PCI-DSS Req 12.6 · HIPAA §164.530 · SOC2 CC1.4 · Training Compliance · Deep Prototype

TrainingTracker — Security-Awareness Training Compliance

40 employees × 8 training modules (security awareness, phishing simulation, HIPAA, PCI, GDPR, secure coding, AI risk, role-based privilege). Per-employee × per-module completion matrix, annual + 90-day cadences, retake-after-fail tracking. Maps to PCI Req 12.6, HIPAA §164.530(b)(1), SOC2 CC1.4.


What it is

The shape behind every awareness-training compliance program (KnowBe4, Hoxhunt, Living Security): the 40×8 matrix an auditor asks for with “show me everyone’s training records for the past year.”

What’s in it

  • 40 employees across 7 roles: eng, support, sales, marketing, admin, sre, clinical.
  • 8 training modules:
    • Security Awareness (annual, all roles)
    • Phishing Simulation (90-day cadence, all roles)
    • HIPAA Privacy + Security (annual, eng + support + clinical)
    • PCI-DSS for Cardholder Data (annual, eng + support + ops)
    • GDPR / DSAR Handling (annual, support + sales + legal)
    • Secure Coding (OWASP Top 10) (annual, eng only)
    • AI Risk + Acceptable Use (annual, all roles)
    • Role-based Privilege Training (annual, admin + sre + security)
  • Per-cell state — ok (current), warn (within 60 days of expiry), bad (overdue), N/A (role doesn’t need this module).
  • Compliance matrix — vertical labels per module, 40-row employee list, hover for the actual days-since-last-completed.
  • Phishing-fail tracking — phishing-sim modules >90 days since last completion are flagged. Marketing is the worst-offender team (high-velocity reorgs + non-technical staff).
  • Per-employee drilldown with per-module status, days-ago, and the regulation citation (HIPAA §164.308(a)(5), PCI Req 12.6.1, etc.).
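The per-cell cadence math from the list above, as an added JavaScript example (not the tool’s own renderer). Module roles and cadences come from the module list and the 60-day warn window from the per-cell state bullet; the sample employees, the `cellState`/`buildMatrix` names, and the rule that a failed phishing sim does not advance the last-pass date are assumptions.

```javascript
// Added example, not TrainingTracker's code: classify each employee x module
// cell as ok / warn / bad / N/A from role scope, cadence and days since last pass.
const ALL = ["eng", "support", "sales", "marketing", "admin", "sre", "clinical"];
const MODULES = [   // subset of the page's module list; roles/cadences as stated there
  { id: "awareness",     cadenceDays: 365, roles: ALL },
  { id: "phishing",      cadenceDays: 90,  roles: ALL },
  { id: "hipaa",         cadenceDays: 365, roles: ["eng", "support", "clinical"] },
  { id: "secure-coding", cadenceDays: 365, roles: ["eng"] },
];
const WARN_WINDOW_DAYS = 60;   // "warn (within 60 days of expiry)"
const MS_PER_DAY = 86400000;

// One cell. `lastPassed` is an ISO date (last *passed* attempt; a failed
// phishing sim does not advance it, so the cell keeps ageing until the retake
// passes - assumption) or null. `today` is injected so results are reproducible.
function cellState(role, module, lastPassed, today) {
  if (!module.roles.includes(role)) return { state: "N/A", daysAgo: null };
  if (!lastPassed) return { state: "bad", daysAgo: null };   // never trained counts as overdue
  const daysAgo = Math.floor((today - new Date(lastPassed)) / MS_PER_DAY);
  const daysLeft = module.cadenceDays - daysAgo;             // negative => past expiry
  if (daysLeft < 0) return { state: "bad", daysAgo };
  if (daysLeft <= WARN_WINDOW_DAYS) return { state: "warn", daysAgo };
  return { state: "ok", daysAgo };
}

// Employee x module matrix plus the list an auditor asks for first: who is overdue.
function buildMatrix(employees, today) {
  const matrix = employees.map(e => ({
    name: e.name,
    role: e.role,
    cells: Object.fromEntries(
      MODULES.map(m => [m.id, cellState(e.role, m, e.passed[m.id] ?? null, today)])),
  }));
  const overdue = matrix
    .filter(r => Object.values(r.cells).some(c => c.state === "bad"))
    .map(r => r.name);
  return { matrix, overdue };
}

// Constructed sample data (assumed, not from the tool).
const SAMPLE = [
  { name: "alice", role: "eng", passed: { awareness: "2024-02-01", phishing: "2024-05-01",
                                          hipaa: "2024-03-15", "secure-coding": "2023-05-01" } },
  { name: "bob", role: "marketing", passed: { awareness: "2024-04-10" } },   // phishing never passed
];
const TODAY = new Date("2024-06-01T00:00:00Z");
const REPORT = buildMatrix(SAMPLE, TODAY);
console.log(JSON.stringify(REPORT, null, 2));
```

With the sample data, alice’s phishing cell is warn (31 days into a 90-day cadence, 59 days from expiry), her secure-coding cell is bad (397 days old), and bob is overdue because he has never passed a phishing sim.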

Why this shape

PCI-DSS Req 12.6 explicitly requires “implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures”. HIPAA §164.530(b)(1) requires training for all members of the workforce. SOC2 CC1.4 covers training and commitment to competence. GDPR Art 32(4) treats awareness as a technical and organisational measure (TOM). All four want the same artifact: a 40×8 matrix with completion dates.

How it ships

Single HTML file, ~19KB. Zero dependencies. 40 employees × 8 modules × cadence math + matrix renderer in 200 lines of vanilla JavaScript.
