What's New at Security Journey 2025
All our recent updates - from new features, content & enhancements!
October 13, 2025
New Feature: Archive and Unarchive Assessments
Admins now have the ability to archive and unarchive Assessments directly within the platform. This enhancement provides greater flexibility for managing Assessment visibility and organization over time.

October 9, 2025
Update: Enhanced Assessment Insights & Assignment Messaging
Assessment Updates
- Admins can now view how individual users answered each Assessment question by clicking on the user’s name in the Assessment report. Previously, only correct or incorrect indicators were displayed.
Improved Assignment Creation Experience
- We've added clarifying messaging to the Audience tab when generating an Assignment from an Assessment.
- Removed the “Add Foundational Users” button.
- New message displayed:
Please note that adding or removing users below will not update the recommended lessons in this Assignment. To receive updated recommendations, generate a new Assignment.
October 8, 2025
New Feature: Introducing Aspen — Your AI Assistant for Code Help
We’re thrilled to introduce Aspen, our new AI-powered assistant designed to help you get unstuck faster while working through Security Journey’s hands-on labs.
Aspen provides immediate, context-aware feedback on your code submissions, helping you maintain momentum without waiting for support.

Additional Updates:
- Users can now provide feedback on Aspen’s hints by clicking the thumbs up or thumbs down buttons and adding optional comments.
- A new AI Safety Center page has been added under platform settings.
  - This page explains how AI is used within Security Journey and includes a toggle to turn Aspen on or off.
  - The AI Safety Center will also serve as the hub for future AI-related settings and capabilities.

To learn more, check out this article.
September 22, 2025
Update: Recommended Lessons for AI Category & New Assessment Language Support
- Recommended Lessons are now available for the new Artificial Intelligence and Large Language Models category.
- New Assessment languages are now applied to existing Assessments:
  - If an Assessment is available in all languages, the new language will be automatically included.
  - If an admin has specified Assessment languages, they will need to manually add the new language to that Assessment.
September 19, 2025
New Assessment Category: Artificial Intelligence and Large Language Models
A new multiple-choice Assessment category, “Artificial Intelligence and Large Language Models,” has been added to the platform. This category evaluates learners on both foundational concepts and advanced attack vectors related to modern AI and LLM security. To learn more about our Assessment feature, click here.
September 16, 2025
New: Developer Profile - Default Language Setting
The language selected in a user’s Developer Profile is now automatically applied as their default language across the platform.
- The default language will be auto-selected in Knowledge Assessments and hands-on lessons.
- Users can still change the language for any individual lesson or assessment.
- The platform will now remember the user’s last selected language for future lessons.
Update: Targeted Recommendations
We’ve improved Recommended Assignments to make it easier than ever to deliver targeted training.
- When you filter an Assessment Report by proficiency, assessment language, or learner attributes, the scores dynamically update based on the selected cohort.
- You can then generate an Assignment tailored specifically for that group.
To learn more about Recommended Assignments, check out this article.
September 5, 2025
New: API Endpoint – Developer & User Profile Data
We’ve added Developer Profile and User Profile fields to the Reporting API. This enhancement makes it easier to access profile-level data directly through the API.
For full details, please see our Security Journey Reporting API v3 documentation.
August 28, 2025
New: Developer Profile Fields in User Profile
August 22, 2025
New Lesson Release: IDOR (CWE-639: Authorization Bypass Through User-Controlled Key)
We’re excited to announce a new lesson inspired by a customer request!
This new lesson offers a fun, approachable way to understand Insecure Direct Object References (IDOR) and how attackers can exploit authorization bypass through user-controlled keys.
👉 Check it out here: (CWE-639: Authorization Bypass Through User-Controlled Key)
We’d love to hear your feedback!
August 21, 2025
CSV Support for Deleting Learner Attributes
Note: this does not apply to Developer Profile fields.
August 8, 2025
Assessment Updates
- Estimated Run Time – When creating an Assessment, admins will now see an estimated run time for each category. Learners will also see the estimate in the Assessments drop-down on the map/list view.
- Display During Launch – For untimed assignments, the estimated run time will also appear when learners launch the Assessment. For timed assignments, learners will see the total time allowed to complete it.
- Assessment Data API Endpoint – We now offer a customer-facing API for Assessment data. To learn more, check out this article.
July 31, 2025
Reporting Improvements and Content Release
Assignment Progress Report Update
Added learner completion date to give you clearer insight into training timelines and progress tracking.

New Path: Applied Cryptography
We’ve launched the Applied Cryptography path, designed to turn learners’ abstract understanding of cryptography into practical, real-world skills through engaging, hands-on lessons.
As part of this release, the Mutual TLS (mTLS) lesson introduces an interactive app set in an online video store scenario to demonstrate the benefits of a zero-trust architecture. You can find this under our Hands-on Only DevSecOps paths!

