Security for Beginners taught you what "secure" means. This chapter hands you the lens a working defender actually uses: model the threat before it arrives, find the attack surface, rank the risk, and know how the intruder in later chapters will think. Everything else in the book is a control built on the foundation this chapter lays.
6 topics
Meet Meridian — a mid-size SaaS company whose scheduling and analytics product runs at app.meridian.example, backed by an API at api.meridian.example and a PostgreSQL database full of customer data. You will attack and defend Meridian for the rest of this book, the same way a real security team does. Your point of view is Priya, Meridian's security engineer; your adversary is the intruder, who runs a full campaign against these exact systems in later chapters.
This first chapter is the mindset the rest of the book runs on. Six topics build it: the attacker-defender asymmetry that makes perfection impossible, threat modeling with STRIDE, the attack surface and trust boundaries you are actually defending, risk as likelihood times impact, the design principles that recur in every control, and the kill chain and MITRE ATT&CK — the shared map of how attacks unfold. None of it is hands-on yet. All of it is the reason the hands-on chapters are organized the way they are.
The loop this book runs on — every chapter is one of these four moves