Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
DevSecOps · modules
Security in the SDLC. SAST/DAST/SCA, IaC, CI/CD hardening, and software supply chain.
Module 8 · Pre-Commit Hooks for Security
Why this module. The cheapest security check is the one that runs on the developer’s laptop before code ever reaches CI. Pre-commit hooks catch ~60% of mistakes for ~5% of the operational cost of equivalent CI checks. What runs in pre-commit Linting + format — Ruff, Black, ESLint, Prettier. Reduces diff noise. Type checking — […]
Module 9 · Dependency Management & Renovate
Why this module. 80% of application code is third-party dependencies. Each is a CVE waiting to happen. Manual updates don’t scale; automated bots are non-negotiable in 2026. The two leading bots Dependabot (GitHub) — free, easy, default for GitHub repos. Limited customization. Renovate — open source, very flexible, multi-platform (GitHub, GitLab, Bitbucket). Industry favourite for […]
Module 10 · Threat Modelling for Engineers (STRIDE/LINDDUN)
Why this module. Threat modelling has a reputation as a heavyweight, consultant-driven exercise. It doesn’t have to be. Done right, it’s a 90-minute workshop that produces a list of design-time security improvements worth more than 100 hours of post-deployment patching. STRIDE in 60 seconds Microsoft’s mnemonic for categories of threats: Spoofing — impersonating someone Tampering […]
Module 11 · SLSA Levels & Build Provenance
Why this module. 2020 SolarWinds taught the industry that “we trust our build pipeline” is no longer enough. SLSA (Supply-chain Levels for Software Artifacts) is Google’s framework for hardening builds against supply-chain attacks. By 2026, several Indian regulated entities have begun requiring SLSA L2+ attestations from vendors. The four SLSA levels Level What’s required Roughly […]
Module 12 · Security Champions Programme
Why this module. A security team can’t be in every code review, every architecture meeting, every incident discussion. Security Champions are embedded engineers who carry the security mindset into their teams — multiplying the security team’s reach by 10-50x. Who is a Champion An engineer (not security professional) who: Volunteers (or is selected with consent) […]
Module 13 · Vulnerability Triage at Scale
Why this module. A typical enterprise scan returns 50,000+ CVEs across servers, containers, dependencies. Trying to “fix all critical/high” is mathematically impossible at that scale. Modern triage uses EPSS, KEV, reachability, and asset criticality to focus the 200 fixes that matter. The signals beyond CVSS CVSS — severity in theory. The original signal; loud and […]
Module 14 · Shift-Right Security — Runtime Defence
Why this module. “Shift-left” — find security issues earlier — became dogma. But shift-left has limits: bugs ship anyway, dependencies have CVEs you can’t anticipate, attackers find new exploits. Modern teams add “shift-right” — runtime detection and response — without abandoning shift-left. Where shift-left fails Zero-day exploits — by definition unknowable at build time Configuration […]
Module 15 · DevSecOps Metrics & Maturity
Why this module. Engineering teams measure DORA. Security teams measure CVE backlog. DevSecOps requires a unified metric set — measuring how secure software is delivered, not just secure or how fast. This module is the metrics blueprint. DORA — the engineering baseline Deployment Frequency — how often code reaches production Lead Time for Changes — […]
Module 6 · Container & Image Scanning
Why this module. Every container starts from a base image with hundreds of packages, most of which the application doesn’t use, all of which could have CVEs. Scanning is mandatory; scanning well is the differentiator. Where to scan Build time — fail PRs that introduce new critical CVEs. Trivy / Grype in CI. Registry — […]
Module 7 · Secret Scanning in Code Repos
Why this module. Engineers commit secrets. AWS keys, API tokens, database passwords end up in Git, often in .env.example files that were supposed to have placeholders. Once committed, secrets stay in Git history forever — and within minutes attackers find them via GitHub search. The tool stack git-secrets / detect-secrets / Gitleaks / TruffleHog — […]
Practitioners who've
shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.