{
  "module": "S08 — SDLC Gate Harnesses",
  "course": "2A — Building AI Harnesses for Cybersecurity",
  "version": "1.0.0",
  "duration_minutes": 45,
  "total_questions": 20,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis-design",
    "actual": { "recall": 4, "application": 8, "analysis": 8 }
  },
  "passing_score_percent": 70,
  "questions": [
    { "id": "Q01", "bloom": "recall", "type": "multiple_choice", "prompt": "What is the control plane shift?", "options": ["Moving scans to a cloud control plane", "Moving security enforcement from review-time (post-commit) to creation-time (pre-commit/pre-merge/IDE) guardrails", "Moving security to the SOC team", "Moving scanners to a separate server"], "answer_index": 1, "rationale": "The shift moves the gate from after (review-time, days latency) to before (creation-time, seconds latency). Forced by AI coding agents that create code faster than review-time can process." },
    { "id": "Q02", "bloom": "recall", "type": "multiple_choice", "prompt": "What is EPSS, and what does it measure?", "options": ["A severity score like CVSS", "Exploit Prediction Scoring System — probability (0-1) a CVE will be exploited in the wild in the next 30 days", "A license compliance score", "A dependency count metric"], "answer_index": 1, "rationale": "EPSS (FIRST) measures exploitation PROBABILITY from real-world data. CVSS measures impact IF exploited. Together they prioritize correctly; CVSS-only is a failure mode." },
    { "id": "Q03", "bloom": "recall", "type": "multiple_choice", "prompt": "What is CISA KEV, and where does it sit in the priority queue?", "options": ["A low-priority info feed", "Known Exploited Vulnerabilities catalog — confirmed active exploitation. Top of the queue; fix in hours", "A CVSS calculator", "A license database"], "answer_index": 1, "rationale": "CISA KEV lists CVEs with confirmed active exploitation in the wild. Highest-confidence signal. KEV matches jump to the top of the remediation queue regardless of EPSS or CVSS." },
    { "id": "Q04", "bloom": "recall", "type": "multiple_choice", "prompt": "Name the 5 stages of the vulnerability triage pipeline.", "options": ["Scan, filter, report, archive, delete", "CVE feed ingestion → dependency matching → EPSS scoring → environment relevance → priority queue", "Detect, analyze, prioritize, remediate, verify", "Find, score, report, fix, close"], "answer_index": 1, "rationale": "NVD ingestion → manifest matching → EPSS exploitability → reachability filtering → prioritized queue. Each stage narrows the list; the queue turns hundreds of CVEs into a few actionable items." },
    { "id": "Q05", "bloom": "application", "type": "multiple_choice", "prompt": "A validated secret with high confidence is detected in a PR. What gate action?", "options": ["Soft warn", "Hard block — the PR cannot merge", "File in a dashboard for later", "Ignore"], "answer_index": 1, "rationale": "Validated secrets hard-block. A leaked credential is an active breach path. The matrix blocks the immediately dangerous; secrets qualify unconditionally." },
    { "id": "Q06", "bloom": "application", "type": "multiple_choice", "prompt": "A dependency has a CVE with CVSS 9.8 and EPSS 0.01. Another has CVSS 7.5 and EPSS 0.8. Which is more urgent?", "options": ["The CVSS 9.8 (higher severity)", "The CVSS 7.5 with EPSS 0.8 — likely being exploited now, despite lower severity score", "Both equally urgent", "Neither"], "answer_index": 1, "rationale": "EPSS inverts CVSS-only prioritization. CVSS 9.8/EPSS 0.01 is almost never exploited (low urgency). CVSS 7.5/EPSS 0.8 is likely exploited now (high urgency). Probability of exploitation, not just impact, drives priority." },
    { "id": "Q07", "bloom": "application", "type": "multiple_choice", "prompt": "SAST, SCA, secrets, and IaC scanners take 90s, 30s, 10s, and 15s respectively. Why run them in parallel?", "options": ["Parallel is more accurate", "Wall-clock is bounded by the slowest (~90s) not the sum (~145s). The difference is usable guardrail vs disabled guardrail", "Sequential is not possible", "Parallel uses less memory"], "answer_index": 1, "rationale": "The scanners analyze independent artifacts and can run concurrently. For a creation-time gate where seconds matter, parallel execution (90s) vs sequential (145s) is the difference between adoption and disablement." },
