Job Paths
Explore role-based learning paths, then complete optional AI-marked scenario submissions for each job path.
GRC Analyst Job Path
Core progression for analysts building practical governance, risk, compliance, and control execution skills.
Free scenarios available
Path 1
GRC Fundamentals
Build your foundation in governance, risk, and compliance. Learn core concepts, key terminology, and how GRC frameworks work together.
Locked — Upgrade required
Path 2
GRC Primer Practice
A beginner-friendly path to practice core GRC concepts with short, practical rooms before moving into larger role-based tracks.
Locked — Upgrade required
Path 3
GRC Starter Labs
A second beginner track for building confidence with foundational governance, risk, control, and reporting workflows.
Locked — Upgrade required
Path 4
Beginner GRC Foundations Lab
A beginner path for mastering essential GRC terms, policy hierarchy, and practical risk-writing fundamentals.
Locked — Upgrade required
Path 5
Beginner Risk & Controls Workshop
An entry-level workshop path covering risk scoring, appetite basics, and understanding control outcomes vs activities.
Locked — Upgrade required
Path 6
Risk & Compliance Operations
An intermediate path focused on day-to-day risk analysis, treatment decisions, KRIs, and compliance operations execution.
Locked — Upgrade required
Path 7
Risk Management Professional
Master advanced risk assessment methods, treatment planning, monitoring, and executive reporting through practical scenarios.
Locked — Upgrade required
Path 8
Control Assurance Practice
Intermediate path focused on control evidence, audit readiness, and practical assurance execution across day-to-day programs.
Locked — Upgrade required
Path 9
Framework Mastery
Build fluency across major security and compliance frameworks, then map controls across standards for unified assurance.
Locked — Upgrade required
Path 10
Intermediate Risk Treatment Lab
Intermediate path focused on practical risk-treatment prioritization and decision quality in constrained environments.
Locked — Upgrade required
Path 11
Control Design & Operating Effectiveness Testing
Build practical GRC skills for evaluating whether controls are designed appropriately and operating effectively through realistic scenarios covering onboarding, daily operations, monitoring, exceptions, remediation, and reporting.
Locked — Upgrade required
Path 12
Issue Management Root Cause Analysis & Corrective Action Governance
Build practical GRC skills for identifying issues, analyzing root causes, governing corrective and preventive actions, managing ownership and evidence, and reporting remediation status across realistic operational, compliance, technology, and third-party scenarios.
Locked — Upgrade required
Path 13
Control Deficiency Rating & Materiality Governance
Develop advanced judgment for rating control deficiencies, determining materiality, governing aggregation decisions, and escalating nuanced risk scenarios across financial reporting, operational compliance, technology control environments, and executive oversight structures.
Locked — Upgrade required
Path 14
Issue Taxonomy Governance & Enterprise Loss Event Classification
Strengthen enterprise GRC decision-making by governing issue taxonomies and classifying loss events across operational risk, technology, compliance, third-party, model, conduct, and cyber scenarios. Practice nuanced classification choices, threshold design, cross-framework mapping, portfolio analytics, and executive reporting under ambiguous real-world conditions.
Locked — Upgrade required
Scenario Submissions
Free members: 1 AI-graded submission per week across the intro scenario tracks.
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Recurring Vendor Due Diligence Failures and Weak Root Cause Governance
3 guided questions
Free preview
Case Study
Overdue Corrective Actions After a Vendor Risk Review
3 guided questions
Locked — Upgrade required
Case Study
Corrective Action Governance After a Recurring Access Review Failure
3 guided questions
Free preview
Case Study
Rationalize Overlapping Operational Controls in a Shared Services Environment
3 guided questions
Free preview
Case Study
Rationalize a Global Control Library After a Merger
3 guided questions
Free preview
Case Study
Rationalize Overlapping Controls Across Three Frameworks
3 guided questions
Locked — Upgrade required
Case Study
Operating Risk Appetite Limits During a Rapid Expansion
3 guided questions
Free preview
Case Study
Operating an Enterprise Risk Appetite, Tolerance, and Limit Framework
3 guided questions
Locked — Upgrade required
Case Study
Launching the Semiannual RCSA Cycle at Harborview Credit Union
3 guided questions
Locked — Upgrade required
Case Study
Refresh the RCSA Program for Third-Party Claims Operations
3 guided questions
Locked — Upgrade required
Job path certificate
GRC Analyst Job Path
Complete every lab, case study, and the scenario path above to unlock the GRC Analyst Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Draft an enterprise risk statement and identify the top three business drivers.
- Scenario 2: Build a control map linking key risks to preventive and detective controls.
- Scenario 3: Create a short evidence checklist for a monthly control health review.
- Scenario 4: Run a mock issue triage and assign owners with due dates.
- Scenario 5: Prepare a one-page leadership summary of risk posture and control gaps.
- Scenario 6: Design a control testing calendar using risk-weighted prioritization criteria.
- Scenario 7: Define testing procedures with objective evidence requirements and pass/fail rules.
- Scenario 8: Review sample quality and identify where sample expansion is warranted.
- Scenario 9: Create a QA checklist for consistency, traceability, and reviewer sign-off.
- Scenario 10: Summarize recurring control failure themes and preventive action proposals.
IT Audit & Assurance Job Path
Role-based track for internal audit, control testing, and external assurance readiness.
Locked for free members
Path 1
Beginner Audit & Risk Basics
Beginner path for practical incident classification and evidence quality fundamentals used in day-to-day GRC work.
Locked — Upgrade required
Path 2
Intermediate Audit & Assurance Lab
Intermediate practice path for control testing sampling, findings calibration, and remediation tracking discipline.
Locked — Upgrade required
Path 3
Intermediate Audit Scoping Lab
Intermediate path focused on scope definition and evidence traceability for stronger assurance outcomes.
Locked — Upgrade required
Path 4
Audit Analytics & Assurance
Hands-on advanced training to design, govern, and operate audit analytics & assurance programs.
Locked — Upgrade required
Path 5
Audit Ready
Prepare for audits end-to-end: planning, control testing, findings management, and simulated audit execution.
Locked — Upgrade required
Path 6
ITGC & SOX Financial Controls: Scope, Access & Testing
Build practical skills for evaluating IT general controls and their impact on financial reporting through realistic scenarios involving access, change, operations, interfaces, evidence, and deficiencies.
Locked — Upgrade required
Path 7
ITGC & SOX Financial Controls: Provisioning & Evidence
Build practical skills for operating and assessing IT general controls that support reliable financial reporting, with scenario-driven exercises across access, change, operations, interfaces, evidence, and deficiency handling.
Locked — Upgrade required
Path 8
ITGC & SOX Financial Controls: System Inventory & Execution
Practice scenario-driven governance, risk, and compliance work for IT general controls that support reliable financial reporting, with emphasis on SOX-scoped systems, evidence quality, and control operation.
Locked — Upgrade required
Path 9
ITGC & SOX Financial Controls: Financial Close & Audit Readiness
Build practical skills for designing, operating, and assessing IT general controls that support reliable financial reporting, with scenario-driven exercises across access, change, operations, interfaces, evidence, and deficiency handling.
Locked — Upgrade required
Path 10
SOX ITGC Access Recertification & SoD Exception Governance
Build practical SOX ITGC skills through realistic access recertification and segregation of duties exception governance scenarios covering reviewer preparation, quarterly certification, privileged access, ERP conflicts, temporary exceptions, remediation tracking, and audit-ready reporting.
Locked — Upgrade required
Path 11
SOC 2: Scoping, Controls & Vendor Risk
A scenario-driven learning path focused on practical SOC 2 work across scoping, controls, evidence, vendor risk, and incident response in a growing SaaS company.
Locked — Upgrade required
Path 12
SOC 2: Communication and Information
A practical path focused on SOC 2 Common Criteria 2, covering internal communication, external communication, policy awareness, incident reporting, and evidence gathering through scenario-driven GRC exercises.
Locked — Upgrade required
Path 13
SOC 2: Risk Assessment & Monitoring
A practical, scenario-driven path focused on SOC 2 common criteria Path 3, teaching learners how to identify risks, evaluate control changes, assess vendor exposure, and maintain effective risk monitoring in a GRC program.
Locked — Upgrade required
Path 14
Framework Mastery
Build fluency across major security and compliance frameworks, then map controls across standards for unified assurance.
Locked — Upgrade required
Path 15
Integrated Assurance Mapping & Control Rationalization
Learn how to map overlapping compliance requirements, rationalize duplicate controls, assign evidence owners, and manage exceptions through practical GRC scenarios across onboarding, operations, monitoring, incidents, and reporting.
Locked — Upgrade required
Path 16
COBIT Governance & Management Foundations
Build practical COBIT skills through realistic governance, risk, control, assurance, and performance management scenarios across planning, operations, monitoring, exceptions, and reporting.
Locked — Upgrade required
Path 17
COSO Internal Control Foundations
Build practical COSO internal control skills through realistic business scenarios involving control design, risk assessment, control activities, information flows, monitoring, exceptions, and remediation across common enterprise processes.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Internal Control Deficiency Evaluation and CAPA Governance at Northbridge Fulfillment
3 guided questions
Locked — Upgrade required
Case Study
Quarter-End Management Review Governance Breakdown
3 guided questions
Locked — Upgrade required
Case Study
Strengthening SOX Entity-Level Controls and Management Review Governance at Alder Ridge Health
3 guided questions
Locked — Upgrade required
Case Study
Strengthening Management Review Governance for Quarterly SOX Certifications
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Management Review Governance for Quarter-End SOX Certification
3 guided questions
Locked — Upgrade required
Case Study
Segregation of Duties Governance for Enterprise Business Processes
3 guided questions
Locked — Upgrade required
Case Study
Segregation of Duties Governance for Grant-Funded Procurement
3 guided questions
Locked — Upgrade required
Case Study
Segregation of Duties Governance Beyond SOX in a Global ERP Program
3 guided questions
Locked — Upgrade required
Job path certificate
IT Audit & Assurance Job Path
Complete every lab, case study, and the scenario path above to unlock the IT Audit & Assurance Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Define an audit scope for a high-risk business process.
- Scenario 2: Select a sample strategy and justify why it is risk-based.
- Scenario 3: Document one control test with clear pass/fail criteria.
- Scenario 4: Write a finding with condition, criteria, cause, and impact.
- Scenario 5: Build a remediation tracker with owner, date, and verification step.
- Scenario 6: Select key risk indicators and data sources to test control performance at scale.
- Scenario 7: Design an analytic test to detect segregation-of-duties conflicts in transactional data.
- Scenario 8: Evaluate false positives and tune thresholds while preserving assurance quality.
- Scenario 9: Document reproducibility requirements for scripts, queries, and evidence snapshots.
- Scenario 10: Present actionable findings that connect analytic results to remediation priorities.
Privacy Operations Analyst Job Path
For privacy analysts and privacy program operators handling governance, rights workflows, and regulatory compliance.
Locked for free members
Path 1
Data Security & Privacy Operations
Operationalize data classification, retention, privacy workflows, and control assurance across regulated datasets.
Locked — Upgrade required
Path 2
Privacy Governance Foundations — Track C
Alternate practice track for the Privacy Governance Foundations chapter. Covers ROPA operations, lawful basis design, vendor due diligence, retention controls, data subject rights, and breach coordination. Track A, B, and C cover the same learning objectives with different rooms — pick any one to complete the chapter.
