Cybersecurity course
From foundations to practice
A clear route from zero to confident. No hidden prerequisites. Every module stays tied to a real decision so you can explain security, not just repeat it.
- Focus: Real systems and real habits, not theory alone.
- Tools: In-browser labs you can reuse with a team.
- CPD: Assessments and certificates are included with free access.
What you will learn
Overview
This course has three core levels plus a summary and games page. Move through them at your own pace and revisit the labs whenever you need a reset.
Time estimate
Move steadily. Depth comes from applying controls to real scenarios, not from rushing through concepts.
Security operations learning loop
Map every activity to a clear security function
This mirrors the NIST Cybersecurity Framework lifecycle in practical language.
🛡️Core path
Cybersecurity Foundations
Friendly on-ramp for data, networks, passwords, phishing and everyday defences using in-browser labs.
Applied Cybersecurity
Think like attackers and defenders with threat modelling, web auth flows, common vulns, logs, and risk trade-offs.
Cybersecurity Practice and Strategy
Join up governance, secure design, DevSecOps, CVEs, incident response and business-focused risk thinking.
Summary and games
Recap key ideas, test yourself with scenarios, and keep your CPD evidence clean.
Getting started
How to use this course
How to work through cybersecurity
Treat each module as rehearsal for a real incident or design decision.
1. Start with foundations before applied topics. Build shared language first so later threat and control choices are evidence based.
2. Use labs when a concept feels uncertain. The aim is practical judgement, not memorisation of terms.
3. Keep concise CPD evidence after each session. Write what risk you noticed, what control you chose, and why.
4. Revisit capstones with a new scenario. Repeating with a different context is where depth and confidence grow.
Hands-on
Quick practice
Optional tool
Security habit drill
Pick one habit to reinforce this week.
Open this when you are ready. It reinforces learning rather than replaces it.
Read the explanation above, then try the tool, then compare your output with the example. If you are new, it is fine to skip and return later.
For auditors and CPD
Reference and standards
These panels are for CPD defensibility, standards alignment, and audit evidence. Most learners can skip these entirely and return when they need formal documentation.
CPD timing
Time estimate (transparent)
I publish time estimates because CPD needs to be defensible. The goal is honesty, not marketing.
Guided learning
56h
Core levels, structured learning
Practice and consolidation
3h
Summary, drills, revisits
Notional range
36 to 84 hours
Quick: core concepts + one exercise per module. Standard: exercises + reflections for CPD evidence. Deep: extra drills and portfolio artefacts.
How I estimate time
I use a notional learning hours approach and I keep the assumptions visible. Where modules are content heavy, I add practice so the hours are earned, not claimed.
- Reading: 225 words per minute, multiplied by 1.3 for note taking and checking understanding.
- Labs and practice: about 15 minutes per guided activity, including at least one retry.
- Reflection for CPD: about 8 minutes per module for a short defensible note and evidence link.
- Assessments: about 1.4 minutes per question for reading, thinking, and review.
If you study faster or slower, your hours will differ. What matters is that the method is consistent and the activities are real.
Assessment and practice assessment
Cybersecurity assessment blueprint
Assessments are designed for CPD evidence and skill building. They are not endorsed by certification bodies. Where exams exist, I make the marking and expectations explicit.
Foundations
Mixed: Terminology, safe habits, and correct reasoning about basic security decisions.
Applied
Scenario: Scenario based judgement, common failure modes, and trade-offs between controls.
Practice and Strategy
Mixed: Governance, risk communication, and defensible decisions with evidence.
Design rules
- Every question must map to at least one learning outcome and one standards anchor (for example NIST CSF 2.0 or ISO 27001 controls).
- Wrong answers must represent a real misconception, not a silly trick.
- Feedback should explain what changed if you swap one assumption, not only state the correct option.
Coverage matrix
Module-level coverage
This matrix makes the course defensible: each module is tied to an outcome focus, the anchor standards, and the evidence you can produce.
