Learn security by breaking things
Interactive security simulations, score-based games, and hands-on learning paths. Exploit real vulnerabilities in your browser — then learn how to fix them.
Learn by doing
Hands-on simulations, not boring videos.
50 attack simulations
SQL injection, XSS, supply chain, ransomware, and more.
Free to start
No signup needed. Play any simulation or game.
Security Simulations
21 available
Interactive attack demos — learn by doing, not by reading.
SQL Injection
Bypass authentication and extract database rows from a vulnerable login form.
Try it →
Cross-Site Scripting
Inject scripts into a comment board, steal cookies, and bypass CSP filters.
Try it →
Container Escape
Break out of a Docker container — exploit privileged mode.
Try it →
Security Games
50 games
Score-based challenges — test your security instincts under pressure.
JWT Heist
Exploit JWT vulnerabilities to escalate privileges and steal admin access.
Play →
Log Hunter
Analyze server logs to detect attacks, anomalies, and IOCs.
Play →
Network Defense
Pick the right mitigation for each attack — WAF, rate limit, fail2ban.
Play →
Browser Tools
50 tools
No signup, no server. Runs entirely in your browser — nothing leaves your device.
AES Encrypt / Decrypt
AES-256-GCM with PBKDF2 key derivation.
Open →
JWT Decoder + Auditor
Decode and security-audit JSON Web Tokens.
Open →
SSL Certificate Parser
Inspect X.509 cert fields, SANs, expiry, and fingerprint.
Open →
Hash Generator
SHA-256, SHA-512, MD5, and more. Real-time.
Open →
Base64 Encoder / Decoder
Standard and URL-safe Base64.
Open →
Random Secret Generator
Hex, Base64, or alphanumeric secure secrets.
Open →
The complete platform
Training, tools, API, blog, and certificates — everything in one place.
50 Simulations
Hands-on attack demos — SQL injection, XSS, SSRF, ransomware, prompt injection, and more.
Explore →
50 Games
Score-based challenges with leaderboards — JWT Heist, Security Jeopardy, Bug Bounty Rush.
Explore →
50 Browser Tools
AES, JWT, Base64, hash, YAML, regex, Nginx config — all browser-side, no signup.
Explore →
REST API
35+ endpoints for crypto, encoding, JWT, converters. Integrate into your apps programmatically.
Explore →
30 Blog Posts
Practical guides — supply chain security, CORS, Docker hardening, incident response.
Explore →
Certificates & Paths
5 learning paths. Earn verifiable certificates. Share on LinkedIn. Track your streak.
Explore →
From the Blog
Practical encryption and security guides for developers.
Clickjacking Attacks Explained — X-Frame-Options vs. frame-ancestors CSP
Clickjacking lets attackers trick users into clicking hidden iframes on your site. Here's exactly which headers to set and why frame-ancestors CSP beats X-Frame-Options.
Read →
OWASP Top 10 2025 Explained — With Real Code Examples for Developers
A practical breakdown of the OWASP Top 10 2025 for backend and fullstack developers, with code examples showing what vulnerable and fixed code actually looks like.
Read →
SQL Injection Prevention — A Practical Guide with Code Examples
Learn how to prevent SQL injection in Node.js, Python, Java, PHP, and more with parameterized queries, ORMs, and input validation patterns that actually work.
Read →