BOLA and BFLA patterns in REST and GraphQL endpoints, with live exploitation walkthroughs.
Security knowledge that holds up under real conditions.
Most security courses cover the concepts. Skelvorad focuses on what happens when those concepts meet production code — authentication flows that break under edge cases, injection points buried in legacy APIs, misconfigured headers that pass automated scans but fail a manual review.
Where the platform stands in the field
Skelvorad's curriculum has been referenced in discussions at OWASP chapter events and cited by independent security researchers who reviewed the content structure. The platform does not claim awards or rankings — recognition here comes from practitioners who found the material technically sound enough to recommend to their colleagues.
The webinar format was deliberately chosen because security is a moving discipline. Static course recordings age quickly. Live sessions allow instructors to address recently disclosed vulnerabilities, walk through CVEs that appeared in the previous month, and answer questions that no pre-recorded video anticipated.
- Curriculum reviewed against OWASP Top 10 (2021 edition) and updated each quarter
- Referenced by security researchers at three independent community forums
- Participant materials distributed across 38 countries without regional paywalls
- Session recordings archived and accessible to enrolled participants for 12 months post-event
Connected to conditions in the field right now
The gap between published security guidance and actual attack patterns observed in production systems is wider than most training materials acknowledge. Skelvorad sessions draw directly from incident reports, penetration test findings, and bug bounty disclosures that are current at the time of delivery — not from a syllabus written two years prior.
Each module maps to a specific class of vulnerability: server-side request forgery in cloud-hosted services, broken object-level authorization in REST APIs, prototype pollution in Node.js applications. The scope is narrow by design. Covering one area with depth produces more durable understanding than surveying everything at surface level.
SQL, NoSQL, and template injection — identifying them in code review and in running applications.
JWT misuse, session fixation, and token leakage through referrer headers and browser storage.
Metadata endpoint exposure, DNS rebinding, and filter bypass techniques observed in real deployments.
Dependency confusion, malicious packages, and integrity verification in CI/CD pipelines.
DOM clobbering, prototype pollution, and postMessage misuse in modern single-page applications.
The people who built and deliver the content
The instructors at Skelvorad are not career educators who moved into security. They are practitioners — people who have spent years doing penetration testing, secure code review, and incident response — who also happen to be capable of explaining what they do. That distinction matters when the material covers edge cases that only surface in real engagements.
Building the curriculum took longer than anticipated because the team insisted on testing every claim against actual environments before including it. Several modules were rewritten after the initial draft produced results in lab conditions that did not replicate in production. What remains is narrower in scope but considerably more reliable.
Nine years in offensive security, primarily focused on web application assessments for financial institutions. Contributed to three CVE disclosures in widely used open-source libraries.
Previously led the security engineering function at a mid-size SaaS company. Specialises in API authorization flaws and cloud-native attack paths.