惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Latest
Security Latest
Recorded Future
Recorded Future
人人都是产品经理
人人都是产品经理
S
SegmentFault 最新的问题
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
博客园 - 聂微东
P
Privacy & Cybersecurity Law Blog
WordPress大学
WordPress大学
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
量子位
L
LINUX DO - 热门话题
L
Lohrmann on Cybersecurity
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Tor Project blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
雷峰网
雷峰网
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
T
Threatpost
T
Tenable Blog
有赞技术团队
有赞技术团队
大猫的无限游戏
大猫的无限游戏
Engineering at Meta
Engineering at Meta
GbyAI
GbyAI
C
Cisco Blogs
H
Heimdal Security Blog
Attack and Defense Labs
Attack and Defense Labs
A
About on SuperTechFans
Last Week in AI
Last Week in AI
N
News and Events Feed by Topic
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
I
Intezer
V
V2EX
Cyberwarzone
Cyberwarzone
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
B
Blog RSS Feed
V
Vulnerabilities – Threatpost
N
Netflix TechBlog - Medium
T
The Blog of Author Tim Ferriss
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
U
Unit 42
PCI Perspectives
PCI Perspectives
P
Privacy International News Feed
D
Docker

Hacker News: Show HN

PurrrrrFocus: Pomodoro Timer App - App Store Workflow Engine — Multi-Step Orchestration for Bun RapidPhoto: Pro Photo Editor App - App Store GitHub - DheerG/swarms: Achieve extraordinary results with claude code across a variety of tasks SPICE simulation → oscilloscope → verification with Claude Code — Lucas Gerads Show HN: VCoding – A 5 MB native Windows IDE with no dynamic dependencies Show HN: LLMs don't hallucinate because they're bad at math, it's the format GitHub - Agent-FM/agentfm-core: AgentFM is a peer-to-peer network that turns everyday computers into a decentralized AI supercomputer. AgentFM lets you run massive AI workloads directly across a global mesh of idle CPUs and GPUs. Show HN: Tracking Top US Science Olympiad Alumni over Last 25 Years GitHub - Potarix/agent-hub: One place to talk to all your agents Show HN: Runtime security for AI agents(injection,tool abuse, data exfiltration) GitHub - dubeyKartikay/lazyspotify: Terminal Spotify client for macOS and Linux GitHub - the-banana-tool/king-louie: Easy to use GUI Personal AI Assistant. Win/Linux/Mac. Show HN I made my vacation rental bookable by AI agents–no Airbnb, 0% commission GitHub - basteez/jsf-autoreload: maven plugin to enable hot reload on jsf projects uvm32/hosts/host-gdbstub at main · ringtailsoftware/uvm32 GitHub - labsai/EDDI: Config-driven engine that turns JSON into production-grade AI agents. Multi-agent orchestration, 12+ LLM providers, MCP/A2A protocols, RAG, persistent memory, and enterprise compliance (EU AI Act, GDPR, HIPAA). Built on Quarkus. GitHub - glitchnsec/fortyone-oss: AI Executive Assistant Platform Quickstart | Alien GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. GitHub - ocrbase-hq/ocrbase: 📄 PDF/IMG ->.MD/JSON Document OCR API for PaddleOCR and GLMOCR. Self-hostable. GitHub - impactjo/home-memory: MCP server that lets your AI assistant remember everything about your home. GitHub - Sets88/dbcls: DbCls is a powerful terminal database client that supports various databases GitHub - neptun2000/heor-agent-mcp GitHub - SeanFDZ/macmind: Single-layer transformer in HyperTalk for the classic Macintosh RollQuation: Math Puzzles - Apps on Google Play GitHub - dropbox/witchcraft Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis GitHub - opentalon/opentalon: OpenTalon is an open-source platform built from the ground up in Go as a robust alternative to OpenClaw LinkedIn™ 职位抓取工具 - Chrome 应用商店 GitHub - EdoardoBambini/Agent-Armor-Iaga: AI agents are getting tool access — shell, file system, databases, APIs, secrets. But **nobody is governing what they actually do with it**. Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. Agent Armor gives you the power to control, audit, and approve every single action before it happens. HN Vibes — Week 15, Apr 7–13 2026 GitHub - chojs23/ec: Easy terminal-native 3-way git mergetool vim-like workflow GitHub - SethPyle376/hiraeth: Local AWS emulator focused on fast integration testing, with SQS support, SQLite-backed state, and a debug-friendly web UI. GitHub - JakOb-dotcom/cloud-sandbox-security-analysis: Technical analysis and Proof of Concept (PoC) regarding environment variable exfiltration in containerized cloud sandboxes via side-channel data leaks. Springboards - Flint Alpha Show HN: A simpler coding agent harness GitHub - audiodude/sudomake-friends GitHub - 256thFission/mini-mythos: OSS clone of Anthropic’s Mythos harness to locate C/C++ memory vulnerabilities Show HN: OpenParallax: OS-level privilege separation for AI agent execution Hacker News Sorted - Chrome 应用商店 Show HN: How to Install Docker on Ubuntu 24.04 LTS: Complete 2026 Guide GitHub - himanshudongre/smriti GitHub - sverrirsig/claude-control: macOS desktop dashboard for monitoring and managing multiple Claude