Syllabus

University: Arizona State University
Course: CSE 365 — Introduction to Cybersecurity
Semester: Summer 2025

Course Staff

Instructor Connor Nelson — @kanak — connor.d.nelson@asu.edu
UGTA Justin Yen — @renegadepenguin
UGTA Ryan Hanover — @rh4hunnid

If you have a question related to the course, do not email the course staff directly; see the Course Communication section for more details.

Course Description

This course will introduce students to the fundamentals of cybersecurity. Security is a complicated thing: it is only as strong as its weakest link, and a small, single mistake can often bring down otherwise extremely secure software.

In this course, we will explore security from the perspective of the web, following the entire technology stack from the CPU, to the kernel, userspace, networking, cryptography, and finally, all the way up to the browser, http server, and web application. Each lecture will consist of an introduction to a new topic and an assignment for students to explore these concepts.

These assignments will be very thorough, and by the end, students will have an intuitive understanding of how to exploit these vulnerabilities, and will have the building blocks needed to prevent them, both in the lab and in the real world.

Course Philosophy and Expectations

In our experience, true learning emerges not from observation alone but from action—-purposeful, frequent, and unrelenting. To truly understand, one must engage fully and often: to experiment, to explore, to fail, and to try again.

In this course, you will learn by doing--and you will do a lot to learn a lot. The majority of your time in this course will be spent solving challenges, and a lot of the learning will come from the process of figuring out how to solve these challenges. Lecture videos will provide you with some background and context, but you may feel "underprepared" for the challenges at times: that is ok, and by design. You will learn by doing, and by failing, and by trying again: this course will challenge you, and the learning process may feel uncomfortable and frustrating, different from what you are probably used to.

This course is designed to teach you the fundamentals of cybersecurity, but also to teach you how to learn, how to think, how to analyze and solve problems. To master cybersecurity is to master computer science, and to master computer science is to master problem solving. This is the art of hacking--and it will be critical not only to your success in this course, but in your future career as a computer scientist--even if your future career feels completely unrelated to cybersecurity.

To do, in this course, is to complete challenges. At the end of each challenge, you will receive a "flag", which makes it very clear that you have completed the challenge. Within a module, there may be anywhere from 10 to 100 challenges, each exploring a different aspect of the module's topic. We strive to make the challenges clear, and to build on each other, so that with each challenge you only need to learn a little bit more, to reach a little bit further, than the last.

During this course, you should expect to run into many gaps in your knowledge and experience. This course will not only teach you the fundamentals of cybersecurity, but also help you identify and fill in these gaps. That's great: this means that you are learning.

Completing this course will require a significant amount of time and effort. In general, if there are more challenges in a module, each will take less time to solve, and if there are fewer challenges in a module, each will take more time to solve. Some challenges may take significantly more time than others. Start early.

Estimate how many hours you have spent so far in your computer science career, actually on the keyboard: writing code, solving problems. How many hours have you spent in your average computer science course; what about outside of the classroom? The Arizona Board of Regents requires that a minimum of of 45 hours of work per credit hour is expected for a course. This course is 3 credit hours, and so you should expect to spend at least 135 hours on this course over the semester. At 8 weeks, this is about 17 hours per week--minimum.

We do not take this lightly: this course is a significant time commitment, and you should plan accordingly. Many of you will, in fact, spend more time than this per week on this course depending on your background and experience, and how much time you have already invested into your computer science education up to this point. Many of you might find this course to be the most challenging course you have taken, and find this experience to be very uncomfortable.

Recognize that learning isn't supposed to be easy. In the moment, it may be difficult to see the value, it may be frustrating, you may feel discouraged. We ask you to trust us, and to trust the process: your job will be to put in the time, to make a serious effort, and our job will be to make sure that time and effort is well-spent--we're on your team even if it doesn't always feel like it. We hope that at the end you will look back on this course as one of the most valuable courses you have taken, and that you will be proud of the work you have done here. We want you to succeed not only in this course, but in your future computer science career: time spent here is a critical investment in your future.

Course Structure

This course will be delivered using the pwn.college platform.

All sections of this course will be treated as one big course. The section (and recitation) you signed up for with ASU will have zero-effect on how you take this course.

