Release Notes


May 2022

May 16, 2022

Major updates

Create and manage courses more easily with our new Courses creation experience

Instead of taking time replicating the process, you can focus more on the content and strategy to help your developers learn more effectively with the new Courses.

Courses tabular view

Get early access to new features

You can now turn on new beta-testing features by using the Early Access options in the Administration area. No more manual enablement needed. Early Access options are currently available for company admins.

Early Access options

Secure ABAP applications with newly released training content

Finally, ABAP engineers can also enjoy developer-led security training. ABAP coding challenges are available across Training, Courses, Tournament, and Assessment playmodes (and Missions are coming soon).

ABAP coding challenge

Other updates

  • An improved home page view is available for early access.
  • Updated microlearning experience for developer tooling integrations.
  • Added more vulnerability modules for course managers to select under “Target Specific Vulnerabilities” mode in the Courses creation flow.
  • Added a specific subcategory, “Insufficiently Protected Credentials”, under the “Authentication” category (already containing 147 challenges and available for 33 different languages:frameworks).
  • Added Missions for “Buffer Overflow” vulnerability.

April 2022

April 14, 2022


NEW OWASP course templates - build upon your developer’s knowledge and security awareness. CONTENT

  • OWASP Top 10 Introduction - a new and more robust introduction to the OWASP Top 10 for developers including 10 missions (for each category in OWASP) as well as videos and challenges.
  • Program Certification Level 5 with missions - focusing on OWASP 6-10 containing easy, medium, and hard missions and hard challenges.

NEW Video: Path Traversal vulnerabilities - Prevent attackers from getting unauthorized access to files on your webserver. In this video learn how to identify and review file system interactions within an application. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorized access to files or even execute arbitrary code on the server. CONTENT

Get actionable secure coding guidance to resolve vulnerabilities faster - with our two new integrations. INTEGRATIONS

  • GitLab Integration: Get more out of your GitLab’s scan results, by linking to highly relevant coding challenges - selected based on vulnerability descriptions and CWE IDs.
  • Synopsys Seeker Integration: Developers can get a deeper understanding of the vulnerability and how it should be resolved with access to secure coding explainer videos and training links in the Online Training tab findings from Seeker.


Serving improved quality content to help your developers get the most out of their training. CONTENT

  • Improved challenge content quality for Java: Basic and Java: Spring.
  • Improved challenge selection/prioritization for Training/Assessments/Courses: challenges will be prioritized based on quality and served to developers based on the ‘thumbs up’ rating developers provide as feedback.

Report on the progress and success of your application security program with improved Training metrics. CONTENT

  • Removed the ‘time played’ requirement for ‘Security Maturity’ - this metric will now focus purely on how well a developer is progressing in their training rather than how long they’ve spent on the platform.
  • Aligned metrics - ‘Accuracy’, ‘Time spent’, ‘Challenges played’ and ‘Confidence Level’ to Courses metrics, ensuring consistent metrics across the whole platform.
    If you have any questions on how this update may affect your reporting for Training Metrics, please contact customer support.

March 2022

March 14, 2022


Content now available for our latest (58th) language:framework - PHP:Laravel CONTENT

  • 45 challenges ( 30 - easy, 15 - medium) have been added

New challenges in existing language:frameworks have been added CONTENT

  • Java Basic - 28 new challenges
  • Python Basic - 12 new challenges
  • GO Basic - 12 new challenges


Want your Java developers to learn more about the Log4j vulnerability? You can now set up a course by adding only Log4j-specific activities to a course without having any other vulnerabilities in the mix. CONTENT

Consistent learning experience - a range of content quality updates were rolled out for the following languages:frameworks: CONTENT

  • C:Basic
  • C
  • Java:Spring API
  • C# (.NET): Core

Course template for Certification Level 5 (OWASP 6-10) has been introduced with 7 missions and 16 challenges. CONTENT

February 2022

February 7, 2022


Released  a public Log4j mission for developers to practice offensive skills. Inside the mission, developers will receive step-by-step guidance to mock-exploit the Log4j vulnerability in a simulated web browser. CONTENT

Added walkthroughs to 6 more existing course templates: CONTENT

  • Security Awareness
  • SCW Recommendations
  • Program Certification Level 1
  • Program Certification Level 2
  • NIST_EO_14028

Added 12 more walkthroughs (in total 26) to better align with OWASP Top 10 2021. Program managers can now build a comprehensive OWASP Top 10 2021 course with 1 walkthrough for each high-prevalence, high-impact subcategories. CONTENT

Added 10 more challenges to Java:Spring for support of OWASP Top 10 2021 (529 challenges). CONTENT


Updated all Certification Program courses templates with the latest OWASP Top 10 2021. CONTENT

Improved the support for deprecated content in courses and assessments, preventing confusion among developers. Before this update, the existing courses or assessments with deprecated content would use random challenges to fill in the gap, which led to confusion. From now on, developers can continue to assess the deprecated challenges instead of random ones, along with a warning explaining that these are outdated content. CONTENT

December 2021

December 13, 2021


Course Templates:

  • Program Certification Level 4 (with Missions). CONTENT
    Content focused on OWASP 1-5 (based off OWASP 2021 for web languages)
  • C/C++ Embedded now supported in the following course templates.
    - OWASP TOP 10 Awareness
    - OWASP TOP 10 Awareness 2021
    - SCW Recommendations
  • 3 New Videos covering the following vulnerabilties, the videos explain the vulnerability subcategory at a high level with examples and solutions. CONTENT
    - Authentication - Use of Single-factor Authentication.
    - Side-channel vulnerability - URL caching
    - Side-channel vulnerability - Data sent to 3rd parties


