
Learn Mode

Learn Mode provides interactive step-by-step attack scenarios in a simulated browser environment. Walk through real-world attack chains to understand how vulnerabilities are exploited and how to prevent them.

How It Works

Learn Mode uses a guided split-screen interface where you follow along with an interactive attack scenario:

Left Panel — Scenario Guide

Step-by-step instructions, scenario context, and a narrator that guides you through the entire attack chain. Each step tells you exactly what to do.

Right Panel — Simulated Environment

A fully interactive browser, mobile device, or proxy simulation where you perform actions — click buttons, fill forms, and observe responses in real time.

Learn Mode Interface

Here's what the split-screen learn mode looks like during a scenario:

URL: app.securecodinghub.com/learn/owasp-top-10/idor
Step 3 / 12 · Exploitation · Discover other user profiles

Instruction: Change the id in the URL from /profile/1 to /profile/2. Note that the app serves the second user's data without checking ownership.

Narrator: Classic IDOR — the route handler trusts params.id as the source of truth instead of checking the session.

Simulated browser: vulnerable-app.com/profile/2
Profile — Jane Doe
  email: jane@example.com
  phone: +1 555 0190
  role: admin
⚠ leak — accessed without authorization

Scenario Structure

Every scenario follows a consistent five-stage pattern that mirrors real-world security assessments:

1. Introduction: Context about the target application, your role, and the vulnerability you will be exploring.
2. Discovery: Explore the application and identify the attack surface — observe how the app behaves normally.
3. Exploitation: Execute the attack step by step — inject payloads, manipulate requests, or bypass controls.
4. Impact: See the real consequences of the vulnerability — data leaks, privilege escalation, or session hijacking.
5. Prevention: Learn the correct code and configuration changes to fix the vulnerability and prevent future exploitation.

Simulated Environments

Learn Mode uses three types of simulation depending on the vulnerability category:

Environment     | Used For               | Description
SimBrowser      | Web vulnerabilities    | A fully interactive web browser simulation with URL bar, navigation, forms, and dynamic responses. Used for XSS, CSRF, SQL Injection, and other web attacks.
SimMobilePhone  | Mobile vulnerabilities | iOS and Android device simulation with native UI elements, status bar, and touch interactions. Used for insecure storage, WebView injection, and certificate pinning scenarios.
SimWebProxy     | API vulnerabilities    | HTTP request/response proxy that shows raw API calls, headers, and payloads. Used for BOLA, mass assignment, broken authentication, and other API security scenarios.

Progress Tracking

Each scenario tracks your progress so you can pick up right where you left off:

Metric                     | Description
Current step / Total steps | Shows your position in the scenario — e.g. "Step 8 of 14"
Completion status          | in_progress or completed
Resume support             | You can close a scenario and return later — it resumes from your last step

Scenario Progress

Your scenario list shows current progress at a glance:

URL: app.securecodinghub.com/learn
Your scenarios · 3 in progress · 1 completed

- IDOR — Direct Object Reference · Step 8 / 14 · OWASP Web · IN PROGRESS
- SQL Injection — Login Bypass · Step 11 / 11 · OWASP Web · COMPLETED
- XSS — Stored Cross-Site Scripting · Step 3 / 16 · OWASP Web · IN PROGRESS

Next steps: Try Practice Mode to test your knowledge with code review challenges, or explore the full scenario catalog from the dashboard.

When a Guided Scenario Teaches What a Code-Review Challenge Cannot

A code review challenge in Practice Mode hands you a self-contained snippet. That is a fair representation of how vulnerabilities look on the line, but most real vulnerabilities are not on a single line. They live across files, across services, or across the boundary between client and server. IDOR is the canonical example: the bad code is not the database query, it is the missing authorization check three layers up the stack. Learn Mode is the format that can show you that gap, because it puts the entire application in front of you.
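The IDOR gap described above, as an added example that is not part of this page or of the Secure Coding Hub platform. It shows the route handler the narrator refers to: the query is correct, and the defect is only that nothing relates params.id to the logged-in session. The user records, the request/response stand-ins and the function names are all constructed for this illustration; no web framework is used so the file runs stand-alone in Node.

```javascript
// Constructed sample user table. In the scenario, user 1 is the learner's own
// account and user 2 is the victim whose profile leaks.
const users = new Map([
  [1, { id: 1, name: 'Alice Smith', email: 'alice@example.com', role: 'user' }],
  [2, { id: 2, name: 'Jane Doe', email: 'jane@example.com', phone: '+1 555 0190', role: 'admin' }],
]);

// Minimal stand-ins for the objects a framework would hand a route handler:
// `session.userId` was set by the server at login, `params.id` came from the URL.
function makeRequest(sessionUserId, urlId) {
  return { session: { userId: sessionUserId }, params: { id: urlId } };
}

// VULNERABLE: the data-access layer is fine; the defect is that the requested id
// is never compared with the authenticated user, so any logged-in user can read
// any profile by editing the URL.
function getProfileVulnerable(req) {
  const profile = users.get(Number(req.params.id));
  if (!profile) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: profile };
}

// FIXED: the authorization check sits in the handler, above the query. Ownership
// is the rule here; any admin exception would be an explicit policy decision.
function getProfileFixed(req) {
  const requestedId = Number(req.params.id);
  if (!req.session || !Number.isInteger(requestedId)) {
    return { status: 400, body: { error: 'bad request' } };
  }
  if (requestedId !== req.session.userId) {
    // 404 rather than 403, so the endpoint does not confirm that the id exists.
    return { status: 404, body: { error: 'not found' } };
  }
  const profile = users.get(requestedId);
  if (!profile) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: profile };
}

// Stronger variant: remove the client-controlled id altogether and derive the
// lookup key from the session (a /profile/me style route).
function getOwnProfile(req) {
  const profile = users.get(req.session.userId);
  return profile ? { status: 200, body: profile } : { status: 404, body: { error: 'not found' } };
}

// Replays step 3 of the scenario: user 1 changes /profile/1 to /profile/2.
function runScenario() {
  const tampered = makeRequest(1, '2');
  return {
    vulnerable: getProfileVulnerable(tampered).status,          // 200: Jane's data leaks
    fixed: getProfileFixed(tampered).status,                    // 404: ownership enforced
    ownProfile: getProfileFixed(makeRequest(1, '1')).status,    // 200: own data still served
  };
}

console.log(runScenario());
```

The point to take from the Prevention stage is where the fix lives: not in the query and not in the template, but in the handler that decides whether this session may see this id. Detection follows the same shape, so a log line that records both the session user and the requested id lets you spot the mismatch after the fact.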

The same is true for any vulnerability where exploitation depends on session state, multi-step request flows, or attacker-controlled timing. Stored XSS only matters once the payload travels from one user to another. Mass assignment only matters when the model layer trusts request body keys it never should have exposed. A snippet cannot show that chain. A scenario can, because you log in, perform actions, observe responses, and watch a vulnerability turn into a breach in real time. The five-stage scenario structure above is designed around exactly that arc.
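The mass-assignment chain mentioned above, as an added example that is not part of this page or of the Secure Coding Hub platform. A legitimate-looking profile update carries extra keys that only the server should own; the vulnerable model copies every key from the request body, the fixed one copies an allowlist and resets verification state when the e-mail changes. The record, field names and request body are constructed for this illustration.

```javascript
// Constructed user record. `role` and `emailVerified` are server-owned fields
// that must never be writable from a request body.
function makeUser() {
  return { id: 7, name: 'Alice Smith', email: 'alice@example.com', role: 'user', emailVerified: true };
}

// VULNERABLE: every key in the parsed JSON body lands on the model, so a body of
// {"name":"...","role":"admin"} is a privilege escalation without any exploit code.
function updateProfileVulnerable(user, body) {
  Object.assign(user, body);
  return user;
}

// FIXED: only client-owned fields are copied. Unknown keys are collected rather
// than silently dropped so the handler can log the attempt.
const UPDATABLE_FIELDS = ['name', 'email'];

function updateProfileFixed(user, body) {
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (!UPDATABLE_FIELDS.includes(key)) {
      rejected.push(key);
      continue;
    }
    // A changed e-mail address must go through verification again, otherwise the
    // allowlist itself becomes a way to take over the verified state.
    if (key === 'email' && body.email !== user.email) {
      user.emailVerified = false;
    }
    user[key] = body[key];
  }
  return { user, rejected };
}

// Replays the chain: an update with two extra keys that the model never exposed.
function runScenario() {
  // Constructed request body, as the proxy view in SimWebProxy would show it.
  const body = JSON.parse(
    '{"name":"Alice S.","email":"alice.new@example.com","role":"admin","emailVerified":true}'
  );
  const vulnerable = updateProfileVulnerable(makeUser(), body);
  const fixed = updateProfileFixed(makeUser(), body);
  return {
    vulnerableRole: vulnerable.role,                 // 'admin'
    vulnerableVerified: vulnerable.emailVerified,    // true: verification skipped
    fixedRole: fixed.user.role,                      // 'user'
    fixedEmail: fixed.user.email,                    // 'alice.new@example.com'
    fixedVerified: fixed.user.emailVerified,         // false: must re-verify
    rejected: fixed.rejected,                        // ['role', 'emailVerified']
  };
}

console.log(runScenario());
```

The allowlist is the whole fix; a denylist of "dangerous" keys fails the moment a new server-owned column is added. The rejected-key list is worth emitting as a log event, because a body that names role or emailVerified at all is a strong signal in a SimWebProxy-style request view and in production logs alike.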

How to Use Learn Mode if You Are Already Senior

Senior developers and security engineers sometimes skip Learn Mode because the narrator and step-by-step instructions feel slow. That is fair for vulnerability classes you have personally exploited dozens of times. The right use of Learn for senior learners is targeted, not completionist. Skim the introduction, skim Discovery, and slow down at Exploitation only when the attack surface is unfamiliar. A backend engineer who has never written iOS code will learn more from a single mobile insecure-storage scenario than from twenty Practice challenges in the same category, because the unfamiliar part is the platform, not the concept.

The other senior use case is closing language gaps. If you joined a team using a stack you do not know well, Learn scenarios in that stack double as a fast tour of the application shape and the attack surface you will be reviewing. Combine that with stack-aligned Practice from Stack Preferences to ramp up on a new codebase faster than reading documentation alone.

Custom Courses bundle Learn and Practice together

Org admins can build named sequences that mix Learn scenarios and Practice topics into a single curated path — see Custom Courses for the build flow. When a custom course is assigned to you, you consume it at /learn/custom/<courseId> as if it were a built-in course, and the items appear in the order the admin defined. Practice items still score and reward XP the way they do in Practice Mode; Learn items still write per-scenario progress the way they do here.