Code sessions GitHub - ory/dockertest: Write better integration tests! Dockertest helps you boot up ephermal docker images for your Go tests with minimal work. Chiral - Chrome 应用商店 Show HN: Two Claudes collaborating through shared memory on a $100 mini-PC GitHub - pmichaillat/latex-cv: Minimalist LaTeX template for academic CVs GitHub - oguzbilgic/posse: A web UI for Anthropic Managed Agents. GitHub - sshiraz/depsly: Dependency risk analysis tool for npm packages ABI Add safari/agent-harness — Safari browser automation via safari-mcp by achiya-automation · Pull Request #212 · HKUDS/CLI-Anything GitHub - Halfblood-Prince/trustcheck: Verify PyPI package attestations and improve Python supply-chain security GitHub - oguzbilgic/kern-ai: Agents that do the work and show it. GitHub - bruits/satteri: High-performance Markdown and MDX processing for the JavaScript ecosystem GitHub - tylergibbs1/feedstock: High-performance web crawler and scraper for TypeScript, powered by Bun and Playwright GitHub - Grimm67123/grimmbot: The self-improving sandboxed and open-source AI agent. With persistent memory and scheduling. GitHub - whitevanillaskies/whitebloom: Local whiteboard that blooms. GitHub - hwdsl2/docker-whisper: Docker image for a self-hosted Whisper speech-to-text server with speaker diarization and OpenAI-compatible transcription and translation APIs. Powered by faster-whisper. Supports all Whisper models, NVIDIA GPU (CUDA) acceleration, JSON/SRT/VTT output, SSE streaming, offline mode, and multi-arch (amd64, arm64). GitHub - yisding/reviewwiggum GitHub - MarwanAlsoltany/serrors: Structured errors for Go: sentinel hierarchies, typed data, custom formatting, and slog integration. GitHub - soatok/age-php GitHub - Luthiraa/markitme GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits GitHub - tombedor/excalicharts GitHub - wh1le/excalidraw-edit: Open and edit .excalidraw files from the terminal. Offline, auto-saves to disk. MalExt Sentry - Malicious Extension Scanner - Chrome 应用商店 GitHub - syi0808/asciianimesvg: Generate animated ASCII art SVGs from text. CLI, Rust library, WASM, and web editor. GitHub - zaina-ml/ml_forge: A visual-based graph node editor for training computer vision models. GitHub - anakin87/llm-rl-environments-lil-course: 🌱 A little course on Reinforcement Learning Environments for evaluating and training Language Models GitHub - takaakit/superpowers-uml: Superpowers-UML modifies Superpowers to ensure a software development workflow in which AI agents design through UML modeling. AdriByte Studio - Sviluppo Web e Soluzioni Digitali GitHub - chouligi/angel-copilot: Your personalized Angel Investment Advisor Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 GitHub - agenteractai/lodmem: Level Of Detail Context Management for Agents GitHub - ostefani/subnetlens: A fast, concurrent network scanner with a TUI and plain-text CLI, built in Go. It discovers live hosts on your network, scans their open ports, resolves hostnames, and fingerprints operating systems—delivered. Cyber Pulse: Agentic Intel - Apps on Google Play Whisper API: Self-Hostable Speech to Text Transcription The Agent-Web Protocol Stack: A Research Thesis GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Show HN: Provepy – A Python decorator that proves your code using Lean and LLMs Show HN: Pardonned.com – A searchable database of US Pardons GitHub - patrickdappollonio/dux: Dux is a terminal UI that lets you run multiple AI coding agents side by side, each in its own git worktree, with full companion terminals, macros, commit generation, and a command palette that knows more tricks than you do. kMC Crystal Simulator Show HN: HyperFlow – A self-improving agent framework built on LangGraph GitHub - stef41/vibescore: 🎵 Grade your vibe-coded project. One command, instant letter grade across security, quality, dependencies, and testing. GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. imgur.com GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. GitHub - nowork-studio/toprank: Open-source Claude Code skills for SEO, SEM, Google Ads GitHub - tacomanator/sash: Lightweight macOS menu bar app for reliably cycling through windows of the current application. Appents | Social Media Management for Product-First Teams GitHub - pnhoang/youtube-spam-blocker: Automatically detects and hides spam messages in YouTube Live chat. Set rate limits, keyword filters, and block repeat offenders. GitHub - decisionnode/DecisionNode: CLI + Local MCP - A shared structured memory store across Claude Code, Cursor, Windsurf, Antigravity, and every MCP client. Semantically queryable. GitHub - AvaCodeSolutions/django-email-learning: An open source Django app for creating email-based learning platforms with IMAP integration and React frontend components. The $100K Gap in Kubernetes Security Tooling Function Calling Harness: From 6.75% to 100%
GitHub - ransomleak/training-security-awareness: Free interactive training materials in SCORM format
dkozyatinski · 2026-06-26 · via Hacker News: Show HN