  • Enable continuous developer learning in Azure Boards, a task tracking tool that helps teams plan, track and discuss their work. Learn more about it here.
    - Download the plugin from VisualStudio marketplace here. INTEGRATIONS
  • Hdiv Security delivers continuous security that natively integrates into all stages of the software lifecycle (SDLC), automating application security. Hdiv’s Unified Application Security platform accurately finds security vulnerabilities and protects applications, microservices, and APIs from a broad range of attacks and exploits, including those that can be considered design flaws. Learn more about the Hdiv Integration. INTEGRATIONS


  • New and updated challenges: CONTENT
    - Python Flask: adding more medium/hard challengers - 93 challenges (▲28)
    - C++ embedded: - 50 challenges (▲20)
    - Java:Spring - 522 challenges (▲17)
  • Content Quality Improvements: Starting off with 30 Java:Spring challenges, we’ve ramped up our never ending commitment to improving the quality of our content. CONTENT

November 2021

November 8, 2021


Walkthroughs and missions in courses PLATFORM

  • Missions and walkthroughs enable developers to see the impact of poor coding practices by interacting with vulnerabilities on a live system and testing against them
  • With this month’s release, you can get started with 19 walkthroughs and 50 missions. To learn more about vulnerabilities covered and language:frameworks, please refer to the help article for Walkthroughs and Missions.
  • Try out a walkthrough mission to see it in action right away - this is the walkthrough of the latest Path Traversal vulnerability announced by Apache on 4th Oct (CVE-2021-41773) CONTENT


New and updated challenges: CONTENT

  • Python Django - 234 challenges (▲15)
  • Typescript - 28 challenges (▲8)

Accessibility: PLATFORM

Colour contrast on key elements in the platform, such as buttons and labels, has been improved to meet AA accessibility standards - progressively enabling a better and inclusive user experience for all.


API endpoints now include both primary user identifiers - email address and user_id. This provides improved consistency and convenience for API callers needing to match user activity across the various API endpoints.

October 2021

October 10, 2021


Added new templates to include the recently-released OWASP Top 10 2021 web standard, providing options for developers to receive up-to-date training. CONTENT

  • Courses - OWASP Top 10 Awareness template, supporting the latest OWASP Top 10 2021 web standard, as well as other current standards: OWASP Top 10 2016 mobile standard and OWASP Top 10 2019 API standard.
  • Assessments - "OWASP Top 10 Web" template, available for 7 language:frameworks: C# (.NET) MVC, C# (.NET) Web Forms, Java Enterprise Edition (JSP), Java Spring, JavaScript Node.js (Express), Python Django, Salesforce Apex.

Added support for SAML RelayState redirection in SSO configurations. By leveraging this update, program managers are able to connect internal tools with specific Courses or Assessments at scale. Tested by one of our largest clients, this configuration has successfully enabled 20,000+ developers to have a seamless SSO login experience when accessing targeted SCW Courses and Assessments, from right inside their existing learning management system. Learn more about its configuration here. INTEGRATION


Added more challenges: CONTENT

  • C:Embedded - 51 (▲33)
  • Javascript:Node.js API - 43 (▲8)
  • Python:Basic - 53 (▲15)

Added special Infrastructure-as-Code (IaC/cloud) challenges for the global tournament (Devlympics 2021). Rest assured, these new Challenges will still be available in the platform after Devlympics: CONTENT

  • CloudFormation - 42 (▲5)
  • Terraforms - 51 (▲4)
  • Kubernetes - 49 (▲2)

Courses UX improvement. We are continuously improving the experience of managing Courses at scale. PLATFORM

  • Inside Courses Management page, we've added:
    - "Manage Participants" button (previously inside each Courses editing page) to make editing participants easier.
    - "Publish (Unpublish)" option inside "More".
  • Inside each Courses editing page, we've:
    - Added "Enter Edit Mode" modal for better clarity on impacts and options for edit. When you need to edit a Course, you need to click this button to start the process. After it’s clicked, a modal will pop up to explain what the impact is to the participants and what you can edit (depending on the Course status).
    - Supported badge and notification settings even if a Course is published.

September 2021

September 13, 2021


New language:frameworks: CONTENT

  • C++ for embedded systems is now available - 30 challenges.
  • C for embedded systems only available in Courses - 18 challenges.
  • RPG: Basic - 18 challenges.

3 New Courses templates: CONTENT

  • Security Awareness 101: This course is pre-filled with videos and starter-level challenges that introduces the user to software security and the most prevalent vulnerabilities. Modules include: Application Security Concepts, Web App Security 101 and Threat Modeling.

  • Certification Program level 1, level 2 and level 3 (program-in-a-box), currently supports OWASP Web languages and frameworks:
    - OWASP 1-5 - Certification Program level 1 covering vulnerabilities from OWASP category 1 to 5 - beginner level,
    - OWASP 6-10 - Certification Program level 2 with a recap for OWASP category 1 to 5 and covering vulnerabilities from OWASP category 6 to 10 - beginner level.
    - OWASP & SCW recommendations - Certification Program level 3 with a recap for OWASP category 1 to 10 and additional SCW recommended categories - intermediate level.
  • Security Measures for "EO-Critical Software" Use Under Executive Order (EO) 14028 - This course is based on the National Institute of Standards and Technology (NIST) guidance on security measures for EO-critical software use as directed by the Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, May 12, 2021. Includes support for the following language groups: Web, API, Infrastructure as Code (IaC) and Mobile.


