The build list

Thirty-six projects. One defended capstone.

Every project ships to a real environment, gets a written review by a senior engineer, and goes on your portfolio. Here is the full list and what each one proves to a hiring manager.

36: Projects
12: Categories
01: Capstone

01Foundations
Cloud account baseline across AWS, Azure, and GCP
Stand up a hardened multi-cloud baseline from zero.
Foundations
02Network
Network segmentation lab with VPCs and peering
Design and defend cloud network boundaries.
Network
03Crypto
TLS everywhere with private CA
Roll out and rotate certs without breaking workloads.
Crypto
04IAM
Least-privilege IAM rewrite for a sample app
Replace wildcard policies with safe scoped roles.
IAM
05IAM
Federated identity with SSO and SCIM
Plug an IdP into a cloud tenant the right way.
IAM
06Azure
Conditional access policy pack for Entra ID
Ship risk-based access controls in production.
Azure
07AWS
AWS landing zone with Control Tower guardrails
Stand up a compliant multi-account org.
AWS
08AWS
GuardDuty and Security Hub detection pipeline
Wire AWS findings into a real workflow.
AWS
09AWS
S3 hardening and public access audit
Prevent the most common cloud data leak.
AWS
10Crypto
KMS key lifecycle and envelope encryption
Design and rotate keys without breaking apps.
Crypto
11Azure
Azure Defender for Cloud rollout
Deploy Defender across a multi-subscription tenant.
Azure
12SecOps
Sentinel SIEM with cloud control plane detections
Write and tune real cloud detections.
SecOps
13GCP
GCP Security Command Center and Org Policy
Lock down a GCP org with guardrails.
GCP
14GCP
VPC Service Controls perimeter for sensitive data
Stop data exfiltration at the network edge.
GCP
15SecOps
Chronicle SIEM detection pack
Ship Chronicle detections that catch real attacks.
SecOps
16SecOps
Cloud log pipeline to a central data lake
Move logs cheaply and queryably at scale.
SecOps
17SecOps
MITRE ATT&CK cloud detection coverage map
Measure and close detection gaps.
SecOps
18IR
Public S3 leak incident response runbook
Lead a real cloud incident end to end.
IR
19IR
Forensic snapshot and triage for a compromised VM
Pull evidence from cloud without losing chain of custody.
IR
20IR
Post-incident review and corrective action plan
Turn an incident into durable improvements.
IR
21Governance
Org policy pack with tagging and guardrails
Govern a cloud org at scale.
Governance
22Compliance
SOC 2 control mapping for a cloud workload
Pass an audit without slowing the team down.
Compliance
23Compliance
HIPAA architecture for a healthcare API
Ship regulated workloads in cloud.
Compliance
24Compliance
PCI DSS scoped network for a payments service
Shrink PCI scope to almost nothing.
Compliance
25AI
LLM threat model for a customer chatbot
Apply OWASP LLM Top 10 to a real product.
AI
26AI
Prompt injection defense pack with guardrails
Stop prompt injection and data exfil.
AI
27AI
Bedrock access boundary and audit
Secure access to AWS foundation models.
AI
28AI
Azure AI Foundry deployment with private endpoints
Lock down an Azure AI workload.
AI
29AI
Vertex AI access controls and audit logging
Secure a GCP AI workload end to end.
AI
30AI
Model governance and red team playbook
Run AI red team and governance reviews.
AI
31Platform
Policy as code with OPA and Conftest
Enforce security in the build pipeline.
Platform
32Platform
Container image signing and admission control
Stop unsigned images from running in production.
Platform
33Platform
Secrets sprawl audit and remediation
Find and rotate leaked secrets across an org.
Platform
34Architecture
Zero-trust reference architecture for a SaaS
Design a zero-trust environment top to bottom.
Architecture
35Architecture
Multi-cloud reference architecture with shared identity
Design durable multi-cloud security.
Architecture
36Resilience
Disaster recovery and ransomware containment plan
Recover a cloud business after a destructive attack.
Resilience

Capstone · Weeks 17 – 18

Defend a real workload in front of senior engineers.

In the final phase you design, deploy, and defend a production-grade secure cloud and AI workload. Pass it and you graduate with a project you can walk through in every interview for the rest of your career.

Enroll now

Thirty-six projects. One defended capstone.

Cloud account baseline across AWS, Azure, and GCP

Network segmentation lab with VPCs and peering

TLS everywhere with private CA

Least-privilege IAM rewrite for a sample app

Federated identity with SSO and SCIM

Conditional access policy pack for Entra ID

AWS landing zone with Control Tower guardrails

GuardDuty and Security Hub detection pipeline

S3 hardening and public access audit

KMS key lifecycle and envelope encryption

Azure Defender for Cloud rollout

Sentinel SIEM with cloud control plane detections

GCP Security Command Center and Org Policy

VPC Service Controls perimeter for sensitive data

Chronicle SIEM detection pack

Cloud log pipeline to a central data lake

MITRE ATT&CK cloud detection coverage map

Public S3 leak incident response runbook

Forensic snapshot and triage for a compromised VM

Post-incident review and corrective action plan

Org policy pack with tagging and guardrails

SOC 2 control mapping for a cloud workload

HIPAA architecture for a healthcare API

PCI DSS scoped network for a payments service

LLM threat model for a customer chatbot

Prompt injection defense pack with guardrails

Bedrock access boundary and audit

Azure AI Foundry deployment with private endpoints

Vertex AI access controls and audit logging

Model governance and red team playbook

Policy as code with OPA and Conftest

Container image signing and admission control

Secrets sprawl audit and remediation

Zero-trust reference architecture for a SaaS

Multi-cloud reference architecture with shared identity

Disaster recovery and ransomware containment plan

Defend a real workload in front of senior engineers.