Asfela AI Security Engineering — Operational Launch Checklist¶

State as of 2026-05-19: course content (11 modules, ~155 lesson files, ~18.7K lines markdown) + companion code (M3–M7 labs, ~7.7K lines Python/Docker/CI) are both complete and pushed to GitHub. What's left is operational: turning the GitHub repos into a paid product that students can enroll in, complete, and certify against.

This checklist is the path from "content done" to "first paying cohort live." Each section ends with a status checkbox so this doc doubles as a progress tracker.

Decisions to make first (block everything else)¶

These six decisions cascade into the rest of the checklist. Resolve them in the next 1–2 weeks before committing to a recording schedule or signing platform contracts.

D1. Lab hosting model¶

Options: - (A) Kasm self-hosted — best UX, ~$200–800/mo hosting depending on concurrency; one-time setup ~1 week. Recommended in decisions/01-lab-platform-recommendation.md. - (B) Instruqt — best polish, ~$15–30/seat-month; less ops burden, no per-org image building. - (C) Learner-run local Docker — zero infra cost, much higher support burden ("my Docker isn't working"); kills the demo experience for non-technical buyers.

Recommendation: Start with (C) for the first ~20 paying students (manageable support load, zero infra cost, validates demand). Switch to (A) Kasm once you have 20+ enrollments and the per-student support cost exceeds Kasm's per-month cost.

Decision deadline: before recording videos that reference the lab platform's UI.

D2. LMS choice¶

Options: - (A) Thinkific (Pro plan, $199/mo) — original target. Certificates + drip + payments + cert verification built in. - (B) Teachable — similar feature set, slightly different pricing. - (C) Self-hosted on a Next.js/Stripe stack — full control, but ~3 weeks of work and you don't need that control yet.

Recommendation: Thinkific Pro. Decision is largely cosmetic at the $1,500 price point; Thinkific's certificate verification (auto-generated cert URL) matters for résumé claims.

D3. Pricing strategy¶

Locked: $1,500/seat target.

Open: payment terms. - (A) Single payment, $1,500. - (B) 3 × $550 split (total $1,650). - (C) Tiered: $1,500 individual / $4,500 team-of-5 / $12,000 team-of-15. - (D) Early-bird: $999 for first 25 enrollments, then $1,500.

Recommendation: (D) for launch (price discrimination + scarcity), with (C) added once you have a B2B sales motion.

D4. Video production model¶

Options: - (A) Talking-head + screen-share, recorded in OBS/ScreenFlow/Loom, no editor. ~50–100 hr total effort over 4–8 weeks part-time. - (B) Animated slides + voiceover (Camtasia / Descript). ~100–150 hr; better polish for the theory-heavy modules; harder to update. - (C) Outsource to a video producer. $30–80/finished minute → for ~12 hrs of finished video, $20–60K. Faster but capital-intensive.

Recommendation: (A) for v1. The market for $1,500 technical courses tolerates moderate production value when content quality is high. Re-record top-3 lessons in (B) style after first cohort feedback.

D5. Beta vs. full launch path¶

Options: - (A) Closed beta (10–20 students at $500) → revise based on feedback → public launch at $1,500. ~6–8 weeks. - (B) Public launch immediately at $1,500, accept first-cohort friction.

Recommendation: (A). Closed beta gives you (1) testimonials for the public launch landing page, (2) bug reports against the code while support volume is manageable, (3) real completion-rate data, (4) NPS to know whether the price holds.

D6. Course ownership & business entity¶

Open questions: - Is the course IP held by Asfela Ltd, an LLC, or personally? - Stripe/payment processor account in whose name? - Where do refunds come out of? - Tax handling (VAT for EU students, US sales tax nexus)?

Recommendation: Talk to your accountant before processing the first dollar. For most US-based indie course creators, single-member LLC + Stripe + Quaderno (for tax) is the standard stack.

Status: - [ ] D1 — Lab hosting model decided - [ ] D2 — LMS choice locked - [ ] D3 — Pricing strategy locked - [ ] D4 — Video production model decided - [ ] D5 — Beta vs. full launch path decided - [ ] D6 — Business entity + payment + tax stack confirmed

Phase 1 — Pre-launch (weeks 1–3)¶

Goal: have a course shell + landing page that can take a beta enrollment, even if no videos are recorded yet.