Added more challenges to 4 languages with the aim of improving the variety of challenges and reducing repetitiveness in content: CONTENT

  • Terraform - 47 challenges (▲12), new challenges expand on the vulnerability and difficulty coverage of content around Terraform.
  • Java:Spring - 505 challenges (▲10).
  • PseudoCode:Basic - 175 challenges (▲11).
  • Java:Basic - 80 challenges (▲15).

Improved Courses management navigation: PLATFORM

  • Added new navigation buttons at bottom of screen - providing course admins with clear direction during the course creation process.
  • Breadcrumbs have now been replaced with tabs dividing setup into Content, Participants and Settings - this will improve maneuverability along the edit flow of courses.
  • Add/Remove Languages' functionality has been removed from the setup wizard. Languages that are supported by a particular course template will now be shown on the left hand-side column on the screen.
  • New ‘course status’ indicators, providing the user with a better indication of the status of the course:
    - 'Cancel and exit’ out of course creation (which will prompt you to name and save the course).
    - 'Save draft' button and ‘Last saved’ indicator, providing the user with visibility as to last time the course had been saved.
Improved Courses Management Navigation
Improved Courses management navigation

Secure Code Warrior for GitHub now supports contextual learning in pull request review comments. The plugin will, when available, display relevant learning content by scanning for common vulnerability references and names are found in the comments - added by users or SAST tools. INTEGRATION

Secure Code Warrior for GitHub

August 2021

August 9, 2021


Our integration with Kondukto is live. An AppSec Orchestration and Correlation platform, Kondukto provides a unified view of vulnerabilities discovered at each stage in the SDLC via various commercial and open-source security tools. The integration will help link to hyper-relevant learning based on detected vulnerabilities. INTEGRATION


Several experiential enhancements have been completed for Courses PLATFORM

  • Video categories and subcategories have been added to reiterate the categories that the vulnerability belongs to - helps viewers associate the video with the right categories that they may explore further later.
Display category and sub-category of the videos
  • An updated look for the wizard navigation with easy-to-follow steps to make it simple for admins to set up courses.
Improved wizard navigation
  • Inclusive language - Secure Code Warrior is proud of its diverse global team and customers. Diversity has always influenced the way we work, build our products, and grow our teams. As first announced in December 2020, we embarked on a journey to ensure the user of inclusive language. We are happy to announce that it has now been completed across all areas of our products. CONTENT
  • Updated Course Template - OWASP Top 10 or equivalent has been introduced that also covers languages where specific OWASP definitions are not available. For e.g. IAC or front-end languages. CONTENT


Fixed a bug that severely affected performance for some of our customers on our US instance

July 2021

July 12, 2021


  • Added a new type of videos - security architecture/design: CONTENT
  1. Threat Modeling Overview
  2. S.T.R.I.D.E

  • Cloudogu has developed an integration with Secure Code Warrior on premise in their SCM-Manager platform. The plugin serves up contextual SCW resources within pull requests and comments for developers to understand and fix security issues faster. It works by identifying common vulnerability names and phrases in the pull request and comment text. INTEGRATION


  • Every Sensei recipe is now stored as a single file in YAML format - making it easier to read, review and maintain them in a version control system. SENSEI

  • XML recipes now utilize the YAML format to make recipe creation as convenient as the Java recipes. SENSEI

  • Increased challenge volumes for 2 languages to improve engagement: CONTENT
  • Kubernetes - 47 Challenges (Δ12)
  • PL/SQL:Basic - 54 Challenges (Δ10)

  • Improved the clarity of the Help Menu option labels, making it easier and faster for you and your team to get support. PLATFORM


Deprecation of AngularJS was officially implemented on July 1st, you can no longer access it on Training mode, nor can you create new AngularJS Courses or Tournaments. However, you can still access existing ones. CONTENT PLATFORM

June 2021

June 14, 2021


Added New language:framework Content

  • Bash (30 challenges)
  • Cobol:Mainframe (17 challenges)


Improved challenge quality: Content

  • C++ , a popular language on the platform, has undergone content rework, improving the quality of up to 25% (34) of total challenges available for developers to tackle.

Terminology review and update - ‘white’/'black' list terminology in learning resources has been renamed to ‘allow’/'deny' list, ensuring that all terms used on the platform are current and respectful to developers of all backgrounds.

Improvement and expansion to Course templates: Content

  • Improved guidance and messaging for company course admins, to ensure a smoother and less confusing experience during course creation. The new messaging will provide the user with the necessary information to make the correct edits to modules, especially when validation is required for overlapping content when multiple predefined modules are added. Content Platform

Course Focus page - Improved guidance for company course admins, when selecting course focus during course creation (better descriptions about the template and areas of focus), providing a more efficient and informative user experience during course creation. Content Platform

Warrior Connect partners - We’ve partnered with a number of global technology and regional service providers in the DevSecOps ecosystem to provide contextually relevant training material on findings that will help developers understand and resolve security issues, and arm them with the knowledge and skills to help prevent these vulnerabilities from re-occurring:

Sensei Feature Highlight: Library Scope - Discover more about the most loved features of Sensei. Read more (3 min read)

May 2021

May 3, 2021


Streamlined the user experience of End of Course Activity for messages and assessments. PLATFORM

  • Developers will be auto-invited to an assessment linked to a course, freeing application security managers from the endless admin tasks of inviting and guiding developers to the Assessments.
  • Developers can now access their end of course activity (message or assessment) as the last module on the Course break-down page.

