Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Latest modules
Most recent practitioner playbooks across every track. Filter by topic, level, or search in the sidebar.
Browser Origin Boundaries
Same-Origin Policy is the bedrock of web security. But “origin” has nuances: scheme matters, port matters, path doesn’t. Subdomains aren’t same-origin (they’re same-site, different concept). CORS is opt-in cross-origin. It carries credentials only with explicit allow. Access-Control-Allow-Origin: * with credentials is invalid. Many implementations get this wrong. postMessage crosses origins by design. Receiver must validate […]
The Cookie Confusion Cascade
Cookies are the most-misunderstood browser feature. Domain attribute, path, SameSite, Secure, HttpOnly, Partitioned — each affects when the browser sends the cookie. Combinations produce surprising behaviour. Examples that catch defenders off guard: cookie set on parent domain visible to subdomain (intentional, abuseable); SameSite=Lax allows top-level navigation cookies (CSRF window); Partitioned cookies behave differently per top-level […]
RAG Security
RAG combines vector search + LLM. Security model is hybrid. Threats specific to RAG Vector store data exposure — anyone with access reads embeddings (and retrieves originals) Indirect prompt injection via retrieved docs — adversary plants malicious doc; RAG retrieves and follows instructions IAM bypass via vector similarity — user query semantically matches private docs […]
AI Agent Security
Agents are LLMs that call tools. Permissions matter exponentially. The threat model An agent compromised via prompt injection in any input source (user query, retrieved doc, tool output) executes attacker’s instructions with the agent’s permissions. Defences Least privilege per agent — only the minimum tools needed for its purpose Read-only by default — write actions […]
AI Model Supply Chain
AI models are software you don’t see. Supply chain matters. Pickle deserialisation PyTorch models default to Python pickle format. Pickle = arbitrary code execution. Loading a malicious pickle = RCE. Defence: use SafeTensors format. Hugging Face migrated; PyTorch 2.6+ defaults to safer mode. Hugging Face hub trust Anyone can publish models. Imitating popular models with […]
AI Output Filtering
LLM outputs aren’t safe by default. Production systems filter. Filter categories PII redaction — outputs that mention real names, addresses, IDs Toxicity / harmful content — Perspective API, HuggingFace classifiers Hallucination detection — fact-checking against authoritative sources Code injection prevention — SQL, shell commands Prompt-leakage prevention — output containing system prompt Architecture pattern LLM generates […]
LLM Jailbreak Defence
Jailbreaks bypass model safety training. New variants constant. Common patterns Roleplay — “Pretend you are DAN (Do Anything Now)” Encoding — base64, ROT13, leetspeak Multi-turn — gradually shift context away from policy Character set tricks — Unicode confusables Adversarial suffixes (GCG) — discovered tokens that flip safety Crescendo — multi-turn gradient toward sensitive content Defences […]
AI Security Evaluations
How do you know if your AI is safe enough? Structured evaluation. Eval categories Adversarial robustness — does it resist attacks? Toxicity — does it produce harmful content? Bias — does it discriminate? Privacy — does it leak training data? Reliability — does it hallucinate? Capability — what can the model do that’s sensitive? Tools […]
AI Governance Frameworks
AI governance is the regulatory frame around technical safety. Major frameworks NIST AI RMF — voluntary US framework; maps risks across lifecycle EU AI Act — risk-tiered (banned, high-risk, limited-risk, minimal); 2024 effective UK pro-innovation — sector-by-sector approach China — algorithm filing, content moderation requirements India — DPDP applies to AI processing PII; specific AI […]
Production AI Deployment Patterns
Production AI is engineering. Choices have security and cost implications. Hosting choices Pattern Privacy Cost Quality OpenAI / Anthropic / Google managed Lowest (data leaves) Pay-per-token; scales Highest Azure OpenAI Moderate (Microsoft tenant; opt-out training) Same as OpenAI Same AWS Bedrock Moderate (your AWS account) Higher Same Self-hosted (Llama, Qwen, Mistral) Highest GPU-rental; ops effort […]
Practitioners who've
shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.