders to attest to. Every offensive Virtus course that follows (PEN-101, WIR-101, RE-101, ADV-101, ADV-102) assumes the student has internalised the ethics SEC-101 makes explicit. Operating without authorization is not just unprofessional in this field; it is criminal in most jurisdictions. SEC-101 is where the student learns to articulate that line cleanly enough to never accidentally cross it.

How the Course Teaches: Cross-Track Readings

SEC-101 does not have a single foundational anchor in the way CSA-101 has Petzold. It is a security-literacy gateway course that draws vocabulary from the RE, AI-ML, and PT track anchors that downstream courses build on. Three cross-track anchor threads run through the course: the RE-track narrative anchor (Erickson) establishes the practitioner's mental model behind the vulnerability-class vocabulary; the AI-ML-track taxonomy (OWASP LLM Top 10 + OWASP ASI Top 10) opens the AI-strand forward pointer; and the academy's agentic sandbox-escape multi-lab (built around CVE-2026-34971) demonstrates that these categories are operational, not theoretical.

RE cross-cut weave: Erickson, Hacking: The Art of Exploitation, 2nd ed. (vulnerability-class vocabulary at practitioner level).

SEC-101's Week 7-9 treatment of the OWASP Top 10 introduces vulnerability classes - injection, memory-corruption primitives, deserialization flaws, access-control failures - as named categories. Erickson's approach in Hacking: The Art of Exploitation is to show the mechanism underneath the name. Erickson explains that a buffer overflow is not a category label; it is a specific consequence of a specific memory layout, and the student who understands the layout can predict where overflows are possible and what an attacker can do once one is controlled. SEC-101 introduces these classes in the OWASP taxonomy; RE-011 and RE-101 are where the student works through them at the assembly level. Erickson's book is the bridge reading that makes that transition coherent, the practitioner narrative the OWASP Top 10 taxonomy points toward but does not itself contain.

AI-ML cross-cut weave: OWASP LLM Top 10 + OWASP ASI Top 10 (Agentic Security Initiative) + the academy agentic sandbox-escape multi-lab (CVE-2026-34971).

SEC-101's final forward pointer, the AI-strand bridge in the Prerequisite Map, is not speculative. The OWASP Top 10 for Large Language Model Applications applies the same threat-categorisation discipline SEC-101 teaches for classical web applications to LLM-based systems: LLM01 (Prompt Injection) maps structurally onto SEC-101's Week 7 injection module; LLM02 (Insecure Output Handling) maps onto the deserialization and output-validation concepts in Week 9. The OWASP Top 10 for Agentic AI Applications (the ASI Top 10, 2025 release) extends this taxonomy to multi-step, tool-calling agentic systems where the attack surface multiplies with each reasoning step.

The academy's agentic sandbox-escape multi-lab (CVE-2026-34971) is the concrete demonstration that these categories are operational. In the multi-lab, students trace a prompt-injection chain that escalates through a tool-calling agent's sandboxed execution environment and achieves code execution outside the intended sandbox boundary. SEC-101 students who encounter this lab will recognize the OWASP LLM01 + ASI injection categories behind the specific CVE; the threat-modeling discipline from Weeks 2-3 is exactly the analytical frame the multi-lab's post-lab reflection requires.

Learning Objectives

Listed in Bloom's-taxonomy order. Each is measurable against a specific lab or written deliverable.

