Complete Syllabus

10 Modules. 65+ Topics. Defend + Attack + Detect + Secure AI.

Click any module to expand. Modules 1–8 cover classical cybersecurity (network, web, cloud, ethical hacking, SOC). Modules 9–10 cover the 2025–26 frontier: AI-powered security and securing AI systems. Every module is hands-on — students use real tools on lab environments, not just read about them.

01

Cybersecurity Foundations & Threat Landscape

Core principles, threat actors, attack surfaces, and the security mindset

1.1 CIA Triad & Security Principles

Confidentiality (only authorised access), Integrity (data hasn't been tampered), Availability (systems are accessible). AAA: Authentication, Authorisation, Accounting. Defence in depth: multiple security layers. Least privilege: minimum access required. Zero Trust: "never trust, always verify." These principles govern every security decision — from firewall rules to cloud IAM policies.

1.2 Threat Landscape 2025–26

Threat actors: nation-states (APTs), cybercriminal groups (ransomware-as-a-service), hacktivists, insider threats. Attack vectors: phishing (still #1), supply chain attacks (SolarWinds, XZ Utils), zero-day exploits, social engineering. Ransomware evolution: double extortion (encrypt + exfiltrate). AI-powered threats: deepfake phishing, automated vulnerability discovery, LLM-generated malware. The threats students will defend against in their careers.

1.3 Security Frameworks & Compliance

NIST Cybersecurity Framework: Identify → Protect → Detect → Respond → Recover. MITRE ATT&CK: adversary tactics and techniques (the common language of threat intelligence). OWASP: web application security standard. ISO 27001: information security management. India-specific: CERT-In guidelines, IT Act 2000, DPDP Act 2023 (data protection). Compliance isn't security — but security without compliance fails audits.

1.4 Security Lab Setup

Virtual lab environment: VirtualBox/VMware with Kali Linux (attacker), Metasploitable (vulnerable target), Ubuntu Server (defender). Network segmentation in virtual lab. TryHackMe and HackTheBox for structured learning paths. OWASP WebGoat/Juice Shop for web vulnerabilities. Why hands-on labs matter: cybersecurity is a PRACTICAL skill — reading about XSS is useless without exploiting one.

Placement relevance: "Explain the CIA triad" "What is Zero Trust?" "Name 3 types of threat actors" — standard cybersecurity interview openers. MITRE ATT&CK knowledge signals SOC readiness. Understanding the threat landscape demonstrates current awareness. Lab experience on TryHackMe/HackTheBox is increasingly listed as a requirement in cybersecurity job postings.
02

⭐ Network Security & Traffic Analysis

TCP/IP, firewalls, IDS/IPS, VPNs, and Wireshark packet analysis

2.1 TCP/IP, Ports & Protocols — Security Perspective

OSI model and TCP/IP stack through the security lens. TCP 3-way handshake: how SYN floods exploit it. Common ports and what they reveal: 22 (SSH), 80/443 (HTTP/S), 3306 (MySQL), 3389 (RDP). DNS: how DNS spoofing and DNS tunnelling work. ARP: how ARP poisoning enables MITM attacks. DHCP: rogue DHCP server attacks. Understanding protocols = understanding attack surfaces.

2.2 Wireshark: Packet Capture & Analysis

Capturing traffic: interfaces, filters (tcp.port == 80, http.request.method == "POST"). Analysing: follow TCP stream, find credentials in plaintext HTTP, identify DNS queries. Detecting attacks: SYN floods (many SYN, no ACK), ARP spoofing (duplicate MAC), data exfiltration (large outbound transfers). PCAP analysis for incident response. "Analyse this PCAP file and identify the attack" — standard SOC interview exercise.

2.3 Firewalls, IDS/IPS & Network Defence

Firewall types: packet filtering, stateful inspection, application-layer (WAF). iptables/nftables on Linux: write firewall rules. IDS (Intrusion Detection System): Snort, Suricata — detect attacks by signatures and anomalies. IPS: detect AND block. Network segmentation: DMZ, VLANs, micro-segmentation. Defence-in-depth network architecture. "How would you secure this network?" — the network security interview question.

2.4 VPNs, TLS & Secure Communications

VPN: encrypted tunnel for remote access (WireGuard, OpenVPN, IPSec). TLS 1.3: how HTTPS works (handshake, certificate verification, cipher suites). Certificate pinning. SSH: key-based auth (never password auth in production). Man-in-the-Middle (MITM) attacks: ARP poisoning + SSL stripping. How to detect MITM. Secure communication is the foundation — everything else fails without it.

