Last Issue: Agentic AI Hacking Project 🤖

Next Issue: Claude Code for Cloud Security: What you should know 🌩️

Quick one this week…

I want to show you how to run Gemma 4, Google’s free open source model, locally.

This is cool enough on its own, and running local AI models is something you should definitely do at least once before you deploy them into the cloud. But for my use case here, it’s to avoid hitting those pesky Claude code limits every two minutes.

You don’t have to use Gemma 4 here, but if you take a look at the recent benchmarks compared to some of the bigger models, it’s really worth at least trying it out.

Step One: Install Claude Code

You’ll of course need to have Claude Code installed, follow this guide if you haven’t:

Step Two: Install Ollama

You can do this with the single command, here: https://ollama.com/

Once installed you should see a blank chat terminal with the model selector the bottom right

Step Three: Download Gemma 4

Now, the Gemma 4 model comes in quite a few sizes, and we want to get the right one for our machine. This will obviously depend on what hardware you’re running.

I have a Mac mini M4 Pro here, so I pasted my system specs into Claude and asked it to recommend the best model for my setup.

So all we need to run now is:

ollama run gemma4:26b

Step Four: Validation

You can now navigate back to Ollama and you should see the Gemma4 model we downloaded in the bottom right:"

Step Five: Running with Claude Code

We now want to configure this to be the default model with Claude Code. So open a new terminal and run:

ollama run gemma4:26b

Select the model from more and then start claude code and run /model selecting Gemma4

Congratulations 🎉

You are now running a local AI Model and you’ve got Claude Code using it as the default.

W J Pearce - Cyber Notes

Calm, practical & self paced training to help you break into Cloud Security & DevSecOps

👉 Pre-order here: techtwoforty.com

Last Issue: Deploy Faster on AWS: EC2 vs Lightsail (Hands On Guide)

Next Issue: How to run Gemma 4 Locally with Claude Code 🌟

I’ve recently covered two methods of AI hacking. Let’s go one step further today.

The first one was great but effectively a gpt wrapper.

The second got a little more complex: We set up an MCP server with Kali, but still pretty simple.

Cyber Notes

Easy AI Pentesting Project 💉

Last Issue: DevSecOps Course: 2026 🛣️…

Read more

3 months ago · 10 likes · 1 comment · W J Pearce

Cyber Notes

AI Hacking CV Project 🤖

Last Issue: 10,000 Readers Giveaway: AWS Cert 🚀…

Read more

4 months ago · 21 likes · 2 comments · W J Pearce

This time I want to take it up a notch.

AI is moving fast, and we’re slowly transitioning into agentic workflows. It’s no longer “user queries model, model maybe hits a database.” We’ve got a full blown ecosystem now: Agents talking to agents, running tools, chaining actions

So… we need to understand how attackers are going to use this shift against us.

Enter Strix: An open-source project that’s already pulled 20k+ stars on GitHub. It’s not a wrapper and it’s not just an MCP hookup. Strix is a team of autonomous AI agents that behave like actual hackers: they run your code dynamically, probe for vulnerabilities and validate findings with proof of concepts instead of dumping a pile of false positives on you.

Out of the box it ships with an HTTP proxy, browser automation, a terminal, a Python runtime for custom exploits and recon tooling. Multiple agents can run in parallel, share discoveries, and coordinate attacks across different pieces of your app.

Let’s set this up together and walk through how it works 👇

Prerequisites

• Docker

• Docker Compose

• An LLM (Running Locally or in the cloud with your API key)

• Two running Targets (I will show you how to set these up)

• An understanding of Github actions (Not 100% needed but handy)

Just Quickly…

One of the coolest things about Strix is its multi agent architecture. You’ve got a main agent acting as the coordinator, it does the initial recon, maps the attack surface, and decides what needs testing. From there, it spawns specialised sub agents, each tasked with a specific slice of the attack: one hunting for IDORs in the user endpoints, another fuzzing the search API for injection, another probing the auth and password reset flows. They run in parallel, share discoveries back to the main agent and you can monitor and manage each one individually.

It’s less “AI tool running a scan” and more “a small pentest team working your app at the same time” which is exactly why agentic workflows are such a step up from the wrapper and MCP approaches we looked at previously.

As usual, I reserve the Projects for community members…Come join the fun! 🌍

Read more

Last Issue: Become Cloud Security Engineer FASTER

Next Issue: Project: Claude Code Will 10x Your Cloud Security Career (Three Ways)

Both useful but one will give you the skills…

If you’re just starting out in cloud, this question comes up a lot.

Both run on AWS infrastructure. Both give you a Linux box in the cloud. So what’s the actual difference, and which one should you touch first?

Short version: it depends on why you’re here… 👀

If you’re here to learn Cloud Security or DevSecOps

Use EC2.

Every enterprise environment you’ll encounter, in a job, a lab, a CTF, or a pentest scope runs EC2 or something that behaves like it. Security groups, IAM roles, VPCs, instance metadata endpoints... these aren’t optional extras. They’re the attack surface. Lightsail hides most of that from you. Great for shipping a side project; bad for building the skills needed in this field.

The EC2 free tier gives you 750 hours/month of a t2.micro. Spin one up, SSH in, break it, rebuild it.

If you have an app idea and want it live this weekend…You’ve been messing about with Claude Code right??

Lightsail is super useful here. Pick a $5/month bundle, choose a one click stack (WordPress, LAMP, Node), and you’ll have something running in under ten minutes. The networking is pre-wired. The firewall has a simple UI. You get a fixed monthly bill with no surprise line items.

1. Navigate to the Lightsail Service

2. Choose an existing Blueprint APP Stack

   

   or if it’s a custom app choose OS only

   

3. Stick with General purpose here and upload an SSH Key (Or make one)

4. Connect using the Cloud Shell

5. Or locally with

 chmod 400 /Users/williampearce/Downloads/LightsailDefaultKey-eu-west-2.pem

ssh -i /Users/williampearce/Downloads/LightsailDefaultKey-eu-west-2.pem
      ubuntu@13.135.173.184

I’m not going to configure OpenClaw here, that’s not what this is about. I wanted to show you how blazingly quick you can set up a VPS and get stuck into new technology to run a quick test or learn.

