Assignments
Assign specific training modules to individual users, teams, or your entire organization. Track completion, set deadlines, and enforce mandatory training.
Creating an Assignment
To create a new assignment, navigate to Assignments in the admin sidebar and click "New Assignment". Follow these steps:
1. Content Area
Choose Practice (code review challenges) or Learn (interactive attack scenarios).
2. Target
Select what to assign. The target hierarchy depends on the content area:
- Practice: Category → Module → Topic (e.g. "OWASP Web Top 10 > A03 Injection > SQL Injection")
- Learn: Course → Scenario
3. Assignee
Choose who receives the assignment: an Individual user, a Team, or the Entire Organization.
4. Deadline
Set an optional due date. Users will see overdue assignments highlighted in their dashboard.
5. Mandatory
Flag the assignment as required or optional. Mandatory assignments appear prominently in the user's training queue.
6. Note
Add an optional description or context for the assignment (e.g. "Complete before the Q2 security audit").
Create Assignment Form
Here's what the assignment creation form looks like:
Assignment Targets
You can assign training at different levels of granularity:
| Content Area | Target Level | Example |
|---|---|---|
| Practice | Category | All OWASP Web Top 10 challenges |
| Practice | Module | All A03 Injection challenges |
| Practice | Topic | SQL Injection challenges only |
| Learn | Course | All Web Security scenarios |
| Learn | Scenario | IDOR scenario only |
Tracking Progress
Click on any assignment to view its detail page, which shows:
- Overall completion rate — percentage of assigned users who have completed
- Per-user progress bars — individual progress for each assignee
- Overdue status — highlighted when past the deadline
- Individual scores — challenge scores per user
Assignment Detail
Here's what an assignment detail page looks like:
Editing & Deactivating
You can edit an assignment's deadline, note, and mandatory flag at any time. Changes apply immediately to all assignees.
To remove an assignment without losing data, use Deactivate. Deactivating soft-deletes the assignment — it retains all progress data but hides the assignment from users' dashboards. Deactivated assignments can be reactivated later.
Picking the right scope for an assignment
The same training content can be assigned at a single topic, a module of related topics, or an entire category. Picking the right level of granularity is the difference between an assignment your team finishes in a week and one that drags on for a quarter while everyone half-engages. As a rule of thumb, assign by topic when you are reacting to a specific incident or pen-test finding, assign by module when onboarding a new hire, and assign by full category only when you have a measured runway of weeks and a clear compliance reason.
Topic versus full-track assignments
A single-topic assignment is the right tool when a recent pen test surfaced an SQL injection in your codebase, when a CVE in a library you depend on uses a class of vulnerability your team has not seen, or when an engineer needs a targeted refresher. The scope is small, the connection to real risk is direct, and engineers finish in a sitting or two. Completion rates on topic-level assignments are typically much higher than on category-level ones because the goal is concrete.
A full-track assignment — say, the entire OWASP Web Top 10 category — works for onboarding cohorts and annual mandatory training cycles, but it needs a realistic deadline. Plan on six to ten weeks for a category-level track at a sustainable pace of two to three hours per week of training time. Shorter deadlines push engineers into clicking through content without absorbing it, which defeats the purpose and produces a clean dashboard with weak retention behind it.
Time-boxing and compliance evidence
Set a deadline on every assignment, even the optional ones. A deadline reframes the assignment as a commitment rather than a backlog item, and the overdue indicator on the user dashboard becomes a useful nudge for line managers during one-on-ones. For mandatory training, set the deadline thirty days before the compliance evidence cutoff so you have buffer to chase down stragglers.
For organizations subject to PCI DSS 6.2.2 — which requires that developers receive secure coding training relevant to their job role at least annually — assignments serve as the primary evidence artifact. The assignee list shows scope, the completion timestamps show when training occurred, and the individual scores show whether learners engaged with the material. The same artifacts satisfy ISO 27001 Annex A.14 requirements for secure development training. Keep deactivated assignments in the system rather than deleting them, since the audit window for both standards extends back through prior years.