  1. Remember. State the CIA triad, the OWASP Top 10 (current 2021 list, with the 2025 update flagged), the STRIDE threat-categories (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), and the elements of a coordinated-disclosure timeline (vendor notification, embargo, advisory publication, CVE assignment). (Assessed: closed-book quiz; Lab 1 worksheet.)
  2. Understand. Explain why "don't roll your own crypto" is professional advice rather than gatekeeping; why password hashes need salts and slow KDFs (bcrypt / argon2 / scrypt) rather than fast hashes (MD5 / SHA-1); why two-factor authentication mitigates phishing but not session-hijacking after authentication; why TLS's certificate chain is a working public-key infrastructure even though TLS itself is mostly symmetric crypto post-handshake. (Assessed: written reflection D2; Lab 4 hash-and-crypto-misuse exercise.)
  3. Understand. Distinguish authentication from authorization, and authorization from access control. Explain why JWTs are credentials (not just identifiers) and why "stateless sessions" have specific failure modes around revocation. (Assessed: Lab 5 broken-auth lab walk on OWASP Juice Shop.)
  4. Apply. Build a STRIDE threat model for a small student-chosen system (a personal web application, a SaaS tool the student uses, a smart-home device the student owns). Document the data flow diagram, the trust boundaries, the threat enumeration per STRIDE category, and the proposed mitigations. (Assessed: Lab 6 threat-modeling exercise with diagram + 3-page write-up.)
  5. Apply. Walk through OWASP Juice Shop, completing at least 12 challenges across the Top-10 categories (Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control, Security Misconfiguration, XSS, Insecure Deserialization, Components with Known Vulnerabilities, Insufficient Logging). Document each technique used and the underlying vulnerability class. (Assessed: Lab 7 Juice Shop walkthrough.)
  6. Analyze. Given a CVE record, identify the vulnerable component, the affected versions, the CVSS v3.1 base-score breakdown (Attack Vector / Complexity / Privileges Required / User Interaction / Scope / CIA impacts), and the public proof-of-concept availability. Cross-reference against the NVD, MITRE CVE record, and at least one independent advisory (e.g., Project Zero blog, vendor security bulletin, CISA Known Exploited Vulnerabilities catalogue). (Assessed: Lab 8 CVE-record-walk worksheet.)
  7. Evaluate. Articulate, in writing, the legal and ethical boundary between authorized security research (against systems the researcher owns or has explicit permission to test) and unauthorized access (everything else). Cite CFAA §1030, the relevant safe-harbour language from two real bug-bounty programs (HackerOne policy + a vendor program of the student's choosing), and the ISO/IEC 29147 + 30111 CVD process. (Assessed: deliverable D3 ethics-framework reflection, ~600 words.)
  8. Create. Reconstruct, in writing, a significant historical CVE chosen from an instructor-curated list (Heartbleed CVE-2014-0160, Shellshock CVE-2014-6271, Log4Shell CVE-2021-44228, Spectre/Meltdown 2018, EternalBlue CVE-2017-0144, or comparable scope). Document the technical detail, timeline, disclosure handling, and impact in a 5-8 page report pitched at the educated non-specialist level. (Assessed: Lab 9, the capstone.)

Week-by-Week Topic Flow

Fourteen weeks. picoCTF runs as the weekly lab spine throughout, ~3 hours per week of structured CTF challenges in addition to the topic-specific lab.