All students are able to take this course completely online (and asyncronously):

• Watching pre-recorded lectures (YouTube)
• Working on and completing assignments (pwn.college)
• Seeking guidance and participating in demos (Twitch)
• Asking questions and collaborating (Discord)

At a high level, the course will be broken down into 10 modules, 9 of which will be a deep dive into a specific area of cybersecurity, and 1 final cumulative module. When one module ends, the next will begin, and so on until the end of the semester. The majority of your time will be spent solving challenges in these modules, but you will also be expected to watch lectures and complete reflections.

Challenges will often build on each other, and so in general you are encouraged to solve them in order; however, this is not required. In some cases, we may introduce new concepts in later challenges that do not rely on earlier challenges, and you may find to actually be easier to solve. And so, it may be a good strategy to pay attention to the solve counts of each challenge, as this may give you an indication of the difficulty of the challenge, and help you better prioritize your time as each challenge is worth the same amount of points.

Course Communication

Communication will primarily take place on the pwn.college Discord. As part of the course setup, you will be given a role on the Discord, which will give you access to the course-specific channels. All announcements will be made here, and you are expected to be on this Discord and regularly monitor for new announcements.

Student may use the Discord to ask questions or clarifications, and the TA, Instructor, or other students can answer. Note that sharing full solution scripts or answers is expressly prohibited, but otherwise, collaboration on the way to the solution is allowed. See the Getting Help section for more details.

Other questions should be emailed to the course mailing list at cse365@pwn.college. Before emailing your question, please consider asking it on the Discord instead. This way, the entire class will benefit from your question.

Do not email the course staff directly, or your email will likely be ignored.

Course Content

• Module 1: Getting Started and Linux Luminarium
• Module 2: Dealing with Data and Access Control
• Module 3: Talking Web and SQL Playground
• Module 4: Web Security
• Module 5: Computing 101
• Module 6: Intercepting Communication
• Module 7: Cryptography
• Module 8: Reverse Engineering
• Module 9: Binary Security
• Module 10: Integrated Security

Course Grading

This course will be graded on a 100-point scale: earn all 100 points and you have a 100% (A+) in the course. There will be 10 modules, each worth 10 points. Each module will have 1 participation point, 3 checkpoint points, 5 challenge points, and 1 reflection point, for a total of 10 points.

Deadlines will be staggered throughout the semester, both for the modules, and also separately for the components within each module, and will always be at 11:59pm UTC-7 (end of day). You will be able to see your current grade and these deadlines on the grades page of the course platform.

Challenges (50%)

The majority of your grade will come from solving challenges.

Each module will have a set of challenges that you must solve. Within a module, each challenge will be worth the same amount of points. At the end of a challenge, you will receive a "flag", which makes it very clear that you have completed the challenge. You must submit these flags to receive credit for the challenge.

Partial credit will be given for partial completion of the challenges. For example, if you solve 7 out of 10 challenges in a module, you will receive 70% of the available Challenges points.

Late credit will be given for challenges, but at a reduced rate: 80% per late solve, or in other words, a 20% penalty for solving a challenge late. Challenges solved on-time will not be negatively impacted by late solves: late solves can only help your grade. For example, if you solve 7 out of 10 challenges in a module on-time, and then solve 3 more challenges late, you will receive 94% of the available Challenges points; or, if you solve 3 out of 10 challenges in a module on-time, and then solve 7 more challenges late, you will receive 86% of the available Challenges points. As a reminder, there is always an active module, and so counting on having time to complete challenges after the module deadline is not a good strategy.

Checkpoints (30%)

The second largest portion of your grade will come from checkpoints, which you also earn by solving challenges.

The checkpoint is designed to ensure that you are making steady progress throughout the semester. Instead of solving all of the challenges in a module, you can solve half of the challenges in a module to receive full credit for the checkpoint--rounded down, in your favor. Additionally, you must solve these challenges by the Checkpoint deadline, which may be earlier than the Challenges deadline.

Partial credit will be given for partial completion of the checkpoint. For example, if a module has 11 challenges, then the checkpoint is 5 challenges, and if you solve 4 of them, you will receive 80% of the available Checkpoint points.

