Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Intermediate · modules
Modules tagged Intermediate. Use the sidebar to narrow by track or topic.
Cleartext Is Forever
An adversary records your encrypted traffic today. Stores it. Years later, a quantum computer breaks the key exchange. Decrypts. This isn’t hypothetical. Nation-state adversaries have been recording for years. Long-lifespan secrets — IP, state secrets, banking credentials — are exposed even when transmitted over modern TLS today. The mindset: data with multi-decade sensitivity needs post-quantum protection […]
The Cookie Confusion Cascade
Cookies are the most-misunderstood browser feature. Domain attribute, path, SameSite, Secure, HttpOnly, Partitioned — each affects when the browser sends the cookie. Combinations produce surprising behaviour. Examples that catch defenders off guard: a cookie set on the parent domain is visible to subdomains (intentional, abusable); SameSite=Lax allows cookies on top-level navigations (CSRF window); Partitioned cookies behave differently per top-level […]
Authentication vs Authorization Split
Authentication: who are you. Authorization: what can you do. Most security education conflates them. Most bugs live in the gap. An authenticated user is not authorized for everything they ask. Authorization is per-resource, per-action, often per-attribute. IDOR exists because authn is correct but authz is missing. The mindset: at every endpoint, two questions: “is this […]
Browser Origin Boundaries
Same-Origin Policy is the bedrock of web security. But “origin” has nuances: scheme matters, port matters, path doesn’t. Subdomains aren’t same-origin (they’re same-site, different concept). CORS is opt-in cross-origin. It carries credentials only with explicit allow. Access-Control-Allow-Origin: * with credentials is invalid. Many implementations get this wrong. postMessage crosses origins by design. Receiver must validate […]
State Machines Have More Edges Than You Think
Every web app is a state machine. Order = pending → paid → shipped → delivered. State transitions have rules. The rules have gaps. Attackers enumerate edges adversarially: can I go from pending to delivered, skipping paid? Can I cancel after shipped? Can I trigger paid → paid (double payment processing)? The mindset: draw the […]
The Three Types of Web Sessions
“Session” is overloaded: browser session (open tabs), server session (data keyed by session ID), application session (the user’s logical workflow). Each has different lifetime; each has different invalidation rules. The bug pattern: developer thinks “user logged out, session ended.” Browser session ended. Server session may persist. JWT may still be valid. OAuth refresh token still […]
Why HTTP Headers Are Programmable Trust
Application code routinely trusts HTTP headers. X-Forwarded-For for client IP. Host for routing. Origin for CORS. Each is attacker-controllable in some path. If your code does if (request.headers["X-Admin-Override"] == "true"), you’ve created a backdoor. If your code trusts X-Forwarded-For without validating the immediate peer, you’ve created an IP-spoofing primitive. The mindset: each header your code […]
RAG Security
RAG combines vector search + LLM. Security model is hybrid.
Threats specific to RAG
Vector store data exposure — anyone with access reads embeddings (and retrieves originals)
Indirect prompt injection via retrieved docs — adversary plants malicious doc; RAG retrieves and follows instructions
IAM bypass via vector similarity — user query semantically matches private docs […]
AI Model Supply Chain
AI models are software you don’t see. Supply chain matters.
Pickle deserialisation
PyTorch models default to Python pickle format. Pickle = arbitrary code execution. Loading a malicious pickle = RCE. Defence: use SafeTensors format. Hugging Face migrated; PyTorch 2.6+ defaults to safer mode.
Hugging Face hub trust
Anyone can publish models. Imitating popular models with […]
AI Output Filtering
LLM outputs aren’t safe by default. Production systems filter.
Filter categories
PII redaction — outputs that mention real names, addresses, IDs
Toxicity / harmful content — Perspective API, HuggingFace classifiers
Hallucination detection — fact-checking against authoritative sources
Code injection prevention — SQL, shell commands
Prompt-leakage prevention — output containing system prompt
Architecture pattern
LLM generates […]
Practitioners who've shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.