Missions (bonus level) in Tournaments are available for PHP: Basic and Scala: Play. CONTENT


Added more challenges to 2 languages: CONTENT

  • C#(.NET): Basic - 71 challenges (▲7).
  • C#(.NET): Web API - 54 challenges (▲7).

Continuously improved content quality of Javascript:Node.js, providing better learning experience for the developers. CONTENT

Improved the calculation methods of “Challenge Played“ to better indicate engagement level and provide more clarity. Renamed “Language Progress“ dashboard as “Quest Progress“ in the platform and added “Unique Challenge Played“ column in CSVs. PLATFORM


Support for Internet Explorer 11 (IE 11) will be retired by 1st July 2021. For now, we have completed stop supporting API Missions in IE 11. We recommend that customers consider using an alternative browser to avoid a sub-optimum experience. PLATFORM

April 2021

April 6, 2021


Introducing PHP to the platform with 36 challenges. CONTENT

3 new languages now available to play bonus-level missions in Tournaments including Python, Python:Flask, Java. CONTENT


Added more challenges to 3 languages: CONTENT

  • PHP: Symfony - 51 challenges (▲20).
  • Java: Enterprise Edition API - 80 challenges (▲45)
  • Pseudocode - 164 challenges (▲15).

Improved challenge quality: CONTENT

  • JavaScript:Node.js Express, a popular language on the platform, has undergone content rework, improving the quality of challenges for developers to tackle - 337 challenges.
  • JavaScript: Vue.js, content has been realigned to Secure Code Warrior recommended Top 5 categories for front-end languages, providing more relevant content to front-end developers - 43 challenges.

Improvement and expansion to Course templates: CONTENT
PCI-DSS Course template has been made available to API languages - providing relevant course templates to companies that require courses for API languages.

  • C# (.NET):Web API
  • GO:API
  • Java:Enterprise Edition API
  • Java:Spring API
  • JavaScript:Node.js API
  • Kotlin:Spring API
  • Python:API

Admins will now also be able to download csv-files listing all available content, making them aware of the full breadth and depth of content available to them. The three csv-files (challenges, videos and missions) are available in the administration section under the report tabs. CONTENT

Edit function to published/unpublished courses (applicable only to courses where no developers are enrolled). Course admins will now  be able to edit the content of a course that has already been published (or unpublished), this will provide administrators the freedom and flexibility to continue making changes to the course content (add/delete modules and activities) up until course enrollment is opened up for developers. PLATFORM

Changes to the Add/Edit Activity screen in Courses.

  • A Checkpoint toggle is now available within the Challenge tab. This will allow the administrator the option to include a checkpoint challenge at setup.
    The order of activities has been updated. Admins will now see Challenges first in this list, improving the setup experience as Challenges are typically the the most frequently added activity in a course. PLATFORM
  • Course progress API endpoint reporting will now include ‘enrolled’ and ‘completed’ date for Courses.This will allow customers who utilize Reporting APIs to setup the necessary tracking to demonstrate training progress of developers required for compliance purposes (for example PCI - DSS compliance). PLATFORM

Check out the Sensei Product Update - March 2021. Discover the latest improvements to the user experience of Sensei, Secure Code Warrior's IntelliJ plugin and start writing quality code even faster. Learn more here. SENSEI


Support for Internet Explorer 11 (IE 11) will soon be retired. PLATFORM

In preparation for Microsoft’s end-of-support for IE11 the Secure Code Warrior Learning Platform will be retiring support for IE 11 as of 1st July 2021. Until this date, the browser can still be used to access the platform, however, it is recommended that customers consider using an alternative browser as continued use may result in a sub-optimum experience when using the platform.

Retiring Angular.JS language:framework. PLATFORM
In conjunction with Google and the Angular team’s announcement (three years ago) of their end-of-support for AngularJS from December 31 2021, the Platform will also be retiring Angular.JS language:framework content.Customers currently training on AngularJS are encouraged to transition their program to Further communication will be sent out over the next few months.

March 2021

March 1, 2021


Added auto-send notification for Courses end-date changes. Courses admins can choose to send out email communications to relevant developers when they change the end-date of a published course, making sure developers are well-informed of the changes. PLATFORM

Enabled 4 additional API languages in Missions: CONTENT

  • C# (.NET): Web API
  • Python: API
  • PseudoCode: API
  • GO: API


Added accuracy and confidence data on top of the progress data for Courses leaderboard ranking, providing better insights for program managers to gauge developer skill levels in the team. PLATFORM

Added more challenges to 4 languages: CONTENT

  • JavaScript: React - 145 challenges (▲25).
  • (2+) - 133 challenges (▲12).
  • C#: Basic - 64 challenges (▲24).
  • CloudFormation - 37 challenges (▲1), reaching Course-ready.