Course assets¶

Course landing page — single-page sales site. Sections: hero, who-it's-for, what-you'll-learn (the 11 modules from 00-curriculum-overview.md), capstone deliverable, instructor bio, FAQ, pricing, enrollment CTA.
Domain: asfela.com/ai-security or standalone aisec.asfela.com / professional.asfela.com.
Effort: 1–2 days if using a template (Carrd, Webflow, Framer); ~1 week from scratch.
Course thumbnail / cover image — for the LMS, social previews, certificate watermark.
Logo / wordmark — Asfela has one; confirm it works at certificate size + LinkedIn share preview size.
One-pager PDF — for B2B/team-sale leads. Coverage matrix (modules × frameworks), pricing, outcomes.
3–5 testimonial slots — if you have any past clients or colleagues willing to provide pre-launch endorsements, get the quote + headshot + title now.

LMS setup (Thinkific Pro assumed)¶

Companion repo polish¶

Top-level README rewrite — currently developer-internal; should be learner-facing. Cover: prereqs, uv sync, python scripts/sanity_check.py, "where do I go from here," lab platform setup.
Per-module README — short index in modules/<NN>/README.md mirroring the lab structure so learners cloning the repo know what each script is for. (M0 has one; M1–M9 don't.)
Troubleshooting doc (TROUBLESHOOTING.md) — top 20 expected gotchas: Ollama not running, llama-guard3 not pulled, port 8765/8766/8767 conflicts, Docker permissions, Python version mismatch, HuggingFace dataset acceptance, CIFAR-10 download size, opacus install failure, vec2text version drift.
CONTRIBUTING.md — even just "this repo is read-only for learners; report issues to support@asfela.com." Sets expectations.
Verify sanity_check.py covers M3–M7 deps — currently only checks M0–M1 stack. Extend to verify defenses/, defended/, observability/ import, presidio analyzer initializes, picklescan/modelscan/garak/textattack on PATH.
Companion repo licensing — currently "all-rights-reserved during course-build." Decide: keep proprietary (course buyers get access; not redistributable) vs. relicense MIT/Apache (turns it into a marketing asset; loses pure-IP value).

Recording infrastructure¶

Recording hardware — decent USB mic ($80–150 — Shure MV7 / Blue Yeti), webcam (built-in MBP is fine), quiet room. Reduce noise > look polished.
Recording software — OBS Studio (free) or ScreenFlow ($150 one-time). Test record one M0 lesson and play back; if it's unwatchable, fix this before recording 154 more.
Slide template — minimal, branded. Title slide + 3–5 content slides per lesson. Reuse across the course.
Naming + folder convention — recordings/raw/MX.Y-title.mp4 → recordings/edited/MX.Y-title.mp4. Don't change this mid-course.
Video host — Wistia / Vimeo Business / Bunny.net. Thinkific can host but Wistia gives you analytics + drop-off graphs that matter for iterating on weak lessons.

Phase 1 status: ___/N items complete

Phase 2 — Video production (weeks 3–10)¶

Goal: all 155 lesson videos recorded, edited, uploaded, and slotted into the LMS.

Recording approach¶

Recommended cadence: 2 modules per week in batches. - Week 3: M0 + M1 (orientation + foundations — most-watched lessons, get them right) - Week 4: M2 + M3 (security foundations + prompt injection) - Week 5: M4 + M5 (poisoning + extraction) - Week 6: M6 + M7 (adversarial + defenses) - Week 7: M8 + M9 (governance + capstone) - Week 8: M10 + retakes of weakest M0/M1 lessons after dogfooding - Week 9–10: editing + upload + LMS slotting

Each video lesson already has a script in 99-module-summary.md and the individual lesson markdown files. Read the script verbatim or paraphrase tightly — don't try to ad-lib 155 lessons.

Per-lesson workflow¶

For each lesson: 1. Record to recordings/raw/MX.Y-title.mp4 — straight read of the script + slide. 2. Edit lightly: trim dead air at start/end, cut any disastrous retake. Do not over-edit. A 5-min lesson should take ~10 min to edit, not 60. 3. Upload to Wistia / Vimeo. 4. Slot the embed code into the corresponding Thinkific lesson. 5. Mark complete in LAUNCH-CHECKLIST-RECORDINGS.md (create this as a per-lesson tracker).

