Empower Your Cybersecurity Education with Chrysallis AI and Metaversity XR

The essential starting point for anyone entering cybersecurity — beginner, career changer, or professional needing a structured foundation. What You'll Learn: • Networking fundamentals — TCP/IP, DNS, DHCP, routing, and switching • Operating systems basics — Windows & Linux, file systems, permissions, command line • Core security concepts — CIA triad, encryption basics, common attack types • Threat landscape — actors, motivations, and methods behind real-world attacks • Security tools — firewalls, IDS/IPS, SIEM, and endpoint protection • Vulnerability basics — discovery, prioritization, and industry frameworks • Certification roadmap — CompTIA A+, Network+, Security+ Delivery: Hybrid — online and in-person Alaska cohorts. Target: Career changers, students, veterans, and non-technical professionals. Prerequisites: None. Basic computer literacy recommended. Outcome: Solid technical foundation and clear career direction into the full Cyber Nomad portfolio.

A practical introduction to NIST RMF, the NIST AI Risk Management Framework, and the CIS Controls Self-Assessment Tool — built for workforce entrants and professionals in government IT or federal contractor environments. What You'll Learn: • NIST RMF — 7 steps, FIPS 199/200 categorization, SP 800-53 Rev. 5 control families • SSP concepts — what an SSP is and how CCIs map across frameworks • NIST AI RMF — Map, Measure, Manage, Govern applied to AI systems • AI risk governance — responsible deployment, bias mitigation, GRC integration • Federal AI obligations — OMB memoranda and EO 14110 documentation requirements • CIS Controls v8 — 18 controls, IG1/IG2/IG3 right-sizing, and CSAT scoring • CSAT setup — platform navigation, remediation roadmap, and control mapping Delivery: Hybrid — online and in-person Alaska cohorts. Mobile lab options for rural outreach. Target: Job seekers, career changers, entry-level government IT staff, and federal contractor employees. Prerequisites: None. Basic computer literacy recommended. Outcome: Foundational GRC and AI governance literacy with hands-on CSAT experience — on-ramp to GRC Pathway, CMMC, and AI Ethics tracks.

For everyone who uses the internet. Not about becoming a security professional — about understanding the digital world you already live in and building habits that keep you and your family safer. What You'll Learn: • How the internet works — websites, email, apps, and everyday devices • Common threats — phishing, scams, identity theft, and social engineering • Password and account security — password managers and multi-factor authentication • Safe browsing and device hygiene — spotting unsafe sites and keeping devices clean • Digital footprint awareness — what you share online and who can see it • Family protection — cyberbullying, child safety, parental controls • Incident response — what to do if your account, identity, or device is compromised Delivery: Hybrid — online and in-person Alaska cohorts. Built for community, family, and organizational delivery. Target: Individuals, families, community members, and non-technical employees. Prerequisites: None. No technical background required. Outcome: Confident digital citizens who recognize threats and protect themselves, their families, and their organizations.

Think like an attacker. A hands-on, lab-intensive course grounded in real-world adversarial techniques, legal boundaries, and ethical responsibility. What You'll Learn: • Reconnaissance and OSINT — passive/active recon and adversary profiling • Scanning and enumeration — Nmap, service enumeration, attack surface mapping • Exploitation fundamentals — Metasploit, manual exploitation, exploit chaining • Web application hacking — OWASP Top 10 from the attacker's perspective • Privilege escalation — Windows/Linux escalation, credential harvesting, lateral movement • Red teaming fundamentals — simulated campaigns, rules of engagement, reporting • Social engineering — phishing, pretexting, vishing, physical access techniques • Ethics and law — CFAA, scope definitions, and written authorization requirements Delivery: Hybrid — online and in-person Alaska cohorts. Lab access included. Target: Security professionals, IT admins, military/government personnel, and career changers. Prerequisites: Cyber Foundations Bootcamp or equivalent networking/OS knowledge. Outcome: Junior penetration testers and red team operators ready for ethical hacking and vulnerability assessment roles.

