All Mermaid validated in Mermaid Live Editor.
Type: Mermaid (flowchart) Purpose: Shows the two tracks and how each defines three modes. The C1 architecture ports; the modes and tools are domain-specific. A harness that only runs one mode is half a harness.
flowchart TD
ARCH["C1 architecture PORTS<br/>scope middleware · memory · tools · evidence · triage · report"]
SC["Smart contract track<br/>(EVMbench-aligned)"]
CL["Cloud track<br/>(posture + red team)"]
SC_D["DETECT<br/>Slither · Mythril · LLM reasoning<br/>Evidence: finding + location + class"]
SC_P["PATCH<br/>generate fix · verify (re-detect clean + tests pass)<br/>Evidence: diff + test results"]
SC_E["EXPLOIT<br/>working PoC on forked mainnet<br/>Evidence: PoC tx + state change"]
CL_D["DETECT<br/>config scanner (Prowler) · IAM analyzer<br/>Evidence: misconfigured resource + violated control"]
CL_R["REMEDIATE<br/>apply fix · verify (re-scan clean)<br/>Evidence: remediation action + post-fix state"]
CL_E["EXPLOIT<br/>controlled red-team action<br/>Evidence: exploit chain + access achieved"]
ARCH --> SC --> SC_D --> SC_P --> SC_E
ARCH --> CL --> CL_D --> CL_R --> CL_E
NOTE["Three modes together = the benchmark<br/>Detect-only = half a harness<br/>recall alone hides Patch/Remediate and Exploit weaknesses"]
SC_E -.-> NOTE
CL_E -.-> NOTE
style ARCH fill:#0d2818,stroke:#1e8449,color:#82e0aa
style SC fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style CL fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style SC_D fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_P fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_E fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_D fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_R fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_E fill:#14141f,stroke:#5eead4,color:#5eead4
style NOTE fill:#2a1810,stroke:#a04000,color:#f0a868
Reading the diagram: The C1 architecture — scope middleware, memory, tools, evidence, triage, report — ports directly to both domains. What changes is the three modes and their tool chains. Smart contract: Detect (Slither/Mythril/LLM), Patch (generate + verify), Exploit (PoC on forked mainnet). Cloud: Detect (Prowler/IAM analyzer), Remediate (apply + verify), Exploit (red-team action). The three modes together are the benchmark. A harness that only runs Detect is half a harness — recall alone hides weaknesses in Patch/Remediate and Exploit. All three must be scored and reported together.
Type: Mermaid (flowchart) Purpose: Shows the full pipeline for both tracks — load target, run three modes, triage, report — and where evidence is captured at each stage.
flowchart TD
subgraph SC_PIPE["Smart contract pipeline"]
SC_LOAD["Load target<br/>contract source + EVMbench metadata"]
SC_DETECT["Detect mode<br/>Slither · Mythril · LLM<br/>→ candidate findings"]
SC_PATCH["Patch mode<br/>for each finding: generate fix<br/>verify: re-detect clean + Foundry tests pass"]
SC_EXPLOIT["Exploit mode<br/>for each finding: build PoC on forked mainnet<br/>record success/failure"]
SC_TRIAGE["Triage<br/>filter FP · confirm with evidence"]
SC_REPORT["Audit report<br/>scope · methodology · findings · severity · PoC · roadmap"]
SC_LOAD --> SC_DETECT --> SC_PATCH --> SC_EXPLOIT --> SC_TRIAGE --> SC_REPORT
end
subgraph CL_PIPE["Cloud pipeline"]
CL_LOAD["Load target<br/>account + regions + control framework (CIS)"]
CL_DETECT["Detect mode<br/>Prowler · IAM analyzer · surface mapper<br/>→ posture violations"]
CL_REMED["Remediate mode<br/>for each finding: apply fix<br/>verify: re-scan clean"]
CL_EXPLOIT["Exploit mode<br/>for each exposure: red-team action<br/>(assume role · access data)"]
CL_TRIAGE["Triage<br/>filter FP · confirm with evidence"]