Locked — Upgrade required
Path 3
Privacy Operations & Compliance — Track C
Alternate practice track for the Privacy Operations & Compliance chapter. Covers data inventory, lawful basis decisions, DSAR triage, retention and disposal, vendor transfer governance, and incident coordination. Track A, B, and C cover the same learning objectives with different rooms — pick any one to complete the chapter.
Locked — Upgrade required
Path 4
Advanced Privacy Program Operations — Track C
Alternate practice track for the Advanced Privacy Program Operations chapter. Covers governance operating model, records mapping, impact assessments, data subject rights center, transfers, and incident retention. Track A, B, and C cover the same learning objectives with different rooms — pick any one to complete the chapter.
Locked — Upgrade required
Path 5
US State Privacy Law Compliance Operations
Build practical operating skills for managing US state privacy law obligations through intake, classification, consumer rights handling, vendor oversight, assessments, and incident-driven response workflows.
Locked — Upgrade required
Path 6
Enterprise Data Retention Governance & Legal Hold Operations
Build practical GRC skills for designing, operating, and improving enterprise data retention and legal hold processes across collaboration platforms, HR systems, finance records, messaging, backups, and cross-functional investigations.
Locked — Upgrade required
Path 7
DSAR Governance & Case Operations
Advance DSAR governance and case operations through complex scenarios involving intake triage, identity assurance, search defensibility, legal exceptions, cross-border coordination, deadline risk management, and executive reporting across multi-system privacy operations.
Locked — Upgrade required
Path 8
Enterprise Data Deletion Governance & Erasure Operations
Execute advanced data deletion governance through realistic cross-border, multi-system erasure scenarios involving retention conflicts, legal holds, backup constraints, processor oversight, identity resolution, exception handling, metrics, and executive reporting.
Locked — Upgrade required
Path 9
Enterprise Data Inventory & Records of Processing Governance
Develop advanced, scenario-driven governance skills for building and sustaining defensible enterprise data inventories and Records of Processing Activities across complex operating models, including M&A, shadow IT, AI use cases, vendor ecosystems, international transfers, incident response, and executive reporting.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Freeze the Right Records During a Product Safety Lawsuit
3 guided questions
Locked — Upgrade required
Case Study
Legal Hold Breakdown During a Cross-Border Records Disposal Freeze
3 guided questions
Locked — Upgrade required
Case Study
Control the Lifecycle of Regulated Research Records
3 guided questions
Locked — Upgrade required
Case Study
Align the Retention Schedule with Legal Hold Governance
3 guided questions
Locked — Upgrade required
Case Study
Govern Data Retention and Disposition for Claims Operations
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Data Classification and Handling Operations After a Product Launch
3 guided questions
Locked — Upgrade required
Case Study
Contain a Vendor Oversight Gap for a HIPAA Business Associate
3 guided questions
Locked — Upgrade required
Case Study
Business Associate Oversight for a Cloud Transcription Vendor
3 guided questions
Locked — Upgrade required
Case Study
Preserve HR and Procurement Records During a Cross-Border Vendor Dispute
3 guided questions
Locked — Upgrade required
Job path certificate
Privacy Operations Analyst Job Path
Complete every lab, case study, and the scenario path above to unlock the Privacy Operations Analyst Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Map a data flow and identify controller/processor roles.
- Scenario 2: Evaluate lawful basis and notice requirements for one processing activity.
- Scenario 3: Create a DSAR handling checklist with SLA milestones.
- Scenario 4: Assess vendor transfer risk and define required safeguards.
- Scenario 5: Draft a privacy incident escalation note with required stakeholders.
- Scenario 6: Define data ownership roles for critical datasets used in risk and compliance reporting.
- Scenario 7: Create quality rules for completeness, accuracy, timeliness, and consistency checks.
- Scenario 8: Design exception handling workflows for failed data controls and unresolved defects.
- Scenario 9: Assess lineage documentation gaps and prioritize remediation for audit-relevant flows.
- Scenario 10: Prepare a governance dashboard for quality trend monitoring and accountability.
Security Engineering & Operations Job Path
Hands-on track for security engineers and operators: cloud security architecture, identity, application security, vulnerability management, incident response, operational technology, and ransomware readiness.
Locked for free members
Path 1
Cloud Security & Architecture
Build practical cloud governance and security architecture skills across IAM, network design, workloads, and resilience.
Locked — Upgrade required
Path 2
Cloud Governance, FinOps & Risk
Hands-on advanced training to design, govern, and operate cloud governance, FinOps & risk programs.
Locked — Upgrade required
Path 3
Identity Security Engineering
Design resilient IAM controls across joiner-mover-leaver lifecycle, privileged access, federation, and access reviews.
Locked — Upgrade required
Path 4
Application Security Assurance
Strengthen secure SDLC outcomes with threat modeling, code review governance, and release security controls.
Locked — Upgrade required
Path 5
Security Operations Engineering
Build practical SOC engineering capability across alerting quality, investigations, automation, and detection tuning.
Locked — Upgrade required
Path 6
Incident Response Operations
Train for real incident response: triage, containment, communications, and leadership decisions under pressure.
Locked — Upgrade required
Path 7
Cyber Resilience & Continuity
Hands-on advanced training to design, govern, and operate cyber resilience & continuity programs.
Locked — Upgrade required
Path 8
Vulnerability Management Operations
Hands-on advanced training to design, govern, and operate vulnerability management operations programs.
Locked — Upgrade required
Path 9
Zero Trust Implementation
Hands-on advanced training to design, govern, and operate zero trust implementation programs.
Locked — Upgrade required
Path 10
Operational Technology Security Governance
Build practical OT security governance skills through realistic scenarios covering asset governance, vendor and remote access oversight, maintenance and change control, monitoring and incident coordination, and remediation reporting across industrial environments.
Locked — Upgrade required
Path 11
Ransomware Readiness Governance
Build practical ransomware readiness governance skills through realistic GRC scenarios covering asset visibility, backup governance, third-party oversight, decision-making during incidents, and post-event remediation reporting.
Locked — Upgrade required
Path 12
CIS Controls Foundations in Practice
Practice applying CIS Controls v8 through realistic GRC scenarios covering asset visibility, software governance, data protection, secure configuration, access control, logging, vulnerabilities, and response-oriented compliance workflows.
Locked — Upgrade required
Path 13
Cryptographic Key Management Governance & Key Lifecycle Oversight
Work through advanced GRC scenarios that test governance over cryptographic key inventories, ownership, generation, distribution, storage, rotation, retirement, exception handling, third-party dependencies, and executive reporting across complex enterprise environments.
Locked — Upgrade required
Path 14
SBOM Consumer Governance & Vulnerability Response
Develop advanced, scenario-driven governance skills for consuming supplier SBOMs at scale, validating quality and trust, triaging vulnerability exposure, managing exceptions, and steering executive decisions across procurement, engineering, legal, and incident response workflows.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Quarterly Access Review for a Clinical Research Platform
3 guided questions
Locked — Upgrade required
Case Study
Identity and Access Review Governance for JML and Privileged Access Oversight
3 guided questions
Locked — Upgrade required
Case Study
Govern KMS Key Rotation and Retirement for Regulated Analytics Workloads
3 guided questions
Locked — Upgrade required
Case Study
Govern DevSecOps Controls for a Regulated Product Release
3 guided questions
Locked — Upgrade required
Case Study
Architecture Review Board Escalation for an Unapproved Customer Analytics Integration
3 guided questions
Locked — Upgrade required
Case Study
ARB Governance for a Regional CRM Modernization
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Baseline Drift in a Regional Lending Platform
3 guided questions
Locked — Upgrade required
Case Study
Prioritize Intelligence-Led Risk Action After Vendor Credential Abuse
3 guided questions
Locked — Upgrade required
Case Study
Govern a New Vulnerability Disclosure Program After an Uncoordinated Researcher Report
3 guided questions
Locked — Upgrade required
Case Study
Triage Rules for a Public Vulnerability Reporting Channel
3 guided questions
Locked — Upgrade required
Case Study
Open Source Release Governance and SBOM Assurance for a Telehealth Platform
3 guided questions
Locked — Upgrade required
Case Study
Stabilizing SBOM Assurance for an Open Source Release Pipeline
3 guided questions
Locked — Upgrade required
Case Study
Govern SBOM Quality for a Critical Vendor Release
3 guided questions
Locked — Upgrade required
Case Study
Governing Remote Vendor Access for a Water Treatment OT Environment
3 guided questions
Locked — Upgrade required
Job path certificate
Security Engineering & Operations Job Path
Complete every lab, case study, and the scenario path above to unlock the Security Engineering & Operations Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Prioritize attack scenarios by impact and likelihood.
- Scenario 2: Map detection coverage to a chosen threat scenario.
- Scenario 3: Define incident command roles for a simulated outage.
- Scenario 4: Document business continuity dependencies for one critical service.
- Scenario 5: Create a post-incident improvement plan with measurable outcomes.
- Scenario 6: Classify a security event and determine escalation based on impact and confidence.
- Scenario 7: Draft an incident timeline capturing detection, containment, eradication, and recovery.
- Scenario 8: Define communications for legal, executive, customer, and regulator stakeholders.
- Scenario 9: Evaluate evidence preservation and chain-of-custody requirements for investigation.
- Scenario 10: Write a post-incident review with root cause, lessons learned, and prioritized actions.
Security Compliance Engineer Job Path
Framework-focused track for security compliance engineers: NIST CSF 2.0, ISO 27001, multi-framework mapping, control baselines, exception governance, and security metrics.
Locked for free members
Path 1
NIST CSF 2.0 Core Functions in Practice
Apply the NIST Cybersecurity Framework 2.0 through practical GRC scenarios across Govern, Identify, Protect, Detect, Respond, and Recover activities.
Locked — Upgrade required
Path 2
NIST CSF 2.0 Govern Function
A practical, scenario-driven path focused on the Govern function in NIST Cybersecurity Framework 2.0, helping learners apply governance, policy, risk oversight, roles, and supply chain expectations in realistic GRC situations.
Locked — Upgrade required
Path 3
NIST CSF 2.0: Governance & Incident Response
A scenario-driven learning path focused on applying NIST Cybersecurity Framework 2.0 concepts to practical governance, risk, and compliance situations. Learners analyze policies, asset inventories, third-party risks, incident workflows, and improvement planning through hands-on GRC tasks.
Locked — Upgrade required
Path 4
NIST CSF 2.0: Risk Assessment & Executive Communication
A hands-on learning path focused on practical governance, risk, and compliance scenarios using NIST CSF 2.0. Learners work through realistic situations involving governance, asset understanding, risk assessment, control improvement, and communication with leadership.
Locked — Upgrade required
Path 5
ISO 27001: ISMS Foundations & Certification Readiness
A scenario-driven learning path covering core ISO 27001 concepts, implementation steps, risk treatment, documentation, internal audit, and continual improvement in practical GRC contexts.
Locked — Upgrade required
Path 6
ISO 27001: Control Implementation & Operations
A practical, scenario-driven path focused on implementing, operating, and evidencing ISO 27001 controls in real-world GRC environments.
