Feedback for Security Portfolio Part 1 & Part 2:

• For every part you complete, the report you produce should include the previous parts. Please refer to the guidelines.
• Well written introduction, to the point and complete.
• Some of you diagnostic tools could be better defined. When one thinks of an "arsenal of tools", each tool generally has a purpose. Categorising these tools helps with organising your attacks, setting scope to tool use, and aligning yourself industry standards as some aspects of tools are better than others. Knowing which tool to go to for a given task is what you should strive for. You do this well for Burp suite.
• What is ideal is if you have a table of vulnerabilities with a ranking of priority -> feasibility of attack, impact, effort. This prioritises where you spend your time investigating what parts of the system. We must assume that our resources are scarce (security specialists are expensive!)
• Structuring your information is also good practice. For example, your information gathering could have been tabulated in which it's a puzzle of "filling in the blanks". This lays out what information you have to work with and what information you don't have which requires further investigation.
• Your understanding of Cloud Security Restrictions is commendable and indepth. Always keep this in mind as white-hat pen testers.
• What a blunder by the walk-with-kid system! You already have access to their admin backend, huge red flag! Great work. There are different ways you can exploit this, a seek and destroy approach is the most obvious but the least rewarding. Think of ways to plant backdoors and other means of re-access to ensure you have your way if security measures are implemented.

Great work overall, keep it up!

Feedback for Security Portfolio Part 3, 4 & 5:

• The table of contents seems to be incomplete, refer to the subsections under 3.1. The pages are not numbered which makes the table of contents not as useful as it could be.
• As for structure, it is lacking in parts 3, 4 & 5 as opposed to the earlier parts of the Security Portfolio. Categorising the exploits conducted in later sections would have been beneficial. 
• I appreciate the use of bullet points throughout section 3.1 as you avoided walls of text.
• With regards to your first attack, some elaboration on what other exploits could have been done such as implementing another backdoor if your user was to be removed, would have been a good idea. And perhaps, tailoring your malicious modifications to what the purpose of the website is may have been less obvious. For example, tempering with data that is being shown to throw off statistics.
• You cover some of what is mentioned in the previous point in the next attack, explaining implications of the vulnerability. Well done.
• Good practice would be to ultimately tabulate your successes and failures as a summary of what worked and what didn't. This is useful for future tests on similar systems. 
• Excellent reflection overall and well thought out!

Great work overall, you should be proud of yourselves!