It’s a good way to validate an idea before you care about infrastructure. Just don’t expect to learn much about how AWS actually works under the hood.

It’s a question I got last month…

Lightsail and EC2 live in separate AWS worlds. A Lightsail instance doesn’t automatically talk to your EC2 resources, RDS databases, or most other AWS services. If your app grows and you need to bring in Lambda, S3 permissions, or VPC peering, you’ll hit a wall and probably end up migrating anyway.

EC2 also has a steeper learning curve on billing. Data transfer costs, EBS volume charges, Elastic IP fees, they can catch you off guard if you’re not watching the cost

Calm, practical & self paced training to help you break into Cloud Security & DevSecOps

👉 Pre-order here: techtwoforty.com

Last Issue: Project: Get Started With Docker MCP 📦

Next Issue: AWS EC2 vs Lightsail - Which one to start with?

This Issue: Become Cloud Security Engineer FASTER

I’ve always looked up to Abed Hamdan (Unix Guy) and what he does in this space. Having the opportunity to sit down with him last week for a chat all things Cloud Security was a real honour!

Fare warning, I ramble a little. As a new Dad this year, sleep isn’t always guaranteed, I’d had a solid 4 the night before this!

- Will AI Steal Cloud Security Jobs?

- What is the most underserved area in Cloud Security Right Now?

- Where should Cloud Security Projects go on your resume?

- What’s the biggest mistake Cybersecurity Beginners make?

The “Yassified“ picture of me on the left here made me chuckle, totally my bad as I forgot to send Unix Guy a photo he could use.

Calm, practical & self paced training to help you break into Cloud Security & DevSecOps

👉 Pre-order here: techtwoforty.com

W J Pearce - Cyber Notes

Last Issue: DevSecOps Project Video Walkthrough 🚧

Next Issue: AWS EC2 vs Lightsail - Which one to start with?

This Issue: Get Started With Docker MCP Project 📦

By the End of This Post, You:

✅ Understand what MCP is and why it exists
✅ Have Docker MCP Toolkit running locally
✅ Connected Claude to an Obsidian MCP server
✅ Ran your first natural language tool calls
✅ Know where to go next

This is important to understand….

Talking to an LLM is easy. Getting an LLM to do something useful in the wild?

That’s where it’s a little more complicated and you need an “AI Agent.”

In cloud security, when you want one service or tool to communicate with another, you usually use an API. For example, a Lambda function might query NIST data and store the results in an S3 bucket.

However, as systems scale and every tool “speaks” a different API, integrating them with an AI becomes tangled. You end up writing custom code for each service, handling different authentication flows, and digging through inconsistent documentation every time. That approach doesn’t scale and is extremely difficult to maintain in an LLM driven setup.

That’s exactly the problem MCP is designed to solve.

Very Quickly, What is MCP?

MCP or Model Context Protocol is a standardised way to connect tools to LLMs.

Instead of writing code to call a tool’s API directly, you spin up an MCP server that sits in the middle. The server handles all the API calls, authentication and endpoint logic, so your LLM doesn’t need to know any of it.

All the LLM needs to do is ask the MCP server to perform a task. The server has the tools, the credentials and the knowledge of how to talk to the endpoint. The LLM stays clean.

This is why it matters: most major company is now exposing their tools via MCP, alongside their traditional API endpoints. It’s becoming the standard layer between AI and software.

The best way to learn is through projects

Here’s what you’ll need to set up your first MCP server locally with Docker

• Docker Desktop (latest version)

• An LLM app Claude Desktop, LM Studio or Cursor all work

• Claude Code (optional but recommended)

Project Time 🚀

I reserve the Projects for community members…Come join the fun! 🌍

Read more

Quick heads Up: The Pre Order pricing on my Cloud Security & DevSecOps Beginners Academy, is coming to an end soon….

🎓 The Full Course

🧭 Career Path Template

📄 CV / Portfolio Template (Built for Technical Roles)

💼 Portfolio Projects That Help Get You Hired

👉 Pre-order here: techtwoforty.com

Simple starter DevSecOps project…

I want to give you a complete walkthrough here and the kind of the content and teaching style that will be in Tech Two Forty.

Let me know what you think

Calm, practical & self paced training to help you break into Cloud Security & DevSecOps

👉 Pre-order here: techtwoforty.com

W J Pearce - Cyber Notes

Quick heads Up: The Pre Order pricing on Tech Two Forty: Cloud Security & DevSecOps Beginners Academy, is coming to an end soon….

✔ Build real Cloud Security & DevSecOps skills from scratch

✔ Follow a clear career roadmap (so you’re not guessing what to learn next)

✔ Create starter portfolio projects recruiters actually care about

✔ Use CV + portfolio templates built for technical roles

✔ Learn Linux, AWS, Containers, CI/CD security, Scripting, AI security and more

Designed for beginners and busy professionals who want a calmer, clearer way into Cloud Security & DevSecOps.

👉 Pre-order here: techtwoforty.com

What is AWS Security Agent?

At a high level, it does three things:

1. Architecture design reviews

2. Code review in pull requests

3. On demand penetration testing

The promise is simple: security feedback early, contextual and inside the workflow engineers already use.

It’s currently in public preview, and it’s AWS attempt at bringing AI assisted security across your entire SDLC.

This weekend I tested the Code Review capability.

Pen testing is powerful too, but that requires verified domains and a bit more setup, so i’ll cover that in a separate project

Project Time 🚀

I reserve the Projects for community members…Come join the fun! 🌍

Read more

Early bird pre-order is live (discounted) ⬇️

The people who understand Cloud Security & DevSecOps are more needed than ever. Reboot and start in Cloud Security & DevSecOps with projects you can do at home, through self paced visual learning.

👉 Pre-order here: techtwoforty.com

Cloud Security & DevSecOps for Beginners

Practical & self paced to help you:

🎓 Learn Linux, AWS, Containers, AI Security Workflows, Scripting, CI/CD Security and more.

🧭 Follow a clear Cloud Security & DevSecOps career roadmap

💼 Build starter portfolio projects

📄 Use CV + portfolio templates built for technical roles

Designed for beginners and busy professionals who want a calmer, clearer way into Cloud Security & DevSecOps.