CL_REPORT["Posture report<br/>scope · controls · findings by category · evidence · roadmap"]
CL_LOAD --> CL_DETECT --> CL_REMED --> CL_EXPLOIT --> CL_TRIAGE --> CL_REPORT
end
EV["Evidence captured at every stage<br/>finding → evidence (sha256) → tool call → trace ID<br/>tamper-evident chain (from C1)"]
SC_EXPLOIT -.-> EV
CL_EXPLOIT -.-> EV
style SC_PIPE fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style CL_PIPE fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style SC_DETECT fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_DETECT fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_REPORT fill:#0d2818,stroke:#1e8449,color:#82e0aa
style CL_REPORT fill:#0d2818,stroke:#1e8449,color:#82e0aa
style EV fill:#2a1810,stroke:#a04000,color:#f0a868
Reading the diagram: Both pipelines follow the same shape: load the target, run three modes in sequence, triage, report. The smart contract pipeline loads contract source and EVMbench metadata, runs Detect (Slither/Mythril/LLM), Patch (generate + verify via re-detect and Foundry tests), and Exploit (PoC on forked mainnet). The cloud pipeline loads the account and control framework, runs Detect (Prowler/IAM analyzer), Remediate (apply + re-scan), and Exploit (red-team action). Evidence is captured at every stage using the same tamper-evident chain from C1 — finding links to evidence (sha256) links to tool call links to trace ID. The report is domain-specific but the evidence shape is identical.
Type: Mermaid (flowchart) Purpose: Shows the three benchmark scores for each domain and why all three must be reported together. A high Detect score with low Patch/Exploit is a detection engine, not a harness.
flowchart LR
subgraph SC_BENCH["Smart contract (EVMbench subset)"]
SC_D["Detect recall<br/>of N known vulns, how many found?"]
SC_P["Patch quality<br/>fix removes vuln AND preserves behavior?"]
SC_E["Exploit success<br/>working PoC on forked mainnet?"]
end
subgraph CL_BENCH["Cloud (posture benchmark)"]
CL_D["Detect recall<br/>of N seeded misconfigs, how many found?"]
CL_R["Remediation success<br/>fix resolves it (re-scan clean) without breaking app?"]
CL_E["Exploit success<br/>red-team objective achieved?"]
end
RULE["Report all three together<br/>85% Detect / 30% Patch / 30% Exploit = detection engine<br/>80% across all three = genuine harness"]
SC_E --> RULE
CL_E --> RULE
PUBLISH["Scores are falsifiable<br/>anyone can run the same target and compare<br/>→ this is the publishable claim"]
RULE --> PUBLISH
style SC_BENCH fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style CL_BENCH fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style SC_D fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_P fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_E fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_D fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_R fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_E fill:#14141f,stroke:#5eead4,color:#5eead4
style RULE fill:#2a0d0d,stroke:#a00000,color:#f08080
style PUBLISH fill:#0d2818,stroke:#1e8449,color:#82e0aa
Reading the diagram: Each domain has three independent benchmark scores. Smart contract: Detect recall, Patch quality, Exploit success rate. Cloud: Detect recall, Remediation success, Exploit success. All three must be reported together. A harness scoring 85% Detect but 30% Patch and 30% Exploit is a detection engine, not a harness — it finds bugs but cannot fix or exploit them. A harness scoring 80% across all three is a genuine tool. The scores are falsifiable: anyone can run the same target (DVD challenge, forked mainnet, isolated AWS) and compare. That falsifiability is what makes the score publishable.