For the people who hold the line. Deep training in the tools, techniques, and decision-making that define high-performing blue teams. What You'll Learn: • Detection engineering — building and tuning SIEM rules (Splunk, Sentinel, QRadar) • Threat hunting — MITRE ATT&CK-driven, hypothesis-based, behavioral analytics • Incident response lifecycle — preparation through lessons learned • Digital forensics basics — disk/memory forensics, log preservation, chain of custody • EDR operations — endpoint telemetry, malicious process identification, isolation • Network defense — NetFlow, packet captures, IDS/IPS alert analysis • Playbook development — repeatable, documented response procedures • Purple teaming — collaborating with red team to validate detection coverage Delivery: Hybrid — online and in-person Alaska cohorts. Cohort-based with practitioner mentorship. Target: SOC analysts, IT admins, incident responders, and security engineers. Prerequisites: Basic networking and OS knowledge. Cyber Foundations Bootcamp recommended. Outcome: Blue team analysts and incident responders ready for Tier 2/3 SOC and detection engineering roles.

Most CTI programs teach you to consume intelligence feeds. This track teaches you to produce, analyze, and weaponize intelligence — and understand the cognitive warfare dimensions of modern adversarial conflict. What You'll Learn: • CTI fundamentals — intelligence cycle, source types, confidence ratings, actionable products • OSINT tradecraft — social media, dark web monitoring, domain analysis, geolocation • Adversary profiling — MITRE ATT&CK, Diamond Model, Cyber Kill Chain • Influence operations — how state/non-state actors manipulate information environments • Behavioral analysis — attacker motivation, decision-making, and psychological patterns • Narrative warfare — disinformation detection and defending information environments • Intelligence writing — threat assessments, executive briefings, strategic forecasts • Countering cognitive manipulation — deepfakes, influence campaigns, coordinated harassment Delivery: Hybrid — online and in-person Alaska cohorts. Target: Intelligence analysts, security strategists, government/military personnel, journalists, and policy professionals. Prerequisites: Foundational cybersecurity knowledge or equivalent experience. Outcome: Cyber strategists with CTI skills, OSINT tradecraft, and cognitive warfare awareness to operate at the intersection of technology and national security.

For professionals who protect the systems that cannot fail — energy grids, water, transportation, maritime corridors, Arctic ports, and government networks. Deep focus on Alaska's unique security realities: maritime law, Arctic operations, tribal sovereignty, and Alaska Native Corporation environments. What You'll Learn: • ICS/SCADA fundamentals — industrial control systems, OT environments, NIST SP 800-82 Rev. 3 • OT/IT convergence risks — attack surface management using NIST SP 800-53 OT overlays • Maritime and port security — AIS spoofing, GPS jamming, ISPS Code, IMO cyber guidelines • Arctic security imperatives — national security, energy infrastructure, geopolitical competition • Tribal and sovereign infrastructure — federal trust responsibilities, ISDEAA, isolated Native communities • ANC cyber risk — defense contracting, CMMC, SP 800-171/172, indigenous data sovereignty • Infrastructure risk frameworks — NIST CSF 2.0, NERC CIP, TSA directives, MTSA • Supply chain threats — third-party risk management using NIST SP 800-161 Rev. 1 Delivery: Hybrid — online and in-person Alaska cohorts. Mobile delivery for rural/remote communities. Target: Infrastructure security professionals, Coast Guard, energy/utilities, tribal IT leads, ANC compliance teams. Prerequisites: Foundational cybersecurity knowledge or professional IT/OT/government experience. Outcome: Infrastructure security specialists ready for public sector, defense, maritime, and critical infrastructure protection roles.

CMMC compliance is not optional for defense contractors — and getting it wrong means lost contracts or federal debarment. This practitioner-level course is built for CISOs and the teams making CMMC real inside their organizations. What You'll Learn: • CMMC Level 1–3 requirements — maturity model, risk mapping, and what assessors look for • NIST SP 800-172 enhanced controls — 35 enhanced CUI requirements beyond SP 800-171 • SP 800-161 supply chain risk — vendor and contractor cyber risk in DoD supply chains • CUI identification and system boundaries — scoping your CMMC assessment correctly • SSP development — writing System Security Plans that hold up under third-party review • POA&M strategy — building Plans of Action and Milestones that satisfy assessors • C3PAO readiness — understanding the assessment process and preparing your team • Audit evidence discipline — policies, logs, configurations, and attestations that tell a defensible story Delivery: Hybrid — online and in-person Alaska cohorts. Cohort-based with practitioner access. Target: CISOs, security architects, GRC professionals, and compliance officers in defense contracting and federal IT. Prerequisites: Foundational GRC knowledge or GRC Pathway recommended. NIST SP 800-171 familiarity beneficial. Outcome: CMMC audit-ready teams with the documentation discipline and assessor-facing confidence to protect their place in the federal contracting ecosystem.