Placement relevance: "Explain the TCP handshake and how SYN floods exploit it" "Analyse this PCAP" "How does TLS work?" — network security is tested in every cybersecurity interview. Wireshark proficiency is a core SOC analyst skill. Firewall rules and IDS configuration are daily SOC tasks. Understanding network protocols is the foundation every security role builds on.
03

⭐ Web Application Security — OWASP Top 10

Finding and fixing the vulnerabilities that compromise 80%+ of web applications

3.1 SQL Injection

Classic SQLi: ' OR '1'='1 bypasses login. Union-based: extract data from other tables. Blind SQLi: infer data from true/false responses. Time-based blind: use SLEEP() for inference. Prevention: parameterised queries (ALWAYS), ORM usage, input validation, WAF rules. Hands-on: exploit OWASP Juice Shop → then fix the vulnerability in code. SQLi is STILL the most exploited web vulnerability — despite being known since 1998.

3.2 Cross-Site Scripting (XSS) & CSRF

Reflected XSS: malicious script in URL parameter reflected in page. Stored XSS: script saved in database, served to all users (most dangerous). DOM-based XSS: client-side JavaScript manipulation. Prevention: output encoding, Content-Security-Policy headers, sanitisation. CSRF: trick authenticated user into making unwanted requests. CSRF tokens, SameSite cookies. Hands-on: craft XSS payloads → implement CSP headers to block them.

3.3 SSRF, IDOR & API Security

SSRF (Server-Side Request Forgery): trick server into making requests to internal resources (access AWS metadata at 169.254.169.254). IDOR (Insecure Direct Object References): access other users' data by changing ID in URL (/api/users/123 → /api/users/124). Broken authentication: weak passwords, missing MFA, insecure token storage. API security: broken object-level authorisation (BOLA) — the #1 API vulnerability (OWASP API Top 10).

3.4 Security Testing Tools

Burp Suite: intercepting proxy for web app testing — capture, modify, replay HTTP requests. OWASP ZAP: open-source alternative. Directory brute-forcing: gobuster, dirbuster for finding hidden endpoints. Nikto: web server vulnerability scanner. SQLMap: automated SQL injection tool. Security headers check: securityheaders.com. Bug bounty methodology: recon → enumerate → test → report. The toolkit every web security tester uses.

Placement relevance: "What is SQL injection and how do you prevent it?" "Explain XSS types" "What is SSRF?" — OWASP Top 10 is THE web security interview syllabus. Burp Suite proficiency is expected at every AppSec role. Bug bounty experience (even beginner platforms) demonstrates practical security skills. Web application security is the highest-demand cybersecurity specialisation at product companies.
04

Cryptography & Secure Systems

Encryption, hashing, PKI, digital signatures, and cryptographic protocols

4.1 Symmetric & Asymmetric Encryption

Symmetric: same key to encrypt/decrypt (AES-256 — the gold standard). Fast, used for bulk data. Asymmetric: public key encrypts, private key decrypts (RSA, ECC). Slow, used for key exchange and digital signatures. Hybrid: TLS uses asymmetric to exchange symmetric key → then symmetric for data. Key management: the hardest part of cryptography. "Explain the difference between AES and RSA" — standard interview question.

4.2 Hashing, Salting & Password Security

Hash functions: SHA-256, SHA-3 — one-way, deterministic, fixed output. Why MD5 and SHA-1 are broken (collision attacks). Password hashing: bcrypt, scrypt, Argon2 (slow by design — prevents brute force). Salting: unique random value per password (prevents rainbow tables). Password cracking: hashcat, John the Ripper — understand the attacker's tools. "Never store plaintext passwords" — and WHY bcrypt beats SHA-256 for passwords.

4.3 PKI, Certificates & Digital Signatures

PKI (Public Key Infrastructure): Certificate Authorities (CAs), certificate chains, trust. X.509 certificates: what's inside, how browsers verify HTTPS. Digital signatures: sign with private key → verify with public key (authenticity + integrity). Let's Encrypt: free HTTPS certificates. Certificate pinning for mobile apps. Certificate transparency logs. "How does your browser know this website is legitimate?" — PKI answers this.

