Capstone: Red Team Your Friend's Startup ======================================== Slide 1: Capstone: Red Team Your Friend's Startup Narration Anna: This section sets up Capstone: Red Team Your Friend's Startup. Treat it as the frame for the decisions, handoffs, and evidence that appear in the next slides. Greg: The practical question is simple: by the end, what should a junior IT professional be able to explain, check, or document in a real workplace? On-screen text Capstone: Red Team Your Friend's Startup Group exercise structure and maturity mapping Slide 2: Capstone objectives Narration Anna: [energized] This capstone is your chance to break things safely. We pressure-test a 15-person startup without touching their production stack. Greg: The goal is to practice red-team curiosity, blue-team calm and facilitation skills that keep stakeholders engaged instead of defensive. Anna: We finish by translating every insight into a maturity score and a backlog leaders can actually fund. Greg: And along the way we highlight the cross-functional cast—fractional CTOs, success managers, ops leads—who make improvements stick. On-screen text Capstone objectives - Stress-test a 15-person startup's toolchain, culture and vendor choices without breaking production. - Practice red-team thinking, blue-team response and facilitation skills in a psychologically safe setting. - Map findings to an actionable maturity model so leaders leave with a prioritized remediation backlog. - Showcase cross-functional roles—from fractional CTO to customer success—needed to sustain improvements. Slide 3: Scenario setup Narration Anna: Our scenario centers on Sarah's marketplace startup—fifteen people juggling weekly releases, contractors and a global customer base. Greg: Their stack is modern but stitched together: managed Kubernetes, GitHub Actions, Google Workspace, Notion, HubSpot, Stripe. Anna: They lean on a fractional SOC, an MSP for laptops and an offshore labeling partner, so third-party trust boundaries really matter. Greg: Pain points are already on the table: ad-hoc onboarding, shadow SaaS creep, almost no incident rehearsal and compliance debt chasing them into every sales call. On-screen text Scenario setup - Sarah's marketplace startup: 15 staff, a mix of contractors and founders shipping weekly product updates. - Stack: managed Kubernetes cluster, GitHub Actions CI/CD, Google Workspace, Notion, HubSpot and Stripe. - Third parties: fractional SOC provider, MSP handling endpoints, offshore data labeling partner. - Known pain points: ad-hoc onboarding, shadow SaaS, limited incident rehearsal and compliance debt. Slide 4: Team structure & logistics Narration Anna: We split into pods of five or six—red-team analysts, blue-team responders, a business voice and a scribe. Greg: Ninety minutes goes fast, so the facilitator guards the timeboxes: twenty for recon, thirty for the live drill, twenty-five to debrief, fifteen to prep the share-out. Anna: Injects keep everyone honest, but the tone stays curious, not accusatory. Greg: Everything you need lives in the shared workspace—architecture map, SaaS inventory, contract snippets, customer personas—so no one is guessing. On-screen text Team structure & logistics - Participants form pods of 5–6: red-team analysts, blue-team responders, a business stakeholder and a scribe. - 90-minute block: 20-minute recon, 30-minute incident drill, 25-minute debrief, 15-minute report-out prep. - Facilitator provides injects, timeboxes discussions and keeps the tone curious rather than accusatory. - Shared workspace includes architecture diagram, SaaS inventory, contract excerpts and customer personas. Slide 5: Phase 1 — Recon & hypothesis building Narration Anna: Phase one is pure recon. The red team maps assets, data flows and every third-party touchpoint they can spot. Greg: We ask for the top three attack vectors—with evidence. Credential reuse? Misconfigured S3 buckets? Vendor breach cascading into production? Anna: Each threat must tie back to business impact so sales, support and engineering leaders understand the stakes. Greg: The scribe logs unanswered questions to keep momentum while still capturing gaps for later homework. On-screen text Phase 1 — Recon & hypothesis building - Red team maps the startup's assets, data flows, trust boundaries and third-party dependencies. - Identify top three attack vectors (credential reuse, misconfigured S3, vendor breach) with supporting evidence. - Draft "assume breach" scenarios that articulate the business impact for sales, support and engineering leaders. - Scribe captures questions for the facilitator to answer or park for later research. Slide 6: Phase 2 — Simulated incident drill Narration Anna: In phase two, the facilitator picks a scenario—maybe a compromised GitHub token that poisons container images. Greg: Blue-team responders narrate how they'd spot it, contain it, communicate with customers and loop in legal or finance. Anna: Injects keep tension high: a product launch collides with the incident, the MSP contact is offline, the SOC queue is overflowing. Greg: We encourage teams to draft customer updates, board brief talking points and even postmortem outlines while the adrenaline is still flowing. On-screen text Phase 2 — Simulated incident drill - Facilitator triggers a chosen scenario: e.g., compromised GitHub token leading to tampered container images. - Blue team walks through detection sources, containment steps, communication cadences and legal escalations. - Injects add twists: incident overlaps with product