Introduction to Information Security

Coming into this course its important to understand 1) It is run by TAs 2) it is project based. The other reviews state this as well, so it should not be a surprise. It may definitely have been nice to have the professor more involved, and high-quality lectures related to the course content would have been amazing, but that is not part of the course.

The projects in the class are structured as a CTF style assignemnt - for the most part, you are working to identify flags hidden in an application. You will need to download a VM for this, so give yourself time to troubleshoot that if needed. The projects are each created and run by teams of 2-4 TAs (easier projects have 2, others have more). There may be more TAs in the background, but I only interacted with 2-4 on ed discussion/office hours. For about 60% of the projects (including the hardest ones), the TA who did the bulk of the work creating the project has long left the position.

My general gripes with the course -

1. The TAs are inconsistent - on one project, you may be actively corresponding with the TA who designed and built it, while on others, you are talking to TAs who are more "maintainers."

2. The quality of TAs - almost none of the TAs actually work in a cybersecurity role professionally - a lot of them are simply folks who took and completed the course previously. Some of them have been a TA for quite some time as well. A recurring theme, though, is that these TAs often have no professional cybersecurity experience, and cannot help/teach further than the projects. Most of these teams no longer have the creator of the project around, so a lot of answers to questions are "just figure it out" or "use your resources." It is pretty clear after the course that a lot of the TA's knowledge of cybersecurity does not go past what is taught in the course and is very surface-level.

3. Ed discussion moderation - as the 1 - 2 weeks you have for each project goes on, you notice TAs remove/redact less and less from posts (as the volume of posts naturally goes up). If I had just waited until closer to the deadline on a few projects, the answer is pretty clearly written on ed discussion.

You can find details on individual projects in the other reviews and I generally agree with those. The course heads really need to take a look at the overlap between projects (half of malware analysis just felt like the web exploitation project) and the usefulness of some projects (Machine learning was a complete waste of time). Many of the projects are at least 3-4 years old and may not be as relevant (the log4j project, while interesting, was little more than a wrapper around a hackthebox lab).

I achieved a solid A in this class and skipped doing the last assignment.

Pros: Some fascinating topics. You learn quite a bit about foundational programming and computing topics. Things you are guaranteed to never use in your job, but you feel more accomplished knowing them, and are more well-rounded.

Cons: If you find solving puzzles completely exciting, and being unable to solve some puzzles frustrating, this course will frustrate you. There were 2-3 assignments I couldn't figure out the final answer to, no matter what I did. I am confident that one of them was likely a bug in the assignment, but the TAs ARE NOT ALLOWED to help you. You either solve it, or you don't.

I cannot overstate, you need to go into this class expecting that no matter how intelligent or accomplished you are, you may not solve every puzzle; AND be okay with not knowing why. Ha.

This course felt more like a bunch of mini-courses, with most modules having a different set of TAs. It's entirely CTF based now. Most projects had flags that you'd submit, and the tasks that required code submissions ran it through an autograder. There's no subjective grading: you know your grade after each submission. There were some assignments with submission limits, but they were lenient and I never felt much pressure.

This course will tear you up if you don't have a decent coding background. I took two years of Python in undergrad and still had to take some time brushing up on things.

Some modules were better than others. MITM was easy and made for a good warmup. Malware analysis consisted almost entirely of reading reports and was kind of a letdown. Binary exploitation was tough for a lot of us (including me) but it was very informative.

Extra credit was available on some assignments. You can't depend on it being there, but they do offer it at least sometimes. I'd say about 3 extra points in total were available on your final grade if you went for all of it.

The professor was entirely absent. Not an announcement post, not a lecture video, nothing. The class was entirely run by TAs, at least from my perspective. That said, the TAs were helpful and the discussion boards will be your friend. You'll need to know how to do outside research (follow the syllabus) if something isn't familiar to you.

The workload varies a lot. MITM took me ~10 hours or less, whereas binary exploitation probably took me at least 40.

VM setup worked just fine on my Windows laptop. You'll want to know basic Linux commands (how to navigate the filesystem and run scripts, for example).

I'd suggest doing some practice on HTB Academy ($8 a month with your student email) and/or picoCTF (free). There's other resources out there as well, like DVWA if you want to practice Database Security before you start the course.

Overall, it was difficult but not unbearable. I got an A while working full time. I passed the OSCP in 2024 which helped a bit but there was still a lot of learning I had to do.

