Product Security Knowledge Base

๐Ÿ—บ๏ธ Product Security Ramp-Up Tracks

Intro: New people do not need a random reading pile. They need a path that builds judgment in an order that makes sense for the role.

What this page includes

  • 30-day and 90-day learning ideas
  • different tracks for engineers, platform specialists, and managers
  • how to mix reading, review, and labs
  • how to know the learner is progressing

Example tracks

Product Security engineer, first 30 days

  1. threat modeling basics and API security;
  2. CI/CD trust boundaries and secret scanning;
  3. cloud identity and workload federation;
  4. runtime investigation basics and one tabletop.

Platform security engineer, first 30 days

  1. runner isolation, OIDC, and deployment trust;
  2. Terraform and policy-as-code pages;
  3. Kubernetes baseline and runtime investigation;
  4. provider-specific attack chains.

Product Security manager, first 60-90 days

  1. operating model, metrics, and exception governance;
  2. architecture review and threat modeling;
  3. incident playbooks and detection engineering basics;
  4. stakeholder communication and roadmap planning.

Progress signals

Learners should be able to:

  • review a design and identify trust boundaries;
  • explain why a machine identity is risky;
  • spot one or two real release-gate gaps;
  • walk through the first 15 minutes of a product incident.

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.

Additional guided lab tracks