DevSecOps Engineering: Automating Security - 24-Week Curriculum

Course Snapshot

Shift security left by integrating it into development pipelines. Master automated security testing, SAST/DAST, container scanning, and compliance.

⏱️24 Weeks

📊Advanced

🔐Security Engineering

Welcome to DevSecOps Engineering: Automating Security! 🎓

This curriculum for DevSecOps Engineering: Automating Security follows a Bloom-aligned progression from practical foundations to measurable professional outcomes, with weekly evidence, labs, and portfolio outputs matched to advanced expectations.

Each week advances from comprehension and application toward evaluation and creation, ensuring progressive learning and capstone readiness.

Your success is our priority. By the end of the course, you will be able to design and operate a secure delivery pipeline that balances speed, developer usability, and measurable security controls. You will graduate with a professionally curated portfolio that demonstrates scope, depth, and delivery quality. You will graduate with a professionally curated portfolio that demonstrates scope, depth, and delivery quality. You will graduate with a professionally curated portfolio that demonstrates scope, depth, and delivery quality. You will graduate with a professionally curated portfolio that demonstrates scope, depth, and delivery quality.

Prerequisites & What You Should Know

Hands-on experience with network protocols, operating system internals, and security control implementation
Practical knowledge of reading security logs, alert analysis, and threat detection workflows
Comfort with risk documentation, control decisions, and evidence-based compliance mapping
Familiarity with at least one SIEM platform, policy tool, or security scanner

Recommended Complementary Courses

Incident Response

Master triage, containment, and post-incident forensics workflows

Cloud Security

Extend identity, token, and workload protection into cloud environments

Governance & Compliance

Connect security controls to regulatory mappings and audit documentation

Essential Learning Resources

NIST Cybersecurity Framework, CIS Controls, and OWASP threat modeling guides
Incident simulation datasets, detection rule templates, and control efficacy checklists
Security architecture patterns repository and threat modeling workshop materials

Your Learning Roadmap

Early Weeks: Core controls, identity hardening, and baseline security posture
Middle Weeks: Detection engineering, incident handling, and service resilience
Late Weeks: Compliance evidence, executive reporting, and capstone defense

Detailed Weekly Curriculum

Week 15 hours + labs

DevSecOps Foundations

Analyze the principles of DevSecOps Foundations and link them to course outcomes at advanced depth with architecture-level decision quality.
Evaluate DevSecOps Foundations in a guided scenario using realistic tools, constraints, and quality gates.
Design trade-offs, risks, and decision points for DevSecOps Foundations, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for DevSecOps Foundations with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete DevSecOps Foundations build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate DevSecOps Foundations with objective tests and quality controls before review.
Deliver DevSecOps Foundations artifacts with reproducible steps and operational notes.

Week 25 hours + labs

SDLC Security

Analyze the principles of SDLC Security and link them to course outcomes at advanced depth with architecture-level decision quality.
Evaluate SDLC Security in a guided scenario using realistic tools, constraints, and quality gates.
Design trade-offs, risks, and decision points for SDLC Security, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for SDLC Security with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for SDLC Security and verify enforcement on target systems.
Run assessment/scanning for SDLC Security and prioritize findings by exploitability and impact.
Close critical findings for SDLC Security and publish re-test evidence.

Week 35 hours + labs

Code Analysis - SAST

Analyze the principles of Code Analysis - SAST and link them to course outcomes at advanced depth with architecture-level decision quality.
Evaluate Code Analysis - SAST in a guided scenario using realistic tools, constraints, and quality gates.
Design trade-offs, risks, and decision points for Code Analysis - SAST, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Code Analysis - SAST with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Code Analysis - SAST build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Code Analysis - SAST with objective tests and quality controls before review.
Deliver Code Analysis - SAST artifacts with reproducible steps and operational notes.

Week 45 hours + labs

Dependency Scanning

Analyze the principles of Dependency Scanning and link them to course outcomes at advanced depth with architecture-level decision quality.
Evaluate Dependency Scanning in a guided scenario using realistic tools, constraints, and quality gates.
Design trade-offs, risks, and decision points for Dependency Scanning, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Dependency Scanning with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Dependency Scanning build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Dependency Scanning with objective tests and quality controls before review.
Deliver Dependency Scanning artifacts with reproducible steps and operational notes.