Reworked the first batch of Node.js challenges, keeping the training content fresh and up-to-date. CONTENT

Realigned Angular and React with a new top 5 categories, making the training more focused on front-end vulnerabilities. The new categories are: CONTENT

  • Cross-site scripting (XSS)
  • Vulnerable components
  • Unvalidated redirects and forwards
  • Information exposure
  • Injection flaws

February 2021

February 1, 2021


Enabled PCI-DSS Recommendations course templates for security program manager to align the training more tightly with PCI requirements 6.5. CONTENT

Added Secure Code Warrior Recommendations course templates for developers to receive a more up-to-date training on high priority vulnerability of a language. Compared to OWASP Top 10 templates, these templates include emerging new vulnerabilities and revised priority based on the data we have. CONTENT

Added Intro templates for clients to have a quick and easy experience of a short Course. CONTENT

Supported Typescript in the platform (20 Challenges). CONTENT

Our first iteration of the Sensei Cookbook Index is now available. Developers can find recipes and cookbooks that help them write high quality and secure code right inside the IDE. SENSEI


Enabled 4 more languages in Missions, including: CONTENT

  • 3 API languages: C# API, Pseudocode API, and Python API.
  • GO

Supported Korean in the platform, helping Korean developers who are not used to English material to have more focus on learning instead of translating the content.CONTENT

Added more challenges to 7 languages: CONTENT

  • Pseudocode - 149 Challenges (▲65).
  • Java Spring API - 80 Challenges (▲45).
  • C#:Core - 176 Challenges (▲44).
  • Python:Flask - 65 Challenges (▲5).
  • Python:Basic - 61 Challenges (▲3).
  • Kubernetes - 35 Challenges(▲4).
  • Terraform - 35 Challenges (▲11).

December 2020

December 7, 2020


Added team-level tagging in API endpoints, making it easier for company admins to manage developers by departments/functions. PLATFORM

Added Courses start-date and end-date data in exportable data files (csv format), helping program managers to keep the progress of PCI compliance training on track. PLATFORM

Supported German content in the platform. CONTENT

The secure coding extension for the Jira Data Center edition is available. Developers can learn about related vulnerabilities right inside their tickets. INTEGRATION


Enabled the End-of-Course activity to support all active types of assessment, making it easier to manage a long-term security program. PLATFORM

Improved the structure of the "Privacy" section in "Company Preferences" settings, admins will find it easier to manage privacy settings across different play modes. PLATFORM

Docker now has in total of 54 challenges (▲17). CONTENT

Renamed racially insensitive “Whitelist/Blacklist” to “Allowlist/Denylist” across all platform content. CONTENT

Supported 2 additional languages, Pseudocode and Java:JSF in Missions - Bonus Level in Tournaments. CONTENT

November 2020

November 2, 2020


Missions can now be played in your subscription as a Bonus Level in Tournaments. PLATFORM

  • Bonus Level in Tournaments are now automatically enabled for eligible language:frameworks (unless disabled by Admin), increasing the difficulty of the tournament and thus more engaging for more experienced developers.
  • 40 Missions will be made available in 7 web languages - C# Core, C# MVC, C# Webforms, Java Enterprise Edition, Java Spring, Node.js Express, Python Django. Additional languages will be progressively added. CONTENT

Three new language frameworks:  CONTENT

  • Kotlin Spring API (35 challenges), allows back-end developers to train and explore the Kotlin language through the Spring API framework library.
  • Javascript: Basic (45 challenges), provides developers with a framework-agnostic option for Javascript content, this opens up the platform to broader appeal giving developers who do not want content that is limited to a specific framework library.
  • Salesforce APEX (46 challenges), Salesforce APEX, used on the Salesforce platform, allows customers to extend the capabilities of Salesforce for their specific needs. Your SFDC instance contains essential customer and confidential information. With this new content you can now ensure developers and contractors touching or interacting with your code base are coding securely. Invite them to your team today. Find out how you can invite your Salesforce APEX developers to the platform here.

Reinforce structured learning with just-in-time training snippets using GitHub Action workflows. Learn more about building coding skills at every stage of the SSDLC here. Get the Secure Code Warrior GitHub Action from the marketplace today!

Sensei now available on the JetBrains Marketplace for organisations and developers to try it for themselves. SENSEI

  • Added the ability to add tags onto recipes, allowing users to add custom metadata which can be used to categorize and group recipes.
  • Added our variable browser into the recipe editor in more places. The variables shown are relative to the selected target. This helps developers understand their code and craft a good recipe with less effort.


Increased the number of Python:Basic challenges 59 challenges (▲ 17), providing greater content options for developers requiring framework-agnostic training. CONTENT

Review of Common Weakness Enumeration (CWE) mapping against platform vulnerability categories (more than 30%) with the inclusion of more CWE ID’s (particularly for mobile specific vulnerabilities). This review will significantly improve in the reporting of challenge vulnerabilities. CONTENT

As an extension of platform anonymization, company admins will now have the option to hide API Key generation for ‘all roles’, providing increased personal information security when generating reporting API keys. PLATFORM

October 2020

October 6, 2020


Enabled finish-date modification for published/unpublished courses. When you go to the course management pages of those courses, you will see an edit button under Course End Date.

Introduced a new scripting/command-line language, Powershell, to the platform with 30 Challenges, securing your DevOps, DBA, and business automation teams' development.

Launched Secure Code Bootcamp on Google PlayStore. It is a free and interactive game for beginners to learn secure coding knowledge.


Extend anonymization capability to the whole platform, including Courses, settings, and search options. Companies are able to have No-PII reporting.  

Introduced more challenges for 4 languages, providing more playtime and difficulty levels for these languages in tournaments:

  • C#(.NET):Core - 176 Challenges (▲126)
  • Java:Enterprise Edition (JSP) - 475 Challenges (▲60)
  • Java:Spring - 495 Challenges (▲53)
  • Perl:Dancer 2 - 90 Challenges (▲15)

Implemented more consistent naming conventions in learning resources videos, providing a better education quality.


Fixed the occasional max-point issue in mix-language tournaments. Maximum points are guaranteed to be the same for all participants, making tournaments fair for all.

