Learn DevSecOps the way the DoD and NIST define it — unifying development, security, and operations across the whole software lifecycle. From the shift-left culture and software factories to CI/CD, containers, service mesh, container-level zero trust, and continuous authority to operate (cATO) — and remember it with spaced repetition.
DevSecOps is an organizational culture and engineering practice that unifies development, security, and operations — automating, monitoring, and applying security at every phase of the software lifecycle instead of bolting it on at the end. This track follows the authoritative source material: the DoD Enterprise DevSecOps Reference Design and NIST SP 800-204C.
It builds from the ground up. The culture and lifecycle — shift-left, the nine-phase closed loop, the four pillars and five guiding principles; the software factory and its CI/CD pipelines, GitOps, and everything as code; the runtime platform — containers and Kubernetes, service mesh and sidecars, and zero trust down to the container level; and hardening and testing with SAST, DAST, IAST, and SCA.
It keeps the DoD framing intact — cATO (continuous authority to operate), Iron Bank hardened containers, Platform One, DCAR, and the RMF — so it doubles as preparation for anyone working in a government or compliance-driven DevSecOps environment. Spaced repetition turns a stack of reference PDFs into recall you can actually use.
Each module is a set of practice cards — 161 in total. Answer, review, and watch your knowledge grow from seed to full bloom.
What DevSecOps is — its definition, shift-left culture, CI/CD primitives, and core goals (14 cards)
DevOps vs DevSecOps, the nine-phase lifecycle, and the benefits and delivery metrics (18 cards)
The four pillars, five guiding principles, Agile values, and the cultural biases to overcome (15 cards)
Software factories, the software supply chain, and push vs pull GitOps pipeline security (17 cards)
The CI/CD pipeline and orchestrator, and the continuous build/integration/delivery/deployment stages (17 cards)
Infrastructure, security, policy, and observability as code — declarative code and its role (12 cards)
Containers vs VMs, immutable infrastructure, and Kubernetes pods, nodes, scaling, and limits (15 cards)
Service mesh data and control planes, sidecar proxies, Istio, and container-level zero trust (18 cards)
SAST, DAST, IAST and SCA testing, plus DoD container hardening, DCAR, and Iron Bank (20 cards)
Next-generation governance, the RMF and ATO, and continuous authority to operate (cATO) (15 cards)
A taste of the real cards. Pick an answer, then reveal the explanation.
What is DevSecOps?
What is a CI/CD pipeline?
What is a service mesh?
What is Continuous Authorization to Operate (cATO)?
Each card is one practical concept with multiple options. Pick what you think is right.
See the correct option plus a clear explanation, and a link to deeper docs when one is available.
A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.
Learn to build, test, and monitor security at every phase — not as a final gate, but baked into the pipeline from the start.
Every card traces back to the DoD Reference Design or NIST SP 800-204C, with links to the official material.
Covers the whole picture: culture and governance, the software factory, containers and service mesh, and continuous ATO.
cATO, RMF, Iron Bank and the DoD ecosystem make it directly useful for government and regulated DevSecOps work.
DevOps and platform engineers, security engineers, and compliance teams moving to a DevSecOps model — especially in DoD, government, or other regulated environments. It assumes general CI/CD and container familiarity but builds each topic from fundamentals.
The DoD Enterprise DevSecOps Reference Design and Strategy Guide, plus NIST SP 800-204C (and SP 800-207 for zero trust). Cards link to the official DoD and NIST material.
The core practices — shift-left, CI/CD, containers, service mesh, zero trust, and testing — are general DevSecOps. It also keeps DoD-specific concepts (cATO, Iron Bank, DCAR, RMF) intact, so it suits both general learners and those in government or compliance settings.
Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.
Plant your first seed today. Ten minutes a day builds DevSecOps knowledge that sticks — from culture all the way to cATO.