Applied · Module 7

Applied capstone

This capstone is a short design review.

45 min · 3 outcomes · Applied Cybersecurity

Why this matters

Choose one feature you understand.

What you will be able to do

  1. Connect threats, controls, and verification for one feature
  2. Write trade-offs clearly and keep scope small
  3. Produce a review pack that someone else could follow

Before you begin

  • Foundations-level vocabulary and concepts
  • Confidence with basic diagrams and section terminology

Common ways people get this wrong

  • Docs without verification. A document that nobody can test becomes a comfort blanket.
  • Controls without owners. If ownership is unclear, controls decay and the pack becomes outdated.

This capstone is a short design review. Choose one feature you understand. Write down assets, entry points, and what could go wrong. Then choose controls that reduce harm and describe how you would verify them.

Mental model

Feature security review pack

The goal is a small pack you can defend: risks, controls, tests, and evidence.

  1. Scope
  2. Risks
  3. Controls
  4. Verification
  5. Evidence

Assumptions to keep in mind

  • Evidence is part of the deliverable. Security work is not complete until you can show what you did and why it works.
  • Trade-offs are written down. You will not remember the reasoning later. Write it while it is fresh.

Check yourself

Quick check. Capstone

What is the point of the capstone?

Show you can connect threats, controls, and verification in one small review that could survive scrutiny.

Scenario. You pick a feature that touches personal data. What should you write down first?

Assets. What matters, entry points, and trust boundaries where assumptions change.

Scenario. Give one preventive control and one detective control for a risky endpoint.

Preventive control could be strong authorisation and rate limiting. Detective control could be logging and an alert for unusual access patterns or failed authorisation bursts.

What makes a capstone defensible?

Clear scope, explicit trade-offs, and verification steps that could be repeated by someone else.
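
The detective control named in the quick check (an alert for failed authorisation bursts) can be written so that someone else can rerun it and keep the result as evidence. The sketch below is an added example, not part of the course material. The log format, the use of HTTP 403 as the failed-authorisation signal, the threshold of 5, and the 60-second window are all assumptions to adjust for your feature.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from a real system).
# Assumed format: ISO timestamp, caller id, endpoint, HTTP status.
SAMPLE_LOG = """\
2025-01-10T09:00:01 user-17 /api/records/41 200
2025-01-10T09:00:05 user-23 /api/records/42 403
2025-01-10T09:00:07 user-23 /api/records/43 403
2025-01-10T09:00:09 user-23 /api/records/44 403
2025-01-10T09:00:12 user-23 /api/records/45 403
2025-01-10T09:00:14 user-23 /api/records/46 403
2025-01-10T09:03:00 user-17 /api/records/41 403
2025-01-10T09:09:30 user-17 /api/records/41 403
"""

def parse(line):
    """Split one log line into (timestamp, caller, path, status)."""
    ts, caller, path, status = line.split()
    return datetime.fromisoformat(ts), caller, path, int(status)

def failed_authz_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per caller whose 403 count reaches `threshold` within `window`."""
    recent = defaultdict(deque)  # caller -> timestamps of 403s still inside the window
    alerted = set()              # callers already reported, to avoid duplicate alerts
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, caller, _path, status = parse(line)
        if status != 403:        # assumption: 403 means authorisation was denied
            continue
        q = recent[caller]
        q.append(ts)
        while ts - q[0] > window:  # drop denials that have aged out of the window
            q.popleft()
        if len(q) >= threshold and caller not in alerted:
            alerted.add(caller)
            alerts.append({"caller": caller, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in failed_authz_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

In a review pack, the detector and a fixed sample log like this one form the verification step, and the recorded alert output is the evidence.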

Artefact and reflection

Artefact

A feature security review pack you can reuse

Reflection

Where in your work would connecting threats, controls, and verification for one feature change a decision, and what evidence would make you trust that change?

Optional practice

Capture threats, controls, verification, and evidence in one practical pack.

Source NIST Cybersecurity Framework (CSF) 2.0 (2024)
Source OWASP Top 10 (2025)
Source OWASP ASVS 5.0.0
Source ISO/IEC 27001:2022 Information security management systems