Coverage

Every major vulnerability category. Every language your team writes.

310+ vulnerability types and 1500+ challenges across 9 OWASP frameworks — app, cloud and AI security. Production-realistic patterns in 15 languages and frameworks.

310+ vulnerability types
1500+ challenges
15 languages & stacks

Nine pillars of application security.

App Security (4)

OWASP Web Top 10

80 topics

Injection, broken access control, cryptographic failures, SSRF, and the rest of the categories that dominate web app risk.

SQL Injection, XSS, CSRF, SSRF, Auth Failures

OWASP API Top 10

25 topics

API-specific risks: object-level authorisation gaps, mass assignment, rate limiting, server-side request forgery on internal endpoints.

BOLA, Mass Assignment, Rate Limiting, SSRF

OWASP Mobile Top 10

30 topics

Insecure storage, biometric bypass, WebView injection, deep-link abuse — the failure modes that web-only training never covers.

Insecure Storage, Biometric Bypass, WebView Injection

Client-Side Security

24 topics

DOM XSS, prototype pollution, LocalStorage leakage, postMessage abuse — the bugs that live in the browser, not on the server.

DOM XSS, Prototype Pollution, LocalStorage Leak

Cloud Security (2)

OWASP Cloud-Native Top 10

31 topics

CNAS — insecure cloud configuration, container injection, IAM misuse, secret management, network policies, IMDS exposure across AWS / GCP / Azure.

Public S3 Buckets, IMDS Exposure, IaC Secrets, Untrusted Images

OWASP CI/CD Top 10

10 topics

CICDSEC — flow control bypass, poisoned pipeline execution, dependency chain abuse, secret leakage, artifact integrity, audit log gaps in the build pipeline.

Pipeline Poisoning, Dependency Confusion, Secrets in Repo, Runner Risks

AI Security (3)

OWASP LLM Top 10

32 topics

Prompt injection, sensitive information disclosure, model supply chain, output handling vulnerabilities, system prompt leakage and unbounded consumption in LLM applications.

Prompt Injection, PII Disclosure, RAG Poisoning, RCE via Output

OWASP Agentic AI Top 10

30 topics

Memory poisoning, tool misuse, privilege compromise, cascading hallucinations, intent hijacking, identity spoofing, human-in-the-loop fatigue attacks for autonomous AI agents.

Memory Poisoning, Tool Misuse, Goal Hijacking, HitL Fatigue

Secure AI-Assisted Development

23 topics

Secret exfiltration to AI tools, insecure code suggestions, prompt manipulation in dependencies, AI in PR review risks, license contamination, autonomous coding agent boundaries.

Code Paste Leak, Vulnerable Pattern, README Poisoning, MCP Exposure

Production-realistic — not pseudocode.

Challenges are written for the language and framework your developers actually use. The same SQL injection looks different in a Spring Boot service, a Django view, an Express handler, or a .NET controller — and the platform reflects that.

Backend: JavaScript, TypeScript, Python, Java, C#, PHP, Go

Mobile: Swift, Kotlin

Frontend: React + JavaScript, React + TypeScript, Vue + JavaScript, Vue + TypeScript, Angular + JavaScript, Angular + TypeScript

const query = `SELECT * FROM users
  WHERE email = ${req.body.email}`
// Vulnerable: string interpolation

Coverage is what makes training mandatory-able.

Compliance frameworks like PCI DSS 4.0.1 and the EU Cyber Resilience Act don't accept "we trained the team on OWASP Top 10." They expect coverage of the vulnerability classes that actually appear in your stack. Breadth across categories and depth across languages is what lets a security team mandate this training to their entire engineering org without leaving teams uncovered.

See it on your stack.

The interactive demo lets you pick your team's language and run challenges in that exact stack.