Learning Paths and Labs
Section focus: Learning Paths and Labs.
Best use: start with the section map below, then move into the deeper pages that match your role or stack.
Design note: this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.
Start with these pages
| Page | Why open it first |
|---|---|
| Product Security Ramp-Up Tracks | Structured learning paths for different roles. |
| Break-Fix Labs and Tabletop Scenarios | Turns the archive into a workbook of scored exercises and incident tabletops. |
| Hands-On Attack-to-Defense Playbooks | Bridges attack understanding, detection, containment, and hardening in one practice loop. |
| Security Review Checklists and Cheat Sheets | Practical one-page review aids. |
| Vulnerable Learning Labs and Goat Environments | Entry point to the goat environments used for environment practice. |
| AWSGoat – AWS Cloud Lab | Goat environment for hands-on AWS practice. |
| CloudGoat – Scenario-Based Cloud Lab | Scenario-based goat environment for cloud practice. |
| CI/CD Goat – Pipeline Security Lab | Goat environment for pipeline security practice. |
| OWASP Juice Shop – Web and API Lab | Goat environment for web and API practice. |
| Product Security Tooling Landscape and Inventory | Broad map of the tooling universe plus a companion workbook with 100 tools. |
| DevSecOps Engineer Learning Roadmap (2026) | Gives a clearer newcomer-to-junior DevSecOps learning order beyond raw tool lists. |
| Application Security Engineer Learning Roadmap (2026) | Gives a realistic AppSec development path from fundamentals to design and review work. |
| Online Validators, Linters, Generators, and Visual Tools | Collects fast browser-based and CI-friendly tools for YAML, OpenAPI, Docker, Kubernetes, IaC, CSP, tokens, and policy authoring. |
Intro: A knowledge base becomes far more valuable when it teaches not only what to read, but what to practice. This section turns the archive into a workbook with role-based tracks, scored exercises, and incident tabletops.
What this page includes
- role-based learning tracks
- break-fix and tabletop scenarios
- review checklists and cheat sheets
- worked examples for common Product Security judgment calls
- secure coding training platforms for developer upskilling and onboarding
Section map
| Page | Why it belongs here |
|---|---|
| Product Security Ramp-Up Tracks | Gives structured learning paths for different roles. |
| DevSecOps Engineer Learning Roadmap (2026) | Adds a more explicit beginner-to-junior DevSecOps progression with a visual roadmap and 12-week plan. |
| Application Security Engineer Learning Roadmap (2026) | Adds a more explicit beginner-to-junior AppSec progression with a visual roadmap and 12-week plan. |
| Break-Fix Labs and Tabletop Scenarios | Turns the archive into a workbook, not only a reference. |
| Security Review Checklists and Cheat Sheets | Creates practical one-page review aids. |
| Newcomer Ramp-Up and Review Checklists | Adds role-based newcomer tracks, from-zero pages, and reusable review checklists. |
| Worked Example Lab: API Review and Tenant Boundary Failure | Trains reviewers to distinguish route auth from object-level authorization. |
| Worked Example Lab: Frontend Session Review | Builds intuition about browser-held authority and token risk. |
| Worked Example Lab: Business Logic Abuse in Trial and Promo Flows | Trains economic and workflow-focused abuse reasoning. |
| Worked Example Tabletop: CI Runner Compromise Before Release | Adds a realistic tabletop around build trust and release pressure. |
| Mobile Security Lab Track – NowSecure, iOS, and Android Learning Flow | Adds a practical mobile learning path with training workflow plus Android and iOS targets. |
| API Definition Conformance Lab – OpenAPI, Contract Linting, AuthZ Checks, and CI Validation | Teaches how to treat the API contract itself as a security control. |
| Cloud Compliance Scan Lab – Scan → Triage → Fix → Codify | Turns posture findings into engineering feedback and policy codification. |
| Containment and Eradication Automation Lab | Builds safe response automation and postmortem-to-IaC discipline. |
| Secure Coding Training Platforms for Developers | Adds a practical short-list of enterprise and self-serve platforms for secure coding enablement. |
| Awesome GitHub Repositories for DevSecOps, AppSec, and Cloud Security | Adds a curated discovery layer for engineers who want to keep learning beyond the portal. |
| DevSecOps-Studio – Virtual Lab Environment for Learning DevSecOps | Adds a broad local training distribution and explains how to use it safely as a legacy-to-modern bridge. |
| Developer Workstation Hardening for AppSec and DevSecOps | Gives a practical workstation baseline for local tooling, signing, Docker safety, and sandboxing. |
| Essential AWS DevSecOps Self-Study Path | Converts a compact AWS DevSecOps course outline into a practical self-study route with KB cross-links and labs. |
| Curated Conference Talks 2021–2025 | Turns high-signal conference content into a reusable learning track instead of a random watchlist. |
| Product Security Ecosystem Projects, Communities, and Learning Hubs | Curates the major open communities, projects, and official hubs worth following across Product Security. |
| Top Books for Product Security by Domain and Role | Gives a curated 2026 reading shelf with Amazon links and why each book matters. |
| Three-Month Product Security Self-Study Plan | Turns the KB into a sequenced reading-plus-lab path instead of only a reference portal. |
| Product Security Tooling Landscape and Inventory | Gives a reference map of 100 tools across AppSec, DevSecOps, cloud, Kubernetes, and evidence workflows. |
| Online Validators, Linters, Generators, and Visual Tools | Adds a fast practical catalog of browser-based validators, policy playgrounds, cloud GUI builders, and CI-friendly linters. |
Learning bias
People retain more when they review, explain, and debug a scenario than when they only read a page once.
The goat environments (AWSGoat, CloudGoat, CI/CD Goat, OWASP Juice Shop) complement the lighter break-fix labs already in this section. Use the worked-example labs for judgment practice, and use the goat environments for hands-on environment practice.
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.