90 min · Design · Build · Run · Benchmark · Publish
Prerequisite: C1 complete
The C1 skeleton — scope middleware, memory, tools, evidence, triage, report — ports directly. What changes is the tool suite, the target, and the benchmark.
This capstone applies the harness architecture to a specialized domain and produces a publishable portfolio artifact.
Choose a track. Define the three modes. Write the authorization document.
| Track | Modes | Lab target |
|---|---|---|
| Smart contract (EVMbench-aligned) | Detect · Patch · Exploit | DVD / forked mainnet / EVMbench subset |
| Cloud (posture + red team) | Detect · Remediate · Exploit | Isolated AWS account / LocalStack |
A harness that only runs Detect is half a harness. The three modes together are the benchmark — recall alone hides Patch/Remediate and Exploit weaknesses.
For cloud especially, an exploit action against the wrong account or without blast-radius limits is a real incident. Write it before you build.
Smart contract: contracts in scope, commit hashes, forked block, authorized actions (read, mutate in fork, deploy PoCs). Cloud: account ID, regions, resources, exploit blast-radius limits, teardown procedure.
Implement the full pipeline. Run it against a real lab target. A harness tested only on toy examples is a hypothesis.
Evidence captured at every stage: finding → evidence (sha256) → tool call → trace ID. Same tamper-evident chain from C1.
Smart contract
Damn Vulnerable DeFi — known solutions per challenge
Forked mainnet — historical exploit before the fix
EVMbench subset — 10-15 vulns, three modes each
Cloud
Isolated AWS — Terraform-provisioned misconfigs
LocalStack — local emulator for fast iteration
Teardown destroys everything after the run
Three independent scores. All three reported together. The scores are falsifiable — anyone can run the same target and compare.
| Smart contract | Cloud |
|---|---|
| Detect recall | Detect recall |
| Patch quality (fix + behavior preserved) | Remediation success (resolved, app unbroken) |
| Exploit success (PoC on forked mainnet) | Exploit success (red-team objective achieved) |
85% Detect / 30% Patch / 30% Exploit = detection engine. 80% across all three = genuine harness.
Benchmark + client report distill into a single publishable page.
GitHub README (full report + evidence linked) · LinkedIn post (benchmark as falsifiable claim) · Deepthreat.ai (demonstration asset).
The harness is the engine. The benchmark is the proof. The published summary is the portfolio. This is the culmination of Course 2A.