I built a small security lab to teach the failure modes I see most often in client work. The first real test was running it against my own production site.