September 2020

September 7, 2020


Introducing standard Java with 68 Challenges, providing developers who code in Java (without any frameworks) with relevant security training.

10 additional languages have been enabled for Courses - Company admins and team managers can now create a course from scratch from these languages.

  • Rust - 31 Challenges,
  • Java:Servlets - 40 Challenges,
  • Java:Struts - 51 Challenges,
  • JavaScript:React Native - 64 Challenges,
  • JavaScript.Vue.js - 30 Challenges,
  • Perl:Dancer2 - 75 Challenges.
  • PHP:Symfony - 44 Challenges,
  • Angular 1 - 8 Challenges,
  • Swift:iOS SDK - 141 Challenges,
  • PL/SQL - 44 Challenges

Added new Pseudocode content with challenges focusing on mobile vulnerabilities - 66 Challenges. These new additions allow non-coding users to experience, learn and understand the concepts around mobile vulnerabilities without needing to know or specialize in a specific in a specific coding language:framework.

New video content covering Mobile Vulnerabilities: Reverse Engineering/Code Information Leakage, Improper Session Handling/Client Side Session Token Generation.

New video content covering Web Vulnerabilities: Authentication/Forceful Browsing, Information Exposure/Error Details, Memory Corruption/Race Conditions.

Two updates for Courses: Custom Activity and End of Course Activity

Anonymization has now been enabled. Company Administrators are now able to toggle on the anonymization of personal identifiers on the platform. This will allow customers to comply with regulatory requirements that require personal identifiable information or performance information of individual users to be anonymized within the company.


Improvements have been made to existing Java:Spring challenges enhancing overall content and quality of challenges for the developer.

Improved Java:Enterprise Edition JSP challenges to provide developers with more solid training.

August 2020

August 3, 2020


14 more language:frameworks are Courses ready:

  • Ansible - 50 Challenges (▲26),
  • Docker - 37 Challenges (▲1),
  • CloudFormation - 36 Challenges,
  • Terraform - 24 Challenges,
  • Kubernetes - 31 Challenges (▲7).
  • 6 API language:frameworks:
  • C# (.NET): Web API - 47 Challenges (▲3),
  • Java:Spring API - 35 Challenges,
  • Java:EE API - 35 Challenges,
  • JavaScript:Node.js API,
  • GO:API - 35 Challenges,
  • Python:API - 35 Challenges,
  • Objective-C - 76 Challenges,
  • Python:Flask - 60 Challenges (▲16),
  • C# (.NET):Basic - 40 Challenges.

Added "First Completion Date" in the Courses reporting API. Monitoring developers' study progress to meet compliance schedule is easier.

Anonymization for Tournament Leaderboard is now available, providing Company Admins more options to protect developers' privacy.


Team Managers and Company Admins will see better report accuracy when tracking developer engagement on the platform, due to improvements in the time calculations. This change will only affect time spent data after July 3rd.

Pseudocode challenges now cover all Web Vulnerability categories, providing developers and non-developers alike with a broader awareness of secure coding for web applications. 84 Challenges (▲38).

PL/SQL language is now Assessment ready with 35 Challenges (▲3).

Added more challenges in web languages: 

  • Java:Spring - 507 Challenges (▲106),
  • Java:Servlets - 40 Challenges (▲3),
  • C# (.NET):Web Forms - 382 Challenges (▲10),
  • Ruby:Rails - 234 Challenges (▲8),
  • Scala:Play - 201 Challenges (▲8),
  • PHP:Symfony - 44 Challenges (▲3).

Reworked on the quality of 96 Java:Spring challenges, providing developers with more solid training.

July 2020

July 6, 2020


Introducing two new language:frameworks to the platform:

  • Python: Web API with 35 Challenges.
  • Go: Web API with 35 Challenges.

New video content covering Web Vulnerability: Insufficient Transport Layer Protection/Unprotected Transport of Credentials

New video content covering Mobile Vulnerability: Improper Platform Usage/Tapjacking, Insecure Authentication/Client-Side Authentication For Authenticating To Server, Insecure Authentication/Misuse of Fingerprint, Insecure Authentication/Weak Lockout Mechanism, Improper Platform Usage/Incorrect Activity Configuration, Improper Platform Usage/Misuse of Intents.

Secure Code Warrior for Jira (Jira Cloud and Jira Server versions) have now been introduced to Public Labs, accessible through Atlassian Marketplace. Secure Code Warrior for Jira, provides just-in-time contextual micro-learning (on-premises and cloud variant) to developers as they work to resolve security issues.


Improved localization of content. Platform admins can now select the language localization (US or UK English) relevant to their company, improving the immersiveness of content, user experience, and engagement.

Significant improvement of existing Pseudocode challenges, enhancing overall content and quality of challenges for the developer.


Addressed and implemented a number of user interface fixes, which look to improving both overall user play experience and eliminating administrative confusion.

  • Identified and fixed an issue where the solution dropdown could not be selected by the developer.
  • Fixed an issue where changes to the title of a course were not being reflected when viewed by the developer.

Significant improvement to the length of time to export training leaderboard and related reports, team admins will now receive the exported report by email in a more timely manner.

Performance improvement and scalability of reports resulting in faster response times and report retrieval for the user.

June 2020

June 1, 2020


Introducing two new language:frameworks to the platform:

  • Javascript:Vue.js with 30 Challenges,
  • Node.js API with 35 challenges.