Free Security Awareness Training for Employees — Open Source Interactive SCORM Library

100+ free, open-source security awareness training exercises for employees — hands-on, interactive SCORM modules covering phishing awareness training, GDPR, AI security, and more. Built for people who want to retain what they learn and share it with others.

Interactive security awareness training demo — first-person phishing awareness exercise in a 3D office

👥 Talk to the Founders  |  🔗 Browse the Full Library  |  🎮 Try a live phishing awareness demo


Why this free security awareness training is different

Most security awareness training is forgettable: boring slide decks, soulless videos, and lately, AI-generated materials that turn people off. The problem isn't the content itself — it's the format, because passive learning doesn't build habits. People sit through a 10-minute video, click "Complete," and remember nothing when it matters.

This free, open-source security awareness training library takes a different approach.

Every exercise drops you into an interactive 3D office environment where you face realistic incidents in first-person. You interact with real objects — a phone, a PC running a live OS (browser, terminal, Zoom), a flipchart — and make decisions under pressure, just like you would at your desk.

Scenarios include things like:

  • Phishing awareness training for employees — spotting phishing indicators in a suspicious email
  • Vishing simulation — handling a scam phone call in real time
  • Malware response — downloading a malicious file and watching the consequences unfold
  • Smishing, MFA fatigue, and BEC — the social-engineering attacks employees face daily

The goal is to build muscle memory so that when something bad is about to happen at work, people remember having faced it before — and respond accordingly. Every exercise ends with a quiz at a 100% pass threshold to confirm the knowledge is stuck.


Format: SCORM security awareness training modules, ready for any LMS

Every exercise is a SCORM .zip file — ready to import into any LMS, embed into your existing training pipeline, or test on SCORM Cloud before rollout. That makes this one of the easiest free security awareness training options to deploy across a whole workforce.

The repo root contains full course packages. The Individual Exercises folder contains standalone exercises if you want to build a custom curriculum.

The content is fully white-labeled — no logos, no backlinks, no strings attached. Use it however you like; more on this below.


Usage & License: free to use for employee security awareness training

You're free to use, embed, and teach with this content — personally, professionally, or commercially in workshops. Redistributing or reselling the content as a standalone product is prohibited.

CC BY-NC 4.0

This open-source security awareness training library is licensed under CC BY-NC 4.0. Free to use and share with attribution. Commercial resale of the content is prohibited.