launch, MSP lead is on leave, or SOC ticket queue is full. - Encourage practicing customer updates, board briefs and postmortem draft outlines in real time. Slide 7: Phase 3 — Debrief & maturity mapping Narration Anna: Debrief time means switching to evidence-based grading. Each pod scores people, process, technology and governance on a one-to-five scale. Greg: We tie every score to artifacts—outdated runbooks, missing tabletop cadence, a single approver on critical releases. Anna: Then we prioritize the backlog: lightning fixes like closing MFA gaps, medium-term plays like renegotiating vendor contracts, strategic bets like observability upgrades. Greg: Finally, we capture what leadership must unlock—budget, headcount, or policy—to sustain momentum. On-screen text Phase 3 — Debrief & maturity mapping - Teams grade the startup across people, process, technology and governance dimensions using 1–5 scale. - Tie observations to evidence: outdated runbooks, missing tabletop cadence, single approver for releases. - Prioritize remediation backlog: quick wins (MFA gaps), medium-term (vendor contract reviews), strategic plays (platform observability). - Capture leadership asks: budget, headcount or policy changes needed to support improvements. Slide 8: Maturity model cheat sheet Narration Anna: The maturity model keeps scoring consistent. Level one is ad hoc—heroics, no playbooks, barely any logging. Greg: Level two is emerging: some runbooks, partial MFA, retros that happen but rarely translate into change. Anna: Level three is scaling—quarterly tabletops, defined SLAs, vendor scorecards, baseline observability. Greg: Level four is measured with automated controls, resilience OKRs and real budgets; level five is optimized, where purple teaming and partner collaboration are business as usual. On-screen text Maturity model cheat sheet - Level 1 — Ad hoc: hero-driven fixes, no defined playbooks, limited logging or third-party oversight. - Level 2 — Emerging: basic runbooks, partial MFA rollout, informal retros but inconsistent follow-through. - Level 3 — Scaling: quarterly tabletop drills, defined SLAs, vendor scorecards, baseline observability. - Level 4 — Measured: automated controls, resilience OKRs, integrated risk dashboards, dedicated budget. - Level 5 — Optimized: continuous assurance, proactive purple teaming, shared outcomes with partners. Slide 9: Deliverables & facilitation cues Narration Anna: Each pod leaves with tangible artifacts: a risk map, attack narrative, maturity scores and a remediation backlog with owners and timelines. Greg: Visuals help—journey maps, swimlanes, heat maps make executive conversations concrete rather than theoretical. Anna: We use a "start, stop, continue" debrief to surface cultural shifts alongside technical fixes. Greg: And everyone closes with a commitment statement so momentum carries beyond the classroom. On-screen text Deliverables & facilitation cues - Pod outputs: risk map, attack narrative, maturity scores, top-five remediation backlog with owners and timelines. - Encourage visual artifacts—journey maps, swimlanes, heat maps—to anchor executive conversations. - Debrief using "start, stop, continue" format to surface culture shifts alongside technical fixes. - Close with commitment round: each role states the next concrete action they will champion post-session. Slide 10: Roles, traits & progression Narration Anna: The exercise spotlights multiple roles: fractional CTOs, security leads, product managers, customer success managers, operations analysts. Greg: Entry points vary—support engineers stepping into incident command, consultants shifting into virtual CISO work, operations generalists owning vendor programs. Anna: The standout traits are facilitation under pressure, systems thinking, empathy for non-technical teammates and curiosity about adversary tradecraft. Greg: Nail this capstone and you're charting a path toward security program management, resilience leadership or platform engineering direction. On-screen text Roles, traits & progression - Roles represented: fractional CTO, security lead, product manager, customer success manager, operations analyst. - Entry pathways include support engineers stepping into incident command, consultants pivoting into vCISO roles and ops generalists leading vendor management. - Standout traits: facilitation under pressure, systems thinking, empathy for non-technical stakeholders and curiosity about adversary tradecraft. - Career progression: red-team exercise leads can grow into security program managers, heads of resilience or platform engineering directors. Slide 11: Key takeaway Narration Anna: The takeaway is simple: rehearsal builds muscle memory faster than policy memos ever could. Greg: By red-teaming Sarah's startup together, we generate evidence-backed maturity scores and a sequenced roadmap that leaders can champion. Anna: Treat the session like prep for the next diligence meeting—you want answers ready before investors or auditors ask. Greg: And the real win is renewed shared accountability before the inevitable real-world incident arrives. On-screen text Key takeaway A well-structured capstone turns abstract resilience talk into muscle memory. By stress-testing Sarah's startup collaboratively, teams leave with evidence-backed maturity scores, a sequenced roadmap and renewed respect for cross-functional partnership. Treat the exercise as a rehearsal for the next funding round diligence meeting—and an invitation to invest in shared accountability before the real incident hits.