Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Latest modules
Most recent practitioner playbooks across every track. Filter by topic, level, or search in the sidebar.
GCP Organisation Hierarchy
GCP’s hierarchy is the foundation of multi-project security. Levels Organisation — top; tied to your Google Workspace / Cloud Identity domain Folders — group projects (by environment, business unit) Projects — workload boundary; resources live here Resources — buckets, instances, etc. IAM inheritance Roles granted at higher levels apply to all child resources. Org-level Owner […]
VPC Service Controls
VPC Service Controls = GCP’s data-exfiltration defence. Define a perimeter; data can’t leave it even with valid credentials. The model Perimeter wraps GCP services + projects Inside perimeter: free communication Outside attempting to access services inside: blocked unless explicit ingress rule Inside attempting to send to outside: blocked unless explicit egress rule Common patterns Lock […]
Quantum-Safe Cryptography Readiness
Quantum computers will break RSA and elliptic curve crypto. NIST published post-quantum standards in 2024. Migration is a multi-year project. The NIST winners ML-KEM (Kyber) — key encapsulation; replaces RSA-KEM and ECDH ML-DSA (Dilithium) — digital signatures; replaces RSA-PSS, ECDSA SLH-DSA (SPHINCS+) — alternative signature; stateless hash-based FN-DSA (Falcon) — compact lattice signatures “Harvest now, […]
Secret Management Platforms
Module 7 (DevSecOps track) covered secret-leak prevention. This is the platform comparison. Comparison Platform Strengths Weaknesses HashiCorp Vault Open source; flexible; rich auth methods; dynamic secrets Operational complexity AWS Secrets Manager AWS-native; rotation built-in; KMS integration AWS-only; per-secret cost Azure Key Vault Azure-native Azure-only GCP Secret Manager GCP-native; simple GCP-only; fewer features Doppler Modern UX; […]
Hashing — Passwords & Integrity
“How do we hash passwords?” is the most-asked question. The answer evolved. 2026 password-hashing recommendations Argon2id — first choice; OWASP recommended bcrypt — second choice; widely supported scrypt — third; less library support PBKDF2 — only when FIPS 140 compliance forced NEVER — MD5, SHA-1, SHA-256/512 alone, plain hashing without salt Argon2id parameters (OWASP 2026) […]
TLS/PKI Incidents — What Happens When Crypto Breaks
Crypto breaks rarely; when it does, it’s catastrophic. Notable incidents DigiNotar 2011 — CA compromised; rogue certs for Google. Browser distrust = company death. Heartbleed 2014 — OpenSSL bug exposed memory to attacker. Remediation involved rotating every cert. POODLE 2014 — SSL 3.0 padding-oracle. End of SSL 3.0. Logjam 2015 — DH key-exchange weakness. End […]
Crypto Compliance Mapping
Auditors ask “is your encryption FIPS 140-2/3 compliant?” Industry answers vary by sector. FIPS 140 levels Level 1 — software-only crypto module; algorithms tested Level 2 — physical tamper-evidence (HSM with seal) Level 3 — physical tamper-resistance (HSM strong enclosure) Level 4 — full environmental protection (HSM with auto-zeroize) Indian sectoral requirements Sector Requirement RBI […]
GRC Metrics for Executives
Operational SOC metrics (Module 13 Blue Team) inform analysts. Executive metrics inform decision-making. Executive metrics Risk trend — total risk score, top-5 risks, treatment status Control coverage — % of controls implemented + tested Audit results — findings count by severity, time-to-remediation Vendor risk — % of tier-1 vendors with current SOC 2/ISO Incident metrics […]
Reporting Security to the Board
Board members aren’t security experts. They are fiduciaries who need to discharge oversight responsibility. What boards want to know What’s our risk posture? How does it compare to peers? What’s our biggest exposure? Are we investing the right amount? What incidents have happened? What’s coming up regulatorily? The 15-minute briefing Heat-map of top risks (1 […]
Regulatory Tracking Process
Indian + international regulations evolve constantly. Missing a notification = compliance failure. Establish process for tracking. Sources to monitor MeitY — DPDP, IT Act amendments RBI — for financial services SEBI — for capital markets IRDAI — for insurance CERT-In — directions, advisories NCIIPC — for critical infrastructure TRAI / DoT — telecom International — […]
Practitioners who've
shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.