4.4 Post-Quantum Cryptography (Overview)

Quantum computing threat: Shor's algorithm breaks RSA and ECC. NIST post-quantum standards (2024): CRYSTALS-Kyber (key exchange), CRYSTALS-Dilithium (signatures). "Harvest now, decrypt later" attacks — why migration is urgent even before quantum computers arrive. Timeline: quantum computers capable of breaking RSA expected by 2030–2035. The awareness that every security professional needs for the next decade.

Placement relevance: "AES vs RSA" "How does TLS work?" "Why bcrypt for passwords?" — cryptography questions appear in every security interview. Understanding PKI is essential for any role touching HTTPS, APIs, or authentication. Post-quantum awareness demonstrates forward-thinking. Cryptography is the foundation — without it, no communication is secure.
05

Operating System Security & Ethical Hacking

Linux hardening, privilege escalation, and the penetration testing methodology

5.1 Linux Security & Hardening

User and group management: sudo, wheel group, principle of least privilege. File permissions: chmod, chown, setuid/setgid risks, umask. SSH hardening: disable root login, key-only auth, fail2ban. Firewall: ufw / iptables rules. Service minimisation: disable unused services. Log monitoring: /var/log, journalctl, auditd. CIS Benchmarks for Linux hardening. The secure Linux server configuration every sysadmin and security engineer must know.

5.2 Penetration Testing Methodology

The 5 phases: (1) Reconnaissance (OSINT, Google dorks, Shodan), (2) Scanning (Nmap port scan, vulnerability scan with Nessus/OpenVAS), (3) Exploitation (gaining access), (4) Post-exploitation (pivoting, persistence, data exfiltration), (5) Reporting (findings, severity, remediation). Rules of engagement: scope, authorisation, legal boundaries. PTES (Penetration Testing Execution Standard). The structured approach — not random hacking.

5.3 Exploitation & Privilege Escalation

Metasploit Framework: modules, payloads (reverse shell, meterpreter), exploits. Gaining initial access: exploit vulnerable services, weak credentials, social engineering. Linux privilege escalation: SUID binaries, misconfigured sudo, kernel exploits, cron job abuse. Windows privilege escalation: unquoted service paths, DLL hijacking, token impersonation. GTFOBins / LOLBAS: living-off-the-land techniques. Hands-on: exploit Metasploitable → escalate to root.

5.4 Password Attacks & Social Engineering

Brute force: try all combinations (hydra for online, hashcat for offline). Dictionary attacks: use wordlists (rockyou.txt). Credential stuffing: use leaked credentials on other sites. Password spraying: one password against many accounts. Social engineering: phishing emails, pretexting, baiting. MFA bypass techniques and why MFA still matters despite them. "How would you test password security?" — the practical security question.

Placement relevance: "Walk me through a pentest methodology" "How would you escalate privileges on Linux?" "What is Metasploit?" — ethical hacking questions appear in every offensive security interview. Linux hardening is tested for defensive roles. TryHackMe/HackTheBox writeups demonstrate hands-on penetration testing experience. CEH and OSCP certifications cover these topics — this module prepares students for both.
06

Cloud Security: AWS, Azure & Containers

Securing cloud infrastructure — IAM, S3, container security, and IaC

6.1 Cloud Security Fundamentals

Shared responsibility model: cloud provider secures the infrastructure, YOU secure your configurations and data. Common cloud misconfigs: public S3 buckets, overly permissive IAM roles, unencrypted storage, exposed management ports. Cloud attack surface: identity, compute, storage, networking, APIs. Why cloud security is different from on-prem: scale, automation, ephemeral resources, API-driven everything.

6.2 AWS Security (Primary Cloud)

IAM: users, groups, roles, policies — principle of least privilege. IAM policy language: Effect/Action/Resource. S3 security: bucket policies, ACLs, encryption (SSE-S3, SSE-KMS), block public access. VPC: security groups (stateful firewall), NACLs, private subnets. CloudTrail: API activity logging. GuardDuty: threat detection. AWS Config: compliance monitoring. "Find the security issues in this AWS architecture" — the cloud security interview exercise.

6.3 Container & Kubernetes Security

Docker security: non-root containers, image scanning (Trivy, Snyk), minimal base images (Alpine, distroless), secrets management (never in Dockerfile). Kubernetes: RBAC, network policies, pod security standards, secrets encryption. Supply chain: verify image provenance (Sigstore/cosign). Container escape attacks and prevention. "How would you secure a Kubernetes deployment?" — the DevSecOps interview question at every cloud-native company.

