Zoriah Cocio · Tucson, AZ · MMXXVI
Volume 03 · Security · 2026

FrontGuard

Frontend security taught the way a museum teaches — let people touch the exhibit first, then read the plaque.

Role
Design & build
Year
2026
Stack
Next · TS · Redis

Security tools usually open with a warning. FrontGuard opens with a button that says "try the attack".

Most frontend security education is text. A blog post explains XSS. A doc page explains CSP. An engineer reads it, nods, and forgets it by lunch — because the threat never did anything in front of them. FrontGuard is built on the opposite premise: the lesson sticks when the exploit fires, the alert lights up, and the dashboard records it as if it were a real incident.

The product is two things wearing one coat. The first is an interactive playground — a series of small vulnerable surfaces (a comment box that doesn't sanitize, an iframe that trusts its parent, a postMessage handler that accepts anything) where you, the visitor, run the attack yourself. The second is a real telemetry pipeline behind those exhibits. Every attack you fire produces a typed security event, ingested through a scoped API, stored in Redis, and surfaced in a triage dashboard that looks and behaves like the one a real security team would run on Monday morning.
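As an added illustration (not FrontGuard's own code), here is the postMessage exhibit in miniature: the handler that accepts anything, beside a hardened one that checks the sender's origin and the payload's shape and reports both outcomes through a typed event envelope, the way the text says every exhibit does. The envelope fields, the trusted origin, the `SetCommand` shape and the function names are assumptions; the project's real schema is not on this page, and the three messages are constructed.

```typescript
// Added example, not FrontGuard's own code. Shapes and names below are assumptions.

// Minimal stand-in for the browser's MessageEvent so the example runs outside a page.
interface IncomingMessage {
  origin: string;
  data: unknown;
}

// The one command the exhibit's iframe is meant to receive (assumed).
interface SetCommand {
  type: "set";
  key: string;
  value: string;
}

// Typed envelope shared by the playground and the dashboard (assumed fields).
interface SecurityEvent {
  kind: "postmessage.rejected" | "postmessage.accepted";
  source: string;   // which exhibit or agent emitted it
  origin: string;   // origin of the message sender
  reason?: string;  // why it was rejected, when it was
  at: number;       // epoch milliseconds
}

// Exhibit side: the handler that accepts anything. No origin check, no shape
// check; whatever any frame posts becomes state.
function permissiveHandler(ev: IncomingMessage, state: Record<string, string>): void {
  const msg = ev.data as SetCommand;
  state[msg.key] = msg.value;
}

// Hardened side: only a known origin, only a well-formed command, and every
// decision is reported through the envelope so the back office sees it.
const TRUSTED_ORIGINS = new Set<string>(["https://frontguard.example"]); // assumed origin

function isSetCommand(data: unknown): data is SetCommand {
  if (typeof data !== "object" || data === null) return false;
  const d = data as Record<string, unknown>;
  const key = d["key"];
  return d["type"] === "set"
    && typeof key === "string" && /^[a-z][a-z0-9_]{0,31}$/.test(key)
    && typeof d["value"] === "string";
}

function hardenedHandler(
  ev: IncomingMessage,
  state: Record<string, string>,
  emit: (e: SecurityEvent) => void,
  now: number,
): boolean {
  const base = { source: "exhibit.postmessage", origin: ev.origin, at: now };
  if (!TRUSTED_ORIGINS.has(ev.origin)) {
    emit({ ...base, kind: "postmessage.rejected", reason: "untrusted origin" });
    return false;
  }
  if (!isSetCommand(ev.data)) {
    emit({ ...base, kind: "postmessage.rejected", reason: "malformed payload" });
    return false;
  }
  state[ev.data.key] = ev.data.value;
  emit({ ...base, kind: "postmessage.accepted" });
  return true;
}

// Three constructed messages: an untrusted origin, a malformed key, a legitimate command.
function runExhibit(): { permissive: Record<string, string>; hardened: Record<string, string>; events: SecurityEvent[] } {
  const messages: IncomingMessage[] = [
    { origin: "https://attacker.example", data: { type: "set", key: "theme", value: "dark" } },
    { origin: "https://frontguard.example", data: { type: "set", key: "theme color", value: "red" } },
    { origin: "https://frontguard.example", data: { type: "set", key: "theme", value: "light" } },
  ];
  const permissive: Record<string, string> = {};
  const hardened: Record<string, string> = {};
  const events: SecurityEvent[] = [];
  messages.forEach((m, i) => {
    permissiveHandler(m, permissive);
    hardenedHandler(m, hardened, (e) => events.push(e), 1_700_000_000_000 + i * 1000);
  });
  return { permissive, hardened, events };
}

console.log(runExhibit());
```

Running it shows the two halves side by side: the permissive state ends up holding both the attacker's write and the malformed key, the hardened state holds only the legitimate value, and the event list carries one rejection per bad message plus one acceptance, ready to be ingested exactly as a production event would be.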

The two halves talk to each other on purpose. You leave knowing not just what the vulnerability is, but what it looks like on the receiving end. The dashboard isn't a demo of dashboards. It's the back office of the museum you just walked through.

The lesson sticks when the exploit fires in front of you — not when someone tells you it could.

Evidence — three details that earned their place
i.

The exhibit and the back office share a schema

Every interactive demo emits the same typed event envelope the agent emits in production. The playground isn't a fake — it's the same pipeline, run from a different door.

ii.

Project scoping is a first-class object

Each visitor's session is its own project with its own API key and its own RBAC. Nothing leaks across visitors. The thing that makes it usable as a teaching tool is the same thing that would make it usable as a real product.

iii.

Alerts have a budget, not a volume

The triage dashboard groups, dedupes, and rate-limits before it ever surfaces a notification. Security tools that cry wolf get muted by the third Tuesday. This one was built to be readable on the tenth.
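As an added illustration (not the dashboard's own code), the group, dedupe and budget steps run over constructed events: a burst of forty identical XSS events folds into a single notification, the same fingerprint five minutes later opens a fresh one, and a visitor who trips five different alerts in ten minutes gets three pushed through before the per-project budget holds the rest. The event shape, the fingerprint fields (project, kind, origin), the window sizes and the function names are assumptions.

```typescript
// Added example, not the dashboard's own code. Event shape, fingerprint fields
// and window sizes are assumptions.

interface SecurityEvent {
  kind: string;     // e.g. "xss.fired", "postmessage.rejected"
  project: string;  // the visitor's scoped project
  origin: string;   // who triggered it
  at: number;       // epoch milliseconds
}

interface Notification {
  project: string;
  kind: string;
  origin: string;
  count: number;    // events folded into this one notification
  firstAt: number;
  lastAt: number;
}

interface TriageOptions {
  dedupeWindowMs: number;   // identical events inside this window fold into one group
  budgetPerProject: number; // notifications a project may receive per budget window
  budgetWindowMs: number;
}

interface TriageResult { notifications: Notification[]; suppressed: number }

function triage(events: SecurityEvent[], opts: TriageOptions): TriageResult {
  const sorted = [...events].sort((a, b) => a.at - b.at);

  // 1. Group and dedupe: one open group per fingerprint (project + kind + origin).
  const open = new Map<string, Notification>();
  const candidates: Notification[] = [];
  for (const e of sorted) {
    const fp = `${e.project}|${e.kind}|${e.origin}`;
    const g = open.get(fp);
    if (g !== undefined && e.at - g.firstAt <= opts.dedupeWindowMs) {
      g.count += 1;
      g.lastAt = e.at;
      continue;
    }
    if (g !== undefined) candidates.push(g); // window elapsed: close the old group
    open.set(fp, { project: e.project, kind: e.kind, origin: e.origin, count: 1, firstAt: e.at, lastAt: e.at });
  }
  open.forEach((g) => candidates.push(g));
  candidates.sort((a, b) => a.firstAt - b.firstAt);

  // 2. Budget: a sliding window of notifications already sent per project.
  const sentAt = new Map<string, number[]>();
  const notifications: Notification[] = [];
  let suppressed = 0;
  for (const c of candidates) {
    const recent = (sentAt.get(c.project) ?? []).filter((t) => c.firstAt - t < opts.budgetWindowMs);
    if (recent.length >= opts.budgetPerProject) {
      suppressed += 1;          // over budget: still stored and grouped, just not pushed
    } else {
      recent.push(c.firstAt);
      notifications.push(c);
    }
    sentAt.set(c.project, recent);
  }
  return { notifications, suppressed };
}

// Constructed events: a burst, a repeat after the window, and a noisy visitor.
function sampleEvents(): SecurityEvent[] {
  const t0 = 1_700_000_000_000;
  const events: SecurityEvent[] = [];
  for (let i = 0; i < 40; i++) {
    events.push({ kind: "xss.fired", project: "visitor-a", origin: "https://attacker.example", at: t0 + i * 500 });
  }
  events.push({ kind: "xss.fired", project: "visitor-a", origin: "https://attacker.example", at: t0 + 5 * 60_000 });
  const kinds = ["csp.violation", "postmessage.rejected", "clickjack.framed", "xss.fired", "cors.misuse"];
  kinds.forEach((k, i) => {
    events.push({ kind: k, project: "visitor-b", origin: "https://attacker.example", at: t0 + 1000 + i * 120_000 });
  });
  return events;
}

function demo(): TriageResult {
  return triage(sampleEvents(), { dedupeWindowMs: 60_000, budgetPerProject: 3, budgetWindowMs: 3_600_000 });
}

console.log(demo());
```

The budget is applied after grouping, not before, so a burst never eats the budget: forty events cost one notification, and the count on that notification is what tells the triager how loud the exhibit was. Suppressed candidates are counted rather than dropped, which is what lets the dashboard stay readable without losing the record.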