Locked — Upgrade required
Path 7
ISO 27001: Scope, Controls & Continual Improvement
A practical, scenario-driven path for learning how to apply ISO 27001 concepts in real GRC situations, from scope and risk assessment to controls, incidents, audits, and continual improvement.
Locked — Upgrade required
Path 8
ISO 27001: Risk Assessment & Corrective Actions
A practical, scenario-driven path for learning how to apply ISO 27001 concepts in real GRC situations, from scoping and risk assessment to controls, incidents, audits, and continual improvement.
Locked — Upgrade required
Path 9
ISO 27001: Access Management & Supplier Assurance
A practical, scenario-driven learning path covering core ISO 27001 concepts through a Path 5-focused GRC lens, including scope, risk assessment, controls, incident response, supplier management, and audit readiness.
Locked — Upgrade required
Path 10
ISO 27001: Clause 6 Planning & Objectives
A practical, scenario-driven path focused on ISO 27001 Clause 6 planning activities, including risks and opportunities, information security objectives, and planning changes within an ISMS.
Locked — Upgrade required
Path 11
Framework Mastery
Build fluency across major security and compliance frameworks, then map controls across standards for unified assurance.
Locked — Upgrade required
Path 12
Security Metrics & KRI Design
Build the skills to design, govern, and operationalise security metrics and key risk indicators — from taxonomy and data quality through to threshold calibration and escalation governance.
Locked — Upgrade required
Path 13
NIST RMF Foundations Through Practical GRC Scenarios
Build hands-on NIST Risk Management Framework skills through realistic scenarios covering system categorization, control selection, implementation planning, assessment readiness, authorization support, and continuous monitoring across public sector and regulated environments.
Locked — Upgrade required
Path 14
CIS Controls Foundations in Practice
Practice applying CIS Controls v8 through realistic GRC scenarios covering asset visibility, software governance, data protection, secure configuration, access control, logging, vulnerabilities, and response-oriented compliance workflows.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Govern a Firewall Logging Exception with Compensating Controls
3 guided questions
Locked — Upgrade required
Case Study
Govern a Time-Bound Security Exception for Vendor Access
3 guided questions
Locked — Upgrade required
Case Study
Executive KRI Governance for a Rapidly Expanding SaaS Business
3 guided questions
Locked — Upgrade required
Job path certificate
Security Compliance Engineer Job Path
Complete every lab, case study, and the scenario path above to unlock the Security Compliance Engineer Job Path certificate.
Third-Party Risk Analyst Job Path
For analysts managing vendor onboarding, due diligence, assurance, and ongoing third-party oversight.
Locked for free members
Path 1
Third-Party Risk Management
Build practical vendor risk workflows from assessment and due diligence through contracting and ongoing monitoring.
Locked — Upgrade required
Path 2
Third-Party Assurance Programs
Hands-on advanced training to design, govern, and operate third-party assurance programs.
Locked — Upgrade required
Path 3
Intermediate Vendor Assurance Lab
Intermediate path for vendor risk scoring and remediation governance with practical assurance workflows.
Locked — Upgrade required
Path 4
Third-Party Anti-Bribery Due Diligence
Build practical skills to evaluate, onboard, monitor, and escalate bribery and corruption risks involving agents, distributors, consultants, and other third parties through scenario-driven GRC workflows.
Locked — Upgrade required
Path 5
DORA ICT Third-Party Oversight Operating Model
Build a practical operating model for oversight of ICT third-party providers under DORA, using scenario-driven governance, monitoring, contracting, testing, incident coordination, and exit planning activities.
Locked — Upgrade required
Path 6
Third-Party Risk Issue Management & Exit Readiness
Practice managing third-party risk issues from identification through remediation, escalation, contingency planning, and exit readiness using realistic vendor oversight scenarios across onboarding, operations, monitoring, incidents, and termination planning.
Locked — Upgrade required
Path 7
Sanctions Compliance Governance & Screening Operations
Build practical sanctions compliance skills through realistic GRC scenarios involving governance design, customer and payment screening, alert handling, escalation, investigations, remediation, and reporting across global operations.
Locked — Upgrade required
Path 8
HIPAA Business Associate Oversight & Monitoring
Build practical HIPAA third-party governance skills through realistic scenarios involving vendor classification, BAAs, onboarding reviews, ongoing monitoring, incident coordination, exceptions, and remediation across healthcare business associate relationships.
Locked — Upgrade required
Path 9
HIPAA Business Associate Lifecycle Governance
Build practical HIPAA third-party governance skills through realistic scenarios involving vendor classification, business associate agreements, due diligence, operational oversight, incident coordination, and remediation across healthcare ecosystems.
Locked — Upgrade required
Path 10
Outsourcing Governance & Intragroup Service Oversight
Navigate advanced GRC decisions for third-party and intragroup service oversight across intake, contracting, criticality assessment, control reliance, concentration risk, incident escalation, remediation, and executive reporting in complex regulated environments.
Locked — Upgrade required
Path 11
Third-Party Concentration Risk Governance & Exit Strategy Planning
Build advanced GRC judgment for identifying, quantifying, governing, and exiting concentrated third-party dependencies across critical services, cloud platforms, managed providers, data processors, and niche vendors. Practice scenario-driven decisions involving board reporting, contract design, financial and operational stress, substitutability analysis, incident-driven exits, and regulator-facing remediation.
Locked — Upgrade required
Path 12
Vendor Security Incident Notification & Joint Response Governance
Work through advanced third-party incident governance scenarios involving contractual notification triggers, joint response operating models, evidence negotiation, regulatory time-pressure, cross-border constraints, executive escalation, and post-incident remediation across complex vendor ecosystems.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Locked — Upgrade required →
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Map Fourth-Party Exposure in a Critical Claims Processing Chain
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Sanctions Governance After Screening Alert Backlogs
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Sanctions Screening Governance After Alert Backlogs
3 guided questions
Locked — Upgrade required
Case Study
Software Licensing Compliance and Audit Response Governance at Northbridge Analytics
3 guided questions
Locked — Upgrade required
Case Study
Governing Open Source License Obligations Before a Public Sector Release
3 guided questions
Locked — Upgrade required
Case Study
Cyber Due Diligence and Integration Governance for a Manufacturing Acquisition
3 guided questions
Locked — Upgrade required
Case Study
Cyber Due Diligence and Integration Governance for a Planned Acquisition
3 guided questions
Locked — Upgrade required
Case Study
Cyber Due Diligence and Integration Governance for a Cross-Border Acquisition
3 guided questions
Locked — Upgrade required
Case Study
Govern ICS2 Shipment Data and Supplier Attestations Before EU Filing
3 guided questions
Locked — Upgrade required
Case Study
Escalate a Distributor Screening and Export Classification Conflict
3 guided questions
Locked — Upgrade required
Job path certificate
Third-Party Risk Analyst Job Path
Complete every lab, case study, and the scenario path above to unlock the Third-Party Risk Analyst Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Triage a high-risk vendor onboarding request and identify required due diligence evidence.
- Scenario 2: Assess anti-bribery red flags and document escalation rationale.
- Scenario 3: Evaluate an ITGC deficiency and classify impact to financial reporting.
- Scenario 4: Draft a remediation plan with control owner, due date, and retest criteria.
- Scenario 5: Prepare a regulator-ready summary with supporting evidence references.
- Scenario 6: Build a tiering model to align due diligence depth with vendor criticality.
- Scenario 7: Evaluate SOC, ISO, and questionnaire evidence for control design and operating effectiveness.
- Scenario 8: Define trigger events for reassessment, continuous monitoring, and contract review.
- Scenario 9: Draft a remediation plan for material findings with accountability and verification steps.
- Scenario 10: Create a governance summary of vendor risk trends and concentration exposures.
GRC Program Manager Job Path
For leads and managers running enterprise governance operating models, reporting, and cross-functional delivery.
Locked for free members
Path 1
Enterprise GRC Program Management
Build practical skills to run an enterprise GRC function through governance design, operating cadences, issue handling, metrics, committee reporting, and cross-functional decision-making.
Locked — Upgrade required
Path 2
Enterprise GRC Program Management II
Build enterprise GRC capabilities through charter design, risk intake, policy exceptions, issue escalation, executive reporting, and cross-functional assurance planning.
Locked — Upgrade required
Path 3
Governance & Leadership
Develop executive-ready governance skills: policy lifecycle, reporting, operating models, and risk culture enablement.
Locked — Upgrade required
Path 4
Executive Cyber Risk Reporting
Master the craft of translating cyber risk data into board-level narratives — covering dashboard design, governance actions, remediation storytelling, and cross-functional KRI operating models.
Locked — Upgrade required
Path 5
Board Cyber Oversight & Director Governance
Practice board-level cyber oversight through realistic governance scenarios involving strategy approval, risk appetite, third-party and regulatory scrutiny, incident decision-making, executive challenge, and remediation tracking.
Locked — Upgrade required
Path 6
Regulatory Change Management & Compliance Obligations
Build practical skills for identifying, assessing, assigning, implementing, monitoring, and reporting regulatory changes through realistic GRC scenarios across legal, compliance, operational, incident, and governance workflows.
Locked — Upgrade required
Path 7
Policy Exception Management & Compensating Controls
Practice managing policy exceptions and compensating controls through realistic GRC scenarios covering intake, risk evaluation, approvals, operations, monitoring, incident handling, remediation, and reporting.
Locked — Upgrade required
Path 8
Security Awareness & Culture
Hands-on advanced training to design, govern, and operate security awareness & culture programs.
Locked — Upgrade required
Path 9
Insider Threat Program Governance: Charter & Escalation
Build a practical insider threat governance program through chartering, data handling rules, escalation design, and oversight decisions grounded in realistic GRC scenarios.
Locked — Upgrade required
Path 10
Insider Threat Program Governance: Investigations & Assurance
Build a practical insider threat governance program by defining oversight, triage, investigations, and continuous improvement controls for real-world organizational scenarios.
Locked — Upgrade required
Path 11
Quantitative Risk Methods: FAIR Analysis & Loss Estimation
Practice applying quantitative cyber risk methods such as FAIR to estimate loss exposure, compare treatment options, and support defensible GRC decisions in realistic business scenarios.
Locked — Upgrade required
Path 12
Quantitative Risk Methods: Calibrated Estimation & Decision Support
Apply practical quantitative cyber risk methods, including FAIR-style analysis, calibrated estimation, loss event modeling, and decision support in realistic GRC scenarios.
Locked — Upgrade required
Path 13
ESG Environmental Governance: Foundations & Oversight
Build practical ESG governance skills through scenario-driven exercises covering environmental data controls, supplier oversight, climate risk decisions, reporting governance, incident response, and board-level accountability.
Locked — Upgrade required
Path 14
ESG Environmental Governance: Scope & Performance
Build practical skills for governing environmental ESG obligations through scenarios involving data quality, supplier oversight, climate risk, target tracking, incident response, and board reporting.
Locked — Upgrade required
Path 15
ESG Environmental Governance: Obligations & Assurance
Build practical GRC skills for environmental ESG scenarios by identifying obligations, setting controls, validating evidence, managing incidents, overseeing vendors, and reporting performance without overstating results.
