Foundations to industry — across 11 sectors

Build Real GRC Skills
Not Just Theory


Most GRC training teaches frameworks. This platform teaches execution. Practice real-world workflows across risk, compliance, audit, privacy, AI governance, cloud, OT/ICS, and high-demand industries — then turn your work into portfolio-ready evidence that proves you can do the job, not just talk about it.

Framework controls
Cross-mapped across NIST, ISO, SOC 2, PCI, HIPAA, GDPR, and 11 more
Decision scenarios
Real incident reconstructions with practitioner-written explanations
Guided missions
Each one ships a real artifact graded against a written rubric
Portfolio capstones
Interview-grade deliverables built across the live lab
Live Platform Preview

A real GRC workspace.
Built for the way working analysts move.

Risk registers, control crosswalks, audit evidence, findings, exceptions, BIA, BCM, AI command — every workspace you'd touch on the job, mapped to source frameworks and reviewed by a practitioner. The lab follows you across both courses.

grcmadesimple.io/lab
WORKSPACE: Acme Corp GRC
QUICK STATS
Open Risks: 24
Controls: 156
Findings: 8

Risk Register

24 active risks across 6 categories

Critical: 3
High: 8
Medium: 13
ID | Risk | Severity | L × I | Trend
RSK-001 | Cloud misconfiguration exposure | Critical | 4 × 5 = 20 |
RSK-002 | Third-party vendor data breach | High | 3 × 4 = 12 |
RSK-003 | Privileged access abuse | High | 3 × 4 = 12 |
RSK-004 | Encryption key management gap | Medium | 2 × 3 = 6 |
RISK MATRIX
Risk Register
Live entries, severity scoring, treatment plans, and a 5×5 matrix that updates in real time.
Control Crosswalk
1,529 controls mapped across NIST, ISO, SOC 2, PCI, HIPAA, GDPR, and 11 more — at the level a regulator expects.
Audit & Evidence
Evidence packs scored against rubrics. Findings tracked end to end. Audit simulation against fictional auditors.
AI Command Center
Crosswalk frameworks, generate scenarios, draft policies, analyze gaps — every command grounded in your live lab state.
Career breadth

Most platforms stop at IT GRC.
This one keeps going.

Foundations get you in the door. Industry depth gets you the offer. The lab covers eleven sectors at the level a regulator, auditor, or hiring panel would actually expect.

3.6K
Active Users
Building in the live lab
122K
Events
Real actions this year
63K
Views
Across all content
8m 47s
Avg. Session
Focused learning time

Frameworks mapped across both courses

NIST 800-53 Rev 5, ISO 27001:2022, SOC 2 TSC, NIST CSF 2.0, PCI DSS 4.0, HIPAA, HITRUST CSF, SOX ITGC, FedRAMP, CMMC 2.0, GDPR, CCPA / CPRA, IEC 62443, NERC CIP, ISO 42001, EU AI Act, ISO 27701, CIS v8
What you'll build

The kind of work
that gets you hired.

Theory teaches the words. The lab teaches the work. Inside, every step ends in a real artifact — a risk register with thirty live entries, a control crosswalk across four frameworks, an evidence pack assembled the way a real auditor would expect to see it, a finding write-up that drives actual remediation.

By the time you reach the capstone, you don't just know the language. You can defend a complete program under audit pressure, leadership scrutiny, and remediation timelines. That's the moment hiring managers stop asking what you've studied and start asking when you can start.

Source-mapped framework depth

1,529 controls cross-referenced to NIST 800-53, ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR, IEC 62443, and 11 more — at the level a regulator would expect.

Decisions before deliverables

220 scenarios put you inside real incidents. You make the call, defend the call, and learn how senior practitioners actually reason under pressure.

Capstones graded against rubrics

24 portfolio capstones simulate the questions an auditor, CRO, or hiring panel would actually ask. The bar is your outcome — not your time on platform.

How It Works

Three steps. One method.
End-to-end practitioner depth.

Build the operating core. Carry it into industry pressure. Keep your edge sharp with rolling practice. Every step ships an artifact you can defend in front of an auditor, a hiring manager, or a CRO.

01

Build the operating core

Start with IT GRC Practitioner. Learn the language working analysts use. Make the first risk calls. Map controls. Review evidence. Brief leadership without sounding like a textbook.

Course 01 · 12–16 weeks
02

Pick your industry

Move into Course 02 once the core is solid. Eleven sector overlays — Healthcare, Financial Services, AI Governance, OT/ICS, Government, Privacy, Energy, Telecom, Automotive, ESG, GRC Engineering. Each ends in its own capstone.

Course 02 · 11 industry overlays
03

Keep your edge sharp

Membership doesn't end at completion. Weekly drills, monthly cases, and rotating capstones produce new judgment — so the next interview, audit, or board update finds you ready.

Weekly + monthly recurring practice
Who This Is For

Three starting points.
One serious system.

The courses stay the same. What changes is where you start, how much proof you already have, and which pressure you need to train for next.

Career switcher or new learner

University student, recent graduate, or non-technical professional entering GRC for the first serious time. Walk in unsure. Walk out building the artifacts working analysts actually ship.

Risk language that sounds practitioner
Control basics tied to source frameworks
Evidence review with real artifacts
First portfolio pieces you can defend
Salary Range
$60K – $95K
Learning Path
Start with Course 01
Timeline
3–6 months
Outcome
Your first GRC role — held under interview pressure

Junior analyst or IT auditor

Already in the seat but running on checklists. Step up to operating depth, sharper artifacts, and proof that holds up when a senior auditor or CRO challenges your reasoning.

