The Varhugi curriculum
The full list of every module. Short, practical, and grounded in real examples that match a real workplace.
32 modules
178 minutes across the whole curriculum
One per month
- Module 1 (5 min)
Passwords and password managers
Learn how to create strong passwords and why a password manager is the single most important security tool you can use.
- Passwords
- Fundamentals
- Module 2 (5 min)
Phishing, recognising the trap
Learn to spot Icelandic phishing emails and SMS, what to do when you're targeted, and how to report it.
- Phishing
- Fundamentals
- Module 3 (5 min)
Two-factor authentication
Learn why two-factor authentication is the most important security step after a password manager, and how to set it up the right way.
- 2FA
- Fundamentals
- Module 4 (5 min)
AI-powered phishing
AI now writes flawless Icelandic phishing emails that the old advice, looking for typos, no longer catches. Learn how to react.
- Phishing
- AI
- Modern threats
- Module 5 (5 min)
SMS scams, smishing
The most common phishing attack in Iceland today doesn't arrive by email, it arrives by SMS. Learn how to spot it and what to do.
- Phishing
- Mobile
- Fundamentals
- Module 6 (5 min)
MFA fatigue, repeated approval prompts
Attackers no longer try to bypass 2FA, they spam you with prompts until you approve one by accident. Learn to recognise and stop the attack.
- 2FA
- Modern threats
- Module 7 (5 min)
Impersonated colleagues
Attackers impersonate your manager on WhatsApp, Slack, or Teams asking for a "quick favour". Learn how to recognise and stop the scam.
- Social engineering
- Modern threats
- Module 8 (5 min)
Invoice fraud, fake payment requests
Attackers impersonate vendors or executives and request transfers from finance. Learn how companies lose millions to a single email.
- Finance
- Social engineering
- Modern threats
- Module 9 (5 min)
The CEO's voice on the phone, voice deepfakes
Three seconds of audio is enough to create a convincing deepfake. Learn what the attack looks like and the simple defence that stops it.
- AI
- Deepfake
- Modern threats
- Module 10 (5 min)
AI tools and data leaks
You paste a work document into ChatGPT to save time. Where does it end up? Who sees it? Learn how to use AI without leaking your company's secrets.
- AI
- Data protection
- Modern threats
- Module 11 (5 min)
Public Wi-Fi, rogue access points
Wi-Fi at a café, airport, or hotel might be run by an attacker. Learn when it's dangerous and when it's not.
- Network
- Mobile
- Fundamentals
- Module 12 (5 min)
Overly open share links
You share a Google Doc or OneDrive file with "anyone with the link". Who can see it? Learn to share documents without leaking them to the internet.
- Data protection
- Cloud
- Fundamentals
- Module 13 (5 min)
First steps after a security mistake
You clicked a phishing link, typed your password, or pasted confidential data into AI. The next hour matters most. Learn what to do.
- Incident response
- Behaviour
- Fundamentals
- Module 14 (5 min)
AI commands in the terminal
AI hands you a command to run in the terminal. Stop before you press Enter. Learn why and how.
- AI
- Modern threats
- Module 15 (5 min)
When AI lies with confidence
AI answers with the same confidence whether it's right or wrong. Learn to spot the difference and protect yourself.
- AI
- Modern threats
- Module 16 (5 min)
Hidden instructions in text, prompt injection
You ask Copilot to summarise an email. The email contains hidden instructions telling Copilot to send data to an attacker. Learn how the attack works.
- AI
- Modern threats
- Module 17 (5 min)
AI at home, family and personal life
AI is now part of our personal lives. Children use it, older relatives are targeted by deepfakes, and family photos end up in training datasets. Learn what to discuss at home.
- AI
- Personal
- Modern threats
- Module 18 (5 min)
USB drives and unknown devices
A dropped USB drive, a tampered airport charging station or an unknown Bluetooth device can compromise your computer in seconds. Learn why physical hardware is just as dangerous as malicious email.
- Physical security
- Hardware
- USB
- Module 19 (5 min)
Fake sign-in pages
You click a link, see a familiar Microsoft or Google sign-in page, and type your password. Then a blank screen appears. This is one of the most common attacks today — and easy to defeat by reading the URL.