New Lesson: CWE-668 Exposure of Resource to Wrong Sphere
We’ve expanded CWE coverage with a lesson about OWASP On-the-Cusp vulnerabilities, paving the way for real-time CWE detection responses.
Bite-sized videos help you quickly learn and apply each concept. Check it out here!
New Language Support in Assessments
We’ve expanded the Secure Coding Assessment Pillar with support for Ruby and Go!
With this update, learners can now complete our secure coding assessment in two more popular languages, making assessments more accessible and relevant across a wider range of development teams.
July 17, 2025
Recommended Assignments
When learners complete a secure coding assessment, Security Journey can auto-generate a custom assignment tailored to their results.
This feature ensures each assignment is both data-driven and flexible—perfect for guiding users toward meaningful progress in their secure coding journey. To learn more, check out this article!
July 11, 2025
Assessment: User Summary Enhancement
The user summary now shows both the learner’s answer and the correct answer for every question in their assessment.
Learners can also provide question-level feedback directly from the user summary.
June 26, 2025
Tournament Results Export
June 16, 2025
New C++ Content
Our new C++ lessons take a different approach from previous sandbox-based lessons. They offer a development environment that’s more familiar to developers, including the ability to run unit tests and use an interactive debugger.
This setup is designed to enhance the learner experience and reduce the effort required to complete each lesson—while maintaining, or even increasing, overall learning effectiveness.
All of these lessons can be added to any of your custom paths. Check them out below:
CWE-120: Buffer Copy without Checking Size of Input
CWE-121: Stack-based Buffer Overflow
CWE-122: Heap-Based Buffer Overflow
CWE-124: Buffer Underwrite
CWE-1288: Improper Validation of Consistency within Input

June 12, 2025
Reporting Improvements
Completion Status
All reports now show "Completed" when a user has completed a lesson. Previously, our naming was inconsistent, showing "Passed" in some places and "Completed" in others.
You will also see this reflected across the app, like on the map and list legend.

Assignment Status Improvement
Previously, you would be marked as "not_started" if you had started a lesson in an assignment but not completed it. Now, if you are enrolled in your path and have spent any time working on a lesson, that row will show as "in_progress" if the assignment isn't overdue or completed.
June 3, 2025
OWASP Top 10 Proactive Controls
Our Content team has introduced 10 new lessons covering the OWASP Top Ten Proactive Controls. These short, easy-to-consume lessons teach learners how to follow each proactive security control.
You can get this content in front of your developers by leveraging our new Recommended Video and Hands-On Path titled "OWASP Top 10 Proactive Security Controls", or you can assign these lessons individually!
May 16th, 2025
"New Hire" Assessments and Assignment's Table UI Update
"New Hire" Assessments
You will now be able to auto-enroll any new Security Journey users into Assessments by leveraging the "New Hire" setting in the Assessment workflow. 
Assignment's Table UI Updates
We've updated some functionality to make it easier to follow up on or report out on your active assignments!
- We've added a way for you to quickly filter by Active or Inactive Assignments
- Simplified columns and added a 'Total' column for easy calculation