Locked — Upgrade required
Path 16
ESG Environmental Governance: GHG & Emissions Controls
Build practical skills for governing environmental ESG obligations through scenario-driven controls, evidence, escalation, and operational decision-making.
Locked — Upgrade required
Path 17
ESG Environmental Governance: Reporting & Board Accountability
Build practical ESG capability by handling environmental governance scenarios involving emissions data, supplier oversight, control evidence, reporting decisions, incident response, and board-level accountability.
Locked — Upgrade required
Path 18
Compliance Training & Attestation Governance
Advance enterprise governance for mandatory compliance training and control attestation programs across regulated teams, third parties, executives, and distributed operations. Navigate edge cases involving role-based obligations, evidence quality, exceptions, overdue populations, investigations, metric design, and board-level reporting under real-world operational pressure.
Locked — Upgrade required
Path 19
Anti-Bribery & Corruption Internal Investigations Governance
Run advanced anti-bribery and corruption investigations governance across intake, triage, evidence preservation, cross-border fact-finding, privilege strategy, disciplinary decisions, third-party misconduct, executive escalation, remediation, and regulator-facing reporting through realistic enterprise scenarios.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Locked — Upgrade required →
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Board Oversight of Cyber Risk After a Cloud Control Failure
3 guided questions
Locked — Upgrade required
Case Study
Governing New Regulatory Obligations After a Cross-Border Product Launch
3 guided questions
Locked — Upgrade required
Case Study
Update Regulatory Obligations After a Cross-Border Product Expansion
3 guided questions
Locked — Upgrade required
Case Study
Coordinating a State Regulator Examination Response
3 guided questions
Locked — Upgrade required
Case Study
Policy Exception and Risk Acceptance Governance for Legacy Vendor Access
3 guided questions
Locked — Upgrade required
Case Study
Policy Exception and Waiver Operations for Legacy Endpoint Encryption
3 guided questions
Locked — Upgrade required
Case Study
Govern a Firewall Logging Exception with a Compensating Control
3 guided questions
Free preview
Case Study
Protecting Speak-Up Integrity During a Procurement Investigation
3 guided questions
Locked — Upgrade required
Case Study
Whistleblower Hotline Governance and Investigation Triage at Northstar Biologics
3 guided questions
Locked — Upgrade required
Case Study
Scaling an Ethics Hotline: Intake SLAs, Escalations, and Independence
3 guided questions
Locked — Upgrade required
Case Study
Repair Governance Gaps in a Global Speak-Up Program
3 guided questions
Locked — Upgrade required
Case Study
Vendor Bank Detail Change Controls After a Suspected CEO Spoof
3 guided questions
Locked — Upgrade required
Case Study
Cyber Insurance Readiness and Renewal Governance for a Manufacturing Group
3 guided questions
Locked — Upgrade required
Case Study
Cyber Insurance Readiness and Renewal Governance for a Mid-Market Manufacturer
3 guided questions
Locked — Upgrade required
Case Study
Prepare Claim-Ready Governance After a Ransomware Near Miss
3 guided questions
Locked — Upgrade required
Case Study
Governance Gaps in Sustainability Disclosure Readiness
3 guided questions
Locked — Upgrade required
Case Study
Govern a Materiality Assessment for Enterprise Risk and Disclosure
3 guided questions
Locked — Upgrade required
Case Study
Govern Third-Party Access and Incident Escalation for an Open Banking Payment Initiation Service
3 guided questions
Locked — Upgrade required
Case Study
Govern WCAG Compliance for a Multi-Department Public Services Portal
3 guided questions
Locked — Upgrade required
Job path certificate
GRC Program Manager Job Path
Complete every lab, case study, and the scenario path above to unlock the GRC Program Manager Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Define governance forum cadence and decision rights for a new GRC program.
- Scenario 2: Create KPI/KRI metrics for executive reporting and board visibility.
- Scenario 3: Prioritize competing remediation initiatives under constrained capacity.
- Scenario 4: Resolve a cross-functional ownership conflict using a RACI approach.
- Scenario 5: Write a quarterly GRC update with top risks, actions, and blockers.
- Scenario 6: Define a measurable loss event scenario using threat, asset, and effect.
- Scenario 7: Estimate frequency and probable loss magnitude ranges with assumptions.
- Scenario 8: Compare treatment options using expected risk reduction and cost.
- Scenario 9: Document uncertainty drivers and sensitivity to key assumptions.
- Scenario 10: Present a decision recommendation in business terms for leadership.
Business Continuity Manager Job Path
For leaders designing resilience programs, coordinating crisis response, and strengthening service continuity.
Locked for free members
Path 1
Business Continuity Impact Analysis & Recovery Strategy
Build practical business continuity skills through realistic GRC scenarios involving impact analysis, recovery prioritization, dependency mapping, alternate operating models, crisis decision-making, and recovery strategy design across enterprise functions.
Locked — Upgrade required
Path 2
Business Impact Analysis & Recovery Prioritization
Build practical skills in assessing business impact, defining recovery priorities, and translating disruption scenarios into actionable resilience decisions across operations, technology, vendors, and executive governance.
Locked — Upgrade required
Path 3
Operational Resilience: IBS Identification & Mapping
Build practical skills in identifying, scoping, and mapping Important Business Services through realistic operational resilience scenarios covering customer journeys, supporting resources, dependencies, tolerances, governance, and change handling.
Locked — Upgrade required
Path 4
Operational Resilience: IBS Mapping & Dependency Governance
Build practical skills in identifying important business services, mapping dependencies, defining impact tolerances, validating resilience information, and responding to mapping gaps across real-world operational resilience scenarios.
Locked — Upgrade required
Path 5
Cyber Resilience & Continuity
Hands-on advanced training to design, govern, and operate cyber resilience & continuity programs.
Locked — Upgrade required
Path 6
Incident Response Operations
Train for real incident response: triage, containment, communications, and leadership decisions under pressure.
Locked — Upgrade required
Path 7
Ransomware Readiness Governance
Build practical ransomware readiness governance skills through realistic GRC scenarios covering asset visibility, backup governance, third-party oversight, decision-making during incidents, and post-event remediation reporting.
Locked — Upgrade required
Path 8
Security Operations Engineering
Build practical SOC engineering capability across alerting quality, investigations, automation, and detection tuning.
Locked — Upgrade required
Path 9
Vulnerability Management Operations
Hands-on advanced training to design, govern, and operate vulnerability management operations programs.
Locked — Upgrade required
Path 10
Business Impact Analysis Governance for Shared Services & Internal Dependencies
Apply advanced BIA governance techniques to shared services and internal dependencies using scenario-driven decisions across service intake, operational change, resilience monitoring, incident prioritization, and remediation reporting.
Locked — Upgrade required
Path 11
Operational Resilience Impact Tolerance Calibration & Breach Escalation Governance
Calibrate impact tolerances with quantitative rigor and govern breach escalation across severe but plausible scenarios involving payments, customer access, market activity, third parties, cyber disruption, data integrity loss, and executive decision making.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Locked — Upgrade required →
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Critical Process Mapping for a Regional Pharmacy Distributor
3 guided questions
Locked — Upgrade required
Case Study
Govern Impact Tolerances for a Retail Broker's Trade Confirmation Service
3 guided questions
Locked — Upgrade required
Case Study
Payment Outage Scenario Testing and Impact Tolerance Breach Governance
3 guided questions
Locked — Upgrade required
Case Study
Executive Escalation During a Product Safety Recall
3 guided questions
Locked — Upgrade required
Case Study
Classify and Escalate a Payment Platform Outage Under DORA
3 guided questions
Locked — Upgrade required
Case Study
Coordinate NIS2 Governance and Incident Reporting for a Cross-Border SaaS Provider
3 guided questions
Locked — Upgrade required
Case Study
Coordinate NIS2 Governance and Incident Reporting for a Cross-Border Logistics Provider
3 guided questions
Locked — Upgrade required
Case Study
Coordinate NIS2 Governance and Incident Reporting After a Supplier-Linked Outage
3 guided questions
Locked — Upgrade required
Case Study
Classifying a Significant Cyber Event Under NIS2 Governance
3 guided questions
Locked — Upgrade required
Case Study
Cross-border Outage at an MSP: NIS2 Operational Readiness and Reporting
3 guided questions
Locked — Upgrade required
Job path certificate
Business Continuity Manager Job Path
Complete every lab, case study, and the scenario path above to unlock the Business Continuity Manager Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Define critical business services and map maximum tolerable downtime for each.
- Scenario 2: Document dependency chains across people, process, technology, and third parties.
- Scenario 3: Design crisis command roles and decision thresholds for service disruption events.
- Scenario 4: Run a tabletop exercise scenario and capture response timeline strengths and gaps.
- Scenario 5: Build a continuity improvement backlog with ownership, due dates, and validation tests.
- Scenario 6: Classify a security event and determine escalation based on impact and confidence.
- Scenario 7: Draft an incident timeline capturing detection, containment, eradication, and recovery.
- Scenario 8: Define communications for legal, executive, customer, and regulator stakeholders.
- Scenario 9: Identify critical outsourced services and map recovery requirements for each.
- Scenario 10: Evaluate supplier resiliency evidence and define minimum assurance thresholds.
Data Governance Lead Job Path
For practitioners building data ownership models, quality controls, and governance operating rhythms.
Locked for free members
Path 1
Data Security & Privacy Operations
Operationalize data classification, retention, privacy workflows, and control assurance across regulated datasets.
Locked — Upgrade required
Path 2
Privacy Governance Foundations — Track C
Alternate practice track for the Privacy Governance Foundations chapter. Covers ROPA operations, lawful basis design, vendor due diligence, retention controls, data subject rights, and breach coordination. Track A, B, and C cover the same learning objectives with different rooms — pick any one to complete the chapter.
Locked — Upgrade required
Path 3
Privacy Operations & Compliance — Track C
Alternate practice track for the Privacy Operations & Compliance chapter. Covers data inventory, lawful basis decisions, DSAR triage, retention and disposal, vendor transfer governance, and incident coordination. Track A, B, and C cover the same learning objectives with different rooms — pick any one to complete the chapter.
Locked — Upgrade required
Path 4
Advanced Privacy Program Operations — Track C
Alternate practice track for the Advanced Privacy Program Operations chapter. Covers governance operating model, records mapping, impact assessments, data subject rights center, transfers, and incident retention. Track A, B, and C cover the same learning objectives with different rooms — pick any one to complete the chapter.
Locked — Upgrade required
Path 5
Technology Asset Lifecycle Governance
Practice governing technology assets from intake through retirement using realistic GRC scenarios covering acquisition, inventory, ownership, change, monitoring, exceptions, disposal, and reporting.
Locked — Upgrade required
Path 6
Enterprise GRC Program Management II
Build enterprise GRC capabilities through charter design, risk intake, policy exceptions, issue escalation, executive reporting, and cross-functional assurance planning.
Locked — Upgrade required
Path 7
Enterprise Data Retention Governance & Legal Hold Operations
Build practical GRC skills for designing, operating, and improving enterprise data retention and legal hold processes across collaboration platforms, HR systems, finance records, messaging, backups, and cross-functional investigations.
Locked — Upgrade required
Path 8
Business Impact Analysis Data Governance & Evidence Quality
Build practical beginner-level skills for governing BIA data and evaluating evidence quality across intake, analysis, operations, monitoring, exceptions, and reporting scenarios.