Type: Mermaid (flowchart) Purpose: Shows how the benchmark and client report distill into a single publishable page that becomes the portfolio asset across three platforms.
flowchart TD
BENCH["Benchmark scores<br/>Detect / Patch or Remediate / Exploit"]
REPORT["Client report<br/>HTML + JSON · full evidence chain"]
ONE_PAGE["One-page summary<br/>Harness name · target · date<br/>3-mode score table<br/>link to report · link to evidence repo"]
BENCH --> ONE_PAGE
REPORT --> ONE_PAGE
GITHUB["GitHub README<br/>full report + evidence linked<br/>repo with harness code"]
LINKEDIN["LinkedIn post<br/>benchmark + client report<br/>positioning as falsifiable claim"]
DEEPTHREAT["Deepthreat.ai<br/>demonstration asset<br/>harness running vs real target"]
ONE_PAGE --> GITHUB
ONE_PAGE --> LINKEDIN
ONE_PAGE --> DEEPTHREAT
PORTFOLIO["Public portfolio artifact<br/>the harness is the engine<br/>the benchmark is the proof<br/>the published summary is the portfolio"]
GITHUB --> PORTFOLIO
LINKEDIN --> PORTFOLIO
DEEPTHREAT --> PORTFOLIO
style BENCH fill:#14141f,stroke:#5eead4,color:#5eead4
style REPORT fill:#14141f,stroke:#5eead4,color:#5eead4
style ONE_PAGE fill:#0d2818,stroke:#1e8449,color:#82e0aa
style GITHUB fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style LINKEDIN fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style DEEPTHREAT fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style PORTFOLIO fill:#2a1810,stroke:#a04000,color:#f0a868
Reading the diagram: The benchmark scores and the client report distill into a single one-page summary: harness name, target, date, a three-mode score table, and links to the full report and the evidence repository. This one page is published to three platforms. On GitHub, it is the README for the harness repository, with the full report and evidence chain linked. On LinkedIn, it is a post showcasing the benchmark and client report, positioning the work as a falsifiable security claim. On Deepthreat.ai, it is a demonstration asset showing the harness running against a real target with scored results. The harness is the engine; the benchmark is the proof; the published summary is the portfolio. This is the culmination of Course 2A.
# Diagrams — Capstone C2: Build a Smart Contract or Cloud Security Harness
> All Mermaid validated in Mermaid Live Editor.
---
## Diagram 1 — Domain Choice and the Three Modes
**Type**: Mermaid (flowchart)
**Purpose**: Shows the two tracks and how each defines three modes. The C1 architecture ports; the modes and tools are domain-specific. A harness that only runs one mode is half a harness.
```mermaid
flowchart TD
ARCH["C1 architecture PORTS<br/>scope middleware · memory · tools · evidence · triage · report"]
SC["Smart contract track<br/>(EVMbench-aligned)"]
CL["Cloud track<br/>(posture + red team)"]
SC_D["DETECT<br/>Slither · Mythril · LLM reasoning<br/>Evidence: finding + location + class"]
SC_P["PATCH<br/>generate fix · verify (re-detect clean + tests pass)<br/>Evidence: diff + test results"]
SC_E["EXPLOIT<br/>working PoC on forked mainnet<br/>Evidence: PoC tx + state change"]
CL_D["DETECT<br/>config scanner (Prowler) · IAM analyzer<br/>Evidence: misconfigured resource + violated control"]
CL_R["REMEDIATE<br/>apply fix · verify (re-scan clean)<br/>Evidence: remediation action + post-fix state"]
CL_E["EXPLOIT<br/>controlled red-team action<br/>Evidence: exploit chain + access achieved"]
ARCH --> SC --> SC_D --> SC_P --> SC_E
ARCH --> CL --> CL_D --> CL_R --> CL_E
NOTE["Three modes together = the benchmark<br/>Detect-only = half a harness<br/>recall alone hides Patch/Remediate and Exploit weaknesses"]
SC_E -.-> NOTE
CL_E -.-> NOTE
style ARCH fill:#0d2818,stroke:#1e8449,color:#82e0aa
style SC fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style CL fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style SC_D fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_P fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_E fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_D fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_R fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_E fill:#14141f,stroke:#5eead4,color:#5eead4
style NOTE fill:#2a1810,stroke:#a04000,color:#f0a868
```
**Reading the diagram**: The C1 architecture — scope middleware, memory, tools, evidence, triage, report — ports directly to both domains. What changes is the three modes and their tool chains. Smart contract: Detect (Slither/Mythril/LLM), Patch (generate + verify), Exploit (PoC on forked mainnet). Cloud: Detect (Prowler/IAM analyzer), Remediate (apply + verify), Exploit (red-team action). The three modes together are the benchmark. A harness that only runs Detect is half a harness — recall alone hides weaknesses in Patch/Remediate and Exploit. All three must be scored and reported together.