May 16th, 2025
Updated Language Support for AI/LLM Lessons
All our Hands-On AI/LLM lessons can now be taken in C++! Check out our AI/LLM path here.
Export to SCORM
We are excited to announce that you can now download our Secure Code Training in SCORM Format!
To learn more check out these articles:
May 5th, 2025
Assessment Scoring Improvements
We continue to improve our Assessment feature and rolled out several changes.
First, we updated the UI to include a new color scheme to be more in alignment with our goals and branding. There are no more stoplight colors (red, yellow & green).
We updated the scoring names:
- Needs Attention is now "Growth Opportunities"
- Opportunities for Improvement is now "Proficiencies"
- Strengths is unchanged
Additionally, we made some changes to our scoring:
- Growth Opportunities - 0 to 60%
- Proficiencies - 61 to 80%
- Strengths - 81 to 100
April 24th, 2025
New Congratulations Screen and Last Login Metric
Path Congratulations Screen
When a learner completes the last incomplete lesson on a path, they will see a congratulations screen after closing out of that lesson.
This modal will display a congratulatory message, the path name, how many lessons they've completed and quick actions to share or download their Certificate.
They will still receive their path congratulations email, which also directs them to share and download their certificate.
Last Login Metric
You asked, we delivered! The Users page now has a column titled "Last Login" that displays a timestamp of the last time a user has logged in to the platform.
This is the last column in the table before "edit" and is sortable by date.
April 21st, 2025
Redesigned User Management
Our Users page has been remodeled to provide better visibility into your users list and their attributes.
Learn more about how this update simplifies user management here!
April 4th, 2025
Test Connection Safelisting Tool
We are really excited to announce that we have developed a new page that can be used to test your organization's network connection. When a user or admin accesses this page, it will test all the required Security Journey domains and alert you if you need to work with your Network team to adjust your safelisting rules. If one of these domains is not accessible, our content may not work as expected.
Check it out here!
April 3rd, 2025
Learning Swing Modal Redesign
Our learning swing modal got a much needed face-lift!
April 2nd, 2025
New Content & Path Alert 🚨
Blockchain Security | Reentrancy
In our newly updated blockchain lesson, “Blockchain Security | Reentrancy”, we’ve added an interactive IDE that allows learners to fix vulnerabilities directly in the smart contract code. This hands-on approach strengthens our appeal to the DeFi sector—an area underserved by existing training platforms—and positions us to be a leader in blockchain security education.
You can access the lesson here: Blockchain Security | Reentrancy
Next.js Publicly Disclosed Vulnerability CVE-2025-29927
Our team created a CTF-style lesson to challenge learners to exploit CVE-2025-29927, a vulnerability discovered in Next.js middleware on March 21, 2025. This CVE allows attackers to bypass authorization checks in the middleware and access protected content. Learners can use either the intercept request feature or make a direct request using GetMan to access a protected page and capture the flag.
You can try the lesson here: CTF: Music Calendar Break-in
Secure Privilege Management
A customer requested training content focused on CWE-268: Privilege Chaining. In response, we delivered a focused set of four lessons that directly address this issue. These lessons will emphasize the core security principles necessary to understand and prevent privilege chaining vulnerabilities. Path details are as follows:
Insecure Design | Incorrect Privilege Assignment
- This lesson explores Incorrect User Management, highlighting the security risks that arise when the principle of least privilege is not adequately enforced.
Challenge: Setuid Vulnerability Exploitation
- In this challenge, you’ll examine a vulnerable setuid executable that runs with elevated privileges, exposing a critical security flaw. Your task is to analyze the program, identify the weakness, and exploit it to disable logins to the system.
Privilege Escalation: Container Escape
- In this lesson, you’ll explore how misconfigured Docker environments can lead to privilege escalation attacks. By interacting with Docker containers, you’ll learn how attackers can exploit improper permissions to gain unauthorized root access.
Privilege Chaining in Databases
- This hands-on lesson demonstrates how privilege chaining vulnerabilities can expose sensitive data in MySQL.
- Learners will exploit a misconfigured SQL view to access restricted salary information, despite lacking direct permissions. Through guided remediation, they’ll learn how to properly secure views using SQL SECURITY INVOKER and avoid common access control pitfalls when working with database objects.
You can find the path here.
March 27th, 2025
Certificate Redesign 🎉
We released a new look and feel for our Security Journey Certificates! This will apply to any new and previously completed paths. You can download your new certificates from your Achievements in your User Profile.
March 26th, 2025
Coding Challenge Instruction Refresh & Quiz Question Refresh
Coding Challenge Instructions Refresh
Code Challenges, which give learners access to a full codebase, were originally designed to follow our break/fix lessons. As a result, some challenges assumed prior knowledge—such as login credentials—gained in earlier lessons, making it difficult to complete them as stand-alone activities or in a tournament setting.
Our team has now revisited each Code Challenge to update and improve the instructions, ensuring that learners have all the information they need to complete the tasks independently!
Quiz Question Refresh
Our Content team has gotten a lot of feedback around improving the quiz questions in some of our older video lessons. For context, many of these quizzes were originally created by a third-party vendor, and the quality has been inconsistent—often lacking subject matter expertise and clarity.
In response, we’ve committed to reviewing and improving the quiz content in 80 lessons, with a focus on quality and providing meaningful feedback to learners. Over the past two weeks, we’ve updated 43 of those lessons. See the current updated lessons below:
