Cybersecurity, learned like a practitioner.

24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.

Latest modules

Most recent practitioner playbooks across every track. Filter by topic, level, or search in the sidebar.

Active Directory Security · Expert · Free

Kerberos Delegation Abuse — Unconstrained, Constrained, RBCD

Why this module exists. Kerberos delegation is one of the most-misunderstood AD features and one of the most-abused. Three flavours, all dangerous when misconfigured: Unconstrained (legacy, terrifying), Constrained (better, still bad), and Resource-Based Constrained Delegation (the new one, with its own attack class). Every red team checks all three. Why delegation exists Tiered apps need […]

Apr 27, 2026 · 40 min
Active Directory Security · Advanced · Free

DCSync — Domain Replication Abuse

Why this module exists. DCSync is the technique that lets an attacker dump every credential in your domain — without ever touching a domain controller’s filesystem. It’s not an exploit; it’s a feature being abused. Most AD environments have multiple non-DC accounts that can DCSync, and most defenders don’t know who. The mechanic Active Directory […]

Apr 27, 2026 · 30 min
Active Directory Security · Advanced · Free

Pass-the-Hash & Pass-the-Ticket

Why this module exists. Pass-the-Hash was first published in 1997. Microsoft has shipped 28 years of mitigations and the technique still works on most enterprise networks. Understanding why it persists, and what actually stops it, is foundational to defending AD. NTLM in 30 seconds NTLM authentication doesn’t transmit the password. The client transmits the NT […]

Apr 27, 2026 · 35 min
Active Directory Security · Advanced · Free

AS-REP Roasting — The Quiet Cousin of Kerberoasting

Why this module exists. Every AD pentester checks Kerberoasting first. Most check AS-REP Roasting second. The astonishing thing is how often it works in 2026 — accounts with DONT_REQ_PREAUTH set, often “temporarily” by an admin in 2014 and never unset. One vulnerable account is enough to crack a domain user’s password offline. The bug, structurally […]

Apr 27, 2026 · 30 min
Web Application Penetration Testing · Advanced · Free

Server-Side Template Injection (SSTI)

Why this module exists. SSTI almost always becomes RCE. The bug looks innocent — user input ends up in a template — and the impact is full server takeover. Modern frameworks make it harder, but every Indian SaaS that does email templating, custom report rendering, or user-customisable dashboards is exposed. The bug class in one […]

Apr 27, 2026 · 40 min
Web Application Penetration Testing · Intermediate · Free

Session Management — Beyond Cookies

Why this module exists. Every web app makes session decisions in the first month of development that they regret 18 months later. The wrong choice between cookies and tokens, the wrong refresh strategy, the wrong idle timeout — each is technical debt that becomes a breach footnote. This module is the playbook for getting it […]

Apr 27, 2026 · 30 min
Web Application Penetration Testing · Advanced · Free

Web Cache Poisoning & Deception

Why this module exists. James Kettle’s 2018 “Practical Web Cache Poisoning” Black Hat talk made cache poisoning the bug that goes from “weird HTTP behaviour” to “CDN-served XSS to every user in the country.” The bug class hasn’t gone away; if anything it’s gotten worse with the proliferation of CDNs and edge caching. The mental […]

Apr 27, 2026 · 40 min
Web Application Penetration Testing · Intermediate · Free

WebSocket Security

Why this module exists. Real-time chat, live trading dashboards, multiplayer games, collaborative editors — all run on WebSockets. And every web pentester I know has found at least one critical WebSocket bug because developers treat the protocol as “HTTP-but-faster” without realising the security model is fundamentally different. How WebSockets differ from HTTP Single connection, bidirectional […]

Apr 27, 2026 · 30 min
Web Application Penetration Testing · Advanced · Free

OAuth & SSO Authentication Flaws

Why this module exists. OAuth 2.0 and OIDC are the universal authentication layer of the modern web — and the most-misunderstood spec in the industry. The protocol is fine; the implementations are catastrophic. “Sign in with Google”, “Sign in with Apple”, “Sign in with Facebook” — every one of these has had account-takeover bugs in […]

Apr 27, 2026 · 40 min
Web Application Penetration Testing · Intermediate · Free

NoSQL Injection

Why this module exists. Developers who learned about SQL injection often think NoSQL databases are safe by design. They aren’t — they have different injection patterns, often with even fewer guardrails. MongoDB powers half of Indian Node.js startups; nearly every one I’ve audited had at least one NoSQLi exposure. How NoSQL queries differ from SQL […]

Apr 27, 2026 · 30 min
02 / Why learn here

Practitioners who've shipped the controls.

Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.

01

Practitioner-written.

Each lesson is authored by someone who has shipped the control or run the engagement in production.

02

Quiz after every module.

20+ questions with explanations. 70%+ to mark complete. Unlimited retries.

03

Progress tracked.

Completions, scores and streaks saved automatically. Resume exactly where you left off.

04

India-priced.

Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.