# Top 10 Dev Training

> Affordable developer security training with OWASP Top 10 modules, quizzes, formal attestations, and exportable audit trails. Built for SOC 2 and ISO 27001 compliance.

Top 10 Dev Training is a web-based security awareness training platform for software development teams. It provides structured, self-paced courses with scored quizzes, formal attestations, team management, campaign-based assignments, and compliance-ready audit trail exports.

## What it does

- Delivers OWASP Top 10 (2025) security training across 10 modules
- Delivers General Security Awareness (GSA) training across 9 modules covering foundational security concepts for every developer
- Provides scored, retakable quizzes per module to verify understanding
- Issues formal attestations upon course completion (all modules must be passed)
- Generates timestamped compliance reports exportable as CSV for SOC 2 and ISO 27001 auditors
- Enables company admins to invite team members, assign training credits, and track individual progress
- Supports campaign-based training assignments with optional due dates and auto-enroll for new users
- Enforces company-level security policies: required MFA, required SSO, and allowed sign-in methods
- Provides a full audit log of all training and account activity per company

## Who it is for

- Software engineering teams at startups and SMBs
- Engineering managers who need proof of security training for auditors
- Compliance leads preparing for SOC 2 Type II or ISO 27001 certification
- Any organization that needs to demonstrate developer security awareness training

## Pricing

- $11.99 per learner per year
- All courses included at one price; no per-module fees or upsells
- Company admins purchase training credits and assign one to each team member
- Credits must be assigned within 12 months of purchase
- Once assigned, each credit is valid for 12 months from the date of assignment
- No subscriptions or automatic renewals

## Authentication methods

- Email and password (default)
- GitHub OAuth (requests email and display name only; user:email scope; no write permissions)
- Google OAuth (requests email and display name only; no write permissions)
- TOTP-based MFA via any compatible authenticator app (Google Authenticator, Authy, 1Password, etc.)

## Company security controls (admin-configurable)

- Require MFA: blocks dashboard access for any team member who has not enrolled a TOTP factor
- Require SSO: disables email and password login, enforcing GitHub or Google as the only sign-in method
- Allowed auth methods: each sign-in method (email/password, GitHub, Google) can be enabled or disabled independently
- Domain restriction: automatically adds new users to the organization when they sign in via GitHub or Google OAuth using an email address matching the configured company domain; email/password sign-ups still require a manual invite

## Credit system

- Credits are purchased by company admins via Stripe (one-time purchase, no recurring billing)
- One credit per learner unlocks access to all included courses
- Pool expiration: credits must be assigned within 12 months of purchase date
- Per-user expiration: 12 months from the date of assignment to the learner
- Reassignment: a credit can be reassigned to a different team member if the originally assigned learner has not yet completed a course
- Once a learner completes a course and signs their attestation, the credit is permanently consumed

## Training campaigns

- A campaign links a course to a group assignment with an optional due date
- New users who join the organization can be auto-enrolled in the campaign course (optional toggle per campaign)
- Admins track completion rates, assigned count, and per-user progress per campaign
- Multiple campaigns can run simultaneously across different courses or cohorts

## Partner program

- Referral-based partner program available at /partners
- Partners receive a unique referral link containing their referral code (?ref=CODE)
- Referred buyers can receive a discount applied automatically at Stripe checkout via a promotion code
- Partner earns a commission (configurable percentage of each sale) on conversions attributed to their link
- 30-day attribution window: the referral cookie persists for 30 days from the initial visit
- Partner dashboard shows earnings, conversion history, and payout requests
- Payouts are approved manually by platform administrators

## Audit and compliance

- Full company-level audit log recording: quiz passed/failed (with score), course enrolled, invite sent, user joined, attestation signed, password changed, credit assigned
- Compliance report exported as CSV, filterable by course, enrollment type (campaign vs. direct), attestation status, and date range
- Report columns: enrollment ID, course code, course title, learner name, email, role, enrollment type, enrolled date, completed date, attested date, modules passed count, total modules, individual module scores
- Row-level security enforced at the database layer: no company can access another company's data

## Courses included

### OWASP Top 10:2025 (10 modules)

1. A01 Broken Access Control: https://top10devtraining.com/courses/owasp/01
2. A02 Security Misconfiguration: https://top10devtraining.com/courses/owasp/02
3. A03 Software Supply Chain Failures: https://top10devtraining.com/courses/owasp/03
4. A04 Cryptographic Failures: https://top10devtraining.com/courses/owasp/04
5. A05 Injection: https://top10devtraining.com/courses/owasp/05
6. A06 Insecure Design: https://top10devtraining.com/courses/owasp/06
7. A07 Authentication Failures: https://top10devtraining.com/courses/owasp/07
8. A08 Software or Data Integrity Failures: https://top10devtraining.com/courses/owasp/08
9. A09 Security Logging and Alerting Failures: https://top10devtraining.com/courses/owasp/09
10. A10 Mishandling of Exceptional Conditions: https://top10devtraining.com/courses/owasp/10

### General Security Awareness (GSA, 9 modules)

1. 01 Security Fundamentals & Your Role: https://top10devtraining.com/courses/gsa/01
2. 02 Social Engineering & Phishing: https://top10devtraining.com/courses/gsa/02
3. 03 Passwords & Authentication: https://top10devtraining.com/courses/gsa/03
4. 04 Data Classification & Handling: https://top10devtraining.com/courses/gsa/04
5. 05 Access Control & Least Privilege: https://top10devtraining.com/courses/gsa/05
6. 06 Safe Browsing & Secure Work Habits: https://top10devtraining.com/courses/gsa/06
7. 07 Vendor & Third-Party Risk: https://top10devtraining.com/courses/gsa/07
8. 08 AI Tools & Security: https://top10devtraining.com/courses/gsa/08
9. 09 Incident Reporting & Response: https://top10devtraining.com/courses/gsa/09

## Training content access

Module training content (reading material) is publicly accessible without an account at the URLs listed above. Quizzes, progress tracking, attestations, and compliance reports require a sign-in and a paid training credit assigned by a company admin.

## Key URLs

- Homepage: https://top10devtraining.com
- FAQ: https://top10devtraining.com/faq
- Guides: https://top10devtraining.com/guides
- Trust and Security: https://top10devtraining.com/trust
- Privacy Policy: https://top10devtraining.com/privacy
- Terms of Service: https://top10devtraining.com/terms
- Partners: https://top10devtraining.com/partners
- RSS feed (guides): https://top10devtraining.com/rss.xml
- Full module content (for AI ingestion): https://top10devtraining.com/llms-full.txt

## Operator

NGU Digital, LLC · DBA Top 10 Dev Training
https://top10devtraining.com