The Professional Profile
Phase 1 brought everyone to one shared foundation. In phase 2 you step off at a station and go deep: you pick one or more cybersecurity topics, carry out practical research on them for a fictional client, and deliver a prototype or report. Your portfolio and final presentation form the assessment.
01 The assignment
You are free in your choice, but these boundaries apply to everyone — tech and non-tech alike.
K1 Free choice
Pick one topic or combine a few. Inventing your own topic is allowed, as long as it fits within cybersecurity and the Secure-by-Design mindset.
K2 Practical research
It's about doing: not just reading, but researching, testing, building or validating. A demonstrable practical core is required.
K3 Prototype or report
Your deliverable is a working prototype, or a well-founded report/advice. What fits your topic and your angle is up to you.
K4 Fictional client
Aim your work at a fictional client with a real problem. That forces scope, relevance and professional communication.
K5 Assessment = portfolio + presentation
You are assessed on your portfolio (process, choices, evidence) and a final presentation in which you defend your work to the client.
K6 Tech and non-tech
Every topic can be approached technically (building) or organisationally/research-wise. Choose the angle that suits you.
02 Choose your deep dive
These topics are inspiration, not a fixed menu: feel free to combine them, or come up with your own topic. The topics hang under the same stations as in phase 1. Each topic lists a build angle and a research angle, plus a possible client.
Product & baseline security
- About: Securing devices with limited computing power (ESP32/RP2040): communication, updates, storage.
- Build: Prototype with encrypted communication, a secure boot concept and signed OTA updates.
- Research: Research into the biggest IoT risks + design guideline for a product line.
- Client: Hardware startup launching a smart device.

- About: Not the maths, but correct application: key management, secrets, certificates, common mistakes.
- Build: Set up secrets management in an application + demonstrate wrong vs. right.
- Research: Policy and guideline for key and certificate management in an organisation.
- Client: Scale-up that grew fast and has no secrets policy.

- About: How to design defaults, configuration and user flows so that secure is the easy path.
- Build: Redesign an insecure flow into a working prototype.
- Research: Design guidelines + review checklist for a product team.
- Client: SaaS company with complaints about insecure default settings.
Mindset, culture & awareness
- About: Designing a campaign that really sticks: audiences, message, channels, measuring impact.
- Build: Build an interactive training module or microlearning.
- Research: Campaign plan with audience analysis, materials and a measurement setup.
- Client: Organisation after a data breach caused by human action.

- About: The setup and ethics of phishing simulations and the follow-up training.
- Build: Your own (ethical) simulation setup + landing page and measurement dashboard.
- Research: Playbook + ethical framework + training approach for HR/IT.
- Client: Educational institution that wants to make staff more resilient.

- About: Mapping culture and improving it on purpose: measurement instruments, interventions, resistance.
- Build: Dashboard/survey tool to track culture indicators.
- Research: Baseline measurement + intervention plan based on a culture model.
- Client: SME that mostly sees 'security' as IT's problem.
Hacker mindset & offensive
- About: Finding vulnerabilities in a (own or test) application in a structured way, within clear boundaries.
- Build: Pentest on a test environment + reproducible exploits and fixes.
- Research: Methodical test report with findings, risks and recommendations.
- Client: Web agency that wants assurance about a new application.

- About: Using open sources to map the exposure of an organisation or product.
- Build: Tooling/script that gathers and summarises public information.
- Research: OSINT report on the digital footprint + reduction advice.
- Client: Company that wants to know what attackers already know about them.

- About: How manipulation works and how to defend against it — strictly ethical and with consent.
- Build: Controlled test setup (e.g. a vishing script) with a measurable outcome.
- Research: Analysis of techniques + resilience advice and behavioural rules.
- Client: Reception/service-desk organisation that gets called a lot.
Governance, compliance & supply chain
- About: What an organisation must arrange to comply with NIS2 and actually become more secure.
- Build: Self-assessment tool that scores NIS2 readiness.
- Research: Gap analysis + prioritised roadmap towards compliance.
- Client: Healthcare or utility organisation newly in scope of NIS2.