There was nothing to work on for the first week of class. I made use of the extra time by learning how to use Wireshark more effectively. If you can learn how to filter and use the tool, it will help a lot with the Man in the Middle project. This class had no exams or quizzes; it was all projects. The hardest part of this class is the constant pressure of a new project due every week, especially if you are not familiar with the topic that week. Compared to classes with more traditional programming projects it can be frustrating. There often isn’t the ability to make incremental progress, you either get the solution or you don’t. Overall, I enjoyed the class. If taking in the Fall or Spring the relatively light workload would pair well with another class.

I will preface this by saying that this is my first OMSCS class and I actually took it fall 2025. Given that this is my first class and I have a non-CS background and also do not work in the CS field, I likely had to put more time in than most. I will give the good, the bad, and the ugly of the course for anyone who is new, experienced, or looking to learn.

The good: The class is definitely a class of very collaborative classmates and TA's who are willing to help when you get stuck. I felt like the TA's in this class were substantially more helpful than any I had in my undergraduate coursework. The assignments were often informative and helpful me in understanding the work. It is also entirely project based, so if you are willing to sit through the problems., you can mostly likely get an A. Also, I found office hours incredibly helpful and the discussion boards were the biggest lifesaver for me. The autograder allowing multiple tries lets you retry submissions and the CTF style of most assignments lets you know you got the right answer before you go onto the next project.

The bad: The professor for this class is a complete ghost, it's as if he does not exist. I do think this tends to potentially lead to a lack of consistency in some of the assignments and honestly some seemed a lot more valuable than others while others were not very valuable at all. It seems some groups of TA's put in a ton of effort to put together resources to help us and others didn't really seem to care as much. I can explain more in my comments below on each assignment. I think if the professor was active, maybe this could help some of the lacking areas. Also, the lectures are not very helpful in correlating to the assignments but teach general content. They are actually somewhat well written, but can often just be ignored as they don't clearly pertain to the assignments and it's a bunch of videos that are like 30 seconds long.

The ugly: As I mentioned above, the thing that varied wildly in this class was the quality of assignments. Each assignment has its own TA's who do their own office hours once a week and respond on the discussion boards. Some of the assignments were incredible with super active TA's who were responsive and helped me learn from all my mistakes while other assignments seemed like TA's who just wanted to give a nearly identical assignment to previous semesters and hardly helped me learn anything even a complete beginner.

Overall, I rated this course as a 3 because for me, it had some very good highs and some somewhat frustrating lows. It might prove useful for newer students or students who want what seems like an easier course to start off that as long as you commit the time, you can get a good grade. I have written some review of the assignments below:

MITM: Rating: 6/10. I definitely had fun with this one; however, it really did frustrate a lot of students finding the flags in this course. Personally, I think it acquaints you with the Wireshark program, but doesn't teach you any real world uses it might be helpful. Documentation to learn about the protocols provided were not helpful and I Googled everything. TA's and classmates saved my first project here. The KQL stuff was mildly interesting for extra credit, but fairly pointless (Grade: 105/100)

Machine Learning: Rating: 7.5/10. This is one that statistically people struggled with close to the most and I personally didn't feel that way. The Juypter notebooks provided are helpful an there are tons of resources available in the documentation that I supplemented online to get through this one. Hyperparamter tuning is long and annoying, but everything else was great. I didn't need a lot discussions boards or office hours for this one. (Grade: 100/100)

Binary Exploitation: Rating: 9/10. Hardest assignment in the course without a question and the statistics given on the GitHub definitely support this (like 40% of students get A's where most projects are in excess of 65-70%). I struggled immensely having no Assembly and taking a vacation during this assignment too didn't help. I learned so much and it was honestly probably my favorite project and the TA's on Ed were incredibly helpful and super knowledgeable. Start early and you'll likely do much better. I didn't learn on office hours for this one. I didn't attempt the extra credit as a I ran out of time (Grade: 100/100)

API Security: Rating: 5.5/10. Honestly found this one pretty easy after working to find what I was looking for and learned Postman is a pretty cool software. I didn't find the TA's posts super helpful here and had to figure it out myself, but honestly, one of the easier assignments so my comments on the Edboard posts are probably not too relevant. I suppose API's are important, but the specifics here didn't really seem to relevant to cybersecurity (Grade: 100/100)

Web Security: Rating: 8/10. Postman was another good software here and writing some Python code to interact with API's was fun and I liked the very interactive environment. To me, this seemed like the most obviously relevant project of them all as API's exist everywhere and writing code to interact with them and use them is abundant in real world applications and the XSS and CSRF is some of the most interesting content. It also introduced me to basic Javascript which was cool. I don't recall needing to lean on office hours for this, but the TA's and classmates were very helpful. (Grade: 100/100)