What’s Included 🚀

🎓 The Full Course

Step by step Cloud Security & DevSecOps training covering:

🖥️ Linux – system administration & hardening

🐍 Automation – Bash and Python scripting

☁️ Cloud – AWS security architecture

📦 IaC – Terraform / Ansible

🐳 Containers – Docker security

🔁 CI/CD – GitHub Actions with SAST/SCA

🔐 Secrets – production secrets management

📋 Compliance – CIS benchmarks

🤖 AI – securing AI in production

All taught through practical examples and projects.

🧭 Career Path Template

A clear roadmap showing:

• Which skills to build first

• How to sequence your projects

• What roles you’re realistically targeting at each stage

So you’re not guessing what comes next.

📄 CV / Portfolio Template (Built for Technical Roles)

Learn exactly how to present your work:

• How to document projects properly

• What to put on your CV (and what to cut)

• How to explain architecture decisions, security controls, and tooling

• Example write ups you can reuse for GitHub, LinkedIn, and applications

💼 Portfolio Projects That Help You Get Hired

You’ll build projects recruiters actually care about:

• Secure automated environments using IaC

• CI/CD pipelines with security gates

• End to end deployments that show you can hit the ground running

I’ll show you:

• What hiring managers look for

• How to structure projects

• How to communicate impact clearly

⬇️ Early bird pre-order is live (discounted) ⬇️

👉 Pre-order here: techtwoforty.com

Meet the Lecturer 👨‍🏫

I built Tech Two Forty because I’m done with “cyber gurus” shouting about the hustle.

Eight years ago, I began my security journey, and it changed my life. It took me from feeling lost to becoming a Senior Cloud Security Engineer, but the road there was unnecessarily lonely and tough.

I’m dyslexic, and growing up I really struggled with traditional academic learning. Most tech education just didn’t work for how my brain works. Things only clicked once I found a clearer, more practical way to learn.

That’s exactly why I built Tech Two Forty. I’ve worked with neurodivergent experienced teachers to make it neurodivergent friendly, especially for ADHD and dyslexia, but it’s designed for anyone who wants learning to feel simpler, calmer and more human.

A content creator (still pondering that title), and the author behind TechOneTwenty and Cyber Notes, dedicated to being the guide I once needed. No gatekeeping.

Just a clear, practical path into Cloud Security & DevSecOps.

You’ve got this. Let’s go.

Frequently Asked Questions❓

How can you charge so little?

Education should be accessible to everyone. Charging £500+ for bootcamps is bs and simply not fair.

My passion is teaching, and I’ve chosen to keep this affordable so more people can break into cloud security without financial pressure.

Is this beginner friendly?

Yes. No prior experience required just commitment.

Will this help me get hired?

Yes. This course is built around portfolio projects recruiters actually care about. You’ll learn how to document your work, explain architectural decisions, and present projects professionally on your CV and LinkedIn.

Any influencer saying they will get you a job is lying to you, but will this course really really help? Yes, 100% it will.

Can I do this alongside a full time job?

Absolutely. The course is self paced and designed for evenings and weekends.

“No Stress” Guarantee 😌

I understand you have options. If you decide this isn’t the right fit for you within the first 72 hours, I’ll refund you in full, no questions asked.

I’m here to help you succeed, and that starts with making sure you feel confident in your purchase. Any questions, just ask.

⬇️ Early bird pre-order is live (discounted) ⬇️

Build real Cloud Security projects at home

👉 Pre-order here: techtwoforty.com

W J Pearce - Cyber Notes

Last Issue: DevSecOps Course: 2026 🛣️

Next Issue: I’m launching a world first project…

This Issue: AI Pentesting Project

This week we are setting up and testing PentestGPT, i’m going to assume you can guess what this one does already.

PentestGPT can

• Perform end to end automatic penetration testing without
  human expert knowledge

• Exploit the vulnerabilities and generate PoCs

• Automatically generate reports

To be clear: this is a fun project for the weekend, not necessarily something that’s going to redefine your CV. However, it is a pretty cool case study in how AI can speed up, not replace, the penetration testing process. It handles the "grunt work" of parsing scan results and suggesting the next logical command.

While tools like this are 100% going to be (and already are) being used in workflows, it still lacks adversarial intuition. It struggles with the contextual nuance. It might find a vulnerability but miss the “business logic” flaw that makes it critical.

The approach

As you probably know from using ChatGPT, LLMs tend to prioritise the most recent instruction you gave them, often losing sight of the broader objective. In a penetration test, where you might be juggling three different open ports while trying to maintain your initial foothold it’s not ideal. The AI literally “forgets the mission” while focusing on a single terminal error.

To combat this, the research team (who presented this at USENIX Security) split the process into three distinct modules to keep the “brain” on track:

You can read more here: https://pentestgpt.com/paper.html

Project Time…. 🚀

As usual, I reserve the Projects for community members…Come join the fun! 🌍

Read more

Last Issue: AI Hacking CV Project 🤖

Next Issue: 🚧 Secret Project 🚧

This Issue: DevSecOps Course: 2026 🛣️

Buying a course can make you feel like you’ve done the work, without actually putting in the work.

I understand the psychology of paying for a course, you are paying for curation and accountability. I’ve bought courses thinking, “I’ve paid for this, so I’ll do it.” And I still think buying courses is a great way to support your favourite creators. If you like the a particular teaching style, then that’s a great reason.

I imagine that, like most of my readers, you’re right at the start of your career. The best thing you can do right now is pick a lane and study it properly. However, since you aren’t paying money, you must pay with discipline.

So here is my free, custom DevSecOps course, pieced together from tools, resources, and free courses you can put together yourself.

Courses:

• AWS Skill Builder (Free Tier) - Filter by “Free” and “Fundamentals”. The “AWS Cloud Quest: Cloud Practitioner” is a role playing game that actually teaches you the platform.

• Microsoft Learn: Azure Fundamentals - The official text based learning path. It is better than most paid Udemy courses.

Repos:

jassics/awesome-aws-security - A massive curated list of resources specifically for AWS security.

