Every major vulnerability category. Every language your team writes.
185+ vulnerability types and 900+ challenges across web, API, mobile, and client-side security. Production-realistic patterns in 15 languages and frameworks.
Four pillars of application security.
OWASP Web Top 10
Injection, broken access control, cryptographic failures, SSRF, and the rest of the categories that dominate web app risk.
OWASP API Top 10
API-specific risks: object-level authorisation gaps, mass assignment, rate limiting, server-side request forgery on internal endpoints.
OWASP Mobile Top 10
Insecure storage, biometric bypass, WebView injection, deep-link abuse — the failure modes that web-only training never covers.
Client-Side Security
DOM XSS, prototype pollution, LocalStorage leakage, postMessage abuse — the bugs that live in the browser, not on the server.
Production-realistic — not pseudocode.
Challenges are written for the language and framework your developers actually use. The same SQL injection looks different in a Spring Boot service, a Django view, an Express handler, or a .NET controller — and the platform reflects that.
Coverage is what makes training mandatory-able.
Compliance frameworks like PCI DSS 4.0.1 and the EU Cyber Resilience Act don't accept "we trained the team on OWASP Top 10." They expect coverage of the vulnerability classes that actually appear in your stack. Breadth across categories and depth across languages are what let a security team mandate this training to their entire engineering org without leaving teams uncovered.
See it on your stack.
The interactive demo lets you pick your team's language and run challenges in that exact stack.