The Complete Security Awareness Training Stack

For Your Company

We also ship an enterprise-grade cloud LMS with all the security awareness training content on board. So if you'd like to get the training without the headache of installing / managing your LMS, drop us a line. LMS functionality includes, but is not limited to:

  • Campaigns & automation — recurring training programs, auto-enrollment by role or risk level, custom learning paths, and automated reminders that escalate to managers
  • Phishing & smishing simulations — direct mailbox injection via the M365 Graph API and Google Workspace (no spam-filter fights), full-funnel tracking from delivery to report, and auto-remediation that assigns targeted phishing awareness training on failure
  • Human Risk Score & analytics — a 0–100 risk score per employee, real-time dashboards, and risk-based automation to remediate your riskiest users first
  • Compliance reporting — audit-ready reports for SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, NIS2, and the EU AI Act, exportable to PDF, CSV, or Excel on a schedule
  • Enterprise integrations — SSO (SAML 2.0, OAuth 2.0, OIDC — works with Okta, Azure AD, Google Workspace) with SCIM provisioning from your IdP, plus Slack & Teams notifications, calendar sync, SIEM export (Splunk, Sentinel, QRadar), and a full API with webhooks
  • Your content too — upload PDFs, videos, slides alongside RansomLeak exercises, or have scenarios custom-built around your industry and policies

For MSPs

The LMS is multi-tenant by design, built for delivering security awareness training across an entire book of business from one place:

  • Sub-tenant provisioning — spin up isolated tenants for each client, with per-tenant license management and consolidated reporting across your whole portfolio
  • White-labeling & distribution — your logo, custom domain, client's branding. Deliver via per-tenant SCORM packages or hosted tenants
  • MSP-grade content — phishing awareness training and exercises calibrated for the threats MSPs face: RMM/PSA credential phishing, help-desk vishing, MFA push fatigue, ransomware first-hour response, and BEC
  • Compliance leverage — per-employee completion records that satisfy CIS Controls 4.4, CMMC 2.0, SOC 2, and the evidence cyber-insurance carriers now demand at renewal

If you're interested, please feel free to reach out to us


Table of Contents

OWASP Top 10 for Agentic Applications

  1. AI Agent Goal Hijacking — Stop an autonomous AI agent from being redirected by a poisoned email containing hidden instructions by detecting hidden instructions embedded in incoming data that redirect agent objectives, tracing how a goal-hijacked agent pivots from legitimate tasks to data exfiltration, and applying input validation strategies that prevent agents from treating data as instructions.

  2. AI Agent Tool Exploitation — Prevent an AI agent from being manipulated into using its legitimate tools to delete files and send unauthorized messages by identifying how ambiguous prompts cause agents to misuse legitimate tool access, tracing destructive tool calls triggered by manipulated input parameters, and applying least-privilege tool access policies to contain agent tool exploitation.

  3. Agent Identity and Privilege Abuse — Prevent an AI agent from reusing inherited high-privilege credentials to access systems beyond its authorized scope by tracing how agents inherit and propagate user credentials across different system contexts, identifying confused deputy vulnerabilities where agent privilege exceeds intended scope, and applying scoped credential delegation to prevent cross-context privilege escalation.

  4. Agentic AI Supply Chain Attack — Investigate a backdoored third-party AI plugin that silently modifies agent behavior and exfiltrates sensitive data by detecting behavioral anomalies indicating a compromised third-party AI component, tracing data exfiltration pathways through backdoored plugins and MCP servers, and applying supply chain verification practices before integrating external AI tools.

  5. AI Agent Code Injection — Catch an AI coding assistant before it executes a shell script containing injected commands that compromise your system by detecting injected commands hidden within AI-generated code and shell scripts, tracing how user input flows through code generation into unsandboxed execution, and applying code review and sandboxing practices to AI-generated scripts before execution.

  6. AI Agent Memory Poisoning — Detect adversarial content injected into an AI agent's persistent memory that corrupts all future decisions by identifying poisoned entries in an agent's persistent memory and retrieval context, tracing how corrupted memory influences downstream agent decisions across sessions, and applying memory integrity verification to detect and remove adversarial content.

  7. Agent-to-Agent Communication Spoofing — Intercept and identify spoofed messages between AI agents in a multi-agent workflow before fabricated instructions cause damage by detecting spoofed agent identities and fabricated messages in multi-agent communication channels, tracing how unauthenticated inter-agent messages enable man-in-the-middle attacks, and applying message authentication and agent identity verification to secure multi-agent systems.

