A self-directed cybersecurity training platform with progress tracking, study timer, notes, guest mode, and optional synced accounts through a self-hosted backend.
Live Demo - try it now, no account needed.
MDP Studio project page: CyberRoadmap / C3
Google OAuth, email/password, or skip straight to guest mode. Guest progress saves to your browser automatically.
Track 49 tasks across 6 phases. Stats update in real time: progress percentage, tasks completed, planned hours, and logged study time. The dashboard also includes a lightweight simulation-risk panel for logging tabletop or lab drill outcomes without sending phishing campaigns. It now includes an assessment-drill panel with ATT&CK/NIST-mapped rubrics, per-drill attempt history, evidence-quality bands, and first-to-latest outcome deltas so hands-on improvement can be measured without storing raw lab evidence.
Expand any phase to see modules and tasks. Check off completed work, open external lab links, and attach notes.
Start, pause, and stop a timer with session labels. Completed sessions log to your training history with daily breakdowns, cumulative hours, and streak tracking.
Daily breakdown of study sessions with dates, labels, durations, and streak counter.
Visit the live demo. Guest mode works instantly with localStorage persistence.
cp .env.example .env
npm install
npm run devIf VITE_C3_API_URL is empty, the app runs in guest-only mode. Signed-in sync uses the self-hosted API and Postgres stack documented in docs/self-hosted-backend.md.
Frontend: the production frontend currently runs as a Coolify static nginx container; the previous Netlify site is a rollback path. Build with VITE_C3_API_URL=https://c3-api.mdpstudio.com.au only after the remote API passes health, migration, backup, and smoke tests.
The current public frontend is served by the emergency Coolify static container described in the shared MDP deployment runbook. deploy/nginx.coolify.conf is the canonical nginx configuration for that path and mirrors the repository's CSP and security headers. Its HTML cache policy includes no-transform so an edge proxy cannot inject scripts outside the reviewed CSP. Do not replace it with a generic static-site config.
Search readiness: public/robots.txt and public/sitemap.xml publish the canonical https://c3.mdpstudio.com.au URLs for the dashboard, privacy, terms, and security pages.
Public growth pages live at /roadmap and /soc-checklist so the project can rank for student and junior analyst learning searches, not only branded app queries.
Backend: run docker-compose.remote.yml on the remote PC. It starts the Fastify API, a private Postgres container, and a scheduled backup container. Postgres must stay off the public internet.
Frontend Docker preview:
docker build --build-arg VITE_C3_API_URL=https://c3-api.mdpstudio.com.au -t cyber-command .
docker run -p 3000:3000 cyber-command- Zero-friction guest mode - works without any backend; progress is saved to localStorage.
- Google OAuth + email auth - sign up, log in, and reset password through the self-hosted API.
- Optional authenticator MFA - email/password accounts can require a 6-digit code at login and for high-risk account deletion.
- 6-phase curriculum - structured cybersecurity training across foundations, SOC, offense, forensics, governance, and certification prep.
- Real-time progress tracking - synced across devices for signed-in users, local-only for guests.
- Study timer - start, pause, and stop with labeled session logging.
- Training log - daily breakdown, streak counter, and cumulative hours.
- Simulation-risk tracking - log phishing, social-engineering, credential-hygiene, and incident-response drill outcomes with a compact risk trend.
- Assessment drills - score ATT&CK/NIST-mapped hands-on exercises, including phishing-alert investigation, and review attempts, rubric dimensions, evidence-quality bands, and first-to-latest improvement as compact metadata.
- Per-task notes - keep commands, flags, findings, and reminders inline.
- Server-side access control - each API request is scoped to the signed-in user.
- Account security and privacy controls - enable MFA, export data, or delete the account from the dashboard.
- Frontend: React 18, Vite, custom dark terminal aesthetic.
- Backend: Fastify API, PostgreSQL, secure cookies, CSRF checks, Google OAuth, password reset, optional TOTP MFA, CSP reporting.
- Deployment: Coolify/nginx frontend, remote Docker backend, and Cloudflare routing; the former Netlify frontend remains a rollback path.
React Frontend (Vite)
- Dashboard
- Study timer
- Auth and guest mode
If VITE_C3_API_URL is set:
Browser -> self-hosted API -> private PostgreSQL
If VITE_C3_API_URL is empty:
Browser -> localStorage guest modeSecurity posture is documented in SECURITY.md and on the live Security Policy page. The current model is intentionally small: guest data stays in browser storage, signed-in account data is scoped by the backend API, email/password accounts can opt in to authenticator MFA, and task notes, simulation-event labels, or assessment-drill metadata should not be used for secrets, client data, payment details, or incident evidence. Assessment outcome reporting is descriptive training evidence, not a certification or hiring prediction.
Production headers are defined for Netlify in netlify.toml, for the standard Docker image in nginx.conf, and for the current Coolify static container in deploy/nginx.coolify.conf:
X-Frame-Options: DENYX-Content-Type-Options: nosniffReferrer-Policy: strict-origin-when-cross-originPermissions-Policy: camera=(), microphone=(), geolocation=()Content-Security-Policylimited to the app, Google Fonts, andhttps://c3-api.mdpstudio.com.auCache-Control: public, no-cache, no-transformfor HTML to prevent edge script injection
Security reports: email meidie@mdpstudio.com.au with the subject Security report: Cyber Command Center. See SECURITY.md for scope, data lifecycle, known gaps, and incident reporting details.