ISO certification is a sustained operational commitment — not just a badge. Built for security leads, IT managers, and GRC analysts responsible for building and defending an ISO-compliant program. What You'll Learn: • ISO 27001 ISMS structure — scope, organizational context, and control decisions • Risk assessment and treatment — systematic assessments documented for certification bodies • Annex A controls — all 93 controls across organizational, people, physical, and tech domains • Statement of Applicability (SoA) — defensible SoA with justified exclusions • ISMS policy development — information security policies and procedures auditors will test • ISO 20000 requirements — IT service management, continual improvement, and integration with 27001 • Internal audit execution — genuine ISMS testing that finds nonconformities before external auditors do • Certification body readiness — Stage 1/2 audit preparation, evidence requests, and findings handling Delivery: Hybrid — online and in-person Alaska cohorts. Includes policy templates, SoA frameworks, and audit checklists. Target: IT managers, GRC analysts, security teams, compliance officers, and service delivery leads. Prerequisites: Basic IT knowledge. GRC Pathway or equivalent experience beneficial. Outcome: Audit-ready teams with the documentation discipline to pass their ISO review and sustain through recertification.

The definitive workforce pipeline track for individuals ready to step into a professional security role — building the technical depth, operational instincts, and career readiness to land and succeed as a SOC analyst. What You'll Learn: • SOC operations — how alerts are triaged and incidents are prioritized under pressure • SIEM tools and log analysis — Splunk, Microsoft Sentinel, QRadar • Incident detection and triage — IOCs, false positive filtering, and proper escalation • Threat intelligence basics — threat feeds and adversary TTPs via MITRE ATT&CK • Malware awareness — how malware behaves and how analysts identify it in endpoint data • Network traffic analysis — packet captures, anomaly identification, normal vs. malicious traffic • Documentation and reporting — professional incident reports for leadership and legal teams • Career and certification prep — Security+, CySA+, and CEH roadmap coaching Delivery: Hybrid — online and in-person Alaska cohorts. Cohort-based with mentorship. Target: Career changers, Bootcamp graduates, and veterans transitioning to tech. Prerequisites: Basic computer literacy. Cyber Foundations Bootcamp recommended. Outcome: Job-ready SOC analysts with hands-on tool experience and a clear certification pathway for Tier 1/2 roles.

GRC is one of the most in-demand disciplines in cybersecurity — and Cyber Nomad teaches it from inside the system. Not a checkbox exercise, but the living language of how organizations manage risk, win contracts, and stay out of trouble. What You'll Learn: • NIST RMF — the full 7-step cycle applied to real systems • ISO 27001 fundamentals — ISMS structure, Annex A controls, and how certification works • FedRAMP basics — cloud security authorization for government environments • Policy writing — SSPs, POA&Ms, and risk treatment documents regulators actually accept • Risk assessments and audits — real methodologies, not theoretical frameworks • Compliance vs. security — checking boxes vs. actually reducing risk • Government contracting reality — how contracts work and what agencies really look for • Fraud, waste, and abuse — federal case studies where compliance theater replaced real security Delivery: Hybrid — online and in-person Alaska cohorts. Includes policy templates and SSP examples. Target: Career changers, entry-level government IT staff, federal contractor employees, and auditors. Prerequisites: Basic IT understanding or Cyber Foundations Bootcamp recommended. Outcome: GRC specialists who can write, audit, and defend a compliance program — in demand across government, defense, healthcare, and financial services.

Vulnerabilities don't start in the SOC — they start in the code. Built for developers, QA engineers, and security professionals who want to understand how applications get compromised and how to build software that doesn't. What You'll Learn: • OWASP Top 10 — injection, broken auth, XSS, CSRF, broken access control, and more • Secure coding fundamentals — input validation, output encoding, session management • Threat modeling — identifying attack surfaces early in the development lifecycle • DevSecOps basics — security in CI/CD pipelines, SAST/DAST tooling, shifting left • Vulnerability testing labs — DVWA, WebGoat, Juice Shop using Burp Suite and OWASP ZAP • API security — REST/GraphQL attack surfaces and broken object-level authorization • Secure code review — identifying vulnerabilities before they reach production • Dependency and supply chain risk — third-party library and open-source component risk Delivery: Hybrid — online and in-person Alaska cohorts. Lab-heavy with real tools. Target: Software developers, QA engineers, and IT professionals transitioning to security. Prerequisites: Basic programming or scripting experience (Python, JavaScript, or similar) recommended. Outcome: Junior AppSec and DevSecOps professionals ready for application security and penetration testing roles.