  8. Multi-Agent Cascading Failure — Contain a minor AI hallucination before it cascades through downstream agents into a catastrophic system-wide failure by tracing error propagation from a single agent hallucination through multiple downstream systems, identifying amplification points where small errors compound into catastrophic outcomes, and applying circuit breaker patterns and human checkpoints to interrupt cascading agent failures.

  9. Over-Trusting AI Agent Recommendations — Catch a series of compromised AI agent recommendations that exploit your trust to approve a fraudulent transfer and a backdoored code change by recognizing automation bias patterns where consistent AI accuracy creates false confidence, identifying subtle anomalies in AI recommendations that indicate manipulation or compromise, and applying structured verification workflows that resist social engineering through AI interfaces.

  10. Detecting a Rogue AI Agent — Investigate a compromised AI agent that appears functional while silently performing unauthorized actions and evading monitoring by detecting covert unauthorized actions performed by an agent that appears to be operating normally, tracing persistence mechanisms that allow rogue agents to survive restarts and monitoring sweeps, and applying behavioral analysis and anomaly detection to distinguish rogue agents from legitimate ones.

OWASP Top 10 for LLM Applications

  1. OpenClaw Prompt Injection — Stop an AI assistant from leaking data via hidden prompts by identifying hidden instructions in documents, preventing data exfiltration through AI tools, and recognizing prompt injection patterns.

  2. Sensitive Data Exposure Through AI — See what happens when confidential data enters a consumer AI tool by recognizing sensitive data categories that should never enter AI prompts, tracing how pasted content persists in AI training data and logs, and applying data classification policies before using AI tools.

  3. AI Supply Chain Compromise — Deploy an AI plugin that hides a backdoor in plain sight by identifying supply chain risks in third-party AI models and plugins, detecting behavioral anomalies in AI components from external sources, and applying vetting procedures before deploying marketplace AI tools.

  4. AI Training Data Poisoning — Watch poisoned documents corrupt your AI's answers in real time by tracing how manipulated documents alter AI-generated outputs, identifying signs of data poisoning in AI responses, and applying content integrity controls to knowledge base inputs.

  5. Unsafe AI Output Handling — Exploit an AI whose outputs flow unchecked into live systems by identifying injection risks when AI outputs feed into downstream systems, tracing how unsanitized AI output enables code execution, and applying output validation controls between AI and connected systems.

  6. Over-Permissioned AI Agent — Manipulate an AI assistant into misusing its own permissions by identifying excessive permissions granted to AI agents, tracing unauthorized actions performed by manipulated AI tools, and applying least-privilege principles to AI agent configurations.

  7. AI System Prompt Extraction — Extract hidden instructions from a customer-facing AI chatbot by executing prompt extraction techniques against a live AI chatbot, identifying sensitive information exposed through leaked system prompts, and applying prompt hardening techniques to prevent system instruction disclosure.

  8. RAG Pipeline Exploitation — Exploit a RAG pipeline to access documents beyond your clearance by identifying access control failures in vector database retrieval, tracing how adversarial embeddings corrupt search results, and applying authorization checks at the retrieval layer of RAG systems.

  9. AI Hallucination and Misinformation — Catch fabricated statistics and fake citations in an AI report by detecting hallucinated facts and fabricated sources in AI outputs, verifying AI-generated claims against authoritative references, and applying fact-checking workflows to AI-assisted business content.

  10. AI Denial-of-Service Attack — Launch a denial-of-wallet attack against an unprotected AI API by identifying resource exhaustion vectors in AI API endpoints, tracing how crafted prompts escalate compute costs exponentially, and applying rate limiting and budget controls to AI service deployments.


Web & Browser Safety

  1. HTTPS & Website Security — Learn why the padlock icon is not proof of safety by evaluating real-world certificate warnings, expired certs, and mismatched TLS certificates across simulated websites.

  2. Safe Browsing & Downloads — Spot malicious downloads before they run by navigating fake vendor sites, deceptive update prompts, and drive-by download traps that disguise malware as legitimate software.

  3. Typosquatting Awareness — Catch the domain tricks attackers use against you by identifying lookalike URLs, character-swap domains, and homograph attacks that are nearly pixel-perfect in your browser's address bar.

  4. Browser Autofill Risks — Hidden form fields silently steal your autofilled data, as demonstrated through a realistic scenario where a colleague unknowingly submits credit card and home address details to an attacker-controlled page.