Certs:

• Oracle Cloud Infrastructure Foundations Associate - Oracle frequently offers this certification exam for free (check their “Race to Certification” challenges). It covers the same core cloud concepts as AWS/Azure.

Courses:

Linux Foundation: Intro to Linux (LFS101x) - Hosted on edX. It is the gold standard for beginners. Audit the course for free.

Repos:

jlevy/the-art-of-command-line - A single README file that will teach you more practical Linux than a 4 year degree.

Certs:

HackerRank Linux Shell Badge - Complete their challenges and earn a skill badge to display on your profile.

Courses:

• GitLab Academy (CI/CD Fundamentals) - GitLab offers free self paced training on building pipelines.

• GitHub Actions: Hello World - An interactive bot guided course inside a real GitHub repo.

Repos:

cicdops/awesome-ciandcd - A collection of tools, best practices, and pipeline examples.

Certs:

GitHub Foundations Learning Path Badge - Finish the MS Learn path for GitHub and you get a digital badge of completion (The actual exam is paid, the badge for the course is free).

Courses:

Exercism: Bash Track - Mentored learning. You write a script, and automated tests (and sometimes humans) check your work.

Repos:

awesome-lists/awesome-bash - Scripts, tutorials, and snippets to steal for your own work.

Certs:

freeCodeCamp: Relational Database Certification - Don't let the name fool you; the first half is an intense, interactive Bash scripting bootcamp.

Courses:

• HashiCorp Vault: Getting Started - Interactive browser based labs. You don’t even need to install Vault to learn it.

• GitHub Security Lab: Secrets Scanning - Learn how to prevent credential leaks directly from the source.

Repos:

• OWASP/CheatSheetSeries - Specifically the “Secrets Management Cheat Sheet”.

Certs:

Snyk: Secrets Management Badge - Snyk offers free "lessons" that grant badges upon completion.

Courses:

• Wiz Academy: Container Security - High production value video courses on container vulnerabilities.

Repos:

aquasecurity/trivy - Go straight to the docs. Trivy is the industry standard open source scanner. The best way to learn is to read their "Getting Started".

Certs:

• None. (I can’t find any reputable “Free” cert for just image scanning. Build the Capstone Project I mentioned earlier instead; that is your proof.)

Courses:

• CodeQL U-Drive - Learn to query code like a database to find security errors.

• Secure Code Warrior (Public Tournaments) - Join their free public tournaments to learn secure coding patterns gamified.

Repos:

analysis-tools-dev/static-analysis - A giant list of static analysis tools for every programming language.

Certs:

Veracode Security Labs Community Edition - Free hands on labs that offer completion tracking.

Courses:

Snyk Learn: Open Source Security - Bite sized lessons on how supply chain attacks work and how SCA prevents them.

Repos:

google/osv-scanner - A free vulnerability scanner by Google for open source developers.

Certs:

Synopsys Academy - They often have free "community" training paths for Black Duck/SCA concepts.

Courses:

Qualys Training & Certification - This is the holy grail of free training. Qualys offers their full "Vulnerability Management Detection and Response (VMDR)" course AND certification exam for free.

Repos:

DefectDojo/django-DefectDojo - The industry standard open source tool for managing vulnerability data. Spin it up in Docker and learn it.

Certs:

Qualys Certified Specialist (VMDR) - Real industry certification. 100% Free. This is the highest value item on this entire list.

AI Hacking CV Project 🤖

Hacking Project 101: Reverse Shells with AWS & Ncat

AWS Security Project: STS 🔑

DevSecOps AWS Project

Supply Chain Security Project 📦 ⚔️

You should learn AWS Security Hub CSPM

The Ultimate Docker Project🐋

Part Two: The Ultimate Docker Project 🐋

The AWS Starter Pack

Easy Cloud DevOps Project🔧

New AWS Account Step-by-Step Guide✔️

Beginner AI Cloud CV Project📝

SQL Injection: Made Simple 💉

The Ultimate Cloud Project ☁️

Easy Cloud Automation Project ⚙️

I haven’t included the literal 1000s of free YouTube resources on this list because you don’t need me to tell you YouTube is a good resource in 2026

Have fun! 😉

WJPearce - Cyber Notes

Last Issue: 10,000 Readers Giveaway: AWS Cert 🚀

Next Issue: DevSecOps Course 2026

This Issue: AI Hacking Project: Metasploit MCP + Claude 🤖

Project Prerequisites

Before starting this project, ensure you have the following in place. This walkthrough assumes a local, authorised lab environment that you fully control.

Required environment and tools:

• Kali Linux: VM

• Claude Code: Account

• Python 3.10 or higher

• Network isolated vulnerable target: For example, Metasploitable 2 running locally.

• A Basic understanding of Metasploit: A penetration testing tool/framework that allows you to write, do testing, and execute exploit payloads/code

• Let me know in the comments if you need help with the above ⬆️

This project is intended strictly for educational and lab based security testing. Do not apply these techniques to systems you do not own or explicitly have permission to test

Project Time…. 🚀

As usual, I reserve the Projects for community members…Come join the fun! 🌍

Read more

I’ll keep this short and sweet, I’d like to give something back.

I’m giving away a free AWS Certified Cloud Practitioner exam voucher. It was the first exam I took, and it’s the one that really set me on my cloud security journey.

To enter, just reply to this post and share what your goals for this year are.

Thanks again to all of you! for signing up, and to the community members who trusted me with their money. Especially in times like these, it’s hard to ascertain real value in the landscape, and I hope that’s something I can continue to provide.