Late credit will be given for checkpoints, but at a reduced rate: 50% per late solve, or in other words, a 50% penalty for solving a checkpoint late. Notice that this is a much larger penalty than the Challenges penalty: this is by design; do not delay your checkpoint solves. For example, if a module has 11 challenges, then the checkpoint is 5 challenges, and if you solve 4 of them on-time, and then solve 1 more challenge late, you will receive 90% of the available Checkpoint points; or, if you solve 3 of them on-time, and then solve 2 more challenges late, you will recieve 80% of the available Checkpoint points.

You may solve additional late solves beyond the required 50% to make up your missed Checkpoint points on a module. For example, if a module has 11 challenges, then the checkpoint is 5 challenges, and if you solve 4 of them on-time, and then solve 2 more challenges late, you will receive 100% of the available Checkpoint points; or, if you solve 3 of them on-time, and then solve 3 more challenges late, you will receive 90% of the available Checkpoint points; or, if you solve 0 challenges on-time, and then solve 10 challenges late, you will receive 100% of the available Checkpoint points. Notice that the less you solve on-time, the more you will need to solve late to make up for it. Depending on this additional late solves policy to make up for missed Checkpoints points is not a good strategy; falling behind will quickly snowball into a much larger problem than you may expect.

Participation (10%)

Your participation grade will be based on watching lectures.

Each module will have lectures that you are required to watch. These lectures will be available online, allowing you to watch them at your own pace.

We will use various methods throughout the semester to ensure that you are watching the lectures. It will be clear to you whether or not you are receiving credit.

Partial credit will be given for partial completion of the lectures.

Late credit will be given for participation, but at a reduced rate of 50%.

Reflections (10%)

Each module will have a "reflection", which is a set of questions that you must answer and a technical writeup of your approach to and takeaways from the challenges. You may also optionally provide feedback on the module. This is your opportunity to reflect on what you learned in the module, and to provide us with feedback and an understanding of how things are going for you.

Partial credit is not possible for reflections.

Late credit will be given for reflections, but at a reduced rate of 50%.

Early Progress

We run the pwn.college platform, and make all of the content publicly available to the world. You may decide to work on challenges before (or after) the semester, or work on challenges not-yet-assigned throughout the semester. If you solve a challenge that ends up being part of an assignment in this course, that challenge is solved, and you will receive course credit for that (however, you may not receive leaderboard credit in the course dojo). This includes the situation where you decide to retake the course. You may prefer to make a new account, to get a fresh slate, or simply solve already-solved challenges again to make sure you are adequately prepared for later challenges; however, this is not required, unless you have prior academic integrity violations on the platform (or are concerned some of your progress may be due to academic integrity violations). All of this being said, we make no guarantees on which challenges will or will not be included in an assignment, until that assignment is released: if you work ahead, you do so at your own risk (hopefully you still learn something useful!). You should assume that things will change, as we continue to iterate and improve this course over time. Furthermore, while we hold this policy this semester, there are no guarantees that this policy will hold in future semesters.

Extension Requests

Please understand that we believe deadlines to be an important mechanism for ensuring success in this class. There is always an active module, and so an extension on one module can negatively impact the next. And so, in our experience, extensions often hurt students. Steady progress in the course is critical to success.

That being said, we understand that things come up, and we aren't unreasonable people.

Our extension policy will allow exceptions (of up to 7 days) for the following:

• Personal Health
• Family Health/Obligations
• Professional Obligations
• Official ASU Team/Club/Course Activity
• SAILS

In addition, every student may request and use up to a total of 7 days of no-questions-asked extensions throughout the entire semester. The maximum extension available on any assignment is 7 days, and extensions will be granted in 1-day increments (if you want a 1-hour extension, that is a 1-day extension). Extensions will impact all parts of a module. For example, if you receive a 1-day extension on the checkpoint, you will also receive a 1-day extension on the challenges, participation, and reflection deadlines (and vice versa); this would use 1-day of your no-questions-asked extensions (if you did not have a specified, allowed reason). Once you have used all of your no-questions-asked extension request days, you may not ask for more, or try to trade-in past days to optimize your grade. All requests to use no-questions-asked extension days are final, and it is your responsibility to keep track of how many days you have requested. We are trying our best to be reasonable and help you out--this policy is "our best offer" and we will not negotiate, argue, or make exceptions.