  5. Browser Extension Safety — That helpful extension might be stealing everything, as shown by tracing a forensic timeline of how a highly-rated productivity extension exfiltrated data from an unsuspecting user's device.

  6. Browser Notification Abuse — Recognize fake CAPTCHA prompts designed to hijack notification permissions and learn to revoke malicious push notification access before attackers escalate to credential phishing.


Passwords & Account Security

  1. Password Manager Habits — Build strong habits with your password manager by migrating weak and reused passwords into a vault, generating unique replacements, and using autofill as a phishing detection tool.

  2. Least Privilege Awareness — Keep access to the minimum your job requires by auditing realistic permission assignments, revoking stale admin rights, and flagging shared service accounts and expired contractor credentials.

  3. Joiner-Mover-Leaver Awareness — Manage access rights through role transitions by working through onboarding, lateral moves, and offboarding scenarios that include manager exceptions, forwarded files, and emergency access requests.

  4. MFA Setup & Best Practices — Set up multi-factor authentication the right way by comparing SMS, authenticator apps, and hardware keys, and learning to recognize and resist MFA fatigue push notification attacks.

  5. Credential Stuffing Awareness — See how breached passwords fuel automated attacks by tracing a live credential stuffing incident, identifying compromised accounts, and breaking the password reuse cycle.

  6. Account Recovery Security — Defend account recovery from social engineering by practicing identity verification procedures under pressure from a convincing caller impersonating a locked-out employee.

  7. Privileged Access Basics — Learn why admin accounts need special handling by contrasting a just-in-time access workflow with an incident where everyday use of a privileged account gave an attacker immediate infrastructure access.


Device Security

  1. Ransomware — Survive a ransomware attack in real time by making rapid containment decisions as files encrypt, programs fail, and the malware spreads across shared drives and mapped network resources.

  2. USB Drop Attack — Think twice before plugging in that USB drive by experiencing a simulated autorun attack, including Rubber Ducky payloads that compromise a system in under 10 seconds.

  3. Backup Best Practices — Build a backup plan that survives ransomware by learning the 3-2-1 rule, understanding the difference between sync and true backup, and discovering the real consequences of common backup failures.

  4. Encryption & Lock Discipline — Practice the habits that protect unattended devices by seeing what an attacker can accomplish in 90 seconds on an unlocked laptop, then configuring auto-lock and verifying full disk encryption.

  5. OS Updates & Patching Basics — See why skipping updates opens real attack paths by tracing what a deferred security patch was fixing and how quickly attackers weaponize newly published CVEs.

  6. Endpoint Patching & EDR Alerts — Know what your EDR alert means and what to do next by triaging live process anomalies, registry changes, and unusual network connections to decide whether to ignore, investigate, or escalate.

  7. Safe Bluetooth Practices — Your headphones are broadcasting more than music — audit paired devices, configure non-discoverable mode, and understand the BlueBorne, KNOB, and BLUFFS vulnerability families that exploit discoverable Bluetooth connections.

  8. File Extension Awareness — It looks like a PDF but runs like malware — learn to spot double-extension tricks, reveal true file types, and identify dangerous extensions like .scr, .cmd, .vbs, and .ps1.


Protecting Sensitive Information

  1. Data Leakage — Stop sensitive data from leaving your organization by walking through misdirected emails, hidden document metadata, unsecured file shares, and less obvious leakage channels like AI tools and screen sharing.

  2. Data Classification Basics — Label data correctly by sensitivity level by sorting real-world documents into Public, Internal, Confidential, and Restricted categories and applying the correct storage, sharing, and disposal rules for each.

  3. Identity Theft Prevention — Spot identity theft tactics targeting employees by recognizing convincing HR impersonation emails, unattended personnel files, and phone callers armed with enough personal detail to sound legitimate.

  4. Secure Sharing Practices — Share files safely without creating security gaps by evaluating common sharing scenarios and learning why a password-protected expiring link differs from an unencrypted email attachment.


Incident Reporting

  1. General Incident Reporting — Know when and how to report a security incident. Recognize what qualifies as an incident, complete a security report correctly, understand reporting timelines and thresholds.

