🇳🇱 This minor is taught in Dutch only. This English version explains the programme for international readers and partners — the course itself runs entirely in Dutch.
Secure by Design · Phase 3 · talking poster

The Cybersecurity project

In phase 3 you and a team of four or five solve a real cybersecurity problem for a company. The questions differ enormously — a pentest, a NIS2 advisory, a detection solution, an awareness programme — but the route underneath is universal. This poster is that route: an approach that fits any kind of cyber question, with markers showing where you decide the approach yourselves.

phase 3 · team of 4–5 · a real company as client · any kind of cyber question · universal route · project plan · choices justified

01 Why a cyber project runs differently

A cyber problem is not an ordinary software project. These differences shape your approach — don’t underestimate them.

A1 Mandate before action

You need explicit permission, scope and rules of engagement before you touch anything. Without a mandate, testing is simply a criminal offence — this is not a formality.

A2 Risk-driven, not feature-driven

You work from threat, risk and compliance, not from user stories. The compass is likelihood × impact, not a feature list.

A3 Confidentiality is critical

You touch sensitive systems and data. Secrecy, secure storage and clean-up are part of the work from day one.

A4 Evidence must hold up

Findings are reproducible and substantiated. You record what you did so someone else can retrace it — auditable, not ‘trust me’.

A5 Not just straight into production

You test in a safe environment, or under strict control and in consultation with the client. You may not damage or take anything down.

A6 Success = risk reduced

It is not ‘does the feature work’, but ‘is the organisation demonstrably safer’ or ‘has the question been answered with evidence’.

A7 Handover counts too

The organisation must be able to carry on after you. Advice, a playbook or knowledge transfer is part of the result — not ‘done, good luck’.

02 The roadmap — a universal project approach

The content differs per question, the route does not · click a phase open · ◆ = this is where you make choices

Phase 0
Activities
  • Intake conversation: sharpen the assignment, expectations and context
  • Determine which type of problem this is
  • Agreements on scope, mandate/permission, confidentiality (NDA) and data handling
  • Record rules of engagement, point of contact and escalation line
Different from building software: Without explicit permission and a delineated scope you may do nothing. This is a legal and ethical precondition to start.
◆ Choices here: Which type of assignment is it — assessment, advisory, build, test, detection or awareness? That choice steers everything that follows.
Outcome: Signed agreements, a clear assignment and clear lines of contact.
Who leads: The project lead drives it; the whole team reads along and understands the boundaries.
Phase 1
Activities
  • Map assets, stakeholders and the current situation
  • Explore relevant threats and compliance requirements
  • Reformulate the central question into something researchable
  • Define success criteria and an initial risk estimate
Different from building software: You map assets, threats and risk appetite instead of functional requirements — the question behind the question.
◆ Choices here: Narrow & deep or broad & high-level? And which framework becomes your anchor: NIST, ISO, OWASP, CIS or something sector-specific?
Outcome: A sharp problem definition, scope and measurable success criteria.
Who leads: Content lead + client contact.
Phase 2
Activities
  • Choose and justify the approach and method
  • Planning, milestones and role division
  • Name deliverables, risks and assumptions
  • Work out ethics, data handling and rules of engagement; for testing also responsible disclosure
Different from building software: The plan explicitly includes safety (break nothing), data handling and a fallback plan — parts a software plan often misses.
◆ Choices here: Method (black/grey/white box, qualitative vs quantitative risk, phased vs iterative), environment (lab vs controlled production), and tooling (build your own vs existing).
Outcome: An approved project plan that the client has seen.
Who leads: The whole team; the project lead guards feasibility and planning.
Phase 3
Activities
  • Iterate in short cycles with regular check-ins
  • Record what you do and what you find
  • Coordinate with the client for anything touching live systems
  • Check along the way whether you are still answering the question
Different from building software: Work reproducibly and logged. If you touch sensitive systems, do so only in consultation and controlled — improvising can cause damage and liability.
◆ Choices here: Depth per finding, steering on time (time-boxed) or on coverage, and how much you automate.
Outcome: Substantiated findings or a working (partial) product, with evidence.
Who leads: Specialists out front; documentation/quality records the evidence.
Phase 4
Activities
  • Weigh risks on likelihood × impact
  • Prioritise and cluster findings
  • Weigh feasibility and trade-offs for this organisation
  • Draw up recommendations and a roadmap for the client
Different from building software: You deliver not a bare list of findings, but prioritised and actionable advice that fits the organisation’s risk appetite and resources.
◆ Choices here: Prioritisation method (risk matrix, CVSS, business impact) and how far you advise: quick wins or a strategic line.
Outcome: Prioritised recommendations with substantiation.
Who leads: Content lead + project lead.
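A worked version of the phase 4 weighing step, added here as an example and not part of the poster or the programme's own material: findings are scored on likelihood × impact on constructed 1–5 scales, mapped onto risk-matrix bands, clustered by root cause and screened for quick wins. The band thresholds, the effort scale and the sample findings are assumptions; tune them to the client's risk appetite.

```python
"""Phase 4 example: likelihood x impact scoring, prioritisation, clustering, quick wins."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed matrix bands (score floor, band name), highest first.
BANDS = [(20, "critical"), (12, "high"), (6, "medium"), (0, "low")]

@dataclass(frozen=True)
class Finding:
    title: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    effort: int       # 1 (hours) .. 5 (months) to remediate; assumed scale
    root_cause: str   # cluster key, e.g. "patch management"

def risk_score(f: Finding) -> int:
    """Plain likelihood x impact, the compass the poster uses throughout."""
    for name, value in (("likelihood", f.likelihood), ("impact", f.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be on a 1-5 scale, got {value}")
    return f.likelihood * f.impact

def risk_band(score: int) -> str:
    """Map a score onto the matrix bands; the first floor the score reaches wins."""
    return next(band for floor, band in BANDS if score >= floor)

def prioritise(findings: list[Finding]) -> list[tuple[Finding, int, str]]:
    """Highest risk first; ties broken by lower remediation effort."""
    scored = [(f, risk_score(f), risk_band(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda t: (-t[1], t[0].effort))

def cluster_by_root_cause(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings sharing a root cause so one recommendation can fix several."""
    clusters: dict[str, list[Finding]] = {}
    for f in findings:
        clusters.setdefault(f.root_cause, []).append(f)
    return clusters

def quick_wins(findings: list[Finding], min_score: int = 6, max_effort: int = 2) -> list[Finding]:
    """Medium-or-higher risk that is cheap to fix: candidates for the 'quick wins' line."""
    return [f for f in findings if risk_score(f) >= min_score and f.effort <= max_effort]

# Constructed sample findings for a fictional client.
SAMPLE = [
    Finding("Unpatched VPN appliance", 4, 5, 2, "patch management"),
    Finding("Workstations 3 months behind on updates", 3, 3, 2, "patch management"),
    Finding("No MFA on admin accounts", 4, 4, 1, "identity"),
    Finding("Verbose error pages on intranet app", 2, 1, 1, "hardening"),
    Finding("No tested backup restore", 2, 5, 4, "continuity"),
]
```

The prioritised list is the input to the roadmap; the clusters show where one measure (for example a patch process) closes several findings at once.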
Phase 5
Activities
  • Deliver the end product: report, prototype, policy, playbook or training
  • Presentation to the client
  • Knowledge transfer and — where needed — responsible disclosure
  • Return or delete sensitive data properly, revoke access
Different from building software: Handover and safely settling data and access are part of delivery. In cyber the project does not stop at ‘delivered’.
◆ Choices here: Delivery form and the degree of handover: advise only, or help set up/implement.
Outcome: A delivered and handed-over result with the client’s sign-off.
Who leads: Communication/presentation out front; the whole team presents.
Phase 6
Activities
  • Evaluate process, collaboration and result
  • Individual reflection
  • Formal closure with the client
  • Verify that all access and data copies have been cleaned up
Different from building software: ‘Closing’ in cyber also means demonstrably revoking all access and deleting copies of client data.
Outcome: An evaluation and a tidy, accountable closure.
Who leads: The whole team.

03 Continuous tracks

In a cyber project these are not separate phases but lines that run the entire journey. Neglect one and the project stalls — or worse.

runs through every phase

Ethics & law

Stay within the law and your mandate: permission, GDPR, no harm. In doubt? Coordinate first, don’t act.

Confidentiality & data handling

Secure storage, secrecy, and clean-up at the end. Treat client data as if it were your own secrets.

Stakeholders & communication

Manage expectations and coordinate regularly. No surprises for the client — a cyber project is political too.

Risk-driven working

Tie everything back to likelihood × impact and the original question. That keeps you away from fun-but-irrelevant side paths.

Evidence & reproducibility

Record, substantiate, make traceable. A finding without evidence is an opinion.

Team process & role division

Tasks, planning, quality and roles that may rotate. A good process carries the substantive work.

04 Decision points — where you set your own approach

The route is fixed, but at these points the team chooses deliberately. Justify every choice in your project plan — that is where the professional judgement lies.

F1 Type of assignment

assessment · advisory · build / prototype · test / pentest · detection & response · awareness

F2 Framing

risk-driven · compliance-driven · combination

F3 Framework as anchor

NIST CSF · ISO 27001 · OWASP · CIS Controls · sector-specific

F4 Scope

narrow & deep · broad & high-level

F5 Research / test form

black box · grey box · white box · qualitative risk · quantitative risk

F6 Environment

lab / test environment · controlled production

F7 Building

build your own · existing tooling

F8 Process

phased (waterfall-like) · iterative / agile

F9 Delivery form

report · prototype · policy / playbook · training · combination

F10 Handover

advice only · help set up / implement

05 Team & project plan

Roles in a team of 4–5

With four or five people you combine roles. Feel free to rotate them per phase.

Project lead / client contact

Planning, stakeholders and scope control. The single face towards the client.

Content lead (researcher / architect)

Guards the substantive depth and direction of the work.

Specialist(s)

Technical or governance, depending on the problem — the executing force.

Documentation & quality

Guards evidence, substantiation and traceability. The ‘evidence keeper’.

Communication & presentation

Reporting, final presentation and the throughline of the story.

In your project plan

The backbone of phase 2 stays in place, with cyber-specific additions (mandate, law, data handling).

  • Rationale & context (client and question)
  • Objective and problem statement + research question
  • Scope & delineation — including what is out of scope
  • Mandate, permission & rules of engagement
  • Ethics, law (GDPR) & data handling
  • Approach & method, with justified choices
  • Planning & milestones
  • Role division within the team
  • Deliverables & success criteria
  • Risks, assumptions & fallback plan
  • Communication & coordination agreements

Phase 3 talking poster — The Cybersecurity project · builds on the Secure-by-Design basis and the Professional Profile. Click a phase open · watch the ◆ decision points.