Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
API Security Deep Dive · modules
OWASP API Top 10, JWT/OAuth, GraphQL, rate limiting, gateways and zero-trust at scale.
Module 14 · API DDoS & Bot Mitigation
Why this module. APIs are bot magnets: credential stuffing against /login, scraping of /products, account-creation abuse, comment spam. Volumetric DDoS is absorbed at the edge (CDN or scrubbing provider); L7 abuse is a per-API battle. Bot patterns by endpoint:
/login — credential stuffing, brute force
/signup — fake account creation for fraud / spam
/api/search — scraping / […]
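As an added example (not the course's code), a per-endpoint token-bucket limiter in Python. The /login bucket is keyed by both source IP and target username, so a single IP spraying many accounts and a botnet hammering one account are both throttled, while the same IP's catalogue traffic is untouched. Endpoint names, limits and the traffic in simulate() are constructed for illustration:

```python
from dataclasses import dataclass

# Per-endpoint limits as (burst capacity, sustained tokens per second).
# Numbers are illustrative for this example, not the module's recommendations.
LIMITS = {
    "/login": (5, 5 / 60),        # 5 attempts, then 5 per minute
    "/signup": (3, 3 / 3600),     # 3 sign-ups per hour per source
    "/api/search": (60, 1.0),     # 60 burst, 1 request/s sustained
}
DEFAULT_LIMIT = (100, 10.0)       # everything else


@dataclass
class Bucket:
    tokens: float
    updated: float


class EndpointRateLimiter:
    """Token bucket per (endpoint, key). The caller passes the clock in seconds so
    the behaviour is deterministic; in production use time.monotonic()."""

    def __init__(self):
        self.buckets = {}

    def _bucket(self, endpoint, key, now):
        cap, rate = LIMITS.get(endpoint, DEFAULT_LIMIT)
        b = self.buckets.get((endpoint, key))
        if b is None:
            b = self.buckets[(endpoint, key)] = Bucket(float(cap), now)
        b.tokens = min(float(cap), b.tokens + (now - b.updated) * rate)
        b.updated = now
        return b

    def allow(self, endpoint, keys, now):
        """Allow only if every key has a token, and consume from all of them together.
        Keying /login by source IP *and* target username catches both one IP spraying
        many accounts and many IPs (a botnet) hammering one account."""
        buckets = [self._bucket(endpoint, k, now) for k in keys]
        if all(b.tokens >= 1.0 for b in buckets):
            for b in buckets:
                b.tokens -= 1.0
            return True
        return False


def simulate():
    """Constructed traffic: credential stuffing from one IP, a distributed spray
    against one account, and the same IP browsing the catalogue. Returns counts."""
    rl = EndpointRateLimiter()
    out = {"stuffing_allowed": 0, "stuffing_denied": 0, "catalogue_allowed": 0,
           "spray_allowed": 0, "stuffing_after_refill": 0}
    ip = "203.0.113.7"
    for i in range(20):                                  # 20 attempts in one second
        t = i * 0.05
        if rl.allow("/login", [f"ip:{ip}", f"user:victim{i}@example.com"], t):
            out["stuffing_allowed"] += 1
        else:
            out["stuffing_denied"] += 1
        if rl.allow("/products", [f"ip:{ip}"], t):       # unrelated endpoint, separate bucket
            out["catalogue_allowed"] += 1
    for i in range(10):                                  # 10 IPs, one account, one second
        if rl.allow("/login", [f"ip:198.51.100.{i}", "user:ceo@example.com"], 5 + i * 0.1):
            out["spray_allowed"] += 1
    for i in range(20):                                  # a minute later the bucket has refilled
        if rl.allow("/login", [f"ip:{ip}", f"user:victim{i}@example.com"], 61 + i * 0.05):
            out["stuffing_after_refill"] += 1
    return out
```

Denied attempts consume nothing, so a spray against one account does not also burn the attacker's per-IP budget and vice versa; each dimension is limited independently. Behind a load balancer the bucket store has to be shared (Redis or the gateway's own counters), otherwise each replica hands out a full budget.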
Module 6 · API Discovery & Inventory
Why this module. By common estimate, enterprises run 30-60% more APIs than their security team knows about: shadow APIs (never sanctioned), zombie APIs (deprecated but still listening), partner APIs nobody documented. Each is an attacker's entry point. The four classes of unknown APIs:
Shadow API — not on your inventory, exposed anyway. Often a developer's "quick fix" that […]
Module 7 · API Versioning & Deprecation Security
Why this module. Old API versions are where security debt accumulates: v1 was insecure by 2019 standards and is still serving 5% of traffic in 2026 because retiring it requires customer coordination. Most teams underestimate the security cost of supporting old versions. Versioning patterns:
URL versioning — /v1/users vs /v2/users. Visible, easy to route. Most common. […]
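One check that serves both Module 6 (discovery) and Module 7 (versioning), as an added example rather than course material: reconcile gateway access logs against the path templates your OpenAPI specs declare, and report shadow paths (traffic to nothing you documented), zombie paths (traffic to operations marked deprecated) and the share of traffic per URL version. The spec, the log lines and the method-collapsed inventory are constructed for this example:

```python
import re
from collections import Counter

# Constructed inventory: path templates from the OpenAPI specs you know about, with
# each operation's deprecated flag (methods collapsed to paths for brevity).
SPEC = {
    "/v1/users/{id}": {"deprecated": True},    # retired on paper; see the log
    "/v2/users/{id}": {"deprecated": False},
    "/v2/orders":     {"deprecated": False},
}

# Constructed gateway access log: "METHOD PATH STATUS", one request per line.
ACCESS_LOG = """\
GET /v2/users/42 200
GET /v2/users/43 200
GET /v1/users/42 200
POST /v2/orders 201
GET /internal/debug/config 200
GET /v2/users/44 200
GET /api/export/all 200
GET /v2/orders 200
GET /v1/users/7 200
POST /v2/orders 201
"""


def template_to_regex(template):
    """'/v1/users/{id}' -> ^/v1/users/[^/]+$ (literal parts escaped)."""
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "$")


def reconcile(spec, access_log):
    """Match observed paths against the inventory and report:
    shadow        - traffic to paths no spec declares
    zombie        - traffic to paths the spec marks deprecated
    version_share - fraction of all requests per URL version prefix"""
    matchers = {t: template_to_regex(t) for t in spec}
    hits, shadow = Counter(), Counter()
    for line in access_log.splitlines():
        if not line.strip():
            continue
        _method, path, _status = line.split()
        for template, rx in matchers.items():
            if rx.match(path):
                hits[template] += 1
                break
        else:
            shadow[path] += 1
    total = sum(hits.values()) + sum(shadow.values())
    by_version = Counter()
    for template, n in hits.items():
        m = re.match(r"^/(v\d+)/", template)
        by_version[m.group(1) if m else "unversioned"] += n
    return {
        "shadow": dict(shadow),
        "zombie": {t: n for t, n in hits.items() if spec[t]["deprecated"]},
        "version_share": {v: round(n / total, 2) for v, n in by_version.items()},
    }
```

Run this over a day of gateway logs and the shadow list is your discovery backlog, the zombie list is the deprecation backlog with real traffic numbers attached, and the version share is the argument you take to customers when retiring v1. Real specs are keyed by method as well as path; matching on path alone, as here, errs on the side of fewer false shadows.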
Module 9 · API Logging & Anomaly Detection
Why this module. APIs generate massive log volume; most teams collect it and never query it. Anomaly detection at the API layer catches account takeover, scraping and business-logic abuse that WAFs miss, because each request in those attacks is individually well-formed. What to log per API call:
Timestamp, request ID
Authenticated user / API key
Source IP, ASN, country
Method + path + query […]
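As an added example (not from the course), two detections run over JSON-lines logs that carry exactly the fields listed above: credential stuffing (one IP, many distinct usernames, mostly 401s, plus the accounts that succeeded and need locking) and enumeration scraping (one principal walking consecutive resource IDs). The log records, thresholds and field names are constructed for this example:

```python
import json
import re
from collections import defaultdict


def constructed_logs():
    """Constructed JSON-lines API log with the fields the module lists per call.
    Not real traffic."""
    recs, ts = [], 1_700_000_000
    # One IP working through 30 usernames at /login; 29 fail, one succeeds.
    for i in range(30):
        recs.append({"ts": ts + i, "rid": f"r{i:04d}", "user": f"user{i}@example.com",
                     "ip": "198.51.100.9", "asn": 64500, "cc": "XX", "method": "POST",
                     "path": "/login", "status": 200 if i == 17 else 401})
    # One API key walking /products/1001 .. /products/1060 in order.
    for i in range(60):
        recs.append({"ts": ts + 100 + i, "rid": f"s{i:04d}", "user": "key_7f3a",
                     "ip": "203.0.113.20", "asn": 64501, "cc": "IN", "method": "GET",
                     "path": f"/products/{1001 + i}", "status": 200})
    # Ordinary traffic: a mistyped password, a login, a few product views.
    for j, (path, status) in enumerate([("/login", 401), ("/login", 200), ("/products/42", 200),
                                        ("/products/7", 200), ("/cart", 200)]):
        recs.append({"ts": ts + 200 + j, "rid": f"n{j:04d}", "user": "alice@example.com",
                     "ip": "192.0.2.77", "asn": 64502, "cc": "IN",
                     "method": "POST" if path == "/login" else "GET", "path": path, "status": status})
    return "\n".join(json.dumps(r) for r in recs)


def detect(log_text, min_users=10, min_fail_rate=0.8, min_walk=50):
    """Two detections WAFs miss because each request is individually well-formed."""
    login = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "hits": set()})
    walks = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        if r["method"] == "POST" and r["path"] == "/login":
            s = login[r["ip"]]
            s["users"].add(r["user"])
            s["total"] += 1
            if r["status"] == 401:
                s["fail"] += 1
            elif r["status"] == 200:
                s["hits"].add(r["user"])          # credential pairs that worked
        m = re.fullmatch(r"/products/(\d+)", r["path"])
        if m:
            walks[r["user"]].append(int(m.group(1)))
    findings = []
    for ip, s in login.items():
        if len(s["users"]) >= min_users and s["fail"] / s["total"] >= min_fail_rate:
            findings.append({"type": "credential_stuffing", "ip": ip,
                             "distinct_users": len(s["users"]),
                             "fail_rate": round(s["fail"] / s["total"], 2),
                             "accounts_to_lock": sorted(s["hits"])})
    for principal, ids in walks.items():
        steps = [b - a for a, b in zip(ids, ids[1:])]
        if len(ids) >= min_walk and steps and sum(1 for d in steps if d == 1) / len(steps) >= 0.9:
            findings.append({"type": "enumeration_scraping", "principal": principal,
                             "requests": len(ids), "id_range": (ids[0], ids[-1])})
    return findings
```

The useful output of the stuffing rule is not the alert but accounts_to_lock: the 200s buried among the 401s are the accounts the attacker now holds. In production the same aggregations run as windowed queries in the log platform; the thresholds here are starting points to tune against your own baseline.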
Module 10 · WebAuthn & Passkeys for APIs
Why this module. Phishing-resistant auth is the only auth that holds up against modern proxy-phishing attacks (EvilGinx and similar). WebAuthn / passkeys are the standard; Apple, Google and Microsoft all support them by default, and Indian banks are following. Why TOTP isn't enough anymore: an EvilGinx-style proxy sits between the user and the real site and relays the TOTP at login time. User enters TOTP on phishing page → […]
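As an added example (not course material), the relying-party checks that make a WebAuthn assertion useless to a proxy. The browser, not the page's JavaScript, writes the origin into clientDataJSON and the authenticator hashes the RP ID into authenticatorData, so a proxy that relays the real challenge, exactly as it would relay a TOTP, still hands the RP an assertion stamped with the phishing origin. The RP ID, origins and browser_response() stand-in are assumptions for this example; signature verification with the registered public key follows these checks and needs a crypto library, so it is not shown:

```python
import base64
import hashlib
import json
import secrets
import struct

RP_ID = "bank.example"                       # assumed relying-party ID for this example
ALLOWED_ORIGINS = {"https://bank.example"}   # origins this RP accepts assertions from


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion(expected_challenge: bytes, client_data_json: bytes, auth_data: bytes):
    """RP checks that bind an assertion to one origin and one session. The signature
    over auth_data || sha256(client_data_json) is verified after these pass (not shown);
    an assertion that fails here is rejected before the signature is even looked at."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: replay or wrong session"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed: proxy phishing?"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another RP"
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "ok"


def browser_response(origin: str, rp_id: str, challenge: bytes):
    """Stand-in for what navigator.credentials.get() returns, minus the signature.
    flags 0x05 = UP | UV, signature counter = 1."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)
    return client_data, auth_data


def demo():
    challenge = secrets.token_bytes(32)          # issued by the RP for this login session
    legit = verify_assertion(challenge, *browser_response("https://bank.example", RP_ID, challenge))
    # Proxy phishing: bank-login.example relays the RP's real challenge to the victim.
    # The victim's browser still stamps the phishing origin, and it will only let the
    # page use an RP ID that matches its own domain, so the rpIdHash is wrong too.
    phished = verify_assertion(challenge, *browser_response("https://bank-login.example",
                                                            "bank-login.example", challenge))
    # A captured assertion replayed against a fresh session fails on the challenge.
    replayed = verify_assertion(secrets.token_bytes(32),
                                *browser_response("https://bank.example", RP_ID, challenge))
    return {"legit": legit, "phished": phished, "replayed": replayed}
```

Contrast with TOTP: the six digits carry no information about where they were typed, so the proxy forwards them and the real site accepts. The origin and rpIdHash checks are what a TOTP verifier cannot do.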
Module 11 · API Mocking & Contract Testing
Why this module. APIs evolve; consumers break. Contract testing catches it before production. From a security view, contract testing also catches "we accidentally exposed an internal field" and "auth was removed from this endpoint." Two patterns:
Schema-first — the OpenAPI spec is the contract. Validate every request/response against it.
Consumer-driven (Pact) — consumers declare expectations; the provider validates them. […]
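A schema-first contract test that catches exactly those two regressions, added here as an example and not taken from the course or any library: the contract declares bearer auth and a closed response object (additionalProperties: false), and the test drives a provider function the way a harness would drive a staging deployment. The endpoint, user record, provider functions and the minimal schema validator are constructed for this example:

```python
# Contract for one endpoint in OpenAPI terms (constructed): bearer auth required,
# response object closed so any field not listed is a violation.
CONTRACT = {
    "path": "/users/{id}",
    "security": ["bearerAuth"],
    "response": {
        "type": "object",
        "required": ["id", "email"],
        "additionalProperties": False,
        "properties": {
            "id": {"type": "integer"},
            "email": {"type": "string"},
            "display_name": {"type": "string"},
        },
    },
}

PY_TYPES = {"integer": int, "string": str, "boolean": bool, "object": dict}


def validate(schema, value, where="$"):
    """Minimal JSON-schema subset: type, required, properties, additionalProperties.
    Returns a list of violation strings; [] means the value conforms."""
    t = schema.get("type")
    if t and (not isinstance(value, PY_TYPES[t]) or (t == "integer" and isinstance(value, bool))):
        return [f"{where}: expected {t}, got {type(value).__name__}"]
    errs = []
    if t == "object":
        props = schema.get("properties", {})
        for k in schema.get("required", []):
            if k not in value:
                errs.append(f"{where}.{k}: required field missing")
        for k, v in value.items():
            if k in props:
                errs.extend(validate(props[k], v, f"{where}.{k}"))
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{where}.{k}: undeclared field exposed")
    return errs


# Constructed user store; password_hash and is_admin are internal and must never be serialised.
USERS = {7: {"id": 7, "email": "alice@example.com", "display_name": "Alice",
             "password_hash": "argon2id:fake-value-for-example", "is_admin": False}}
PUBLIC_FIELDS = ("id", "email", "display_name")


def provider_ok(method, path, headers):
    """Correct provider: enforces bearer auth and serialises an explicit allow-list."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {"error": "unauthenticated"}
    user = USERS.get(int(path.rsplit("/", 1)[1]))
    if user is None:
        return 404, {"error": "not found"}
    return 200, {k: user[k] for k in PUBLIC_FIELDS}


def provider_regressed(method, path, headers):
    """Regressed provider: the auth check was dropped in a refactor and the whole
    record is serialised, the two failures the module describes."""
    user = USERS.get(int(path.rsplit("/", 1)[1]))
    if user is None:
        return 404, {"error": "not found"}
    return 200, dict(user)


def run_contract_tests(provider):
    """Schema-first contract tests against a provider callable. Returns violations."""
    violations = []
    path = CONTRACT["path"].replace("{id}", "7")
    if CONTRACT["security"]:
        status, _ = provider("GET", path, {})
        if status != 401:
            violations.append(f"GET {path} without credentials returned {status}, expected 401")
    status, body = provider("GET", path, {"Authorization": "Bearer test-token"})
    if status != 200:
        violations.append(f"GET {path} with credentials returned {status}, expected 200")
    else:
        violations.extend(validate(CONTRACT["response"], body))
    return violations
```

The closed object is the part teams skip: with additionalProperties left at its default of true, the leaked password_hash would pass validation. In a real pipeline the provider callable is replaced by an HTTP client against the deployed service and the schema is loaded from the OpenAPI file, so the contract and the code cannot drift apart silently.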
Module 12 · SDKs as Attack Surface
Why this module. If you publish an SDK (Python, JS, mobile native), attackers analyse it to learn your API's structure, undocumented endpoints and assumptions. The SDK also becomes part of the customer's supply chain: your bugs become their problems. The SDK threat model:
Attacker reverse-engineers the SDK to learn API structure
Attacker finds hardcoded endpoints, debug […]
Module 2 · API Authentication & Authorization Patterns
JWT pitfalls, OAuth flows for APIs, session management, mTLS, RBAC vs ABAC vs ReBAC, authz testing at scale.
Practitioners who've shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.