"What are the two tracks for Capstone C2?" "Smart contract audit harness (EVMbench-aligned — Detect/Patch/Exploit vs DVD or forked mainnet, scored against EVMbench subset) OR cloud posture + red team harness (Detect/Remediate/Exploit vs isolated AWS, scored against CIS/posture benchmark). Same C1 architecture, different domain." c2a::c2::recall "What are the three sub-sections of C2 and their durations?" "C2.1 Design and Scoping (15 min) — choose track, define 3 modes, tools, evidence, report, authorization doc. C2.2 Build and Run (60 min) — full pipeline vs real lab target, structured findings, client report. C2.3 Benchmark and Publish (15 min) — score vs domain benchmark, one-page summary for LinkedIn/GitHub/Deepthreat.ai." c2a::c2::recall "What are the three modes for each C2 track?" "Smart contract: Detect (Slither/Mythril/LLM) / Patch (generate fix, verify re-detect clean + tests pass) / Exploit (working PoC on forked mainnet). Cloud: Detect (Prowler/IAM analyzer) / Remediate (apply fix, verify re-scan clean) / Exploit (controlled red-team action)." c2a::c2::recall "Why does the C1 architecture port to C2's domains?" "The skeleton — scope middleware, memory, tools, evidence, triage, report — is domain-independent. What changes is the tool suite, the target, and the benchmark. The skills transfer directly. Each tool still has Pydantic schema + scope-check + high_impact flag + run. The evidence chain (finding → evidence sha256 → tool call → trace_id) is identical." c2a::c2::analysis "Why is a harness that only runs Detect 'half a harness'?" "The three modes together are the benchmark. Recall alone hides weaknesses in Patch/Remediate and Exploit. A harness scoring 85% Detect / 30% Patch / 30% Exploit is a detection engine — it finds bugs but cannot fix or exploit them. 80% across all three is a genuine harness. All three must be scored and reported together." c2a::c2::analysis "Why is the authorization document not a formality, especially for cloud?" "For cloud, an exploit action against the wrong account or without blast-radius limits is a REAL INCIDENT. The auth doc defines: account ID, regions, resources, actions in Exploit mode, blast-radius limits, teardown procedure. For smart contracts: contracts in scope, commit hashes, forked block, authorized actions. Write it BEFORE you build." c2a::c2::analysis "What are the smart contract lab target options?" "Three: (1) Damn Vulnerable DeFi — deliberately vulnerable DeFi challenges with known solutions. (2) Forked mainnet via Foundry — target a historical exploit before the fix. (3) EVMbench subset — 10-15 vulnerabilities, run three modes against each. A real lab target is non-negotiable — a toy example is a hypothesis." c2a::c2::recall "What are the cloud lab target options?" "Two: (1) Isolated AWS account — Terraform-provisioned misconfigs (public S3, over-permissive IAM, exposed security groups). Harness detects/remediates/exploits in isolation. Teardown destroys everything. (2) LocalStack — local AWS emulator for fast iteration, though some services imperfectly emulated." c2a::c2::recall "What are the three EVMbench scores and what does each measure?" "(1) Detect recall — of N known vulns, how many found? (2) Patch quality — for each detected finding, does the fix remove the vuln AND preserve behavior (tests pass)? (3) Exploit success rate — for each detected finding, did the harness build a working PoC on forked mainnet? All three measured independently, reported together." c2a::c2::recall "What are the three cloud posture benchmark scores?" "(1) Detect recall — of N seeded misconfigs, how many found? (2) Remediation success — for each finding, did the fix resolve it (re-scan clean) without breaking the application? (3) Exploit success — for each exposure, did the red-team objective get achieved (e.g., assumed role, accessed data)?" c2a::c2::recall "What is the one-page publishable summary and where does it go?" "Distills benchmark + client report into a single page: harness name, target, date, 3-mode score table, links to report + evidence repo. Published to: GitHub (README with full report + evidence linked), LinkedIn (post positioning benchmark as falsifiable claim), Deepthreat.ai (demonstration asset showing harness vs real target)." c2a::c2::recall "Why are the benchmark scores described as 'falsifiable'?" "Anyone can run the same target — the same DVD challenge, forked mainnet block, or isolated AWS account — and compare their scores. 'Our harness scores 80% Detect / 72% Patch / 68% Exploit' is a claim competitors can verify or refute. This converts 'trust us' into 'here is the scored evidence, run it yourself.' Falsifiability is what makes it publishable." c2a::c2::analysis "How does the smart contract pipeline verify a patch?" "Two gates: (1) re-run detection on the patched code — the finding must be gone (no new findings introduced). (2) run the Foundry test suite — behavior must be preserved (all tests pass). A patch that removes the bug but breaks a test fails. A patch that fixes the specific PoC but leaves the underlying flaw fails. Both gates must pass." c2a::c2::analysis "How does the cloud pipeline verify a remediation?" "Re-run the detection scan after applying the fix — the finding must be resolved (re-scan clean). AND the application must still function (the remediation did not break it — e.g., tightening an IAM policy did not break the app's ability to access needed resources). Both: control satisfied + app unbroken." c2a::c2::analysis "What is the 'portfolio artifact' that C2 produces and why does it matter?" "A shippable, measurable, publishable security harness with a falsifiable benchmark score. Not a prompt, not a script. A tool a client could receive (the report), a benchmark a competitor could verify (the scores), and a portfolio piece you can publish (the one-page summary). The harness is the engine, the benchmark is the proof, the published summary is the portfolio. This is the culmination of Course 2A." c2a::c2::analysis