Cyber Security Projects (Real Vulnerabilities, Real Portfolio)

The best security projects are real vulnerabilities you find and fix, not write-ups you read. These are real vulnerable systems you harden in a live cloud workspace - close a SQL injection, fix broken auth, scrub a secret from git - each one a portfolio piece.

Why fixing beats reading

Reading about a vulnerability is not the same as closing one under real constraints. Doing it builds the judgment security roles hire for, and gives you proof you did it.

18 projects to start with

Secure a Webhook Endpoint (HMAC + Replay)Security · SeniorMove JWT to httpOnly Cookies (XSS + CSRF)Security · SeniorPatch the JWT None-Algorithm BypassSecurity · MidBuild API Key AuthenticationSecurity · MidImplement OAuth 2.0 With PKCESecurity · MidMigrate MD5 Password Hashes to bcryptSecurity · MidRotate a Leaked JWT Secret Without LogoutSecurity · MidMove a Plaintext Secret to AWS Secrets ManagerSecurity · MidScope an AWS KMS Key Policy to One RoleSecurity · MidFix an IDOR Exposing Other Users' InvoicesSecurity · MidBlock an SSRF in a URL FetcherSecurity · MidClose a SQL Injection in a Search EndpointSecurity · JuniorNeutralize a Stored XSS in CommentsSecurity · JuniorRemove Hardcoded Credentials From Source CodeSecurity · JuniorHash Passwords Instead of Storing PlaintextSecurity · JuniorStop Login Brute-Force With Rate LimitingSecurity · JuniorBlock a Path Traversal VulnerabilitySecurity · JuniorClose an Open Redirect VulnerabilitySecurity · Junior

Pick by the area to show

Web appsec? The injection and access-control ones. Secrets and crypto? The hashing and history-scrub ones. Each finished fix is evidence on your portfolio.

Build your portfolio free. You are in a real cloud workspace in 30 seconds - fix real systems, show real work.

Start free →