Week 55 hours + labs

Container Security I

Analyze the principles of Container Security I and link them to course outcomes at advanced depth with architecture-level decision quality.
Evaluate Container Security I in a guided scenario using realistic tools, constraints, and quality gates.
Design trade-offs, risks, and decision points for Container Security I, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Container Security I with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for Container Security I and verify enforcement on target systems.
Run assessment/scanning for Container Security I and prioritize findings by exploitability and impact.
Close critical findings for Container Security I and publish re-test evidence.

Week 65 hours + labs

Container Security II

Analyze the principles of Container Security II and link them to course outcomes at advanced depth with architecture-level decision quality.
Evaluate Container Security II in a guided scenario using realistic tools, constraints, and quality gates.
Design trade-offs, risks, and decision points for Container Security II, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Container Security II with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for Container Security II and verify enforcement on target systems.
Run assessment/scanning for Container Security II and prioritize findings by exploitability and impact.
Close critical findings for Container Security II and publish re-test evidence.

Week 75 hours + labs

Dynamic Testing - DAST

Analyze the principles of Dynamic Testing - DAST and link them to course outcomes at advanced depth with architecture-level decision quality.
Evaluate Dynamic Testing - DAST in a guided scenario using realistic tools, constraints, and quality gates.
Design trade-offs, risks, and decision points for Dynamic Testing - DAST, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Dynamic Testing - DAST with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Dynamic Testing - DAST build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Dynamic Testing - DAST with objective tests and quality controls before review.
Deliver Dynamic Testing - DAST artifacts with reproducible steps and operational notes.

Week 85 hours + labs

CI/CD Pipeline Security

Analyze the principles of CI/CD Pipeline Security and link them to course outcomes at advanced depth with architecture-level decision quality.
Evaluate CI/CD Pipeline Security in a guided scenario using realistic tools, constraints, and quality gates.
Design trade-offs, risks, and decision points for CI/CD Pipeline Security, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for CI/CD Pipeline Security with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for CI/CD Pipeline Security and verify enforcement on target systems.
Run assessment/scanning for CI/CD Pipeline Security and prioritize findings by exploitability and impact.
Close critical findings for CI/CD Pipeline Security and publish re-test evidence.

Week 95 hours + labs

Infrastructure as Code (IaC)

Evaluate the principles of Infrastructure as Code (IaC) and link them to course outcomes at advanced depth with architecture-level decision quality.
Design Infrastructure as Code (IaC) in a guided scenario using realistic tools, constraints, and quality gates.
Optimize trade-offs, risks, and decision points for Infrastructure as Code (IaC), then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Infrastructure as Code (IaC) with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Infrastructure as Code (IaC) build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Infrastructure as Code (IaC) with objective tests and quality controls before review.
Deliver Infrastructure as Code (IaC) artifacts with reproducible steps and operational notes.

Week 105 hours + labs

Policy as Code

Evaluate the principles of Policy as Code and link them to course outcomes at advanced depth with architecture-level decision quality.
Design Policy as Code in a guided scenario using realistic tools, constraints, and quality gates.
Optimize trade-offs, risks, and decision points for Policy as Code, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Policy as Code with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Policy as Code build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Policy as Code with objective tests and quality controls before review.
Deliver Policy as Code artifacts with reproducible steps and operational notes.

Week 115 hours + labs

Secrets Management

Evaluate the principles of Secrets Management and link them to course outcomes at advanced depth with architecture-level decision quality.
Design Secrets Management in a guided scenario using realistic tools, constraints, and quality gates.
Optimize trade-offs, risks, and decision points for Secrets Management, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Secrets Management with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Secrets Management build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Secrets Management with objective tests and quality controls before review.
Deliver Secrets Management artifacts with reproducible steps and operational notes.

Week 125 hours + labs

Cloud Security

Evaluate the principles of Cloud Security and link them to course outcomes at advanced depth with architecture-level decision quality.
Design Cloud Security in a guided scenario using realistic tools, constraints, and quality gates.
Optimize trade-offs, risks, and decision points for Cloud Security, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Cloud Security with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for Cloud Security and verify enforcement on target systems.
Run assessment/scanning for Cloud Security and prioritize findings by exploitability and impact.
Close critical findings for Cloud Security and publish re-test evidence.

Week 135 hours + labs

Kubernetes Security

Evaluate the principles of Kubernetes Security and link them to course outcomes at advanced depth with architecture-level decision quality.
Design Kubernetes Security in a guided scenario using realistic tools, constraints, and quality gates.
Optimize trade-offs, risks, and decision points for Kubernetes Security, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Kubernetes Security with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for Kubernetes Security and verify enforcement on target systems.
Run assessment/scanning for Kubernetes Security and prioritize findings by exploitability and impact.
Close critical findings for Kubernetes Security and publish re-test evidence.

