First we setup a Windows attack VM called Commando. Next we perform several web attacks like attacking the newer OWASP WebGoat.NET web page and some small apps that demonstrate specific weaknesses like XXS, APIs, etc. Lastly we attack a Thick Client (fancy name for desktop app) which communicates with a backend FTP and database.
I attempt to go through the attacks in a non-methodical way, as an introduction to security geared toward developers, later a formal methodology is developed.