Foundations
Zero to Defender I.
Homelab, first server, anyone who says 'I'll do security someday.'
You just took over a couple of servers. A homelab. A first VPS. A weekend project that accidentally became production. Nothing is on fire yet — but you can already feel that if someone looks too hard, things will break. You don't need a university course. You need to stop the five most common ways self-hosted boxes get owned.
90% of real-world self-hosted compromises exploit three things: default credentials, missing TLS hardening, and open ports nobody knew were listening. This track shuts all three down in under an hour — and teaches you to read a security scan the way an operator does, not the way a textbook does.
- M-001
Ship HSTS before the crawler comes
A compliance crawler hits hodlberg.ag in 60s. Add Strict-Transport-Security, verify, reload — without breaking production.
⏱️ 5 min ⚡ 120 XP 🎯 5 goals
- M-002
Lock down SSH before the bots find you
Fresh Ubuntu box, sshd still wide open. Disable root login + password auth, reload sshd. The scans are already inbound.
⏱️ 6 min ⚡ 140 XP 🎯 5 goals
- M-003
Firewall: only what you actually need
An exposed DB host listening on seven ports. Configure UFW to allow only SSH, enable, confirm.
⏱️ 5 min ⚡ 130 XP 🎯 5 goals
- M-004
TLS in three commands
hodlberg.ag still serves plaintext HTTP. Press demo in 10 minutes. Issue a cert, flip to HTTPS, verify.
⏱️ 7 min ⚡ 150 XP 🎯 6 goals
- M-005
Misconfig Hunt — fix the top three
Claw Score dropped to D overnight. Three critical findings. Fix them all and rescan to A.
⏱️ 8 min ⚡ 160 XP 🎯 5 goals
- M-006
Fail2ban: protect SSH from brute-force attacks
Your SSH server is under brute-force attack. Configure fail2ban: enable sshd jail, reduce bantime to 3600s, maxretry to 3, harden port.
⏱️ 10 min ⚡ 200 XP 🎯 7 goals
Concrete outcomes. No lecture notes.
- 01 A server that scores A on a real security scan, not a theoretical one
- 02 TLS with Strict-Transport-Security, CSP, and the headers Google actually checks
- 03 A UFW firewall where SSH is the only open door
- 04 An SSH config that refuses root login, refuses passwords, and accepts keys only
- 05 Your first nginx hardening patch — typed into a real simulated shell, verified by a real audit
- 06 The reflex to never `sudo anything` from a shell whose history you can't explain
- Indie developers shipping their first side project to a public domain
- Homelab operators who just got burned by a bot scan
- DevOps engineers pivoting into security without wanting to sit through 20 hours of video
- Anyone who just read "self-hosted" in a job description and got nervous
Every mission in this track maps to at least one control in BSI-Grundschutz, ISO 27001 Annex A, and NIS2 Article 21. You won't graduate with a certificate you can show to an auditor — but you'll recognise the controls when the auditor names them.
I have 8 VPS boxes. I ran the Foundations track on a Sunday afternoon. By Monday morning all 8 had an A-grade SSL Labs score and a clean security audit. My old life is over.
Defender I
Complete all 5 missions end-to-end. Final goal in each mission must be verified by the simulator (not just skipped).
- ✓ W3C Verifiable Credential signed with `did:web:clawguru.org`
- ✓ LinkedIn certification badge — shareable, recruiter-recognised
- ✓ Unlocks the Stack Hardening track
- ✓ Access to the Defender Guild Discord (invite-only, opt-in)
Questions we already got.
Do I need Linux experience?
No. The first two missions assume you have never opened a terminal. You type, things happen, we explain. If you already know your way around bash, you'll blow through this track in under an hour.
Is the terminal real?
It's a fully simulated shell — xterm.js running a state machine in your browser. No real server is touched, no credentials needed, nothing reaches the network. You can also copy the commands and run them against your actual box after.
What happens if I skip a mission?
Each mission is self-contained. Missions 1 and 2 set up context (HSTS, SSH), but you can jump straight to UFW or the Misconfig Hunt if that matches your urgency. No gates.
Does this replace a proper security audit?
No. This is self-assessment and operator-grade hygiene. It will raise your score from 'easy target' to 'not worth the attacker's time'. For formal audits, you still want a human.
What do I get when I finish?
A downloadable Defender I credential — a W3C Verifiable Credential signed by ClawGuru. LinkedIn-shareable. Recruiters can verify it without contacting us.