Week 145 hours + labs

Monitoring & Compliance

Evaluate the principles of Monitoring & Compliance and link them to course outcomes at advanced depth with architecture-level decision quality.
Design Monitoring & Compliance in a guided scenario using realistic tools, constraints, and quality gates.
Optimize trade-offs, risks, and decision points for Monitoring & Compliance, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Monitoring & Compliance with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for Monitoring & Compliance and verify enforcement on target systems.
Run assessment/scanning for Monitoring & Compliance and prioritize findings by exploitability and impact.
Close critical findings for Monitoring & Compliance and publish re-test evidence.

Week 155 hours + labs

SIEM Integration

Evaluate the principles of SIEM Integration and link them to course outcomes at advanced depth with architecture-level decision quality.
Design SIEM Integration in a guided scenario using realistic tools, constraints, and quality gates.
Optimize trade-offs, risks, and decision points for SIEM Integration, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for SIEM Integration with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete SIEM Integration build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate SIEM Integration with objective tests and quality controls before review.
Deliver SIEM Integration artifacts with reproducible steps and operational notes.

Week 165 hours + labs

Incident Response

Evaluate the principles of Incident Response and link them to course outcomes at advanced depth with architecture-level decision quality.
Design Incident Response in a guided scenario using realistic tools, constraints, and quality gates.
Optimize trade-offs, risks, and decision points for Incident Response, then record rationale for stakeholder review.
Justify a portfolio-ready control validation dossier for Incident Response with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Incident Response build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Incident Response with objective tests and quality controls before review.
Deliver Incident Response artifacts with reproducible steps and operational notes.

Week 175 hours + labs

Advanced CI/CD

Design the principles of Advanced CI/CD and link them to course outcomes at advanced depth with architecture-level decision quality.
Optimize Advanced CI/CD in a guided scenario using realistic tools, constraints, and quality gates.
Architect trade-offs, risks, and decision points for Advanced CI/CD, then record rationale for stakeholder review.
Defend a portfolio-ready control validation dossier for Advanced CI/CD with measurable success criteria and next actions.

Lab Exercise

Implement a production-style Advanced CI/CD setup using versioned config/code and environment controls.
Run validation gates for Advanced CI/CD covering reliability, security, and rollback readiness.
Publish Advanced CI/CD execution evidence with logs, metrics, and troubleshooting notes.

Week 185 hours + labs

Supply Chain Security

Design the principles of Supply Chain Security and link them to course outcomes at advanced depth with architecture-level decision quality.
Optimize Supply Chain Security in a guided scenario using realistic tools, constraints, and quality gates.
Architect trade-offs, risks, and decision points for Supply Chain Security, then record rationale for stakeholder review.
Defend a portfolio-ready control validation dossier for Supply Chain Security with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for Supply Chain Security and verify enforcement on target systems.
Run assessment/scanning for Supply Chain Security and prioritize findings by exploitability and impact.
Close critical findings for Supply Chain Security and publish re-test evidence.

Week 195 hours + labs

API Security

Design the principles of API Security and link them to course outcomes at advanced depth with architecture-level decision quality.
Optimize API Security in a guided scenario using realistic tools, constraints, and quality gates.
Architect trade-offs, risks, and decision points for API Security, then record rationale for stakeholder review.
Defend a portfolio-ready control validation dossier for API Security with measurable success criteria and next actions.

Lab Exercise

Implement baseline controls for API Security and verify enforcement on target systems.
Run assessment/scanning for API Security and prioritize findings by exploitability and impact.
Close critical findings for API Security and publish re-test evidence.

Week 205 hours + labs

Automation Best Practices

Design the principles of Automation Best Practices and link them to course outcomes at advanced depth with architecture-level decision quality.
Optimize Automation Best Practices in a guided scenario using realistic tools, constraints, and quality gates.
Architect trade-offs, risks, and decision points for Automation Best Practices, then record rationale for stakeholder review.
Defend a portfolio-ready control validation dossier for Automation Best Practices with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Automation Best Practices build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Automation Best Practices with objective tests and quality controls before review.
Deliver Automation Best Practices artifacts with reproducible steps and operational notes.