- Phishing
- Credentials
- Module 20 (5 min)
Phone scams and voice fraud
The phone rings. It's "the bank", "IT support" or "the CEO" — and they need one small thing, right now. Phone scams trade on the fact that a voice feels more trustworthy than text. But voices can be faked in minutes.
- Phishing
- Social engineering
- Voice
- Module 21 (4 min)
Lock screen and clean desk
The most physical of all security mistakes is leaving an unlocked computer or sensitive documents on your desk when you step away. Learn a two-second habit that prevents a huge share of insider data leaks.
- Physical security
- Fundamentals
- Behaviour
- Module 22 (5 min)
QR scams (quishing)
QR codes became an everyday tool after COVID, and attackers followed. Fake QR codes on parking meters, restaurants, meeting invites and emails route you to fraud pages. Learn how to inspect a code before you tap.
- Phishing
- QR codes
- Mobile
- Module 23 (5 min)
Updates and vulnerabilities
"Remind me later" is one of the most expensive buttons in the world. Learn why updates are direct defence against attacks, why "zero-day" gets so much airtime now, and why fake update popups are one of the most common ways malware gets onto your computer.
- Updates
- Vulnerabilities
- Fundamentals
- Module 24 (5 min)
Ransomware: how the attack unfolds
Ransomware is one of the most expensive classes of cyberattack. Whole companies are paralysed for weeks, hospitals divert patients, small businesses close for good. Learn how a single click can spiral into shutdown — and why backups are the strongest defence.
- Malware
- Ransomware
- Incident
- Module 25 (5 min)
Shadow IT: unsanctioned tools at work
"I just used this little AI tool to summarise the meeting." Shadow IT is when employees use tools, apps or cloud services without IT approval. It's rarely malicious — and it's one of the leading sources of data leaks in 2026.
- Shadow IT
- AI
- Data leak
- Module 26 (5 min)
Security in Teams and Slack
Corporate chat platforms look like a trusted environment, but they've become a top attack target. Fake coworkers, external guests in channels, and malicious attachments slip past spam filters simply because you trust chat more than email.
- Phishing
- Teams
- Slack
- Collaboration
- Module 27 (4 min)
Reporting security incidents
You clicked something you weren't sure about. Or got a strange phone call. Or plugged in a USB you found. Reporting it now is the difference between a technical issue and a costly legal crisis. Learn how, when and why.
- Incident
- Behaviour
- Operational
- Module 28 (5 min)
Risks in PDF documents
PDFs aren't just text on a page. They can contain links, form fields, and fake login prompts. Four patterns to recognise: links inside documents, fake invoices, DocuSign impersonation, and PDFs arriving through a portal you trust.
- Phishing
- Attachments
- Fundamentals
- Module 29 (15 min)
Admins under attack: Active Directory, Entra, and the first hour
Attack patterns targeting privileged accounts in AD and Entra (MFA fatigue, Kerberoasting, OAuth consent phishing, AD CS), and what to do in the first 60 minutes of a confirmed incident.
- Advanced
- Active Directory
- Entra
- Incident response
- NIS2
- Module 30 (15 min)
What you can't see: supply chain and detection mindset
Advanced module on third-party attack chains (SolarWinds, MOVEit, XZ-utils) and how to set up logs and alerts that catch real attacks before you lose.
- Advanced
- Supply chain
- Detection
- Blue team
- SBOM
- Module 31 (5 min)
Frontline: customers, calls, and pressure
Training for anyone who talks to customers directly: service reps, call centres, reception, sales, and helpdesk. Five attack patterns that turn your helpfulness against the company: pretexting with public info, time pressure, manager impersonation, unexpected visits, and gradual information harvesting.
- Phishing
- Social engineering
- Frontline
- Fundamentals
- Module 32 (5 min)
Digital security in plain language
A complete walk-through of the fundamentals of online security, with everyday analogies and plain-language explanations of every technical term. The rules that matter and daily habits you can start using today.
- Fundamentals
- Essentials