- About: Data protection from the design onward: data minimisation, legal bases, DPIA thinking.
- Build: Prototype that implements data minimisation and consent properly.
- Research: DPIA-light + privacy-by-design guideline for a product.
- Client: App builder processing minors' personal data.

- About: The core of a management system: policy, risks, controls, improvement cycle.
- Build: Simple register/tool for risks and controls.
- Research: Concise ISMS starter kit: policy, risk analysis, control set.
- Client: Growing company that needs to offer clients ISO assurance.

- About: Controlling dependencies on software, suppliers and services; SBOM in practice.
- Build: Pipeline that automatically generates an SBOM and reports vulnerabilities.
- Research: Supplier risk policy + process for dependency management.
- Client: Company that uses a lot of third-party open source and SaaS.

- About: What the Cyber Resilience Act requires of digital products and how you demonstrate it.
- Build: Conformity checklist tool linked to product characteristics.
- Research: Conformity analysis + step-by-step plan towards CRA compliance.
- Client: Manufacturer of a product with digital components.
Threat modelling, detection & blue team
- About: Modelling a system for threats and determining how you would detect attacks.
- Build: Work out a threat model and build matching detection rules.
- Research: Threat model report + monitoring/detection advice.
- Client: Fintech startup with a new payment integration.

- About: Setting up central logging and detection with open-source tooling (e.g. Wazuh/ELK).
- Build: Working SIEM setup with dashboards and a few use cases.
- Research: Logging strategy + use-case catalogue for a SOC.
- Client: Hosting company that wants to spot attacks sooner.

- About: Luring attackers into a decoy environment and analysing their behaviour.
- Build: Set up a honeypot, collect attack data and visualise it.
- Research: Analysis of observed attack patterns + defence advice.
- Client: Research lab that wants to monitor current threats.

- About: How a Security Operations team works: roles, triage, escalation, playbooks.
- Build: Tooling/template for alert triage and playbook execution.
- Research: SOC setup plan with processes, roles and playbooks.
- Client: Organisation that wants to professionalise detection.
Architecture & requirements
- About: Basing access on continuous verification instead of assuming a trusted internal network.
- Build: Reference setup with identity-based access.
- Research: Zero-trust migration plan + principles for a network.
- Client: Company that no longer has a 'safe office network' after remote working.

- About: Designing and managing identities, roles and permissions across systems.
- Build: Prototype with role-based access and SSO/MFA.
- Research: IAM design + roles/permissions model and governance.
- Client: Organisation where former employees turn out to still have access.

- About: Securing APIs: authentication, authorisation, rate limiting, abuse resistance.
- Build: Build a secured API + show how an insecure variant breaks.
- Research: API security guideline + review checklist for developers.
- Client: Platform that opens up its API to partners.
SDLC, DevSecOps & CI/CD
- About: Automating security controls along the path from code to production.
- Build: Pipeline with security gates that stop insecure builds.
- Research: Adoption plan + measurable gates for a DevOps team.
- Client: Scale-up that wants to keep releasing fast and securely.

- About: Setting up static, dynamic and dependency scanning and taming the noise.
- Build: Integrated scanning with triaged, actionable output.
- Research: Tooling choice + process to follow up on findings.
- Client: Team drowning in security alerts.

- About: Preventing misconfigurations in cloud/infra code and testing them automatically.
- Build: IaC with policy-as-code that blocks insecure configurations.
- Research: Hardening baseline + review process for infra code.
- Client: Company that rolls out its cloud entirely via code.
Testing, pentest & incident response
- About: Testing an application or environment in a structured way and reporting professionally.
- Build: Carry out a pentest on a test target + reproducible findings.
- Research: Full pentest report with risks, evidence and advice.
- Client: Company having a security test done for the first time.

- About: Drawing up a response plan and testing it via a tabletop exercise.
- Build: Tooling/checklist that guides the team through an incident.
- Research: IR plan + worked-out tabletop with evaluation.
- Client: SME without any playbook for a ransomware attack.

- About: Securing and analysing traces after a (simulated) incident.
- Build: Investigation on a prepared image + a well-founded timeline.
- Research: Forensic report + chain-of-custody procedure.
- Client: Organisation that wants to know how an attacker got in.

