The academy

A small academy that rewrites itself every cohort

BlueGrid Forge runs instructor-led cybersecurity analyst training out of Seoul. We started in 2021 with twelve learners in one classroom. Five years and many retros later, we are a seven-person team, three core curriculum tracks, and a replay-engine lab built specifically so analysts can investigate finished incidents on their own clock.

We believe two unusual things. First, mentor feedback is the irreducible piece of a training programme — and the part you cannot scale by template. Second, telling learners what we do not cover is more useful than promising the world.

Principles

Four habits we will not optimise away

  1. 01

    Honest about what we cannot promise

    We will not guarantee a job, a certification pass, or a transformation. We commit to mentor feedback, lab access, and curriculum we rewrite when retros say to.

  2. 02

    Mentor feedback is load-bearing

    Every detection submitted, every after-action written, every brief produced gets reviewed by a working analyst. That is the part we refuse to scale-by-template.

  3. 03

    Lab over lecture

    Our cohorts spend 60-70% of contact hours inside the lab. Slides exist; they support work, they do not replace it.

  4. 04

    Limitations get printed, not hidden

    The first slide of every track lists what the track does not cover. We would rather lose a sale than over-promise scope.

Milestones

A short, accurate timeline

  1. 2021

    Founded as a 12-seat instructor-led programme

    Da-Eun Kim ran the first cohort out of a single Seoul classroom. Twelve learners, one SIEM, one whiteboard. The retro from cohort 1 still hangs in the office.

  2. 2023

    Replay-engine lab goes live

    Tae-Hyun Choi finished building the academy's incident replay infrastructure, allowing every learner to investigate the same finished incident on their own clock.

  3. 2025

    Corporate cohort programme launched

    After three pilot enterprise client engagements, the Corporate Analyst Onboarding Programme became a permanent track. Discovery weeks remain mandatory — no exceptions.

Team

Seven people. One academy. Real day jobs in cybersecurity.

Every academy member maintains operational links to working SOCs or detection-engineering teams. We are not a training-only outfit. The reason: cohort feedback is sharper when the person reviewing your detections wrote one for production this morning.

  • Da-Eun Kim

    Academy Director · 14 yrs experience

    Da-Eun ran enterprise client incident response for a regional MSSP for nine years before founding the academy in 2021. She still personally manages every corporate cohort engagement for its first month. Her view: a junior analyst who learns to write a clear after-action report has a faster career than one who memorises every framework.

    Focus: Incident leadership, programme design

  • Min-Jun Park

    Lead Cybersecurity Instructor · 12 yrs experience

    Eight years inside SOC operations at a financial-sector enterprise client, then four years on detection content. Min-Jun teaches the SOC Foundations Bootcamp and rewrites at least one module every cohort based on retro feedback. Known for keeping a printed alert-triage rubric on every desk.

    Focus: SOC operations, alert triage

  • Hannah Bae

    Curriculum Designer · 10 yrs experience

    Hannah came to the academy after running detection content for an enterprise client SOC. She designed the lab's replay engine, owns the Threat Detection Engineering and Cloud Incident Handling tracks, and refuses to teach detection-as-code without a Git workflow attached.

    Focus: Detection engineering, cloud IR

  • Tae-Hyun Choi

    SOC Lab Engineer · 8 yrs experience

    Tae-Hyun built the academy's incident replay infrastructure on top of open-source telemetry tooling. He maintains the lab, writes the synthetic adversary content, and runs the weekend simulation labs alongside instructor staff. Quietly responsible for keeping the platform stable.

    Focus: Lab infrastructure, telemetry

  • Yuna Cho

    Career Coach · 8 yrs experience

    Four years running technical hiring for an enterprise client SOC, then two years coaching analysts through career changes. Yuna leads the Analyst Career Launchpad and reviews every cohort's mock-interview feedback. Will tell you the truth about which roles are not hiring juniors right now.

    Focus: Hiring readiness, portfolio review

  • Joon-Ho Lee

    Lead Cybersecurity Instructor · 11 yrs experience

    Previously ran threat intel for a regional CSIRT, where he learned that intelligence nobody reads is not intelligence. Joon-Ho teaches the Threat Intelligence Fundamentals track and runs the brief-writing reviews for both individual learners and corporate cohorts.

    Focus: Threat intelligence, brief writing

  • Seo-Yeon Hwang

    Curriculum Designer · 9 yrs experience

    Seo-Yeon was a GRC programme manager at a regional MSSP before joining curriculum. She owns the Compliance Readiness Workshop and is the academy's point of contact for quality-standards content. Her quietest superpower: writing audit evidence that survives external reviewer Q&A.

    Focus: Quality standards, GRC bridging
How we build curriculum

A short read on our process — and a few things we do not do

What we do

  • Run a 90-minute retrospective at the end of every cohort, anonymous and structured.
  • Publish an internal change list — what we will change next cohort, what we will not, and why.
  • Rebuild lab scenarios when retros consistently say "the scenario felt fake."
  • Maintain an admissions assessment for intermediate and advanced tracks. We are willing to recommend a different track or no track at all.
  • Let mentors push back on curriculum decisions in writing — we lose those debates in public, when we are wrong.

What we do not do

  • Job placement guarantees or income-share agreements. We considered them and decided against.
  • Graded letter assessments at module end. We use mentor written feedback instead — it is harder to ignore.
  • Vendor certifications outside the listed certification tracks.
  • Penetration-testing tradecraft, malware reverse engineering beyond triage, hardware/IoT security. We are defender-focused.
  • Cohort sponsorship clauses that compromise mentor independence.

Operating from KR — Seoul, with delivery in English. We work with enterprise clients across compliance-aware industry sectors and quality-standards programmes, and we will say no to engagements that ask us to compromise scope honesty.