I have more giveaways and some great projects planned for this year, so keep your eyes peeled 👀 🚀

WJPearce - Cyber Notes

Enjoyed this? Why not check out my other reads…

Hacking Project 101: Reverse Shells with AWS & Ncat

AWS Security Project: STS 🔑

DevSecOps AWS Project

Supply Chain Security Project 📦 ⚔️

You should learn AWS Security Hub CSPM

The Ultimate Docker Project🐋

Part Two: The Ultimate Docker Project 🐋

The AWS Starter Pack

Easy Cloud DevOps Project🔧

New AWS Account Step-by-Step Guide✔️

Beginner AI Cloud CV Project📝

SQL Injection: Made Simple 💉

The Ultimate Cloud Project ☁️

Easy Cloud Automation Project ⚙️

Last Issue: Hacking Project 101: Reverse Shells with Netcat

Next Issue: AI Hacking Project: Atomic Red Team MCP

This Issue: Learn this Container Security Tool… 📦⚔️

“Two projects in one month. Not bad! Cyber Notes is my favourite newsletter!”
I can hear you all now say 📣

Jokes aside, I wanted to squeeze this one in before New Year. It will be slightly less “handholdy” than usual, but it sets you up with a practical understanding of Docker Scout and modern container security. Keep an eye out for the January project, AI Hacking Project: Atomic Red Team MCP. That one is going to be a standout.

There is no grand end goal today other than learning the tool and internalising the core concepts. By the end of this walkthrough, you will be able to:

• Understand how Docker Scout fits into a secure container pipeline

• Evaluate base image vulnerabilities and compare images effectively

• Integrate Scout into a GitHub Actions workflow for automated scanning

• Use gating policies to block releases

• Apply container security principles across your own projects

Docker Scout

At its core, Docker Scout is a container security solution that focuses on the software supply chain. Unlike other tools that simply grep a manifest file for versions, Scout digs into the SBOM (More on that here) to identify packages and match them against CVE databases.

It operates in two main modes:

1. Agentless Registry Scanning (Basically, they handle the compute and you don’t need to deploy anything into your registry): It hooks into your registries like Docker Hub, AWS ECR, etc. and analyses images “at rest.” It pulls metadata (not the full image) to monitor for new vulnerabilities in old images.

2. CI/CD & CLI (Active): A lightweight CLI tool that developers run locally or inside a pipeline to block builds before an image is ever pushed.

Features (Why You Should Give a Shit)

Chances are, if you read Cyber Notes, you either want to work in Cloud Security or already do. Below are the main ways I personally use Docker Scout at work, and I recommend you learn to employ it in the same way.

1. Managed Environments This is one of the standout features for organising policy. Instead of treating every image equally, you can assign images to specific “Environments” (Dev, Staging, Prod) - trust me, learn this.

• Why it matters: It mirrors the label/tagging systems you might see in tools like Prisma Cloud or Port IO. It allows you to align vulnerability policies with your application lifecycle. You can be lenient in Dev but strict in Prod.

2. Comparison & Diffing Scout includes an experimental compare command. This allows you to diff two images to see exactly what changed, not just in terms of layers, but in terms of vulnerability posture.

• Use case: “My build failed today but passed yesterday. What changed?”

3. Vulnerability Management & Exceptions Scout uses a pretty cool exception system (VEX) to handle false positives or accepted risks.

• Scopes: You can scope exceptions to a specific image, a whole repository, or the entire organisation.

• The Catch: From my testing, exceptions are metadata-heavy. If you scope an exception to a specific image digest, it won’t automatically propagate to a new tag of that image unless you scope it to the Repository or Organisation. It requires a deliberate strategy to ensure you aren’t re-ignoring the same CVE every week.

4. Developer Ecosystem Integration

• SARIF Support: It outputs results in .sarif format, making it easy to upload findings directly into GitHub Advanced Security or other dashboards.

• Policy Gating: You can define thresholds (“Block on Critical”) to break the build if criteria aren’t met.

How To

There is no grand end goal today other than internalising the core concepts. Below is the practical workflow I used to get up and running.

1. Authenticate & Setup

• First, you need to authenticate your local Docker CLI with your Scout organisation.

• Open the Docker Dashboard locally and navigate to the Scout tab > Sign in.

• You’ll be taken to the Scout onboarding page.

• Go through it all, or open the demo version if you don’t have your own registry yet

  

From the account settings page you can now create a personal access token which you should use to auth from the CLI, like so:

docker login -u <YOUR_ORG_USER>
# Enter PAT Token as password

2. Local Scanning

Before you even push your image, you can run a quick scan. This is great for “shifting left” without leaving the terminal.

Basic CVE Scan: I will use the Juice Shop image here

docker scout cves bkimminich/juice-shop:latest

Pretty easy right?

Simulate a Gate: You can run the command with arguments that mirror your build pipeline gates to see if you would pass or fail.

docker scout cves bkimminich/juice-shop:latest --only-severity critical,high

3. Working with Managed Environments

This was the most interesting part of the basics. You don’t just push images, you assign them to a stage in your lifecycle.

Assigning an image to ‘Dev’:

docker scout environment dev cybernotes-org/bkimminich/juice-shop:latest --platform linux/arm64

Remember, this ^ is what we would expect when using these tools in an actual company.

3. Next Steps for You

• Fix the easy stuff: Run docker scout recommendations <image> . It will tell you if simply swapping the base image (from node:16 to node:16-alpine) will instantly kill 50% of your CVEs.

• Spot the Difference Challenge: Push a new version of an image and use the experimental comparison command: docker scout compare <new-image> --to <old-image> This is the fastest way to answer your dev teams question question: “We didn’t change the code, so why is security flagging it now?”

• Add it to GitHub: If you have a test repository, add the docker/scout-action to your workflow yaml. Seeing the security report appear automatically in your Pull Request comments is usually the moment the tool “clicks” for developers.

Hopefully you’ve seen how simple it is to get up and running with image security and Docker Scout 🐋

WJPearce - Cyber Notes

Enjoyed this? Why not check out my other reads…

Hacking Project 101: Reverse Shells with AWS & Ncat

AWS Security Project: STS 🔑

DevSecOps AWS Project

Supply Chain Security Project 📦 ⚔️

You should learn AWS Security Hub CSPM

The Ultimate Docker Project🐋

Part Two: The Ultimate Docker Project 🐋

The AWS Starter Pack

Easy Cloud DevOps Project🔧

New AWS Account Step-by-Step Guide✔️

Beginner AI Cloud CV Project📝

SQL Injection: Made Simple 💉

The Ultimate Cloud Project ☁️

Easy Cloud Automation Project ⚙️

Last Issue: 5 x Entry Level Cloud Security Interview Questions

Next Issue: Learn this Container Security Tool… 📦⚔️

This Issue: Hacking Project 101: Reverse Shells with Netcat

I recently had a Cyber Notes reader reach out to share that they had landed an entry level cloud role in a FinTech company and they used some of the projects here as inspiration for their interview prep!!!!