  1. Week 1. What "security" means professionally. CIA triad. The Saltzer & Schroeder design principles (least privilege, fail-safe defaults, open design, separation of privilege, etc.). picoCTF intro week. Lab 1, CIA-triad worksheet on a student-chosen system.
  2. Week 2. Threat modelling I. STRIDE, attack trees, the data flow diagram. DREAD as historical reference (acknowledged for completeness; not used as a serious quantitative tool today). Lab walk, STRIDE the same system from Week 1.
  3. Week 3. Threat modelling II. Trust boundaries; the difference between "a security control exists" and "a security control is enforced." Workshop on student-chosen systems with peer review. Lab 6. Full threat model with diagram.
  4. Week 4. Cryptography literacy I. Symmetric (AES-GCM, ChaCha20-Poly1305 as the modern AEAD ciphers); asymmetric (RSA + the move to elliptic curves Ed25519 / X25519). Why "don't roll your own crypto" is technical, not gatekeeping.
  5. Week 5. Cryptography literacy II. Hashing (SHA-2, SHA-3, BLAKE2/3); digital signatures; TLS at the handshake level (ClientHello, certificate chain, ephemeral key exchange). Common mistakes: nonce reuse, ECB mode, fast hashes for passwords. Lab 4. Hash-and-crypto-misuse exercise.
  6. Week 6. Authentication and authorization. Passwords (storage discipline: salt + slow KDF; the bcrypt / argon2 / scrypt family); MFA (TOTP, WebAuthn / passkeys); session management; OAuth 2.0 / OIDC at conceptual depth; JWTs as credentials. Lab 5. Broken-auth lab walk on OWASP Juice Shop.
  7. Week 7. OWASP Top 10 I. Injection, broken authentication, sensitive data exposure. Real-world CVE examples for each category (e.g., the Equifax breach for sensitive data exposure; SQLi reference cases). Lab walk. Sqlmap against a deliberately-vulnerable lab application; show then defend.
  8. Week 8. OWASP Top 10 II. XML external entities, broken access control, security misconfiguration, cross-site scripting. Lab walk: XSS variants on Juice Shop (reflected, stored, DOM-based).
  9. Week 9. OWASP Top 10 III. Insecure deserialization, components with known vulnerabilities (the Log4Shell story as the canonical 2021 case), insufficient logging and monitoring. Lab 7, Juice Shop walkthrough capstone.
  10. Week 10. Operational security and the blue-team vocabulary. SIEM concepts; log retention; the incident-response lifecycle (preparation, identification, containment, eradication, recovery, lessons-learned); the MITRE ATT&CK framework as a shared reference vocabulary for adversary behaviour.
  11. Week 11. Coordinated Vulnerability Disclosure I. CERT/CC's published CVD guide; ISO/IEC 29147 (vulnerability disclosure) and 30111 (vulnerability handling processes); the role of CVE numbering authorities (CNAs); CVSS v3.1 scoring breakdown. Lab 8, CVE-record-walk worksheet.
  12. Week 12. Coordinated Vulnerability Disclosure II. The legal landscape: CFAA §1030 in the U.S.; the EU NIS2 Directive's coordinated-disclosure mandate; the safe-harbour language modern bug-bounty programs use (HackerOne, Bugcrowd, vendor programs). The ISC2, OffSec, EC-Council, SANS codes of professional conduct. Deliverable D3. Ethics-framework reflection.
  13. Week 13. Capstone scoping. Each student selects their CVE from the curated list, drafts an outline, and gets instructor sign-off before drafting begins.
  14. Week 14. Capstone delivery, CVE explainer report submitted. Lab 9 due.

Lab Manifest

Nine numbered labs across the course, with a continuous picoCTF spine running underneath. Labs 1-8 are graded on correctness and lab-notebook quality; Lab 9 is the capstone, two-tier-graded against the rubric below.

  • picoCTF spine. Approximately 3 hours per week of structured picoCTF challenges, working up the difficulty ladder from General Skills through Cryptography, Web Exploitation, Forensics, and Binary Exploitation. Per-week minima are graded on submission rather than absolute solve count; a student who attempts seriously and documents their approach passes the spine even on hard challenges they cannot solve.
  • Lab 1. CIA triad worksheet on a student-chosen system. Identify confidentiality, integrity, and availability concerns; rate priority for the chosen system.
  • Lab 4. Hash-and-crypto-misuse exercise. Crack a small set of MD5- and SHA-1-hashed passwords with hashcat or John the Ripper; observe how unsalted hashes fall to rainbow tables; demonstrate that the same passwords salted + bcrypt'd resist the same attack.
  • Lab 5. Broken-auth lab walk on OWASP Juice Shop. Complete the broken-authentication challenge category (at least 4 challenges); document each technique.
  • Lab 6. Full STRIDE threat model with data flow diagram on a student-chosen system. 3-page write-up with diagram, threat enumeration, and proposed mitigations.
  • Lab 7. OWASP Juice Shop walkthrough capstone. Complete at least 12 challenges across the Top-10 categories; document each.
  • Lab 8. CVE-record-walk. Pick a CVE from the past 24 months; trace it through MITRE CVE record, NVD entry, vendor advisory, and at least one independent technical write-up. Score the CVSS v3.1 by hand and compare against NVD's assigned score.
  • Lab 9, Capstone. Historical-CVE explainer report. See Capstone section below for full rubric.

Optional advanced extension: 5G-AKA Identity-Privacy Analysis lab seed. Students wanting to walk a contemporary protocol at the implementation set (bridging Week 5's cryptographic-primitive vocabulary, Weeks 11-12's CVD discipline, and Lab 8's CVE-walk catalog against an in-deployment 5G protocol) can take the optional advanced-extension lab. The lab pulls forward from vca-net-301 Ch 8 §8.8.2 (the canonical primary 5G-AKA prose) and runs through three phases: experience the IMSI-catcher attack surface against 4G LTE captures (Phase A); implement the SUCI computation chain in Python against 3GPP TS 33.501 Annex C test vectors (Phase B); analyze 5G-AKA's residual attack surface at SEC-101's CVE-walk catalog (Phase C). ~6-8 hr independent practice; Bloom L3 Apply + L4 Analyze. See handouts/lab-sec-101-5g-aka-identity-privacy-analysis.md for the full lab seed. Not part of the required lab manifest; not graded against the SEC-101 final-grade rubric.