  2. Reporting Culture — Build a team that reports without fear. Practice blameless incident reporting, understand psychological safety principles,apply the aviation CRM framework


Phishing & Impersonation Attacks

  1. Vishing — Handle a realistic voice phishing call by detecting caller ID spoofing, practicing callback verification through official numbers, and resisting urgency and authority pressure from a convincing impersonator.

  2. Phishing — Spot a phishing email before you click by examining spoofed sender addresses, hovering over mismatched URLs, and identifying the emotional pressure tactics that drive credential theft.

  3. Double Barrel Phishing — Recognize the two-email trust trap by identifying the harmless setup message and the malicious follow-up that exploits the trust established in the first exchange.

  4. Whaling With A Deepfake — Spot an AI-generated executive on a video call by detecting deepfake indicators during a live meeting and verifying identity before authorizing an irreversible financial transfer.

  5. Social Engineering — Recognize manipulation before you comply by holding your ground against a caller using authority, reciprocity, and artificial urgency, then redirecting verification through official channels.

  6. Business Email Compromise — Stop a CEO impersonation wire fraud by detecting executive impersonation emails, verifying payment requests out-of-band, and understanding why BEC causes billions in annual losses.

  7. Smishing — Detect fraud hiding in your text messages by slowing down on urgent delivery alerts and banking notifications, verifying through official channels, and never tapping shortened URLs.

  8. Callback Phishing — Handle a fake invoice designed to make you call by identifying TOAD attack patterns, spotting fake invoices with callback numbers, and responding without clicking any links.

  9. Spear Phishing — Your public LinkedIn profile is an attacker's playbook — trace how a single social media post enables a fully personalized phishing email complete with credential-harvesting collaboration portal.

  10. QR Code Phishing (Quishing) — That QR code skips every email filter you have — walk through a realistic quishing attack chain and learn to preview QR code destinations before scanning on your mobile device.

  11. Tech Support Scams — That virus warning is the actual attack — recognize fake browser-based system alerts, refuse remote access requests from unsolicited callers, and learn why Ctrl+Alt+Delete is the correct first response.

  12. WhatsApp Social Engineering — Your "boss" on WhatsApp isn't your boss — experience a real-time impersonation conversation that escalates into a gift card scam and learn why messaging apps are a preferred attack channel.

  13. SEO Poisoning Awareness — Top search results aren't always trustworthy — detect a poisoned software download page, verify authenticity through publisher signatures and file hashes, and navigate directly to official vendor sites.


GDPR Compliance

  1. Marketing Consent Management — Build compliant opt-in flows that regulators accept by designing consent flows that meet GDPR Article 7 standards, building a consent record system, and handling live withdrawal requests.

  2. Fraudulent DSAR Detection — Spot fake data access requests used for social engineering by evaluating incoming DSARs for identity inconsistencies, urgency language, and mismatched contact details before responding.

  3. Data Breach Response — Triage a breach and meet the 72-hour notification clock by assessing incident severity, drafting a supervisory authority notification, and making judgment calls about what qualifies as notifiable under Article 33.

  4. Third-Party Data Processor Vetting — Evaluate a vendor's data processing controls before signing by reviewing security certifications, sub-processor arrangements, breach notification procedures, and DPA clauses that fall short of Article 28.

  5. Security Incident Response — Coordinate security and privacy teams during a live breach by running parallel workstreams that balance containment priorities with personal data assessment and Article 33 notification deadlines.

  6. Privacy by Design Review — Evaluate a product feature through a privacy-first lens by applying Article 25 data minimization checks and navigating real tradeoffs between functionality and privacy in behavioral tracking requests.

  7. Legitimate DSAR Processing — Process a data subject access request end to end by verifying requester identity, searching across CRM, email archives, analytics, and backups, then compiling and redacting the response within 30 days.

  8. Cross-Border Data Transfers — Navigate transfer mechanisms for data leaving the EEA by assessing adequacy decisions, selecting Standard Contractual Clauses, and conducting a Transfer Impact Assessment following the Schrems II ruling.

  9. PII Document Redaction — Redact personal data from documents before disclosure by learning why black-box overlays and unstripped metadata can expose what you thought you removed.

  10. Data Protection Impact Assessment — Run a DPIA for a high-risk data processing activity by working through Article 35 triggers, risk mapping, proportionality assessment, and producing documentation that meets statutory content requirements.