This is incredible 💥 So, a huge shout out to them! And thank you for reading.

As promised, the projects are now bigger and better, and I’m spending a lot more time explaining the fundamentals 🤝

Let’s begin.

Read This > Then do the project…

Cloud fundamentals? Check. DevOps Skills? Check. AWS Certs? Check.

Hacking demo? That’s where things get interesting.

I keep seeing the same pattern in the cloud security beginner space: there’s almost no real showcase of what attackers actually do.

That’s exactly where I want to take Cyber Notes in the months ahead. Understanding the processes threat actors follow, the steps they take, and how they think is absolutely something you should know if you want to secure the cloud. To be honest, it is also way more interesting than configuring yet another Cloud Service.

This is where you are going to learn the fundamentals.

What’s a shell? In simple terms, it is the user interface that allows you to “talk” to the computer’s operating system. When you open your terminal and type commands, that’s you interacting with the shell. I’m guessing you’ve used one of these:

Bash (Linux / macOS): The industry standard for decades. Most Linux servers run this.

Zsh (macOS / Linux): Similar to Bash but with more user friendly features (themes, better autocomplete). It is now the default on Macs.

PowerShell (Windows): A powerful shell designed for system administration, treating outputs as objects rather than just text (a distinction I actually just learnt while researching this project).

If you’re really interested in learning more here, I recommend taking a basic Computer Architecture course, specifically one that covers the Kernel, how the shell wraps around it, and how the user interacts with the hardware through the OS.

So, why does this matter for hacking? We know that opening a “Shell” on a user’s device acts as a gateway, letting us run commands to do whatever we want (so long as we have the authorisation)

If you’re an attacker, this sounds ideal, right? You are rarely going to get physical access to a target’s device, but what if you could open a shell over a network?

Congrats! That’s the basis of every attacker’s end goal.

What are the two ways they do this?

What’s a Bind Shell?

This is where the target machine is made or forced, however you want to word it to open a specific port and listen for an incoming connection from the attacker.

Basically, thinking like a hacker, we want to turn the target device into a server that we connect to.

We can do this with a number of tools (like Netcat), and we will take a proper look at them in the project.

But wait… what about Firewalls? Aren’t they supposed to block this kind of incoming connection?

Correct.

Most corporate environments and even home routers have strict Inbound firewall rules. They are designed to stop random people on the internet (you) from initiating a connection to their internal computers (the target).

If you try to connect to that open port from the outside, the firewall will see an unsolicited incoming request and simply drop it.

Which is why…..We should learn….

What’s a Reverse Shell?

If the Bind Shell is us trying to push our way in, the Reverse Shell is us convincing the target to “phone home.”

Instead of the attacker trying to connect to the target (which the firewall blocks), we execute a payload on the target machine that tells it to connect back to us.

Why does this work?

Firewalls are strict on what traffic they let in (Inbound traffic), they are usually much more relaxed about what they let out (Outbound traffic). After all, the employees inside the network need to visit websites, send emails, and download updates. The firewall assumes that traffic leaving the building is generally safe.

So, in a Reverse Shell scenario:

1. The Attacker sets up a “Listener” on their own machine (waiting for a call).

2. The Target (victim) initiates the connection outbound to the attacker.

3. The Firewall sees an employee trying to connect to the internet and lets them through.

Sweet. We have a shell.

Let’s build.

As usual, I reserve the Projects for community members… come join the fun!

Read more

Last Issue: Cyber Notes is Changing…

Next Issue: Hacking Project 101: Reverse Shells with Netcat

This Issue: AWS Project: Security Token Service 🔑

I recently did a collab with Abed Hamdanm or as you might know him…UnixGuy!

Each challenge presents a key question, a common misconception (the wrong answer), and the correct, detailed explanation. Test yourself and see how well you know the fundamentals!

Skip to 29:00 for my section on 5 x Common Entry Level Cloud Security Interview Questions

Question #1: Role-Based Access Control (RBAC)

• Question: “What is role-based access control and how is it implemented in a cloud platform?”

• ❌ Wrong Answer (Misconception): “RBAC means each user has their own custom role with specific permissions. That’s incorrect because RBAC is about shared, standardised roles based on job functions, not user customisation, and direct user permissions don’t scale well.”

• ✅ Correct Answer: “RBAC is a security model where permissions are assigned to roles rather than individual users, and users are then added to those roles based on their job function. In cloud platforms like AWS IAM, RBAC is implemented by creating roles such as developer, security auditor, or database administrator, assigning specific permissions to each, and then attaching users or service accounts to those roles.”

Question #2: Encryption

• Question: “What’s the difference between Encryption at Rest and Encryption in Transit?”

• ❌ Wrong Answer (Misconception): “Encryption in transit is only needed for public internet traffic and not internal cloud traffic. That’s wrong because even traffic inside a cloud environment should be encrypted to prevent interception by attackers.”

• ✅ Correct Answer: “Encryption at rest protects data while it’s stored on a disk or in a database so that if someone gains access to the storage, they can’t read the data without encryption keys. Encryption in transit protects data while it’s moving between two points, such as from a user’s browser to a server or between two cloud services, preventing eavesdropping during transmission.”

Question #3: Security Groups

• Question: “What is a Security Group (or Network Security Group), and how does it work in the cloud?”

• ❌ Wrong Answer (Misconception): “A security group encrypts traffic that passes through it. That’s wrong because security groups only control whether traffic is allowed or denied; they do not encrypt, decrypt, or inspect the contents of the traffic.”

• ✅ Correct Answer: “A security group is a virtual firewall that controls inbound and outbound traffic to cloud resources such as virtual machines or containers. It works by defining rules that specify which traffic is allowed based on protocol, port, and source or destination IP addresses. Security groups are stateful, meaning if inbound traffic is allowed, the return traffic is automatically allowed without needing a separate outbound rule.”

Question #4: Infrastructure as Code (IaC)

• Question: “What is Infrastructure as Code (IaC) and what are the security benefits?”

