Cybersecurity, learned like a practitioner .

API Logging & Anomaly Detection

Why this module. APIs generate massive log volume; most teams collect it and never query it. Anomaly detection at the API layer catches account takeover, scraping, and business-logic abuse that WAFs miss. What to log per API call Timestamp, request ID Authenticated user / API key Source IP, ASN, country Method + path + query […]

WebAuthn & Passkeys for APIs

Why this module. Phishing-resistant auth is the only auth that holds up against modern proxy-phishing attacks (EvilGinx and similar). WebAuthn / Passkeys are the standard. Apple, Google, Microsoft all default-support; Indian banks are following. Why TOTP isn’t enough anymore EvilGinx-style proxy phishing intercepts the TOTP at login time. User enters TOTP on phishing page → […]

API Mocking & Contract Testing

Why this module. APIs evolve; consumers break. Contract testing catches it before production. From a security view, contract testing also catches “we accidentally exposed an internal field” and “auth was removed from this endpoint.” Two patterns Schema-first — OpenAPI spec is the contract. Validate every request/response. Consumer-driven (Pact) — consumers declare expectations; provider validates them. […]

SDKs as Attack Surface

Why this module. If you publish an SDK (Python, JS, mobile native), attackers analyse it to learn about your API’s structure, undocumented endpoints, and assumptions. Plus: SDK becomes part of customer’s supply chain — your bugs become their problems. The SDK threat model Attacker reverse-engineers SDK to learn API structure Attacker finds hardcoded endpoints, debug […]

API Discovery & Inventory

Why this module. Most enterprises have 30-60% more APIs than their security team knows about. Shadow APIs (unauthorised), zombie APIs (deprecated but still listening), partner APIs nobody documented. Each is an attacker’s entry point. The four classes of unknown APIs Shadow API — not on your inventory, exposed anyway. Often a developer’s “quick fix” that […]

DevSecOps Beginner Free

Pre-Commit Hooks for Security

Why this module. The cheapest security check is the one that runs on the developer’s laptop before code ever reaches CI. Pre-commit hooks catch ~60% of mistakes for ~5% of the operational cost of equivalent CI checks. What runs in pre-commit Linting + format — Ruff, Black, ESLint, Prettier. Reduces diff noise. Type checking — […]

DevSecOps Intermediate Free

Dependency Management & Renovate

Why this module. 80% of application code is third-party dependencies. Each is a CVE waiting to happen. Manual updates don’t scale; automated bots are non-negotiable in 2026. The two leading bots Dependabot (GitHub) — free, easy, default for GitHub repos. Limited customization. Renovate — open source, very flexible, multi-platform (GitHub, GitLab, Bitbucket). Industry favourite for […]

DevSecOps Intermediate Free

Threat Modelling for Engineers (STRIDE/LINDDUN)

Why this module. Threat modelling has a reputation as a heavyweight, consultant-driven exercise. It doesn’t have to be. Done right, it’s a 90-minute workshop that produces a list of design-time security improvements worth more than 100 hours of post-deployment patching. STRIDE in 60 seconds Microsoft’s mnemonic for categories of threats: Spoofing — impersonating someone Tampering […]

Apr 27, 2026 30 min Open

DevSecOps Advanced Free

SLSA Levels & Build Provenance

Why this module. 2020 SolarWinds taught the industry that “we trust our build pipeline” is no longer enough. SLSA (Supply-chain Levels for Software Artifacts) is Google’s framework for hardening builds against supply-chain attacks. By 2026, several Indian regulated entities have begun requiring SLSA L2+ attestations from vendors. The four SLSA levels Level What’s required Roughly […]