  11. Data Mapping and Records of Processing — Build an Article 30 processing register from scratch by conducting data flow interviews across departments and connecting fragmented data practices into a coherent, compliant RoPA.


Safe Communication & Sharing

  1. Social Media Oversharing — See how attackers exploit your public profiles by discovering how a vacation photo, birthday post, and conference check-in can be combined into a profile enabling highly personalized attacks.

  2. Cloud Sharing Controls — Audit who can see your shared files right now by reviewing a tangled permissions history, tightening access to minimum required levels, and setting expiration dates under time pressure.

  3. Guest Access Management — Control what external users can reach and for how long by auditing dormant guest accounts, revoking access from vendors whose projects have ended, and creating a structured offboarding checklist.

  4. Secure Messaging Practices — Stop sensitive data from leaking through chat apps by recognizing when passwords, customer PII, or whiteboard photos have been shared carelessly and learning the correct channels for sensitive information.

  5. Social Media Policy — Learn what not to post on corporate accounts by evaluating real scenarios where LinkedIn posts and office photos inadvertently leaked deal details, client data, and internal system information.

  6. Third-Party App OAuth Risks — Check what you gave permission to access by evaluating whether a new app's requested permissions match its actual function and auditing OAuth-connected apps for excessive or unnecessary access.


Workplace Security

  1. Insider Threat (Intentional) — Recognize the warning signs of a malicious insider by spotting the pattern of after-hours file access and large USB transfers before the damage reaches a point of no return.

  2. Shadow IT Awareness — Find out what happens when teams use unapproved apps by tracing what occurred behind the scenes when a confidential spreadsheet was uploaded to a free online converter with no data agreement.

  3. Image-Based Attacks (Stegosploit) — That image file might be carrying more than pixels — investigate a contractor's portfolio that hides a JavaScript payload inside a JPEG and learn three steganographic attack methods and their detection approaches.

  4. Insider Threat (Accidental) — One wrong attachment and forty-seven salaries are exposed — experience a misdirected email incident from the DLP flag through the full incident reporting workflow.

  5. Collaboration Tool Hygiene — One shortcut in Slack and credentials are everywhere — audit channel integrations and ex-employee access after discovering that pasted database credentials were exfiltrated through a stale webhook.


Remote & Home Office Security

  1. VPN Usage & Safety — Configure and use your VPN without leaving gaps by experiencing the real consequences of a mid-session disconnect on public Wi-Fi, including exposed credentials and unencrypted file transfers.

  2. Home Router Security — Find out who else is on your home network by identifying unauthorized connected devices, changing default admin credentials, disabling WPS, enabling WPA3, and recognizing signs of DNS hijacking.


Real-World Incidents

  1. MGM Resorts Breach — Relive the 10-minute helpdesk call that cost $100M by tracing the Scattered Spider attack chain from LinkedIn reconnaissance through a vishing call to ALPHV/BlackCat ransomware deployment.

  2. OneNote Email Attack — Trace a real BEC scam built on weeks of inbox surveillance by receiving a lookalike-domain invoice redirect that uses real project details and the exact right amount to defeat scrutiny.


Security Policies & Your Role

  1. Audit Mindset Basics — Think like an auditor to find compliance gaps before external reviewers do by checking whether password policies match real behavior, verifying access reviews, and identifying gaps between written procedures and daily operations.

  2. Audit Portal Training — Navigate GRC portals and submit audit evidence. Upload and tag compliance evidence correctly, track remediation tasks to closure, avoid common portal submission errors

  3. Employee Security Responsibilities — Know your personal security duties at work. Recognize tailgating and credential sharing risks, report incidents through the right channels, protect physical and digital access points

  4. ISMS Policy Awareness — Connect ISO 27001 policies to your daily work. Match ISMS policies to real work situations, understand the ISO 27001 policy structure, spot gaps between policy and daily practice.

  5. Internet & Email Acceptable Use — Stay within corporate internet and email policies. Recognize risky email forwarding behaviors, understand personal device boundaries at work, avoid common acceptable use violations

Topics: security awareness training · free security awareness training · free security awareness training for employees · open source security awareness training · phishing awareness training for employees · free phishing awareness training · security awareness training for employees · cyber security awareness training · employee security awareness training · SCORM security awareness training · phishing simulation · GDPR training · human risk management