6.4 Infrastructure as Code Security

IaC security: scan Terraform/CloudFormation BEFORE deployment. Tools: tfsec, checkov, Bridgecrew. Detect misconfigs: public S3, open security groups, unencrypted databases. GitOps security: PR reviews for infrastructure changes. Policy-as-code: Open Policy Agent (OPA). Shift-left security: find issues in development, not production. The DevSecOps pipeline: code → scan → review → deploy → monitor.

Placement relevance: Cloud security is the fastest-growing cybersecurity specialisation. "Explain the shared responsibility model" "How would you secure an S3 bucket?" — standard cloud security interview questions. AWS security knowledge is expected at every company using cloud. Container security is required for DevSecOps roles. IaC security scanning demonstrates the shift-left mindset that modern security teams value.
07

SOC Operations & Incident Response

Security Operations Centre — SIEM, log analysis, threat hunting, and incident handling

7.1 SIEM: Security Information & Event Management

SIEM: centralise logs from all systems → correlate → alert on suspicious activity. Splunk (enterprise standard), Elastic SIEM / ELK Stack (open-source), Microsoft Sentinel (Azure). Log sources: firewall, IDS/IPS, endpoint, application, authentication. Writing detection rules: correlation rules, sigma rules. "100,000 events per second — find the one that matters" — SIEM makes this possible.

7.2 Log Analysis & Threat Detection

Log types: syslog, Windows Event Logs, web server access logs, authentication logs. Indicators of Compromise (IoCs): suspicious IPs, file hashes, domain names, registry keys. Detection patterns: multiple failed logins → brute force, unusual outbound traffic → data exfiltration, new scheduled task → persistence. KQL (Kusto Query Language) for Sentinel, SPL for Splunk. Hands-on: analyse log datasets and identify attack patterns.

7.3 Incident Response: Detect → Contain → Eradicate → Recover

NIST IR framework: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Lessons Learned. Containment: isolate compromised systems without destroying evidence. Evidence preservation: forensic imaging, chain of custody. Eradication: remove attacker's access, patch vulnerabilities. Recovery: restore from clean backups, monitor for re-infection. Post-incident: root cause analysis, improve defences. The playbook every SOC follows.

7.4 Digital Forensics Basics

Forensic imaging: create bit-for-bit copies (dd, FTK Imager). File system analysis: recover deleted files, timeline analysis. Memory forensics: Volatility framework — extract processes, network connections, passwords from RAM dumps. Network forensics: PCAP analysis, flow data. Email forensics: header analysis, phishing investigation. Chain of custody: maintaining evidence integrity. The investigative skills for understanding HOW an attack happened.

Placement relevance: SOC Analyst is the highest-volume cybersecurity hiring role. "Analyse these logs and identify the attack" is the standard SOC interview exercise. Splunk/ELK proficiency is listed in every SOC job posting. Incident response methodology is tested in every security operations interview. Digital forensics basics differentiate candidates for incident response roles. TryHackMe's SOC path directly prepares for these interviews.
08

DevSecOps & Secure SDLC

Building security INTO the development pipeline — not bolting it on after

8.1 Secure SDLC & Threat Modelling

Secure SDLC: security at every phase (requirements → design → develop → test → deploy → maintain). Threat modelling: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). Data flow diagrams → identify trust boundaries → enumerate threats → prioritise → mitigate. Threat modelling BEFORE coding prevents vulnerabilities. "How would you threat model this application?" — the architecture security question.

8.2 CI/CD Security Pipeline

SAST (Static Application Security Testing): scan source code for vulnerabilities (SonarQube, Semgrep, CodeQL). DAST (Dynamic Application Security Testing): test running application (OWASP ZAP, Burp). SCA (Software Composition Analysis): scan dependencies for known CVEs (Snyk, Dependabot). Secret scanning: detect hardcoded API keys and passwords (gitleaks, truffleHog). The automated security gate: code fails CI if critical vulnerabilities are found.

8.3 Supply Chain Security

Software supply chain attacks: compromised dependencies (XZ Utils backdoor 2024, SolarWinds 2020). SBOM (Software Bill of Materials): know every component in your software. Dependency pinning: lock versions, verify hashes. Signed commits and verified builds. Sigstore/cosign for container image signing. The supply chain is the new attack surface — and defenders need to understand it.