Locked — Upgrade required
Path 9
Integrated Assurance Mapping & Control Rationalization
Learn how to map overlapping compliance requirements, rationalize duplicate controls, assign evidence owners, and manage exceptions through practical GRC scenarios across onboarding, operations, monitoring, incidents, and reporting.
Locked — Upgrade required
Path 10
Enterprise Data Lineage Governance & Critical Data Element Control
Build advanced capability to govern enterprise data lineage and critical data elements through high-stakes scenarios involving regulatory change, cross-border transformations, model consumption, control failures, executive escalation, and remediation planning across finance, risk, operations, and technology domains.
Locked — Upgrade required
Path 11
Enterprise Data Minimization Governance & Purpose Limitation Operations
Run advanced, scenario-driven governance operations for data minimization and purpose limitation across intake, design, production use, monitoring, exceptions, and executive reporting in complex enterprise environments.
Locked — Upgrade required
Path 12
Enterprise Data Inventory & Records of Processing Governance
Develop advanced, scenario-driven governance skills for building and sustaining defensible enterprise data inventories and Records of Processing Activities across complex operating models, including M&A, shadow IT, AI use cases, vendor ecosystems, international transfers, incident response, and executive reporting.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Locked — Upgrade required →
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Repair Governance Gaps in a Product Analytics Data Domain
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Critical Data Quality Controls for a Master Data Governance Program
3 guided questions
Locked — Upgrade required
Case Study
Tracing Revenue Recognition Data Across Policy Systems
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Data Classification and Handling Operations After a Product Launch
3 guided questions
Locked — Upgrade required
Case Study
Govern Data Retention and Disposition for Claims Operations
3 guided questions
Locked — Upgrade required
Case Study
Freeze the Right Records During a Product Safety Lawsuit
3 guided questions
Locked — Upgrade required
Case Study
Govern Retired Engineering Assets After a Data Center Exit
3 guided questions
Locked — Upgrade required
Case Study
Control the Lifecycle of Regulated Research Records
3 guided questions
Locked — Upgrade required
Case Study
Align the Retention Schedule with Legal Hold Governance
3 guided questions
Locked — Upgrade required
Job path certificate
Data Governance Lead Job Path
Complete every lab, case study, and the scenario path above to unlock the Data Governance Lead Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Define data ownership roles for critical datasets used in risk and compliance reporting.
- Scenario 2: Create quality rules for completeness, accuracy, timeliness, and consistency checks.
- Scenario 3: Design exception handling workflows for failed data controls and unresolved defects.
- Scenario 4: Assess lineage documentation gaps and prioritize remediation for audit-relevant flows.
- Scenario 5: Prepare a governance dashboard for quality trend monitoring and accountability.
- Scenario 6: Map a data flow and identify controller/processor roles for a business-critical system.
- Scenario 7: Design control self-assessment workflows and evidence retention standards for data assets.
- Scenario 8: Classify findings by severity, systemic impact, and regulatory sensitivity for data quality issues.
- Scenario 9: Define risk screening criteria for data migration and system change requests.
- Scenario 10: Build a policy taxonomy aligned to data governance obligations and retention requirements.
AI Governance & Model Risk Job Path
For teams establishing AI oversight, model inventory governance, and accountable risk controls.
Locked for free members
Path 1
AI Governance & Model Risk Management
Build practical AI governance and model risk management skills through realistic GRC scenarios covering intake, use-case classification, data and vendor risk, validation, human oversight, monitoring, incident handling, and remediation across enterprise AI deployments.
Locked — Upgrade required
Path 2
Model Risk Management Governance
Build practical governance skills for model risk management through realistic scenarios involving model intake, roles and accountability, committee oversight, policy exceptions, change governance, monitoring, issue escalation, and board reporting across the model lifecycle.
Locked — Upgrade required
Path 3
Risk Management Professional
Master advanced risk assessment methods, treatment planning, monitoring, and executive reporting through practical scenarios.
Locked — Upgrade required
Path 4
Framework Mastery
Build fluency across major security and compliance frameworks, then map controls across standards for unified assurance.
Locked — Upgrade required
Path 5
Governance & Leadership
Develop executive-ready governance skills: policy lifecycle, reporting, operating models, and risk culture enablement.
Locked — Upgrade required
Path 6
Enterprise GRC Program Management
Build practical skills to run an enterprise GRC function through governance design, operating cadences, issue handling, metrics, committee reporting, and cross-functional decision-making.
Locked — Upgrade required
Path 7
EU AI Act Compliance Operations
Practice operating an EU AI Act compliance program through realistic GRC scenarios covering system intake, risk classification, conformity obligations, transparency controls, post-market monitoring, incident handling, supplier oversight, and remediation reporting.
Locked — Upgrade required
Path 8
Control Design & Operating Effectiveness Testing
Build practical GRC skills for evaluating whether controls are designed appropriately and operating effectively through realistic scenarios covering onboarding, daily operations, monitoring, exceptions, remediation, and reporting.
Locked — Upgrade required
Path 9
ISO/IEC 42001 Foundations in Practice
Build practical AI management system skills through realistic ISO/IEC 42001 scenarios involving governance, risk assessment, supplier oversight, operational controls, monitoring, incidents, and reporting.
Locked — Upgrade required
Path 10
ISO/IEC 42001 Applied Management System Scenarios
Practice AI management system controls through realistic ISO/IEC 42001 scenarios covering context, risk treatment, supplier oversight, operational governance, monitoring, incidents, and continual improvement.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Locked — Upgrade required →
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Human Oversight Gaps in a Claims Triage AI Rollout
3 guided questions
Locked — Upgrade required
Case Study
Escalating Governance Gaps in a Credit Decision Model Program
3 guided questions
Locked — Upgrade required
Case Study
Coordinate EU AI Act Compliance for a High-Risk Hiring System
3 guided questions
Locked — Upgrade required
Case Study
Govern a Time-Bound Security Exception for Vendor Access
3 guided questions
Locked — Upgrade required
Case Study
Govern a Firewall Logging Exception with a Compensating Control
3 guided questions
Free preview
Job path certificate
AI Governance & Model Risk Job Path
Complete every lab, case study, and the scenario path above to unlock the AI Governance & Model Risk Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Classify an AI use case by risk tier and define required governance checkpoints.
- Scenario 2: Document model inventory fields including owner, purpose, data sources, and controls.
- Scenario 3: Evaluate bias, explainability, and performance monitoring requirements for deployment.
- Scenario 4: Draft incident response procedures for harmful output, drift, or control failure events.
- Scenario 5: Prepare board-level reporting on model risk exposure and mitigation status.
- Scenario 6: Build a control map linking AI-specific risks to preventive and detective controls.
- Scenario 7: Define approval workflows, review cadence, and exception governance for model deployments.
- Scenario 8: Define risk screening criteria for AI use cases entering production environments.
- Scenario 9: Map recurring AI compliance obligations to owner teams and operating cadence.
- Scenario 10: Resolve a cross-functional ownership conflict for shared AI models using a RACI approach.
Compliance Analyst / Regulatory Compliance Analyst Job Path
For compliance analysts tracking regulatory obligations, managing change programmes, and ensuring ongoing adherence to industry standards.
Free scenarios available
Path 1
Compliance Analyst
Learn how to collect evidence, prepare audits, and manage compliance obligations with repeatable analyst workflows.
Locked — Upgrade required
Path 2
GRC Fundamentals
Build your foundation in governance, risk, and compliance. Learn core concepts, key terminology, and how GRC frameworks work together.
Locked — Upgrade required
Path 3
GRC Primer Practice
A beginner-friendly path to practice core GRC concepts with short, practical rooms before moving into larger role-based tracks.
Locked — Upgrade required
Path 4
Risk & Compliance Operations
An intermediate path focused on day-to-day risk analysis, treatment decisions, KRIs, and compliance operations execution.
Locked — Upgrade required
Path 5
Framework Mastery
Build fluency across major security and compliance frameworks, then map controls across standards for unified assurance.
Locked — Upgrade required
Path 6
Regulatory Change Management & Compliance Obligations
Build practical skills for identifying, assessing, assigning, implementing, monitoring, and reporting regulatory changes through realistic GRC scenarios across legal, compliance, operational, incident, and governance workflows.
Locked — Upgrade required
Path 7
Policy Exception Management & Compensating Controls
Practice managing policy exceptions and compensating controls through realistic GRC scenarios covering intake, risk evaluation, approvals, operations, monitoring, incident handling, remediation, and reporting.
Locked — Upgrade required
Path 8
US State Privacy Law Compliance Operations
Build practical operating skills for managing US state privacy law obligations through intake, classification, consumer rights handling, vendor oversight, assessments, and incident-driven response workflows.
Locked — Upgrade required
Path 9
PCI DSS Cardholder Data Governance
Build practical PCI DSS skills through realistic GRC scenarios involving scoping, access control, evidence handling, third-party oversight, and incident response for cardholder data environments.
Locked — Upgrade required
Path 10
PCI DSS: Cardholder Data Governance & Incident Response
Build practical PCI DSS skills through scenario-driven governance exercises focused on scoping, access, logging, third-party oversight, and incident response for cardholder data environments.
Locked — Upgrade required
Path 11
Enterprise KYC / CDD Governance & Periodic Review Operations
Advance enterprise-grade KYC and customer due diligence judgment through complex governance, periodic review, risk segmentation, exception handling, remediation, and executive reporting scenarios spanning onboarding inheritances, BAU review operations, trigger events, data quality failures, and regulator-facing decisions.
Locked — Upgrade required
Path 12
AML Transaction Monitoring Governance & Alert Disposition Oversight
Build advanced AML governance skills through realistic oversight scenarios covering model governance, alert disposition quality, threshold change control, escalation decisioning, backlog risk treatment, investigator consistency, sanctions and fraud interface boundaries, regulator-facing documentation, and board-level reporting for transaction monitoring programs.
Locked — Upgrade required
Path 13
Regulatory Complaint Management & Escalation Governance
Work through advanced, scenario-driven complaint governance challenges involving multi-channel intake, jurisdictional classification, escalation thresholds, vulnerable customer risk, root cause analysis, remediation governance, executive reporting, and regulator-facing decision making.
Locked — Upgrade required
Scenario Submissions
Free members: 1 AI-graded submission per week across the intro scenario tracks.
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Governing New Regulatory Obligations After a Cross-Border Product Launch
3 guided questions
Locked — Upgrade required
Case Study
Update Regulatory Obligations After a Cross-Border Product Expansion
3 guided questions
Locked — Upgrade required
Case Study
Coordinating a State Regulator Examination Response
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Sanctions Governance After Screening Alert Backlogs
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Sanctions Screening Governance After Alert Backlogs
3 guided questions
Locked — Upgrade required
Case Study
Govern Third-Party Access and Incident Escalation for an Open Banking Payment Initiation Service
3 guided questions
Locked — Upgrade required
Case Study
Escalating KYC Gaps in a High-Risk SME Onboarding Queue
3 guided questions
Locked — Upgrade required
Case Study
Software Licensing Compliance and Audit Response Governance at Northbridge Analytics
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Digital Accessibility Compliance Operations After a Public Portal Rollout
3 guided questions
Locked — Upgrade required
Case Study
Govern WCAG Compliance for a Multi-Department Public Services Portal
3 guided questions
Locked — Upgrade required
Case Study
Policy Exception and Risk Acceptance Governance for Legacy Vendor Access
3 guided questions
Locked — Upgrade required
Case Study
Policy Exception and Waiver Operations for Legacy Endpoint Encryption
3 guided questions
Locked — Upgrade required
Job path certificate
Compliance Analyst / Regulatory Compliance Analyst Job Path
Complete every lab, case study, and the scenario path above to unlock the Compliance Analyst / Regulatory Compliance Analyst Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Triage an incoming regulation and map impacted obligations to business functions.
