Hands-On GraphQL
RCCE students will learn GraphQL API security including query depth and complexity attacks, introspection abuse, authorization bypass through nested queries, batching attacks, and GraphQL-specific injection vulnerabilities. RCCE students will learn to assess GraphQL implementations for security weaknesses, configure query depth limits and cost analysis, disable introspection in production environments, implement field-level authorization, detect and block resource exhaustion through query complexity attacks, secure GraphQL subscriptions, audit GraphQL schemas for data exposure risks, and integrate GraphQL security testing into application development pipelines. This practice-intensive course emphasizes applied skills through lab exercises, real-world scenarios, and production-realistic workflows. Building on core knowledge, RCCE students will learn by doing, building muscle memory and practical confidence through repeated hands-on engagement. Students complete exercises that mirror actual workplace tasks, ensuring skills transfer directly to their professional roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Hands-On GraphQL
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn
- Execute hands-on tasks for skills you will build — covering query depth limits & cost analysis.
- Execute hands-on tasks for core concepts
- Execute hands-on tasks for key operations — covering Query language for APIs (Facebook, 2015), Query: read data from server.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for attack surface areas — covering Transport layer: TLS enforcement required.
- Design a scalable privilege management architecture with policy and enforcement, including Multiple endpoints, each independently, and GraphQL Security Model.
- Design a scalable privilege management architecture with policy and enforcement, including Single endpoint handles all operations.
- Execute hands-on tasks for schema & type system security
- Execute hands-on tasks for security implications — covering Defines available types, fields, operations, Overly permissive schemas leak sensitive fields.
| Module 01 | Course Overview |
| Module 02 | What You Will Learn |
| Module 03 | Skills You Will Build |
| Module 04 | Core Concepts |
| Module 05 | Key Operations |
| Module 06 | GraphQL Architecture & Data Flow |
| Module 07 | Attack Surface Areas |
| Module 08 | GraphQL vs REST Security Model |
| Module 09 | REST Security Model |
| Module 10 | GraphQL Security Model |
| Module 11 | Schema & Type System Security |
| Module 12 | Security Implications |
| Module 13 | Introspection & Schema Discovery |
| Module 14 | Introspection Risk |
All hands-on labs run on Rocheston Rose X OS. Students practice hands-on graphql by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Explain Course Overview fundamentals
- Lab 2: Execute hands-on tasks for what you will learn
- Lab 3: Execute hands-on tasks for skills you will build
- Lab 4: Execute hands-on tasks for core concepts
- Lab 5: Execute hands-on tasks for key operations
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Hands-On GraphQL, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI