Day 01 · Lab 01 · 3-hour research exercise

Identifying Threats, Attack Vectors & Frameworks

An in-class research and writing lab for undergraduate cybersecurity students. You will choose a fictional organisation, profile its likely adversaries, map their most plausible attack paths, and recommend an incident-management framework that fits — all in the space of a tightly-written 4-page A4 report.

Duration

3 hours (in-class)

Deliverable

4-page A4 PDF

Weight

2 + 3 + 3 + 2 / 10

Work mode

Individual

The 2-3-3 weighting

Where your marks actually come from

Threats

2 / 10 · ~¾ page

Attack vectors

3 / 10 · ~1 page + figure

Frameworks

3 / 10 · ~1 page + table

Construction

2 / 10 · whole report

The three-hour clock

A suggested schedule. Do not let any section eat the others.

00:00 → 00:10

Read this brief. Choose your scenario. Skim the rubric. 10 min

00:10 → 00:40

Section A · Threats. Research and notes. 30 min

00:40 → 01:30

Section B · Attack vectors. Research plus one annotated diagram. 50 min

01:30 → 02:20

Section C · Frameworks. Research plus one comparison table. 50 min

02:20 → 02:40

Wrap prose. Write abstract, introduction, conclusion. 20 min

02:40 → 02:55

Proofread. Caption figures, verify every link is still live. 15 min

02:55 → 03:00

Export and submit. PDF, check page count ≤ 4, upload to LMS. 5 min

Timer 03:00:00

Step 1

Choose your scenario

Write the whole report in the context of one specific fictional organisation. This keeps the analysis concrete and makes grading fair across the cohort.

Pick one of the four scenarios below, or propose your own to the instructor in the first ten minutes. Everything you write — every threat, every vector, every framework recommendation — must be justified against that specific organisation. A threat that matters to AlpesPower (nation-state targeting of critical infrastructure) matters far less to MediCasa, and vice versa. The grader will reward contextual judgement and punish generic answers.

MediCasa

Healthcare

Regional hospital group, 1,400 staff, electronic patient records held on-premise, some cloud usage for email and HR.

Nuvoleta Banca

Fintech

Mobile-first retail bank with three million customers. Fully cloud-hosted across two providers. Heavy use of third-party APIs.

AlpesPower

Critical infrastructure

Operator of three hydro-electric dams. Industrial control systems (ICS), engineering workstations, 280 staff spread across remote sites.

LusAgora

Government

Municipal e-government portal for a city of 600,000 residents. Public-facing identity service, internal case-management system.

Name your chosen scenario on the cover page and in the abstract. Refer to it by name in every section — the grader should never have to guess which organisation you are writing about.

Weight 2 / 10 · Target ~¾ page

Threats

Identify and profile the adversaries your chosen organisation realistically faces.

Section A

Threats · 20% of the final mark

What to produce

Identify three distinct threat actor categories that are realistically relevant to your chosen organisation. For each one, give:

A short (2–3 sentence) description of who the actor is.
Their primary motivation — financial gain, espionage, hacktivism, disruption, insider grievance, or curiosity.
Their rough capability level (low, medium, high, nation-state) and why you placed them at that level.
One real-world incident in the public record where this actor category hit an organisation in your sector, with a clickable citation.

Primary sources

Use these as starting points, not as templates to copy:

MITRE Groups catalogue — profiles of known threat actors.
ENISA Threat Landscape (European Union Agency for Cybersecurity) — annual threat landscape report.
Verizon DBIR (Data Breach Investigations Report) — incident statistics by sector.
CISA KEV (Cybersecurity and Infrastructure Security Agency, Known Exploited Vulnerabilities).

Weight 3 / 10 · Target ~1 page + figure

Attack vectors

Map the paths each adversary would realistically use to reach your scenario organisation.

Section B

Attack vectors · 30% of the final mark

What to produce

An attack vector is the path an attacker uses to reach a target. For each of the three actors you identified in Section A, describe the two most likely attack vectors that actor would use against your scenario organisation. You will end up with six vectors in total. For each vector, state:

The name of the vector in standard terminology (e.g. spear-phishing with attachment, exposed RDP — Remote Desktop Protocol, supply-chain update compromise, credential stuffing against the customer portal).
The prerequisite for the vector to work — what the attacker must already know or have.
The control a defender would put in place to make this vector fail or become detectable.
Which of Confidentiality, Integrity, Availability the vector primarily targets (or which combination).

Required figure

Produce an attack-path diagram for one of the six vectors, showing the steps from initial access to objective. Draw it yourself using draw.io (free, no account), Excalidraw (free, no account), Mermaid, the built-in SmartArt in your word processor, or on paper and photograph it.

Do not screenshot somebody else's diagram. Your diagram, your caption, your credit — or it does not belong in your report.

Reference taxonomies

Use these for vocabulary — do not copy the columns:

MITRE ATT&CK Enterprise matrix.
OWASP Top 10 (Open Web Application Security Project) for web-facing vectors.

Weight 3 / 10 · Target ~1 page + table

Frameworks

Compare two incident-management frameworks and defend one as a recommendation for your scenario.

Section C

Frameworks · 30% of the final mark

What to produce

Compare two incident-management frameworks and recommend which one best suits your chosen organisation, with justification. Your comparison must include all of the following dimensions:

Dimension	What to write
Authoring body	Who produced the framework and why
Phases or functions	The core structure (e.g. NIST SP 800-61's six phases)
Scope	Is it prescriptive, voluntary, or sector-specific?
Fit for your organisation	Why it does or does not suit your chosen scenario
Cost and effort	Realistic implementation burden for the organisation

Framework candidates

You are free to pick any two. Common choices:

NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide.
NIST Cybersecurity Framework 2.0.
ISO/IEC 27035.
SANS PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).
ENISA Good Practice Guide for Incident Management.
HITRUST CSF for healthcare.

An unusual-but-valid choice (a national-CERT framework from your home country, for example) is encouraged and scores extra on originality in Section D.

Required table

Render the comparison as a clean two-column table, not as prose. Mention the framework names verbatim with their version or revision numbers so the grader can verify you used the current edition.

Weight 2 / 10 · Applies to whole report

How to construct the report

A correct analysis presented badly loses half of Section D; a decent analysis presented well can claw back marks from elsewhere.

Section D

Construction quality · 20% of the final mark

Mandatory chapter structure

Cover page — title, your name, student ID, date, name of your scenario. Does not count toward the 4-page limit.
Abstract — 80 to 120 words summarising the whole report. Write it last.
Introduction — one paragraph establishing the scenario and what the report will cover. Half a page maximum.
Section A — Threats
Section B — Attack vectors
Section C — Frameworks
Conclusion — short paragraph answering: if this organisation could only implement one change next Monday, what should it be, and why?
References — numbered list of every source cited. Does not count toward the 4-page limit.

Page limit & layout

Four A4 pages, strict ceiling. Cover page and references sit outside this budget.
11-point font for body text. Serif or sans-serif — pick one and stick to it.
1.15 line spacing, 2.5 cm margins on all sides.
Justified body text with hyphenation enabled. Justified text without hyphenation produces ugly rivers.

Citations & IP hygiene

Every factual claim that is not common knowledge must be cited. A citation is a bracketed number [1], [2], … matching an entry in your References chapter. When you paraphrase a source, do so in your own words and add the citation. If you must quote, use quotation marks and keep it short — typically under 15 words.

A generic rule that will serve you for life: if you did not write it, draw it, or photograph it yourself, treat it as somebody else's property and cite it.

Screenshot rules — specific

Captions are mandatory

Every screenshot needs a caption of the form: “Figure N. Brief description. Source: [hyperlink or 'own work'], captured on YYYY-MM-DD.” The date matters — web pages change.

Annotate where it supports the argument

Arrows, boxes, callouts. A raw screenshot without annotation is rarely worth its page space.

Formats

PNG for UI screenshots, JPEG for photographs, SVG for diagrams you drew. Keep images under 400 KB each.

Hyperlinks

Every organisation, framework, report, or tool mentioned by name should be hyperlinked on its first occurrence, to that organisation's own official URL. Never link to a paywalled aggregator when the official URL is one click further. Do not link to Wikipedia unless it is the only surviving source of a specific historical fact — prefer the primary sources Wikipedia itself cites.

Writing tone

Write like a working analyst, not like a student trying to fill a page. Short sentences. Active voice where possible. Concrete nouns. No phrases like “in today's ever-evolving threat landscape” or “cybercriminals are becoming increasingly sophisticated” — the grader has read a thousand of those. Prefer “attackers against Nuvoleta Banca will most plausibly be financially motivated ransomware affiliates” to “the threat landscape is evolving”.

Pre-submission checklist

Click each item as you complete it. State is local to this page — printing works too.

Complete: 0 / 16

Cover page with name, student ID, date, and scenario name
Abstract 80–120 words, written last
Introduction names the scenario organisation
Section A: three distinct threat actors with motivations, capabilities, and real-world cites
Section B: six attack vectors (two per actor) with prerequisites, controls, and CIA target
Section B: one original attack-path diagram, captioned
Section C: two frameworks compared across all five dimensions
Section C: comparison rendered as a table, version numbers included
Conclusion answers the “one change next Monday” question
Every claim cited with a numbered reference
Every hyperlink points to the organisation's own official URL
Every figure has caption, date, and source credit
No direct quotes longer than ~15 words
Body text is 11-point, 1.15 line spacing, 2.5 cm margins, justified + hyphenated
Body content fits in exactly 4 A4 pages (cover and references sit outside)
File named surname_initial_day01_lab.pdf and .md / .docx

Tools

Tools you can use — and the rule about them

Every tool named below is a suggestion, not a requirement. All are freely available in at least a community edition.

Purpose	A tool you might use	Where to find it
Diagrams	draw.io · Excalidraw · Mermaid	drawio · excalidraw · mermaid-js
Word processor	LibreOffice · Word · Google Docs · Typst · LaTeX	your choice
Markdown → PDF	Pandoc · Typora · VS Code + extension	pandoc.org
Screenshot annotation	ShareX · Flameshot · Preview · Snipping Tool	your choice
Threat research	MITRE ATT&CK · CISA KEV · NVD	attack.mitre.org · cisa.gov · nvd.nist.gov
Reference management	Zotero · or a plain numbered list	zotero.org

Rubric

What the grader will look for

The condensed rubric. Print it if you want to pin it to your monitor for the three hours.

Criterion	Excellent	Acceptable	Weak
Threats realistic for scenario	Specifically justified	Plausible but generic	Cut-and-paste from MITRE
Vectors named with correct vocabulary	Precise industry terms, cites taxonomy	Correct but loose	Vague or wrong
Controls proposed	Specific, measurable, cost-aware	Generic	Absent
Framework comparison	Two frameworks, all five dimensions	Comparison incomplete	One framework only
Recommendation defended	Defence references the scenario directly	Generic	No defence
Figures & tables	Original, annotated, captioned, credited	Present and captioned	Missing or uncredited
Citations	Every claim cited, sources live	Most claims cited	Plagiarism risk
Writing tone	Analyst voice, active, concrete	Competent student voice	Filler phrases, clichés
Page discipline	≤ 4 pages, structure followed	4 pages, layout off	Over 4 pages
Originality	Contains something new	Competent but standard	Indistinguishable from peers

Submission

How and where to submit

Two files. One deadline. Follow the naming convention.

Submit both the source markdown or .docx file and a PDF export on the course LMS (Learning Management System).
Name the files surname_initial_day01_lab.pdf and surname_initial_day01_lab.md.
Deadline: Midnight EST on April 26, 2026.
Late submissions lose 10% per started 24-hour period; submissions more than 72 hours late will not be graded.
If your submission accidentally names a real organisation, rename it before submission. No real-world references to real organisations except as examples in cited research.

Read carefully

Disclaimers

These protect everyone — instructor, students, and Cyber.SoHo Educational Hub alike.

Instructor protection

This exercise is an educational research-only lab. Students work inside their own laptops, their own virtual machines, or provided-by-instructor sandbox environments. No student, at any point in this exercise, is authorised to perform reconnaissance, scanning, exploitation, or any active action against a live, production, or third-party system they do not personally own.

The instructor, the Cyber.SoHo Educational Hub, the host institution, and any affiliated staff disclaim any and all responsibility for misuse of the knowledge presented in this brief. Deliberate misuse by a student is the sole responsibility of that student and will result in immediate academic and, where applicable, legal consequences.

Tools and techniques — openness and substitutability

Every tool and technique referenced in this brief is named as a working example only. Each is one of many possible choices, freely substitutable with any equivalent open-source, commercial, or custom alternative. Students are actively encouraged to research their own tools, to try alternatives, and to build their own small utilities where it serves the learning goal. The naming of a specific product or open-source project is not an endorsement and implies no relationship of any kind with the named provider.

No affiliation, trademarks, and copyright

Cyber.SoHo Educational Hub is not affiliated with, sponsored by, or endorsed by any of the organisations, vendors, regulators, or publications named in this brief — including but not limited to MITRE, NIST, ENISA, ISO, SANS, OWASP, CISA, FIRST, Verizon, IBM, HITRUST, Microsoft, Google, or any other organisation referenced. All trademarks, service marks, regulatory designations, and publication titles remain the property of their respective owners. This brief cites these organisations purely for educational illustration under fair-use principles.

Ethics, legality, and personal accountability

Cybersecurity knowledge is dual-use. A technique that defends a hospital can also harm it, and the line between the two is almost always authorisation. Every student taking this lab undertakes, as a condition of participation, to:

Only exercise offensive techniques against systems they personally own or for which they hold written authorisation from the owner;
Report vulnerabilities responsibly, through the vendor's published disclosure process;
Respect the privacy, dignity, and property rights of everyone — students, staff, strangers, and organisations named in cited sources alike;
Comply with all applicable laws in their jurisdiction, including but not limited to computer misuse, data protection, and privacy statutes.

The intellectual content of this brief — the structure, the scenarios, the rubric, the disclaimer text — is the original work of Cyber.SoHo Educational Hub and is released to students enrolled in the course under an internal educational-use licence. Redistribution outside the course, or use for any commercial purpose, requires prior written permission.

Final word, before the clock starts

Three hours is enough time to produce a four-page analyst-style report if you use it well. It is not enough time if you spend the first hour reading, the second hour drifting between tabs, and the third hour panicking.

Skim this brief, choose your scenario, and start the timer. The work is more interesting than the worrying.

— Cyber.SoHo Educational Hub