Bridge to PEN-101 / RE-101 / ADV-101 / ADV-102 / RE-201: the Security-Literacy Foundation

SEC-101's deliberate forward-pointer is its position as the security-literacy gate for every offensive Virtus course downstream. Three things SEC-101 establishes that the offensive courses assume:

  • Vocabulary. CIA triad, STRIDE, OWASP Top 10, MITRE ATT&CK, CVSS, CWE, CVE, CNA, CVD, the shorthand of professional security work. Every offensive course conducts itself in this vocabulary; SEC-101 is where the student becomes fluent.
  • Threat-modeling discipline. Before attacking a system, the practitioner models it. Before defending a system, the engineer models it. Same skill, two directions. PEN-101's engagement scoping, ADV-101's CVE-reproduction work, RE-101's SB6141 teardown all begin with a threat model whose vocabulary SEC-101 establishes.
  • Ethics, legally and professionally. CFAA, CVD, CERT/CC, ISO 29147 + 30111, the bug-bounty safe-harbour conventions. Every Virtus offensive course operates within these constraints. Students who internalise them in SEC-101 do not need them re-taught downstream; students who skip the framing arrive at PEN-101 unprepared to scope an authorized engagement.

Per-course skill-transfer:

  • VCA-PEN-101 (penetration testing). The threat model SEC-101 builds becomes the engagement scoping the pentester uses. The OWASP Top 10 fluency becomes the web-app pentest playbook. The CVD discipline becomes the engagement reporting standard.
  • VCA-RE-101 (reverse engineering of embedded systems). The CVE-record-reading skill from Lab 8 becomes the SB6141 vulnerability-research workflow. RE-101 students who completed SEC-101 know how to read a vendor advisory and find the vulnerability described in disassembly.
  • VCA-ADV-101 (adversarial techniques) and VCA-ADV-102 (LLM-CVE variant). ADV courses are CVE-reproduction work; SEC-101's CVE-walk literacy is the table-stakes skill. The Log4Shell case study introduced in Week 9 is the structural cousin of the ADV-102 LangChain Jinja2 work (CVE-2025-65106).
  • VCA-RE-201 (RE of burst radio signals). Even at the RF/SDR layer, the practitioner reads vulnerability research. SEC-101's reading discipline transfers.
  • VCA-WIR-101 (wireless penetration testing). 802.11 vulnerabilities (KRACK, Dragonblood, FragAttacks) are read as CVE records first; SEC-101's CVE-walk skill applies directly. See also the cross-track-shared sidebar handouts/cross-chapter-wireless-aka-progression.md: KRACK and Dragonblood are read there as protocol-design-driving attack classes (the attack class that broke WPA2-SAE; the side-channel class against early WPA3-SAE implementations); the SEC-101 CVE-walk catalog and the cross-track AKA-progression material are the two halves of the same skill. Students wanting to operationalise the cellular-side endpoint of that progression at the implementation set can take the optional advanced-extension lab. See handouts/lab-sec-101-5g-aka-identity-privacy-analysis.md for the SEC-101 5G-AKA Identity-Privacy Analysis lab seed (Phase A/B/C arc; ~6-8 hr independent practice; Bloom L3 Apply + L4 Analyze).
  • The future vca-ai-* AI-security strand. OWASP's LLM Top 10 and the OWASP Top 10 for Agentic Applications (per Findings §3) are the AI-strand's threat-categorisation vocabulary. The same threat-modeling discipline SEC-101 teaches against classical web applications applies, with adapted categories, against agentic systems.

