Training Programs
Security awareness training, phishing simulation campaigns, and tabletop exercises. Covers the complete security training lifecycle from course enrollment through compliance reporting, with realistic phishing simulations and scenario-based incident exercises.
Complete
Phase 4
8 Demo Courses
5 Phishing Campaigns
4 Tabletop Exercises
5 Scenario Templates
Overview
The Training Programs module delivers a complete security training platform that combines three pillars: structured course-based learning, realistic phishing simulations with per-user tracking, and scenario-driven tabletop exercises with after-action reporting. It is designed for managed security providers to deliver training services to their clients with full multi-tenant isolation and compliance reporting.
Why This Module Is Needed
- Regulatory frameworks (SOC 2, NIST 800-53, ISO 27001) require documented security awareness training for all personnel.
- Phishing remains the primary initial access vector. Simulated phishing campaigns measurably reduce real-world click rates over time.
- Tabletop exercises validate incident response plans, identify communication gaps, and build organisational muscle memory.
- SOCaaS providers need to offer training as a managed service with per-tenant compliance dashboards.
- Centralised training metrics enable data-driven decisions about where to invest in security awareness.
What Was Proposed
- Course catalog with 6 categories (security awareness, phishing defense, SOC analyst, incident response, threat hunting, compliance), 3 difficulty levels, mandatory course flagging, and module-level content with quizzes.
- Enrollment management with progress tracking, scoring, completion/overdue status, and due dates.
- Phishing simulation engine with campaign lifecycle (draft → scheduled → active → completed), per-recipient result tracking (sent, opened, clicked, credentials entered, reported), and department-level breakdown.
- Tabletop exercise platform with scenario templates (ransomware, data breach, insider threat, DDoS, supply chain), timed injects, participant scoring, and after-action reports.
- Dashboard with training KPIs, phishing click rates, tabletop scores, and compliance metrics.
- Compliance reporting with per-category and per-department breakdowns and mandatory completion rate tracking.
What's Built
- 8 demo courses across 6 categories: Security Awareness Fundamentals, Phishing Defense, SOC Analyst Bootcamp, Incident Response Procedures, Threat Hunting Fundamentals, Compliance Essentials, Advanced Malware Analysis, Cloud Security Architecture
- Multi-module course structure with order, duration, quiz support, and quiz question JSON storage
- Enrollment system with 4 statuses (enrolled, in_progress, completed, overdue), progress percentage, score tracking, and due date enforcement
- Enroll user API endpoint with course existence validation
- Enrollment progress update API (PATCH) for progress_percent, completed_modules, score, and status
- 5 phishing simulation campaigns with full lifecycle: Q1/Q2/Q3/Q4 campaigns plus Executive Spear Phishing exercise
- Per-recipient phishing results tracking: email_sent, email_opened, link_clicked, credentials_entered, reported_as_phishing with timestamps
- Department-level phishing breakdown with per-department click rates, report rates, and credential submission counts
- Campaign launch API that transitions status from draft/scheduled to active
- 4 tabletop exercises: Ransomware Outbreak, Cloud Data Breach, Insider Threat, DDoS Attack -- with timed injects and participant scoring
- 5 scenario templates: Ransomware Attack, Data Breach Response, Insider Threat, DDoS Mitigation, Supply Chain Compromise
- After-action report structure with findings, recommendations, gaps, and strengths
- Training summary dashboard endpoint with course metrics, phishing averages, tabletop scores, compliance rate, recent completions, and top courses
- Compliance report endpoint with per-category and per-department breakdowns plus mandatory completion rate
- DB-first architecture with seamless demo-data fallback across all sub-modules
- Comprehensive frontend with dashboard, courses list, course detail, phishing campaigns, phishing detail, tabletop exercises, tabletop detail, and compliance report pages
Architecture
Next.js Frontend
→
FastAPI Router
→
TrainingService
→
PostgreSQL / Demo Data
Three Pillars
Courses & Enrollment
- TrainingCourse (catalog)
- TrainingModule (lessons + quizzes)
- TrainingEnrollment (progress)
- 6 categories, 3 difficulty levels
- Mandatory course flagging
Phishing Simulations
- PhishingCampaign (lifecycle)
- PhishingResult (per-recipient)
- 5 tracked actions per user
- Department-level breakdown
- Click rate + report rate metrics
Tabletop Exercises
- TabletopExercise (scenarios)
- TabletopParticipant (scoring)
- Timed injects (JSON)
- After-action reports (JSON)
- 5 scenario templates
Data Flow
- Frontend calls
/api/v1/training/*endpoints via the sharedapiclient. - The router validates inputs with Pydantic schemas and delegates to the unified
TrainingService. - The service handles all three sub-modules (courses, phishing, tabletop) with DB-first, demo-data fallback pattern.
- Phishing campaigns aggregate results at the campaign level (click_rate, report_rate) and at the department level.
- Tabletop exercises store injects as JSON arrays and after-action reports as JSON objects for maximum flexibility.