- Introduction to Go security
- Go Threat Landscape
- Go and OWASP Top 10 | Part 1
- Go and OWASP Top 10 | Part 2
- Secure Coding in Go
- Secure Database Interactions in Go
- Go Request Context Security
- Secrets Management with Go
- Secure Concurrency with Go
- Go Secure Micro-service Architecture
- Go Service Hardening
- Python Threat Landscape
- Secure Constructs in Python
- Input Validation with Python
- Secure Coding with Python | Part 1
- Secure Coding with Python | Part 2
- Secure Coding with Python | Part 3
- Secure OS interactions with Python
- Secure Serialization with Python
- Storing and Using Secrets with Python
- Secure Control Flow in Python
- Introduction to Scala Security
- Scala Input Validation
- Scala OWASP Top 10 | Part 1
- Scala OWASP Top 10 | Part 2
- Scala OWASP Top 10 | Part 3
- Scala Software Supply Chain
- Scala Security Best Practices
- Introduction to Rust Security
- Rust Secure Coding Tips
- Unsafe Rust & FFI
- Rust OWASP Top 10 Pt. 1
- Rust OWASP Top 10 Pt. 2
- Rust OWASP Top 10 Pt. 3
- Rust Secure Software Supply Chain
- Rust Security Toolchain
- Typescript: Intro to Typescript Security
- Typescript: Secure Coding with Typescript part 1
- Typescript: Secure Coding with Typescript part 2
- Typescript: Input Validation for Typescript
- Typescript: Secure Constructs with Typescript Part 1
- Typescript: Secure Constructs with Typescript Part 2
- Typescript: Typescript Secure Build Toolchain
March 14th, 2025
Assessment Due Dates
We've already made improvements to our new Developer Security Knowledge Assessment experience by adding in the time limit or due date to the Map and List View.
March 12th, 2025
Developer Profile
Starting today, learners visiting the Security Journey Platform will be asked to complete the Developer Profile, which captures key details like:
- Their background and experience
- Preferred programming languages
- Job roles, architectural tools, and security knowledge
Capturing this information will allow you in the future to tailor training to each developer’s expertise and deliver more relevant and impactful content. To learn more about our Developer Profile, check out this article!
February 18th, 2025
New Top 25 CWE Path
Top 25 CWEs
25 NEW Video Lessons covering the Top 25 CWEs have been released!
MITRE Corporation, a leader in cybersecurity, maintains the CWE Top 25, a list of the most critical software weaknesses across various application types. Unlike the OWASP Top 10, which focuses on web application security, the CWE Top 25 includes vulnerabilities found in native applications and other non-web environments.
Customers have frequently asked about our coverage of this topic and we now have a comprehensive set of lessons to help learners understand and mitigate these critical security flaws!
It's at our Foundational Level. You can find it under Paths & Quests > Recommended Paths > Video and Hands-On > CWE Top 25.
February 14th, 2025
Updated OWASP Top 10 for LLM Applications 2025 Paths & NEW Hacking Challenges
OWASP Top 10 for LLM Applications 2025
Our team has released a new course that covers LLM Security, including lessons specific to the updated OWASP Top 10 LLM Application list.
We've also added a new video component to these hands-on lessons to streamline the learning experience. Learners who need additional depth can now watch relevant videos without leaving the hands-on lesson, making it easier to absorb key concepts in context.
You can find these new paths here:
- Paths & Quests > Recommended Paths > Hands-On Only > HackEDU: OWASP Top 10 for LLM Applications
- Paths & Quests > Recommended Paths > Video and Hands-On > AI/LLM Security
For more details check out this article.
Three New Hacking Challenges
This week, we introduced three new Capture The Flag (CTF) challenges:
- CTF based on a publicly disclosed WordPress vulnerability
- Birthday Attack - Hacking Challenge inspired by the birthday paradox
- Escape Macrodata Refinement - CTF inspired by the Apple TV+ series Severance.
February 11th, 2025
Developer Security Knowledge Assessments 🎉
NEW FEATURE ALERT! Our Developer Security Knowledge Assessments are LIVE!
Assessments is a powerful tool designed to evaluate developers' understanding of secure coding and application security principles.
Our assessment helps organizations measure and improve their teams' security proficiency, ensuring they are equipped to build secure applications from the ground up.
To learn more, check out this article and find out how you can use them today!
January 31st, 2025
Assignment Reminder Frequency Update & Reporting Improvements
Ability to Send Daily Assignment Reminders
Now, you can send daily reminders to your learners by updating your Assignment notification settings. Assignments can be updated at any time. Once enabled, learners will receive a bell notification once a day until they complete their training. If they don't clear their bell notification within an hour of receiving it, they will get an "Unread Notification" email reminding them of their assigned training.
New Path Filters
We recently rolled out some new filters within our Progress Report and Assignment Progress reports to make reporting on learners' progress in paths even easier!
Within the Progress Report and Assignment Progress report you can filter on path enrollment or identify learners who have not yet enrolled in a path. This report will allow you to track who has not yet logged in and started training.
January 23rd, 2025
CWE Filter Vulnerability Details on Hover
We've made using CWE Filters even easier! You can now hover your cursor over the CWE number to see the name of the vulnerability. This should make finding and assigning what you need even easier!
January 16th, 2025
CWE Filter Displays Total Lesson Count
The CWE Filter in the Custom Path UI now displays the count of total lessons associated with each CWE number.
- This mirrors the Full Catalog experience
- Please note that the numbers in the Full Catalog can be higher than in the Custom Path UI, as the Full Catalog displays Tournament-Only content (and the other UI does not)
January 9th, 2025
Navigation Bar & User Profile Updates 🎉
We've made some big improvements to our Platform Navigation Bar & User Profile settings.
Notable changes include:
- Log Out moved to the bottom of the User Profile dropdown
- More Menu has been removed and features reorganized
To learn more, check out this article!









