$ cd ../workshops
MODULE_02Saturday, 08 Aug 2026 | 0930-1730 (08 hours)

AppSec Vulnerability Hunting

Build an automated, zero-bottleneck DevSecOps pipeline (SAST & DAST)

$ cat curriculum.md

Workshop Overview

Your source code is one of the biggest attack surfaces and most teams simply don't know where the doors are left open. This hands-on workshop bridges the gap between source code and production security by building an automated, zero-bottleneck DevSecOps pipeline. Instead of relying on manual reviews, you will spend the session building a fully operational security workflow.

Session 1: SAST

Module 1: Code Security & Secret Discovery Analyze your source code for critical vulnerabilities and exposed secrets before the code ever leaves the developer's machine. Tools: Semgrep, CodeQL, Gitleaks, OWASP Noir. Lab: Scan source code and historical git commits to uncover hidden structural flaws, architectural weak points, and credentials forgotten years ago.

Module 2: Supply Chain Security & SBOM Generation Deconstruct your software's dependencies to eliminate blind spots in your open-source supply chain. Tools: Trivy, OSV-Scanner, Syft. Lab: Generate verified SBOMs in SPDX and CycloneDX formats, and cross-reference active libraries against a live, real-time CVE database.

Module 3: Event-Driven Automation & Real-Time Alerts Transform isolated CLI scanners into a continuous, automated security pipeline that reacts instantly to code changes. Git Hooks/CI Triggers -> Event Bus -> Server-Sent Events (SSE). Lab: Engineer a git push workflow that instantly routes high-severity findings to a real-time web dashboard.

Module 4: Context-Engineered AI Triage Stop drowning in false positives by building a smart validation layer that leverages AI without guesswork. Local Context Assembly & Confidence Scoring. Lab: Package raw scanner outputs into structured case files for the LLM, enabling accurate, automated risk verdicts with explicit confidence ratings.

Session 2: DAST

Module 5: Whitebox & Blackbox Web Security Testing Configure authenticated and unauthenticated web application scans. Tools: OWASP ZAP, SQLMap, Dalfox, Wapiti, Nuclei. Lab: Launch end-to-end scans against vulnerable web apps and identify SQLi, XSS, SSRF, XXE, IDOR, exposed files, and server misconfigurations.

Module 6: Intelligent Correlation & Risk Prioritization Correlate SAST findings with DAST evidence to classify vulnerabilities as Verified, Probable, or Observed using confidence scoring. Lab: Import SAST findings, validate them dynamically, and generate confidence-ranked vulnerability reports.

Module 7: Real-Time Scan Orchestration & Monitoring Build automated scanning workflows with configurable scan profiles, authentication handling, and WebSocket-based progress tracking. Lab: Configure scan modules, execute real-time assessments, and monitor findings through an interactive dashboard.

Module 8: AI-Assisted Security Analysis & Reporting Leverage LLMs for adaptive scan planning, false-positive reduction, attack-chain generation, executive summaries, and compliance mapping. Lab: Generate AI-assisted analysis and prioritized remediation reports; export in PDF, SARIF, JSON, and CSV.