C - BLT-University: Security education platform with hands-on labs, quizzes & instructor review

[DonnieBLT]

Blt-education & Knowledge Sharing: Hands-On Code-Centric Security Labs & Community Intelligence (350 hr)

This idea transforms BLT's existing theory-heavy labs into hands-on, code-centric security exercises while establishing a community-driven knowledge sharing pipeline.

Learners analyze real vulnerable code and configurations, identify security flaws, reason about how they could be exploited, and then apply secure fixes. Anonymized vulnerability patterns are aggregated into public dashboards, monthly reports, and remediation playbooks—creating a feedback loop where learning informs intelligence sharing and vice versa.
The focus is on security thinking, inspired by OWASP Top 10, ethical hacking workflows, and CTF-style reasoning, but scoped for maintainability and learning depth.

Each lab follows a three-step workflow:

• Identify the vulnerability
  (What is wrong? Where is it?)

• Explain the exploitation scenario
  (How could this be abused? What is the impact?)

• Apply or select the secure fix
  (Correct remediation pattern + explanation)

Goals

• Deliver 6–8 hands-on labs that teach real security reasoning (OWASP Top 5 focus)
• Establish a safe, anonymized security intelligence pipeline for public sharing
• Create a feedback loop where real patterns improve labs and playbooks
• Maintain backward compatibility with existing theory-based labs
• Enable future gamification and integrations (BACON/badges, NetGuardian mapping)

Core Features (brief)

• Multi-step lab validation (Identify → Explain → Fix) with partial credit
• Lab schema, hints, difficulty ratings, and progress tracking
• Data anonymization + aggregation for BLT issues/PRs
• Public dashboard for trends and severity distribution
• Monthly/quarterly reports with two-person approval workflow
• Remediation playbooks converted into mini interactive challenges

Unified Architecture

graph LR
    A[BLT Vulnerability Data] --> B[Data Anonymization Pipeline]
    B --> C[Security Intelligence DB]
    C --> D[Public Dashboards]
    C --> E[Automated Reports]
    C --> F[Remediation Playbooks]
    F --> G[Interactive Security Labs]
    G --> H[Skill Tracking System]
    H --> I[Learning Dashboard]
    D --> I
    E --> I

Loading

Proposed Timeline

• Phase 1 (Weeks 1–4 | ~100 hours):
  Multi-step validation framework, content schema, data anonymization pipeline, and UI foundations

  • Implement multi-step validation (identify, explain, fix)
  • Define reusable content schema for security labs
  • Add UI support for step-wise progress and feedback
  • Maintain backward compatibility with existing labs
  • Implement data anonymization pipeline for BLT issues/PRs (strip PII, sanitize code snippets, aggregate patterns)
  • AI-assisted support:
    • Help draft concise explanations for vulnerabilities and fixes

• Phase 2 (Weeks 5–8 | ~120 hours):
  Core hands-on labs covering SQL Injection, XSS, and Configuration Security using the identify → explain → fix workflow

  • Create hands-on labs for:
    • SQL Injection
    • XSS
    • CSRF, IDOR, Authentication flaws
  • Include exploitation reasoning and secure remediation patterns
  • Add progress tracking, hints, and lab difficulty ratings

• Phase 3 (Weeks 9–11 | ~110 hours):

  • Create scheduled security challenges/puzzles and learning progress tracking
  • Build unified dashboard for labs, challenges, and skill coverage
  • Build public security intelligence dashboard from anonymized data (vulnerability trends, severity distribution, remediation metrics)
  • Create automated monthly/quarterly reporting system with two-person approval workflow
  • Transform top remediation patterns into playbooks and interactive content
  • Optional AI support:
    • Suggest next labs based on skill gaps

• Phase 4 (Week 12 | ~20 hours):

  • E2E testing (labs, dashboards, reports)
  • Documentation (lab creation guide, data anonymization policies, API reference)

Benefits

• Helps contributors learn how to think like security reviewers
• Improves quality of future vulnerability reports and PRs
• Transforms BLT data into actionable community intelligence
• Creates feedback loop: real vulnerability patterns → better labs → improved remediation guidance
• Builds community trust through transparent, anonymized security insights

Next-Steps

• Integrate with badges/BACON gamification for learning achievements
• Map NetGuardian findings to relevant learning labs automatically
• Enable two-person approval workflow for sensitive security content
• Establish public API for community access to security intelligence
• Can later evolve into a dedicated security learning playground, enabling richer lab types, additional vulnerability categories, and deeper practice

---

Last Updated: February 2026

[Nachiket-Roy]

We should combine B & C

[DonnieBLT]

I think B should go with the BLT-Bacon repo / project

[Nachiket-Roy]

I think we need a zero trust event repo to verify events which should be consumed by bacon and we can keep the bacon module in the main repo?

[Nachiket-Roy]

Also are we looking to build a full education platform or a lightweight reasoning and labs?

[e-esakman]

we do have labs but it has very basic stuff. I have been thinking of creating something like tryhackme, or advent of code. And like netguardian scans and shows vulnerabilities , those vulnerabilities can be served as education purpose things like that.

[Nachiket-Roy]

We can improve our existing labs instead of building a full standalone platform. C and D can be combined into a lightweight education + knowledge-sharing layer, and later we can plug in data from M + S (Project A) to make it fully data-driven.

[mdkaifansari04]

This could be extended with all the technical resources we use across multiple projects.

• people struggles a lot when they choose one project and juggle around resources to find the right one.
  why i say this: we are using some recent technology as using python cloudflare worker, having D1 support, how to integrate D1 in python worker, all docs are available in cloudflare but finding right one is kinda confusing.
  (useful for someone who folllow docs / tutorial before contributing to get the best pratices)