---
## Diagram 2 — The Build Pipeline (Smart Contract and Cloud)
**Type**: Mermaid (flowchart)
**Purpose**: Shows the full pipeline for both tracks — load target, run three modes, triage, report — and where evidence is captured at each stage.
```mermaid
flowchart TD
subgraph SC_PIPE["Smart contract pipeline"]
SC_LOAD["Load target<br/>contract source + EVMbench metadata"]
SC_DETECT["Detect mode<br/>Slither · Mythril · LLM<br/>→ candidate findings"]
SC_PATCH["Patch mode<br/>for each finding: generate fix<br/>verify: re-detect clean + Foundry tests pass"]
SC_EXPLOIT["Exploit mode<br/>for each finding: build PoC on forked mainnet<br/>record success/failure"]
SC_TRIAGE["Triage<br/>filter FP · confirm with evidence"]
SC_REPORT["Audit report<br/>scope · methodology · findings · severity · PoC · roadmap"]
SC_LOAD --> SC_DETECT --> SC_PATCH --> SC_EXPLOIT --> SC_TRIAGE --> SC_REPORT
end
subgraph CL_PIPE["Cloud pipeline"]
CL_LOAD["Load target<br/>account + regions + control framework (CIS)"]
CL_DETECT["Detect mode<br/>Prowler · IAM analyzer · surface mapper<br/>→ posture violations"]
CL_REMED["Remediate mode<br/>for each finding: apply fix<br/>verify: re-scan clean"]
CL_EXPLOIT["Exploit mode<br/>for each exposure: red-team action<br/>(assume role · access data)"]
CL_TRIAGE["Triage<br/>filter FP · confirm with evidence"]
CL_REPORT["Posture report<br/>scope · controls · findings by category · evidence · roadmap"]
CL_LOAD --> CL_DETECT --> CL_REMED --> CL_EXPLOIT --> CL_TRIAGE --> CL_REPORT
end
EV["Evidence captured at every stage<br/>finding → evidence (sha256) → tool call → trace ID<br/>tamper-evident chain (from C1)"]
SC_EXPLOIT -.-> EV
CL_EXPLOIT -.-> EV
style SC_PIPE fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style CL_PIPE fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style SC_DETECT fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_DETECT fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_REPORT fill:#0d2818,stroke:#1e8449,color:#82e0aa
style CL_REPORT fill:#0d2818,stroke:#1e8449,color:#82e0aa
style EV fill:#2a1810,stroke:#a04000,color:#f0a868
```
**Reading the diagram**: Both pipelines follow the same shape: load the target, run three modes in sequence, triage, report. The smart contract pipeline loads contract source and EVMbench metadata, runs Detect (Slither/Mythril/LLM), Patch (generate + verify via re-detect and Foundry tests), and Exploit (PoC on forked mainnet). The cloud pipeline loads the account and control framework, runs Detect (Prowler/IAM analyzer), Remediate (apply + re-scan), and Exploit (red-team action). Evidence is captured at every stage using the same tamper-evident chain from C1 — finding links to evidence (sha256) links to tool call links to trace ID. The report is domain-specific but the evidence shape is identical.
---
## Diagram 3 — Benchmark Scoring: Three Independent Scores
**Type**: Mermaid (flowchart)
**Purpose**: Shows the three benchmark scores for each domain and why all three must be reported together. A high Detect score with low Patch/Exploit is a detection engine, not a harness.
```mermaid
flowchart LR
subgraph SC_BENCH["Smart contract (EVMbench subset)"]
SC_D["Detect recall<br/>of N known vulns, how many found?"]
SC_P["Patch quality<br/>fix removes vuln AND preserves behavior?"]
SC_E["Exploit success<br/>working PoC on forked mainnet?"]
end
subgraph CL_BENCH["Cloud (posture benchmark)"]
CL_D["Detect recall<br/>of N seeded misconfigs, how many found?"]