In order to collect all extension requests into a single location, please use the course extension request form, which can be found on the main course page. Do not make your request over email, Canvas, or Discord--doing so will not be considered a valid request, and you will be redirected to review this syllabus. You will specify the module, reason, and the number of days to extend the module past the original deadline. For example, if a deadline is Sunday at 11:59pm, and you specify "2", it will be extended to Tuesday at 11:59pm. If you request multiple extensions for the same module, only the most recent will be considered (they will not add together).

You must request the extension within 72 hours after the last deadline for the module. Your request will be automatically provisionally granted: you should see see this reflected within 24 hours. If, after manually reviewing your request, we determine your request to be unreasonable, we will remove your extension. Please do not be unreasonable with your requests. Do not abuse this semi-automated system.

Extra Credit

You should not expect any extra credit in this course. That being said, there is a bug bounty program that you may participate in if you find any security issues in the course infrastructure, for which you may earn extra credit. In general, you should probably expect that earning points through the bug bounty program will be more difficult than earning points through the regular course assignments, but you may find it to be a fun and rewarding challenge.

pwn.college Bug Bounty Program

Any responsibly-disclosed serious security issues in the course platform will be eligible for extra credit.

For example, a bug that allows you to bypass the "intended" solution for a few challenges within a module, may be worth 1-5% exta credit; a bug that allows you to bypass the "intended" solution for all challenges within a module, may be worth 5-10% extra credit. To qualify, this bug must truly bypass the intended solution. In some cases there may be multiple intended solutions, or you might arrive at the intended solution for a later challenge, which works for multiple challenges: this is not eligible for the bug bounty program. In general, if it feels like you're able to solve challenges without using and exploring the concepts discussed in the module, you may have found a bug that is eligible for the bug bounty program. Feel free to ask and we'll let you know, but some challenges may have an intentionally "clever" solution that we are aware of, and are fine with.

A bug that allows you to bypass the "intended" solution for all challenges within the course, leak sensitive user data, escape your workspace, or otherwise have a significantly serious impact on the platform, may be worth 10-20% extra credit--and maybe even a job if you're interested. Boring denial-of-service bugs are not eligible for the bug bounty program, but there may some exceptions for particularly interesting or creative denial-of-service bugs that we might not have considered, and may be able to actually fix. If there's a threat model we haven't considered here, and you find a bug that abuses that threat model, let us know and we'll consider it.

We appreciate when you let us know about typos and grammatical errors, or other minor issues in the course platform, but please do not report them as security issues. Instead, please create a pull request on the appropriate pwn.college GitHub repository. If you spam us with minor non-security issues, trying to qualify them as part of this bug bounty program, you may earn yourself a penalty of up to 5% negative extra credit. Allowances will be made for honest mistakes leading to a spurious bug bounty filing, but please don't waste our time on purpose.

Abusing security issues without responsibly disclosing them will be considered an Academic Integrity Violation: don't do it. Instead, earn yourself some extra credit, help us improve the platform, learn something new, and maybe even get a job!

Letter Grade Calculation

The final grade percentage will be translated to letter grades with the following cutoffs:

Percentage Grade	Letter Grade
>= 97	A+
>= 93	A
>= 90	A-
>= 87	B+
>= 83	B
>= 80	B-
>= 77	C+
>= 70	C
>= 60	D
< 60	E

The course will end at 12:00pm UTC-7 (noon, middle of day), the day that Final Grades are due to ASU (see the ASU academic calendar), at which point final grades will be submitted to ASU. There will be no exceptions to this deadline: ASU requires that grades be submitted on this day, and so no further extensions can be granted.

Curves

If necessary, we will curve on an individual module basis. We will decide on these curves promptly. There will be no course-wide curve.

"Academic Dishonesty includes ... [a]ttempting to influence or change any Academic Evaluation, or academic record for reasons having no relevance to academic achievement." Do not ask us to curve or "round up" your grade: doing so is an Academic Integrity Violation. The grading policy is very clear and very explicit; you should always know what your grade is and what you can do to improve your grade--through your own achievements.

Getting Help

The majority of your time in this course will be spent solving challenges, on your own. Inevitably, you may run into problems that have you feeling truly stuck. When this happens, we encourage you to take a break, review the course resources, and then try again. But if you're still stuck, we encourage you to ask for help.

Students are also encouraged to help each other: one of the final ways to master a concept is to teach it to someone else. But, there is a delicate balance between being excessively "helpful", and learning.