Lab labs (M3–M7) — special handling¶

The hands-on lab lessons (L3.6, L3.7, L3.8 etc.) need a different recording format than the theory videos: - Screen recording of the lab being executed end-to-end (~10–20 min per lab). - Voiceover narrating each step matching the lab markdown. - Output: one video per mandatory lab, used as the "show me how" companion to the written lab. Optional, but expect to record these eventually — most learners watch the lab demo before attempting it themselves.

Optional polish¶

Captions — auto-generate via Wistia / Descript; cleanup pass on first 5 lessons (M0 + first 4 of M1). Important for accessibility + SEO.
Lesson thumbnails — per-lesson thumbnail card with title text. Increases engagement; ~30 sec/each in Canva.
Lesson length verification — confirm every M2+ theory video is ≤ 5 min (the rule from feedback_video_length.md). Re-cut anything over.

Phase 2 status: /155 lessons recorded · /155 uploaded · ___/155 slotted in LMS

Phase 3 — Beta cohort (weeks 10–14)¶

Goal: validate the course end-to-end with 10–20 paying beta students.

Beta recruiting¶

Identify the beta cohort — target 10–20 students. Sources: your own network (security engineers + ML engineers in your professional circle), Twitter/X + LinkedIn announce, an offer to past colleagues / former clients.
Pricing for beta — $500 (1/3 of public price) in exchange for: complete the course, fill out the post-module feedback form, allow your testimonial to be used. Make this trade explicit in the beta application.
Beta application form — Typeform/Google Form. Filter for: AI/ML or security engineering role, time commitment (can they finish in 12 weeks?), willingness to provide feedback. Aim for 30–50 applications → pick 10–20.
Set the beta start date — 4 weeks out from "Phase 2 complete." Use the lead time for onboarding emails, expectation-setting, calendar holds.

Beta operations¶

Welcome sequence — 4 emails over 2 weeks before the beta starts. Set expectations, share prereqs, get them to do M0 setup before week 1 so they're not blocked on Docker on day one.
Weekly office hour — 60 min, recorded. Optional attendance, but the recording is part of the course value. Use Zoom + cloud recording.
Discord/Slack community — single channel for the beta. Acceptable to scale this back later, but for the first cohort the synchronous Q&A is part of the experience.
Post-module feedback form — short (3 questions): what was confusing, what was the most valuable, what would you change? Send after every module completion.
Capstone office hour — extra session for the capstone (M9) since it's the highest-effort artifact. Walk through the rubric, answer scoping questions.
Beta-only Slack/email for cohort cross-talk — peer review is a huge value driver.

Beta-driven iteration¶

After every 2 modules of beta progress, run this loop: - [ ] Read the feedback forms. - [ ] Identify the bottom-3 lessons by drop-off (Wistia analytics). - [ ] Either re-record, re-script, or add a clarifying paragraph to the markdown. - [ ] Patch the companion repo (most expected: lab scripts that worked locally but fail on a learner's machine).

Don't try to fix everything; fix the items that ≥30% of beta students flagged.

Phase 3 status: Beta complete · ___/N students passed · ___ testimonials collected · ___ priority issues identified for v1 release

Phase 4 — Public launch (week 14+)¶

Goal: open paid enrollment at $1,500.

Pre-launch checklist¶

Beta feedback incorporated — every priority issue from Phase 3 is closed or has a known workaround documented in TROUBLESHOOTING.md.
Landing page updated — 3+ testimonials from beta cohort (with their permission), updated curriculum copy reflecting any changes.
Price change effective — Thinkific course price set to $1,500.
Cert template stress-tested — issue 3 test certs, verify URL works, share preview looks good on LinkedIn.
Support email automated — support@asfela.com routes to your inbox with auto-acknowledge ("we respond within 1 business day").
Refund policy + ToS live on the landing page.

Launch marketing¶

Day -7: announce launch date on LinkedIn + X.
Day -3: pre-launch email to anyone who applied for beta but wasn't selected (highest-intent audience). Offer them the early-bird $999.
Day 0: launch posts — LinkedIn (longer, more professional, links the curriculum overview); X (shorter, hooks); HN Show (if you can write a non-cringe Show HN). Don't post to all simultaneously — stagger over 4 hours so you can engage with comments on each.
Day 0: outreach to 20 high-fit individuals — past colleagues, AI security practitioners in your network. Personal email is higher conversion than broadcast.
Day +7: case study post — write up "what one beta student learned" with their testimonial. Re-share.
Day +14: early-bird ends — close the $999 tier, raise to $1,500. Urgency.