Healthcare is one of the most targeted and heavily regulated sectors in cybersecurity. Built for IT professionals, compliance officers, and security teams who need HIPAA as an operational security framework — not a legal abstraction. What You'll Learn: • HIPAA framework — Privacy Rule, Security Rule, Breach Notification Rule; covered entities vs. business associates • PHI and ePHI — what qualifies, how it flows, and controls required at rest and in transit • Administrative safeguards — security management, workforce training, and contingency planning • Physical safeguards — facility access, workstation security, and device/media controls • Technical safeguards — access controls, audit controls, and transmission security for EHR and medical devices • Risk analysis — HIPAA-required assessments using NIST SP 800-30 adapted for healthcare • Business Associate Agreements — evaluating vendor compliance and breach liability • Breach notification — 60-day rule, breach determination, and incident response planning • OCR audits — how investigations work, how penalties are assessed, and how organizations fail • Framework mapping — HIPAA Security Rule to NIST CSF 2.0, SP 800-66 Rev. 2, and CIS Controls Delivery: Hybrid — online and in-person Alaska cohorts. Relevant to Tribal Health, rural clinics, and remote healthcare environments. Target: Healthcare IT professionals, compliance officers, privacy officers, practice administrators, and business associates. Prerequisites: Basic IT or healthcare operations knowledge. GRC Pathway beneficial but not required. Outcome: HIPAA-ready compliance professionals with the skills to build, defend, and audit a compliant healthcare security program.

FERPA governs the privacy of student education records — and getting it wrong means federal funding consequences and real harm to students. Built for IT professionals, compliance officers, school admins, and EdTech vendors. What You'll Learn: • FERPA framework — education records, school official definitions, and student/parent rights • Directory information — what's protected, opt-out processes, and managing disclosure requests • Legitimate educational interest — access control policies and access logs as compliance evidence • Technical safeguards — access controls, audit logging, encryption, and identity management for LMS/EdTech • Data sharing agreements — school official exception, vendor compliance, and breach liability • Incident response under FERPA — breach notification obligations vs. HIPAA and state laws • FERPA and state law intersections — COPPA, state student privacy laws, and AI governance for educational data • FERPA in Alaska — distributed districts, Alaska Native village schools, and remote learning environments • Audit readiness — policy framework, access documentation, and disclosure logs for Dept. of Education reviews Delivery: Hybrid — online and in-person Alaska cohorts. Relevant to Alaska school districts, UA system campuses, and EdTech organizations. Target: School IT professionals, registrars, compliance officers, EdTech leads, and school administrators. Prerequisites: Basic IT or educational operations knowledge. GRC Pathway beneficial but not required. Outcome: FERPA-ready compliance professionals with the skills to protect student privacy, manage vendors, and defend institutional compliance posture.

GDPR is the most comprehensive data privacy law in the world — and it applies to any organization processing personal data of EU residents, regardless of where you're based. Built for IT professionals, DPOs, compliance officers, and security practitioners. What You'll Learn: • GDPR framework — key definitions, territorial scope, and six lawful bases for processing • Data subject rights — access, rectification, erasure, portability, and objection; 30-day response requirements • Controller and processor obligations — DPAs, liability flow, and supply chain accountability • Privacy by Design and Default — data minimization embedded from the ground up • DPIAs — when required, how to conduct them, and documenting decisions for supervisory authorities • Technical and organizational security — Article 32 obligations mapped to NIST CSF 2.0 and ISO 27001 • Breach notification — 72-hour reporting rule, individual notification, and incident response alignment • DPO role and obligations — when required, independence, and supervisory authority interface • International data transfers — SCCs, adequacy decisions, BCRs, and post-Schrems II compliance • Enforcement and fines — how DPAs investigate, how fines up to €20M or 4% global revenue are calculated • GDPR and US law intersections — CCPA/CPRA, HIPAA, FERPA, and multi-framework privacy programs Delivery: Hybrid — online and in-person Alaska cohorts. Relevant to any organization with EU customers or global operations. Target: IT professionals, DPOs, compliance officers, privacy leads, security architects, and product managers. Prerequisites: Basic IT or data governance knowledge. GRC Pathway beneficial but not required. Outcome: GDPR-ready compliance professionals with the skills to build and defend a compliant privacy program across one of the world's most consequential regulatory frameworks.