- About: How to properly handle vulnerability reports from third parties.
- Build: Working report page + internal handling-workflow prototype.
- Research: Disclosure policy + internal procedure and SLAs.
- Client: Company that increasingly gets 'we found a vulnerability' emails.
Current & other themes
- About: Risks of AI systems (prompt injection, data leaks, model abuse) and AI as a defence.
- Build: Prototype that demonstrably abuses an AI application and mitigates it.
- Research: Risk analysis + guideline for safe use of AI tools.
- Client: Company hastily putting an AI chatbot on customer data.

- About: Configuring cloud environments securely and testing them continuously.
- Build: Posture scan + hardening of a test environment.
- Research: Cloud baseline + control plan for a team.
- Client: Company with a fast-grown, messy cloud.

- About: Securing industrial systems, where safety and availability come first.
- Build: Test setup/simulation of an industrial protocol.
- Research: Risk analysis + segmentation advice for a production environment.
- Client: Manufacturer with old, connected machines.

- About: What the arrival of quantum computers means for current cryptography.
- Build: Comparative test of post-quantum algorithms in a demo.
- Research: Migration impact analysis + advice for the coming years.
- Client: Organisation with data that must stay confidential 10 years from now.

- About: Synthetic media as a threat and how organisations arm themselves.
- Build: Detection demo or awareness tool around fake media.
- Research: Resilience analysis + protocol against CEO fraud/deepfakes.
- Client: Organisation with public spokespeople and payment authority.
03 Two example routes
Two worked-out approaches to give direction — one build-focused, one research-focused.
Secure smart doorbell
- Topic(s): Secure IoT/embedded devices + Cryptography in practice (S1)
- Fictional client: Hardware startup 'BelVeilig' wanting to launch a smart video doorbell.
- Research question: How do you design the doorbell's firmware and communication secure-by-design, within the limits of cheap hardware?
- Practical research: Threat model on the device and the data flows; comparison of crypto libraries on an ESP32; measuring the performance impact of encryption.
- Deliverable: Working prototype: encrypted communication, signed OTA updates and a secure-boot concept, with technical justification.
- Portfolio: Threat model, design decisions with trade-offs, test results, source code and reflection.
- Final presentation: Live demo for the 'client' explaining the key trade-offs and residual risks.
Making a healthcare organisation NIS2-ready
- Topic(s): NIS2 readiness assessment + Security awareness campaign (S4 + S2)
- Fictional client: Mid-sized home-care organisation 'ThuisZorg Brabant' newly in scope of NIS2.
- Research question: What must the organisation arrange to comply with NIS2 and genuinely become more secure, and how do you get the staff on board?
- Practical research: Gap analysis against the NIS2 obligations; risk assessment of core processes; (fictional) personas and interviews; benchmark of awareness approaches.
- Deliverable: Advisory report with a prioritised roadmap, plus a worked-out awareness campaign concept with sample material.
- Portfolio: Gap analysis, risk matrix, roadmap, campaign plan, substantiation with sources and reflection.
- Final presentation: Executive advice to the 'board' with clear choices and a cost/benefit consideration.
04 From choice to assessment
Here's how the track runs, and this is what goes into your portfolio and final presentation.
- Choose & explore: Pick one or more topics that genuinely draw you in.
- Scope & client: Choose a fictional client and demarcate the problem.
- Research question: Formulate a sharp, practical question you can answer.
- Practical research: Build a prototype or do focused research, and deliver evidence.
- Portfolio: Record context, choices, process and results.
- Final presentation: Defend your work and advice to the client.
In your portfolio
- Problem & context — who the client is and why this topic
- Research question & scope — what exactly you investigate, and what not
- Approach & method — how you went about it
- The work — the prototype or report itself
- Substantiation & sources — choices justified with reliable sources
- Testing & validation — how you know it works / is correct
- Reflection & next steps — what you learned, what you would do differently
What is assessed
- Depth — how far you went into the topic
- Practical research — quality and relevance of what you did or built
- Secure-by-design thinking — do you visibly apply the phase 1 foundation
- Substantiation — are choices argued and source-backed
- Professional communication — does your story land with the client
- Reflection — do you look critically at your own work and process