Setting Yourself Up for Success

This bootcamp is ~50 hours of material. That is a lot. People who finish share three habits: they set a schedule, they take notes in their own words, and they do the exercises even when they think they already know the answer.

How the Platform Works

Phases, Modules, and Lessons

The bootcamp is organized into 14 phases. Each phase covers a domain: identity, endpoints, data protection, compliance automation, and so on. Phases contain modules (groups of related lessons), and modules contain lessons (the individual pages you are reading right now).

Each lesson has a type:

• Article — written content with examples and diagrams
• Video — embedded video, typically 5-12 minutes
• Quiz — multiple choice for active recall
• Exercise — hands-on task with a reference solution
• Reference — cheat sheet you can save and come back to

Points and Ranks

Every lesson and module awards points when you mark it complete. Points accumulate into ranks:

Rank                     Points    Roughly equals
───────────────────────────────────────────────────
Recruit                  0         Just started
Analyst                  150+      Phase 0-1 complete
Associate                350+      Phase 2 complete
GRC Engineer             630+      MVP complete (Phases 0-2 + 8.1)
Senior GRC Engineer      1000+     Phases 3-9 complete
UprootSecurity Fellow    1400+     Full bootcamp + capstone

Completion is honor-system. You click "Mark complete" when you have genuinely worked through the material. There is no proctoring. The ranks are for your own motivation and for the certificate at the end.

The Certificate

When you reach GRC Engineer rank (630+ points), you unlock the UprootSecurity Certified GRC Engineer certificate. It includes a verification hash so employers can confirm it is real. The certificate is not a substitute for CISSP or CISA, but it proves you built the technical skills those exams do not test.

Study Cadence

What a Good Week Looks Like

• Monday (1 hour): Read 2-3 articles. Take notes on anything you did not already know.
• Wednesday (1 hour): Do the exercises from the current module. Do not skip them.
• Friday (1 hour): Review your notes from the week. Take the module quiz if there is one.
• Weekend (optional): Catch up if you missed a day, or go deeper on something that interested you.

How to Take Notes

Do not copy the text. Write what you learned in your own words. The best format for GRC notes:

Control: What the framework requires (e.g., "CC6.1 requires logical access controls")

Implementation: How you would implement it technically (e.g., "Okta SSO + AWS IAM roles with MFA condition key")

Evidence: What you would show an auditor (e.g., "IAM credential report, Okta MFA enrollment dashboard, quarterly access review export")

This three-part format mirrors the actual work of a GRC Engineer. By the time you finish the bootcamp, your notes are a working reference you can use on the job.

Common Mistakes

Skipping exercises. The articles teach concepts. The exercises build skill. You cannot learn to write IAM policies by reading about IAM policies. You have to write them.

Going too fast. Marking lessons complete without actually working through them gets you points but not skills. The certificate means something because the curriculum is hard. Do not water it down for yourself.

Not taking notes. You will forget 80% of what you read within a week unless you write it down. The act of writing forces you to process the information. Your notes are the most valuable output of this bootcamp.

Studying alone. Find one other person doing the bootcamp. Explain what you learned to them after each module. Teaching is the most effective form of learning. If you cannot find a partner, explain it out loud to yourself. It sounds silly. It works.

Ready?

Mark this lesson complete and move on. The real work starts in Phase 1.