• ❌ Wrong Answer (Misconception): “IaC is mainly for automation and faster deployment; it doesn’t improve security.”

• ✅ Correct Answer: “Infrastructure as Code (IaC) is the practice of managing and provisioning infrastructure through code instead of manual setup. It improves security by ensuring consistency across environments, minimising human error, enabling version control to track and review changes, and supporting automated security scanning to detect misconfigurations before deployment.”

Question #5: Secrets Management

• Question: “What is the purpose of Secrets Management in a cloud-based environment?”

• ❌ Wrong Answer (Misconception): “Secrets management is just about encrypting passwords in a database.”

• ✅ Correct Answer: “Secrets management is the practice of securely storing, accessing, and managing sensitive information such as passwords, API keys, database credentials, and tokens. Its purpose is to prevent secrets from being hardcoded into application code or configuration files and instead store them in a centralised, secure location that allows automatic rotation of credentials.”

WJPearce - Cyber Notes

Enjoyed this? Why not check out my other reads…

DevSecOps AWS Project

Supply Chain Security Project 📦 ⚔️

You should learn AWS Security Hub CSPM

The Ultimate Docker Project🐋

Part Two: The Ultimate Docker Project 🐋

The AWS Starter Pack

Easy Cloud DevOps Project🔧

New AWS Account Step-by-Step Guide✔️

Beginner AI Cloud CV Project📝

SQL Injection: Made Simple 💉

The Ultimate Cloud Project ☁️

Easy Cloud Automation Project ⚙️

Last Issue: Cyber Notes is Changing…

Next Issue: 5 x Common Entry Level Cyber Security Interview Questions

This Issue: AWS Project: Security Token Service 🔑

House Keeping:

Hopefully you’ll enjoy this week’s project, I feel it’s a really fundamental Cloud skill to know about from a security point of view. Let me know if you get stuck.

I wanted to drop a quick note to say Cyber Notes now has its own domain…cybernotes.tech 🎉

AWS STS

What is it and why is it so important? Okay, basically at a high level, AWS STS lets you request temporary credentials so a service in one account can safely take action another account.

Cross account access gets messy fast if you don’t structure it properly, so here’s the secure version of how it should work and what we are going to build today.

Account A
Runs something like:

• Lambda

• ECS task

It has a single IAM policy that says: I am allowed to call sts:AssumeRole on a role in

Account B
Contains the actual IAM role. This role has two things:

A trust policy that says: I trust Account A to assume me.

A permission policy that says: Here’s what I can do in Account B (example: write to S3, deploy to ECS, read Secrets Manager etc ).

Done.

Account B exposes a role.
Account A gets permission to assume it.

This is cool because, it means no permanent credentials and no giant list of access keys floating around.

Project Time

Okay, now you understand what’s going on here. Let’s build it out in action!

As usual, I reserve the Projects for community members… come join the fun!

Read more

Last Week: Cloud Security Cheat Code ⌨️

Next Week: AWS Project: Security Token Service 🔑

This Week: Cyber Notes is Changing…

Housekeeping: I made a small mistake last week with Cloud Security Cheat Code ⌨️ I had the introduction in twice, one draft version and one final version. Apologies for that; it was a long week!

I have written this newsletter once a week… for 87 weeks in a row.

We are nearly at 10,000 subscribers.

Thank you, you have shown me the work I do in making Cloud Security clear, visual and practical is extremely valued ❤️

Change is coming…

Fewer emails, more value.

Over the next month, you’ll start seeing fewer Cyber Notes in your inbox, but each one will pack a lot more punch.

Here’s what’s changing:
Right now, you get four reads a month, three focused on news, thoughts, guides, and roadmaps, plus one project (exclusive to paid readers).

Lately, I’ve felt like I’m rushing to publish something instead of putting that time into creating better, more meaningful projects. So going forward, Cyber Notes will go out twice a month instead of four times.

You’ll still get:

• 1 project per month (for paid readers - no change here, with access to all previous projects)

• 1 deep guide, roadmap, or opinion piece etc

Why this is better:
This shift means I can spend more time building bigger, better projects. You’ll get more value from each issue instead of quick updates.

To summarise:
Old > 4 issues/month
New > 2 issues/month (1 project + 1 guide)

Quality over quantity. I get more time to create better projects. You’ll get less noise and more substance. Everyone wins.

WJPearce - Cyber Notes

Enjoyed this? Why not check out my other reads…

DevSecOps AWS Project

Supply Chain Security Project 📦 ⚔️

You should learn AWS Security Hub CSPM

The Ultimate Docker Project🐋

Part Two: The Ultimate Docker Project 🐋

The AWS Starter Pack

Easy Cloud DevOps Project🔧

New AWS Account Step-by-Step Guide✔️

Beginner AI Cloud CV Project📝

SQL Injection: Made Simple 💉

The Ultimate Cloud Project ☁️

Easy Cloud Automation Project ⚙️

Last Week: DevSecOps AWS Project

Next Week: Cyber Notes is Changing…

This Week: Cloud Security Cheat Code ⌨️

You want to stand out > This is how

I get asked constantly a variation of the same question when it comes to Cloud Security:

• I am total beginner where can I start?

• I am Junior Cloud Engineer, how do I transition into Security?

• What should I study for Cloud Security?

⬆️ If the above resonates….read on! ⬆️

Here’s a cheat code for learning Cloud Security and hopefully a blanket answer to the above questions.

Nice, what does that even mean. Okay bare with me here, but this is a method I’ve used in the past and it really works!

When starting out it’s impossible to know where to start and what to study buuuuut the news is literally going to tell what areas in Cloud Security need attention right now.

Example 1: NPM Supply Chain Attack → Learn SCA

Take for example the news a few weeks ago about the NPM package compromise. The headlines screamed “WE NEED MORE SCA SKILLS!”