- Scenario 2: Estimate implementation complexity, deadlines, and dependency risks for each obligation.
- Scenario 3: Define control and policy changes needed to satisfy new regulatory requirements.
- Scenario 4: Create stakeholder governance for legal interpretation, implementation, and validation.
- Scenario 5: Deliver an executive readiness update with risks, blockers, and decision requests.
- Scenario 6: Map recurring compliance obligations to owner teams and operating cadence.
- Scenario 7: Design control self-assessment workflows and evidence retention standards.
- Scenario 8: Evaluate control exceptions and determine compensating control requirements.
- Scenario 9: Develop a centralized obligations tracker with status and due-date governance.
- Scenario 10: Prepare an annual compliance effectiveness review with improvement priorities.
Risk Manager / Operational Risk Analyst Job Path
For risk managers and operational risk analysts running risk registers, RCSA programmes, appetite frameworks, and control effectiveness reviews.
Free scenarios available
Path 1
Risk Management Professional
Master advanced risk assessment methods, treatment planning, monitoring, and executive reporting through practical scenarios.
Locked — Upgrade required
Path 2
Risk & Compliance Operations
An intermediate path focused on day-to-day risk analysis, treatment decisions, KRIs, and compliance operations execution.
Locked — Upgrade required
Path 3
Beginner Risk & Controls Workshop
An entry-level workshop path covering risk scoring, appetite basics, and understanding control outcomes vs activities.
Locked — Upgrade required
Path 4
Intermediate Risk Treatment Lab
Intermediate path focused on practical risk-treatment prioritization and decision quality in constrained environments.
Locked — Upgrade required
Path 5
Control Assurance Practice
Intermediate path focused on control evidence, audit readiness, and practical assurance execution across day-to-day programs.
Locked — Upgrade required
Path 6
Enterprise Risk Appetite & Tolerance Frameworks
Practice building and applying enterprise risk appetite and tolerance frameworks through realistic GRC scenarios covering strategy setting, operational decision-making, monitoring, exception handling, and board reporting.
Locked — Upgrade required
Path 7
Framework Mastery
Build fluency across major security and compliance frameworks, then map controls across standards for unified assurance.
Locked — Upgrade required
Path 8
Control Design & Operating Effectiveness Testing
Build practical GRC skills for evaluating whether controls are designed appropriately and operating effectively through realistic scenarios covering onboarding, daily operations, monitoring, exceptions, remediation, and reporting.
Locked — Upgrade required
Path 9
Quantitative Risk Methods: FAIR Analysis & Loss Estimation
Practice applying quantitative cyber risk methods such as FAIR to estimate loss exposure, compare treatment options, and support defensible GRC decisions in realistic business scenarios.
Locked — Upgrade required
Path 10
Quantitative Risk Methods: Calibrated Estimation & Decision Support
Apply practical quantitative cyber risk methods, including FAIR-style analysis, calibrated estimation, loss event modeling, and decision support in realistic GRC scenarios.
Locked — Upgrade required
Path 11
FAIR Foundations in Practice
Build practical FAIR analysis skills through realistic GRC scenarios involving loss event scoping, factor estimation, control-informed risk reduction, third-party exposure, incident-informed recalibration, and executive reporting.
Locked — Upgrade required
Path 12
FAIR Applied Risk Quantification
Build practical skills applying the FAIR model to quantify cyber and operational risk through realistic GRC scenarios involving intake, analysis, monitoring, incident reassessment, treatment selection, and executive reporting.
Locked — Upgrade required
Path 13
Control Deficiency Rating & Materiality Governance
Develop advanced judgment for rating control deficiencies, determining materiality, governing aggregation decisions, and escalating nuanced risk scenarios across financial reporting, operational compliance, technology control environments, and executive oversight structures.
Locked — Upgrade required
Scenario Submissions
Free members: 1 AI-graded submission per week across the intro scenario tracks.
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Operating Risk Appetite Limits During a Rapid Expansion
3 guided questions
Free preview
Case Study
Operating an Enterprise Risk Appetite, Tolerance, and Limit Framework
3 guided questions
Locked — Upgrade required
Case Study
Refresh the RCSA Program for Third-Party Claims Operations
3 guided questions
Locked — Upgrade required
Case Study
Launching the Semiannual RCSA Cycle at Harborview Credit Union
3 guided questions
Locked — Upgrade required
Case Study
Recurring Vendor Due Diligence Failures and Weak Root Cause Governance
3 guided questions
Free preview
Case Study
Overdue Corrective Actions After a Vendor Risk Review
3 guided questions
Locked — Upgrade required
Case Study
Corrective Action Governance After a Recurring Access Review Failure
3 guided questions
Free preview
Case Study
Rationalize Overlapping Operational Controls in a Shared Services Environment
3 guided questions
Free preview
Case Study
Govern a Time-Bound Security Exception for Vendor Access
3 guided questions
Locked — Upgrade required
Case Study
Policy Exception and Risk Acceptance Governance for Legacy Vendor Access
3 guided questions
Locked — Upgrade required
Job path certificate
Risk Manager / Operational Risk Analyst Job Path
Complete every lab, case study, and the scenario path above to unlock the Risk Manager / Operational Risk Analyst Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Draft an enterprise risk statement and identify the top three business drivers.
- Scenario 2: Build a control map linking key risks to preventive and detective controls.
- Scenario 3: Define a measurable loss event scenario using threat, asset, and effect.
- Scenario 4: Estimate frequency and probable loss magnitude ranges with assumptions.
- Scenario 5: Compare treatment options using expected risk reduction and cost.
- Scenario 6: Classify findings by severity, systemic impact, and regulatory sensitivity.
- Scenario 7: Define remediation plans with milestones, dependencies, and acceptance criteria.
- Scenario 8: Assess overdue issues and determine escalation based on residual risk.
- Scenario 9: Design verification testing to confirm sustainable closure of issues.
- Scenario 10: Create portfolio reporting on remediation velocity and repeat issue drivers.
ISO 27001 / Security Compliance Manager Job Path
For security compliance managers leading ISMS implementation, certification readiness, and multi-framework control alignment.
Locked for free members
Path 1
ISO 27001: ISMS Foundations & Certification Readiness
A scenario-driven learning path covering core ISO 27001 concepts, implementation steps, risk treatment, documentation, internal audit, and continual improvement in practical GRC contexts.
Locked — Upgrade required
Path 2
ISO 27001: Control Implementation & Operations
A practical, scenario-driven path focused on implementing, operating, and evidencing ISO 27001 controls in real-world GRC environments.
Locked — Upgrade required
Path 3
ISO 27001: Scope, Controls & Continual Improvement
A practical, scenario-driven path for learning how to apply ISO 27001 concepts in real GRC situations, from scope and risk assessment to controls, incidents, audits, and continual improvement.
Locked — Upgrade required
Path 4
ISO 27001: Risk Assessment & Corrective Actions
A practical, scenario-driven path for learning how to apply ISO 27001 concepts in real GRC situations, from scoping and risk assessment to controls, incidents, audits, and continual improvement.
Locked — Upgrade required
Path 5
ISO 27001: Access Management & Supplier Assurance
A practical, scenario-driven learning path covering core ISO 27001 concepts through a Path 5-focused GRC lens, including scope, risk assessment, controls, incident response, supplier management, and audit readiness.
Locked — Upgrade required
Path 6
ISO 27001: Clause 6 Planning & Objectives
A practical, scenario-driven path focused on ISO 27001 Clause 6 planning activities, including risks and opportunities, information security objectives, and planning changes within an ISMS.
Locked — Upgrade required
Path 7
NIST CSF 2.0 Core Functions in Practice
Apply the NIST Cybersecurity Framework 2.0 through practical GRC scenarios across Govern, Identify, Protect, Detect, Respond, and Recover activities.
Locked — Upgrade required
Path 8
NIST CSF 2.0 Govern Function
A practical, scenario-driven path focused on the Govern function in NIST Cybersecurity Framework 2.0, helping learners apply governance, policy, risk oversight, roles, and supply chain expectations in realistic GRC situations.
Locked — Upgrade required
Path 9
NIST CSF 2.0: Governance & Incident Response
A scenario-driven learning path focused on applying NIST Cybersecurity Framework 2.0 concepts to practical governance, risk, and compliance situations. Learners analyze policies, asset inventories, third-party risks, incident workflows, and improvement planning through hands-on GRC tasks.
Locked — Upgrade required
Path 10
NIST CSF 2.0: Risk Assessment & Executive Communication
A hands-on learning path focused on practical governance, risk, and compliance scenarios using NIST CSF 2.0. Learners work through realistic situations involving governance, asset understanding, risk assessment, control improvement, and communication with leadership.
Locked — Upgrade required
Path 11
SOC 2: Scoping, Controls & Vendor Risk
A scenario-driven learning path focused on practical SOC 2 work across scoping, controls, evidence, vendor risk, and incident response in a growing SaaS company.
Locked — Upgrade required
Path 12
SOC 2: Communication and Information
A practical path focused on SOC 2 Common Criteria 2, covering internal communication, external communication, policy awareness, incident reporting, and evidence gathering through scenario-driven GRC exercises.
Locked — Upgrade required
Path 13
SOC 2: Risk Assessment & Monitoring
A practical, scenario-driven path focused on SOC 2 common criteria Path 3, teaching learners how to identify risks, evaluate control changes, assess vendor exposure, and maintain effective risk monitoring in a GRC program.
Locked — Upgrade required
Path 14
Framework Mastery
Build fluency across major security and compliance frameworks, then map controls across standards for unified assurance.
Locked — Upgrade required
Path 15
Control Assurance Practice
Intermediate path focused on control evidence, audit readiness, and practical assurance execution across day-to-day programs.
Locked — Upgrade required
Path 16
NIST RMF Foundations Through Practical GRC Scenarios
Build hands-on NIST Risk Management Framework skills through realistic scenarios covering system categorization, control selection, implementation planning, assessment readiness, authorization support, and continuous monitoring across public sector and regulated environments.
