🔒 Security Engineer

90-Day English Deep Dive for Security Engineers

A comprehensive 3-month programme that takes you from solid vulnerability-reporting vocabulary to full professional fluency in security engineering English. Over 13 weeks you will master threat modeling and cryptography vocabulary; develop incident response, pentest reporting, and SOC operations fluency; build confident responsible-disclosure and DevSecOps communication; and reach advanced fluency for executive risk briefings and technical interviews.

Advanced · 90 days · 13 weeks · 3 phases · 1–2 hrs/week
Phase 1: Foundations (Weeks 1–4)
Cybersecurity, CVE/CVSS, threat modeling, cryptography, IAM, and compliance vocabulary

Phase 2: Response & Offense (Weeks 5–8)
Incident response, postmortems, penetration test reporting, and attack-chain language

Phase 3: Advanced (Weeks 9–13)
SOC operations, responsible disclosure, DevSecOps, executive communication, and interviews

Advanced phrases you will master in 90 days

attack surface
"Removing the debug endpoint from production reduces the attack surface by eliminating an unauthenticated code path."
lateral movement
"After the initial foothold, the attacker used lateral movement via Pass-the-Hash to reach the domain controller."
CVSS Base Score
"The CVSS Base Score of 9.8 reflects network exploitability, no authentication, and high impact across all three CIA pillars."
chain of custody
"Maintain chain of custody for all forensic images — document who collected each artefact and when."
blameless postmortem
"We ran a blameless postmortem — the goal was identifying process gaps, not assigning fault."
threat actor / TTPs
"The TTPs are consistent with a financially motivated threat actor targeting cloud credential theft."
responsible disclosure
"I followed responsible disclosure and notified the vendor 90 days before publishing the advisory."
defence in depth
"Even if the WAF is bypassed, defence in depth means parameterised queries prevent actual injection."
shift-left security
"Shift-left security means SAST and dependency scanning run in CI before code reaches production."
patch cadence
"Our patch cadence for Critical CVEs is 24 hours — we need to verify all affected servers were patched within SLA."

Frequently asked questions

Who is the 90-day Security Engineer English deep dive designed for?

This programme is designed for security engineers, penetration testers, SOC analysts, and AppSec engineers at all levels who work in English-speaking teams or communicate with international developers, executives, and regulators. It covers vulnerability reporting, threat modeling, incident response, pentest reporting, SOC operations, disclosure, DevSecOps, and executive communication.

What English level is required for the 90-day Security Engineer path?

You should be at B2 level or above. The path builds from cybersecurity and CVE/CVSS foundations in Phase 1 to advanced offensive security and executive briefing communication in Phase 3. If you can write a CVE description but struggle with board briefings, this path will close that gap.

How much time per week does the 90-day path require?

Each week has 4 resources, each taking approximately 20–30 minutes. Total weekly commitment is 1.5–2 hours, spread across 4 sessions. This is sustainable alongside a full-time security engineering role.

What cryptography and identity vocabulary is covered?

Week 3 covers cryptography and PKI vocabulary (TLS handshake language, certificate chains, JWT claims) alongside identity and access management vocabulary — OAuth 2.0, OIDC, RBAC/ABAC, SSO federation, and zero trust authentication.

Does the path include penetration test reporting and red-teaming vocabulary?

Yes. Weeks 7 and 8 cover the full structure of a professional pentest report, describing multi-step attack chains, and the vocabulary of red-teaming and adversarial simulation, including AI red-teaming for teams that assess AI system safety.

What SOC operations and threat intelligence content is covered?

Week 9 covers SOC alert triage disposition language, MITRE ATT&CK technique vocabulary, and observability and log-reading vocabulary for reconstructing incident timelines from evidence.

Is responsible disclosure and security advisory writing included?

Yes. Week 10 covers the full responsible disclosure process — initial vendor communication, negotiating disclosure timelines, and writing formal security advisories, alongside supply chain security vocabulary (SBOM, SLSA framework).

Does this path cover DevSecOps and executive communication?

Yes. Week 11 covers DevSecOps pipeline vocabulary (SAST, DAST, SCA, shift-left security) and Week 12 covers executive briefing communication — translating technical findings into business risk language and presenting patch priority to leadership.

What should I do after completing the 90-day Security Engineer path?

After completing this path, explore the Security Engineer guide for comprehensive reference material. Consider also completing relevant weeks from the DevOps & SRE or Backend Developer path to build the infrastructure and application vocabulary for the systems you secure most closely.

Ready for the deep dive?

Begin Week 1 and commit to 90 days of structured English mastery.
