Internship Project at Cybears

Cybersecurity Education Platform

LMS + GRC Compliance + Phishing Simulations

Next.js
TypeScript
Tailwind CSS
Django REST Framework
PostgreSQL
Docker
GitHub

Code and demo not publicly available (company project)

The Problem

Organizations struggle to build cyber resilience. Traditional training consists of boring PDFs that employees click through without absorbing. There's no connection between training content and compliance requirements, and employees never face realistic threat simulations until a real attack happens.

My Approach

  1. Worked within the CyLabs R&D division at Cybears to design and build the platform from scratch
  2. Built a Learning Management System with a clear structure: Course → Module → Lesson → Quiz, including gamification (badges, achievements, leaderboards)
  3. Implemented a Compliance Module (GRC) that maps training content to frameworks and controls; managers can align awareness efforts with organizational policies
  4. Developed Phishing Campaign features: creating fake landing pages, email push mechanisms that avoid spam filters, and tracking employee responses
  5. Added an escalation system that alerts employees who haven't completed training, then escalates to managers and admins if ignored

What It Looks Like

Manager dashboard: Track completion rates, compliance status, and phishing campaign results
LMS: Structured learning path (Courses → Modules → Lessons → Quizzes) with gamification
Phishing Campaigns: Create simulated attacks with fake landing pages to test employee awareness

Technical Decisions

Next.js + Django REST instead of a monolithic framework

Separated frontend and backend for better scalability. Next.js gave us fast server-side rendering and modern React patterns. Django REST provided robust API development with built-in security features.

PostgreSQL for relational data

The data has complex relationships: users → courses → modules → lessons → quizzes → compliance frameworks → controls. A relational database made these connections manageable and queryable for admin dashboards.

Refresh token rotation with blacklisting for auth

Standard JWTs are vulnerable if stolen: a stolen token remains valid until it expires. Refresh token rotation limits that window of exposure, and blacklisting allows immediate session termination. Security-by-design was a core principle.
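
The rotation and blacklisting scheme described above, as an added example that is not the platform's code: each refresh token is single-use, and a replayed or logged-out token is rejected through a `jti` blacklist. The in-memory set, the 7-day lifetime, the HS256 signing and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # constructed demo key; load from a secret store in practice
REFRESH_TTL = 7 * 24 * 3600       # assumed refresh lifetime (seconds), not from the page
blacklist = set()                 # jti of every rotated or revoked token; a DB table in practice

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(msg: str) -> str:
    return b64(hmac.new(SECRET, msg.encode(), hashlib.sha256).digest())

def issue_refresh(user_id, now=None):
    now = int(time.time()) if now is None else now
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "jti": secrets.token_hex(16), "exp": now + REFRESH_TTL}
    body = b64(json.dumps(claims).encode())
    return f"{header}.{body}.{sign(header + '.' + body)}"

def verify_refresh(token, now=None):
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, body, sig = parts
    # Always verify with HMAC-SHA256; the header's "alg" field is never trusted.
    if not hmac.compare_digest(sig.encode(), sign(f"{header}.{body}").encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now:
        raise PermissionError("expired")
    if claims["jti"] in blacklist:
        raise PermissionError("blacklisted (already rotated or revoked)")
    return claims

def rotate(token, now=None):
    """Exchange a valid refresh token for a new one; the old one becomes unusable."""
    claims = verify_refresh(token, now)
    blacklist.add(claims["jti"])
    return issue_refresh(claims["sub"], now)

def logout(token):
    """Terminate the session by blacklisting its current refresh token."""
    blacklist.add(verify_refresh(token)["jti"])
```

Blacklisting a refresh token does not invalidate access tokens that were already issued from it, so those need a short lifetime of their own.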

Docker for containerized deployment

Ensured consistent environments across development and production. Made it easier for the team to onboard and for future deployment to client infrastructure.

Tradeoffs & Limitations

Every project has constraints. Here's what I chose not to build and why:

  • Built MVP versions of some manager features due to time constraints—prioritized core LMS and phishing functionality
  • Chose custom authentication over OAuth/SSO—faster to implement initially, but the team recommended adding SSO for enterprise clients later
  • Phishing email delivery required careful tuning to avoid spam filters—still an ongoing challenge for the team
  • Mobile version was recommended for future development but not implemented during the internship

Outcome

Delivered a functional MVP integrating all three components: LMS, GRC compliance module, and phishing campaigns. Resolved performance issues including Next.js hydration errors and optimized load times (LCP improvements). The platform architecture I built became the foundation for Cybears' production version. Received positive feedback for the platform's usability and security-by-design approach.

What I Learned

  • First experience working in a real cybersecurity company—understood how awareness training connects to broader organizational security strategy
  • Learned Agile in practice: sprint planning, daily stand-ups, code reviews, and collaborating across departments (CyBrain for compliance alignment, CyBright for learning content)
  • Deepened understanding of security concepts: phishing tactics, social engineering, GRC frameworks, and how to bake security into code from the start
  • Improved debugging skills—resolving hydration errors, optimizing database queries, and handling real production issues
  • Learned to communicate technical decisions to both developers and non-technical stakeholders