Cybersecurity, learned like a practitioner.

24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.

GRC, ISO 27001 & SOC 2 · modules

Governance, risk, compliance. ISO 27001, SOC 2, vendor risk, internal audits.

15 results · Page 1/2
GRC, ISO 27001 & SOC 2 · Intermediate · Free

Module 13 · GRC Metrics for Executives

Operational SOC metrics (Module 13 Blue Team) inform analysts. Executive metrics inform decision-making. Executive metrics: Risk trend — total risk score, top-5 risks, treatment status; Control coverage — % of controls implemented + tested; Audit results — findings count by severity, time-to-remediation; Vendor risk — % of tier-1 vendors with current SOC 2/ISO; Incident metrics […]

Apr 27, 2026 · 15 min

GRC, ISO 27001 & SOC 2 · Intermediate · Free

Module 14 · Reporting Security to the Board

Board members aren’t security experts. They are fiduciaries who need to discharge oversight responsibility. What boards want to know: What’s our risk posture? How does it compare to peers? What’s our biggest exposure? Are we investing the right amount? What incidents have happened? What’s coming up regulatorily? The 15-minute briefing: Heat-map of top risks (1 […]

Apr 27, 2026 · 15 min

GRC, ISO 27001 & SOC 2 · Intermediate · Free

Module 15 · Regulatory Tracking Process

Indian + international regulations evolve constantly. Missing a notification = compliance failure. Establish a process for tracking. Sources to monitor: MeitY — DPDP, IT Act amendments; RBI — for financial services; SEBI — for capital markets; IRDAI — for insurance; CERT-In — directions, advisories; NCIIPC — for critical infrastructure; TRAI / DoT — telecom; International — […]

Apr 27, 2026 · 15 min

GRC, ISO 27001 & SOC 2 · Intermediate · Free

Module 6 · ISO 27001:2022 Implementation

ISO 27001:2022 is the global infosec standard. Indian SaaS that sells to enterprise customers needs it. The ISMS lifecycle: Define scope (which systems, departments, locations); Risk assessment (assets, threats, vulnerabilities, risk treatment); Statement of Applicability (SoA) — which Annex A controls apply; Implement controls; Internal audit; Management review; External audit (Stage 1 + Stage 2) […]

Apr 27, 2026 · 25 min

GRC, ISO 27001 & SOC 2 · Intermediate · Free

Module 7 · SOC 2 Type II — Indian SaaS Reality

SOC 2 isn’t a certification — it’s an attestation. A CPA opines on your controls. Indian SaaS selling to US customers will have it requested. Trust Services Criteria (TSC): Security — required; Availability — for SLA-bound services; Confidentiality — when handling sensitive customer data; Processing Integrity — for transaction processors; Privacy — when handling PII. Most […]

Apr 27, 2026 · 20 min

GRC, ISO 27001 & SOC 2 · Intermediate · Free

Module 8 · Policy Architecture

Most security policies are written, ignored, and retrieved only for audits. The structure that actually drives behaviour has three layers: Policy — what we believe (high level, stable, board-approved); Standard — how we comply (specific, technical, refreshed annually); Procedure — step-by-step (operational, refreshed as systems change). Hierarchy example: Information Security Policy (the umbrella) ↳ Access Control Standard […]

Apr 27, 2026 · 15 min

GRC, ISO 27001 & SOC 2 · Intermediate · Free

Module 9 · Enterprise Risk Register

Risk register = single source of truth for organisational security risks. Too often a spreadsheet that nobody reads. Done right, drives quarterly executive conversation. Risk record fields: Risk description; Likelihood (1-5); Impact (1-5); Inherent score; Existing controls; Residual likelihood + impact; Residual score; Owner; Treatment (accept / mitigate / transfer / avoid); Action items + […]

Apr 27, 2026 · 15 min

GRC, ISO 27001 & SOC 2 · Intermediate · Free

Module 10 · Vendor Risk Management Programme

Module 7 (DPDP track) covered DPA-specific. This is the broader vendor-risk programme. Programme components: Vendor classification (tier 1/2/3 by data sensitivity, criticality); Onboarding due diligence (questionnaire, contracts, SOC 2/ISO collection); Continuous monitoring; Periodic reassessment (annual for tier 1; biannual for tier 2); Offboarding (data return / deletion). The classification matrix (Tier / Criteria / Treatment): 1 Handles […]

Apr 27, 2026 · 20 min

GRC, ISO 27001 & SOC 2 · Beginner · Free

Module 12 · Security Awareness Training

Annual click-through training is theatre. Modern awareness is continuous, simulated, measured. The programme: Onboarding — security 101 within first week; Quarterly refresh — short, role-specific; Phishing simulation — monthly; Just-in-time — real incident → relevant training; Specialised tracks — engineers, finance, executives have role-specific content. Tools: KnowBe4 — most-used, large content library; Cofense — phishing-focused […]

Apr 27, 2026 · 15 min

GRC, ISO 27001 & SOC 2 · Beginner · Members

Security Policy Architecture — A Working Hierarchy

The four-tier policy hierarchy (charter, policies, standards, procedures), the minimum 17-policy set for Indian mid-market organisations, how to write policies people actually follow, exception management, and the realistic review cadence.

Apr 25, 2026 · 60 min

02 / Why learn here

Practitioners who've shipped the controls.

Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.

01 · Practitioner-written.

Each lesson is authored by someone who has shipped the control or run the engagement in production.

02 · Quiz after every module.

20+ questions with explanations. 70%+ to mark complete. Unlimited retries.

03 · Progress tracked.

Completions, scores and streaks saved automatically. Resume exactly where you left off.

04 · India-priced.

Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.