    { "id": "Q08", "bloom": "application", "type": "multiple_choice", "prompt": "Semgrep and CodeQL both flag the same SQL injection at the same location. What does the orchestrator do?", "options": ["Report both as separate findings", "Dedup via dedup_key — present ONE finding, cross-referenced, not duplicates", "Delete one randomly", "Report only the Semgrep finding"], "answer_index": 1, "rationale": "Cross-scanner dedup. Duplicate findings erode trust — the developer assumes the bot is broken when it reports the same thing three times. dedup_key merges them into one." },
    { "id": "Q09", "bloom": "application", "type": "multiple_choice", "prompt": "An SCA finding (vulnerable library) exists, and SAST confirms the vulnerable code path is reachable in the app. What should cross-scanner triage do?", "options": ["Downgrade the SCA finding", "Upgrade the SCA finding severity — the theoretical vulnerability is an actual exploitable path in this application", "Delete the SAST finding", "Ignore both"], "answer_index": 1, "rationale": "Cross-scanner correlation: an SCA vulnerability is only real if reachable. SAST confirming reachability upgrades the SCA finding from theoretical to actual. This is insight no single scanner produces." },
    { "id": "Q10", "bloom": "application", "type": "multiple_choice", "prompt": "A PR's risk score is 45. What is the gate action?", "options": ["Pass automatically", "Requires a security reviewer's explicit approval (score is 30-60)", "Blocked until findings resolved", "Deleted"], "answer_index": 1, "rationale": "Risk thresholds: <30 pass, 30-60 requires security reviewer approval, >60 blocked. A score of 45 falls in the middle band — it needs a human security reviewer to approve before merge." },
    { "id": "Q11", "bloom": "application", "type": "multiple_choice", "prompt": "A PR introduces 5 critical findings but fixes 7 existing ones. What does net direction say about this PR?", "options": ["Net negative — codebase is worse", "Net positive — the codebase got safer (more fixed than introduced)", "Neutral", "Cannot be determined"], "answer_index": 1, "rationale": "Net direction = new introduced minus existing fixed. +5 introduced -7 fixed = net positive. The codebase improved. Net direction is a stronger signal than absolute count of new findings." },
    { "id": "Q12", "bloom": "application", "type": "multiple_choice", "prompt": "A manager wants to use per-author finding counts in performance reviews. What is the correct response?", "options": ["Agree — accountability improves security", "Refuse — attribution is for coaching, not punishment. Misuse destroys psychological safety and makes the gate ineffective. Visible to author + lead only", "Agree, but only for senior engineers", "Agree, but only annually"], "answer_index": 1, "rationale": "The framing guardrail: attribution is for coaching conversations. Using it as a punishment metric destroys psychological safety — developers disengage from the gate and stop reporting issues." },
    { "id": "Q13", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why is the review-time check model structurally too slow for AI coding agents?", "options": ["Reviewers are lazy", "Agents create code/deps/IaC in seconds; review-time latency is hours-days. By the time findings are reviewed, the code is in production. Defense must match creation speed", "Scanners are too expensive", "Dashboards are hard to build"], "answer_index": 1, "rationale": "The speed asymmetry: creation in seconds, review in hours/days. An agent introduces a vulnerable dependency, an over-broad IAM role, an unauthed endpoint in one session. Overnight scan = the code is in production before anyone sees the finding." },
    { "id": "Q14", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why does CVSS-only prioritization fail, and what fixes it?", "options": ["CVSS is wrong", "CVSS measures impact IF exploited, not probability of exploitation. A CVSS 9.8/EPSS 0.01 is less urgent than CVSS 7.5/EPSS 0.8. EPSS (probability) + CISA KEV (confirmed exploitation) fix it", "CVSS is too slow to compute", "CVSS requires internet access"], "answer_index": 1, "rationale": "CVSS measures impact, not exploitability. EPSS adds exploitation probability from real-world data. CISA KEV adds confirmed exploitation. Together they prioritize correctly; CVSS alone misleads." },