If you are asking for help, you should be asking for help on a concept, not on how to solve a specific challenge. The ultimate goal here is to learn, not for someone to help you improve your grade.

If you are providing help, you should be helping someone understand a concept, not how to solve a specific challenge. The ultimate goal here is to learn, not to help someone improve their grade or to show off that you already understand the concept. Guiding someone is a difficult skill--it can even be frustrating at times. "Why don't you just..." or "It's easy, just..." or "Just run this command..." are not helpful.

Instead, help should be about uncovering misunderstandings--about invalidating hypotheses. Presumably the student has tried to do something, and it doesn't work--there is a hypothesis that is objectively incorrect, even if it might feel correct. Why is it incorrect? Ideally, you shouldn't provide the answer to that question, but instead guide the student towards invalidating the hypothesis for themselves. Put yourself in the student's shoes: if you had that misunderstanding--that hypothesis--how would you go about invalidating it? Is there a command you might run? Some documentation you might read? You're the expert here, you have some thought process that allowed you to succeed where the student is currently failing. Or maybe you never had that misunderstanding--now you have the opportunity to invalidate a hypothesis you may have never considered or thought about. Reveal your thought process to them so that they may replicate it in the future without your help.

If you're asking for help, it is important to remember that you should be putting in the effort that makes you deserving of help. Low effort requests for help are a good way to get low effort responses. This includes blindly regergitating what an LLM has told you without making an effort to understand it.

As part of the process of asking for help, and providing help, you may not discuss full or significant portions of a challenge's solution. The challenges explore important concepts, and so it is fine to discuss the challenges--but you must focus on the concepts, not the solutions. The challenges must still be solved individually, and providing a solution--for example, asking someone to debug your buggy solution script--is an Academic Integrity Violation. Feel free to discuss ideas important to the challenge, or tools which may be useful.

If there is any confusion, just ask! We try to assume good intentions, but egregious violations are an Academic Integrity Violation. Note that, in the entire history of pwn.college, no one has received an AIV for any public activity or help on our discord. Don't worry, be reasonable, and help your peers!

Discord

You can always ask for help on the pwn.college Discord at any time asynchronously, and anyone can help you, whether they are a member of the course staff, fellow student, or even a member of the public pwn.college community. You might get a quick response, it might take a while, or, unfortunately, you might not get a response at all. If you are asking for help, please be patient and respectful of the time of others. Ask good, clear, thoughtful questions in order to get good, clear, thoughtful answers.

Throughout the week there will also be a number of office hours hosted on Discord, where you can ask questions in something resembling a more synchronous one-to-one format. Teaching Assistants will be available during this time to provide you with assistance and answer questions.

Twitch

From time to time, we may also hold live office hours on Twitch in a one-to-many format. Each time might look a little different, but in general you can expect to see a mix of live problem solving, Q&A, general discussion--and good vibes. The hope is to provide you with a more interactive experience, and give you an understanding of how an expert might approach a problem. You are encouraged to attend/watch office hours, but they are not required, and you can catch up on office hours you may have missed after the fact. You might find it useful to at least spend a few minutes every week jumping around the videos after the fact looking to see if there are any interesting problems or discussions that you might find valuable--there can be a lot of valuable nuggets in there.

SENSAI and Other Generative AI

This course allows you to use generative AI.

It seems clear to us that generative AI can be an incredibly powerful tool for learning, and will likely be a critical part of the future of education. However, as a warning, we have already seen generative AI be extremely detrimental to many students' success in this course. If the LLM is doing more thinking than you, you may be on a fast-track to fail this course. There are a lot of concepts to learn, and many concepts build on each other. While an LLM may trivially solve some of the earlier challenges, doing so will rob you of the experience and understanding necessary to complete later challenges, when the LLM may not as easily come to your rescue. Furthermore, we have instructed our TAs to not help you debug partial-solutions that are obviously LLM-generated, which you clearly have little-to-no understanding of, and so the TAs will not come to your rescue either. Earlier (easier) challenges provide the foundation necessary for you to make progress on the later (harder) challenges; if you are missing an understanding developed in prior challenges, you will be expected to return to those earlier challenges to develop that understanding. Do not let the LLMs dig your educational-grave.