Locked — Upgrade required
Path 17
CIS Controls Foundations in Practice
Practice applying CIS Controls v8 through realistic GRC scenarios covering asset visibility, software governance, data protection, secure configuration, access control, logging, vulnerabilities, and response-oriented compliance workflows.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Stabilize Baseline Drift in a Regional Lending Platform
3 guided questions
Locked — Upgrade required
Case Study
Govern a Firewall Logging Exception with Compensating Controls
3 guided questions
Locked — Upgrade required
Case Study
Govern a Time-Bound Security Exception for Vendor Access
3 guided questions
Locked — Upgrade required
Case Study
Govern a Firewall Logging Exception with a Compensating Control
3 guided questions
Free preview
Case Study
Architecture Review Board Escalation for an Unapproved Customer Analytics Integration
3 guided questions
Locked — Upgrade required
Case Study
ARB Governance for a Regional CRM Modernization
3 guided questions
Locked — Upgrade required
Case Study
Executive KRI Governance for a Rapidly Expanding SaaS Business
3 guided questions
Locked — Upgrade required
Case Study
Internal Control Deficiency Evaluation and CAPA Governance at Northbridge Fulfillment
3 guided questions
Locked — Upgrade required
Case Study
Rationalize a Global Control Library After a Merger
3 guided questions
Free preview
Case Study
Rationalize Overlapping Controls Across Three Frameworks
3 guided questions
Locked — Upgrade required
Job path certificate
ISO 27001 / Security Compliance Manager Job Path
Complete every lab, case study, and the scenario path above to unlock the ISO 27001 / Security Compliance Manager Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Define ISMS scope boundaries, exclusions, and ownership for a realistic organization.
- Scenario 2: Draft a risk assessment approach and treatment decision model aligned to business context.
- Scenario 3: Build a practical control selection rationale and Statement of Applicability structure.
- Scenario 4: Design evidence requirements for policy operation, control execution, and monitoring.
- Scenario 5: Prepare an internal audit and management review agenda with clear outputs.
- Scenario 6: Design a control testing calendar using risk-weighted prioritization criteria.
- Scenario 7: Define testing procedures with objective evidence requirements and pass/fail rules.
- Scenario 8: Evaluate control exceptions and determine compensating control requirements.
- Scenario 9: Build a policy taxonomy aligned to regulatory obligations and internal risk themes.
- Scenario 10: Define approval workflows, review cadence, and exception governance requirements.
Operational Resilience Analyst Job Path
For resilience analysts mapping important business services, setting impact tolerances, and running scenario testing programmes.
Locked for free members
Path 1
Operational Resilience: IBS Identification & Mapping
Build practical skills in identifying, scoping, and mapping Important Business Services through realistic operational resilience scenarios covering customer journeys, supporting resources, dependencies, tolerances, governance, and change handling.
Locked — Upgrade required
Path 2
Operational Resilience: IBS Mapping & Dependency Governance
Build practical skills in identifying important business services, mapping dependencies, defining impact tolerances, validating resilience information, and responding to mapping gaps across real-world operational resilience scenarios.
Locked — Upgrade required
Path 3
Digital Operational Resilience Testing & Scenario Governance
Build practical skills for planning, governing, executing, and improving digital operational resilience testing through realistic scenarios involving test strategy, scenario design, third-party disruption, crisis decision-making, remediation, and board reporting.
Locked — Upgrade required
Path 4
Business Continuity Impact Analysis & Recovery Strategy
Build practical business continuity skills through realistic GRC scenarios involving impact analysis, recovery prioritization, dependency mapping, alternate operating models, crisis decision-making, and recovery strategy design across enterprise functions.
Locked — Upgrade required
Path 5
Business Impact Analysis & Recovery Prioritization
Build practical skills in assessing business impact, defining recovery priorities, and translating disruption scenarios into actionable resilience decisions across operations, technology, vendors, and executive governance.
Locked — Upgrade required
Path 6
Business Impact Analysis Data Governance & Evidence Quality
Build practical beginner-level skills for governing BIA data and evaluating evidence quality across intake, analysis, operations, monitoring, exceptions, and reporting scenarios.
Locked — Upgrade required
Path 7
Cyber Resilience & Continuity
Hands-on advanced training to design, govern, and operate cyber resilience & continuity programs.
Locked — Upgrade required
Path 8
Incident Response Operations
Train for real incident response: triage, containment, communications, and leadership decisions under pressure.
Locked — Upgrade required
Path 9
Ransomware Readiness Governance
Build practical ransomware readiness governance skills through realistic GRC scenarios covering asset visibility, backup governance, third-party oversight, decision-making during incidents, and post-event remediation reporting.
Locked — Upgrade required
Path 10
Crisis Management Team Governance & Executive Decision-Making
Build practical skills for structuring crisis governance, assigning executive decision rights, running cross-functional coordination, handling escalation, and documenting decisions across cyber, operational, regulatory, third-party, and public-facing crises.
Locked — Upgrade required
Path 11
Operational Resilience Impact Tolerance Calibration & Breach Escalation Governance
Calibrate impact tolerances with quantitative rigor and govern breach escalation across severe but plausible scenarios involving payments, customer access, market activity, third parties, cyber disruption, data integrity loss, and executive decision making.
Locked — Upgrade required
Path 12
Operational Resilience Self-Assessment & Regulatory Attestation Governance
Develop advanced judgment for drafting, challenging, and governing operational resilience self-assessments and regulatory attestations across impact tolerance setting, important business service mapping, scenario testing, third-party dependency management, incident-driven reassessment, and executive certification under regulatory scrutiny.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Govern Impact Tolerances for a Retail Broker's Trade Confirmation Service
3 guided questions
Locked — Upgrade required
Case Study
Payment Outage Scenario Testing and Impact Tolerance Breach Governance
3 guided questions
Locked — Upgrade required
Case Study
Critical Process Mapping for a Regional Pharmacy Distributor
3 guided questions
Locked — Upgrade required
Case Study
Executive Escalation During a Product Safety Recall
3 guided questions
Locked — Upgrade required
Case Study
Classify and Escalate a Payment Platform Outage Under DORA
3 guided questions
Locked — Upgrade required
Case Study
Classify and Escalate an ICT Disruption at a Cross-Border Investment Platform
3 guided questions
Locked — Upgrade required
Case Study
Classifying a Significant Cyber Event Under NIS2 Governance
3 guided questions
Locked — Upgrade required
Case Study
Cross-border Outage at an MSP: NIS2 Operational Readiness and Reporting
3 guided questions
Locked — Upgrade required
Job path certificate
Operational Resilience Analyst Job Path
Complete every lab, case study, and the scenario path above to unlock the Operational Resilience Analyst Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Define critical business services and map maximum tolerable downtime for each.
- Scenario 2: Document dependency chains across people, process, technology, and third parties.
- Scenario 3: Design crisis command roles and decision thresholds for service disruption events.
- Scenario 4: Run a tabletop exercise scenario and capture response timeline strengths and gaps.
- Scenario 5: Build a continuity improvement backlog with ownership, due dates, and validation tests.
- Scenario 6: Classify a security event and determine escalation based on impact and confidence.
- Scenario 7: Draft an incident timeline capturing detection, containment, eradication, and recovery.
- Scenario 8: Define communications for legal, executive, customer, and regulator stakeholders.
- Scenario 9: Classify an ICT provider's criticality and document rationale against DORA expectations.
- Scenario 10: Evaluate concentration risk across key ICT providers and propose mitigation options.
Executive & Board Reporting Job Path
For governance leads and CISOs preparing board-level cyber risk reporting, KRI dashboards, and executive oversight materials.
Locked for free members
Path 1
Executive Cyber Risk Reporting
Master the craft of translating cyber risk data into board-level narratives — covering dashboard design, governance actions, remediation storytelling, and cross-functional KRI operating models.
Locked — Upgrade required
Path 2
Board Cyber Oversight & Director Governance
Practice board-level cyber oversight through realistic governance scenarios involving strategy approval, risk appetite, third-party and regulatory scrutiny, incident decision-making, executive challenge, and remediation tracking.
Locked — Upgrade required
Path 3
Governance & Leadership
Develop executive-ready governance skills: policy lifecycle, reporting, operating models, and risk culture enablement.
Locked — Upgrade required
Path 4
Enterprise GRC Program Management
Build practical skills to run an enterprise GRC function through governance design, operating cadences, issue handling, metrics, committee reporting, and cross-functional decision-making.
Locked — Upgrade required
Path 5
Enterprise GRC Program Management II
Build enterprise GRC capabilities through charter design, risk intake, policy exceptions, issue escalation, executive reporting, and cross-functional assurance planning.
Locked — Upgrade required
Path 6
Security Metrics & KRI Design
Build the skills to design, govern, and operationalise security metrics and key risk indicators — from taxonomy and data quality through to threshold calibration and escalation governance.
Locked — Upgrade required
Path 7
Security Awareness & Culture
Hands-on advanced training to design, govern, and operate security awareness & culture programs.
Locked — Upgrade required
Path 8
COBIT Governance & Management Foundations
Build practical COBIT skills through realistic governance, risk, control, assurance, and performance management scenarios across planning, operations, monitoring, exceptions, and reporting.
Locked — Upgrade required
Path 9
COSO Internal Control Foundations
Build practical COSO internal control skills through realistic business scenarios involving control design, risk assessment, control activities, information flows, monitoring, exceptions, and remediation across common enterprise processes.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Board Oversight of Cyber Risk After a Cloud Control Failure
3 guided questions
Locked — Upgrade required
Case Study
Cyber Insurance Readiness and Renewal Governance for a Manufacturing Group
3 guided questions
Locked — Upgrade required
Case Study
Cyber Insurance Readiness and Renewal Governance for a Mid-Market Manufacturer
3 guided questions
Locked — Upgrade required
Case Study
Prepare Claim-Ready Governance After a Ransomware Near Miss
3 guided questions
Locked — Upgrade required
Case Study
Govern a Materiality Assessment for Enterprise Risk and Disclosure
3 guided questions
Locked — Upgrade required
Case Study
Governance Gaps in Sustainability Disclosure Readiness
3 guided questions
Locked — Upgrade required
Case Study
Executive KRI Governance for a Rapidly Expanding SaaS Business
3 guided questions
Locked — Upgrade required
Case Study
Vendor Bank Detail Change Controls After a Suspected CEO Spoof
3 guided questions
Locked — Upgrade required
Job path certificate
Executive & Board Reporting Job Path
Complete every lab, case study, and the scenario path above to unlock the Executive & Board Reporting Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Define board-level risk appetite indicators and threshold breach triggers.
- Scenario 2: Create a concise risk dashboard balancing trend clarity with decision relevance.
- Scenario 3: Translate technical control findings into strategic business impact statements.
- Scenario 4: Draft decision memos for top risk tradeoffs and funding implications.
- Scenario 5: Build a quarterly board pack with accountability, status, and escalation items.
- Scenario 6: Create KPI/KRI metrics for executive reporting and board visibility.
- Scenario 7: Select KRIs linked to top enterprise risks and owner accountability.
- Scenario 8: Set tolerance bands and escalation triggers with management response actions.
- Scenario 9: Validate metric quality through back-testing and anomaly review.
- Scenario 10: Present metric insights that drive concrete risk treatment decisions.
Cloud Governance & Asset Lifecycle Job Path
For cloud governance analysts and asset managers overseeing cloud risk, FinOps controls, and technology asset lifecycle programmes.
Locked for free members
Path 1
Cloud Security & Architecture
Build practical cloud governance and security architecture skills across IAM, network design, workloads, and resilience.
Locked — Upgrade required
Path 2
Cloud Governance, FinOps & Risk
Hands-on advanced training to design, govern, and operate cloud governance, FinOps & risk programs.
Locked — Upgrade required
Path 3
Technology Asset Lifecycle Governance
Practice governing technology assets from intake through retirement using realistic GRC scenarios covering acquisition, inventory, ownership, change, monitoring, exceptions, disposal, and reporting.
