GRC Analyst · Curriculum Developer · Technical Content Creator
10+ years at Apple & Verizon in compliance, documentation & operations —
now building a career at the intersection of security, governance, and human learning.
Who I Am
I'm a GRC Analyst, Curriculum Developer, and Technical Content Creator with 10+ years of enterprise experience at Apple and Verizon — and a passion for making security education creative, accessible, and portfolio-worthy.
At Apple, I served as a Technical Project Manager for Compliance & Process Documentation, where I developed SOPs, led compliance gap analyses, maintained audit-ready documentation across EMEA and APAC teams, and redesigned onboarding training that cut ramp-up time by 33% for 200+ employees. Before that, I spent years as a Genius and Senior Technical Specialist, building knowledge bases and translating complex technical content into clear, actionable guidance.
At Verizon, I managed retail operations and designed onboarding programs that reinforced regulatory procedures and performance standards across high-volume environments.
I'm currently completing Per Scholas' Cybersecurity AI Program (Charlotte, NC), building hands-on experience with NIST CSF/800-53, ISO 27001, SOC operations, Splunk, Cisco Packet Tracer, and security awareness training — and studying for CompTIA Security+ SY0-701.
My superpower is bridging the gap between technical rigor and human learning — whether that's building GRC documentation, designing instructional curricula, or creating cartoon-themed Security+ study hubs that actually make people want to study.
Technical PM, compliance documentation, SOPs, cross-functional ops across global teams
ADDIE methodology, curriculum development, UDL principles — reduced new hire ramp-up 33%
Cross-functional collaboration with EMEA & APAC teams at Apple
NIST CSF, 800-53, ISO 27001, risk registers, audit documentation, security awareness training
Human-led, AI-assisted development — portfolio, curricula, GRC deliverables, and this site
What I Bring
My Work
Network Lab
36 hands-on Cisco Packet Tracer simulations across two modules — covering network topology, routing, security hardening, access control, cryptography, and monitoring. Includes a full risk register mapped to NIST CSF.
Personal Project · In Progress
A fully self-directed Cisco Packet Tracer network simulation — a post-apocalyptic safe zone where network infrastructure is the difference between survival and collapse. Four live threat scenarios with full GRC documentation mapped to NIST CSF 2.0.
GRC Work · Applied Portfolio
7 real-world GRC projects built around Rainbow Byte Bakery — a fictional growing company with no prior compliance program. As the company's first GRC Analyst, I built the program from scratch: ISO 27001 control mapping, a risk register with heat map, third-party vendor assessment, incident response plan & tabletop, SOC 2 cloud control mapping, an executive compliance dashboard, and a mock internal audit. Frameworks: NIST CSF 2.0 · ISO 27001 · NIST 800-53 · ISO 31000 · SOC 2 · ISO 27035.
Study Notes · CompTIA Security+ SY0-701
A fully interactive CompTIA Security+ SY0-701 study platform built around 15 cartoon-themed pages — SpongeBob, Ben 10, Avatar, Scooby-Doo, Gravity Falls, and more — each covering a Security+ domain through analogies, Leitner spaced-repetition flashcards, 10-question randomized quizzes, and interactive games. The hub includes an Acronym Blitz, a "Who Wants to Pass the CompTIA Security+?" millionaire-style game, and an ADDIE/GRC instructional design rationale section. Built using ADDIE methodology, retrieval practice, and UDL principles.
Interactive Quiz · CompTIA Security+ SY0-701
A standalone, cartoon-themed networking and Security+ quiz companion — covering core networking concepts mapped to CompTIA Security+ SY0-701 domains. Features randomized multiple-choice questions with instant feedback, score tracking, and a fun visual style designed to make exam prep feel less like studying and more like playing. Built as a supplement to the full Cartoon Network-ing Study Hub.
Instructional Design
An 8-week, ADDIE-grounded professional development curriculum built for Per Scholas cybersecurity students — covering resume development, LinkedIn optimization, GitHub portfolio creation, AI-assisted career prep, elevator pitches, mock interviews, and a live capstone presentation. Includes a full instructional design portfolio breakdown with learning outcomes, curriculum map, assessment strategy, and adult learning theory documentation.
💡 Projects and labs are updated continuously as I progress through the Per Scholas program and personal projects.
Credentials
📄 Full Resume
GRC Analyst, Curriculum Developer, and Technical Content Creator with 10+ years of enterprise experience at Apple and Verizon, specializing in NIST CSF/800-53 compliance, policy development, and audit-ready documentation. Proven track record designing ADDIE-based training programs, compliance-aligned SOPs, and educational content that reduced onboarding time by 33% and supported 200+ employees across global environments. Currently completing Per Scholas Cybersecurity AI Program; CompTIA Security+ estimated July 2026.
Growth Mindset
Actively studying for CompTIA Security+ SY0-701 (est. July 2026) and Splunk Core Certified User, while completing Per Scholas' Cybersecurity AI Program.
What Drives My Work
I believe security education works best when it meets people where they are — culturally, cognitively, and creatively. Every curriculum I build is grounded in three principles:
Every deliverable — from training plans to cartoon study hubs — follows the Analyze, Design, Develop, Implement, Evaluate lifecycle. Learner needs first. Content second.
Leitner flashcard systems, 10-question randomized quizzes, and milestone games — not cramming. Learning that sticks is learning that comes back when you least expect it.
Multiple means of representation, engagement, and expression. Whether you're 8 or 80, a Scooby-Doo analogy or a NIST control table — there's a path in for every learner.
Giving Back
Provided volunteer IT support to faith-based organizations — hardware setup, email configuration, social media profile creation — enabling consistent digital outreach and community engagement.
Delivered hands-on technical support to clients ranging from children (age 8) to seniors (age 90), applying UDL principles to adapt instruction across diverse backgrounds, skill levels, and accessibility needs.
Developed structured group travel and event plans as operational planning documents — budgeted itineraries, venue options, and logistical coordination — applying curriculum development and project management skills in community service contexts.
Get In Touch
Open to GRC, compliance, instructional design, and security operations roles. I bring 10+ years of enterprise experience, an active CompTIA Security+ candidacy, and a portfolio that reflects both technical rigor and creative pedagogy.
Connect on LinkedIn or view my resume for direct contact details.
Per Scholas · Cisco NetAcad
36 hands-on network labs completed across Cisco Networking Basics and Network Defense — covering routing, security hardening, encryption, access control, and monitoring.
Full Overview
| Lab ID | Title | Module | Category | Est. Time |
|---|---|---|---|---|
| GLAB 123.4.1 | Configure a Wireless Router and Client | MOD 123 | Networking Basics | 45 min |
| GLAB 123.8.1 | Connect to a Web Server | MOD 123 | Networking Basics | 30 min |
| GLAB 123.11.1 | Configure DHCP on a Wireless Router | MOD 123 | Networking Basics | 30 min |
| GLAB 123.12.1 | Examine NAT on a Wireless Router | MOD 123 | Networking Basics | 30 min |
| ALAB 123.17.1 | Use the ipconfig Command | MOD 123 | Networking Basics | 20 min |
| GLAB 123.13.1 | Identify MAC and IP Addresses | MOD 123 | Networking Basics | 30 min |
| GLAB 123.14.1 | Observe Traffic Flow in a Routed Network | MOD 123 | Networking Basics | 35 min |
| GLAB 123.14.2 | Create a LAN | MOD 123 | Networking Basics | 40 min |
| GLAB 123.16.1 | The Client Interaction | MOD 123 | Networking Basics | 25 min |
| GLAB 123.16.2 | Observe Web Requests | MOD 123 | Networking Basics | 25 min |
| GLAB 123.16.2 | Use Telnet and SSH | MOD 123 | Networking Basics | 30 min |
| GLAB 123.16.3 | Use FTP Services | MOD 123 | Networking Basics | 25 min |
| GLAB 123.17.2 | Use the ping Command | MOD 123 | Networking Basics | 20 min |
| GLAB 125.1.1 | Document Enterprise Cybersecurity Issues | MOD 125 | Security | 45 min |
| GLAB 125.2.1 | Investigating OWASP | MOD 125 | Security | 40 min |
| GLAB 125.2.2 | Configure Wireless Router Hardening and Security | MOD 125 | Security | 45 min |
| GLAB 125.2.3 | Implement Physical Security with IoT Devices | MOD 125 | Security | 45 min |
| GLAB 125.3.1 | Configure Access Control | MOD 125 | Access Control | 40 min |
| GLAB 125.3.2 | Configure Authentication and Authorization in Linux | MOD 125 | Access Control | 45 min |
| GLAB 125.3.3 | Configure Server-Based Authentication with TACACS+ and RADIUS | MOD 125 | Access Control | 50 min |
| GLAB 125.4.1 | Configure Named Standard IPv4 ACLs | MOD 125 | Access Control | 40 min |
| GLAB 125.4.2 | Configure Numbered Standard IPv4 ACLs | MOD 125 | Access Control | 40 min |
| GLAB 125.4.3 | Configure Extended ACLs Scenario 1 | MOD 125 | Access Control | 45 min |
| GLAB 125.4.4 | Configure Extended ACLs Scenario 2 | MOD 125 | Access Control | 45 min |
| GLAB 125.4.5 | Configure IPv6 ACLs | MOD 125 | Access Control | 45 min |
| GLAB 125.8.1 | Use Classic and Modern Encryption Algorithms | MOD 125 | Cryptography | 40 min |
| GLAB 125.8.2 | Encrypting and Decrypting Data Using OpenSSL | MOD 125 | Cryptography | 45 min |
| GLAB 125.8.3 | Encrypting and Decrypting Data Using a Hacker Tool | MOD 125 | Cryptography | 40 min |
| GLAB 125.8.4 | Examining Telnet and SSH in Wireshark | MOD 125 | Cryptography | 40 min |
| GLAB 125.8.6 | Use Steganography to Hide Data | MOD 125 | Cryptography | 35 min |
| GLAB 125.8.7 | Hashing Things Out | MOD 125 | Cryptography | 35 min |
| GLAB 125.8.8 | Generate and Use a Digital Signature | MOD 125 | Cryptography | 40 min |
| GLAB 125.8.9 | Certificate Authority Stores | MOD 125 | Cryptography | 40 min |
| GLAB 125.10.1 | Explore a NetFlow Implementation | MOD 125 | Monitoring | 40 min |
| GLAB 125.10.2 | Logging from Multiple Sources | MOD 125 | Monitoring | 40 min |
Browse by Subject
GRC Application
The following risk analysis applies GRC principles — drawn from NIST CSF and ISO 27001 — to the network environment explored across these labs. Each risk is tied directly to lab findings.
This risk register identifies key vulnerabilities observed during lab exercises and maps them to likelihood, impact, and mitigation controls. It demonstrates the direct connection between hands-on network work and enterprise GRC practice.
| Risk ID | Risk Description | Source Lab | Likelihood | Impact | Rating | Mitigation Control |
|---|---|---|---|---|---|---|
| R-001 | Plaintext credential transmission via Telnet | 125.8.4 / 123.16.2 | High | High | Critical | Replace Telnet with SSH; enforce encrypted remote access policy |
| R-002 | Misconfigured or default wireless router credentials | 123.4.1 / 125.2.2 | High | High | Critical | Apply router hardening checklist; change defaults; enable WPA2/WPA3 |
| R-003 | Overly permissive network access (missing ACLs) | 125.4.1–125.4.5 | High | Medium | High | Implement named/numbered ACLs; apply least-privilege network segmentation |
| R-004 | Unauthorized access due to weak authentication | 125.3.1 / 125.3.2 | Medium | High | High | Deploy TACACS+/RADIUS centralized auth; enforce MFA where possible |
| R-005 | Weak or outdated encryption protecting sensitive data | 125.8.1 / 125.8.2 | Medium | High | High | Enforce AES-256 minimum standard; audit encryption across all data flows |
| R-006 | Data exfiltration via covert steganography channel | 125.8.6 | Low | High | Medium | Deploy DLP controls; monitor outbound file transfers; user awareness training |
| R-007 | Insufficient log aggregation limiting incident detection | 125.10.2 | Medium | Medium | Medium | Centralize logging via SIEM; define log retention policy per compliance requirements |
| R-008 | IoT devices introduced without security baseline | 125.2.3 | Medium | Medium | Medium | Establish IoT onboarding policy; segment IoT on isolated VLAN |
| R-009 | Untrusted certificate authorities in browser stores | 125.8.9 | Low | High | Medium | Audit CA trust stores; implement certificate pinning; PKI governance policy |
| R-010 | OWASP Top 10 vulnerabilities in web-facing services | 125.2.1 | High | High | Critical | Conduct regular DAST/SAST scans; align remediation to OWASP mitigation guidance |
Each lab category maps to one or more NIST CSF functions, demonstrating that this lab portfolio covers the full cybersecurity lifecycle — not just technical skills.
Personal Project
Cisco Packet Tracer · NIST CSF 2.0 · Self-Directed
New Hope City is a fully self-directed network simulation built from scratch in Cisco Packet Tracer — a post-apocalyptic safe zone where network infrastructure is the difference between survival and collapse. The project features six isolated VLANs, a perimeter ASA firewall, RADIUS authentication, a SIEM, and a full management network — all stress-tested across four live threat scenarios, each paired with enterprise GRC documentation mapped to NIST CSF 2.0.
Six zones. Eight VLANs. Four threat actors. One chance to keep the city alive — defended through Zero Trust, VLAN segmentation, and NIST CSF principles.
Mission Brief
New Hope City is a fully self-directed Cisco Packet Tracer network simulation built from scratch — a post-apocalyptic safe zone where network infrastructure is the difference between survival and collapse.
The city is divided into six physical zones, each isolated on its own VLAN. A Layer 3 core switch acts as the city's spine. A Cisco ASA firewall guards the perimeter. RADIUS handles authentication. A SIEM aggregates logs city-wide.
The lab demonstrates: VLAN segmentation, ACL design, Zero Trust architecture, IoT security, OT/ICS air gaps, wireless hardening, incident response, and GRC documentation — all mapped to NIST CSF functions.
Four playable threat scenarios — ranging from a zombie horde DDoS to a nation-state APT — stress-test every layer of the city's defenses. Each scenario is documented with Threat Actor Profile → Attack Vector → Defense Triggered → Outcome.
Network Architecture
Fig 1 — New Hope City Network Architecture · 6 Zones · 8 VLANs · Perimeter firewall + SIEM
Network Segmentation
Documentation
Threat Scenarios
GRC Context
Every New Hope City scenario maps directly to a real-world GRC control from NIST CSF 2.0. The post-apocalyptic setting strips away corporate jargon and forces clear thinking about why controls exist — because when resources are scarce and stakes are existential, only the essential security principles survive.
| Scenario | Real-World GRC Equivalent | NIST CSF 2.0 |
|---|---|---|
| 🧟 Zombie Horde | DDoS mitigation policy, network perimeter defence, port security standards, MAC address management | Detect · Respond (DE.CM · RS.RP) |
| 💀 Bad Guys Base | Firewall ACL design, brute-force lockout policy, VLAN isolation standards, perimeter access control | Protect · Detect (PR.AC · DE.AE) |
| 🕵️ The Shadow Within | Insider threat programme, least privilege enforcement, lateral movement detection, identity governance | Protect · Detect (PR.AC · DE.CM) |
| 🏴 Nation State APT | OT/ICS air-gap policy, wireless security standard, APT detection, threat intelligence integration | Identify · Detect · Respond (ID.RA · DE.AE · RS.RP) |
10+ zombie devices launch a coordinated ping flood against the city perimeter. A "mutated" variant rotates its MAC address to evade detection. IDS/IPS, port security, and the perimeter firewall are put to the test.
Scenario Overview
Undirected external botnet — "zombie horde" of compromised devices with no single command origin
Resource exhaustion; opportunistic disruption of perimeter communications and guard communications (VLAN 70)
Low-to-Medium. Base flood is unsophisticated; mutated MAC-rotating variant suggests semi-autonomous evasion capability
ICMP ping flood from 10+ external nodes; one "mutated" node employs dynamic MAC address rotation to evade port security blocks
External perimeter — outside the ASA 5505 firewall boundary. No internal VLAN breach achieved.
T1498 — Network Denial of Service; T1036.006 — Masquerading via MAC Address Spoofing
Attack Topology
Insert Packet Tracer topology screenshot or exported network diagram here.
Show: 10+ external zombie nodes → ASA 5505 firewall → VLAN 70 perimeter switch → IDS/IPS alert path → War Room (VLAN 10) notification.
Annotate the "mutated zombie" node and the port security block event.
Insert SIEM / Simulation Mode screenshot showing ICMP flood spike, IDS trigger point, and traffic drop-off after firewall block rule applied.
Label T0 (flood onset), T1 (IDS alert), T2 (firewall rule active), T3 (MAC spoof detected by port security).
Enterprise GRC · Risk Register
| Risk ID | Risk Description | Affected Asset | Threat Source | Likelihood | Impact | Severity | Current Controls | Residual Risk | Owner |
|---|---|---|---|---|---|---|---|---|---|
| NHC-R-001 | ICMP ping flood saturates VLAN 70 perimeter bandwidth, degrading guard patrol communications and camera feeds | VLAN 70 — Perimeter Switch, Camera Network | External botnet (zombie devices) | High | High — loss of situational awareness at city perimeter | HIGH | ASA 5505 rate-limiting; IDS/IPS ICMP threshold alert; VLAN segmentation isolates flood to VLAN 70 | LOW | War Room SOC |
| NHC-R-002 | MAC address rotation by mutated zombie node allows sustained port access after initial port security block, enabling continued flood participation | VLAN 70 perimeter switch ports | Mutated zombie node (semi-autonomous MAC spoofer) | Medium | Medium — extended flood duration if undetected; potential for partial perimeter disruption | HIGH | Port security sticky MAC; max MAC per port = 1; violation mode: shutdown; SIEM alert on rapid MAC change | LOW | Network Engineer / SOC Tier 2 |
| NHC-R-003 | Sustained flood may overwhelm IDS/IPS rule engine, causing alert fatigue or missed events on other VLANs during incident | IDS/IPS engine; SOC analyst capacity | Volume-based noise from flood | Medium | Medium — secondary threats could go undetected during active response | MEDIUM | IDS/IPS VLAN-scoped rules; SIEM event correlation; flood auto-block reduces alert volume; SOC escalation path defined | LOW | SOC Lead / War Room Commander |
| NHC-R-004 | Firewall ACL policy gap — ICMP not explicitly denied inbound on perimeter interface — allows flood packets to reach VLAN 70 switch before rate limit triggers | ASA 5505 inbound perimeter ACL | Unsophisticated external nodes exploiting permissive default policy | Low (if ACL properly configured) | High — root cause of initial flood impact | HIGH | Explicit deny ICMP inbound rule added post-incident; rate limit pre-configured on perimeter interface | LOW | Network Engineer |
| NHC-R-005 | No automated isolation playbook — initial manual intervention required before automated controls kicked in, creating a detection-to-containment gap | Incident Response Process | Operational gap — procedural | Medium | Medium — each minute of delay during a flood extends perimeter degradation | MEDIUM | Automated IPS block rule defined; SIEM playbook triggers auto-block after threshold; IRP documented | LOW | SOC Lead |
Incident Response Plan · NHC-INC-001
deny icmp any any inbound on perimeter interface. Traffic from all 10 zombie source IPs dropped at firewall edge. VLAN 70 switch port where mutated zombie was connected automatically shutdown via port security violation mode. SIEM alert suppression rule applied to prevent alert storm from continued blocked traffic. War Room confirms perimeter camera and guard comms restored within 3 minutes of containment action.
deny icmp any any added as first ACL entry on perimeter interface. Additional mitigation: ICMP echo-request fully disabled inbound on ASA perimeter interface for production; only echo-reply permitted for outbound diagnostic purposes. VLAN 70 rate limit reduced from 500 pps to 100 pps. All zombie source IPs added to threat intelligence blacklist.
Security Controls Assessment
Framework Mapping
Post-Incident Review
All 10+ zombie flood sources blocked at the ASA 5505 perimeter firewall. The mutated MAC-rotating variant successfully identified via SIEM correlation and disabled via port security shutdown. VLAN 70 perimeter communications and camera feeds restored to full operation within 8 minutes of containment actions. No internal VLANs breached. War Room situational awareness maintained throughout via management VLAN 99 isolation. Risk register updated and IRP hardened with automated playbook for future flood events. New Hope City perimeter defense validated — the horde did not get in.
The Raider Camp has found your network. Brute force at the gate. Port scans in the dark. A VLAN hopping trick that almost works. Almost.
Intelligence Brief
Attack Sequence
admin/admin, cisco/cisco, enable/password). In the Packet Tracer simulation: place a Raider PC and use the CLI to ssh -l admin [ASA-outside-IP] repeatedly. The ASA's login retry lockout policy triggers after 3 failed attempts — connection dropped, source IP logged to SIEM.

%ASA-4-106023: Deny syslog event forwarded to the War Room SIEM. Telnet port 23 is confirmed closed — the city disabled it city-wide.

switchport nonegotiate), and unused ports shut down. The attack produces no forwarded frames — only a logged violation.

switchport mode access and switchport nonegotiate are set on every access port, the switch ignores the DTP frame entirely. Port security violation counter increments — War Room is alerted.

Visual Documentation
Technical Controls
```
! === New Hope City — ASA 5505 Outside Interface ACL ===
! Block ALL inbound — permit only established return traffic
! Entries are evaluated top-down, so the permit must come before the deny-all
access-list OUTSIDE_IN extended permit tcp any any established
! Explicit deny with logging — every probe hits this and logs to SIEM
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
logging enable
! War Room SIEM IP
logging host inside 10.10.10.100
logging trap informational
```
```
! Limit SSH login attempts — lock after 3 failures
aaa local authentication attempts max-fail 3
ssh timeout 5
aaa authentication ssh console LOCAL
username nhc-admin password [REDACTED] privilege 15
! Only allow SSH from management VLAN — not from outside
ssh 10.99.99.0 255.255.255.0 inside
no ssh 0.0.0.0 0.0.0.0 outside
! Disable Telnet entirely
no telnet 0.0.0.0 0.0.0.0 outside
```
```
! === Applied to every access-mode port city-wide ===
interface range FastEthernet0/1 - 24
 switchport mode access
 ! Disables DTP — kills trunking negotiation attacks
 switchport nonegotiate
 ! Port security has to be enabled before the limits below take effect
 switchport port-security
 ! One device per port
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
! Change native VLAN from default VLAN 1 to unused VLAN 999
! Trunk to building switches
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60,70,99
! Shutdown all unused ports
interface range FastEthernet0/20 - 24
 shutdown
```
```
! Even if VLAN hopping succeeded — ACL stops lateral movement
! Block all external/unknown subnets from reaching VLAN 50
! (0.0.0.0 255.255.255.255 is the same match as "any")
ip access-list extended PROTECT_WAREHOUSE
 deny ip 0.0.0.0 255.255.255.255 10.50.50.0 0.0.0.255 log
 permit ip any any
interface Vlan50
 ! Outbound on the SVI = routed traffic being delivered into VLAN 50
 ip access-group PROTECT_WAREHOUSE out
```
GRC Documentation
| Risk ID | Risk Description | Attack Vector | Likelihood | Impact | Inherent Risk | Control | Residual Risk | NIST CSF |
|---|---|---|---|---|---|---|---|---|
| S2-R001 | Unauthorized access via compromised firewall credentials | External brute-force SSH on ASA outside interface | High | Critical | Critical | SSH restricted to MGMT VLAN only; login lockout after 3 attempts; strong credential policy enforced | Low | PR.AC-3 |
| S2-R002 | Service exposure via open/unfiltered ports on perimeter | Port scanning from external Raider network | High | High | High | ASA deny-all inbound ACL; only explicitly permitted return traffic allowed; all probe events logged to SIEM | Low | PR.AC-5 |
| S2-R003 | VLAN hopping via double-tag 802.1Q encapsulation | Double-tagged frame from external network exploiting native VLAN 1 default | Medium | High | High | Native VLAN changed to 999; DTP disabled on all access ports (switchport nonegotiate); trunk ports use explicit VLAN allowlists | Low | PR.AC-5 |
| S2-R004 | Unauthorized trunk negotiation via DTP exploitation | DTP frames sent to access port to negotiate trunk link | Medium | High | High | All access ports set switchport mode access + switchport nonegotiate; port security enabled; violations trigger shutdown and SIEM alert | Low | PR.PT-4 |
| S2-R005 | Lateral movement to Warehouse supply data after VLAN pivot | Post-VLAN-hop access to VLAN 50 supply tracking server | Medium | Critical | High | Inter-VLAN ACL on VLAN 50 SVI blocks all traffic from non-authorized VLANs; SIEM monitors cross-VLAN traffic anomalies | Low | PR.AC-4 |
| S2-R006 | Delayed detection of sustained port scanning campaign | Low-rate port scan designed to evade threshold-based detection | Medium | Medium | Medium | SIEM log aggregation captures all ASA deny events; War Room reviews logs daily; IDS/IPS rate-limiting trigger regardless of scan speed | Medium | DE.AE-3 |
| S2-R007 | Telnet credentials intercepted in plaintext | Passive network eavesdropping on management traffic | Low | High | Medium | Telnet disabled city-wide; all management via SSH with strong keys; management traffic restricted to VLAN 99 only | Low | PR.DS-2 |
GRC Documentation
%ASA-4-106023: Deny tcp src outside: [RAIDER-IP] dst inside: [ASA-IP]/22 — repeated within 60 seconds triggers brute-force threshold alert.

%ASA-4-106023 events across multiple destination ports from same source IP — classified as port scan in progress.

ip route [RAIDER-IP] 255.255.255.255 Null0 on the edge router — all traffic from that IP silently dropped at the routing layer before reaching the ASA.

show interfaces trunk — only approved uplinks should appear.

show port-security on all building switches. Any port in err-disabled state is investigated before re-enabling.

show dtp interface [int] on all access ports to confirm DTP is fully disabled. Re-apply switchport nonegotiate where any deviation is found.

Framework Alignment
Scenario Result
The threat didn't come from outside the wall. It came from inside. A Warehouse worker. A compromised device. A slow walk toward the War Room.
Intelligence Brief
A legitimate Warehouse employee whose workstation (IP 10.50.50.23) has been compromised — either by social engineering, a malicious USB device, or a phishing link smuggled in with a supply delivery. The attacker now controls this endpoint from within an authorized VLAN, with a valid authenticated session on the network.
Attack Sequence
warehouse-user role. From here, the network looks different than from outside: same physical cables, same switch, same VLAN — but you're already past the perimeter.

10.10.10.1 (War Room gateway) times out — the inter-VLAN ACL drops it and logs the attempt. A ping to 10.99.99.50 (RADIUS server) also fails. The attacker can see other VLAN 50 devices but nothing beyond. In Packet Tracer Simulation Mode, you can watch the ICMP packets hit the VLAN 10 SVI interface and get dropped by the ACL.

10.10.10.100:443). The inter-VLAN extended ACL on the VLAN 10 SVI — which denies all traffic from 10.50.50.0/24 — drops the packet before it reaches any War Room device. A deny log entry is generated for each attempt. Three attempts in 30 seconds trip the SIEM's brute-access threshold.

warehouse-user credentials but request a higher privilege attribute — attempting to re-authenticate as privilege 15 (full admin). RADIUS evaluates the request against the role policy: warehouse-user is hard-mapped to privilege 1 with supply-log access only. The escalation request is rejected. The failed privilege-change attempt is logged as a RADIUS authentication anomaly.

10.50.50.23 as Warehouse Station 3. The RADIUS account is suspended. On the core switch, the port connected to Station 3 is manually shut down (interface shutdown). Physical security is dispatched to the Warehouse. The compromised device is seized for forensic analysis.

Zero Trust Architecture
This matrix defines exactly what each role can access. The Warehouse Worker role is highlighted — demonstrating why the attacker's privilege escalation attempt was structurally impossible.
| Role / Zone | War Room VLAN 10 | Armory VLAN 20 | Energy/Water VLAN 30 | Greenhouse VLAN 40 | Warehouse VLAN 50 | Residential VLAN 60 | Mgmt (VLAN 99) RADIUS / SIEM |
|---|---|---|---|---|---|---|---|
| War Room Commander | FULL | FULL | READ | READ | READ | READ | ADMIN |
| Armory Clerk | DENY | R/W | DENY | DENY | READ | DENY | DENY |
| Energy Operator | DENY | DENY | R/W | DENY | DENY | DENY | DENY |
| Greenhouse Manager | DENY | DENY | DENY | R/W | DENY | DENY | DENY |
| ⚠ Warehouse Worker ← ATTACKER | DENY | DENY | DENY | DENY | LOG ONLY | DENY | DENY |
| Residential Survivor | DENY | DENY | DENY | READ | DENY | HOME | DENY |
The Warehouse Worker role has exactly one permission: write access to the supply log on VLAN 50. It cannot query other VLANs, cannot authenticate to the RADIUS server at a higher privilege tier, and cannot reach the War Room — not because of a single firewall rule, but because every layer of the architecture assumes the role will never need those resources. Zero Trust means that even if the attacker obtains a valid credential, the credential itself is scoped so narrowly that it provides almost no attack surface.
Visual Documentation
Technical Controls
```
! === Protect War Room from all unauthorized VLANs ===
! Applied outbound on VLAN 10 SVI (routed packets being delivered to the War Room);
! traffic sourced from other VLANs never arrives inbound on this SVI
ip access-list extended PROTECT_WARROOM
 ! Warehouse → War Room DENY
 deny ip 10.50.50.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 ! Greenhouse → War Room DENY
 deny ip 10.40.40.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 ! Residential → War Room DENY
 deny ip 10.60.60.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 ! MGMT VLAN permitted
 permit ip 10.99.99.0 0.0.0.255 any
 ! Armory permitted (approved)
 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
interface Vlan10
 ip access-group PROTECT_WARROOM out
```
```
! === AAA Configuration on Core Router / L3 Switch ===
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 10.99.99.50 key [REDACTED]
! RADIUS server assigns privilege level per role:
!   war-room-admin → privilege 15 (full)
!   armory-clerk → privilege 3 (limited)
!   warehouse-user → privilege 1 (supply log only)
!   greenhouse-mgr → privilege 1 (IoT read only)
! Privilege level is HARD-ASSIGNED server-side — client cannot override.
! Any authentication request containing a privilege mismatch = Access-Reject.
```
```
! === Executed by War Room operator after SIEM alert confirmed ===
! Identifies the port connected to Warehouse Station 3 (10.50.50.23)
! Resolves MAC address
show arp | include 10.50.50.23
! Finds physical port
show mac address-table | include [MAC]
configure terminal
! Port connected to WH-Station-3
interface FastEthernet0/23
 ! Isolates compromised endpoint immediately
 shutdown
 ! [DATE] is a placeholder; IOS does not expand shell-style substitutions
 description COMPROMISED-ISOLATED-[DATE]
! RADIUS account suspended — executed on RADIUS server console:
! Set user warehouse-user status=DISABLED pending security investigation
```
```
! === SIEM Correlation Logic (pseudo-rule format) ===
! Fires when BOTH conditions occur from same source IP within 5 minutes:
RULE: INSIDER_THREAT_INDICATOR
  condition_1: ACL_DENY event from src_ip AND dst_vlan = 10 (War Room)
  condition_2: RADIUS_REJECT event from same src_ip (privilege escalation)
  time_window: 300 seconds
  threshold: condition_1 count >= 3 OR condition_2 count >= 1
  action: ALERT severity=CRITICAL → War Room console
          LOG all events to VLAN99:/forensics/$(incident_id)
          NOTIFY war-room-commander via IP Phone VLAN 10
```
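The INSIDER_THREAT_INDICATOR pseudo-rule above, worked through as an added Python example (not part of the original lab and not any SIEM product's rule syntax). It alerts on the rule's threshold line (three ACL denies toward VLAN 10, or one RADIUS reject, per source IP inside 300 seconds) and flags when both indicators were present. The `Event` fields, the normalised event names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAR_ROOM_NET = ip_network("10.10.10.0/24")  # VLAN 10 subnet used on this page
WINDOW_SECONDS = 300                         # time_window in the pseudo-rule
ACL_DENY_THRESHOLD = 3                       # condition_1 count
RADIUS_REJECT_THRESHOLD = 1                  # condition_2 count


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since start of capture (constructed)
    kind: str          # "ACL_DENY" or "RADIUS_REJECT" (assumed normalised names)
    src_ip: str
    dst_ip: str = ""   # only used for ACL_DENY


@dataclass(frozen=True)
class Alert:
    ts: int
    src_ip: str
    acl_denies: int
    radius_rejects: int

    @property
    def both_indicators(self) -> bool:
        return (self.acl_denies >= ACL_DENY_THRESHOLD
                and self.radius_rejects >= RADIUS_REJECT_THRESHOLD)


def correlate(events):
    """Sliding-window correlation per source IP.

    An alert is emitted when a source first meets either threshold, and again
    if it escalates from one indicator to both inside the same window.
    """
    denies = defaultdict(deque)    # src_ip -> timestamps of denies toward VLAN 10
    rejects = defaultdict(deque)   # src_ip -> timestamps of RADIUS rejects
    level = defaultdict(int)       # 0 = quiet, 1 = one indicator, 2 = both
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ACL_DENY":
            # Denies toward other subnets do not count for condition_1.
            if ip_address(ev.dst_ip) not in WAR_ROOM_NET:
                continue
            denies[ev.src_ip].append(ev.ts)
        elif ev.kind == "RADIUS_REJECT":
            rejects[ev.src_ip].append(ev.ts)
        else:
            continue
        # Expire everything older than the window for this source.
        for queue in (denies[ev.src_ip], rejects[ev.src_ip]):
            while queue and ev.ts - queue[0] > WINDOW_SECONDS:
                queue.popleft()
        d, r = len(denies[ev.src_ip]), len(rejects[ev.src_ip])
        new_level = int(d >= ACL_DENY_THRESHOLD) + int(r >= RADIUS_REJECT_THRESHOLD)
        if new_level > level[ev.src_ip]:
            alerts.append(Alert(ev.ts, ev.src_ip, d, r))
        level[ev.src_ip] = new_level
    return alerts


# Constructed sample events, not output from the lab.
SAMPLE_EVENTS = [
    # Warehouse Station 3: probes the War Room, then tries privilege escalation.
    Event(0, "ACL_DENY", "10.50.50.23", "10.10.10.1"),
    Event(5, "ACL_DENY", "10.50.50.23", "10.99.99.50"),   # RADIUS server, not VLAN 10
    Event(60, "ACL_DENY", "10.50.50.23", "10.10.10.100"),
    Event(70, "ACL_DENY", "10.50.50.23", "10.10.10.100"),
    Event(80, "ACL_DENY", "10.50.50.23", "10.10.10.100"),
    Event(200, "RADIUS_REJECT", "10.50.50.23"),
    # Slow prober: one attempt per hour never reaches 3 inside a window.
    Event(0, "ACL_DENY", "10.50.50.40", "10.10.10.100"),
    Event(3600, "ACL_DENY", "10.50.50.40", "10.10.10.100"),
    Event(7200, "ACL_DENY", "10.50.50.40", "10.10.10.100"),
    # A single RADIUS reject is enough on its own.
    Event(100, "RADIUS_REJECT", "10.60.60.7"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        tag = "BOTH" if alert.both_indicators else "SINGLE"
        print(f"t={alert.ts:>4}s {alert.src_ip:<12} denies={alert.acl_denies} "
              f"rejects={alert.radius_rejects} {tag}")
```

The hourly prober at 10.50.50.40 produces no alert under this rule, which is the gap that risk S3-R003 covers with daily log review.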
GRC Documentation
| Risk ID | Risk Description | Attack Vector | Likelihood | Impact | Inherent Risk | Control | Residual Risk | NIST CSF |
|---|---|---|---|---|---|---|---|---|
| S3-R001 | Unauthorized cross-VLAN access from compromised insider endpoint | TCP connection from VLAN 50 toward VLAN 10 War Room | High | Critical | Critical | Inter-VLAN extended ACL on VLAN 10 SVI denies all traffic from VLAN 50; deny events logged to SIEM with threshold alerting | Low | PR.AC-4 |
| S3-R002 | Privilege escalation via RADIUS authentication manipulation | Attacker requests higher privilege tier via existing credential session | Medium | Critical | High | RADIUS role hard-assigned server-side; privilege 1 for warehouse-user is non-negotiable; any mismatched request triggers Access-Reject and SIEM event | Low | PR.AC-3 |
| S3-R003 | Delayed detection of slow/low-frequency lateral movement attempts | Attacker makes one attempt per hour to stay below alert thresholds | Medium | High | High | SIEM logs ALL ACL deny events regardless of frequency; War Room daily log review catches outliers; any cross-VLAN-10 attempt from VLAN 50 is treated as critical regardless of count | Medium | DE.AE-3 |
| S3-R004 | Endpoint compromise via physical media (USB / rogue device) | Malicious USB device or unauthorized hardware introduced at Warehouse | High | Critical | Critical | Port security limits one device per switch port; USB policy covered in Acceptable Use Policy; physical security monitors Warehouse building entry (VLAN 70 cameras) | Medium | PR.AC-2 |
| S3-R005 | Account persistence after compromise (backdoor user creation) | Attacker creates hidden admin account on RADIUS server before detection | Low | Critical | High | Warehouse-user role has no write access to RADIUS server or VLAN 99; account creation requires privilege 15; ACL blocks VLAN 50 from reaching VLAN 99 management network | Low | PR.AC-1 |
| S3-R006 | Data exfiltration of Warehouse supply inventory data | Insider exports FIFO supply log before isolation | Medium | Medium | Medium | Data Loss Prevention (DLP) policy covers outbound file transfers; Warehouse server access-logged; all outbound traffic to perimeter blocked by ASA unless explicitly permitted | Medium | PR.DS-5 |
| S3-R007 | Forensic evidence loss due to delayed endpoint seizure | Attacker wipes logs before physical security arrives | Medium | High | High | SIEM captures and stores all log events on VLAN 99 server — independent of endpoint state; port shutdown removes network access before local log manipulation is possible | Low | RS.AN-1 |
GRC Documentation
show arp to get MAC, then show mac address-table to find the physical switch port. Immediately: interface FastEthernet0/23 → shutdown. Station 3 loses all network access within 60 seconds of the decision.
warehouse-user credential. All active sessions are terminated. New sessions with this credential are rejected.
Framework Alignment
Scenario Result
The most sophisticated threat. A nation-state actor launches a slow, persistent probe against Energy & Water (VLAN 30) and deploys a rogue evil-twin access point. OT air gap holds. WLAN monitoring detects the fake SSID. War Room null-routes the source.
Scenario Overview
Nation-state advanced persistent threat (APT) — highly resourced, patient, and technically sophisticated; operates outside the perimeter over extended periods without triggering volume-based alerts
Strategic disruption and intelligence collection — targeting Energy & Water (VLAN 30) to gain leverage over city survival infrastructure; radio communications interception for intelligence on city operations
Very High — slow, low-volume probe designed to evade IDS/IPS thresholds; rogue AP is a precision wireless attack requiring knowledge of city SSID; multi-vector, multi-phase campaign
1) Slow persistent port probe of Energy & Water VLAN 30 (OT/SCADA zone); 2) Rogue evil-twin access point broadcasting SSID "NHC-MESH" to intercept city wireless communications
External perimeter; no internal VLAN breach achieved due to OT air gap on VLAN 30 and WPA2-Enterprise + RADIUS authentication preventing evil-twin association
T1595 — Active Scanning; T1583.002 — Compromise Infrastructure (AP); T0867 — Lateral Movement (ICS); T1498.002 — Reflection Amplification
APT Kill Chain
ROGUE_AP_EVIL_TWIN_001. Separately, SIEM slow-probe detection rule (cumulative port scan correlation over 4-hour window) identifies probe activity: SLOW_PROBE_VLAN30_001. Both incidents escalated to War Room Commander.
Attack Topology
Insert Packet Tracer topology screenshot. Show external APT node → ASA 5505 perimeter → attempted reach of VLAN 30 Energy & Water OT/SCADA air-gap segment. Annotate OT ACL block point, SIEM slow-probe correlation detection trigger, and War Room null-route action. Show zero penetration of OT air gap.
PLACEHOLDER · Export from Packet Tracer → Logical View
Insert wireless topology diagram showing legitimate NHC-MESH access points vs. rogue evil-twin AP outside perimeter. Show WPA2-Enterprise + RADIUS authentication flow blocking association to evil twin. Annotate WLAN monitoring detection event (duplicate SSID, unauthorized BSSID) and SIEM alert ROGUE_AP_EVIL_TWIN_001.
PLACEHOLDER · Export from Packet Tracer → Wireless Topology View
Insert SIEM screenshot showing the cumulative port-scan correlation rule firing. Contrast with standard IDS/IPS threshold rule (not triggered by slow probe). Demonstrate the time-window correlation capability that caught the APT activity that volume-based detection would have missed entirely.
PLACEHOLDER · Export from Splunk Correlation Rule View
Enterprise GRC · Risk Register
| Risk ID | Risk Description | Affected Asset | Threat Source | Likelihood | Impact | Severity | Current Controls | Residual Risk | Owner |
|---|---|---|---|---|---|---|---|---|---|
| NHC-R-016 | Slow persistent probe of VLAN 30 OT/SCADA segment evades volume-based IDS/IPS detection; may map infrastructure before triggering alert | VLAN 30 — Energy & Water OT/SCADA | Nation-state APT actor (external) | Medium | Critical — SCADA compromise could shut down city power and water, threatening all survivor life functions | CRITICAL | OT air-gap ACL blocks all access; SIEM time-window correlation rule detects low-rate probe over 4-hour window; ASA null-route on detection | LOW | War Room Commander · OT Security Lead |
| NHC-R-017 | Evil-twin AP with SSID "NHC-MESH" could intercept radio communications from patrol units if they associate to the rogue AP | NHC-MESH Wireless Network; Patrol Unit Devices | Nation-state APT (physical proximity rogue AP) | Medium | High — patrol comms interception could expose city patrol routes, headcount, and operational plans to adversary | HIGH | WPA2-Enterprise + RADIUS — devices cannot associate without valid certificate; WLAN monitoring detects duplicate SSID on unauthorized BSSID | LOW | Wireless Engineer · War Room Commander |
| NHC-R-018 | OT air-gap misconfiguration (e.g., ACL rule drift or a temporary maintenance bypass) could allow APT probe to reach SCADA systems during the engagement window | VLAN 30 OT ACL; SCADA devices | APT exploiting configuration gap during probe | Low | Critical — SCADA access could enable physical infrastructure sabotage | CRITICAL | OT ACL reviewed quarterly; maintenance windows require dual-approval; no ACL bypass permitted without War Room Commander sign-off | MEDIUM | Network Engineer · OT Security Lead |
| NHC-R-019 | SIEM time-window correlation rule may not detect APT probes operating over periods longer than the 4-hour detection window | SIEM detection capability; War Room SOC | Ultra-low-rate APT probe variant | Low | High — undetected long-duration probe could complete full port mapping without triggering any alert | HIGH | Multiple time-window correlation rules: 4-hour, 24-hour, 7-day. Threat intel feed integration for known APT source IP ranges. ASA flow logging to SIEM for long-baseline analysis | LOW | SOC Lead · SIEM Engineer |
| NHC-R-020 | Physical rogue AP deployment outside perimeter requires physical security response capability — SOC-only response is insufficient if no physical sweep team exists | City physical perimeter; wireless security | Nation-state actor with physical access to perimeter vicinity | Medium | Medium — rogue AP remains active until physically removed; sustained association attempts continue while device is present | HIGH | WLAN monitoring triggers rogue AP alert with estimated location data; physical sweep team protocol defined; alert response SLA: sweep within 30 min of detection | LOW | Physical Security Lead · SOC Lead |
| NHC-R-021 | Multi-vector simultaneous attack (probe + evil twin) may split SOC analyst attention, creating a window where one vector is inadequately monitored | SOC operational capacity; incident triage process | APT deliberate multi-vector strategy | Medium | Medium — delayed response to either vector extends exposure window | MEDIUM | SIEM triage dashboard auto-groups related events; Tier 2 escalation for multi-vector incidents; War Room Commander briefed immediately; parallel response playbooks activated | LOW | SOC Lead · War Room Commander |
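Risks NHC-R-016 and NHC-R-019 both depend on time-window correlation catching what a volume threshold misses. The code below is an added example, not the lab's Splunk rule: it counts distinct destination ports per source over the 4-hour, 24-hour and 7-day windows named in the register, next to a per-minute rate rule. The thresholds, the flow tuple layout and the flow records (documentation-range source IPs) are assumptions constructed for the demonstration.

```python
from collections import defaultdict

HOUR = 3600
WINDOWS = {"4h": 4 * HOUR, "24h": 24 * HOUR, "7d": 7 * 24 * HOUR}  # windows named in NHC-R-019
DISTINCT_PORT_THRESHOLD = 20   # assumed: distinct ports per source per window
RATE_WINDOW = 60               # assumed: volume rule looks at one minute
RATE_THRESHOLD = 20            # assumed: denied connections per minute

# Constructed denied-flow records toward VLAN 30: (ts_seconds, src_ip, dst_port).
NOISY = [(100 + i, "192.0.2.44", 1000 + i) for i in range(25)]          # 25 ports in 25 s
SLOW = [(i * 600, "203.0.113.10", 20 + i) for i in range(24)]           # one port per 10 min
ULTRA_SLOW = [(i * 2 * HOUR, "198.51.100.7", 5000 + i) for i in range(24)]  # one port per 2 h
SAMPLE_FLOWS = NOISY + SLOW + ULTRA_SLOW


def rate_rule(flows):
    """Volume-based rule: sources with RATE_THRESHOLD+ denied flows inside RATE_WINDOW seconds."""
    times_by_src = defaultdict(list)
    for ts, src, _port in flows:
        times_by_src[src].append(ts)
    flagged = set()
    for src, times in times_by_src.items():
        times.sort()
        lo = 0
        for hi, now in enumerate(times):
            while now - times[lo] > RATE_WINDOW:
                lo += 1
            if hi - lo + 1 >= RATE_THRESHOLD:
                flagged.add(src)
                break
    return flagged


def cumulative_rule(flows, window):
    """Time-window rule: {src: first ts at which distinct ports in the trailing window hit the threshold}."""
    seq_by_src = defaultdict(list)
    for ts, src, port in sorted(flows):
        seq_by_src[src].append((ts, port))
    hits = {}
    for src, seq in seq_by_src.items():
        lo = 0
        in_window = defaultdict(int)   # port -> number of flows currently inside the window
        for now, port in seq:
            in_window[port] += 1
            # Evict flows older than the window and forget ports that no longer appear in it.
            while now - seq[lo][0] > window:
                old_port = seq[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            if len(in_window) >= DISTINCT_PORT_THRESHOLD:
                hits[src] = now
                break
    return hits


def detect(flows):
    """Run the volume rule and every time-window rule over the same flows."""
    result = {"rate": sorted(rate_rule(flows))}
    for name, seconds in WINDOWS.items():
        result[name] = cumulative_rule(flows, seconds)
    return result


if __name__ == "__main__":
    for rule, outcome in detect(SAMPLE_FLOWS).items():
        print(rule, outcome)
```

The ten-minute probe never trips the rate rule but crosses the 4-hour window after 3 h 10 min; the two-hour probe stays under both the 4-hour and 24-hour windows and is only caught by the 7-day rule.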
Incident Response Plan · NHC-INC-004
SLOW_PROBE_VLAN30_001. SOC Tier 1 reviews ASA flow logs — confirms systematic port enumeration against the VLAN 30 perimeter interface. No OT systems reached due to air-gap ACL. Source IP not on existing blacklist — new actor identified.
ROGUE_AP_EVIL_TWIN_001 — duplicate SSID "NHC-MESH" detected on unauthorized BSSID. Signal strength analysis indicates AP is positioned 50–100m outside city perimeter. No patrol unit has associated — WPA2-Enterprise RADIUS pre-auth blocks all association attempts. Both incidents correlated in SIEM as single multi-vector campaign. Severity: CRITICAL. War Room Commander notified immediately.
ip route [APT-IP] 255.255.255.255 Null0 — all probe traffic silently dropped. ASA logging confirmed: zero packets from source IP reaching VLAN 30 interface post-null-route. OT air-gap ACL reviewed and confirmed intact — no rule drift detected.
Security Controls Assessment
Framework Mapping
Post-Incident Review
The slow persistent probe of Energy & Water (VLAN 30) was detected by SIEM time-window correlation and neutralized via ASA null route. The rogue evil-twin access point was detected by WLAN monitoring, physically located, and removed within 22 minutes. WPA2-Enterprise + RADIUS authentication prevented any city device from associating to the evil-twin AP throughout the engagement. The OT air gap held — no SCADA systems were reached or compromised. All city zones remained fully operational. Energy generation and water treatment continued at normal parameters throughout the incident. A full 12-page APT incident report was compiled. Threat intelligence was updated and shared. New Hope City's most critical infrastructure survived contact with its most sophisticated adversary.
Instructional Design · Featured Work
An 8-week, instructor-ready professional development curriculum built for adult learners entering the cybersecurity field — designed to be taught, handed off, and scaled across classes without losing structure or quality.
The Per Scholas Cybersecurity PD Plan is a complete, week-by-week instructional framework that takes students from zero professional presence to fully job-ready in 8 structured sessions. Every week has a clear objective, timed activities, teacher notes, and student deliverables that connect directly to real employment outcomes.
It is designed so any instructor can pick it up, follow it, and deliver a consistent, high-quality experience — whether it is their first class or their tenth.
Consistent outcomes across instructors. Any teacher can run this curriculum and deliver the same experience — the structure, timing, and teacher notes remove guesswork and ensure quality does not depend on a single person.
Employment outcomes that reflect on the school. Students graduate with six complete, employer-ready deliverables — more placements, stronger alumni outcomes, and a measurable return on the program investment.
Built-in flexibility without losing structure. The curriculum accommodates different class schedules, instructor teaching styles, and student experience levels without requiring the teacher to rebuild anything from scratch.
Scales without rework. Designed to be reused across classes with minor updates — new class, same strong program. Setup takes minutes, not weeks.
Ready to See It In Full
Week-by-week curriculum, teacher guides, timing breakdowns, student deliverables, tool setup instructions, and built-in resources — all in one document.
An 8-week supplemental professional development curriculum I designed to help Per Scholas cybersecurity students organize, deepen, and extend their career readiness journey — inspired by what I observed and experienced as a student in the program.
This curriculum started as a personal project during my time in the Per Scholas Cybersecurity AI program. I used what I was learning — both in cybersecurity and in the PD portion of the course — as raw material to build a structured instructional design artifact that could serve as a teacher planning tool, a student progression guide, or a reusable program framework.
The program is designed as a blended format, combining synchronous workshop sessions, asynchronous independent practice, peer review, and individual coaching feedback.
Adult learners in the Per Scholas Cybersecurity program — many of whom are career-changers from underrepresented communities entering the technology sector for the first time. This curriculum supplements their technical training with a structured, week-by-week framework for building the professional tools and confidence employers look for.
| Duration | 8 Weeks |
| Format | Blended (Sync + Async) |
| Sessions/Week | 1–2 Workshops + Independent Practice |
| Framework | ADDIE + Experiential Learning |
| Assessment Model | Authentic / Performance-Based |
| AI Integration | Embedded across all modules |
This curriculum was developed using the ADDIE framework — a systematic instructional design process ensuring alignment between learner needs, program goals, and measurable outcomes. Each phase directly informed specific design decisions within this project.
Drawing on my own experience as a Per Scholas student — and observing my cohort — I identified opportunities to add more structure around GitHub portfolio creation, organized job tracking, and a formal capstone presentation. These additions complement the program's existing resume, LinkedIn, and interview preparation support.
Objectives were written using Bloom's Taxonomy action verbs (construct, demonstrate, evaluate, synthesize). Each week targets a discrete, stackable skill set. Backward design ensured every activity traced directly to a real employment outcome.
Materials include facilitator guides, learner workbooks, AI prompt libraries, grading rubrics with defined success criteria, peer review templates, and alumni speaker frameworks — all developed to be scalable and reusable by any facilitator.
The blended delivery model accounts for adult learner schedules and varied access needs. Continuous improvement is built in via mid-program check-ins, end-of-session feedback forms, and post-placement employment tracking that feeds back into future curriculum iterations.
Effective instructional design begins with a deep understanding of the learner. The following analysis informed every design decision in this curriculum — written from the perspective of someone who experienced this program as a student.
Adult career-changers and re-entry professionals (primarily ages 22–45) completing the Per Scholas Cybersecurity program. Many are first-generation college students or individuals from communities historically underrepresented in the tech sector — bringing significant life experience and motivation into the classroom.
Learners enter with developing cybersecurity technical competency and participate in existing professional development sessions. This curriculum adds extended scaffolding — particularly around GitHub portfolio documentation and structured job tracking — for students who want to go further in building their professional presence.
Computer with internet connection required. All platforms used are freely accessible: LinkedIn, GitHub, Google Docs, AI tools (Azari AI, ChatGPT, Claude), and video conferencing. No paid software required — a deliberate choice to remove access barriers.
By the end of this 8-week program, learners will be able to:
| Domain | Bloom's Level | Learning Outcome | Bloom's Verb |
|---|---|---|---|
| Resume Development | Create | Construct an ATS-optimized resume that highlights cybersecurity skills, certifications, and measurable accomplishments | Construct |
| LinkedIn Optimization | Apply | Develop a complete, recruiter-facing LinkedIn profile incorporating industry-relevant keywords and a compelling professional summary | Develop |
| GitHub Portfolio | Create | Build a professional GitHub portfolio with a structured README, project documentation, and evidence of technical coursework | Build |
| Elevator Pitch | Apply | Deliver a polished 30-second elevator pitch that clearly communicates professional identity, skills, and career goals | Deliver |
| Interview Readiness | Evaluate | Demonstrate competency in behavioral and technical interview formats by responding to structured questions using the STAR method | Demonstrate |
| AI Tools | Analyze | Evaluate AI-generated career content for accuracy, tone, and authenticity, applying responsible editing practices before use | Evaluate |
| Job Search Strategy | Apply | Organize an active job search using a structured tracking system documenting applications, follow-ups, and outcomes | Organize |
| Professional Branding | Synthesize | Synthesize a cohesive personal brand narrative that is consistent across resume, LinkedIn, GitHub, and verbal communication | Synthesize |
| Capstone | Create + Evaluate | Present a complete career readiness portfolio to an audience of workforce professionals, incorporating peer and facilitator feedback | Present |
The 8-week sequence is scaffolded from foundational branding through to an integrated, employer-facing capstone presentation. Each week builds on the last, ensuring learners develop skills progressively before synthesizing them in a final showcase.
| Week | Topic | Skills Developed | Deliverable | Assessment Method |
|---|---|---|---|---|
| Week 1 | Resume Development | ATS formatting, keyword integration, accomplishment-based language, transferable skills articulation | Polished, ATS-optimized resume | Rubric-based peer + facilitator review |
| Week 2 | LinkedIn Optimization | Professional summary writing, headline crafting, skills section, recruiter discoverability | Complete LinkedIn profile | Profile audit checklist + peer feedback |
| Week 3 | GitHub Portfolio | README documentation, project organization, technical writing, portfolio curation | GitHub portfolio with README and 2+ projects | Portfolio review rubric |
| Week 4 | AI-Assisted Career Prep | Prompt engineering, AI content review and editing, responsible AI use, efficiency tools | AI-assisted resume + cover letter drafts with edits documented | Reflection on editing process; before/after comparison |
| Week 5 | Elevator Pitch | Verbal self-marketing, concise storytelling, professional presence, audience awareness | Recorded 30-second elevator pitch | Peer evaluation rubric + facilitator feedback |
| Week 6 | Mock Interviews | STAR method, behavioral questioning, technical Q&A, active listening, professional composure | Completed mock interview (recorded or live) | Structured interview rubric + self-assessment |
| Week 7 | Workforce Integration & Job Tracking | Job search strategy, networking, application tracking, alumni engagement | Job tracker with 5+ active applications documented | Tracker review + networking activity log |
| Week 8 | Capstone Presentation | Portfolio synthesis, professional presentation, audience engagement, self-advocacy | Full career readiness portfolio + live capstone presentation | Capstone rubric evaluated by facilitators and workforce partners |
| Assessment | Type | Learning Objective Measured | Success Criteria |
|---|---|---|---|
| Resume Review | Authentic / Product | Construct an ATS-optimized resume reflecting cybersecurity competencies | Passes ATS scan; includes quantified accomplishments; rubric score ≥ 80% |
| LinkedIn Review | Authentic / Product | Develop a complete, recruiter-facing LinkedIn profile | All required sections complete; professional headshot; 500+ character summary; industry keywords present |
| GitHub Portfolio | Portfolio / Product | Build a professional GitHub portfolio with documented projects | Profile README complete; 2+ projects with descriptions; consistent formatting; accessible to public |
| Elevator Pitch | Performance | Deliver a polished 30-second professional self-introduction | Stays within 30–45 seconds; clearly states name, role, skills, and goal; confident delivery; peer rubric ≥ 75% |
| Mock Interviews | Performance / Simulation | Demonstrate behavioral and technical interview competency using STAR method | STAR structure used in ≥ 3 responses; maintains professional composure; facilitator rubric score ≥ 75% |
| Job Tracker | Process / Documentation | Organize a structured, active job search strategy | Minimum 5 applications documented; includes company, role, date, status, and follow-up notes |
| Capstone Presentation | Summative / Portfolio Defense | Synthesize and present a complete career readiness portfolio to workforce stakeholders | All 6 core artifacts present; 8–10 minute presentation; audience Q&A navigated confidently; overall rubric ≥ 80% |
This curriculum is grounded in Malcolm Knowles' theory of Andragogy and Kolb's Experiential Learning Cycle. Every module was designed with the following adult learning principles explicitly in mind:
Learners choose their own job search targets, write their own career narratives, and make independent decisions about their professional brand. Facilitators guide rather than dictate. Asynchronous modules allow learners to pace their work around their lives.
Every activity produces something learners will actually use in their job search — not hypothetical exercises. This immediate relevance is the core motivator for adult engagement and program completion.
Skills are applied the same week they are introduced. Resume week produces a real resume. Pitch week produces a recorded pitch. There is no lag between learning and doing — a key principle of adult motivation.
Self-assessments, written reflections on AI tool use, and post-interview debriefs build metacognitive awareness. Learners are explicitly asked: "What worked? What would you change?" — connecting experience to growth.
Structured peer review activities occur in Weeks 1, 2, 5, and 6. Learners practice giving and receiving professional feedback — a critical workplace skill that also deepens their own understanding of quality standards.
Mock interviews simulate real interview conditions. Capstone presentations replicate workforce panel presentations. Alumni and employer guests provide authentic industry context. Scenarios mirror real hiring events, not classroom exercises.
Week 4 introduces learners to structured prompt writing. Students practice crafting specific, role-targeted prompts that produce relevant career content — a transferable skill valued by modern employers across all sectors.
Learners are explicitly taught to review AI output for accuracy, tone, cultural fit, and authenticity. A "before and after" reflection documents what they changed and why — building critical evaluation skills alongside efficiency.
No AI-generated content is submitted unedited. Learners are required to personalize, fact-check, and revise all AI outputs to reflect their authentic voice. This process makes the final product stronger, not just faster.
AI is framed as a first-draft accelerator, not a thinking replacement. Learners use it to overcome blank-page paralysis and generate options — then apply their own expertise to select, refine, and personalize the content.
Employers increasingly expect new hires to be AI-literate. By integrating AI tools with explicit guidance on responsible use, this curriculum ensures graduates can speak confidently about how and when they use these tools professionally.
Learners document their AI use and editing decisions. This creates accountability while normalizing the responsible, disclosed use of AI — a professional standard being adopted across industries.
This curriculum was designed with Universal Design for Learning (UDL) principles as a guiding framework, ensuring all learners can access, engage with, and demonstrate learning regardless of background or circumstance.
Program effectiveness is measured using the Kirkpatrick Four-Level Evaluation Model, with additional workforce development metrics aligned to Per Scholas' organizational outcomes.
| Kirkpatrick Level | Metric | How Measured | Target |
|---|---|---|---|
| Level 1 — Reaction | Learner satisfaction | End-of-session feedback surveys; post-program NPS | ≥ 80% positive response rate |
| Level 2 — Learning | Skill acquisition | Pre/post rubric scores on resume, pitch, and interview assessments | Measurable improvement from Week 1 to Week 8 |
| Level 3 — Behavior | Portfolio completion rate | % of learners who complete all 6 core deliverables | ≥ 85% completion |
| Level 3 — Behavior | Mock interview performance | Facilitator rubric scores across cohort | ≥ 75% of learners score proficient or above |
| Level 4 — Results | Employment outcomes | 90-day and 6-month placement tracking via alumni follow-up | Increased placement rate vs. prior cohorts |
| WFD Metrics | Workforce development KPIs | Per Scholas alumni engagement rates; employer satisfaction surveys | Aligns with organizational reporting requirements |
This curriculum project demonstrates a comprehensive range of instructional design, curriculum development, and workforce training competencies applicable to corporate L&D, EdTech, workforce development, and higher education settings.
| Competency Area | Evidence in This Project | Industry Application |
|---|---|---|
| Curriculum Development | 8-week scaffolded program with logical skill progression and backward-designed objectives | L&D teams, training departments, academic institutions |
| Instructional Design (ADDIE) | Full ADDIE lifecycle documented with phase-specific examples from this program | All ID roles |
| Learning Experience Design | Learner-centered design with empathy-driven barrier analysis and UDL principles | EdTech, corporate training, bootcamps |
| Facilitation Design | Workshop structures, facilitator guides, peer review protocols, mock interview frameworks | Training facilitation, coaching, workshop design |
| Assessment Design | Authentic, performance-based assessments with rubrics tied directly to Bloom's objectives | K-12, higher ed, workforce training |
| Workforce Development | Employer-aligned outcomes, Kirkpatrick evaluation, placement tracking, alumni integration | WFD organizations, nonprofit training, career services |
| Project Management | Sequenced 8-week timeline, milestone deliverables, iterative feedback cycles | Program management, L&D project leadership |
| AI Integration | Structured AI learning module with prompt engineering, responsible use, and workforce rationale | EdTech, corporate innovation teams, training modernization |
| Technical Documentation | GitHub portfolio, structured rubrics, curriculum maps, program evaluation frameworks | Technical writing, instructional materials development |
| Adult Learning Theory | Andragogy, experiential learning, and UDL explicitly applied throughout design | All adult learning contexts |
| Career Readiness Training | Resume, LinkedIn, GitHub, interview, and job search strategy all developed to industry standards | Career services, bootcamps, workforce development |
Each learner exits this program with eight production-quality artifacts they own, keep, and deploy immediately in their job search. These deliverables represent the tangible output of the program and serve as the evidence base for capstone evaluation.
A polished, keyword-rich resume formatted for Applicant Tracking Systems with accomplishment-based bullet points.
A complete, recruiter-facing LinkedIn profile with professional summary, skills, headline, and project highlights.
A curated GitHub profile with a professional README, documented cybersecurity projects, and consistent formatting.
A 30-second recorded professional introduction ready for networking events, career fairs, and virtual interviews.
A completed mock interview session demonstrating STAR method responses to behavioral and technical questions.
A structured spreadsheet documenting active applications, company research, follow-ups, and status updates.
A personalized cover letter produced using AI-assisted drafting with documented learner edits and customization.
An 8–10 minute presentation to workforce stakeholders showcasing the complete career readiness portfolio with Q&A.
The following reflection documents the rationale behind key design choices in this curriculum — demonstrating the intentionality that distinguishes instructional design from content delivery.
Eight weeks allows sufficient time to build, practice, receive feedback, and revise each core competency. Shorter programs sacrifice depth; longer programs risk attrition among working adults. The 8-week arc mirrors the real timeline of an active job search, giving learners immediately relevant milestones rather than front-loaded theory.
Quizzes and tests do not produce employable graduates — portfolios do. Authentic assessments are evidence-based, immediately transferable, and deeply motivating for adult learners because the "grade" is a job-search tool they actually need. Every rubric was designed to simulate how an employer or recruiter would evaluate the same artifact.
Excluding AI from a workforce training program would be a disservice to learners entering organizations that are actively adopting these tools. Rather than ignoring AI or treating it as off-limits, this curriculum teaches ethical, strategic AI use — with critical editing as the core skill. Learners leave with demonstrated AI literacy, not just AI access.
Per Scholas' mission centers on measurable employment outcomes for underrepresented learners. Every design decision was filtered through this lens: Does this activity move learners closer to a job offer? Does this assessment produce an artifact that matters to employers? Workforce development is not just a context — it is the core design constraint.
Adult learners bring significant prior experience to the cohort. Peer review structures honor that expertise while building a professional network that outlasts the program itself. Cohort bonds formed during peer feedback sessions can become future referral networks — a real and lasting outcome of the program.
Future iterations could include a dedicated module on salary negotiation and offer evaluation, expanded employer participation in mock interviews, and a structured alumni check-in at 6 and 12 months. Each cohort's feedback should formally feed back into the next iteration through the ADDIE continuous improvement loop.
An 8-week supplemental professional development curriculum I designed to help Per Scholas cybersecurity students organize, deepen, and extend their career readiness journey — inspired by what I observed and experienced as a student in the program.
This curriculum started as a personal project during my time in the Per Scholas Cybersecurity AI program. I used what I was learning — both in cybersecurity and in the PD portion of the course — as raw material to build a structured instructional design artifact that could serve as a teacher planning tool, a student progression guide, or a reusable program framework.
The program is designed as a blended format, combining synchronous workshop sessions, asynchronous independent practice, peer review, and individual coaching feedback.
Adult learners in the Per Scholas Cybersecurity program — many of whom are career-changers from underrepresented communities entering the technology sector for the first time. This curriculum supplements their technical training with a structured, week-by-week framework for building the professional tools and confidence employers look for.
| | |
|---|---|
| Duration | 8 Weeks |
| Format | Blended (Sync + Async) |
| Sessions/Week | 1–2 Workshops + Independent Practice |
| Framework | ADDIE + Experiential Learning |
| Assessment Model | Authentic / Performance-Based |
| AI Integration | Embedded across all modules |
This curriculum was developed using the ADDIE framework — a systematic instructional design process ensuring alignment between learner needs, program goals, and measurable outcomes. Each phase directly informed specific design decisions within this project.
Drawing on my own experience as a Per Scholas student — and observing my cohort — I identified opportunities to add more structure around GitHub portfolio creation, organized job tracking, and a formal capstone presentation. These additions complement the program's existing resume, LinkedIn, and interview preparation support.
Objectives were written using Bloom's Taxonomy action verbs (construct, demonstrate, evaluate, synthesize). Each week targets a discrete, stackable skill set. Backward design ensured every activity traced directly to a real employment outcome.
Materials include facilitator guides, learner workbooks, AI prompt libraries, grading rubrics with defined success criteria, peer review templates, and alumni speaker frameworks — all developed to be scalable and reusable by any facilitator.
The blended delivery model accounts for adult learner schedules and varied access needs. Continuous improvement is built in via mid-program check-ins, end-of-session feedback forms, and post-placement employment tracking that feeds back into future curriculum iterations.
Effective instructional design begins with a deep understanding of the learner. The following analysis informed every design decision in this curriculum — written from the perspective of someone who experienced this program as a student.
Adult career-changers and re-entry professionals (primarily ages 22–45) completing the Per Scholas Cybersecurity program. Many are first-generation college students or individuals from communities historically underrepresented in the tech sector — bringing significant life experience and motivation into the classroom.
Learners enter with developing cybersecurity technical competency and participate in existing professional development sessions. This curriculum adds extended scaffolding — particularly around GitHub portfolio documentation and structured job tracking — for students who want to go further in building their professional presence.
Computer with internet connection required. All platforms used are freely accessible: LinkedIn, GitHub, Google Docs, AI tools (Azari AI, ChatGPT, Claude), and video conferencing. No paid software required — a deliberate choice to remove access barriers.
By the end of this 8-week program, learners will be able to:
| Domain | Bloom's Level | Learning Outcome | Bloom's Verb |
|---|---|---|---|
| Resume Development | Create | Construct an ATS-optimized resume that highlights cybersecurity skills, certifications, and measurable accomplishments | Construct |
| LinkedIn Optimization | Apply | Develop a complete, recruiter-facing LinkedIn profile incorporating industry-relevant keywords and a compelling professional summary | Develop |
| GitHub Portfolio | Create | Build a professional GitHub portfolio with a structured README, project documentation, and evidence of technical coursework | Build |
| Elevator Pitch | Apply | Deliver a polished 30-second elevator pitch that clearly communicates professional identity, skills, and career goals | Deliver |
| Interview Readiness | Evaluate | Demonstrate competency in behavioral and technical interview formats by responding to structured questions using the STAR method | Demonstrate |
| AI Tools | Analyze | Evaluate AI-generated career content for accuracy, tone, and authenticity, applying responsible editing practices before use | Evaluate |
| Job Search Strategy | Apply | Organize an active job search using a structured tracking system documenting applications, follow-ups, and outcomes | Organize |
| Professional Branding | Synthesize | Synthesize a cohesive personal brand narrative that is consistent across resume, LinkedIn, GitHub, and verbal communication | Synthesize |
| Capstone | Create + Evaluate | Present a complete career readiness portfolio to an audience of workforce professionals, incorporating peer and facilitator feedback | Present |
The 8-week sequence is scaffolded from foundational branding through to an integrated, employer-facing capstone presentation. Each week builds on the last, ensuring learners develop skills progressively before synthesizing them in a final showcase.
| Week | Topic | Skills Developed | Deliverable | Assessment Method |
|---|---|---|---|---|
| Week 1 | Resume Development | ATS formatting, keyword integration, accomplishment-based language, transferable skills articulation | Polished, ATS-optimized resume | Rubric-based peer + facilitator review |
| Week 2 | LinkedIn Optimization | Professional summary writing, headline crafting, skills section, recruiter discoverability | Complete LinkedIn profile | Profile audit checklist + peer feedback |
| Week 3 | GitHub Portfolio | README documentation, project organization, technical writing, portfolio curation | GitHub portfolio with README and 2+ projects | Portfolio review rubric |
| Week 4 | AI-Assisted Career Prep | Prompt engineering, AI content review and editing, responsible AI use, efficiency tools | AI-assisted resume + cover letter drafts with edits documented | Reflection on editing process; before/after comparison |
| Week 5 | Elevator Pitch | Verbal self-marketing, concise storytelling, professional presence, audience awareness | Recorded 30-second elevator pitch | Peer evaluation rubric + facilitator feedback |
| Week 6 | Mock Interviews | STAR method, behavioral questioning, technical Q&A, active listening, professional composure | Completed mock interview (recorded or live) | Structured interview rubric + self-assessment |
| Week 7 | Workforce Integration & Job Tracking | Job search strategy, networking, application tracking, alumni engagement | Job tracker with 5+ active applications documented | Tracker review + networking activity log |
| Week 8 | Capstone Presentation | Portfolio synthesis, professional presentation, audience engagement, self-advocacy | Full career readiness portfolio + live capstone presentation | Capstone rubric evaluated by facilitators and workforce partners |
| Assessment | Type | Learning Objective Measured | Success Criteria |
|---|---|---|---|
| Resume Review | Authentic / Product | Construct an ATS-optimized resume reflecting cybersecurity competencies | Passes ATS scan; includes quantified accomplishments; rubric score ≥ 80% |
| LinkedIn Review | Authentic / Product | Develop a complete, recruiter-facing LinkedIn profile | All required sections complete; professional headshot; 500+ character summary; industry keywords present |
| GitHub Portfolio | Portfolio / Product | Build a professional GitHub portfolio with documented projects | Profile README complete; 2+ projects with descriptions; consistent formatting; accessible to public |
| Elevator Pitch | Performance | Deliver a polished 30-second professional self-introduction | Stays within 30–45 seconds; clearly states name, role, skills, and goal; confident delivery; peer rubric ≥ 75% |
| Mock Interviews | Performance / Simulation | Demonstrate behavioral and technical interview competency using STAR method | STAR structure used in ≥ 3 responses; maintains professional composure; facilitator rubric score ≥ 75% |
| Job Tracker | Process / Documentation | Organize a structured, active job search strategy | Minimum 5 applications documented; includes company, role, date, status, and follow-up notes |
| Capstone Presentation | Summative / Portfolio Defense | Synthesize and present a complete career readiness portfolio to workforce stakeholders | All 6 core artifacts present; 8–10 minute presentation; audience Q&A navigated confidently; overall rubric ≥ 80% |
This curriculum is grounded in Malcolm Knowles' theory of Andragogy and Kolb's Experiential Learning Cycle. Every module was designed with the following adult learning principles explicitly in mind:
Learners choose their own job search targets, write their own career narratives, and make independent decisions about their professional brand. Facilitators guide rather than dictate. Asynchronous modules allow learners to pace their work around their lives.
Every activity produces something learners will actually use in their job search — not hypothetical exercises. This immediate relevance is the core motivator for adult engagement and program completion.
Skills are applied the same week they are introduced. Resume week produces a real resume. Pitch week produces a recorded pitch. There is no lag between learning and doing — a key principle of adult motivation.
Self-assessments, written reflections on AI tool use, and post-interview debriefs build metacognitive awareness. Learners are explicitly asked: "What worked? What would you change?" — connecting experience to growth.
Structured peer review activities occur in Weeks 1, 2, 5, and 6. Learners practice giving and receiving professional feedback — a critical workplace skill that also deepens their own understanding of quality standards.
Mock interviews simulate real interview conditions. Capstone presentations replicate workforce panel presentations. Alumni and employer guests provide authentic industry context. Scenarios mirror real hiring events, not classroom exercises.
Week 4 introduces learners to structured prompt writing. Students practice crafting specific, role-targeted prompts that produce relevant career content — a transferable skill valued by modern employers across all sectors.
Learners are explicitly taught to review AI output for accuracy, tone, cultural fit, and authenticity. A "before and after" reflection documents what they changed and why — building critical evaluation skills alongside efficiency.
No AI-generated content is submitted unedited. Learners are required to personalize, fact-check, and revise all AI outputs to reflect their authentic voice. This process makes the final product stronger, not just faster.
AI is framed as a first-draft accelerator, not a thinking replacement. Learners use it to overcome blank-page paralysis and generate options — then apply their own expertise to select, refine, and personalize the content.
Employers increasingly expect new hires to be AI-literate. By integrating AI tools with explicit guidance on responsible use, this curriculum ensures graduates can speak confidently about how and when they use these tools professionally.
Learners document their AI use and editing decisions. This creates accountability while normalizing the responsible, disclosed use of AI — a professional standard being adopted across industries.
This curriculum was designed with Universal Design for Learning (UDL) principles as a guiding framework, ensuring all learners can access, engage with, and demonstrate learning regardless of background or circumstance.
Program effectiveness is measured using the Kirkpatrick Four-Level Evaluation Model, with additional workforce development metrics aligned to Per Scholas' organizational outcomes.
| Kirkpatrick Level | Metric | How Measured | Target |
|---|---|---|---|
| Level 1 — Reaction | Learner satisfaction | End-of-session feedback surveys; post-program NPS | ≥ 80% positive response rate |
| Level 2 — Learning | Skill acquisition | Pre/post rubric scores on resume, pitch, and interview assessments | Measurable improvement from Week 1 to Week 8 |
| Level 3 — Behavior | Portfolio completion rate | % of learners who complete all 6 core deliverables | ≥ 85% completion |
| Level 3 — Behavior | Mock interview performance | Facilitator rubric scores across cohort | ≥ 75% of learners score proficient or above |
| Level 4 — Results | Employment outcomes | 90-day and 6-month placement tracking via alumni follow-up | Increased placement rate vs. prior cohorts |
| WFD Metrics | Workforce development KPIs | Per Scholas alumni engagement rates; employer satisfaction surveys | Aligns with organizational reporting requirements |
This curriculum project demonstrates a comprehensive range of instructional design, curriculum development, and workforce training competencies applicable to corporate L&D, EdTech, workforce development, and higher education settings.
| Competency Area | Evidence in This Project | Industry Application |
|---|---|---|
| Curriculum Development | 8-week scaffolded program with logical skill progression and backward-designed objectives | L&D teams, training departments, academic institutions |
| Instructional Design (ADDIE) | Full ADDIE lifecycle documented with phase-specific examples from this program | All ID roles |
| Learning Experience Design | Learner-centered design with empathy-driven barrier analysis and UDL principles | EdTech, corporate training, bootcamps |
| Facilitation Design | Workshop structures, facilitator guides, peer review protocols, mock interview frameworks | Training facilitation, coaching, workshop design |
| Assessment Design | Authentic, performance-based assessments with rubrics tied directly to Bloom's objectives | K-12, higher ed, workforce training |
| Workforce Development | Employer-aligned outcomes, Kirkpatrick evaluation, placement tracking, alumni integration | WFD organizations, nonprofit training, career services |
| Project Management | Sequenced 8-week timeline, milestone deliverables, iterative feedback cycles | Program management, L&D project leadership |
| AI Integration | Structured AI learning module with prompt engineering, responsible use, and workforce rationale | EdTech, corporate innovation teams, training modernization |
| Technical Documentation | GitHub portfolio, structured rubrics, curriculum maps, program evaluation frameworks | Technical writing, instructional materials development |
| Adult Learning Theory | Andragogy, experiential learning, and UDL explicitly applied throughout design | All adult learning contexts |
| Career Readiness Training | Resume, LinkedIn, GitHub, interview, and job search strategy all developed to industry standards | Career services, bootcamps, workforce development |
Each learner exits this program with eight production-quality artifacts they own, keep, and deploy immediately in their job search. These deliverables represent the tangible output of the program and serve as the evidence base for capstone evaluation.
A polished, keyword-rich resume formatted for Applicant Tracking Systems with accomplishment-based bullet points.
A complete, recruiter-facing LinkedIn profile with professional summary, skills, headline, and project highlights.
A curated GitHub profile with a professional README, documented cybersecurity projects, and consistent formatting.
A 30-second recorded professional introduction ready for networking events, career fairs, and virtual interviews.
A completed mock interview session demonstrating STAR method responses to behavioral and technical questions.
A structured spreadsheet documenting active applications, company research, follow-ups, and status updates.
A personalized cover letter produced using AI-assisted drafting with documented learner edits and customization.
An 8–10 minute presentation to workforce stakeholders showcasing the complete career readiness portfolio with Q&A.
The following reflection documents the rationale behind key design choices in this curriculum — demonstrating the intentionality that distinguishes instructional design from content delivery.
Eight weeks allows sufficient time to build, practice, receive feedback, and revise each core competency. Shorter programs sacrifice depth; longer programs risk attrition among working adults. The 8-week arc mirrors the real timeline of an active job search, giving learners immediately relevant milestones rather than front-loaded theory.
A growing collection of hands-on Governance, Risk & Compliance projects — each one built to simulate real GRC analyst work and produce a portfolio-ready deliverable. Projects are being completed and documented here as they are finished.
Seven self-directed GRC projects that mirror actual work performed inside security and compliance teams — from building compliance frameworks to running mock internal audits.
Every project maps to one or more industry-recognized frameworks — the same ones referenced in GRC analyst job postings.
Each completed project will be linked here with full documentation, evidence artifacts, and a resume bullet. Check back as work progresses.
47 must-know acronyms, studied with spaced repetition. Cards move through 5 Leitner boxes — progress is saved in your browser.