Cybersecurity course
From foundations to practice
- FocusReal systems and real habits, not theory alone.
- ToolsIn browser labs you can reuse with a team.
- CPDAssessments and certificates fund keeping learning free.
This course has three core levels plus a summary and games page. Move through them at your own pace and revisit the labs whenever you need a reset.
⏱️CPD timing
CPD timing
Time estimate (transparent)
I publish time estimates because CPD needs to be defensible. The goal is honesty, not marketing.
Guided learning
56h
Core levels, structured learning
Practice and consolidation
3h
Summary, drills, revisits
Notional range
36 to 84 hours
Quick: core concepts + one exercise per module. Standard: exercises + reflections for CPD evidence. Deep: extra drills and portfolio artefacts.
How I estimate time
I use a notional learning hours approach and I keep the assumptions visible. Where modules are content heavy, I add practice so the hours are earned, not claimed.
- Reading: 225 words per minute, multiplied by 1.3 for note taking and checking understanding.
- Labs and practice: about 15 minutes per guided activity, including at least one retry.
- Reflection for CPD: about 8 minutes per module for a short defensible note and evidence link.
- Assessments: about 1.4 minutes per question for reading, thinking, and review.
If you study faster or slower, your hours will differ. What matters is that the method is consistent and the activities are real.
🧪Assessment blueprint
Assessment and practice assessment
Cybersecurity assessment blueprint
Assessments are designed for CPD evidence and skill building. They are not endorsed by certification bodies. Where exams exist, I make the marking and expectations explicit.
Foundations
mixedTerminology, safe habits, and correct reasoning about basic security decisions.
Applied
scenarioScenario based judgement, common failure modes, and trade-offs between controls.
Practice and Strategy
mixedGovernance, risk communication, and defensible decisions with evidence.
Design rules
- Every question must map to at least one learning outcome and one standards anchor (for example NIST CSF 2.0 or ISO 27001 controls).
- Wrong answers must represent a real misconception, not a silly trick.
- Feedback should explain what changed if you swap one assumption, not only state the correct option.
📚Standards and certifications
Standards and certifications
The map we anchor to
I map each course to reputable standards so your learning is defensible at work. I also show common certifications and how their language differs.
Important: This content aligns with these standards and certifications for learning purposes. This is guidance, not endorsement. We are not affiliated with certification providers unless explicitly stated.
Primary anchor standards
- NIST Cybersecurity Framework (CSF 2.0)NIST
A clean way to explain outcomes and maturity across govern, identify, protect, detect, respond, and recover.
Official reference - ISO/IEC 27001 and 27002ISO/IEC
Audit-friendly control thinking: governance, scope, evidence, and continuous improvement.
Official reference
Certification routes
This course is not endorsed by certification bodies. It is built to prepare you honestly, including where exams simplify reality.
- foundation(ISC)2 Certified in Cybersecurity (CC)(ISC)2
A sensible entry route that checks terminology, fundamentals, and basic judgement.
- foundationCompTIA Security+CompTIA
Common baseline for terminology and applied security concepts across industry.
- leadershipCISSP(ISC)2
Breadth and governance framing. Useful if you want senior roles, but do not confuse it with hands-on mastery.
- leadershipCISM and CRISCISACA
Management and risk framing. Helpful when you are expected to defend decisions, not just fix tickets.
Organisations and resources
These are the kinds of organisations professionals reference. If you learn how to use them properly, you become harder to mislead.
- OWASP
What it is: A global community that publishes practical application security guidance.
Why it matters: It gives you common failure patterns. It does not replace threat modelling or secure design.
- CVE and CWE ecosystem (NVD and MITRE)
What it is: Shared identifiers and taxonomies for known vulnerabilities and weakness classes.
Why it matters: It helps teams speak the same language about issues. It is not a strategy by itself.
- MITRE ATT and CK
What it is: A knowledge base of attacker tactics and techniques.
Why it matters: It helps you move from generic controls to threat-informed defence and realistic detection.
- CISA
What it is: US Cybersecurity and Infrastructure Security Agency guidance and alerts.
Why it matters: Often useful for real-world prioritisation and common exploited vulnerabilities.