Source Files
| Layer | Path |
|---|---|
| Router | platform/api/app/routers/training.py |
| Service | platform/api/app/services/training.py |
| Models (7) | platform/api/app/models/training.py |
| Schemas | platform/api/app/schemas/training.py |
| Frontend Dashboard | platform/frontend/src/app/training/page.tsx |
| Frontend Courses | platform/frontend/src/app/training/courses/page.tsx |
| Frontend Course Detail | platform/frontend/src/app/training/courses/[id]/page.tsx |
| Frontend Phishing | platform/frontend/src/app/training/phishing/page.tsx |
| Frontend Phishing Detail | platform/frontend/src/app/training/phishing/[id]/page.tsx |
| Frontend Tabletop | platform/frontend/src/app/training/tabletop/page.tsx |
| Frontend Tabletop Detail | platform/frontend/src/app/training/tabletop/[id]/page.tsx |
| Frontend Compliance | platform/frontend/src/app/training/compliance/page.tsx |
Routing
Frontend Routes
| Route | Description |
|---|---|
/training | Dashboard -- KPIs, course completion chart, phishing click trends, tabletop scores, recent activity |
/training/courses | Course catalog with category/difficulty filters, enrollment counts, mandatory badges |
/training/courses/[id] | Course detail -- module list, quiz info, enrollment stats, Enroll button |
/training/phishing | Phishing campaigns list with status, target count, click rates, create campaign |
/training/phishing/[id] | Campaign detail -- per-recipient results table, department breakdown, Launch button |
/training/tabletop | Tabletop exercise list with scenario type, status, participant count, overall score |
/training/tabletop/[id] | Exercise detail -- inject timeline, participant scores, after-action report |
/training/compliance | Compliance report -- overall rate, per-category breakdown, per-department breakdown, overdue count |
API Endpoints
All endpoints are under /api/v1/training with the training tag.
# Courses
GET /api/v1/training/courses # List courses (filter: category, difficulty, is_mandatory)
POST /api/v1/training/courses # Create course
GET /api/v1/training/courses/{course_id} # Get course detail with modules
# Enrollments
GET /api/v1/training/enrollments # List enrollments (filter: user_id, course_id, status)
POST /api/v1/training/courses/{course_id}/enroll # Enroll user in course
PATCH /api/v1/training/enrollments/{enrollment_id} # Update progress, score, status
# Phishing Campaigns
GET /api/v1/training/phishing/campaigns # List campaigns (filter: status)
POST /api/v1/training/phishing/campaigns # Create campaign
GET /api/v1/training/phishing/campaigns/{campaign_id} # Get detail (results + department breakdown)
POST /api/v1/training/phishing/campaigns/{campaign_id}/launch # Launch campaign
# Tabletop Exercises
GET /api/v1/training/tabletop/exercises # List exercises (filter: status)
POST /api/v1/training/tabletop/exercises # Create exercise
GET /api/v1/training/tabletop/exercises/{exercise_id} # Get detail (injects, participants, after-action)
GET /api/v1/training/tabletop/templates # List 5 scenario templates
# Dashboard & Compliance
GET /api/v1/training/summary # Training metrics (courses, phishing, tabletop, compliance)
GET /api/v1/training/compliance-report # Per-category + per-department compliance breakdownPrerequisites
- FastAPI backend with async SQLAlchemy and PostgreSQL (or demo mode).
- Next.js 14+ frontend with the shared
apiclient. - Tenant middleware -- all endpoints read
request.state.tenant_id. - Database migrations for 7 tables:
training_courses,training_modules,training_enrollments,phishing_campaigns,phishing_results,tabletop_exercises,tabletop_participants.
