Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Web Application Penetration Testing · modules
From HTTP fundamentals to business-logic exploitation. The complete path.
Module 24 · WebSocket Security
Why this module exists. Real-time chat, live trading dashboards, multiplayer games, collaborative editors — all run on WebSockets. And every web pentester I know has found at least one critical WebSocket bug because developers treat the protocol as “HTTP-but-faster” without realising the security model is fundamentally different. How WebSockets differ from HTTP Single connection, bidirectional […]
Module 21 · NoSQL Injection
Why this module exists. Developers who learned about SQL injection often think NoSQL databases are safe by design. They aren’t — they have different injection patterns, often with even fewer guardrails. MongoDB powers half of Indian Node.js startups; nearly every one I’ve audited had at least one NoSQLi exposure. How NoSQL queries differ from SQL […]
Module 27 · Session Management — Beyond Cookies
Why this module exists. Every web app makes session decisions in the first month of development that they regret 18 months later. The wrong choice between cookies and tokens, the wrong refresh strategy, the wrong idle timeout — each is technical debt that becomes a breach footnote. This module is the playbook for getting it […]
Module 3 · GraphQL Security
Introspection, depth/complexity attacks, aliasing brute force, mutation safety, persisted queries, subscriptions.
Module 12 · File Upload Vulnerabilities
File upload features are everywhere — profile pictures, document uploads, attachments, imports. They’re also one of the most frequently exploited vulnerability classes, capable of escalating from “user” to “RCE” in one click. This module covers the attack patterns and the layered defences. The attack surface Attacker uploads a file (malicious) Server saves file to disk Server […]
Module 11 · Cross-Site Request Forgery Deep Dive
Cross-Site Request Forgery (CSRF) tricks a user’s browser into submitting authenticated actions to a trusted site. CSRF was once ubiquitous; modern browsers and frameworks have made the baseline defence far stronger. But CSRF still appears — especially in legacy APIs and apps that mishandle authentication state. The core attack User is logged into bank.com (browser holds session […]
Module 6 · IDOR & Authorization Bypass
Horizontal and vertical IDOR, mass assignment, multi-tenant boundary violations, GraphQL authorization. The highest-yield SaaS bug class. Pro module.
Module 5 · Cross-Site Scripting (XSS) in 2026
Reflected, stored, and DOM-based XSS in 2026. Filter bypasses, CSP deep-dive, and the real impact beyond alert(1). Pro module.
Module 4 · SQL Injection in 2026
How SQLi works at the query level, UNION-based extraction, blind SQLi (boolean and time), out-of-band exfiltration, NoSQL injection, sqlmap practice.
Practitioners who've shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.