🧾Terminology translation
Terminology translation
Incident triage and response
If you want to be calm under pressure, you need shared words. This is where teams usually talk past each other.
Event, alert, incident, breach
Plain English
An event is something that happened. An alert is a tool shouting. An incident is when it matters. A breach is a specific kind of incident with confirmed loss of confidentiality, integrity, or availability, often with reporting implications.
How standards use it
NIST CSF 2.0
Pushes governance and outcomes. Classification thresholds belong in the govern function, then they drive detect and respond behaviour.
Incident response guidance (NIST SP 800-61 style)
Treats event versus incident as a practical decision boundary so the team can prioritise properly.
ISO/IEC 27001 and incident management practice
Focuses on managed process, evidence, and continual improvement, including post incident learning.
Common mistake
Calling everything an incident, then burning out the team and missing the real fire.
My take
Treat incident as a decision, not a feeling. Define the promotion criteria and train them. If you cannot explain why it is an incident, it is still an event.
Quick check
You see a suspicious process. What two facts would you require before you call it an incident?
Signal versus noise
Plain English
Signal is evidence that changes what you do. Noise is everything else.
How standards use it
NIST CSF 2.0
Detection is about outcomes, not alert counts. The goal is decision quality.
Common mistake
Buying a tool and assuming it creates signal automatically.
My take
If your system produces 10,000 alerts and no decisions, you have built an expensive anxiety machine.
Quick check
Name one signal you would trust and one type of noise you would suppress first.
Containment, eradication, recovery
Plain English
Stop the bleeding, remove the cause, restore normal service.
How standards use it
Incident response playbooks
A common lifecycle used to keep response orderly and evidence-friendly.
Common mistake
Jumping to eradication before containment and accidentally deleting evidence.
My take
Evidence first, panic never. You can be fast without being chaotic.
Quick check
Why can eradication too early make the incident worse?
🛡️Core path
Cybersecurity Foundations
Friendly on-ramp for data, networks, passwords, phishing and everyday defences using in-browser labs.
Applied Cybersecurity
Think like attackers and defenders with threat modelling, web auth flows, common vulns, logs, and risk trade-offs.
Cybersecurity Practice and Strategy
Join up governance, secure design, DevSecOps, CVEs, incident response and business-focused risk thinking.
Summary and games
Recap key ideas, test yourself with scenarios, and keep your CPD evidence clean.
📦What you will build
You will produce three small artefacts that you can reuse at work. They are designed to be defensible, practical, and easy to explain.
🧩Module coverage matrix
Coverage matrix
Module-level coverage
This matrix makes the course defensible: each module is tied to an outcome focus, the anchor standards, and the evidence you can produce.
| Level | Module | Outcome focus | Domains | Alignment | Assessment | Evidence |
|---|---|---|---|---|---|---|
| Foundations | Security Is foundations-f0-what-security-is Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Explain security as risk management (not fear), and define what you are protecting. | basics | NIST CSF 2.0: Govern | Practice + timed | Template + rubric |
| Foundations | And Outcomes foundations-f1-risk-and-outcomes Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Describe risk using likelihood and impact, and connect controls to outcomes. | basics, governance | NIST CSF 2.0: Govern · NIST CSF 2.0: Identify | Practice + timed | Template + rubric |
| Foundations | And Integrity foundations-f2-data-and-integrity Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Reason about data handling, integrity, and common tampering/validation failure modes. | basics, web | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | And Transport foundations-f3-networks-and-transport Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Explain how network assumptions affect security decisions (transport, exposure, trust boundaries). | network | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | And Simple Attacks foundations-f4-cia-and-simple-attacks Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Apply CIA triad to real decisions and spot basic attack patterns and misconceptions. | basics | NIST CSF 2.0: Identify · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | And Access foundations-f5-identity-and-access Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Make defensible identity and access decisions (MFA, least privilege, authn vs authz). | identity | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | Factors And Phishing foundations-f6-human-factors-and-phishing Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Reduce human-factor risk with practical habits and anti-phishing controls. | phishing | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | And Everyday Data Protection foundations-f7-privacy-and-everyday-data-protection Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Protect personal data with clear handling rules and realistic privacy trade-offs. | privacy | NIST CSF 2.0: Govern · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Foundations | Capstone foundations-f8-foundations-capstone Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Produce