Mission control for the two-course platform.
GRC learning platform

Learn GRC by doing the work.

Start with IT GRC Practitioner. Move into Industry Specialized GRC Analyst once the core is solid. Every module unlocks in order so learners read, watch, check, and then build inside the lab.

Pathways: 2. One practitioner path and one industry path.
Capstones: 11. Hardcore finals across the full platform.
Lab: 1 engine. Shared system underneath every course and industry.
Active users: 3.5K. People already building inside the lab.
Event count: 112K. Real mission and workspace actions this year.
Views: 57K. Visits across courses, missions, and workspaces.
Avg. session duration: 8m 34s. Focused time spent learning by doing.
Pathways

Two pathways. One shared operating system.

The platform should feel coherent from the first practitioner module to the final industry capstone. Same engine underneath. Different context on top.

Delivery model

Every module moves in order.

No static page dumps. No skipping into the lab cold. The learner moves through the same sequence every time, then unlocks the next step.

01 Theory: Learner reads a short applied concept block that frames the operating move.
02 Video: Learner watches the guided walkthrough or demo tied to the same move.
03 Knowledge check: Learner passes a short quiz or scenario-based check before proceeding.
04 Guided mission: Learner completes the lab-linked task that changes an artifact, decision, or system state.

Lesson unlock: Every lesson step unlocks only after the current step is completed.
Module unlock: Every module unlocks the next module only after the required lessons, quiz checks, and mission outputs are complete.
Course unlock: Projects and capstones stay locked until the required mission clusters are complete.
Unified lab

One lab. Different context.

The engine stays unified. The context changes. That is how assets, evidence, and decisions stay practical across industries.

Core engine: Shared infrastructure. One shared lab engine powers assets, risks, controls, evidence, findings, reporting, and decision records across the whole platform.
Adaptation rule: Context swaps on top. The engine stays unified, but each course or industry path swaps in context packs: different asset types, evidence shapes, stakeholders, frameworks, and decision pressure.

Example 01: Assets in IT GRC focus on SaaS, identities, endpoints, cloud services, vendors, and business systems.
Example 02: Assets in OT or critical infrastructure add zones, conduits, safety systems, field devices, uptime constraints, and resilience dependencies.
Example 03: Evidence in privacy or AI governance leans toward DPIAs, model cards, data maps, consent records, and monitoring logs instead of generic audit files.
Industry paths

Specialize without leaving the platform.

Healthcare, financial services, privacy, AI, OT, government, and more. Every path ends with its own dedicated capstone.

Industry path

Healthcare

Protected health data, clinical workflows, vendor reliance, and breach pressure under real regulatory constraints.

HIPAA · HITRUST · HICP
Build a healthcare assurance pack for a digital-health platform under HIPAA and HITRUST pressure.
Industry path

Financial Services

ITGC breakdowns, payment controls, change governance, and control reliance for regulated financial systems.

SOX ITGC · PCI DSS 4.0 · GLBA
Defend a financial-controls programme under SOX, PCI, and audit committee pressure.
Industry path

Privacy & Data

Consent, minimization, retention, DPIAs, and privacy-by-design decisions tied to real product behavior.

GDPR · CCPA · ISO 27701
Run a privacy programme review with DPIA, retention, and consent failures in scope.
Industry path

AI Governance

Model risk, training data controls, impact assessment, monitoring drift, and governance by design.

ISO 42001 · EU AI Act · NIST AI RMF
Stand up an AI governance programme pack with model risk, monitoring, and AI Act obligations.
Industry path

OT / ICS

Zones and conduits, safety impact, reliability tradeoffs, and constrained evidence in industrial environments.

IEC 62443 · NERC CIP · NIST 800-82
Run an OT / ICS programme review where uptime, safety, and segmentation tradeoffs all matter.
Industry path

Government

Authorization logic, continuous monitoring, SSP thinking, and public-sector assurance expectations.

FedRAMP · FISMA · CJIS
Support a government authorization decision with SSP-style evidence and continuous-monitoring logic.
Industry path

Energy & Utilities

Critical infrastructure risk, outage exposure, regulatory scrutiny, and operational continuity under pressure.

NERC CIP · C2M2 · EPA
Defend an energy resilience programme under outage, regulator, and critical-system pressure.
Industry path

Telecom & Media

Service continuity, customer-data obligations, communications confidentiality, and large-scale dependency risk.

NIS2 · ePrivacy · 3GPP Security
Run a telecom continuity and customer-data programme review with dependency and outage pressure.
Industry path

GRC Engineering

Turn static compliance into automated controls, evidence pipelines, policy-as-code, and continuous assurance.

OSCAL · Rego · Terraform
Build a GRC engineering assurance system with policy-as-code, evidence automation, and traceability.
Why people stay

The subscription has to keep getting stronger after the course.

The course gets the learner in. Ongoing casework, drills, and capstone improvement keep the platform useful once the core path is finished.

Weekly drills: Short, high-pressure reps that keep judgment sharp after the core path is complete.
Monthly case drops: Fresh company scenarios so the platform keeps producing new decisions, not the same worksheet every month.
Proof tune-ups: Revisit your projects and capstones, tighten the artifacts, and improve what you would actually show in interviews.