It seems equally clear to us that generative AI will be an incredibly powerful tool in your future career as a computer scientist. So it makes sense to learn how to use it effectively now. But just because it can solve a challenge with minimal effort for you, doesn't mean that you should let it. There's a reason students learn to add and multiply numbers without a calculator before they learn to use a calculator--even when most professionals will end up using a calculator for most of their number-crunching. It's about building a foundation of understanding that you can continue to build on--when the problems aren't small toy problems anymore. If the LLM is more important to solving problems than you are, you may be on a fast-track to fail in the job market. Do not let the LLMs dig your professional-grave.

Your goal while using generative AI in this course should always be to learn, not simply to improve your grade. Asking an LLM to just solve the challenge for you is bad. However, asking it insightful questions to better understand a concept or to clarify the syntax for an idea you have already conceptualized can be incredibly beneficial to your learning and success.

We provide SENSAI, a GPT-4 instance augmented with data from your running challenge. If you find it useful, feel free to use it to your heart's content, or until you get rate-limited.

Please keep Academic Integrity principles in mind while using generative AI. If your solution is unreasonably similar to another student's and you blame it on AI, your argument will be rejected. Using SENSAI may allow us to investigate your claims; using other AI platforms definitely will not. It is your responsibility to generate your own solution. If you're concerned about generative AI producing the same solution for another student, consider this a warning against copying your solution from an LLM. We are reasonable people here, but LLMs will not be your "Get Out of Jail Free" card.

Peer Collaboration

As discussed above, you are encouraged to collaborate with your peers. However, you may only collaborate in the official pwn.college Discord. Any discussion of course material on any other Discord, in direct messages, or elsewhere, will be considered an Academic Integrity Violation.

Honors Contracts

This course offers honors contracts! Honors students must create a custom pwn.college module on a computing topic of their choice, and submit it as a contribution to the Honors Dojo. There should be 4-10 challenges progressively teaching the concept, as well as either accompanying text or lecture videos (at least 10 minutes per challenge) to help explain ideas. Interested students should contact the instructors over email.

Recommended Textbook

There is no recommended textbook for this course. Any reading material assigned will be from publicly-available sources on the internet.

Plagiarism and Cheating

Plagiarism or any form of cheating in assignments or projects is subject to serious academic penalty. To understand your responsibilities as a student read: ASU Student Code of Conduct and ASU Student Academic Integrity Policy. There is a zero tolerance policy in this class: any violation of the academic integrity policy will result in a zero on the assignment and the violation will be reported to the Dean’s office. Plagiarism is taken very seriously in this course.

Examples of academic integrity violations include (but are not limited to):

• Solving challenges as a group.
• Using or referencing someone else's solution to solve a challenge.
• Sharing any amount of solution code with another student, even if it is just a few lines.
• Using external online resources which specifically reference pwn.college, CSE 365, or directly address an assignment challenge.
• Copying significant portions of a solution from an LLM or other generative AI.
• Sharing a flag with another student.

Posting your assignment solutions online is expressly forbidden, and will be considered a violation of the academic integrity policy. Note that this includes working out of a public Github repository. The Github Student Developer Pack provides unlimited private repositories while you are a student, making it easy to begin with a private GitHub repository.

If you are ever even slightly unsure, just ask us!

Additional Information

Information in the syllabus may be subject to change with reasonable advance notice.

Students requesting disability accommodations should register with the Disability Resource Center (DRC) and present the instructor with appropriate documentation from the DRC.

Title IX is a federal law that provides that no person be excluded on the basis of sex from participation in, be denied benefits of, or be subjected to discrimination under any education program or activity. Both Title IX and university policy make clear that sexual violence and harassment based on sex is prohibited. An individual who believes they have been subjected to sexual violence or harassed on the basis of sex can seek support, including counseling and academic support, from the university. If you or someone you know has been harassed on the basis of sex or sexually assaulted, you can find information and resources at https://sexualviolenceprevention.asu.edu/faqs.

As mandated reporters, we are obligated to report any information we become aware of regarding alleged acts of sexual discrimination, including sexual violence and dating violence. ASU Counseling Services, https://eoss.asu.edu/counseling, is available if you wish discuss any concerns confidentially and privately.

Syllabus copyright 2025, along with all lectures and course-related written materials. During this course students are prohibited from making audio, video, digital, or other recordings during class, or selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the faculty member teaching this course. Be reasonable.