Hands using a lock pick on a padlock.
Tools of the trade: All security is cybersecurity and that means Michigan Tech students need to be as handy with a lockpick as they are with encrypting sensitive information in databases.

In a sunlit Fisher Hall classroom, students at long tables bend intently over piles of golden keys, red plastic key molds, latch bypass tools, metal barrel tumblers, and handheld key cutters.

Instructor Victoria Walters, professor of practice in the Department of Applied Computing, roams the rows, offering advice. Special guests—students from the College of Computing's highly ranked MTU RedTeam—answer questions. The topic du jour is lock-picking.

These Huskies are learning the art of the break-in.

But no worries. They're the good guys.

Students in Walters' SAT4817 Security Penetration Test and Audit course tackle a variety of cybersecurity scenarios. Students learn the process of penetration testing, or "pen testing" for short, a procedure that looks a little different depending on the needs of each specific client. They learn and demonstrate methods to ensure prevention of security breaches, as well as offensive and defensive security concepts and audit best practices. They help develop safeguards to protect sensitive information and confidential data. And when the in-class assignments are completed, they partner with businesses to produce and present a professional penetration test or audit report consistent with industry standards.

All Security is Cybersecurity

There are a myriad of ways that companies expose themselves to entry, penetration, and theft. For example, a server is only as physically secure as the room where it's housed—and hopefully that's a room where the walls go all the way to the ceiling and the door is locked. As Walters explains, the location of windows and the direction that security cameras face can be as important to safety as sanitizing the code behind your web application to ensure no one can enter malicious code into fields on your website. The bad guys might sit outside your building to see if they can gain access to your Wi-Fi network. Or they might use the ladder you've conveniently left propped against an exterior wall to get up on the roof.

Student using a handheld keycutter.

That's why cybersecurity professionals need to be as adept at cracking an entry lock as a password. They need to be as proficient with observing property features, like fences and shrubbery, as they are with using a pineapple—a fun name for a device cybersecurity pros use to scan networks, find vulnerabilities, and break in.

"I've noticed that people try to lump cybersecurity into its own field. But it's pervasive across an entire organization," says Walters, who has 25 years of experience in information technology, cybersecurity, and corporate security and compliance. "Cybersecurity is all-encompassing and not one thing. In order to be effective, it has to be in almost every single facet of an entire organization."

Break-in Tips from MTU RedTeam

The MTU RedTeam, a student organization based in the College, has been representing the University in national cybersecurity competitions since 2017. In addition to capturing flags and winning coveted black badges, team members focus on campus and community education. "I can teach students how to lock-pick," says Walters, laughing, "but the RedTeam can really teach them how to lock-pick."

Noah Holland, a nationally ranked RedTeam member and junior cybersecurity major taking the course, arranged for fellow team members to bring in their equipment and share a presentation focused on how physical security informs cybersecurity.

RedTeam member Dane Cucinelli '27, a mechanical engineering technology major, notes that doors, fixtures, and knowing who's in charge of locks are critical to eliminating vulnerabilities. "Not everything has to be high-tech," he says, mentioning latch loiding, the process of being able to open a door using a flat object like a credit card. Another low-tech security hazard happens when people don't want to lock a door behind them while they step outside and then forget to remove the door stopper when they head back in, providing easy entry. Ordering keys that can't be duplicated and replacing keying on new construction are among other no-brainer security choices. But they're also details people don't tend to consider.

After discussing pin-and-tumbler locks, magnets, card readers, and toggle modes on elevators with great animation, RedTeam members pass out the tools of the trade. The class, totally absorbed, gets to work.

It's Real Work. Really.

"It takes a special kind of person to want to come to Michigan Tech. The special people that we are attracting to this university are incredibly smart and incredibly passionate about what they're studying."
Victoria Walters, Professor of Practice, Department of Applied Computing

Not all of SAT4817 is as cool as the lockpicking session. Walters describes the majority of her course as "report hell." She's only semi-joking.

"It's a bit of a slog once they get going because I really, really push project management. The pen testing portion of the actual penetration test is probably the least of their worries because it's about two to three weeks of their time out of the semester," Walters says. The rest of the class is devoted to ensuring that the many steps of a pen test are carried out. The work includes reconnaissance, developing an attack plan, establishing client communications, handling necessary paperwork like nondisclosure agreements, and taking and presenting the many screenshots required in an industry-level report.

The nine teams assigned begin by setting up a time with their clients to run vulnerability scans. "This helps the students determine next steps for their attack plan, and then they have that brief two to three weeks where they actively get to try to find the vulnerabilities," says Walters. "They have to take all of that information and create a professional-level report. And then they have to set up a meeting and present that report, including recommendations on how clients can go about fixing things."

As their instructor and a cybersecurity industry pro, Walters puts as much focus on the communications piece as any other component of the course.

"We have lectures devoted to dressing professionally, what you need to do, and what you're allowed to say," she says. "This is the real thing."