CL_R["Remediation success<br/>fix resolves it (re-scan clean) without breaking app?"]
CL_E["Exploit success<br/>red-team objective achieved?"]
end
RULE["Report all three together<br/>85% Detect / 30% Patch / 30% Exploit = detection engine<br/>80% across all three = genuine harness"]
SC_E --> RULE
CL_E --> RULE
PUBLISH["Scores are falsifiable<br/>anyone can run the same target and compare<br/>→ this is the publishable claim"]
RULE --> PUBLISH
style SC_BENCH fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style CL_BENCH fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style SC_D fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_P fill:#14141f,stroke:#5eead4,color:#5eead4
style SC_E fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_D fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_R fill:#14141f,stroke:#5eead4,color:#5eead4
style CL_E fill:#14141f,stroke:#5eead4,color:#5eead4
style RULE fill:#2a0d0d,stroke:#a00000,color:#f08080
style PUBLISH fill:#0d2818,stroke:#1e8449,color:#82e0aa
```
**Reading the diagram**: Each domain has three independent benchmark scores. Smart contract: Detect recall, Patch quality, Exploit success rate. Cloud: Detect recall, Remediation success, Exploit success. All three must be reported together. A harness scoring 85% Detect but 30% Patch and 30% Exploit is a detection engine, not a harness — it finds bugs but cannot fix or exploit them. A harness scoring 80% across all three is a genuine tool. The scores are falsifiable: anyone can run the same target (DVD challenge, forked mainnet, isolated AWS) and compare. That falsifiability is what makes the score publishable.
---
## Diagram 4 — The One-Page Publishable Summary
**Type**: Mermaid (flowchart)
**Purpose**: Shows how the benchmark and client report distill into a single publishable page that becomes the portfolio asset across three platforms.
```mermaid
flowchart TD
BENCH["Benchmark scores<br/>Detect / Patch or Remediate / Exploit"]
REPORT["Client report<br/>HTML + JSON · full evidence chain"]
ONE_PAGE["One-page summary<br/>Harness name · target · date<br/>3-mode score table<br/>link to report · link to evidence repo"]
BENCH --> ONE_PAGE
REPORT --> ONE_PAGE
GITHUB["GitHub README<br/>full report + evidence linked<br/>repo with harness code"]
LINKEDIN["LinkedIn post<br/>benchmark + client report<br/>positioning as falsifiable claim"]
DEEPTHREAT["Deepthreat.ai<br/>demonstration asset<br/>harness running vs real target"]
ONE_PAGE --> GITHUB
ONE_PAGE --> LINKEDIN
ONE_PAGE --> DEEPTHREAT
PORTFOLIO["Public portfolio artifact<br/>the harness is the engine<br/>the benchmark is the proof<br/>the published summary is the portfolio"]
GITHUB --> PORTFOLIO
LINKEDIN --> PORTFOLIO
DEEPTHREAT --> PORTFOLIO
style BENCH fill:#14141f,stroke:#5eead4,color:#5eead4
style REPORT fill:#14141f,stroke:#5eead4,color:#5eead4
style ONE_PAGE fill:#0d2818,stroke:#1e8449,color:#82e0aa
style GITHUB fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style LINKEDIN fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style DEEPTHREAT fill:#0d1b2a,stroke:#1b4f72,color:#e4e4e8
style PORTFOLIO fill:#2a1810,stroke:#a04000,color:#f0a868
```
**Reading the diagram**: The benchmark scores and the client report distill into a single one-page summary: harness name, target, date, a three-mode score table, and links to the full report and the evidence repository. This one page is published to three platforms. On GitHub, it is the README for the harness repository, with the full report and evidence chain linked. On LinkedIn, it is a post showcasing the benchmark and client report, positioning the work as a falsifiable security claim. On Deepthreat.ai, it is a demonstration asset showing the harness running against a real target with scored results. The harness is the engine; the benchmark is the proof; the published summary is the portfolio. This is the culmination of Course 2A.