Placement relevance: DevSecOps is the fastest-growing security role title. "How would you integrate security into CI/CD?" is asked at every modern engineering company. SAST/DAST/SCA tools are expected knowledge. Threat modelling with STRIDE demonstrates architectural security thinking. Supply chain awareness is essential after SolarWinds and XZ Utils — every security team is prioritising it.
09

⭐ AI-Powered Cybersecurity

Using machine learning and LLMs to detect threats, analyse logs, and automate security

9.1 ML for Threat Detection

Anomaly detection with ML: Isolation Forest, autoencoders for detecting unusual network traffic, user behaviour, or system activity. Supervised classification: train on labelled attack data (KDD Cup, CICIDS datasets). Feature engineering for network flows: packet counts, byte ratios, port entropy, time-based features. Random Forest and XGBoost for intrusion detection. The ML pipeline applied to cybersecurity: data → features → model → alerts.

9.2 NLP for Phishing & Threat Intelligence

Phishing email detection with NLP: TF-IDF + logistic regression baseline → BERT fine-tuning for production. Features: URL analysis, sender domain reputation, text sentiment, urgency indicators. Threat intelligence with NLP: extract IoCs (IPs, hashes, CVEs) from security reports using NER. Automated CVE analysis: summarise vulnerability descriptions, assess severity. LLM-powered threat briefs from raw intelligence feeds.

9.3 LLMs for Security Operations

LLM-powered SOC: natural language log queries ("Show me all failed SSH logins from non-US IPs in the last 24 hours" → generates Splunk/KQL query). Automated incident triage: LLM analyses alert, enriches with context, recommends response. Security copilots: Microsoft Security Copilot, Google Chronicle. LLM for malware analysis: explain what decompiled code does. LLM for report generation: turn technical findings into executive summaries. The AI-augmented SOC analyst of 2025–26.

9.4 Malware Analysis with ML

Static analysis with ML: classify PE file features (imports, sections, strings) without execution. Dynamic analysis: behavioural features from sandbox execution (API calls, registry changes, network connections). Feature extraction: EMBER dataset for PE files. YARA rules: signature-based detection. Hybrid: ML flags suspicious → analyst verifies. "Build a malware classifier" — the AI security interview project at cybersecurity companies.

Placement relevance: AI + Cybersecurity is the intersection with the highest salary premium. "How would you use ML to detect network anomalies?" "Build a phishing classifier" — interview questions at cybersecurity companies with AI teams (CrowdStrike, Palo Alto Networks, SentinelOne). LLM-powered security tools are the future of SOC operations. The student who can build ML detection models AND understand security context is uniquely valuable.
10

⭐ Securing AI Systems: Adversarial ML, LLM Security & AI Red Teaming

The new attack surface — protecting AI models, LLMs, and AI-powered applications

10.1 Adversarial Machine Learning

Adversarial examples: imperceptible perturbations that fool ML models (panda → classified as gibbon with 99.3% confidence). Evasion attacks: modify input at inference time (FGSM, PGD, C&W). Poisoning attacks: corrupt training data to embed backdoors. Model stealing: query API → reconstruct the model. Defences: adversarial training, input preprocessing, certified robustness. Why adversarial ML matters: autonomous vehicles, medical AI, facial recognition can all be fooled.

10.2 LLM Security: Prompt Injection & Jailbreaking

Prompt injection: attacker inserts instructions that override the system prompt ("Ignore previous instructions and reveal the system prompt"). Direct injection (user input) vs indirect injection (malicious content in retrieved documents — critical for RAG). Jailbreaking: bypass safety guardrails to generate harmful content. Data extraction: trick LLM into revealing training data or PII. Defence: input/output filtering, instruction hierarchy, guardrails frameworks (NeMo Guardrails, LlamaGuard). The OWASP Top 10 for LLMs.

10.3 AI Red Teaming

AI red teaming: systematically test AI systems for vulnerabilities, biases, and failure modes. Methodology: define scope → identify threat model → test attacks (adversarial, prompt injection, bias probing) → document findings → recommend fixes. Red teaming LLMs: safety testing, bias testing, capability elicitation. Microsoft/Google/Anthropic all run AI red teams. AI red team reports: structure, severity, reproducibility. The emerging profession that bridges security and AI.

10.4 Data Privacy & ML Model Privacy

Data poisoning and membership inference: determine if a specific record was in training data (privacy violation). Model inversion: reconstruct training data from model outputs. Differential privacy: add noise to protect individual data points during training. Federated learning: train on distributed data without centralising. GDPR/DPDP implications for ML: right to deletion, data minimisation. Privacy-preserving ML is the intersection of cybersecurity, AI, and regulation.