Data Model
TrainingCourse
| Column | Type | Notes |
|---|---|---|
id | String(36) PK | UUID |
tenant_id | String(36) | Indexed |
title | String(255) | Course title |
description | Text | Course description |
category | String(50) | security_awareness / incident_response / soc_analyst / compliance / phishing_defense / threat_hunting |
difficulty | String(20) | beginner / intermediate / advanced |
duration_minutes | Integer | Total course duration |
passing_score | Integer | Minimum score to pass (default 80) |
is_mandatory | Boolean | Whether course is required for compliance |
is_published | Boolean | Whether course is visible to users |
created_by | String(255) | Author |
TrainingModule
| Column | Type | Notes |
|---|---|---|
id | String(36) PK | UUID |
course_id | String(36) FK | References training_courses.id |
title | String(255) | Module title |
content | Text | Lesson content |
order | Integer | Display order within course |
duration_minutes | Integer | Module duration (default 15) |
has_quiz | Boolean | Whether module has a quiz |
quiz_questions | JSON | Quiz question data (nullable) |
TrainingEnrollment
| Column | Type | Notes |
|---|---|---|
id | String(36) PK | UUID |
course_id | String(36) FK | References training_courses.id |
user_id | String(36) | Indexed, enrolled user |
tenant_id | String(36) | Indexed |
status | String(20) | enrolled / in_progress / completed / overdue |
progress_percent | Float | 0.0 to 100.0 |
completed_modules | JSON | Array of completed module IDs |
score | Float | Final score (nullable until completed) |
enrolled_at | DateTime | Enrollment date |
completed_at | DateTime | Nullable, set on completion |
due_date | DateTime | Deadline for mandatory courses |
PhishingCampaign
| Column | Type | Notes |
|---|---|---|
id | String(36) PK | UUID |
tenant_id | String(36) | Indexed |
name | String(255) | Campaign name |
description | Text | Campaign description |
template_subject | String(500) | Phishing email subject line |
template_body | Text | Phishing email body |
status | String(20) | draft / scheduled / active / completed |
target_departments | JSON | Array of target department names |
target_count | Integer | Number of target recipients |
launched_at | DateTime | Nullable, set on launch |
completed_at | DateTime | Nullable, set on completion |
created_by | String(255) | Creator |
PhishingResult
| Column | Type | Notes |
|---|---|---|
id | String(36) PK | UUID |
campaign_id | String(36) FK | References phishing_campaigns.id |
user_email | String(255) | Target email |
department | String(100) | User department |
email_sent | Boolean | Was email delivered |
email_opened | Boolean | Was email opened (tracking pixel) |
link_clicked | Boolean | Did user click the phishing link |
credentials_entered | Boolean | Did user submit credentials |
reported_as_phishing | Boolean | Did user report the email |
sent_at / opened_at / clicked_at / reported_at | DateTime | Timestamps for each action |
TabletopExercise
| Column | Type | Notes |
|---|---|---|
id | String(36) PK | UUID |
tenant_id | String(36) | Indexed |
title | String(255) | Exercise title |
scenario | String(50) | ransomware / data_breach / insider_threat / ddos / supply_chain |
description | Text | Scenario description |
injects | JSON | Array of timed inject objects |
status | String(20) | scheduled / in_progress / completed |
scheduled_at | DateTime | When exercise is planned |
completed_at | DateTime | When exercise was completed |
overall_score | Float | Aggregate participant score |
after_action_report | JSON | Findings, recommendations, gaps, strengths |
TabletopParticipant
| Column | Type | Notes |
|---|---|---|
id | String(36) PK | UUID |
exercise_id | String(36) FK | References tabletop_exercises.id |
name | String(255) | Participant name |
role | String(100) | Role in exercise (e.g. Incident Commander) |
department | String(100) | Department |
score | Float | Individual performance score |
notes | Text | Evaluator notes |
Relationships
TrainingCourse→ has manyTrainingModule(ordered byorder)TrainingCourse→ has manyTrainingEnrollmentPhishingCampaign→ has manyPhishingResultTabletopExercise→ has manyTabletopParticipant
UI Description
Dashboard (/training)
Training Command Center
Summary KPI cards (Total Courses, Active Enrollments, Completion Rate, Average Score, Phishing Campaigns, Tabletop Exercises). Course completion trend chart. Phishing click-rate trend. Recent course completions list. Top-performing courses by enrollment. Quick-access links to Courses, Phishing, Tabletop, and Compliance sub-modules.
Courses (/training/courses)
Course Catalog
Filterable grid of course cards with category tags, difficulty badges (beginner=green, intermediate=amber, advanced=red), duration, enrollment count, completion rate, and mandatory flag. Create Course button opens a form with title, category, difficulty, duration, and passing score fields.
Course Detail (/training/courses/[id])
Course Detail View
Course header with category badge, difficulty level, and duration. Module list showing order, title, duration, and quiz indicator. Enrollment statistics. Enroll button for current user. Progress tracking for enrolled users.
Phishing (/training/phishing)
Phishing Campaigns
Campaign list with status badges (draft=grey, scheduled=blue, active=orange, completed=green), target count, click rate, and report rate metrics. Create Campaign button. Status filter tabs.
Phishing Detail (/training/phishing/[id])
Campaign Detail
Campaign header with template preview. Funnel metrics (sent → opened → clicked → credentials → reported). Per-recipient results table with action checkmarks. Department-level breakdown with click rates. Launch button for draft/scheduled campaigns.
Tabletop (/training/tabletop)
Tabletop Exercises
Exercise list with scenario type icons (ransomware, data breach, insider threat, DDoS, supply chain), status, participant count, inject count, and overall score. Create Exercise button with scenario template selection.
Tabletop Detail (/training/tabletop/[id])
Exercise Detail
Scenario description. Inject timeline showing timed scenario escalations. Participant table with name, role, department, individual score, and evaluator notes. After-action report with findings, recommendations, identified gaps, and organisational strengths.
Compliance (/training/compliance)
Compliance Report
Overall compliance rate gauge. Mandatory course completion rate. Per-category breakdown with completion percentages. Per-department breakdown showing enrolled, completed, and overdue counts. Overdue alert count. Export-ready formatting for audit submissions.