New video content will be made available in the following week, covering Mobile vulnerabilities: Lack Of Binary Protections/No Protection From Piracy, Unintended Data Leakage/Copy/Paste Buffer Caching (Pasteboard), Unintended Data Leakage/Logging Sensitive Information

New video content will be made available in the following week covering API Vulnerability: Access Control - Missing Object Level Access Control, Security Misconfiguration - Improper Permissions.

Courses is available to Secure Code Warrior Labs. Company Administrators will be able to opt-in to Secure Code Warrior Labs for a team or their entire company to test drive new features and offer feedback


Java Enterprise Edition (JSP) has now reached 373 Challenges (▲57).

Support for Microsoft Azure within the Ansible Basic Challenges providing content to support organizations using different cloud infrastructure.

Enhancement to the User Management API. You can now update your user’s email address programmatically via the API.

Added French spoken language support to the platform, improving navigation and overall user experience for French-speaking users by making the user interface content available in their native tongue.

May 2020

April 5, 2020


Introduced three new language:frameworks to the platform:

  • Kubernetes an Infrastructure-as-code language with 24 challenges.
  • Java:Enterprise Edition API with 35 challenges.
  • Rust with 31 challenges.

New video content covering Mobile Vulnerabilities: Client-Side Injection/JavaScript Injection, Code Tampering/Backups Enabled, Extraneous Functionality/Autofill Password, Improper Platform Usage/Webview settings, Insecure data storage/Storage on SD card external storage, Insecure Authorization/Insecure direct object reference, Insecure Authorization/Using inputs from untrusted sources, Insecure Data Storage/Plaintext Storage Of Credentials, Insecure Data Storage/Storage In SQLite Databases, Insufficient Transport Layer Protection/Improper Certificate Pinning Configuration, Reverse Engineering/Emulation Detection.


We've introduced additional challenges to our Go content, providing developers of different experience levels from junior to senior with a greater variety of challenges to best suit their different skill levels - 184 challenges (▲29).

Improved team and user management capabilities via API:

  • Better reporting - Managers are now able to retrieve detailed information on each team and its members via the API, providing managers with better insight to more efficiently manage their teams.
  • User's last login date - Team managers are now able to see an individual user's last login date, providing managers with better visibility to monitor Platform usage.

Improved the retrieval performance of the Assessment Summary report (CSV), providing better insights to help manage teams.

Reviewed platform user interface when selecting Vulnerability Category options, ensuring that all options are relevant and up-to-date for the user.


The Weekly Active Summary report email has been reviewed and is showing the activity metrics of platform users for the client, helping provide better transparency on platform usage and utilization.

April 2020

April 6, 2020


Introducing two new language: frameworks - Python:Basic, with 41 challenges and Java:Spring API with 35 challenges.


Java:Spring has reached 399 challenges (▲94).

C# (.NET):Web Forms has now reached 382 challenges (▲126).

Ruby:Rails now Mixed Tournament Ready with 233 challenges (▲14).

Improved quality of challenges for Kotlin:Android SDK.

March 2020

March 9, 2020


Introducing new language: framework Perl:Dancer2, with 31 Challenges.

Added new Web vulnerability video resources covering; Side Channel Vulnerability/Timing Attack, Access Control/Using input from untrusted sources, Business Logic/Insufficient Validation, Injection/CSS Injection, Memory Corruption/Double Free, Injection Flaws/Log Forging.


Java: Enterprise Edition (JSP) has reached 314 challenges (▲79).

Improved quality of Challenges for C# (.NET):MVC.

Revised accuracy of Chinese and Spanish translations.


Improved usability when playing Challenges to help developers choose the correct solution when fixing a vulnerability.

Fixed vulnerability category display issue when playing 'Identify' stage.

February 2020

February 10, 2020


Expanding on last month’s newly introduced Infrastructure-as-Code language: framework - we’ve added two new Infrastructure-as-Code language: framework - Ansible (▲24) and Docker (▲24).

New training videos covering Mobile languages: Broken Cryptography/Insecure Generation Of Encryption Keys, Broken Cryptography/Insecure Storage Of Encryption Keys, Broken Cryptography/Reuse Of Initialization Vector, Broken Cryptography/Use Of Hardcoded Keys, Client Code Quality/Improper Memory Management.


Enhanced tool-tips and guidance for Administrators and Team Managers when editing Assessments to help make them aware of what edits will create a new Assessment version.

More challenges for Node.js (Express) now at 279 challenges (▲5).

C# (.NET): Webforms and Java: Enterprise Edition (JSF) are now mixed-tournament ready with 274 and 146 challenges respectively.

January 2020

January 13, 2020


First Infrastructure-as-Code (IaC) language:frameworks now available covering Terraform (▲24) and AWS CloudFormation (▲32).

Introduce 39 new challenges covering Server-Side Request Forgery (SSRF) vulnerability sub-category for JavaScript, C#, and Python programming languages.


Foster genuine learning by limiting the number of Assessment attempts within a specified timeframe.

Multiple API Keys – Company Admins now have the ability to generate more than one Report or Admin API Key's for their Company.

Updated user object in API so that a Developers preferred programming language can be specified.

PL/SQL one of our most played language:framework is now top-10 ready with 25 challenges available (▲17).

Additional Challenges for C#(.NET): MVC (▲101), C#(.NET):WebForms (▲22), Java:Spring (▲32), JavaScript:NodeJS (▲8), Python:Django (▲5), Java Enterprise:JSF (▲4), and Java:Servlets (▲5).

Updated mobile vulnerability video resources covering; Reverse Engineering, Insufficient Transport Layer Protection, Extraneous Functionality, Broken Cryptography and Code Tampering.

December 2019

December 1, 2019


Brand-new help menu to instantly access 24x7 knowledgebase, request support and keep up-to-date with the latest news and advice from Secure Code Warrior.

All new languages C#(NET):API and Java:Servlets (Jackson) are Top 10 Ready. C#(NET):API is our first API only language and Jackson is a popular and efficient java based library to serialize or map java objects to JSON and vice versa.

New and improved Direct Linking Content Mappings against CWE, OWASP and VRT (Vulnerability Rating Taxonomy), plus improved statistics to track leads being generated by our Partner Integrations.

5x new videos cover web vulnerabilities and 2x specifically for API vulnerabilities covering: Improper Assets Management and Mass Assignment.

Added preferred development language:framework(s) to account profiles for a more tailored gamified learning experience.


API now supports team management level role Reporting and Admin keys for better data segregation across an organisation.

More than 300 challenges for C#:MVC (▲70) – that's over 15hrs of playing time!

Mixed Tournament Ready for GO (▲23), and Scala:Play (▲21).

Additional Challenges for Swift:iOS SDK (▲17), C (▲10), C++ (▲5), Java:Spring (▲5), Javascript:Node.JS (▲5) and Java EE:JSP (▲2).


Certified ISO27001 for information security management.

November 2019

November 4, 2019


API Version 2: Streamline user management, and save time by programmatically managing users and building management reports with new reporting metrics and better filtering. Ability to programmatically assign users to assessments now also available.

6x New video learning resources for web vulnerabilities covering: Authentication/Improper Authentication, Authentication/Insecure Password Change Function, Authentication/Insecure Password Reset Function, Authentication/Insufficient Anti-Automation, Security Misconfiguration/Disabled Security Features, Lack of Resources and Rate Limiting.

New Challenges for Swift (▲33), Python:Django(▲29), C (▲28), GO (▲8),  JavaSript:Node.js (▲8), Java EE - JSP (▲6), C# Web Forms (▲4), C# MVC  (▲4) and Java:Spring (▲2).


Updated brand and messaging for email templates.


Fixed issue preventing the generation of PDF Certificates for Assessments.

October 2019

October 14, 2019


6x New video learning resources for web vulnerabilities covering: Insufficient Logging, Information Exposure - Sensitive Data Exposure, Cross-Site-Scripting - DOM-Based XSS, Authentication, Server-Side Request Forgery and Insecure Cryptography - Exposed Keys.

New Challenges for Ruby:Rails (▲62), C# Web forms (▲15), Java:Spring (▲6), Java EE: JSP (▲7), and C (▲4).


Replaced 12 vulnerability categories across Mobile (8) and Web(4) video learning resources with 25 finer-grained vulnerability sub-category resources for a more focused learning experience.

Prevent Players from enrolling in superseded Assessments.

Added new email deliverability status for Company Administrators and Team Managers to see if an email has bounced.


Fixed issues when creating Tournaments with C# (.NET) Core.


Migration to the Future Ready Platform that will deliver a more scalable, higher quality product at velocity.

September 2019

September 9, 2019


New C#.NET CORE language:framework is Top-10 Ready with 40 Challenges.

New challenges for Platinum languages; C#:MVC (▲19), C#:WebForms (▲8), Java: Spring (▲21), Java: Enterprise Edition - JSP(▲27), JavaScript: Node.JS (▲21)


Improved Partner Integration for MicroFocus with with increased mappings of vulnerabilities and training content.

Various back-end performance improvements to deliver a faster first-time login and better player experience.


Resolved issue of missing Tournament Missions (Quests) when geo-blocked countries had been enabled.

August 2019

August 5, 2019


New challenges elevate Java:AndroidSDK to Gold Status + Mobile Mixed-Tournament Ready (▲51) and Python:Django now has over 170 challenges (▲36).


Change main navigation menu order to better align user experience with AppSec program rollouts.


Fixed over 40 bugs for more accurate challenges across available language/frameworks.


Enhanced monitoring to deliver a better end-user experience by accurately viewing end-user page load times and reporting of application errors.

Addition capacity and performance for the Secure Code Warrior infrastructure to speed up our overall service.

July 2019

July 1, 2019


Grammatical improvements for our platinum languages including; Python Django, NodeJS, C# MVC and Pseudocode.

New Challenges now available for many of our supported languages and frameworks including C with more than 100 challenges and GO with over 130+.


Aligned training points calculation between UI display and report, CSV export and REST API.  No underlying data was changed or altered.

June 2019

June 3, 2019


New "Last Nudged"  timestamp has been added to better manage team communications and improve engagement.


Mobile Languages are now available to be played in Mixed Tournaments.


Grammatical errors have been fixed in Java Springs.

Removed videos from categories were irrelevant to prevent points penalty when using hints.

Fixed missing API timestamps for invitations and registration reports..

May 2019

May 1, 2019


Privacy Policy link added for greater transparency and convenience.


Grammatical errors have been fixed for Java EE (JSP) and C++

April 2019

April 1, 2019


Training ground improvements for Scala Play and Python Django.


Fixed sound issues in Web App Security 101.


Load Monitoring enabled to deliver a more secure and scalable platform.

Logging API operations enabled to increase platform security.

Become a secure code warrior.

Contact us today and make software security an intrinsic part of your development process.

Start Your Free Trial
Sensei Free 21 Day Trial
Book a Demo