Training · VA / CA · Vulnerability + Compliance Assessment

Find it. Validate it. Prioritise it. Document it for the auditor.

A twelve-week practitioner programme covering vulnerability assessment from scanner output to a validated, risk-prioritised register — and compliance assessment from framework to evidence pack. Real tenants. Real scanners. Real regulator paperwork.

The misunderstood discipline

A scanner finds findings. A practitioner finds vulnerabilities. An auditor finds compliance gaps. Three different jobs.

VA and CA are the two disciplines that touch every security programme — and the two most consistently misunderstood. A scanner dumps ten thousand findings; a practitioner validates the two hundred real ones; an auditor wants to see them mapped to a control framework and tracked to closure. The programme trains both halves of the practitioner role.

01 · "VA is just running a scanner"

Scanners produce findings. Practitioners produce a defensible, validated, deduplicated, false-positive-cleared, business-context-aware risk register. The gap is the discipline.

02 · Compliance as theatre

Audit-by-checkbox produces audit-shaped binders that no-one reads. Real compliance work attaches evidence to controls, maintains it between cycles, and survives a regulator on-site.

03 · Two languages, one practitioner

Technical teams cannot speak regulator. Compliance teams cannot validate controls. The practitioner who can do both gets hired, paid, and listened to.

Two parallel tracks. One practitioner.

VA from scanner to register. CA from framework to evidence pack.

The programme runs both tracks in parallel. Two intersection points — Validation (week 5) and Reporting (week 11) — are where the two tracks cross and the same evidence has to satisfy a risk owner and a regulator at the same time.

Two parallel tracks: vulnerability-assessment pipeline on the top row, compliance-assessment pipeline on the bottom row, crossing at Validation and Reporting.

[Diagram] VA · Technical track: Scan (auth'd + unauth'd) → Validate (POC · false-positive cull) → Prioritise (CVSS + business context) → Track (register · SLA · retest). CA · Compliance track: Framework (ISO · PCI · NIST · RBI) → Scope (control set · boundary) → Evidence (collect · attest · attach) → Audit-ready (report · gap · roadmap). Week 5 · validation crossover. Week 11 · reporting. 12-week programme · both tracks · weekly deliverable per track. Capstone · a single tenant, both tracks, one integrated report.

What you do on the programme

Twelve weeks. Two tracks. One practitioner who can do both jobs.

Run a proper scan

Authenticated vs unauthenticated. Active vs passive. Internal vs external. Build the scan plan that matches the engagement letter — not the one the tool defaults to.

Validate every finding

Manual proof-of-concept against each high or critical. False-positive cull. Duplicate consolidation. Business-context overlay. The unglamorous work that turns ten thousand rows into two hundred real ones.

Prioritise with CVSS + context

CVSS base. Temporal modifiers. Environmental score. Risk-owner overlay. The scanner suggests a severity; the practitioner defends one.

Map findings to frameworks

Same vulnerability, four framework views: ISO 27001 Annex A, PCI-DSS requirement, NIST CSF function, sector-regulator clause. Every finding mapped, every clause evidence-backed.

Collect and attest evidence

Screenshot, log excerpt, configuration export, policy reference, attestation interview. Indexed, timestamped, attached to the control it satisfies.

Write the audit-ready report

Executive summary. Scope statement. Methodology. Findings narrative. Control gap analysis. Risk-prioritised roadmap. Retest scope. The format an auditor or regulator will accept on first read.

Sample week · Regulator-led assessment · week 7 of 12

The week the auditor sits across the table from you.

A representative week running a regulator-grade assessment on a single tenant in the Cyberange lab. Both tracks work the same environment in parallel; the deliverable on Friday is one integrated report that satisfies both the risk owner and the regulator.

  1. Monday

    Scope + frameworks lock

    Read the tenant's engagement letter. Identify which of ISO 27001, PCI-DSS, NIST CSF, and the sector regulator's framework apply. Document the control set per framework. Bound the assessment scope with the risk owner.

  2. Tuesday

    Scan and collect

    Run authenticated scans against the in-scope estate. In parallel, collect framework evidence — policy excerpts, configuration exports, attestation interviews. Two tracks, one tenant, same day.

  3. Wednesday

    Validate, deduplicate, contextualise

    Cull the scan output. Manual POCs against criticals. Cross-reference with collected evidence — does a misconfiguration finding contradict the policy attestation collected on Tuesday? It usually does.

  4. Thursday

    Map to clauses

    Every validated finding mapped to: an ISO Annex A control, a PCI requirement, a NIST CSF subcategory, a regulator-clause reference. Same finding, four lenses. The cohort cross-checks each other's mappings.

  5. Friday morning

    Write the integrated report

    Executive summary, risk-prioritised technical findings, framework-mapped gap analysis, prioritised roadmap, retest scope. The same report a risk owner and a regulator will both accept.

  6. Friday afternoon

    Mock regulator review

    An instructor — usually with prior regulator-side experience — runs a mock on-site review. Your evidence, your scoping, and your control mappings get challenged. The cohort watches and grades.
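Wednesday and Thursday as code. The following is an added example in Python, not programme material: it takes constructed scanner rows, collapses duplicates across scan runs, drops the row the POC pass marked as a false positive, records the confirmed TLS finding that contradicts a Tuesday attestation, and attaches four framework references per finding plus a per-framework gap index for the Thursday cross-check. Hosts, plugins, verdicts and evidence IDs are constructed; the ISO 27001 Annex A, PCI DSS v4.0 and NIST CSF 2.0 control references are illustrative and the regulator column is a placeholder, all of which must be verified against the framework text before they go into a real register.

```python
"""Wednesday-to-Thursday pipeline over constructed scanner output:
deduplicate across scan runs, apply manual validation verdicts,
cross-check survivors against Tuesday's attestations, and map each
finding to four framework views plus a per-framework gap index.
Added example, not the programme's material. Hosts, plugins, verdicts
and evidence IDs are constructed; the control references in
FRAMEWORK_MAP are illustrative and must be verified against the
current framework text before they go into a real register."""
from collections import defaultdict

# Constructed scanner export: one plugin seen on web-01 in two runs,
# the same plugin on web-02 (later culled as a false positive), and a
# credential finding on the database host.
RAW_ROWS = [
    {"host": "web-01", "port": 443, "plugin": "tls-1.0-enabled",
     "severity": "High", "scan": "run-1"},
    {"host": "web-01", "port": 443, "plugin": "tls-1.0-enabled",
     "severity": "High", "scan": "run-2"},
    {"host": "web-02", "port": 443, "plugin": "tls-1.0-enabled",
     "severity": "High", "scan": "run-2"},
    {"host": "db-01", "port": 5432, "plugin": "postgres-default-creds",
     "severity": "Critical", "scan": "run-1"},
]

# Manual proof-of-concept verdicts keyed by (host, port, plugin).
VERDICTS = {
    ("web-01", 443, "tls-1.0-enabled"): "confirmed",
    ("web-02", 443, "tls-1.0-enabled"): "false-positive",
    ("db-01", 5432, "postgres-default-creds"): "confirmed",
}

# Attestations collected on Tuesday, keyed by the plugin whose confirmed
# finding would contradict them (constructed evidence IDs).
ATTESTATIONS = {
    "tls-1.0-enabled": {"evidence_id": "EV-014", "hosts": ["web-01", "web-02"],
                        "claim": "TLS 1.0 and 1.1 disabled on all external services"},
}

# Illustrative four-lens mapping. The regulator clause is a placeholder to
# be filled from the applicable regulator's own clause list.
FRAMEWORK_MAP = {
    "tls-1.0-enabled": {"iso": "A.8.24", "pci": "4.2.1",
                        "nist_csf": "PR.DS-02", "regulator": "<REGULATOR-CLAUSE>"},
    "postgres-default-creds": {"iso": "A.5.17", "pci": "2.2.2",
                               "nist_csf": "PR.AA-01", "regulator": "<REGULATOR-CLAUSE>"},
}

def deduplicate(rows):
    """Collapse repeated (host, port, plugin) rows across scan runs into
    one finding that remembers every run that observed it."""
    merged = {}
    for r in rows:
        key = (r["host"], r["port"], r["plugin"])
        entry = merged.setdefault(key, {k: v for k, v in r.items() if k != "scan"})
        entry.setdefault("scans", []).append(r["scan"])
    return list(merged.values())

def validate(findings, verdicts):
    """Keep only findings a manual POC confirmed. A finding with no
    verdict at all is an error: nothing unvalidated reaches the register."""
    kept = []
    for f in findings:
        key = (f["host"], f["port"], f["plugin"])
        if key not in verdicts:
            raise ValueError(f"unvalidated finding: {key}")
        if verdicts[key] == "confirmed":
            kept.append({**f, "validation": "confirmed"})
    return kept

def cross_check(findings, attestations):
    """Record when a confirmed finding contradicts a collected attestation;
    the contradiction is itself an evidence-quality observation."""
    for f in findings:
        att = attestations.get(f["plugin"])
        f["contradicts"] = att["evidence_id"] if att and f["host"] in att["hosts"] else None
    return findings

def map_to_frameworks(findings, framework_map):
    """Attach the four framework views; an unmapped finding class is an
    error rather than a silently blank column."""
    out = []
    for f in findings:
        if f["plugin"] not in framework_map:
            raise KeyError(f"no framework mapping for {f['plugin']}")
        out.append({**f, "controls": framework_map[f["plugin"]]})
    return out

def build_register(rows=RAW_ROWS, verdicts=VERDICTS,
                   attestations=ATTESTATIONS, framework_map=FRAMEWORK_MAP):
    findings = map_to_frameworks(
        cross_check(validate(deduplicate(rows), verdicts), attestations), framework_map)
    # IDs are assigned only after the cull, so a false positive never
    # occupies a register number.
    findings.sort(key=lambda f: (f["host"], f["port"], f["plugin"]))
    for n, f in enumerate(findings, 1):
        f["id"] = f"VA-{n:04d}"
    return findings

def gap_index(register, framework):
    """Invert the register for one framework: control -> finding IDs.
    This is the gap-analysis table an auditor reads."""
    idx = defaultdict(list)
    for f in register:
        idx[f["controls"][framework]].append(f["id"])
    return dict(idx)
```

Two design points carry the week's discipline. An unvalidated finding raises rather than passing through, so the register can only ever contain rows a person signed off; and the contradiction field is populated, not dropped, because "the attestation says TLS 1.0 is off and the confirmed finding says it is on" is exactly the observation the Friday mock review will ask about.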

Tooling coverage

The scanner stack, the GRC discipline, the framework libraries.

Vulnerability scanners

Nessus, OpenVAS / Greenbone, nuclei, trivy, grype. Authenticated profile engineering. Custom NASL / template authoring.

Web + API scanners

OWASP ZAP, Burp Pro (Scanner), nuclei web templates. False-positive thresholds. Auth-flow recording.

Container + cloud posture

kube-bench, kube-hunter, Prowler, ScoutSuite, CloudSploit. CIS-benchmark-aligned configuration auditing.

Identity + AD assessment

PingCastle, BloodHound (read-only), Purple Knight, ADRecon. Posture, not exploitation.

GRC + evidence platforms

Open-source compliance trackers, evidence-vault patterns, audit-log archives. Workflow rather than vendor lock-in.

Framework libraries

ISO 27001 Annex A. PCI-DSS 4.0. NIST CSF 2.0. NIST SP 800-53. SOC 2 Trust Services Criteria. CIS Benchmarks.

Regulator-specific

RBI Cybersecurity Framework. SEBI CSCRF. IRDAI cyber-security guidelines. CERT-In Directions. NCIIPC CII guidance. DPDP Act 2023.

Reporting discipline

A template library covering exec summary, scope, methodology, findings, control gaps, roadmap, retest scope, evidence index.

What you walk away with

The practitioner who can run the assessment and sit the audit.

Validated risk-register portfolio

Three full tenant assessments. Real validation work. Real risk-owner sign-offs in your portfolio.

Audit-ready report library

Three integrated VA + CA reports. Framework-mapped. Evidence-indexed. The shape an auditor will actually accept.

Cross-framework fluency

You can speak ISO, PCI, NIST CSF, and the major Indian-regulator frameworks in the same sitting. Most candidates can speak one.

Hiring pipeline access

BFSI risk + compliance teams, MSSP assessment desks, internal-audit cyber units, regulator-side assessment cells.

Frameworks drilled

  • ISO/IEC 27001 · 27002
  • PCI-DSS 4.0
  • NIST CSF 2.0 · SP 800-53
  • SOC 2 Trust Services
  • RBI CSF · SEBI CSCRF · IRDAI
  • CERT-In · NCIIPC · DPDP 2023

Practice

"A vulnerability that hasn't been validated is a finding. A finding that hasn't been prioritised is noise. Noise that hasn't been documented to a control isn't security work — it's just paperwork waiting to be lost."

VA / CA Training · operating principle

The case for validation-first, framework-mapped assessment work.

Twelve weeks. Two tracks. One integrated capstone.

Weekend and weekday cohorts. Corporate cohorts on request. Particularly well suited to BFSI risk-and-compliance teams, internal-audit cyber units, and MSSP assessment desks.