Safeguard
Product

Introducing Safeguard Academy: Free Courses and Certifications for Supply Chain Security

We're launching Safeguard Academy — a free learning platform at academy.safeguard.sh with curated courses, an AI tutor in every course, course communities, live sessions, and publicly verifiable certifications. The first credential is the Safeguard Certified Practitioner.

Safeguard Team
Product & Engineering
5 min read

Today we're launching Safeguard Academy — a free, public learning platform at academy.safeguard.sh where anyone can take curated courses on software supply chain security, pass a certification exam, and walk away with a certificate that anyone in the world can verify with one click.

Free means free. No trial, no paywall in front of the exam, no "premium certificate" tier. Individuals learn and certify at no cost, forever.

Why we built it

We spend our days building the platform that finds and fixes supply chain vulnerabilities. But tooling is only half the problem. The other half is people: every team we work with is trying to hire or grow practitioners who can read an SBOM, reason about reachability, record a not_affected decision as VEX and defend it, and run a compliance program that doesn't collapse under its own evidence.

That knowledge exists — in advisories, in standards documents, in our own docs, in the heads of senior engineers. What didn't exist was a structured, honest, free path from "I keep hearing about supply chain attacks" to "I can run this workflow end to end." So we built one.

What you can learn

The Academy launches with our flagship course and credential: the Safeguard Certified Practitioner. It's a beginner-friendly course in three modules that ends at working fluency:

  1. Software supply chain security fundamentals — what the supply chain actually is, the attack classes that target it (from typosquatting and dependency confusion to build-pipeline compromise), and how CVSS, EPSS, and CISA KEV measure different things — severity, likelihood, and evidence.
  2. Scanning and the findings workflow — how code becomes findings across the scan engines (SCA, SAST, DAST, secrets, IaC, container), and the triage loop that matters: prioritize by evidence, record decisions as VEX, fix or accept with an expiry, enforce with policy gates.
  3. Compliance, SBOM, and the ecosystem — generating and comparing SBOMs in CycloneDX and SPDX, running compliance with shared evidence and cross-framework controls, publishing a Trust Center, and the free tooling around the platform: Gold, the CLI, and the MCP server.

Lessons mix video, text, and audio blocks, with progress tracked per block. And every course has an AI tutor — a chat that knows the course material, available whenever you're stuck at 2 a.m. and a human isn't.

You're not learning alone

Every course carries its own community. Raise a doubt on a specific lesson and the AI tutor posts a first answer (clearly labeled as AI); human tutors and fellow learners pick it up from there, and you mark the answer that resolved it. Open discussions run alongside — the people taking the course with you are part of the course.

It goes live, too. Tutors schedule course-scoped live sessions over Google Meet — office hours, doubt-clearing calls, exam prep — and Academy-wide meetups stream on YouTube Live with a live Q&A thread, then persist as a recording archive. RSVP to anything and it lands on your learner calendar next to your own study tasks, exam cooldowns, and certificate expiry dates — exportable to Google Calendar or any iCal client.

The certification story

Certificates are only worth what their verification is worth. We designed the Academy's certification pipeline around that:

  • Exams are timed and drawn from pools. The Practitioner exam serves 30 questions from a larger bank — 45 minutes, 70% to pass, and a cooldown before retakes. No two attempts look quite the same.
  • Grading is honest about how it works. Multiple-choice grades instantly. Subjective answers are graded by AI against a rubric — with the rationale stored, and human review in the loop. And for certifications that warrant it, the exam itself can be an AI-conducted interview: an adaptive, oral-style exam held in chat.
  • Every certificate is a public URL. Each credential lives at academy.safeguard.sh/cert/ with its own ID — a page anyone can open to see the holder, the certification, and live verification status. Share the link, post it to LinkedIn, X, or Reddit straight from the certificate page, download the branded PDF, or let someone scan the QR code on it. If a certificate expires or is revoked, the page says so — that's what makes the green state mean something.

The Safeguard Certified Practitioner credential is valid for two years, and verifying one takes exactly one click. No transcripts requested by fax.

Built like the rest of the platform

The Academy is a Safeguard surface, and it behaves like one: light and dark mode, English and Hindi, mobile-friendly, and keyboard-first — Cmd/Ctrl+K opens a command bar that jumps to any course, lesson, or your certificates. You sign in with the same Safeguard account you use everywhere else, and an Academy feed keeps you current on new certificates earned, new threads, and upcoming meetups.

Start here

Safeguard Academy is rolling out now at academy.safeguard.sh. Browse the catalog without an account, enroll with a free Safeguard account, and take the Safeguard Certified Practitioner course as our opening credential — with more courses and certifications to follow.

If you've ever wanted a rigorous, free way into software supply chain security — this is it. See you in the course community.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.