diff --git a/jenkins/exposedui/Dockerfile b/jenkins/exposedui/Dockerfile new file mode 100644 index 00000000..b6bd3755 --- /dev/null +++ b/jenkins/exposedui/Dockerfile @@ -0,0 +1,13 @@ +FROM jenkins/jenkins:2.562 + +# Switch to root to modify files if needed +USER root + +# Copy your custom config.xml into Jenkins home +COPY config.xml /var/jenkins_home/config.xml + +# Fix permissions (important!) +RUN chown jenkins:jenkins /var/jenkins_home/config.xml + +# Switch back to Jenkins user +USER jenkins diff --git a/jenkins/exposedui/README.md b/jenkins/exposedui/README.md new file mode 100644 index 00000000..ef114dd7 --- /dev/null +++ b/jenkins/exposedui/README.md @@ -0,0 +1,40 @@ +# Jenkins Exposed UI + +This testbed creates two Jenkins 2.562 instances, one with the setup wizard disabled and anyone allowed to do anything (http://localhost:8081/), and one with default config (http://localhost:8082/). + +The default config, with the setup screen, requires a password which is output to the terminal on first boot, and allows configuring authentication during setup (or makes a default admin user with the same password). + +## Confirming the vulnerability + +``` +docker compose up +``` + +### Vulnerable +``` +curl http://localhost:8081/ +``` + +``` +... +Dashboard - Jenkins +... +``` + +### Safe +``` +curl http://localhost:8082/ +``` + +Response: +``` +... +Authentication required + +... +``` diff --git a/jenkins/exposedui/config.xml b/jenkins/exposedui/config.xml new file mode 100644 index 00000000..ba2dc4b8 --- /dev/null +++ b/jenkins/exposedui/config.xml @@ -0,0 +1,36 @@ + + + + 2.562 + 2 + NORMAL + true + + + false + + ${JENKINS_HOME}/workspace/${ITEM_FULL_NAME} + ${ITEM_ROOTDIR}/builds + + + + + + 0 + + + + all + false + false + + + + all + 50000 + + + + + false + diff --git a/jenkins/exposedui/docker-compose.yml b/jenkins/exposedui/docker-compose.yml new file mode 100644 index 00000000..2c1c24a8 --- /dev/null +++ b/jenkins/exposedui/docker-compose.yml 
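Review bot: The `RUN chown jenkins:jenkins /var/jenkins_home/config.xml` step in the Dockerfile hunk is fragile: the official jenkins/jenkins base image, as far as I recall, declares `VOLUME /var/jenkins_home` (not visible here), and under the legacy builder a RUN that modifies a path inside a declared volume is discarded, so the file can still come out root-owned despite the "Fix permissions (important!)" comment. Replace the `USER root` / `COPY` / `RUN chown` / `USER jenkins` sequence with a single `COPY --chown=jenkins:jenkins config.xml /var/jenkins_home/config.xml`, which sets ownership in the same layer, removes the root switch entirely, and does not duplicate the file into a second layer. Since this image is deliberately built with an unauthenticated config.xml, a header comment such as `# INTENTIONALLY INSECURE testbed image - never push to a shared registry` would help stop it leaking out of the lab.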
@@ -0,0 +1,16 @@
+version: "3.8"
+
+services:
+ jenkins-vuln:
+ build: .
+ container_name: jenkins-vuln
+ ports:
+ - "8081:8080"
+ environment:
+ - JAVA_OPTS=-Djenkins.install.runSetupWizard=false
+
+ jenkins-safe:
+ image: jenkins/jenkins:2.562
+ container_name: jenkins-safe
+ ports:
+ - "8082:8080"
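Review bot: The `jenkins-vuln` service publishes `"8081:8080"` with no host address, so the instance the README describes as letting anyone do anything (which in Jenkins typically includes the Groovy script console, i.e. code execution in the container) is reachable from every interface on the lab host, not only the `localhost` the README's curl commands imply. Bind both services to loopback, `- "127.0.0.1:8081:8080"` and `- "127.0.0.1:8082:8080"`, so the intentionally unauthenticated Jenkins is not exposed to the LAN while the testbed is up. The top-level `version: "3.8"` key is obsolete in Compose v2 and only triggers a warning; it can be dropped. The `jenkins-vuln` and `jenkins-safe` services both inherit the base image's anonymous volume for Jenkins home, so each `docker compose up` after a `down -v` starts from a fresh state; that is probably fine for a throwaway lab but worth a comment if persistence is ever expected.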