Huskies Get Client Feedback

Walters has lined up nine clients for her SAT4817 students, a mix of local and online companies, at least three of whom are repeat customers. Alumnus Matt Black, a 2005 Tech graduate who is now director of information security at ContentStack, is one of those clients. He made the trip back to Houghton from Seattle, Washington, to attend the Applied Computing Industry Advisory Board meeting, visit Design Expo, and spend time with the Huskies pen test team. Black made things extra challenging for the team by planting Easter eggs in the infrastructure for students to find. Black says the team's testing scope, execution, and deliverables lived up to expectations.

Students sitting at a table.

"They found an interesting way to use some of the AI tools in the system," he said. "Overall, it helped validate a lot of what we thought was in place and gave us some reassurance on the existing posture. Isabella, Joe, Nate, and Austin were all incredible to work with. I'm glad we got the opportunity to do this."

Ryan Higbie, director of health information management and technology at Pathways Community Mental Health, was also happy with the results. Testing did not uncover any issues—which is exactly what he was hoping for, as his group is expecting to increase its online presence in the next couple years. Higbie offered some communications and presentation feedback to students, as well as an enthusiastic "yes" to participating in the future. "Nothing short of a win-win for both sides," Higbie wrote in his evaluation. "We get visibility into our security, and the students get some real-world training. I would be thrilled if this is a long-term relationship."

Joshua Neece at GS Engineering said his company would also consider participating again in the future. "It was an enjoyable experience and interesting to interact with such intelligent students," he said.

The praise is what Walters was aiming to hear from clients. "Their willingness to provide real-world experiences ensures that students leave this institution prepared to successfully take on the threats that businesses face every day," she said. "It's so valuable for our students."

Participating businesses aren't the only ones who have a lock on giving Huskies the experiences that will make a difference in their careers. Walters is giving students the tools. But she's also learning from them, seeing them learn from each other, and watching their progress with admiration. "We are super lucky to have these young adults here," she says.

"Every student I've worked with here is brilliant in their own way," says Walters. "They will fill your ears with their great ideas. They are so confident in what they know but they are humble. They all find their own niches and passions and it's like an exploding can of pop—you can't stop it!"

Huskies Get Ready to Roam the Range

Some College of Computing faculty were sitting around earlier this year talking about what to do with several donated servers.

Instructor Walters watching a student pick a lock.

"Just off the cuff I said we should build a cyber range," says Walters. "Did I ever imagine we would? No." But the next thing she knew, she had nine servers and a student working on the buildout. When word got out, students lined up at her office door asking to work on the project. "I had to create an independent study section for both graduate and undergraduate students," she says.

Cyber ranges are banks of servers that can be configured to run offensive and defensive scenarios. Both test beds and educational tools, they show organizations how to protect themselves and students how to put the theories they're learning into practice. A database of easily launched scenarios can be run. When the exercise is done, the range resets, with the scenario templates cleared and ready for the next practice.

Cyber ranges can be dauntingly expensive and fiendishly complicated. The MTU Superior Cyber Range aims to address those challenges. "We're doing something drastically different than what has been done," says Walters, adding that the effort is an important way to elevate cybersecurity education and outreach at Michigan Tech.

"When we talk to the students about what it means to move laterally across a network or in an infrastructure after they've infiltrated it, we want them to be able to experience what that actually looks like, which is a lot different than just hearing about it in the classroom," says Walters. "We want them to be able to run authentic scenarios where they're performing digital forensics as part of a class and they're able to follow the breadcrumb trails and uncover what really happened during the course of, say, a criminal investigation into a bad actor infiltrating a network and stealing money or intellectual property."

Though the range is still in development, Senior Design project teams and the IT Oxygen Enterprise (ITO), for which Walters is a faculty advisor, are already working on cyber range-related projects. "We have scenarios being built out on the infrastructure that can be run because they were demoed at ITO," she says.

One of the Senior Design project teams is working on educational training for area high school and middle school students. They're focused on helping kids understand cybersecurity best practices. As the team explains, impulsively clicking links or downloading questionable apps spans generations. Younger digital natives are just as vulnerable.

The Basic Cybersecurity Education Modules team presented components of their Superior Cyber Range Education project to Hancock Middle School students this year. Team member Jayden Anderson, who earned his cybersecurity degree in spring 2025, said the students showed a 25.4 percent improvement in understanding basic concepts. Other educational modules address topics like domain networks and how data travels without wires.

The second Senior Design project team, Superior Cyber Range Attack and Defense Surface, is developing a web-based virtual environment to assist in educating users on common cybersecurity pitfalls, including password cracking and man-in-the-middle attacks. Both teams are advised by College of Engineering Coordinator Kevin Meyers.

Cyber rangers expect to complete their initial work by the end of January 2026. "What we have right now is an early working version. We're close to finishing proof of concept," says Walters. "The infrastructure is running with a few little kinks to work out. I hope that everybody around the University will want to use it for one thing or another."

Michigan Technological University is an R1 public research university founded in 1885 in Houghton, and is home to nearly 7,500 students from more than 60 countries around the world. Consistently ranked among the best universities in the country for return on investment, Michigan's flagship technological university offers more than 185 undergraduate and graduate degree programs in science and technology, engineering, computing, forestry, business, health professions, humanities, mathematics, social sciences, and the arts. The rural campus is situated just miles from Lake Superior in Michigan's Upper Peninsula, offering year-round opportunities for outdoor adventure.