Frequently Asked Questions
Everything you need to know about OWASP training, compliance, and how Top 10 Dev Training works.
What is the OWASP Top 10?
The OWASP Top 10 is a widely recognized list of the most critical security risks to web applications, published by the Open Web Application Security Project (OWASP). The current edition is OWASP Top 10:2025, covering risks like Broken Access Control, Injection, Cryptographic Failures, and more. It is referenced by SOC 2, ISO 27001, PCI DSS, and other compliance frameworks as a baseline for developer security awareness.
What is SOC 2 and why does developer security training matter?
SOC 2 is an auditing standard that assesses how a company manages data security and privacy. Auditors routinely ask for proof that developers have completed security awareness training. Top 10 Dev Training provides the modules, scored quizzes, formal attestations, and timestamped compliance reports that satisfy this requirement out of the box.
Who is this training designed for?
Software engineering teams at startups and SMBs that need to demonstrate security training for compliance audits (SOC 2, ISO 27001) without enterprise-scale budgets or complex LMS setup. Engineering managers, compliance leads, and founders preparing for their first audit are the primary audience.
What courses are included?
All courses are included at one price. Currently available: the OWASP Top 10 (2025) course covering 10 modules, and the General Security Awareness course covering foundational security concepts for every developer on your team. New courses are added automatically for all customers at no extra cost.
How much does it cost?
$11.99 per learner per year. All courses are included, with no per-module fees or upsells. Company admins purchase training credits and assign them to team members.
How long does training take to complete?
The average completion time is approximately 50 minutes across all included courses. Individual modules are short and self-paced, making it easy to fit into a workday.
How is progress tracked?
Each team member's progress is tracked per module and per course. Company admins can view a real-time dashboard showing who has started, who has completed each module, and who has passed the associated quiz. Progress data is timestamped and included in exportable compliance reports.
What is a formal attestation?
Upon completing all modules in a course, a learner signs a formal attestation, a digital record confirming they completed the training. Attestations include the learner's name, completion date, and a timestamp. These are a key piece of evidence for SOC 2 auditors.
Can I export proof of training for an auditor?
Yes. Company admins can export a full compliance report at any time, including each team member's name, modules completed, quiz scores, completion timestamps, and attestation status. This is exactly what a SOC 2 or ISO 27001 auditor needs.
Does this support teams and organizations?
Yes. Company admins can invite members via email, assign training credits, create training campaigns with due dates, and monitor progress across the entire team from a single dashboard.
Is this training useful for ISO 27001 or NIST compliance?
Yes. ISO 27001 (Annex A.7.2.2) and NIST SP 800-53 both require security awareness training for personnel. The OWASP modules and General Security Awareness course directly satisfy these requirements, and the exportable audit trail provides the documented evidence auditors look for.
Is the training content freely accessible?
Yes. All module reading material is publicly accessible without an account. Taking quizzes, tracking progress, generating attestations, and exporting compliance reports require a sign-in and a paid training credit.
How do training credits work?
Training credits are the unit of access. Company admins purchase credits in bulk and assign one to each team member. Each credit unlocks all available courses for that learner. Credits must be assigned within 12 months of purchase. Once assigned, each credit is valid for 12 months from the date of assignment. There are no subscriptions or automatic renewals.
Can I require MFA for everyone on my team?
Yes. Company admins can enforce multi-factor authentication (MFA) at the company level. When required, team members must enroll a TOTP authenticator app (Google Authenticator, Authy, 1Password, or any compatible app) before they can access their dashboard. MFA enforcement is configured in company security settings.
Can my team sign in with GitHub or Google?
Yes. GitHub and Google OAuth are available as sign-in options alongside email and password. Company admins can restrict sign-in to GitHub or Google only, disabling email and password login entirely, for organizations that want to enforce identity through a known OAuth provider. Each method can be toggled independently in company security settings.
What is a training campaign?
A campaign links a course to a group assignment with an optional due date. When you create a campaign and invite users, new team members who join are automatically enrolled in the assigned course. Admins can track completion rates per campaign from the dashboard. Campaigns make it easy to run a company-wide training push and see who has finished by a specific deadline.
What happens if someone fails a quiz?
Quizzes are retakable with no limit on attempts. Each attempt presents a fresh set of questions. Progress is tracked per attempt, and the most recent result is reflected in reports. All modules in a course must be passed before a learner can sign their formal attestation.
How do I add my whole team at once?
During onboarding, or from the Invites tab in company settings, you can paste a list of email addresses to send invitations in bulk. Each person receives an email with a unique invite link. You can also enable domain restriction so that team members who sign in via GitHub or Google with a matching company email address join automatically without a manual invite.
What is domain restriction?
Domain restriction automatically adds users to your organization when they sign in via GitHub or Google OAuth using an email address that matches your configured company domain. For example, if your domain is acme.com, any user who authenticates via GitHub or Google with an @acme.com address is added to your organization without a manual invite. Domain restriction is optional and is configured in company settings. Users who register with email and password still require a manual invite regardless of their email domain.
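To make the matching rule concrete, here is a small illustration of a domain-restriction check of the kind described above. This is an added example, not Top 10 Dev Training's own code; it assumes the OAuth provider hands back an e-mail address together with a verified flag, and that the company has configured a single domain such as acme.com. The point it demonstrates is that the domain must be compared as a whole and case-insensitively, since a suffix test would also accept addresses like alice@notacme.com.

```python
"""Illustrative domain-restriction check (added example, not the product's code).

Assumptions: the OAuth provider returns an e-mail address and whether it is
verified; the organization has configured one company domain.
"""
from typing import Optional


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if malformed."""
    if email.count("@") != 1:          # reject missing or doubled '@'
        return None
    local, _, domain = email.partition("@")
    if not local or not domain:
        return None
    return domain.lower()


def domain_matches(email: str, company_domain: str) -> bool:
    """Exact, case-insensitive comparison of the whole domain.

    A check such as email.endswith("acme.com") would also accept
    "alice@notacme.com" and "alice@acme.com.example", so the full domain
    string is compared instead.
    """
    domain = email_domain(email)
    return domain is not None and domain == company_domain.strip().lower()


def should_auto_join(provider_email: str, email_verified: bool, company_domain: str) -> bool:
    """Decide whether an OAuth sign-in may join the organization without an invite.

    Only a verified provider address on the configured domain qualifies;
    anything else falls back to a manual invite, as the FAQ describes.
    """
    return email_verified and domain_matches(provider_email, company_domain)


# Constructed sample sign-ins (not real accounts).
SAMPLE_SIGNINS = [
    ("alice@acme.com", True),
    ("Bob@ACME.COM", True),
    ("carol@acme.com", False),              # address not verified by the provider
    ("dave@notacme.com", True),
    ("eve@acme.com.example", True),
    ("frank@acme.com@evil.example", True),  # malformed: two '@' signs
]


def evaluate(signins, company_domain: str = "acme.com") -> dict:
    """Map each sample address to the auto-join decision."""
    return {email: should_auto_join(email, verified, company_domain) for email, verified in signins}


if __name__ == "__main__":
    for email, ok in evaluate(SAMPLE_SIGNINS).items():
        print(f"{email:32} -> {'auto-join' if ok else 'manual invite'}")
```

The verified flag is the assumed part: an unverified provider address proves nothing about who controls the mailbox, which is the same reason the FAQ keeps email-and-password sign-ups on the manual-invite path.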
Can I reassign a credit to a different person?
Yes. If a team member leaves or is replaced before completing their training, their credit can be reassigned to someone else. Once a learner completes a course and signs their attestation, the credit is permanently consumed and cannot be transferred.
Do you offer a free trial?
There is no free trial for the full platform, but all training module content is publicly readable without an account. Anyone can visit the course modules and read the material before purchasing. Quizzes, progress tracking, attestations, and compliance reports require a paid credit.