# 🛡️ Enterprise Security Assessment Lab
## ⚡ Project Overview
This repository documents a complete hands-on **Enterprise Security Assessment Lab** built to demonstrate practical cybersecurity capability across:
* 🌐 Web Application VAPT
* 🔌 API Security Testing
* 🏢 Internal Network and Active Directory Assessment
* ☁️ AWS Cloud Security
* 🔵 Azure Security and Cloud Lab Handling
* 🧾 Evidence-based documentation
* 🔐 Secret redaction and responsible cleanup
This project is designed as a recruiter-ready cybersecurity portfolio project. It does not only show tools being executed; it shows a complete security workflow:
Lab Design
→ Target Deployment
→ Reconnaissance
→ Enumeration
→ Vulnerability Validation
→ Attack Path Analysis
→ Evidence Capture
→ Redaction
→ Cleanup Verification
→ Professional Documentation
The strongest part of this lab is that every completed section is supported by real screenshots, terminal outputs, tool evidence, and cleanup checks.
# 🧭 Project Status
| Domain | Status | Summary |
| ------------------------ | -----------------------------------: | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 🌐 Web VAPT | ✅ Completed Practical Assessment | DVWA-based testing covering recon, enumeration, Burp, SQLi, sqlmap, XSS, command injection, file upload, CSRF, and hash cracking |
| 🔌 API Security | ✅ Completed Practical Assessment | crAPI, JWT analysis, BOLA/IDOR testing, excessive data exposure, rate-limit testing, mass assignment, hidden endpoint discovery, GraphQL, and OAuth request analysis |
| 🏢 Active Directory | ✅ Completed | Internal AD attack chain with Responder, Hashcat, Kerberoasting, BloodHound, DCSync, and Pass-the-Hash |
| ☁️ AWS Cloud Security | ✅ Completed | CloudGoat, Pacu, ScoutSuite, S3 public access test, IMDS credential exposure, IAM privilege escalation, cleanup, and billing verification |
| 🔵 Azure Security | ✅ Completed as Quota-Limited Attempt | AzureGoat attempted, quota limitation documented, Terraform cleanup completed, resource group deletion verified |
| 🟢 GCP | ✅ Deferred by Design | Deferred intentionally to avoid unnecessary billing and cleanup risk after AWS/Azure work |
# 📁 Repository Structure
```text
Enterprise-Security-Assessment-Lab/
│
├── README.md
├── .gitignore
│
├── 01-web-vapt/
│   ├── README.md
│   ├── screenshots/
│   ├── tool-outputs/
│   └── scripts/
│
├── 02-api-security/
│   ├── README.md
│   ├── screenshots/
│   ├── postman-collections/
│   ├── tools/
│   └── scripts/
│
├── 03-ad-network/
│   ├── README.md
│   ├── screenshots/
│   ├── reports/
│   └── notes/
│
└── 04-cloud-security/
    ├── README.md
    ├── screenshots/
    ├── reports/
    └── scripts/
```
# 📌 Executive Summary
This lab demonstrates the ability to perform structured security testing across multiple enterprise security domains.
The project includes:
* Practical reconnaissance and enumeration
* Vulnerability validation in controlled environments
* Web application attack testing
* API security testing
* Active Directory attack path analysis
* AWS cloud privilege escalation testing
* Azure cloud deployment and cleanup discipline
* Evidence collection and professional documentation
* Responsible handling of secrets, tokens, hashes, and cloud resources
The project is intentionally evidence-based. Claims are supported with screenshots and outputs rather than exaggerated finding counts.
# 🌐 Sub-Project 1 — Web Application VAPT
## 🎯 Objective
The Web VAPT section demonstrates practical web application vulnerability assessment against intentionally vulnerable web applications, mainly DVWA.
The goal was to practise a realistic web testing flow:
Environment Setup
→ Passive Recon
→ Service Discovery
→ Technology Fingerprinting
→ Directory Enumeration
→ Vulnerability Scanning
→ Manual Testing with Burp
→ SQL Injection Validation
→ XSS Validation
→ Command Injection Testing
→ File Upload Testing
→ CSRF Testing
→ Evidence Capture
## 🧰 Tools Used
| Tool | Purpose |
| ------------------ | ------------------------------------------------- |
| Kali Linux | Main attack environment |
| Docker | Running vulnerable lab targets |
| Nmap | Port and service scanning |
| Gobuster | Directory and file enumeration |
| Nikto | Web server vulnerability scanning |
| WhatWeb | Technology fingerprinting |
| Burp Suite | HTTP interception and repeater testing |
| SQLMap | SQL injection validation and database enumeration |
| John the Ripper | Hash cracking |
| Browser / DevTools | Manual validation and evidence capture |
## ✅ Completed Web VAPT Work
| Test Area | Status |
| --------------------------------------- | ----------: |
| Kali environment setup | ✅ Completed |
| Docker vulnerable target deployment | ✅ Completed |
| DVWA login/browser access | ✅ Completed |
| Tool version verification | ✅ Completed |
| Nmap full port scan | ✅ Completed |
| Gobuster directory enumeration | ✅ Completed |
| Nikto scan findings | ✅ Completed |
| WhatWeb technology fingerprinting | ✅ Completed |
| SQL Injection manual validation | ✅ Completed |
| SQLMap database enumeration | ✅ Completed |
| SQLMap users table dump | ✅ Completed |
| MD5 hash cracking with John | ✅ Completed |
| Burp intercepted request | ✅ Completed |
| Burp Repeater modified request/response | ✅ Completed |
| Reflected XSS validation | ✅ Completed |
| Stored XSS payload/source validation | ✅ Completed |
| Command injection validation | ✅ Completed |
| File upload webshell confirmation | ✅ Completed |
| CSRF forged request proof | ✅ Completed |
| Recon report file generation | ✅ Completed |
## 🖼️ Web Screenshot Gallery
* Kali Linux Setup
* DVWA Login Page
* Tools
* Nmap Full Port Scan
* Gobuster Directory Results
* Nikto Scan
* WhatWeb Technology
* DVWA SQL Injection
* SQLMap Database Enumeration
* SQLMap User Table Dump
* Burp Interception
* Burp Repeater
* XSS Alert
* XSS Payload
* Command Injection
* Webshell Confirmation
* CSRF

## 🧠 Web Security Lessons
* Automated scanners help with coverage, but manual validation is essential.
* SQL injection can expose backend database structure and stored credentials.
* Hash dumps must be handled carefully and redacted before publication.
* Burp Suite is useful for validating and modifying requests safely.
* XSS testing should be performed only in authorized lab targets.
* Command injection and file upload issues can lead to severe compromise in real environments.
* CSRF testing demonstrates how state-changing requests can be abused when protections are weak.
# 🔌 Sub-Project 2 — API Security Testing
## 🎯 Objective
The API Security section demonstrates practical testing of REST APIs, JWT-based authentication, BOLA/IDOR-style access control, rate-limit behaviour, mass assignment behaviour, hidden endpoint discovery, GraphQL introspection, and OAuth request analysis.
The assessment was performed only against intentionally vulnerable or safe lab environments such as crAPI, DVGA/GraphQL labs, and OAuth-focused training labs.
## 🧰 Tools Used
| Tool | Purpose |
| ------------------ | ------------------------------------------------- |
| crAPI | Intentionally vulnerable API lab |
| Postman | API request building and collection management |
| Burp Suite | API request analysis and OAuth request inspection |
| JWT.io | JWT decoding and claim inspection |
| ffuf | Rate-limit and endpoint testing |
| Kiterunner | Hidden API endpoint discovery |
| DVGA | GraphQL testing lab |
| curl / jq | API response testing and parsing |
| Browser / DevTools | API observation and evidence capture |
## ✅ Completed API Security Work
| Test Area | Status |
| --------------------------------------- | ----------: |
| crAPI Docker containers running | ✅ Completed |
| crAPI homepage accessible | ✅ Completed |
| Postman login request and JWT workflow | ✅ Completed |
| JWT decoding and token claim inspection | ✅ Completed |
| Postman collection structure | ✅ Completed |
| API tools version check | ✅ Completed |
| BOLA/IDOR-style access test | ✅ Completed |
| JWT manipulation attempt | ✅ Completed |
| Excessive data exposure review | ✅ Completed |
| Rate-limit behaviour testing with ffuf | ✅ Completed |
| Mass assignment extra field test | ✅ Completed |
| Kiterunner hidden endpoint discovery | ✅ Completed |
| DVGA GraphQL lab running | ✅ Completed |
| GraphQL endpoint availability check | ✅ Completed |
| GraphQL introspection/schema discovery | ✅ Completed |
| GraphQL user data query test | ✅ Completed |
| OAuth request analysis in Burp | ✅ Completed |
## 🖼️ API Screenshot Gallery
* crAPI Docker Containers
* crAPI Homepage
* Postman
* JWT Decoded Token
* Postman
* API Tools
* BOLA
* JWT Decoded Token Analysis
* JWT Attack Attempt Rejection
* Excessive Data Exposure Review
* Rate Limit Testing with ffuf
* Kiterunner Hidden Endpoints
* DVGA GraphQL Lab Running
* GraphQL Endpoint Alive
* GraphQL Introspection Schema Discovery
* GraphQL User Data Query Test
* OAuth Request Analysis

## 🧠 API Security Lessons
* JWT decoding is useful for analysis, but decoding alone does not mean compromise.
* Rejected JWT manipulation attempts are still valuable evidence because they show control validation.
* BOLA/IDOR testing must be performed carefully against authorized lab targets.
* Excessive data exposure can reveal fields that should not be returned to users.
* Rate-limit behaviour should be tested and documented clearly.
* Rejected mass assignment attempts demonstrate defensive behaviour.
* Kiterunner and ffuf can help discover hidden or undocumented endpoints.
* GraphQL introspection may reveal schema details if exposed.
* OAuth request analysis requires careful redaction of tokens, client data, and authorization values.
# 🏢 Sub-Project 3 — Internal Network & Active Directory Pentest
## 🎯 Objective
The Active Directory section demonstrates a complete internal network attack path in a private Windows domain environment. The focus was to understand how weak passwords, excessive privileges, exposed authentication protocols, and misconfigured domain permissions can lead to domain compromise.
## 🏗️ Lab Environment
| Component | Details |
| ----------------- | -------------------------------------------------- |
| Attack Machine | Kali Linux |
| Domain Controller | Windows Server |
| Workstation | Windows 10 domain-joined endpoint |
| Domain | `corp.local` |
| Network | Private lab network |
| Purpose | Controlled Active Directory attack path validation |
## 🧰 Tools Used
| Tool | Purpose |
| ------------------------- | ------------------------------------------ |
| Nmap | Network and service discovery |
| enum4linux-ng / SMB tools | SMB and domain enumeration |
| Responder | NTLMv2 hash capture |
| Hashcat | Offline hash cracking |
| NetExec / CrackMapExec | SMB validation and enumeration |
| Impacket | Kerberoasting, DCSync, Pass-the-Hash |
| BloodHound | Active Directory attack path visualization |
| Neo4j | BloodHound graph database |
## 🔗 Completed AD Attack Chain
Network Discovery
→ SMB Enumeration
→ NTLMv2 Hash Capture
→ Offline Hash Cracking
→ Credential Validation
→ Kerberoasting
→ Kerberoast Hash Cracking
→ BloodHound Collection
→ Attack Path Analysis
→ DCSync Testing
→ Pass-the-Hash Validation
→ Privileged Access Evidence
## 🖼️ AD Screenshot Gallery
* Responder NTLMv2 Hash Captured
* Hashcat NTLMv2 Cracked
* SMB Enumeration Credential Validation
* Kerberoasting SPN Ticket Requested
* Kerberoast Hash Cracked
* BloodHound Attack Path
* BloodHound Domain Overview Graph
* Pass-the-Hash SYSTEM Shell
* DCSync Domain Hashes Dumped

## 🧠 AD Security Lessons
* Weak passwords can turn captured hashes into valid credentials.
* LLMNR/NBT-NS poisoning can expose NTLMv2 hashes.
* Kerberoastable service accounts require long and complex passwords.
* BloodHound reveals privilege paths that are difficult to identify manually.
* DCSync permissions can expose domain credential material.
* Pass-the-Hash demonstrates why hashes must be protected like passwords.
* krbtgt material could enable Golden Ticket-style attacks if misused.
* Hashes, passwords, tickets, and secrets must never be published unredacted.
# ☁️ Sub-Project 4 — AWS Cloud Security Assessment
## 🎯 Objective
The AWS section demonstrates practical cloud security testing using intentionally vulnerable AWS lab environments. The focus was IAM enumeration, privilege escalation analysis, S3 exposure testing, ScoutSuite auditing, IMDS credential exposure, and responsible cleanup.
## ✅ AWS Safety Controls
| Control | Status |
| ----------------------------------- | ----------: |
| Root MFA enabled | ✅ Completed |
| Budget/free-tier monitoring checked | ✅ Completed |
| Dedicated lab IAM user used | ✅ Completed |
| CloudGoat deployed temporarily | ✅ Completed |
| Sensitive credentials redacted | ✅ Completed |
| CloudGoat destroyed after testing | ✅ Completed |
| EC2 cleanup verified | ✅ Completed |
| Billing/free-tier checked | ✅ Completed |
## 🧰 Tools Used
| Tool | Purpose |
| ----------- | -------------------------------------- |
| AWS CLI | AWS authentication and enumeration |
| CloudGoat | Intentionally vulnerable AWS scenarios |
| Pacu | IAM privilege escalation scan |
| ScoutSuite | AWS security audit |
| Terraform | CloudGoat deployment/destruction |
| curl / jq | IMDS and metadata testing |
| AWS Console | Billing, free-tier, and cleanup checks |
## ✅ Completed AWS Work
| Test Area | Status |
| ------------------------------------------------- | ----------: |
| AWS CLI authentication | ✅ Completed |
| IAM permissions enumeration | ✅ Completed |
| Pacu privilege escalation scan | ✅ Completed |
| S3 unauthenticated access test | ✅ Completed |
| ScoutSuite HTML report overview | ✅ Completed |
| ScoutSuite detailed finding review | ✅ Completed |
| IMDS credential exposure through vulnerable proxy | ✅ Completed |
| IAM instance profile privilege escalation | ✅ Completed |
| Target EC2 objective completed | ✅ Completed |
| EC2 cleanup verification | ✅ Completed |
| Free-tier/billing verification | ✅ Completed |
## 🖼️ AWS Screenshot Gallery
* IAM Permissions Enumeration
* Pacu Privilege Escalation Scan
* Bucket
* ScoutSuite Overview
* ScoutSuite Specific Finding
* IMDS
* CloudGoat EC2 Cleanup Verified
* AWS Free Tier Cleanup Check

## 🔗 AWS Attack Path Summary
Low-Privileged CloudGoat User
→ IAM Permission Enumeration
→ Pacu Privilege Escalation Scan
→ Instance Profile Role Manipulation
→ Privileged EC2 Role Assumption
→ Metadata Credential Exposure
→ Target EC2 Objective Completed
→ CloudGoat Destroy
→ Billing and Cleanup Verification
## 🧠 AWS Security Lessons
* IAM permissions should follow least privilege.
* Public S3 access must be reviewed and restricted.
* Instance metadata exposure can leak temporary role credentials.
* IMDSv2 should be enforced where possible.
* IAM instance profiles can create privilege escalation paths.
* Automated auditing tools such as ScoutSuite help identify misconfigurations.
* Cloud cleanup and billing verification are part of responsible cloud security work.
# 🔵 Sub-Project 5 — Azure Security Assessment
## 🎯 Objective
The Azure section demonstrates safe Azure cloud lab handling using Azure Portal, Azure Cloud Shell, Azure CLI, and Terraform.
AzureGoat was attempted in a private Azure subscription. The deployment was blocked by quota restrictions, documented clearly, and cleaned up responsibly.
## 🧰 Tools Used
| Tool | Purpose |
| --------------------- | ---------------------------------------- |
| Azure Portal | Subscription, cost, and resource review |
| Azure Cost Management | Budget setup and monitoring |
| Azure Cloud Shell | Authenticated browser-based CLI |
| Azure CLI | Azure resource operations |
| Terraform | AzureGoat deployment attempt and cleanup |
## ✅ Completed Azure Work
| Step | Status |
| -------------------------------------- | ----------: |
| Azure account login | ✅ Completed |
| Budget setup | ✅ Completed |
| Azure Cloud Shell authentication | ✅ Completed |
| AzureGoat Terraform deployment attempt | ✅ Completed |
| Quota limitation identified | ✅ Completed |
| Terraform destroy completed | ✅ Completed |
| `azuregoat_app` resource group deleted | ✅ Completed |
| Portal cleanup verification | ✅ Completed |
## ⚠️ AzureGoat Result
AzureGoat deployment was attempted, but the subscription blocked the required resources due to quota restrictions.
Observed issues included:
* App Service Plan quota restriction
* Basic Public IP quota restriction
* Subscription-level limitations on lab deployment
The deployment was not forced. Partial resources were destroyed with Terraform, and the `azuregoat_app` resource group deletion was verified.
## 🖼️ Azure Screenshot Gallery
* Azure CLI Authenticated
* AzureGoat Cleanup Confirmed

## 🧠 Azure Security Lessons
* Cloud subscription quotas can affect security lab deployment.
* Failed deployments still require cleanup.
* Azure Cloud Shell can be more reliable than a broken local CLI environment.
* Terraform destroy should always be verified.
* Resource group deletion should be confirmed after cleanup.
* Budget monitoring is essential for real cloud labs.
# 🟢 GCP Status — Deferred by Design
GCPGoat was intentionally deferred.
## Reason
* AWS CloudGoat was already completed.
* AzureGoat reached real subscription quota limitations.
* Running multiple vulnerable cloud labs at once increases billing and cleanup risk.
* The current project already demonstrates strong AWS and Azure cloud security practice.
## Future GCP Plan
Create isolated GCP project
→ Configure budget alert
→ Authenticate with gcloud
→ Enumerate IAM and service accounts
→ Review Cloud Storage permissions
→ Practise safer GCP labs
→ Attempt GCPGoat later only after billing workflow is mature
This is a deliberate risk-management decision, not an unfinished lab.
# 📊 Evidence Matrix
| Area | Evidence Type | Status |
| ---------------------------------- | ----------------------------------------------- | -----------: |
| Web environment setup | Docker/Kali screenshots | ✅ Completed |
| Web recon | Passive recon, WhatWeb, Nmap | ✅ Completed |
| Web enumeration | Gobuster, Nikto | ✅ Completed |
| Web exploitation validation | SQLi, XSS, command injection, file upload, CSRF | ✅ Completed |
| Web tooling | Burp, SQLMap, John | ✅ Completed |
| API lab setup | crAPI Docker and browser evidence | ✅ Completed |
| API authentication | Postman login/JWT evidence | ✅ Completed |
| API access control | BOLA/IDOR-style testing | ✅ Completed |
| API token testing | JWT analysis and rejected attack attempt | ✅ Completed |
| API discovery | ffuf and Kiterunner evidence | ✅ Completed |
| GraphQL testing | DVGA, endpoint, introspection, query testing | ✅ Completed |
| OAuth testing | Burp request analysis | ✅ Completed |
| AD credential attacks | Responder, Hashcat, Kerberoasting | ✅ Completed |
| AD privilege analysis | BloodHound attack paths | ✅ Completed |
| AD domain compromise simulation | DCSync and Pass-the-Hash | ✅ Completed |
| AWS IAM testing | IAM enumeration and Pacu | ✅ Completed |
| AWS cloud misconfiguration testing | S3, ScoutSuite, IMDS | ✅ Completed |
| AWS cleanup | EC2 and billing checks | ✅ Completed |
| Azure lab handling | Auth, quota limitation, cleanup | ✅ Completed |
| GCP | Deferred by design | ✅ Documented |
# 📚 Methodology and Standards
| Framework / Standard | How It Applies |
| ------------------------- | ------------------------------------------------------------------------------------- |
| OWASP Top 10 | Web application vulnerability testing |
| OWASP API Security Top 10 | API authentication, authorization, data exposure, rate limit, mass assignment testing |
| MITRE ATT&CK | AD and cloud attack technique mapping |
| PTES | General penetration testing workflow |
| NIST SP 800-115 | Technical security testing guidance |
| CIS Benchmarks | Cloud and configuration review reference |
| CVSS v3.1 | Severity scoring reference for future formal reports |
# 🎓 Skills Demonstrated
```text
┌───────────────────────────────────────────────┬───────────────────────────────────────────────┐
│ Skill Area                                    │ Evidence                                      │
├───────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ Web reconnaissance                            │ Passive recon, Nmap, WhatWeb                  │
│ Web enumeration                               │ Gobuster, Nikto                               │
│ Web vulnerability validation                  │ SQLi, XSS, command injection, file upload     │
│ HTTP request analysis                         │ Burp intercept and repeater                   │
│ API authentication testing                    │ Postman login and JWT workflow                │
│ API authorization testing                     │ BOLA/IDOR-style testing                       │
│ API discovery                                 │ ffuf and Kiterunner                           │
│ GraphQL testing                               │ DVGA, endpoint, introspection, query testing  │
│ OAuth request analysis                        │ Burp-based OAuth lab evidence                 │
│ Active Directory enumeration                  │ SMB, BloodHound, domain recon                 │
│ Credential attack validation                  │ Responder, Hashcat, Kerberoasting             │
│ AD privilege path analysis                    │ BloodHound attack path evidence               │
│ Domain compromise simulation                  │ DCSync and Pass-the-Hash in private lab       │
│ AWS IAM security testing                      │ CloudGoat and Pacu                            │
│ AWS cloud misconfiguration review             │ S3, IMDS, ScoutSuite                          │
│ Azure cloud operations                        │ Cloud Shell, CLI, Terraform                   │
│ Cloud cleanup and billing awareness           │ AWS/Azure cleanup verification                │
│ Evidence handling                             │ Redaction, screenshots, structured reporting  │
└───────────────────────────────────────────────┴───────────────────────────────────────────────┘
```
# 🔐 Redaction and Secret Handling
Before publishing any screenshot or output, the following must be redacted:
* AWS account IDs
* Azure subscription IDs
* Azure tenant IDs
* Email addresses
* Public IPs if privacy is required
* Access keys
* Secret access keys
* Session tokens
* JWT tokens
* Authorization headers
* Cookies
* OAuth authorization codes
* OAuth access tokens
* OAuth refresh tokens
* NTLM hashes
* Kerberos hashes
* Cracked passwords
* Private keys
* `.pem` files
* Terraform state data
* DCSync raw secrets
This repository must never include:
* `.env` files
* `.pem` files
* Terraform state files
* AWS credential files
* Azure profile files
* Full hash dumps
* Raw DCSync dumps
* Session tokens
* Cloud secret keys
* Private keys
* Unredacted JWTs
* Unredacted OAuth tokens
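
One way to enforce the two lists above before a commit is a small scanner that flags forbidden file names and redacts secret-shaped strings in tool output. This is an added example, not code from this repository: the function names, the glob mapping for the forbidden files, and the regexes (which cover only a subset of the redaction list) are assumptions.

```python
import re
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Name patterns for the "must never include" list (the glob mapping is an assumption).
FORBIDDEN_GLOBS = [".env", ".env.*", "*.pem", "*.tfstate", "*.tfstate.*",
                   "azureprofile.json"]

# Content rules for a few items on the redaction list. Order matters for redact():
# the Authorization header is replaced first so a bearer JWT is not handled twice.
SECRET_RULES = {
    "authorization_header": re.compile(
        r"\bAuthorization:\s*(?:Bearer|Basic)\s+\S+", re.IGNORECASE),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]*"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "lm_nt_hash_pair": re.compile(r"\b[0-9a-fA-F]{32}:[0-9a-fA-F]{32}\b"),
}


def forbidden_file(path: str) -> bool:
    """True if the path names a file type that must stay out of the repository."""
    p = PurePosixPath(path.replace("\\", "/"))
    if p.parts[-2:] == (".aws", "credentials"):   # AWS CLI shared credentials file
        return True
    name = p.name.lower()
    return any(fnmatchcase(name, glob) for glob in FORBIDDEN_GLOBS)


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, rule_name) for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_RULES.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def redact(text: str) -> str:
    """Replace every match with a labelled placeholder, keeping the rest of the line."""
    for name, pattern in SECRET_RULES.items():
        text = pattern.sub(f"[REDACTED:{name}]", text)
    return text


# Constructed sample output: the key is AWS's documentation example, the hashes are
# the well-known empty-password LM/NT values, and the JWT is a dummy token.
SAMPLE = """\
$ aws configure list
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJsYWIifQ.c2lnbmF0dXJl
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Nmap scan report for 10.0.0.5
"""

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}")
    print(redact(SAMPLE))
```

Pattern matching of this kind catches known formats only; screenshots and cracked passwords still need manual review before publication.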
# ✅ Cleanup Verification
## AWS Cleanup
AWS cleanup included:
* CloudGoat destroy
* EC2 instance termination check
* S3 bucket cleanup check
* IAM role cleanup check
* Free Tier / billing check
* Budget status check
## Azure Cleanup
Azure cleanup included:
* Terraform destroy
* `azuregoat_app` resource group deletion
* Azure Portal cleanup verification
* Budget and billing review
## Local Lab Cleanup
Local Docker-based labs can be stopped after evidence capture:
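```bash
# List the running lab containers
docker ps
# Stop a lab container by name or ID
docker stop <container-name-or-id>
```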
# 🧾 Documentation Status
Current documentation is maintained through Markdown, screenshot evidence, and structured notes.
| Document | Purpose | Status |
| ----------------------------------------------------- | -------------------------------- | --------------------------------: |
| [Project README](README.md) | Main project overview | ✅ Completed |
| [VAPT README](01-web-vapt/README.md) | Web VAPT documentation | ✅ Completed / Evidence available |
| [API README](02-api-security/README.md) | API Security documentation | ✅ Completed / Evidence available |
| [AD README](03-ad-network/README.md) | Active Directory documentation | ✅ Completed / Evidence available |
| [Cloud Security](04-cloud-security/README.md) | Cloud Security documentation | ✅ Completed / Evidence available |
# 🚀 Future Improvements
Planned improvements include:
* Add final executive summary document
* Add formal Markdown-based reports for each sub-project
* Add CVSS scoring only for confirmed findings
* Add remediation sections for each confirmed issue
* Add MITRE ATT&CK mapping for AD and cloud techniques
* Add defensive recommendations for every attack path
* Add detection engineering section with Wazuh/SOC alerts
* Add GCP mini-lab only after billing and cleanup workflow is mature
# 📬 Contact & Connect
* GitHub: https://github.com/Jazz00001
* LinkedIn: https://www.linkedin.com/in/jagriti-banerjee/
* Email: banerjeej100@gmail.com
# ⚖️ Legal and Ethical Disclaimer
```text
┌─────────────────────────────────────────────────────────────────────────────┐
│ IMPORTANT NOTICE                                                            │
│                                                                             │
│ All security testing activities documented in this repository were          │
│ performed exclusively in private, self-owned, or intentionally vulnerable   │
│ lab environments created for cybersecurity education and portfolio work.    │
│                                                                             │
│ This project does not include testing against third-party systems,          │
│ production systems, or any environment without authorization.               │
│                                                                             │
│ Techniques shown here must only be used where explicit permission has       │
│ been granted. Unauthorized security testing is illegal and unethical.       │
└─────────────────────────────────────────────────────────────────────────────┘
```

### Built with discipline. Documented with evidence. Practised ethically.