Crosswalk logic across 17 frameworks
Evidence judgment, not just collection
Findings flow that drives remediation
Briefings that don't get sent back
Salary Range
$80K – $120K
Learning Path
Finish Course 01, then add Course 02
Timeline
2–4 months
Outcome
Senior analyst trajectory with a portfolio hiring panels remember

Practitioner picking an industry

You have the basics. Now you need vertical depth in Healthcare, Financial Services, Privacy, AI, OT, Government, or one of five more — at the level a regulator or auditor would expect.

Sector frameworks at source-document depth
Stakeholder defense under regulator pressure
Capstone work hiring teams ask about by name
Portfolio credibility for specialist and lead roles
Salary Range
$120K – $200K+
Learning Path
Use Course 02 + recurring drills
Timeline
3–6 months
Outcome
Industry specialist or lead role in a regulated environment
Inside the lab

A complete GRC operating surface.
Built once. Used across both courses.

Eight workspace surfaces. Every framework, every artifact, every decision-making moment a working analyst would touch on the job — connected end-to-end and tied to source documents.

01
Risk Management
Risk register, 5x5 matrix, KRIs, risk appetite, treatments, cloud risk overlays — all linked to controls and findings.
02
Control Catalog & Crosswalk
1,529 controls across 17 frameworks, with a crosswalk engine that maps NIST → ISO → SOC 2 → PCI in real time.
03
Evidence & Findings
Evidence packs with audit-grade scoring, finding write-ups, remediation tracking, and audit simulation against fictional auditors.
04
Governance & Policy
Policy library, requirements traceability, compliance calendar, exceptions register — the operating layer leadership actually reviews.
05
Assets & Vendor Risk
Asset inventory, vendor management, third-party risk assessments tied to contracts, SLAs, and risk appetite.
06
Resilience
Business impact analysis, BCM/DR planning, incident workspace — built around real recovery objectives, not generic templates.
07
Practice & Career
220 decision scenarios, 115 guided missions, 200+ interview questions, portfolio surface, dedicated capstone runner.
08
Reference & AI Command
Framework explorer, glossary, executive reports, and an AI command center grounded in your live lab state.
Courses

Two flagship courses.
One connected lab.

Course 01 builds the operating core. Course 02 carries that method into regulated sectors where evidence and pressure change.

Eleven industry tracks

Pick the industry where
your career actually pays.

The hiring market doesn't pay for generic GRC. It pays for sector specialists. Course 02 takes the same operating method into eleven regulated industries — each with its own frameworks, evidence patterns, regulators, and dedicated capstone.

What Learners Say
"I came in with a finance degree and zero GRC experience. Six months later I'd built a full HIPAA risk register, a Privacy Rule analysis, and a breach notification playbook inside the lab. I walked into the interview with the work already done. Got the offer."

Sarah K.
Career Switcher → Healthcare GRC Analyst

"Switched from IT operations to GRC in four months. The crosswalk engine alone was worth the price. When my interviewer asked how NIST 800-53 AC-2 maps to ISO 27001 A.5.16, I had already done it forty times in the lab."

Marcus T.
IT Ops → GRC Career Switch

"The SOX ITGC capstone gave me something I could actually defend in a Big Four interview. PCI DSS 4.0 overlay caught me up on the customized approach changes nobody else explains. Three months later — promoted."

Priya R.
Junior Auditor → Financial Services Specialist

"OT/ICS depth at this level is rare. IEC 62443 zones, NERC CIP scoping, segmentation tradeoffs — all built into actual workspace decisions. I went from a security engineer who 'knew compliance' to leading the OT GRC program."

James L.
Security Engineer → OT/ICS GRC Lead
Pricing

Start free. Pay when it clicks.
Cheaper than a single GRC certification course.

One subscription unlocks both flagship courses, every project, every capstone, and a recurring lab layer with new drills, cases, and rotations every month.
Annual billing saves you $120 a year.

Starter

Open the lab. Run the practitioner starter arc. See how the work changes the way you think before paying anything.

$0 forever
Practitioner starter arc
Core framework references
Selected guided missions
One mini project
Real feel for the live lab
MOST POPULAR

Pro

Full access to both flagship courses, every project, every capstone, eleven industry overlays, and the recurring practice that keeps your edge sharp after completion.

$29/mo
Full IT GRC Practitioner course
Full Industry Specialized GRC Analyst — all 11 overlays
Theory, video, knowledge check, guided mission flow
Every project and every capstone across both courses
Weekly drills, monthly cases, capstone rotations
Lab-linked artifacts and exports
Annual saves you $120 vs. monthly

Team

Run the same paths with manager visibility. Built for security, audit, and risk teams onboarding new analysts and refreshing senior practitioners.

$29/user/mo
Everything in Pro
Team progress dashboards
Manager reviews and cohort visibility
Shared pathways and private cohorts
Priority support
Annual contracts available

Enterprise

Private learning environments for large GRC programs and university partnerships.

Custom
Everything in Team
SSO / SAML
Custom frameworks and policies
Private learning paths
Dedicated onboarding and CSM
White-label options

Theory ends here.
Your portfolio begins.

The free tier is real work — not a demo. Open the lab, run the practitioner starter arc, and decide for yourself whether this is the depth you were looking for.

When it clicks, the rest of the platform is one decision away.