Topical mini-module cross-cut: VCA-MINI-WIRESHARK-CVES-2026-05 (Wireshark RCE quartet, May 2026). SEC-101 references all four CVEs at Module 4 Vulnerability Landscape sidebars: integer-arithmetic class (CVE-2026-5402 TLS), loop-accounting class (CVE-2026-5403 SBC), asymmetric-validation class (CVE-2026-5405 RDP), zip-slip class (CVE-2026-5656 Profile import). The mini-module catalog page distils the companion handout for vocabulary-level recognition; the deep walkthrough lives in the handout.

The course's closing message: SEC-101 is where you stop being a programmer-with-some-security-awareness and start being a practitioner-with-formal-vocabulary. The vocabulary is the entry ticket to the rest of the field.

Tool Journal: SEC-101 Originating Entries

The Tool Journal continues. SEC-101 originates the diary's security-tooling roots; HW-101 originated the bench-electronics tools, FND-102 the Python and shell tools, NET-101 the network-analysis tools, and CSA-101 will originate the toolchain-build tools. By the close of SEC-101 the student's diary contains roughly 25 practitioner-tool entries.

SEC-101 originates the following diary entries:

  • OWASP Juice Shop. First met Week 6. The standard-issue deliberately-vulnerable web application for security education. Ships as a Docker container, runs locally, scores the student's exploits automatically. The same target every web-app pentest course begins with.
  • OWASP ZAP. First met Week 7. The free, open-source web-app proxy. Intercepts and modifies HTTP traffic between browser and server; the entry-level cousin of Burp Suite. Continues into PEN-101.
  • Burp Suite Community. First met Week 7 (alternative to ZAP). The industry-standard web-app proxy; Community Edition is free with rate-limited active scanning. The professional version is the daily-driver instrument of every web-app pentester. Continues into PEN-101 as primary.
  • hashcat. First met Week 5. The GPU-accelerated password-cracker; reads hash files and dictionaries, runs through hash-modes and attack-modes. The defensive lesson is "watch your unsalted MD5s fall in seconds."
  • John the Ripper. First met Week 5 (alternative to hashcat for CPU-only environments). The classic password cracker; smaller scope than hashcat, simpler invocation.
  • sqlmap. First met Week 7 (instructor-led demo). The automated SQL-injection tool. Used in the lab walk to demonstrate how trivial classical SQLi is; the defensive lesson sticks once the student watches an unprotected web form fall in 30 seconds.
  • OWASP Threat Dragon. First met Week 3. Free, open-source threat-modeling tool. Diagrams data flow, marks trust boundaries, suggests STRIDE categories per element. The lighter-weight cousin of Microsoft Threat Modeling Tool and IriusRisk.
  • CVSS v3.1 calculator (FIRST.org). First met Week 11. The web-based calculator that walks the practitioner through Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and CIA impacts. The output score is the industry-standard severity rating.
  • NVD search and the MITRE CVE database. First met Week 11. The two reference databases for CVE records. The student learns to move through both and cross-reference vendor advisories.
  • CISA Known Exploited Vulnerabilities (KEV) catalogue. First met Week 11. The U.S. CISA's curated list of CVEs known to be exploited in the wild. The pragmatic sub-set of NVD that practitioners actually prioritise.
  • picoCTF platform. First met Week 1, used continuously. CMU's free CTF platform; the de-facto entry-level CTF training ground. The same platform many entry-level cybersecurity programs use as their CTF spine.

Roughly eleven tool entries originate in SEC-101. PEN-101 promotes Burp Suite to daily-driver, adds nmap + metasploit + the wider exploitation toolchain. ADV-101 adds CVE-reproduction tooling (Docker labs, vulnerable-software pinned versions). RE-101 adds Ghidra (already in the diary from CSA-101) at the firmware scale.

Capstone: Historical-CVE Explainer Report

The course capstone. The student selects a significant historical CVE from an instructor-curated list (Heartbleed CVE-2014-0160, Shellshock CVE-2014-6271, Log4Shell CVE-2021-44228, Spectre/Meltdown 2018, EternalBlue CVE-2017-0144, ImageTragick CVE-2016-3714, Dirty COW CVE-2016-5195, BlueKeep CVE-2019-0708, or a comparable-scope alternative with instructor approval) and writes a 5-8 page report reconstructing the technical detail, the timeline, the disclosure handling, and the impact.