Channel partnerships (optional, later)¶

Sponsor a relevant newsletter (Last Week in AI / TLDR Sec / SoftSec / similar). $1–3K for 1 sponsored slot; viable if even 2 enrollments come from it.
Guest podcast appearances — Risky Biz, Open Security Summit, Talos, etc. Higher conversion than ads.
B2B outreach — once you have 30+ individuals enrolled, start outreach to AI-security-curious enterprises (banks, healthcare SaaS) with the team-of-5 pricing.

Phase 4 status: Launched · ___ enrolled in first 14 days · ___ enrolled by day 30

Phase 5 — Ongoing operations¶

Per-cohort operations¶

Onboarding email auto-sent on enrollment. Set expectations, link M0 setup, link Discord/Slack.
Weekly office hour — keep going. This is where retention is built.
Capstone reviews — for the "Capstone with distinction" tier, you need to actually review submitted capstones. Budget ~30 min per capstone you mark with distinction.
Cert issuance — Thinkific handles automatically; you should manually check the first 10 issued certs for typos / formatting.

Content maintenance¶

The course is timely (frameworks, tools, products are all changing fast). Expect to maintain it: - [ ] Quarterly review — read every theory video script for "this changed since 2026-05," update the markdown, re-record any lesson with material drift. - [ ] Tool version pinning — pin pyproject.toml versions to avoid 6-month-old courses breaking on uv sync. - [ ] Framework refreshes — OWASP LLM Top 10 revises annually; NIST AI RMF profiles are rolling out; EU AI Act enforcement milestones land throughout 2026–2027. Track in a CHANGELOG.md. - [ ] New module candidates — agent security deserves its own module by 2027; multi-modal injection deserves its own module; new regulatory regimes (UK, India) will need module-level coverage.

Metrics that matter¶

Track these monthly (Thinkific provides most directly): - Enrollments (new + cumulative). - Completion rate — % of enrollments that finish M10. Industry standard for high-tier technical courses is 20–40%; aim for 50%+ given price + cohort model. - Cert issuance rate — % of completions that pass M10. - NPS post-course. - Time-to-completion — median weeks from enrollment to cert. - Refund rate — should be < 5%. - Support tickets per cohort — flag if rising linearly with enrollments (= scale issue) vs sub-linearly (= maturing).

Things that will break¶

Likely failure modes to plan for: - Ollama / Llama Guard model version drift — Ollama models get re-tagged. Pin specific versions in pyproject.toml-equivalent (Ollama manifest hash where possible). - HuggingFace dataset gating — Jigsaw, IMDB, sometimes CIFAR — datasets get gated retroactively. The L4.6 / L6.8 generators have fallbacks; monitor for new ones needed. - PyRIT / Garak API drift — both move fast. The L3.10 wrapper has a fallback; expect to update the wrapper every 6 months. - Anthropic / OpenAI API surface changes — chat.py is the seam. One file to patch when the SDKs version-bump. - Cert verification URL stability — if you migrate LMS, old certs break. Plan for permanence here (custom domain you control, not Thinkific's verify URL).

Status snapshot (update as you progress)¶

Last updated: 2026-05-19

Phase	Status	Notes
Decisions (D1–D6)	⏳ pending	All six open; decide before Phase 2
Phase 1 — Pre-launch	⏳ pending	Landing + LMS + repo polish
Phase 2 — Video production	⏳ pending	Estimated 4–8 weeks part-time
Phase 3 — Beta cohort	⏳ pending	10–20 students at $500
Phase 4 — Public launch	⏳ pending	$1,500 with $999 early-bird
Phase 5 — Ongoing ops	⏳ pending	Quarterly review cadence

Realistic timeline¶

If decisions resolve in 1 week + Phase 1 takes 2 weeks + Phase 2 (recording) takes 6 weeks + Phase 3 (beta cohort) takes 12 weeks + Phase 4 (public launch) takes 2 weeks of prep → ~5 months from today to public launch.

That's the long path. The short path: skip the beta, launch publicly with the first 10 students at $999, iterate live → ~3 months to public launch but with more first-cohort friction.

Both are defensible. The beta path is the one I'd recommend for a first paid course.