Locked — Upgrade required
Path 4
Zero Trust Implementation
Hands-on advanced training to design, govern, and operate zero trust implementation programs.
Locked — Upgrade required
Path 5
Vulnerability Management Operations
Hands-on advanced training to design, govern, and operate vulnerability management operations programs.
Locked — Upgrade required
Path 6
Identity Security Engineering
Design resilient IAM controls across joiner-mover-leaver lifecycle, privileged access, federation, and access reviews.
Locked — Upgrade required
Path 7
Data Security & Privacy Operations
Operationalize data classification, retention, privacy workflows, and control assurance across regulated datasets.
Locked — Upgrade required
Path 8
FedRAMP Authorization and Continuous Compliance
Build practical FedRAMP skills through realistic GRC scenarios covering system categorization, boundary definition, control implementation, assessment readiness, continuous monitoring, and incident and exception handling in cloud service environments supporting U.S. federal customers.
Locked — Upgrade required
Path 9
CIS Controls - Control 4: Secure Configuration of Enterprise Assets and Software
Practice applying CIS Control 4 through realistic GRC scenarios covering baseline creation, deployment standards, exception handling, monitoring, third-party coordination, and remediation reporting for secure configurations across enterprise assets and software.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Locked — Upgrade required
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Govern Retired Engineering Assets After a Data Center Exit
3 guided questions
Locked — Upgrade required
Case Study
Govern KMS Key Rotation and Retirement for Regulated Analytics Workloads
3 guided questions
Locked — Upgrade required
Case Study
Quarterly Access Review for a Clinical Research Platform
3 guided questions
Locked — Upgrade required
Case Study
Identity and Access Review Governance for JML and Privileged Access Oversight
3 guided questions
Locked — Upgrade required
Case Study
Open Source Release Governance and SBOM Assurance for a Telehealth Platform
3 guided questions
Locked — Upgrade required
Case Study
Stabilizing SBOM Assurance for an Open Source Release Pipeline
3 guided questions
Locked — Upgrade required
Case Study
Govern SBOM Quality for a Critical Vendor Release
3 guided questions
Locked — Upgrade required
Case Study
Open Source Software Governance and SBOM Compliance During a Product Release
3 guided questions
Locked — Upgrade required
Job path certificate
Cloud Governance & Asset Lifecycle Job Path
Complete every lab, case study, and the scenario path above to unlock the Cloud Governance & Asset Lifecycle Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Identify cloud account governance gaps and define ownership guardrails by business unit.
- Scenario 2: Assess cost anomalies and map optimization options without weakening control coverage.
- Scenario 3: Design policy-as-code checks for tagging, encryption, and network exposure controls.
- Scenario 4: Create a risk register for cloud misconfiguration trends and unresolved exceptions.
- Scenario 5: Prepare an executive update on cloud spend, risk posture, and remediation progress.
- Scenario 6: Define joiner-mover-leaver control objectives and required evidence artifacts.
- Scenario 7: Test privileged access reviews for timeliness, completeness, and revocation quality.
- Scenario 8: Define risk screening criteria for business and technology change requests.
- Scenario 9: Assess control impacts from major releases and process redesign initiatives.
- Scenario 10: Design pre-implementation assurance checks for high-risk changes.
Quantitative Risk & Insider Threat Job Path
For analysts applying quantitative risk methods and building insider threat detection, investigation, and governance programmes.
Locked for free members
Path 1
Quantitative Risk Methods: FAIR Analysis & Loss Estimation
Practice applying quantitative cyber risk methods such as FAIR to estimate loss exposure, compare treatment options, and support defensible GRC decisions in realistic business scenarios.
Locked — Upgrade required
Path 2
Quantitative Risk Methods: Calibrated Estimation & Decision Support
Apply practical quantitative cyber risk methods, including FAIR-style analysis, calibrated estimation, loss event modeling, and decision support in realistic GRC scenarios.
Locked — Upgrade required
Path 3
Insider Threat Program Governance: Charter & Escalation
Build a practical insider threat governance program through chartering, data handling rules, escalation design, and oversight decisions grounded in realistic GRC scenarios.
Locked — Upgrade required
Path 4
Insider Threat Program Governance: Investigations & Assurance
Build a practical insider threat governance program by defining oversight, triage, investigations, and continuous improvement controls for real-world organizational scenarios.
Locked — Upgrade required
Path 5
Risk Management Professional
Master advanced risk assessment methods, treatment planning, monitoring, and executive reporting through practical scenarios.
Locked — Upgrade required
Path 6
Security Awareness & Culture
Hands-on advanced training to design, govern, and operate security awareness & culture programs.
Locked — Upgrade required
Path 7
Security Operations Engineering
Build practical SOC engineering capability across alerting quality, investigations, automation, and detection tuning.
Locked — Upgrade required
Path 8
Security Metrics & KRI Design
Build the skills to design, govern, and operationalise security metrics and key risk indicators — from taxonomy and data quality through to threshold calibration and escalation governance.
Locked — Upgrade required
Path 9
FAIR Foundations in Practice
Build practical FAIR analysis skills through realistic GRC scenarios involving loss event scoping, factor estimation, control-informed risk reduction, third-party exposure, incident-informed recalibration, and executive reporting.
Locked — Upgrade required
Path 10
FAIR Applied Risk Quantification
Build practical skills applying the FAIR model to quantify cyber and operational risk through realistic GRC scenarios involving intake, analysis, monitoring, incident reassessment, treatment selection, and executive reporting.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Locked — Upgrade required
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Vendor Bank Detail Change Controls After a Suspected CEO Spoof
3 guided questions
Locked — Upgrade required
Case Study
Protecting Speak-Up Integrity During a Procurement Investigation
3 guided questions
Locked — Upgrade required
Case Study
Whistleblower Hotline Governance and Investigation Triage at Northstar Biologics
3 guided questions
Locked — Upgrade required
Case Study
Scaling an Ethics Hotline: Intake SLAs, Escalations, and Independence
3 guided questions
Locked — Upgrade required
Case Study
Repair Governance Gaps in a Global Speak-Up Program
3 guided questions
Locked — Upgrade required
Case Study
Triage and Escalation in a Regional Whistleblower Investigation
3 guided questions
Locked — Upgrade required
Case Study
Prioritize Intelligence-Led Risk Action After Vendor Credential Abuse
3 guided questions
Locked — Upgrade required
Case Study
Executive KRI Governance for a Rapidly Expanding SaaS Business
3 guided questions
Locked — Upgrade required
Job path certificate
Quantitative Risk & Insider Threat Job Path
Complete every lab, case study, and the scenario path above to unlock the Quantitative Risk & Insider Threat Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Define a measurable loss event scenario using threat, asset, and effect.
- Scenario 2: Estimate frequency and probable loss magnitude ranges with assumptions.
- Scenario 3: Compare treatment options using expected risk reduction and cost.
- Scenario 4: Document uncertainty drivers and sensitivity to key assumptions.
- Scenario 5: Present a decision recommendation in business terms for leadership.
- Scenario 6: Draft insider threat program scope, objective, and governance charter language.
- Scenario 7: Design intake and triage criteria for suspicious insider activity referrals.
- Scenario 8: Define privacy guardrails for monitoring and investigations.
- Scenario 9: Create escalation pathways for legal, HR, and security coordination.
- Scenario 10: Build monthly oversight metrics and assurance checks.
ESG Governance & Disclosure Job Path
For ESG analysts and sustainability governance leads managing disclosure frameworks, materiality assessments, and environmental compliance reporting.
Locked for free members
Path 1
ESG Environmental Governance: Foundations & Oversight
Build practical ESG governance skills through scenario-driven exercises covering environmental data controls, supplier oversight, climate risk decisions, reporting governance, incident response, and board-level accountability.
Locked — Upgrade required
Path 2
ESG Environmental Governance: Scope & Performance
Build practical skills for governing environmental ESG obligations through scenarios involving data quality, supplier oversight, climate risk, target tracking, incident response, and board reporting.
Locked — Upgrade required
Path 3
ESG Environmental Governance: Obligations & Assurance
Build practical GRC skills for environmental ESG scenarios by identifying obligations, setting controls, validating evidence, managing incidents, overseeing vendors, and reporting performance without overstating results.
Locked — Upgrade required
Path 4
ESG Environmental Governance: GHG & Emissions Controls
Build practical skills for governing environmental ESG obligations through scenario-driven controls, evidence, escalation, and operational decision-making.
Locked — Upgrade required
Path 5
ESG Environmental Governance: Reporting & Board Accountability
Build practical ESG capability by handling environmental governance scenarios involving emissions data, supplier oversight, control evidence, reporting decisions, incident response, and board-level accountability.
Locked — Upgrade required
Path 6
Governance & Leadership
Develop executive-ready governance skills: policy lifecycle, reporting, operating models, and risk culture enablement.
Locked — Upgrade required
Path 7
Enterprise GRC Program Management II
Build enterprise GRC capabilities through charter design, risk intake, policy exceptions, issue escalation, executive reporting, and cross-functional assurance planning.
Locked — Upgrade required
Path 8
Framework Mastery
Build fluency across major security and compliance frameworks, then map controls across standards for unified assurance.
Locked — Upgrade required
Scenario Submissions
Submit scenario responses for AI marking (up to 25 total per day and 1 per scenario per day).
Locked — Upgrade required
Case studies for this job path
Realistic governance narratives with guided comprehension questions.
Case Study
Governance Gaps in Sustainability Disclosure Readiness
3 guided questions
Locked — Upgrade required
Case Study
Govern a Materiality Assessment for Enterprise Risk and Disclosure
3 guided questions
Locked — Upgrade required
Case Study
Update Regulatory Obligations After a Cross-Border Product Expansion
3 guided questions
Locked — Upgrade required
Case Study
Governing New Regulatory Obligations After a Cross-Border Product Launch
3 guided questions
Locked — Upgrade required
Case Study
Govern WCAG Compliance for a Multi-Department Public Services Portal
3 guided questions
Locked — Upgrade required
Case Study
Stabilize Digital Accessibility Compliance Operations After a Public Portal Rollout
3 guided questions
Locked — Upgrade required
Job path certificate
ESG Governance & Disclosure Job Path
Complete every lab, case study, and the scenario path above to unlock the ESG Governance & Disclosure Job Path certificate.
Scenario prompts in this job path
- Scenario 1: Identify material ESG topics and map accountable executive owners for each topic.
- Scenario 2: Design controls for source data quality, versioning, and disclosure approvals.
- Scenario 3: Evaluate a climate-risk scenario and define decision triggers for adaptation planning.
- Scenario 4: Build an issue log for disclosure gaps with remediation owner and due date.
- Scenario 5: Draft an audit committee briefing summarizing ESG reporting readiness and residual risks.
- Scenario 6: Triage an incoming regulation and map impacted obligations to business functions.
- Scenario 7: Define control and policy changes needed to satisfy new regulatory requirements.
- Scenario 8: Create stakeholder governance for legal interpretation, implementation, and validation.
- Scenario 9: Deliver an executive readiness update with risks, blockers, and decision requests.
- Scenario 10: Prepare an annual compliance effectiveness review with improvement priorities.