Required artifacts

  • The 5-8 page report itself, pitched at the "educated non-specialist" level. A smart friend who is not a security professional should be able to understand what happened and why it mattered.
  • A timeline diagram (vendor notification → patch release → advisory publication → CVE assignment → mass exploitation if applicable).
  • The CVSS v3.1 score with each metric's value justified against the vulnerability's actual properties (not just transcribed from NVD).
  • At least three primary sources cited: the original CVE record, at least one vendor advisory, and at least one independent technical write-up (Project Zero blog, security researcher's post, conference talk).
  • A "what would we do differently" reflection: in 200-400 words, what does the student propose the affected vendor or the broader industry should do to prevent the next vulnerability of this class.

Two-tier grading rubric

First, your project must work. The report covers a real, significant CVE with technical accuracy. Reports with material technical errors do not pass. No rubric scoring is performed on incorrect reconstructions. Plagiarised content (per the standard plagiarism check; see Findings §20.7 / OPEN QUESTIONS §12) is grounds for course failure.

Then we score the report. Once the report passes Tier 1, it is scored on three dimensions:

  • Technical accuracy and depth (40%). Does the technical reconstruction match the public record? Are the mechanics of the vulnerability explained correctly at the byte/protocol level?
  • Audience-appropriate clarity (30%). Can a smart friend who is not a security professional understand the report? Is jargon explained on first use? Are analogies used responsibly?
  • Disclosure-and-ethics handling (30%). Does the report engage seriously with the CVD process the vulnerability followed? Does it identify what the affected vendor did well and what they did poorly? Does the "what would we do differently" reflection show genuine engagement with the policy and engineering trade-offs?

There is no curve. There is no participation credit. This is the student's first long-form security-writing deliverable, the structural precursor to the PEN-101 engagement report, the RE-101 SB6141 vulnerability write-up, and every subsequent professional disclosure the student will author. The audience-appropriate clarity discipline established here is what makes a security professional's technical writing valuable to the non-specialists who fund security work.

Prerequisite Map

What SEC-101 depends on, and what depends on SEC-101:

  • Depends on: VCA-NET-101 (Wireshark and pcap-reading fluency: SEC-101 walks TLS handshakes and OAuth flows in capture; broken-auth labs require reading session cookies on the wire) + VCA-FND-102 (Python and command-line fluency: the Juice Shop walkthroughs and CVE-research labs assume comfortable shell + scripting work).
  • Feeds into VCA-PEN-101: Threat modelling is engagement scoping; OWASP Top 10 fluency is the web-app pentest playbook; CVD discipline is the engagement reporting standard. PEN-101 students who skip SEC-101 are referred back.
  • Feeds into VCA-RE-011: The vulnerability-class vocabulary (buffer overflow, use-after-free, integer overflow, type confusion) is introduced abstractly in SEC-101 and then traced through assembly in RE-011.
  • Feeds into VCA-RE-101: CVE-reading discipline and threat-modelling vocabulary are central for SB6141 vulnerability research. RE-101 assumes SEC-101 fluency.
  • Feeds into VCA-ADV-101 (CVE-to-tool engineering) and VCA-ADV-102 (LLM-CVE variant): Both ADV courses begin with the CVE record; SEC-101's CVE-walk skill is the entrance ticket. The Log4Shell case from Week 9 is the structural cousin of ADV-102's LangChain Jinja2 (CVE-2025-65106) work.
  • Feeds into VCA-WIR-101: Wireless vulnerabilities are read as CVE records first; SEC-101's reading discipline applies. Threat modelling for an 802.11 network reuses STRIDE categories.
  • Feeds into the future vca-ai-* strand: OWASP Top 10 for LLM Applications and OWASP Top 10 for Agentic Applications adapt the SEC-101 OWASP-Top-10 framing for AI systems. The threat-modelling discipline transfers structurally.

Certification Alignment

Primary: ISC2 Certified in Cybersecurity (CC), free via the ISC2 One Million Certified in Cybersecurity program. The credential covers exactly the conceptual scope SEC-101 teaches; every student should sit it. ISC2's code of ethics is one of the codes of professional conduct examined in Week 12.

Secondary: CompTIA Security+, the industry baseline, widely recognized by employers; the current cycle is SY0-701. VCA-SEC-101 covers the substantive Security+ domains at greater depth than the exam requires on threat modelling, OWASP Top 10, and CVD; it is lighter than Security+ on governance/risk/compliance content (which Security+ covers more broadly than SEC-101's technical focus). Students who want the credential should sit Security+ within three months of completion.

