Practice mode

Code Review Challenges

Developers review real vulnerable code, identify the security flaw, and select the correct fix from multiple options. A two-phase flow that builds both detection and remediation skills.

Two phases. One challenge.

01
Detection

Find the vulnerable block

The developer is shown a real-world code snippet containing one or more vulnerable lines. They click the block they believe holds the security flaw. No multiple choice: they have to read the code and reason about what is wrong.

  • Production-realistic code patterns
  • Click-to-select on the actual code line
  • Multiple attempts allowed
02
Remediation

Choose the correct fix

Once the vulnerable block is identified, the developer picks the right fix from a set of plausible alternatives. Distractor options include common-but-wrong fixes — the kind that pass code review and still leave the bug in production.

  • Multiple-choice fix selection
  • Plausible-wrong distractors
  • Explanation revealed after answer

A challenge, mid-flow.

auth-controller.js
const express = require('express')
const db = require('./db')

// Looks up a user by the e-mail address supplied in the request.
// `email` is request-controlled and is spliced straight into the SQL text.
async function findUserByEmail(email) {
  const q = `SELECT * FROM users WHERE email = '${email}'`
  const rows = await db.execute(q)
  return rows[0]
}
Phase 1 — Find the vulnerability
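The remediation phase for the challenge above, written out as an added example that is not part of the original page or the platform's own code: the vulnerable query from auth-controller.js, a plausible-wrong distractor of the kind the Remediation section describes (doubling single quotes), the correct fix (a parameterised query), and a small scanner that tells the three apart by checking whether a given e-mail value stays inside the SQL string literal meant to hold it. Assumptions: the query text is read MySQL-style (a backslash escapes the next character and '' is a literal quote, which is how the mysql2 driver's `execute` would have the server parse it); the function names, the scanner and the sample payloads are constructed for this example.

```javascript
// Added example, not code from the page or the platform. Three candidate
// answers for the auth-controller.js challenge and a check that separates them.

// Phase 1 block: attacker-controlled `email` is spliced into the SQL text.
function buildQueryVulnerable(email) {
  return { text: `SELECT * FROM users WHERE email = '${email}'`, values: [] }
}

// Distractor: "escape the quotes". It stops the textbook payload and passes a
// quick review, but the value is still parsed as SQL, so a character the
// escaping does not cover (here, a backslash) re-opens the literal.
function buildQueryEscaped(email) {
  const escaped = email.replace(/'/g, "''")
  return { text: `SELECT * FROM users WHERE email = '${escaped}'`, values: [] }
}

// Correct fix: a parameterised query. The SQL text is constant and the value
// travels separately, so it is never interpreted as SQL. The `?` placeholder
// is mysql2 style; an assumption, since the page does not say what `db` wraps.
function buildQueryParameterised(email) {
  return { text: 'SELECT * FROM users WHERE email = ?', values: [email] }
}

// Minimal model of how a MySQL-style parser reads a single-quoted literal:
// a backslash escapes the next character and '' is a literal quote. Returns
// the index just past the closing quote, or -1 if the literal never closes.
function endOfStringLiteral(sql, openQuoteIndex) {
  let i = openQuoteIndex + 1
  while (i < sql.length) {
    if (sql[i] === '\\') { i += 2; continue }
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { i += 2; continue }
      return i + 1
    }
    i += 1
  }
  return -1
}

// True when the e-mail value did not stay inside its literal: either the
// statement is left unterminated or SQL text follows the closing quote.
function breaksOutOfLiteral(query) {
  const open = query.text.indexOf("'")
  if (open === -1) return false   // no literal in the text at all: parameterised
  const end = endOfStringLiteral(query.text, open)
  if (end === -1) return true     // unterminated: the closing quote was consumed
  return query.text.slice(end).trim().length > 0
}

// Constructed inputs: a normal address, the textbook payload, and a payload
// aimed at the quote-doubling distractor. Note that the backslash payload does
// not break the raw vulnerable query (there it simply escapes the quote); it is
// crafted to turn the distractor's doubled quote back into a closing quote.
const SAMPLE_INPUTS = ['alice@example.com', "' OR 1=1 --", "\\' OR 1=1 --"]

// Runs every candidate fix against every input. Only the parameterised
// version holds up across the board.
function compareFixes(inputs = SAMPLE_INPUTS) {
  const fixes = {
    vulnerable: buildQueryVulnerable,
    escaped: buildQueryEscaped,
    parameterised: buildQueryParameterised,
  }
  return inputs.map(input => {
    const row = { input }
    for (const [name, build] of Object.entries(fixes)) {
      row[name] = breaksOutOfLiteral(build(input))
    }
    return row
  })
}

console.table(compareFixes())
```

The point of the distractor is the one the Remediation section makes: a fix that stops the payload in the textbook succeeds in review and still ships the bug. The scanner here is a teaching model, not a SQL parser; real dialects differ (PostgreSQL, for instance, does not treat a backslash as an escape by default), which is another reason string splicing is never the right answer.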

Tuned for learning, not gatekeeping.

Hints without penalty

Developers can request a hint at any point. Hints don't reduce the final score — the goal is comprehension, not punishment.

Attempt-based scoring

Score is calculated from the number of attempts taken in each phase. Fewer attempts = higher score. First-try success on both phases earns the maximum.

Explanation after every answer

Once the fix is selected — right or wrong — the platform shows why each option is safe or unsafe. Distractors aren't just labelled wrong; the failure mode is explained.

Reading vulnerable code is the actual job.

Most developer security training asks engineers to watch a video about SQL injection and answer a multiple-choice quiz. Code Review Challenges flip that: they put the developer in front of code first, and force the same kind of reasoning a code review demands. Detection and fix are scored separately because in real reviews, knowing something is wrong and knowing how to fix it are two different skills — and engineers can be strong at one without the other.

Try a challenge yourself.

The interactive demo runs three full Code Review Challenges so you can see the two-phase flow end-to-end before talking to our team.