a simple, sustainable personal security baseline and evidence that you applied it. | basics, governance | NIST CSF 2.0: Govern · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | Modelling As Design applied-a1-threat-modelling-as-design Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Use threat modelling to improve design decisions and prioritise realistic mitigations. | threat-models | NIST CSF 2.0: Identify · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | And Access Control applied-a2-identity-and-access-control Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Apply authorisation patterns and access controls to real systems and failure modes. | identity, web | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | App Security applied-a3-web-app-security Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Recognise and prevent common web app failures (IDOR, injection classes, session risks). | web | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | And Service Security applied-a4-api-and-service-security Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Secure services and APIs with correct boundaries, authz, and verification discipline. | web, identity | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | And Release Gates applied-a5-verification-and-release-gates Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Build verification and release gates that catch failures before production. | governance | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Applied | And Detection Basics applied-a6-logging-and-detection-basics Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Design logging that creates detection signal without leaking secrets, and know what good looks like. | detection | NIST CSF 2.0: Detect | Practice + timed | Template + rubric |
| Applied | Capstone applied-a7-applied-capstone Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Produce a feature security review pack: risks, controls, verification, and evidence choices. | threat-models, governance | NIST CSF 2.0: Govern · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice | Sdlc practice-p1-secure-sdlc Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Run security as part of delivery: roles, SDLC, and evidence-based quality gates. | governance | NIST CSF 2.0: Govern · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice | And Cloud Security practice-p3-runtime-and-cloud-security Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Reason about runtime and cloud risks and choose controls you can evidence. | cloud, governance | NIST CSF 2.0: Protect · NIST CSF 2.0: Detect | Practice + timed | Template + rubric |
| Practice | Reduction Zero Trust practice-p2-exposure-reduction-zero-trust Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Reduce exposure using segmentation, least privilege, and zero-trust-style thinking. | network, identity | NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice | Management practice-p5-vulnerability-management Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Prioritise and remediate vulnerabilities using exploitability, exposure, and business impact. | vuln-mgmt | NIST CSF 2.0: Identify · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice | And Incident Response practice-p6-detection-and-incident-response Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Contain, investigate, and recover with evidence-first incident response discipline. | response, detection | NIST CSF 2.0: Detect · NIST CSF 2.0: Respond · NIST CSF 2.0: Recover | Practice + timed | Template + rubric |
| Practice | Chain Security practice-p4-supply-chain-security Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Manage supply chain risk with practical controls and verification. | supply-chain | NIST CSF 2.0: Identify · NIST CSF 2.0: Protect | Practice + timed | Template + rubric |
| Practice | Ethics Auditability practice-p7-privacy-ethics-auditability Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Make privacy and ethics decisions with audit-friendly evidence and retention discipline. | privacy, governance | NIST CSF 2.0: Govern | Practice + timed | Template + rubric |
| Practice | Ilities practice-p8-system-ilities Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Design for resilience and operational safety: you assume failure and plan accordingly. | reliability | NIST CSF 2.0: Protect · NIST CSF 2.0: Recover | Practice + timed | Template + rubric |
| Practice | Professional Practice practice-p9-capstone-professional-practice Anchors: NIST Cybersecurity Framework (CSF 2.0), ISO/IEC 27001 and 27002 | Produce an operational security pack you can defend: scope, risks, controls, runbooks, evidence. | governance, response | NIST CSF 2.0: Govern · NIST CSF 2.0: Respond | Practice + timed | Template + rubric |
📚How to use this course
- Move through Foundations, Applied, and Practice in order for the cleanest progress.
- Use the labs when a concept feels fuzzy. The goal is judgement, not memorisation.
- Record a few minutes when you practise so your CPD record stays honest and useful.
- Come back later and redo the capstones on a new system. That is where depth builds.
🏁Certification assessment
Each level has a timed assessment with detailed feedback after submission. You need an account and credits to start. Certificates help your career and help keep this site free.
🛠️Quick practice
Checkpoint
Why keep the course plain and structured
How many core levels does the course have