Before Lab 4.1 — From Security Gates to Runtime Visibility
Before Lab 4.1 — From Security Gates to Runtime Visibility
Day 3 taught you how to prevent bad code from reaching your infrastructure — including security scanning with Checkov (IaC), Semgrep (code), and Trivy (dependencies). Day 4 teaches you how to observe and detect what is happening inside the application while it runs, continuously.
The observability gap
Pipelines and point-in-time scans (like OWASP ZAP) are powerful, but they only see the application at specific moments. Once deployed, their job is done. This creates an observability gap: you know your code was clean at scan time, but you have no visibility into what happens after that point — or what attackers are doing right now.
Pipeline scans and runtime monitoring catch different problems. Neither is sufficient alone.
Pipeline vs. runtime: what each catches
| What pipelines catch (before deploy) | What runtime catches (after deploy) |
|---|---|
| Vulnerable dependencies | Exploitation of unknown vulnerabilities |
| Misconfigured Terraform | Runtime configuration drift |
| Hardcoded secrets | Credential stuffing and leaked keys |
| Unprotected endpoints | Active attacks in production |
| Missing input validation | SQL injection in production |
Both are essential. The pipeline stops known problems from reaching production. Runtime monitoring catches what the pipeline missed, what was unknown at scan time, and what attackers are doing right now.
What you will learn in this lab
Lab 4.1 starts with a fresh repository containing only the Day 4 infrastructure files. You'll run Terraform against the Day 4 configuration to deploy all resources with monitoring enabled from the start. Focus on understanding where the telemetry comes from and why each source matters.
Lab 4.1 goals
This lab starts at the observe phase of the security lifecycle — telemetry feeds detection, which triggers incidents that feed back into your pipeline to prevent recurrence.
Key questions before starting
- Why start with a fresh repository for Day 4 instead of continuing from Day 3?
- How do security scan reports (Checkov, Semgrep, Trivy) complement runtime monitoring?
- What information does a correlation ID carry, and why is it passed as an HTTP header?
Lab File
Download Lab 4.1 — Pipeline Baseline PDF