diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..d18ed64e
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,22 @@
+## Goal
+<!-- What is the purpose of this PR? Link to the lab/task if relevant. -->
+- 
+
+## Changes
+<!-- What did you change? Keep it bullet-pointed and concrete. -->
+- 
+
+## Testing
+<!-- How did you verify it works? Commands, screenshots, manual checks. -->
+- 
+
+## Artifacts & Screenshots
+<!-- Links to files in the repo (e.g., labs/submission1.md) and any screenshots/API snippets. -->
+- 
+
+---
+
+### Checklist
+- [ ] PR title is clear and descriptive
+- [ ] Docs/readme updated if needed
+- [ ] No secrets, credentials, or large temporary files included
diff --git a/labs/submission2.md b/labs/submission2.md
new file mode 100644
index 00000000..d6d11bfd
--- /dev/null
+++ b/labs/submission2.md
@@ -0,0 +1,68 @@
+# Lab 2 --- Threat Modeling with Threagile (OWASP Juice Shop)
+
+## Task 1 --- Baseline Threat Model
+
+### Generation
+
+Threagile model was generated using Docker and the provided YAML model.
+
+Artifacts generated: - report.pdf - data-flow diagram - data-asset
+diagram - risks.json - stats.json
+
+### Risk Ranking Methodology
+
+Severity mapping: critical=5, elevated=4, high=3, medium=2, low=1\
+Likelihood mapping: very-likely=4, likely=3, possible=2, unlikely=1\
+Impact mapping: high=3, medium=2, low=1
+
+Composite score = Severity*100 + Likelihood*10 + Impact
+
+### Top Risks Summary
+
+Major baseline risks: - Unencrypted communication between browser, proxy
+and application - Lack of storage encryption - XSS / CSRF attack
+vectors - Missing security infrastructure (vault, WAF, identity store) -
+Weak hardening and missing build infrastructure
+
+------------------------------------------------------------------------
+
+## Task 2 --- Secure Variant
+
+### Model Changes
+
+-   Browser → App: protocol=https
+-   Reverse Proxy links: protocol=https
+-   Persistent Storage: encryption=transparent
+
+### Risk Category Delta Table
+
+  Category                                 Baseline   Secure    Δ
+  -------------------------------------- ---------- -------- ----
+  container-baseimage-backdooring                 1        1    0
+  cross-site-request-forgery                      2        2    0
+  cross-site-scripting                            1        1    0
+  missing-authentication                          1        1    0
+  missing-authentication-second-factor            2        2    0
+  missing-build-infrastructure                    1        1    0
+  missing-hardening                               2        2    0
+  missing-identity-store                          1        1    0
+  missing-vault                                   1        1    0
+  missing-waf                                     1        1    0
+  server-side-request-forgery                     2        2    0
+  unencrypted-asset                               2        1   -1
+  unencrypted-communication                       2        0   -2
+  unnecessary-data-transfer                       2        2    0
+  unnecessary-technical-asset                     2        2    0
+
+### Analysis
+
+Enabling TLS removed unencrypted communication risks and reduced risks
+related to unencrypted storage.\
+Application-layer and infrastructure risks remain because they require
+additional controls beyond encryption.
+
+## Conclusion
+
+The secure variant demonstrates how TLS and encryption-at-rest
+significantly reduce the threat landscape while leaving
+application-level vulnerabilities unchanged.