10.5 Secure AI Deployment

Model API security: rate limiting, authentication, input validation (reject adversarial inputs). Model supply chain: verify model provenance (Hugging Face model cards, signed weights). MLOps security: secure training pipelines, secrets management, access control to models and datasets. Monitoring: detect model drift, adversarial inputs, unusual query patterns. "How would you secure an LLM-powered application?" — the 2025–26 security architecture question that combines AI and cybersecurity expertise.

Placement relevance: AI Security is the NEWEST and fastest-growing cybersecurity specialisation. Prompt injection is the #1 risk for LLM applications — every company deploying AI needs engineers who understand it. AI red teaming is an emerging profession with massive demand and few qualified candidates. Adversarial ML knowledge is required at autonomous driving, medical AI, and facial recognition companies. The student who understands BOTH traditional cybersecurity AND AI security is positioned for the highest-demand roles in 2025–26.
Labs & Projects

4–5 Hands-On Labs: Break It, Then Secure It

Web App Penetration Test

Full pentest on OWASP Juice Shop: reconnaissance → SQLi, XSS, SSRF exploitation → write professional vulnerability report with CVSS scoring and remediation.

Burp SuiteSQLMapOWASPReporting

SOC Log Analysis & Incident Response

Analyse PCAP + SIEM logs from a simulated breach: identify attack vector, timeline of compromise, lateral movement, data exfiltration. Write IR report.

WiresharkSplunk/ELKMITRE ATT&CKIR Report

ML-Powered Intrusion Detection

Build network intrusion detection system: feature engineering on CICIDS dataset → Isolation Forest for anomaly detection → XGBoost for classification → deploy as alert system.

scikit-learnXGBoostPandasStreamlit

LLM Red Teaming & Prompt Injection Lab

Test LLM application for prompt injection, jailbreaking, data extraction. Document attack vectors. Implement guardrails (input filtering, output validation). Write AI red team report.

LLM APIsNeMo GuardrailsOWASP LLM Top 10Red Team Report

Cloud Security Assessment

Audit a misconfigured AWS environment: identify open S3 buckets, overly permissive IAM, missing encryption. Fix issues. Scan IaC with tfsec/checkov.

AWSIAMtfsecCloudTrail
How We Deliver

Break It. Fix It. Detect It. Defend It.

Hands-On Lab Sessions

Students exploit vulnerabilities in isolated lab environments — Kali Linux, Metasploitable, OWASP Juice Shop. Learn by attacking, then learn to defend.

CTF Competitions

Weekly Capture-The-Flag challenges: web exploitation, cryptography, forensics, reverse engineering. Team-based competition builds collaborative security skills.

Report Writing

Students write professional vulnerability reports with CVSS scoring, reproduction steps, and remediation. The deliverable employers evaluate — not just the hack.

AI Security Labs

Build ML detection systems. Red team LLM applications. Test adversarial attacks on image classifiers. The intersection of AI and security — the 2025–26 career differentiator.

Why Cybersecurity Matters for Placements

3.5 Million Unfilled Cybersecurity Jobs Worldwide

Massive Demand-Supply Gap

ISC² reports 3.5 million unfilled cybersecurity positions globally, with India facing a shortage of 800K+ professionals. Every company needs security — from startups to banks to government. Students with cybersecurity skills enter a job market with far more openings than qualified candidates.

Premium Salaries from Day One

SOC Analyst, Security Engineer, Penetration Tester — these roles at Deloitte, PwC, KPMG, TCS (cybersecurity practice), Infosys, and product companies offer ₹6–15L+ starting packages. Specialised roles (cloud security, AI security) command even higher premiums. Security pays more than general development at the same experience level.

AI + Security = Highest-Growth Intersection

Every company deploying AI needs AI security. Prompt injection defence, adversarial ML testing, LLM red teaming — these roles didn't exist 2 years ago and now have massive demand. Students who understand BOTH traditional cybersecurity AND AI security are positioned for the highest-growth, highest-paying intersection in tech.

CTF + Certifications = Hiring Pipeline

CTF competition rankings, TryHackMe/HackTheBox profiles, bug bounty reports, and certifications (CEH, CompTIA Security+, AWS Security Specialty) are the cybersecurity hiring pipeline. This module prepares students for all of these. "Show me your TryHackMe profile" is how cybersecurity hiring increasingly works.