PreFlight catches security issues. This is where we explain them: the patterns we look for, the real-world incidents behind the threat intel, and the architecture choices that shape (or break) your security posture. Read once, build safer forever.
Anyone with a pulse, a vibe-capable thing, and a dream can find their path here.
You do not need to know what you want to build. Pick the role that sounds like you. You will see the whole climb in front of you. You start at L0 with everyone else, and you ship. That is what "0 to hero" means when it is infrastructure instead of a slogan.
FlightSchool does not teach you. The best free teachers on earth already exist, and you will not out-learn them from a page on a security tool. What FlightSchool does is point you at exactly the right one for where you are, in the order that works, with a note at every step about what to verify before you trust what you built. Curated, not authored. Opinion, not a link dump.
One thing does not change as you climb: PreFlight. It searches for the same things on day one as on day one thousand. Secrets, auth holes, injection, deserialization, all of it, from the first scan. The coverage never narrows or widens by tier. What changes is you, and you do not have to be able to fix a finding to act on it. Hand the finding to your AI and it fixes what PreFlight caught, sometimes first try, sometimes after a few. Early on your job is to run the loop and verify the result. Over time you stop needing the loop: you read the finding and know the fix, then you apply it yourself, then you write code that does not trip it. The map below is not the tool getting deeper. It is you getting deeper, at reading what it surfaces and at fixing what you read.
How to use it: pick a role. Everyone shares L0. Roles split at L1 and run their own climb through L4. At L5 the paths converge back into the canon, because at the top everyone needs the same deep things.
The ground floor, the same for all six roles. Software is made things, not magic.
PreFlight here: Nothing to scan yet. The skill here is reading an error and knowing which file and line it points at. Every safety note below depends on that one habit.
Builds products on top of models and AI tools. The #1-paying tech role in 2026.
PreFlight here: Scan your app. You will find more than you expected, and that is the point. You will not be able to hand-fix most of it yet, and you do not need to. Paste the finding back to your AI; it fixes what PreFlight caught, even if it takes a few passes, and you verify it is actually gone. Act first on the obvious: secrets, leaked keys, the model API key you pasted into the client. The rest is in the same report, waiting on a better-read version of you.
PreFlight here: Same scan, same report. What changed is you can now read the auth-config and CORS findings that were always there. "The AI secured nothing" finally means something you can act on.
PreFlight here: Still the same findings. Now the prompt-injection sinks where user input flows into a system prompt, the stores where model responses land unsanitized, and the AI endpoints that are both expensive and unbounded are legible. They were in your L1 report. You just could not read them yet.
PreFlight here: The findings have not changed since your first scan. Your relationship to them has. You now hold others to the gate: PreFlight runs in CI/CD as a pre-merge check, blocks on critical findings, and keeps an audit trail visible to the whole team.
Owns what the user actually touches. Design literacy and security both, not design alone.
PreFlight here: The obvious one on a vibe-coded UI is an API key hardcoded in client JavaScript. Everything in the browser is public. You will not hand-fix it yet; hand it to your AI, it moves the key server-side, you verify it is gone from view-source. The XSS and header findings are in the same report, becoming readable as you climb.
PreFlight here: Same report. Cross-site scripting is now legible: user content rendered as HTML, dangerouslySetInnerHTML, an unescaped template. It was always flagged; now you can act on it. Frontend is where XSS lives.
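The "unescaped template" pattern beside a hardened version, as an added example in Python that is not code from this page or from PreFlight. The sample comment body and link, the function names and the scheme allowlist are constructed for the example. The point it adds is that escaping for the text context is not enough on its own: a `javascript:` URL in an `href` contains no quotes or angle brackets, so the attribute context needs its own scheme check.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input for this example: an attacker-shaped comment and link.
SAMPLE_BODY = '<img src=x onerror="alert(1)">hello'
SAMPLE_LINK = "javascript:alert(document.cookie)"

# Hypothetical allowlist of URL schemes this renderer accepts in an href.
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_comment_unsafe(body: str, link: str) -> str:
    """The 'unescaped template' pattern: user text dropped straight into markup.
    Kept deliberately vulnerable so the two outputs can be compared."""
    return f'<div class="comment"><a href="{link}">{body}</a></div>'


def safe_href(url: str) -> str:
    """Attribute-context hardening for a link target.

    html.escape neutralizes quotes and angle brackets, but a 'javascript:' URL
    contains neither, so the scheme is checked explicitly. Relative URLs (no
    scheme) pass through; any scheme outside the allowlist collapses to '#'.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_comment_safe(body: str, link: str) -> str:
    """Escape for the text context and the attribute context separately."""
    return (
        f'<div class="comment"><a href="{safe_href(link)}">'
        f"{html.escape(body, quote=True)}</a></div>"
    )
```

The same split applies to any templating layer: the body escaping is what a framework's default output encoding gives you, while the `href` allowlist is the part a default encoder does not cover and the one that is easy to lose when an AI-generated component passes a user-supplied URL straight through.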
PreFlight here: Still the same findings. Now NEXT_PUBLIC_ leakage into the bundle, source maps shipped to production, and weak Content-Security-Policy are the ones you can read and own. All were in the report from scan one.
PreFlight here: The coverage has not changed. You now own the front-end security contract (CSP, Subresource Integrity, zero client secrets) and require PreFlight as the pre-merge gate for every UI contributor.
Goes deep where Full-Stack stays shallow: data, APIs, queues, distributed systems.
PreFlight here: The obvious finding is a database connection string with credentials in a committed config file. The backend is where the real secrets live. Hand it to your AI, it moves it to environment config, you verify nothing sensitive is in the repo. Injection and authz findings are in the same report.
PreFlight here: Same report. SQL and NoSQL injection from template-literal queries, and routes that authenticate but never authorize, are now legible. You can act on the endpoint that checks who you are but never what you may touch.
PreFlight here: Unchanged coverage. Now TLS verification disabled, unbounded endpoints with no rate limit, stack traces returned to the client, and committed env secrets all read clearly. These were in the first report; they take down backends.
PreFlight here: You define the data-handling and authorization invariants for every service. PreFlight is the required gate; you own the threshold and the dogfood discipline that keeps it honest.
Not "both, shallower." The generalist who owns a whole vertical slice and knows where to specialize next.
PreFlight here: The obvious finding lives in the seam: a secret the front end reads because it was never kept server-side. Hand it to your AI, verify the boundary holds. Owning a whole slice means owning the line between its halves, and the rest of the report is yours too.
PreFlight here: Same report. The boundary findings are now legible: CORS misconfiguration and a secret crossing from server to client. That seam is the part only a full-stack owner is actually responsible for.
PreFlight here: Unchanged findings, now readable across the slice: input validated on the client only, an API response stored unsanitized, an auth check living in the UI instead of the API. You are the only one who sees the whole path.
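The backend findings above (a query assembled from the raw parameter, and a route that authenticates but never authorizes) and the full-stack ones (validation that only happens on the client, an auth check living in the UI) come together in one handler. This is an added example in Python with the standard-library `sqlite3` module, not code from this page or from PreFlight; the table, the two users and the handler names are constructed for it. The unsafe handler is kept vulnerable so the two can be compared on the same input.

```python
import re
import sqlite3


# Constructed in-memory table for this example: two users, one document each.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (id, owner, title) VALUES (?, ?, ?)",
        [(1, "alice", "alice notes"), (2, "bob", "bob notes")],
    )
    return conn


DB = make_db()


def get_document_unsafe(conn: sqlite3.Connection, user: str, doc_id: str) -> list:
    """Both findings in one handler, kept vulnerable for comparison: the query is
    built from the raw parameter (injection), and `user` is known but never
    compared to the row's owner (authenticated, not authorized)."""
    return conn.execute(
        f"SELECT id, owner, title FROM documents WHERE id = {doc_id}"
    ).fetchall()


# A document id is a short run of digits; anything else is rejected before it
# gets near the database.
DOC_ID_RE = re.compile(r"\d{1,9}")


def get_document_safe(conn: sqlite3.Connection, user: str, raw_doc_id: str) -> dict:
    """Hardened handler: validate server-side, bind parameters, authorize per row."""
    # 1. Server-side validation, regardless of what the client already checked.
    if not isinstance(raw_doc_id, str) or not DOC_ID_RE.fullmatch(raw_doc_id):
        return {"status": 400, "error": "invalid document id"}
    # 2. Parameterized query: the id is a bound value, never part of the SQL text.
    row = conn.execute(
        "SELECT id, owner, title FROM documents WHERE id = ?", (int(raw_doc_id),)
    ).fetchone()
    if row is None:
        return {"status": 404, "error": "not found"}
    # 3. Authorization on the server: knowing who the caller is says nothing
    #    about what they may touch, and a check in the UI is not a check.
    doc_id, owner, title = row
    if owner != user:
        return {"status": 403, "error": "forbidden"}
    return {"status": 200, "document": {"id": doc_id, "title": title}}
```

Run against the sample table, `get_document_unsafe(DB, "bob", "1")` hands bob alice's document, and `get_document_unsafe(DB, "bob", "1 OR 1=1")` returns every row; the hardened handler answers those two requests with 403 and 400. Whether a forbidden row should answer 403 or 404 is a design choice (404 avoids confirming that the id exists); the example uses 403 to keep the three checks visibly distinct.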
PreFlight here: Coverage constant. You own the entire threat surface of the slice; PreFlight gates it pre-merge and you decide what blocks, because no one else has the whole-slice view.
PreFlight is this learner’s professional instrument. No modesty here.
PreFlight here: You are learning to read the finding taxonomy, not to produce clean code yet. Run PreFlight on other people’s sample repos and learn what every finding class means. This is your field’s vocabulary; the report is the same one everyone gets.
PreFlight here: You should be able to explain every PreFlight finding class and reproduce it by hand. The Breakers panel is your practice harness: each adversarial input is a thing you should already know how to type.
PreFlight here: The tool surfaces nothing new at this tier. What changed is that you own the pipeline now. Wiring PreFlight into CI as the gate is literally the job: you tune .preflight.yml, set the block threshold, and own the dogfood discipline. It stops being a tool you run and becomes infrastructure you operate.
PreFlight here: Coverage is the same as day one. You set org policy, own the audit trail, and make the gate non-bypassable. You are this tool’s power user and its strongest critic; both are the job.
Advances the field or builds the models. Not the AI Engineer (who builds products on top). Math, then ML fundamentals, then research track.
PreFlight here: PreFlight is light here. The safety lesson is reproducibility and data handling, not web vulnerabilities. A result you cannot reproduce is a bug the same way a crash is.
PreFlight here: Research code still ships and still leaks. The same report flags an API key committed in a notebook and data-leakage where test data bled into training. Hand them to your AI to fix, verify, and treat reproducibility as your security model.
PreFlight here: Same coverage. Now the model and data supply chain reads clearly: unsafe deserialization (pickle, torch.load on untrusted files), dataset paths that trust their input, secrets in training scripts. All were in the first report.
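The unsafe-deserialization class, as an added example in Python that is not code from this page or from PreFlight. It uses the standard-library `pickle.Unpickler.find_class` hook to build a loader that resolves only an allowlist of globals; the allowlist, the sample checkpoint and the blob names are constructed for the example. What it adds to the paragraph is the mechanism: a pickle is a small program for the unpickler and can name any importable callable, so the defence is to refuse the name before anything is constructed.

```python
import io
import os
import pickle
from collections import OrderedDict

# Allowlist of globals the loader may resolve, constructed for this example.
# Plain containers, numbers and strings need no global lookup; OrderedDict does.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allowlisted (module, name) pairs; every other global
    reference is refused before any object is built from it."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads on data you did not produce yourself."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_to_load(data: bytes) -> bool:
    """True if the blob resolves using only allowlisted globals."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return False
    return True


# Constructed sample "checkpoint": the kind of metadata a training script pickles.
SAMPLE_CHECKPOINT = OrderedDict(
    epoch=3, lr=1e-3, classes=["cat", "dog"], seen=frozenset({1, 2})
)
GOOD_BLOB = pickle.dumps(SAMPLE_CHECKPOINT)

# A pickle can reference any importable callable by name. This one merely
# references os.getcwd (nothing is called); the plain loader resolves it,
# the restricted loader refuses it at find_class.
REFERENCE_BLOB = pickle.dumps(os.getcwd)
```

The allowlist should be the smallest set the file format actually needs, which is why it is spelled out per (module, name) pair rather than per module. PyTorch's answer to the same problem is `torch.load(..., weights_only=True)`, which applies a restricted unpickler of this kind to checkpoint files; for any other pickle-based format the hook above is the same idea in ten lines.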
PreFlight here: Reproducibility and supply-chain integrity are your safety surface. You set the standard for safe model and data handling in your group, and the unsafe-deserialization class is the one you make non-negotiable.
At the ceiling there is no curriculum and no role-specific track. Everyone needs the same deep canon and the judgment to know which part matters now.
PreFlight here: You now define what "safe to ship" means for everyone below you. PreFlight becomes a gate you wire into other people's climb, not a thing you run on yourself.
Pair this with The Climb for where each tier sits in the bigger picture, and the Tools page for what to climb with. Everything here is free. PreFlight asks for nothing.