| Level | Module | Outcome focus | Domains | Alignment | Assessment | Evidence |
|---|---|---|---|---|---|---|
| Foundations | Security Is foundations-f0-what-security-is Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Explain security as risk management (not fear), and define what you are protecting. | basics | NIST CSF 2.0: Govern | Practice + timed | Template + rubric |
| Foundations | And Outcomes foundations-f1-risk-and-outcomes Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Describe risk using likelihood and impact, and connect controls to outcomes. | basics, governance | NIST CSF 2.0: Govern · NIST CSF 2.0: Identify | Practice + timed | Template + rubric |
| Foundations | And Integrity foundations-f2-data-and-integrity Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Reason about data handling, integrity, and common tampering/validation failure modes. | basics, web | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | And Transport foundations-f3-networks-and-transport Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Explain how network assumptions affect security decisions (transport, exposure, trust boundaries). | network | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | And Simple Attacks foundations-f4-cia-and-simple-attacks Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Apply CIA triad to real decisions and spot basic attack patterns and misconceptions. | basics | NIST CSF 2.0: Identify · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | And Access foundations-f5-identity-and-access Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Make defensible identity and access decisions (MFA, least privilege, authn vs authz). | identity | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | Factors And Phishing foundations-f6-human-factors-and-phishing Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Reduce human-factor risk with practical habits and anti-phishing controls. | phishing | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | And Everyday Data Protection foundations-f7-privacy-and-everyday-data-protection Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Protect personal data with clear handling rules and realistic privacy trade-offs. | privacy | NIST CSF 2.0: Govern · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | Capstone foundations-f8-foundations-capstone Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Produce a simple, sustainable personal security baseline and evidence that you applied it. | basics, governance | NIST CSF 2.0: Govern · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | Modelling As Design applied-a1-threat-modelling-as-design Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Use threat modelling to improve design decisions and prioritise realistic mitigations. | threat-models | NIST CSF 2.0: Identify · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | And Access Control applied-a2-identity-and-access-control Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Apply authorisation patterns and access controls to real systems and failure modes. | identity, web | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | App Security applied-a3-web-app-security Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Recognise and prevent common web app failures (IDOR, injection classes, session risks). | web | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | And Service Security applied-a4-api-and-service-security Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Secure services and APIs with correct boundaries, authz, and verification discipline. | web, identity | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | And Release Gates applied-a5-verification-and-release-gates Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Build verification and release gates that catch failures before production. | governance | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | And Detection Basics applied-a6-logging-and-detection-basics Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Design logging that creates detection signal without leaking secrets, and know what good looks like. | detection | NIST CSF 2.0: Detect | Practice + timed | Template + rubric |
| Applied | Capstone applied-a7-applied-capstone Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Produce a feature security review pack: risks, controls, verification, and evidence choices. | threat-models, governance | NIST CSF 2.0: Govern · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice & Strategy | Sdlc practice-p1-secure-sdlc Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Run security as part of delivery: roles, SDLC, and evidence-based quality gates. | governance | NIST CSF 2.0: Govern · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice & Strategy | Reduction Zero Trust practice-p2-exposure-reduction-zero-trust Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Reduce exposure using segmentation, least privilege, and zero-trust-style thinking. | network, identity | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice & Strategy | And Cloud Security practice-p3-runtime-and-cloud-security Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Reason about runtime and cloud risks and choose controls you can evidence. | cloud, governance | NIST CSF 2.0: Protect · NIST CSF 2.0: Detect | Practice + timed | Template + rubric |
| Practice & Strategy | Chain Security practice-p4-supply-chain-security Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Manage supply chain risk with practical controls and verification. | supply-chain | NIST CSF 2.0: Identify · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice & Strategy | Management practice-p5-vulnerability-management Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Prioritise and remediate vulnerabilities using exploitability, exposure, and business impact. | vuln-mgmt | NIST CSF 2.0: Identify · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice & Strategy | And Incident Response practice-p6-detection-and-incident-response Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Contain, investigate, and recover with evidence-first incident response discipline. | response, detection | NIST CSF 2.0: Detect · NIST CSF 2.0: Respond · NIST CSF 2.0: Recover | Practice + timed | Template + rubric |
| Practice & Strategy | Ethics Auditability practice-p7-privacy-ethics-auditability Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Make privacy and ethics decisions with audit-friendly evidence and retention discipline. | privacy, governance | NIST CSF 2.0: Govern | Practice + timed | Template + rubric |
| Practice & Strategy | Ilities practice-p8-system-ilities Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Design for resilience and operational safety: you assume failure and plan accordingly. | reliability | NIST CSF 2.0: Protect · NIST CSF 2.0: Recover | Practice + timed | Template + rubric |
| Practice & Strategy | Professional Practice practice-p9-capstone-professional-practice Anchors: NIST Cybersecurity Framework (CSF 2.0), Cyber Essentials technical controls, OWASP Top 10:2021, OWASP API Security Top 10 (2023), ISO/IEC 27001 and 27002 | Produce an operational security pack you can defend: scope, risks, controls, runbooks, evidence. | governance, response | NIST CSF 2.0: Govern · NIST CSF 2.0: Respond | Practice + timed | Template + rubric |
Prove your knowledge
Certification assessment
Each level has a timed assessment with detailed feedback after submission. You need an account to start so your attempts and certificate can carry your name. Assessments and certificates are free to use.
All content is protected. By enrolling, you agree to our terms.