Log4Shell: Rating: 6/10. This is based on a very important but mostly obsolete exploit. It was a cool project though getting to write some Java code. That said, I don't think it focused much on the Log4J vulnerabilities as much as actually finding a spot that the flag could be exploited through navigating weird filtering parameters that seemed strange. TA's were helpful here and this is the only assignment that even touches Java and gives very few resources to navigate, but it wasn't hard and I never coded Java before. (Grade: 100/100)

Malware Analysis: Rating: 2/10. Honestly, I thought is project was almost totally pointless and probably the biggest let down of the entire course from my expectations. There was no information given on malware, how to interpret the Joe Sandbox reports which is half the grade, and all the other stuff is a lot of random stuff for running scripts. I found the TA's not helpful here and this assignment really only taught me a few Linux shell commands I had to Google due to lack of content provided by the TA's.(Grade: 89/100)

Cryptography: Rating: 6.5/10. I found this one both interesting and frustrating in some ways. The stuff on how to crack RSA was pretty interesting, but I found myself mostly Googling ways to crack the encryption rather than actually understanding the math behind what was going on. The office hours were the BEST for this one. It explained a ton about the breakdown of the problem and why it worked how it did. The Vigenere cipher code was also definitely fun to generate as well. I will say though that large numbers in Python can be annoying to work with and will frustrate you at times unless you've worked with it before and you'll have to do your own researching. (Grade: 100/100)

Database Security: Rating: 7.5/10. I could have realistically only did like half this assignment an still got an A, but I did as much as I could until I got bored and just wanted to give up. I thought the office hours were okay and the TA's were decent enough. The content was definitely good and the feedback on the SQL injections portion were really good and the interference attack definitely made me tinker with data to see what I could pull from it. The office hours was not super helpful, maybe a little bit and I was irritated it was a 2 week assignment and they only had 1 office hours session rather than 2. Student engagement was low because it was the last project and many students hardly had to do anything to get an A. I did appreciate the environment provided, it was actually pretty helpful.

This review is for Fall 2025, which isn't currently a selectable option.

Background:

• 6th course in program. have taken GIOS, SAT, AI4R, CN, AOS
• non-CS engineering degree for undergrad
• work as a devops eng

Time: No lectures, no quizzes or exams. Just CTF-style mini projects.

• Man-in-the-Middle: 7h, 104/100; wireshark and knowledge of IP/TCP; fun intro. Feel like a detective.

• ML: 20h, 92.5/100; first time with pandas, numpy, sklearn. didn't want to tune params for last points. unspectacular. was just a "hello world" type intro to these libraries for a cybersec-related data set.

• Binary Exploit: 22h, 100/100; very fun and rewarding. no real exposure to ASM before this; did not attempt EC. The overflow attacks and ROP chain attacks were cool to learn about. Even though I'll likely never use in industry and mat'l is pretty niche, this was probably the funnest project in the course, and I was tempted to take the BinExp lab class.

• API: 7h, 100/100

• Web: 10h, 100/100; learned some XSS and CSRF

• Log4j: 14h, 100/100; did spend 4h half-heartedly trying the EC

• Malware: 6h, 89/100; only tried 1 runthrough for the T/F Joe Sandbox Reports and didn't want to bother

• Cryptography: 13h, 92.5/100; python scripting for crypto related stuff. Vigenere cipher code was kinda fun. Working with really large numbers for RSA was interesting. Got bored at end

• DB: 7h, 42.5/100; just did what I needed to squeak out an A in the course. Skipped some of the inference problems to work on SQL injection

Experience: I enjoyed the course, mainly because I am avoiding courses that are exam-heavy or have a group project component.

The professor was nowhere to be found. In other courses, they'll usually even make a single intro announcement at the beginning of the course, or have pre-recorded, decade-old lectures to watch. Nada from Lee. Entirely TA run.

The TAs were excellent, managed the Ed discussion board well, responded very quickly to questions, and tried their best to give hints while not giving away too much.

Overall, class feels more MOOC-y, as there were no lectures, and assignments just had some links for reading up on the subject for that project, but these were usually pretty good references.

Class has definitely changed since Summer 2024, where more projects were added. Only wish all projects could just be released all at once at the start.

Let me start with my TLDR: Its a fun course to learn surface level security knowledge. Be suspect of the difficulty and time commitments it currently shows. The class used to be much easier and less rigorous in the past. Advice: START THE PROJECTS EARLY!