Use that as your starting anchor, your north star if you will, then walk backwards:

1. Start with the headline: NPM packages were compromised

2. Ask yourself: Cool, I don’t know what a package is and how it’s used

3. Learn that first: Understand package managers, dependencies, and how developers use them

4. Then go deeper: Okay, how can packages be taken advantage of?

5. Finally: What tools and processes prevent this? (SCA, SBOM, dependency scanning, version pinning)

By the time you’ve walked backwards through this chain, you understand:

• Package management systems

• Supply chain vulnerabilities

• Software Composition Analysis tools

• Real world mitigation strategies, that Security Engineers are actually using

Example 2: Salesloft API Keys Exposed → Learn Secret Scanning

Let’s say you see news about exposed Salesforce credentials causing a breach. The solution? “WE NEED SECRET SCANNING!”

Walk it backwards again:

1. The incident: API keys were exposed in public repos

2. Question: I don’t know what an API key is

3. Learn: What are API keys? How do they authenticate systems?

4. Next layer: How does Git work? Why would secrets end up in repos?

5. Prevention: What is secret scanning? How do tools like GitGuardian or GitHub Secret Scanning work?

6. Best practices: What are secrets management solutions? (AWS Secrets Manager, HashiCorp Vault )

Now you understand authentication, version control security, and secrets management, all from one news story.

This Works…

It’s relevant. You’re learning what matters right now in the industry.

It builds context. Walking backwards forces you to understand the fundamentals without getting lost in theory.

You’ll stand out. When everyone else is grinding through generic courses, you’re learning from active threats. In interviews, you can discuss current security incidents and demonstrate you understand the why behind the tools.

But What About Fundamentals?

I’m not saying don’t learn the fundamentals. I’m guessing if you’re reading this you already know a bit about Linux, networking, the cloud, etc., and you want to get stuck in and stand out.

You learn the fundamentals in context. Instead of learning about authentication in a vacuum, you learn it because you need to understand how an API key breach happened.

I’d hire someone who had done this 100 times over a generic understanding from a course.

WJPearce - Cyber Notes

Enjoyed this? Why not check out my other reads…

DevSecOps AWS Project

Supply Chain Security Project 📦 ⚔️

You should learn AWS Security Hub CSPM

The Ultimate Docker Project🐋

Part Two: The Ultimate Docker Project 🐋

The AWS Starter Pack

Easy Cloud DevOps Project🔧

New AWS Account Step-by-Step Guide✔️

Beginner AI Cloud CV Project📝

SQL Injection: Made Simple 💉

The Ultimate Cloud Project ☁️

Easy Cloud Automation Project ⚙️

Last Week: Cloud & Security Courses I recommend for beginners 📖

Next Week: Cloud Security Cheat Code ⌨️

This Week: DevSecOps AWS Project

This project was my first step into DevSecOps and it’s a super easy one to get your head around.

We are going to use Terraform to deploy some simple AWS Resources using a Github Actions as our Pipeline, with an additional security step to scan for misconfigurations in our IaC.

I’ve already build the basic foundations for this which you can find here: LINK

I really recommend following along with the above project before going ahead, it’s going to walk you through how to get setup with deploying Terraform in your AWS Account

What we are doing here :

Let’s begin…. ⬇️

I spend my evenings and weekends creating these projects to help you launch a career in Cloud Security. It’s all made possible by your support, and it keeps me caffeinated with flat whites!

If you’re searching for the perfect starting point in DevSecOps or cloud security, this is it. Consider becoming a paid subscriber to unlock this project and dozens more.

Read more

Last Week: The Best Games for learning Cloud Security 🎮

Next Week: Weekend Project: Terraform Security

This Week: Cloud & Security Courses I recommend for beginners 📖

Courses are neat

If you’re just getting started, courses are cool. They offer insight into what a profession might include and a well trodden path of areas you should focus on to get where you need to be.

However…

Try not to indulge too much. You’ve heard the phrase “tutorial hell”! Basically, get what you need to know and start doing.

No self taught engineer got to where they are without getting stuck and breaking things first.

Here are some courses I would take (and have taken) if I was just starting out in Cloud Security.

Note: These are not affiliate links, I earn $0 commission from these. Unless it’s my own resource.

A great starting point for anyone wanting to learn AWS and tbh and the only resource, besides a study app I used to pass my AWS SAA

A solid walkthrough that goes over everything you need to get started with Terraform. Some say Terraform is on the way out, I disagree, I think it will evolve, regardless the core concepts of IaC are still worth learning.

Kubernetes: Link

KodeKloud is a great resource as it has a good mix of videos and hands on labs. This specific course teaches Kubernetes first principles, ideal for beginners.

Google Cloud Cyber: Link

Googles CompTIA Sec+ Rival…

“This is the first of five courses in the Google Cloud Cybersecurity Certificate. In this course, you’ll explore the essentials of cybersecurity, including the security lifecycle, digital transformation, and key cloud computing concepts. You’ll identify common tools used by entry-level”

HTB: Link

The Hack The Box CDSA certification path for learning defensive security, threat hunting, SOC operations. It’s super hands on! Letting you spin up dummy target environment etc so you can get a proper feel for how a role might look. You get a cert also which is nice for LinkedIn, if you’re into that.

Udemy: Link

The very first course I completed! The AWS Cloud Practitioner course helps build foundational cloud knowledge. It’s usually on sale so I wouldn’t pay full price here. Stepahne Maarek covers absolutely every last thing you would need for the AWS CCP Exam.

The single best starting point for learning Docker…Nana is an amazing teacher and explains things in way I try and emulate with my own stuff.

GHAS: Link

One I have completed recently. It will help you become familiar with GitHub’s Advanced Security features and best practices. As you learn about these features, you’ll identify critical areas for eliminating security gaps. If you’re interested in DevSecOps, this is a fantastic starting place.

TechOneTwenty: My very own resource and a fantastic starting place covering the following:

It’s actually on sale right now 💸 Click the image to check it out🖱️

WJPearce - Cyber Notes

Enjoyed this? Why not check out my other reads…

The Ultimate Docker Project🐋

Part Two: The Ultimate Docker Project 🐋

The AWS Starter Pack

Easy Cloud DevOps Project🔧

New AWS Account Step-by-Step Guide✔️

Beginner AI Cloud CV Project📝

SQL Injection: Made Simple 💉

The Ultimate Cloud Project ☁️

Easy Cloud Automation Project ⚙️