    { "id": "Q15", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why is the siloed-scanners anti-pattern harmful?", "options": ["It costs more", "Each scanner in its own dashboard with its own severity scale. The developer sees 3 reports of the same finding from 3 tools and assumes the bot is broken. No dedup, no normalization", "It is slower", "It uses too much memory"], "answer_index": 1, "rationale": "Siloed scanners produce duplicate findings in separate dashboards with inconsistent severity vocabularies. The orchestrator normalizes and deduplicates across scanners, presenting one unified finding list. Without it, trust erodes." },
    { "id": "Q16", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why does environment-relevance filtering matter in vulnerability triage?", "options": ["It reduces scanner cost", "A CVE in a dependency is only exploitable if the vulnerable code path is REACHABLE in the application. Filtering removes theoretical risks and focuses remediation on actual exposures", "It is required by EPSS", "It speeds up the build"], "answer_index": 1, "rationale": "Many CVEs exist in code paths the application never uses. Reachability filtering removes theoretical risks, narrowing the list to actual exposures. This is why SAST reachability data feeds SCA triage." },
    { "id": "Q17", "bloom": "analysis", "type": "multiple_choice", "prompt": "Compare a PR with risk score 25 (5 new medium findings) vs score 65 (1 new critical, rising trend). Which gates how?", "options": ["Both pass", "Score 25 passes (<30). Score 65 is blocked (>60) until findings resolved — the critical finding plus rising trend pushed it over the threshold", "Both blocked", "Score 25 blocked, score 65 passes"], "answer_index": 1, "rationale": "The score is severity-weighted (critical=25, high=10, med=3, low=1) plus a trend modifier (rising ×1.2). One critical (25) on a rising trend (×1.2 = 30) plus context can exceed 60 → blocked. Five mediums (15) stays under 30 → passes. The score captures both severity and trajectory." },
    { "id": "Q18", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why must the severity normalization mapping be documented policy, not improvisation?", "options": ["For legal reasons", "Different scanners use different vocabularies (Semgrep ERROR/WARNING/INFO; Snyk crit/high/med/low; Checkov FAILED/PASSED). Ad-hoc mapping is inconsistent and non-auditable. Documented mapping = consistent gating", "To save tokens", "It is required by EPSS"], "answer_index": 1, "rationale": "The severity reconciliation maps each scanner's vocabulary to the unified scale. Without a documented mapping, the same finding severity varies run-to-run, making the gate non-deterministic. The mapping is policy — consistent, reviewable, auditable." },
    { "id": "Q19", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why does cross-scanner triage operate under a token budget, prioritizing high-severity findings?", "options": ["To save money", "Multi-scanner contexts are token-heavy (40 findings × context). High-severity findings are the ones that BLOCK, so they get priority. Low-sev/low-conf may be truncated — they wouldn't block regardless", "The model cannot handle large contexts", "It is faster"], "answer_index": 1, "rationale": "Token budget management: high-severity findings first because they drive gate decisions. Low-severity, low-confidence findings may be truncated entirely — spending tokens on them provides no gating value. The budget goes where the decisions are." },
    { "id": "Q20", "bloom": "analysis", "type": "multiple_choice", "prompt": "How does the bug report intake pipeline ensure a critical external report is not lost in a queue?", "options": ["It doesn't — manual review only", "Parse → dedup against existing findings (duplicates common) → detect via semantic similarity → auto-route P1 findings (critical, confirmed, in scope) to immediate response", "Email all reports to the team", "Post reports to a dashboard weekly"], "answer_index": 1, "rationale": "External reports (HackerOne, Bugcrowd, researchers) get the same triage discipline as scanner output: structured parsing, dedup against known findings, semantic similarity for duplicate detection, and auto-routing of P1 findings to immediate response. A critical report never sits unread." }
  ]
}
