diff --git a/doc/exercises/01-static-analysis-with-breakman.md b/doc/exercises/01-static-analysis-with-breakman.md
new file mode 100644
index 0000000..500c4c8
--- /dev/null
+++ b/doc/exercises/01-static-analysis-with-breakman.md
@@ -0,0 +1,49 @@
+# Static Analysis: Brakeman
+
+Brakeman is a static source code analyser for Ruby on Rails applications and can
+be used at any stage of development, as it does not rely on any code being
+executed. It finds many different types of security vulnerabilities. In the
+following exercises, you will run Brakeman on DVGM and inspect three findings
+more closely.
+
+## Running Brakeman
+
+Running Brakeman is simple. Navigate to the source code directory of DVGM and
+call `brakeman` without any arguments.
+
+Brakeman should return withing a few seconds and produce 7 security warnings. We
+will have a closer look at the SQL Injection and Cross-Site Scripting findings.
+
+### SQL Injection
+
+Brakeman will report one possible SQL injection.
+
+1. In which file and line is the possible SQL Injection located?
+2. What action in what part of the app triggers the SQL query?
+3. Is the vulnerability exploitable? If yes, write an exploit and test it.
+4. If it is exploitable, how would a possible fix look like? Try the fix by
+   changing the source code of DVGM (the changes are automatically picked up).
+   See if your exploit still works. Do not forget to revert all changes afterwards,
+   as we will also use other tools.
+
+### Cross-Site Scripting (XSS)
+
+Brakeman will report two possible cross-site scripting vulnerabilities *in DVGM
+itself*. We will look more closely at the one that possibly affects logged-in
+lecturers.
+
+1. In which file and line is the possible XSS vulnerability located?
+2. What action in what part of the app triggers the flagged line?
+3. Is the vulnerability exploitable? If yes, write an exploit and test it.
+4. If it is exploitable, how would a possible fix look like? Try the fix by
+   changing the source code of DVGM (the changes are automatically picked up).
+   See if your exploit still works. Do not forget to revert all changes afterwards,
+   as we will also use other tools.
+
+### Vulnerable Dependencies
+
+Brakeman will also report (at least) two possible Cross-Site Scripting
+vulnerabilities in dependencies.
+
+1. Which dependencies are affected?
+2. Is DVGM likely to be affected by the reported CVEs?