The Grid — Cybersecurity Training Program
6-month program · 15 tracks · 148 hands-on challenges
A structured, narrative-driven cybersecurity program. You are the operator. The breaches are real. Six months of hands-on exploitation in controlled lab environments — from SQL injection fundamentals to cloud breaches and a graduate capstone defending against rival hackers.
Product Sku: DOR-AWR-GRID · Cat: Awareness
The Grid is an immersive cybersecurity curriculum framed as an ongoing narrative: over six months you progress as an operator infiltrating fictional financial institutions. The program emphasises hands-on exploitation over lectures, recreating real-world attack scenarios in controlled lab environments — whether you're a seasoned developer or a security enthusiast, you finish as a skilled defender who thinks like a hacker.
| Month | Phase | Focus | Tracks | Challenges |
|---|---|---|---|---|
| 1 | Recruitment | Fundamentals: SQL injection, DoS, cryptography | 4 | 28 |
| 2 | Rookie | Breaking into Solstice Bank; OWASP Top 10 mapping | 2 | 35 |
| 3 | Novice | Live Vaulture Capital breach; mobile/web vulnerabilities | 2 | 14 |
| 4 | Intermediate | Social engineering, phishing, pretexting | 2 | 23 |
| 5 | Advanced | Cloud misconfigurations; cryptographic side-channels | 2 | 19 |
| 6 | Graduate | Final capstone: defending against rival hackers | 1 | 22 |
Featured tracks include Operation Bits n Bites (food-delivery app exploitation: access control, injectable endpoints, weak cryptography), The Human Factor (social engineering against Banco Maximus: reconnaissance, phishing, prompt injection) and Skyfall: Breach in the Cloud (metadata services, IAM roles, secrets management).
Every one of the 148 challenges is catalogued across four areas and mapped to the OWASP Top 10 (2025). Difficulty: 🟢 Beginner 68 🟡 Intermediate 73 🔴 Advanced 7
Coverage at a glance
OWASP Top 10 (2025) — web security
114 challenges- Included
- All ten 2025 categories: broken access control, injection (the largest track), cryptographic failures, authentication & MFA flaws, misconfiguration, insecure design, integrity/deserialization, supply chain, logging, and error-handling side-channels.
- You learn
- To find and exploit each flaw hands-on — IDOR & SSRF, blind SQL & XSS, padding and timing oracles, broken MFA, deserialization gadget chains — and then apply the server-side defence that closes it.
- Why it matters
- These are the vulnerabilities behind most real breaches; recognising them in your own stack is the core of secure development and the technical measures NIS2 expects.
OWASP LLM Top 10 — GenAI security
5 challenges- Included
- Prompt injection (direct and indirect) and sensitive-information disclosure for AI features.
- You learn
- That any surface feeding untrusted text into a model can be hijacked, and how indirect vectors — documents, tickets, emails — bypass every user-facing control.
- Why it matters
- As organisations add AI assistants, an injected model can exfiltrate data or act without the operator noticing — a fast-growing surface most teams have not yet secured.
Social Security — people-targeted attacks
9 challenges- Included
- Social engineering, spearphishing and phishing — attacks that target people, not systems.
- You learn
- To recognise pretexting, craft and spot a tailored lure, and understand why authority and rapport lower defences — plus the verification habits that stop it.
- Why it matters
- The human element appears in ~68% of breaches and phishing drives 40%+ of initial access; awareness is the control technical tools cannot provide.
Attack — offensive tradecraft
20 challenges- Included
- OSINT & reconnaissance, offensive tradecraft, and side-channel attacks — the adversary's playbook around the OWASP list.
- You learn
- How attackers build a target dossier from public data, weaponise CVEs within hours of disclosure, and reconstruct secrets from timing and behaviour without direct access.
- Why it matters
- Understanding how an attack begins and hides lets defenders shrink their footprint and detect intrusions far earlier.
OWASP Top 10 (2025) coverage
Each of the six phases ends with a concrete, demonstrable capability.
- Tell encoding from real encryption and reverse weak schemes (Base64, ROT13, ECB) with no key
- Run blind SQL injection using boolean-, error- and time-based oracles
- Trigger denial-of-service through catastrophic regex backtracking and resource abuse
- Exploit IDOR and broken access control, distinguishing horizontal from vertical escalation
- Extract data with UNION-based SQL injection and binary-search enumeration
- Map findings to the OWASP Top 10 and communicate risk to stakeholders
- Chain web and mobile vulnerabilities into an end-to-end breach
- Recover secrets stored in client storage, config files and misconfigured vaults
- Tamper with serialized objects and escalate over-posting toward code execution
- Assemble a target dossier from open-source reconnaissance
- Craft a tailored spearphishing lure that reads as a routine message
- Apply verification and out-of-band confirmation to defeat pretexting
- Abuse cloud metadata services, IAM roles and secrets management
- Execute padding- and timing-oracle attacks to recover plaintext and keys
- Manipulate LLM features through direct and indirect prompt injection
- Harden an application against the full attack chain you have practised
- Integrity-protect and centralise logs to detect and reconstruct intrusions
- Defend a live system against rival operators in the graduate capstone