Part 9: Capstone Projects
"Theory without practice is empty. Practice without theory is blind. The capstone is where they meet."
You have been building toward this.
Across forty-one chapters and eight parts, you have learned the foundations, mastered reconnaissance, exploited systems and applications, practiced post-exploitation and evasion, tested specialized domains, conducted advanced operations, and developed professional practices. Each chapter taught techniques in relative isolation -- a specific exploit here, a particular methodology there. The capstone projects are where isolation ends and integration begins.
Real penetration testing engagements do not come organized by chapter. When you sit down on day one of an engagement against a healthcare company, you do not think "today I will do Chapter 7 activities, and tomorrow I will move to Chapter 10." You think about the target, the scope, the objectives, and the constraints, and you draw on everything you know simultaneously. Reconnaissance flows into exploitation flows into post-exploitation. A web application finding leads to a server-side compromise that leads to an Active Directory attack chain. A social engineering pretext informed by OSINT opens a door that no technical exploit could. The skills interleave and compound in ways that are impossible to replicate in isolated exercises.
That is what these capstone projects demand. Each one presents a comprehensive, realistic scenario that requires you to plan, execute, document, and communicate an end-to-end security assessment. There are no step-by-step instructions. There is no single correct path. There are objectives, constraints, and the full weight of everything you have learned -- applied to scenarios complex enough to be genuinely challenging and realistic enough to prepare you for professional engagements.
The Three Capstone Projects
Capstone Project 1: Full-Scope Penetration Test -- MedSecure Health Systems
MedSecure has been with us since Chapter 1. You have seen its network architecture, its clinical systems, its Active Directory domain, its patient portal, its cloud migration, and its IoT medical devices through examples and case studies throughout the book. Now you are conducting a full-scope penetration test as if MedSecure were a real client.
This capstone provides a complete engagement package: a statement of work, network diagrams, scope documentation, rules of engagement, and a realistic environment specification. Your job is to execute the engagement from start to finish. You will conduct reconnaissance against MedSecure's external and internal attack surfaces. You will identify and exploit vulnerabilities across the network, system, web application, and cloud layers. You will escalate privileges, pivot through the clinical network, and demonstrate access to sensitive patient data. You will test the medical IoT devices that connect to the clinical VLAN. And critically, you will produce a professional penetration test report -- executive summary, technical findings, risk ratings, evidence, and remediation recommendations -- that would be deliverable to a real HIPAA-regulated healthcare organization.
This capstone tests everything: your technical depth across multiple domains, your ability to chain findings into meaningful attack paths, your understanding of healthcare-specific regulatory requirements, your documentation discipline, and your communication skills. It is the closest simulation to a real engagement that a textbook can provide.
Capstone Project 2: Bug Bounty Simulation -- ShopStack E-Commerce Platform
ShopStack has served as our web application target throughout the book. In this capstone, it becomes the focus of a simulated bug bounty engagement. You receive a program scope document modeled after real HackerOne and Bugcrowd programs, defining what is in scope (the web application, the API, the mobile app backend), what is out of scope (the underlying infrastructure, denial-of-service testing, social engineering), and the reward tiers for different severity levels.
Your objective is not just to find vulnerabilities but to find them the way a professional bug bounty hunter would. That means efficient reconnaissance, targeted testing based on your understanding of where high-severity bugs tend to live, careful scope compliance, and -- most importantly -- bug reports that are clear, reproducible, and compelling enough to earn payouts. You will submit multiple reports across different vulnerability classes, and each one must include a clear title, a step-by-step reproduction procedure, evidence of impact, and a severity assessment justified by real business risk.
This capstone tests a different set of skills than the MedSecure engagement. Bug bounty hunting rewards efficiency, breadth of knowledge, and communication quality. You are not writing a comprehensive report at the end -- you are writing individual, standalone vulnerability reports that must each stand on their own merits. The time pressure is different, the methodology is different, and the success criteria are different. If Capstone 1 is the marathon, Capstone 2 is the series of sprints.
Capstone Project 3: Red Team Campaign Design
The third capstone does not ask you to execute an attack. It asks you to design one. You are given a fictional organization profile and tasked with designing a comprehensive red team campaign that covers the full kill chain: initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and impact -- all mapped to MITRE ATT&CK.
You will develop threat models based on realistic adversaries, design multi-phase attack plans with contingencies, specify the tooling and infrastructure for each phase, plan physical security testing components, design the C2 infrastructure and communication plan, create deconfliction procedures to prevent operational conflicts with the client's security team, and produce the deliverable artifacts -- the campaign plan, the rules of engagement document, the threat model, and the ATT&CK Navigator visualization.
This capstone tests strategic thinking, operational planning, and adversarial creativity. It also tests your writing and planning skills at a level that reflects what senior red team operators actually do. The best red team campaigns are won before the first payload is delivered, in the planning phase, and this capstone focuses squarely on that reality.
How to Approach the Capstones
We recommend completing the capstones in order, as they build in complexity and abstraction. Capstone 1 is the most hands-on and the most guided -- you have a specific target, specific objectives, and a well-defined deliverable format. Capstone 2 requires more independent judgment about where to focus your time and how to communicate findings individually. Capstone 3 is the most abstract and demands the broadest strategic perspective.
Each capstone includes evaluation criteria so you can assess your own work. We provide rubrics covering technical depth, methodology adherence, documentation quality, communication clarity, and professional presentation. We also provide partial solutions and discussion of expected findings, but we deliberately do not provide complete walkthroughs. The entire point of a capstone is to work through the ambiguity and make decisions that textbook exercises do not require.
If you are using this book in an academic setting, these capstones are designed to serve as major assessments -- individually or as a sequence. If you are studying independently, they serve as portfolio pieces that demonstrate your capabilities to potential employers. A well-executed Capstone 1 report, in particular, is the kind of artifact that speaks louder than any certification on a resume.
Key Themes
Integration over isolation. Every preceding chapter taught something specific. The capstones require you to combine those specifics into coherent, effective operations. The ability to integrate skills across domains is what employers value most.
Judgment under ambiguity. Real engagements do not have answer keys. The capstones present you with enough ambiguity that you must make judgment calls about prioritization, risk, scope, and communication. These judgment calls are where experience begins to form.
Deliverables define professionalism. In all three capstones, the written deliverable is as important as the technical work. A brilliant attack chain that is poorly documented is a failed engagement. The capstones reinforce that truth by weighting documentation and communication alongside technical execution.
This is the beginning, not the end. Completing these capstones does not make you a finished product. It makes you a prepared beginner -- someone with the technical depth, the professional skills, and the integrated perspective to start a career in ethical hacking and grow from there. The field will continue to evolve, and so will you.
You have the knowledge. You have the skills. You have the methodology.
Show us what you can do.