More in depth:

This is my second course in the OMSCS program, with the first being ML4T. I also work full time as a Data Engineer.

I imagine that when the TA's put together the course content, they did so with the vision of 'if i was training a jr cyber analyst, what should they know?'. If you are interested in learning that material than you will enjoy the content and projects.

Overall I would say that this class is not 'easy' but 'straightforward'. Its 100% project based, so if you put in the effort you should get an A. This is a class with a wide breadth of topics, that are totally unrelated to each other. So, you can spend 8 hours on the API project but 50 on the binary exploitation project (yes, that was me). I would assume that for at least one project, you will have knowledge gaps and have to spend more time than you think.

How it worked (for summer 25): Projects would open and you would have until Sunday midnight est to complete them. Usually the next project would open on Friday so if you got ahead of the game, you can have up to 9 days to finish each project. If you are not confident in binary exploitation, I would HIGHLY recommend working hard to make sure you have the 9 days for this project.

What I liked:

• You will use a decent amount of tools, languages and techniques that will assist you in a jr. software/security career.

• Finding the flags is a nice dopamine rush :)

• TA's really go above and beyond in creating some helpful tutorials and relevant sources for research.

• All the projects are 'do-able'. I really had no assembly and computer architecture knowledge. But I was able to finish the binary exploitation project with an A. But to do so, I had to do a crash course in all of the above, along with the C debugger and was able to complete the project. Again, its all about the effort/time you put in.

• Once you finished your project, you were 'done'. Nothing else to worry about until the next project opens.

What I didn't like:

No relevant lecture content provided by the professor. I think that relying on the TA's for 100% of the content is shameful. For a supposed expert in the field, why is there no learning content for the projects? It seems very lazy and it's obvious the professor does not care at all about this class. Relevant lectures/overview on the topic for each project should be a bare MINIMUM for a professor. This would GREATLY improve the learning experience. I left the class getting an A, but honestly if you don't take diligent notes during your research into the topic and review them, its very easy to just brute force projects and not learn anything.

I also think it is a huge waste that the database security project was 'last' because it was one of the better projects in my opinion.

Time spent:

For average hours per week I calculated the time from the day the semester started to the end, so there was 2 weeks where we didn't have any work because there was no final.

I put together a list of time projects took me to get an A on all of them. Keep in mind, i'm a slow worker and liked to take my time to go in depth on the topics taking notes to learn more. If just 'getting the A' is your goal, you can probably cut these times in half because you can definitely game this class.

(Man in the Middle): 30 hours (ML): 20 hours (Binary Exploitation): ~50 hours (API Security): 8 hours (Web Security): 20 hours (Log4Shell): 25 hours (Database Security): 20 hours (Cryptography): 20 hours (Malware Analysis): 15 hours

IIS was my second course in the program (after ML4T), and I took it as an exploration of computing systems. I had heard it was a good first/early course in the program.

In one way, I strongly disagree that it's a good first course in the program. Your grade is entirely based on your project grades, which are a collection of capture the flag challenges that require you to learn the basics of various types of exploitation at various levels of modern computing systems. This means that your grade is not at all based on whether you do any reading or watch any lectures or can pass any exams. So in the sense that a first course in the program is intended to acclimate you to the kinds of work you are going to need to do as an online student throughout the graduate program, this one absolutely does not do that.

But I think the reason that the course is sometimes recommended as a first course in the program is that it is a wide survey of topics that you can dive much deeper on, and I think that is actually a great reason to take it as a first course or an early course in the program. One week you're diving into javascript XSS attacks, and the next you're looking at buffer overflow exploits in C. You have to learn a lot on the fly, the challenges are really clever and fun, and you get exposure to lots of technologies and ideas of modern computing through the projects.

I don't recommend this as a summer class if you've got plans for your summer. The turns are very tight for the projects (1 week each), and in particular, the binary exploitation project gave a lot of people headaches that would be worth at least two weeks in a spring/fall semester. I spent ~30 hours on it and went in with some C experience. But most of the projects are doable in more like 10-15 hours.

Ed discussions for this course can bring out the best and worst in classmates and TAs. Some of the challenges are hard to hint without giving too much away, so sometimes folks are giving really useful and thoughtful insights in their responses about how to think about a flag. But TAs have to redact a lot, which makes some folks who are lost fairly snippy and unprofessional. And collaboration outside of Ed/Slack is strictly prohibited, which can be jarring for folks used to forming study groups or Discord servers to figure things out.