"Learn GRC the way real analysts do: by finding what's broken."
VulnGRC is an intentionally misconfigured, non-compliant, and poorly governed fictional company created purely for educational purposes.
NexaCorp, its documents, personnel, vendors, and data are entirely fictional. Do not use these artifacts in real-world GRC programs.
VulnGRC is the GRC equivalent of a deliberately vulnerable application: a complete, realistic, broken GRC program for a fictional fintech company called NexaCorp.
Where tools like VulnBank help security engineers practice finding technical vulnerabilities, VulnGRC helps:
- Students breaking into GRC careers
- GRC analysts sharpening their audit and risk skills
- Security engineers learning the compliance and governance side
- Security teams running internal training
- Tooling vendors benchmarking GRC automation platforms
Everything here is broken on purpose. Policies are missing clauses. Risk scores are wrong. Vendors are unassessed. Audit findings have no remediation. Your job is to find it all.
| Attribute | Detail |
|---|---|
| Industry | Fintech SaaS |
| Size | ~300 employees, offices in London, Lagos, Austin |
| Customers | Banks, insurance companies, healthcare orgs |
| Data Types | Financial data, PII, health-adjacent data |
| Cloud | AWS (multi-account), some on-prem legacy |
| Regulatory Surface | SOC 2, ISO 27001, PCI-DSS, GDPR, HIPAA-adjacent |
| GRC Maturity | Level 1 (Initial / Ad Hoc): everything is a mess |
NexaCorp recently hired you as their new GRC Analyst. Your predecessor left abruptly. No handover. You've been handed a folder of documents and told to "sort it out."
```
vulngrc/
├── README.md              # You are here
├── CONTRIBUTING.md        # How to add challenges
├── LICENSE
│
├── nexacorp/              # NexaCorp's broken GRC artifacts
│   ├── policies/          # Policies with planted gaps
│   ├── risk/              # Risk register, appetite statement
│   ├── audits/            # Audit reports with findings
│   ├── vendors/           # Vendor register + assessments
│   ├── assets/            # Asset inventory + data flows
│   ├── incidents/         # Incident log + breach notification
│   ├── training/          # Security awareness records
│   └── board/             # Board reports + CISO updates
│
├── challenges/            # Structured learning challenges
│   ├── beginner/          # Foundation skills (Levels 1-5)
│   ├── intermediate/      # Applied skills (Levels 6-10)
│   └── advanced/          # Expert scenarios (Levels 11-14)
│
├── ctf/                   # GRC Capture The Flag
│   ├── challenges/        # CTF challenge briefs
│   └── solutions/         # Spoiler-gated answers (encrypted)
│
├── frameworks/            # Quick reference cheat sheets
│   ├── iso27001-annex-a.md
│   ├── nist-csf-2.0.md
│   ├── soc2-trust-services.md
│   ├── pci-dss-v4.md
│   └── gdpr-key-articles.md
│
└── scripts/
    └── ctf-verify.sh      # CTF flag verification script
```
No installation needed. Clone the repo and start reading:
```bash
git clone https://github.com/YOUR_USERNAME/vulngrc.git
cd vulngrc
```

Open nexacorp/ and start exploring. Try to find gaps before looking at challenges.
Go to challenges/beginner/ and work through them in order. Each challenge tells you exactly which NexaCorp artifact to examine.
Head to ctf/challenges/ and compete. Each CTF challenge has a hidden flag (FLAG{...}) buried in the evidence. Find it.
For students and career changers entering GRC
- CH-01: Policy Gap Analysis
- CH-02: Risk Register Review
- CH-03: Asset Classification
- CH-04: Vendor Tiering
- CH-05: Incident Documentation Review
For analysts working toward certifications (CISA, CRISC, ISO LA)
- CH-06: SOC 2 Gap Assessment
- CH-07: ISO 27001 Annex A Mapping
- CH-08: GDPR Breach Notification
- CH-09: PCI-DSS Scoping
- CH-10: NIST CSF Maturity Scoring
For senior analysts, auditors, and aspiring CISOs
- CH-11: Full Internal Audit
- CH-12: Integrated Control Framework
- CH-13: Board Risk Reporting
- CH-14: Business Continuity Planning
GRC CTFs work differently from traditional security CTFs. Instead of exploiting systems, you're exploiting governance failures to find hidden information.
| ID | Challenge | Skill | Difficulty |
|---|---|---|---|
| CTF-01 | The Missing Controller | Access Control | Easy |
| CTF-02 | Vendor in the Dark | Third-Party Risk | Easy |
| CTF-03 | The Unsigned Policy | Policy Governance | Medium |
| CTF-04 | Risk Appetite Paradox | Risk Management | Medium |
| CTF-05 | The 72-Hour Clock | GDPR Compliance | Medium |
| CTF-06 | SOC 2 Ghost Control | Audit | Hard |
| CTF-07 | The Phantom Asset | Asset Management | Hard |
| CTF-08 | Board Report Manipulation | Executive Reporting | Hard |
| CTF-09 | The Insider Exception | Access Reviews | Hard |
| CTF-10 | PCI Scope Creep | PCI-DSS | Expert |
| CTF-11 | The Framework Collision | Control Mapping | Expert |
| CTF-12 | NexaCorp CISO for a Day | Full Program Review | Expert |
| Framework | Coverage |
|---|---|
| ISO 27001:2022 | All Annex A controls, clause requirements |
| NIST CSF 2.0 | All 6 functions, categories, subcategories |
| SOC 2 (2017) | All 5 Trust Service Categories |
| PCI-DSS v4.0 | All 12 requirements |
| GDPR | Key articles: 5, 17, 25, 32, 33, 34, 35 |
| HIPAA | Security Rule, Privacy Rule basics |
Each CTF challenge contains a hidden flag in the format:
```
FLAG{keyword_or_phrase_in_snake_case}
```

Flags are hidden inside NexaCorp's documents: in policy version numbers, risk register entries, vendor names, incident IDs, or control references. You have to read carefully.

Verify your flag:

```bash
./scripts/ctf-verify.sh CTF-01 "FLAG{your_answer_here}"
```

Each challenge has a maximum score. Grade yourself honestly.
| Score | Meaning |
|---|---|
| 0% | Couldn't identify any gaps |
| 25% | Found obvious surface-level issues |
| 50% | Found most critical gaps |
| 75% | Found all critical + some nuanced issues |
| 100% | Found everything + suggested remediation |
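The flag verification command above checks a submission against answers the repository keeps spoiler-gated. As an added example (not VulnGRC's own scripts/ctf-verify.sh), the script below shows one way such a checker can be built so that no plaintext flag ever sits in the repo: the maintainer commits only SHA-256 digests, the player's submission is hashed and compared, and the documented `FLAG{snake_case}` format is enforced before any lookup. The challenge IDs are the page's; the two sample flags are constructed placeholders, not real VulnGRC flags.

```shell
#!/bin/sh
# Added example, not the VulnGRC repository's own scripts/ctf-verify.sh.
# Stores only SHA-256 digests of flags so the answer table can be committed
# without spoiling a challenge. Sample flags below are constructed placeholders.

# Print the SHA-256 hex digest of the argument (the string itself, no newline).
hash_flag() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Flags must follow the documented format FLAG{keyword_or_phrase_in_snake_case}.
# Returns 0 when the string is well-formed, 1 otherwise.
valid_flag_format() {
    printf '%s\n' "$1" | grep -Eq '^FLAG\{[a-z0-9_]+\}$'
}

# Maintainer side: emit one "<challenge-id> <digest>" line for the answer table.
register_flag() {
    printf '%s %s\n' "$1" "$(hash_flag "$2")"
}

# Constructed digest table. The placeholder plaintexts are hashed here only so
# the example is self-contained; a real table would contain the digests alone.
FLAG_TABLE=$(
    register_flag CTF-01 'FLAG{example_placeholder_one}'
    register_flag CTF-02 'FLAG{example_placeholder_two}'
)

# Player side: verify_flag <challenge-id> <submitted flag>
# Prints a verdict and returns 0 on a correct flag, 1 otherwise.
verify_flag() {
    id=$1
    submitted=$2
    if ! valid_flag_format "$submitted"; then
        echo "malformed: flags look like FLAG{snake_case_text}"
        return 1
    fi
    expected=$(printf '%s\n' "$FLAG_TABLE" | awk -v id="$id" '$1 == id { print $2 }')
    if [ -z "$expected" ]; then
        echo "unknown challenge: $id"
        return 1
    fi
    if [ "$(hash_flag "$submitted")" = "$expected" ]; then
        echo "correct: $id solved"
        return 0
    fi
    echo "incorrect flag for $id"
    return 1
}

# Usage: ./ctf-verify-example.sh CTF-01 'FLAG{your_answer_here}'
if [ "$#" -eq 2 ]; then
    verify_flag "$1" "$2"
fi
```

Because only digests are stored, a learner who opens the table learns nothing about the answers, which is the property a spoiler-gated solutions directory needs; the format check also gives immediate feedback on a typo (wrong case, spaces) without consuming a lookup.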
Found a bug in NexaCorp's GRC program? Want to add a challenge? See CONTRIBUTING.md.
We especially welcome:
- New CTF challenges
- Translations (the GRC world is global)
- Scenario additions for new frameworks (DORA, CCPA, NIS2)
- Tooling integrations (GRC platforms, SIEM, ticketing)
Inspired by the VulnBank project by Al Amir Badmus (@commando_skiipz), which is proof that one person building something real can change how thousands of people learn.
"The best way to learn GRC is to inherit a broken program and fix it."