Week 215 hours + labs

Team & Culture

Design the principles of Team & Culture and link them to course outcomes at advanced depth with architecture-level decision quality.
Optimize Team & Culture in a guided scenario using realistic tools, constraints, and quality gates.
Architect trade-offs, risks, and decision points for Team & Culture, then record rationale for stakeholder review.
Defend a portfolio-ready control validation dossier for Team & Culture with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Team & Culture build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Team & Culture with objective tests and quality controls before review.
Deliver Team & Culture artifacts with reproducible steps and operational notes.

Week 225 hours + labs

Tools & Integrations

Design the principles of Tools & Integrations and link them to course outcomes at advanced depth with architecture-level decision quality.
Optimize Tools & Integrations in a guided scenario using realistic tools, constraints, and quality gates.
Architect trade-offs, risks, and decision points for Tools & Integrations, then record rationale for stakeholder review.
Defend a portfolio-ready control validation dossier for Tools & Integrations with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Tools & Integrations build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Tools & Integrations with objective tests and quality controls before review.
Deliver Tools & Integrations artifacts with reproducible steps and operational notes.

Week 235 hours + labs

Industry Case Studies

Design the principles of Industry Case Studies and link them to course outcomes at advanced depth with architecture-level decision quality.
Optimize Industry Case Studies in a guided scenario using realistic tools, constraints, and quality gates.
Architect trade-offs, risks, and decision points for Industry Case Studies, then record rationale for stakeholder review.
Defend a portfolio-ready control validation dossier for Industry Case Studies with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Industry Case Studies build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Industry Case Studies with objective tests and quality controls before review.
Deliver Industry Case Studies artifacts with reproducible steps and operational notes.

Week 245 hours + capstone

Capstone: Secure Pipeline

Design the principles of Capstone: Secure Pipeline and link them to course outcomes at advanced depth with architecture-level decision quality.
Optimize Capstone: Secure Pipeline in a guided scenario using realistic tools, constraints, and quality gates.
Architect trade-offs, risks, and decision points for Capstone: Secure Pipeline, then record rationale for stakeholder review.
Defend a portfolio-ready control validation dossier for Capstone: Secure Pipeline with measurable success criteria and next actions.

Lab Exercise

Design and execute a concrete Capstone: Secure Pipeline build in DevSecOps Engineering: Automating Security with a clear acceptance checklist.
Validate Capstone: Secure Pipeline with objective tests and quality controls before review.
Deliver Capstone: Secure Pipeline artifacts with reproducible steps and operational notes.

Capstone Projects

Project 1: DevSecOps Engineering: Automating Security Foundation Build

Deliver a concrete foundation implementation covering the first phase of the curriculum.

Implement and validate DevSecOps Foundations.
Integrate SDLC Security with reusable workflow standards.
Publish evidence for Code Analysis - SAST with test and quality artifacts.

Project 2: DevSecOps Engineering: Automating Security Integrated Systems Build

Combine mid-program competencies into a production-style integrated workflow.

Build an end-to-end flow around Infrastructure as Code (IaC) and Policy as Code.
Add controls, observability, and rollback paths for reliability.
Document architecture decisions and trade-offs tied to Secrets Management.

Project 3: DevSecOps Engineering: Automating Security Capstone Delivery

Ship a portfolio-ready capstone with measurable outcomes and stakeholder-ready presentation.

Deliver a complete implementation centered on Team & Culture.
Validate readiness for Tools & Integrations using objective acceptance checks.
Present final defense and roadmap based on Industry Case Studies outcomes.

Study Tips for Success

Reserve two weekly deep-work blocks for hands-on labs, control validation, and remediation testing against real-world attacks.
Maintain a control-change ledger documenting each risk decision, its measurable impact, and improvement trajectory.
Conduct weekly threat model reviews, comparing assumed attack paths against current detection capability and control gaps.

About This Course

DevSecOps Engineering: Automating Security is built for organizations and practitioners who need security controls to operate at delivery speed. The course focuses on automation-first security design so that policy, scanning, secrets, and response workflows become part of engineering practice instead of external bottlenecks.

Best fit roles: DevSecOps Engineer, Security Automation Engineer, Platform Security Engineer, Cloud Security Engineer.
Primary outcome: Design and defend a secure software delivery pipeline with automated enforcement and monitoring.
Portfolio value: Pipeline security controls, IaC scanning, policy-as-code rules, SIEM integrations, and supply chain security evidence.