Forward-pointer: SEC-101 is the prerequisite-skill base for any subsequent security certification: CompTIA CySA+ (~120 hr study) for defensive analyst work; CEH (~80 hr) for the credential itself; PenTest+ as the natural follow-on after PEN-101. SANS GSEC and ISC2 SSCP are the next-tier credentials students continuing into a security career commonly target.

Recommended Readings

RE-track cross-cut anchors

  • Erickson, Hacking: The Art of Exploitation, 2nd ed. (No Starch Press, 2008; ISBN 978-1-59327-144-2). The practitioner narrative behind SEC-101's vulnerability-class taxonomy. Erickson's mechanism-first approach to buffer overflows, format strings, and heap exploitation is the bridge between the OWASP Top 10 category names SEC-101 introduces and the assembly-level detail RE-011 + RE-101 work through. Strongly recommended between SEC-101 and RE-011.
  • Yurichev, Reverse Engineering for Beginners (beginners.re; free CC-BY-SA 4.0; 1052 pp). The free companion reference for the vulnerability-class vocabulary at the instruction level. Yurichev opens with x86 assembly from first principles; students who begin reading during SEC-101 arrive at RE-011 with a meaningful head start. Available free in PDF and HTML.

AI-ML-track cross-cut anchors (free)

  • OWASP Top 10 for Large Language Model Applications (owasp.org; updated annually). The AI-strand threat taxonomy that SEC-101's Week 14 forward pointer points toward. LLM01 through LLM10 adapt the classical OWASP threat categories to LLM-based systems. Read alongside the classical OWASP Top 10 to see the structural correspondence.
  • OWASP Top 10 for Agentic AI Applications (ASI Top 10) (owasp.org; 2025 release). The extension of the LLM taxonomy to multi-step, tool-calling agentic systems. The academy's agentic sandbox-escape multi-lab (CVE-2026-34971) maps directly onto this taxonomy. ADV-102 is where the OWASP ASI framing becomes the working analytical vocabulary.

Supplementary

  • OWASP Testing Guide v4.2 (free; owasp.org), the web-application testing reference underlying Lab 7's Juice Shop walkthrough and the PEN-101 engagement methodology.
  • CERT/CC CVD Guide (free; cert.org) + ISO/IEC 29147, the coordinated-disclosure standards underlying Week 11-12 and the capstone report's disclosure-handling section.
  • MITRE ATT&CK Framework (free; attack.mitre.org), the adversary-behavior reference vocabulary introduced in Week 10; used throughout PEN-101 and ADV-101.

Format Prescriptions

Hour budget: ~20 lec hr + ~28 lab hr + ~68 indep hr (= ~116 hr total; includes ~42 hr picoCTF spine + capstone).

Live (standard cadence)

2 sessions/wk × 90 min each (45 min lecture + 45 min hands-on per session) + 30 min stay-after office time. 14 weeks total. Best for college-elective + adult-learning + homeschool-co-op cadence.

Night class (working-adult cadence)

1-2 sessions/wk in evenings; spread over ~28 weeks. Best for community-college + vocational-tech students with day jobs.

Bootcamp

8 hr/day × 5 days/wk = 40 hr/wk; total ~3 weeks. SEC-101's 116 hr lands at ~3 weeks. Best for adults / age-irrelevant students with prereq comfort + dedicated learning time.

Async self-paced

Lecture hours via recorded video; lab hours via picoCTF + OWASP Juice Shop self-hosted; indep hours = student pace. Includes Discord-group access (1-2 days/wk instructor-advertised availability). AI-assistant tier add-on. Live 1:1 tutoring premium tier add-on.

High school / homeschool co-op

Adapted live cadence over a school year (~18 weeks at typical school cadence) OR semester (14 weeks at college cadence). Detailed per-syllabus planning available on request.

Classroom

Full course content (weekly modules, labs, capstone packet, instructor guide) lives in the Virtus Cyber Academy classroom, which is in active build. The public preview is on the way.

Interested in VCA-SEC-101?

Email interested@virtuscyberacademy.org with your background and interest.