Onboarding project | EXPLIoT Academy

📄

Onboarding project | EXPLIoT Academy

Ideal Customer Profile

Define your ICPs

ICP 1: Independent Cybersecurity Professional ( Researchers & Consultant )

ICP 2: Enterprise IoT Security & Compliance Teams

ICP 3: IoT Security Students ( University level learners & Early Professionals)

Method Used for defining personas

1. Analysis of all paid customer profiles

2. Analysis of visitors ; company data sourced from ZoomInfo

3. Analysis of visitors - who sign up for free course.

Criteria	ICP 1: Independent Cybersecurity Professional	ICP 2: Enterprise IoT Security & Compliance Teams	IoT Security Students ( University Level Learners & Early Professionals )
Age	20-40 Year Old	30-50 Year Old	18-28 Year old
Demographics	Region: Primary - US, UK, Germany ; Secondary - India	Region: Primary - US, UK , Germany ; Secondary - India	Region: Primary - US, UK , Germany ; Secondary - India
	Small security consulting firms, IoT security, Bug Bounties	Industries - Automative, industrial IoT, Manufacturing, Smart Devices.	Industries - Cybersecurity, Embedded Systems, IoT Development
Who are they	Pen-testers, Red Teamers, Bug Bounty Hunters, IoT Security Consultants.	Security Professional working in large enterprises & industrial IoT companies.	University students & fresh graduates in cybersecurity, IoT, and embedded systems
	Security professionals who need advanced IoT hacking skills for client work & bug bounty programs	Teams responsible for IoT Security assessments, compliance, and vulnerability management.	Early-career professional transitioning into IoT Security
Why they need EXPLIoT Academy?	IoT security is a niche, high-paying field - learning these skills increase their earning potential.	Their companies design, manufacture, or deploy IoT devices, which are high-risk targets for cyber threats.	Practical IoT security training missing in university courses.
	More companies demand IoT pentests, and they want to expand their consulting services.	Regulatory compliance (ISO 21434, NIST 800-183, EU, Cyber Resilience Act) requires their team to have IoT security expertise.	Hands-on experience helps them get internships or entry-level jobs.
	Bug bounty programs are offering rewards for IoT vulher abilities —> learning these skills is financially valuable.	They need structured corporate training for their security engineers & analyst	Prepare them for future certification & professional growth.
Pain Point	IoT Security training is hard to find —> most available courses are not hands-on	Compliance risk - struggle to meet IoT security compliance standards.	Theoretical university courses don’t provide hands-on hacking practice.
	Lack of structured labs and real-world scenarios —-> needs interactive practice with real IoT vulnerabilities	Lack of in-house IoT security training - most security teams are general cybersecurity experts, not IoT-specific.	Lack of affordable IoT security courses for students.
	Stiff competition in bug bounties & consulting —> need advanced skills to stand out	High cost of third-party security assessment - need to upskill internal teams to reduce dependency on external vendors.	Tough job market –> needs extra certification to stand out.
Behavior	Learns via practical, hands -on training ( HTB, TryHackMe, CTF challenges )	Learns via structured, corporate training programs	Consume free content first (youtube, free course) before buying paid content
	Engages in online security communities ( Reddit IoT Security, Discord, Twitter/X)	Engages in IoT security conferences ( DEFCON, IoT Villages, Nullcon, Hardware.io)	Prefer structured certifications to add to resumes
	Prefer self-paced, in-dept courses	Trends to follow compliance related cybersecurity content (LinkedIn, Industry Report)	Follow security professionals on Twitter/LinkedIn/youtube
Who takes the decision?	Decision makers - The individual learns	Decision Makers: CISO, Security Manger, Compliance Officer.	Decision maker - The Student or University
	Decision blockers - High Pricing	Decision Blocker: Budget constraints, internal approval processes for training.	Decision Blocker - High pricing or lack of university endorsement
Frequency of Use?	Multiple courses per year ( Basis ups killing requirement )	Quarterly or Annual Team Training Cycles.	Low cost courses at the start, then upgrade to advanced training over time.
	Hands-on labs used frequently for real-world hacking practices.	New team members need onboarding in IoT security training.	Uses training material for internships & job application.

ICP Prioritisation

Criteria	Adoption Rate	Appetite to Pay	Frequency of Use Case	Distribution Potential	TAM ( users/currency)	Priority Ranking
ICP 1 - Independent Cybersecurity Professional	High	Medium	Medium - High	Medium	1000 user	2
ICP 2 - Enterprise IoT Security & Compliance Team	Moderate	High	Medium - High	High	1400 users	1
ICP 3 - IoT Security Students (University Level Learner’s &. Early Professionals)	Low	Low	High	Moderate	1100 users	3

Priority Ranking:

1. Enterprise IoT Security & Compliance Teams —> High distribution potential, high frequency of use, and significant TAM.

2. Independent Cybersecurity Professional —-> High adoption rate and willingness to pay but medium frequency of use and distribution potential.

3. IoT Security Students —-> High frequency of use but low adoption rate and low willingness to pay, making it the lowest priority.

JTBD and validation

ICP 1: Independent Cybersecurity Professionals ( Researchers & Consultants)

User Goals & JTBD

Goal Type	User Goal	JTBD
Primary - Functional	Master IoT Pen-testing for consulting and bug bounty	Gain real-world hacking skills to offer IoT security assessments or monetise bug bounties.
Secondary - Financial	Increase income from IoT Security projects	Expand client service and get higher-paying IoT security contracts.

Validation

Paid users from security consultancies (Security Innovation, Aress Software,ISCOC)
Freelance-heavy engagement -> Users purchasing hands-on IoT hacking courses.
Activity from bug bounty hunters & security professionals on TryHackMe, HTB

ICP 2 : Enterprise Security & Compliance Teams

User Goals & JTBD

Goal Type	User Goal	JTBD
Primary - Functional	Train internal security teams on IoT Security Compliance	Ensure in-house security teams are skilled in IoT security to reduce third-party assessment costs and meet ISO 21434, NIST 800-183 compliance
Secondary - Financial	Minimise security risks & compliance penalties	Avoid legal liabilities and cyber risks by training security professionals in secure IoT development

Validation

Paid users from Xylem, Valeo, Security Innovation —> confirm interest in enterprise-level security training.
Academy visits from major enterprise security teams —> Siemens, Schneider, Honeywell
Course purchased are compliance-focused (ISO 21434, IoT Protocol Security, Firmware Hacking)

ICP 3: IoT Security Students ( University Level Learner’s & Early Professionals )

User Goals & JTBD

Goal Type	User Goal	JTBD
Primary - Functional	Gain IoT Security skills for internships & jobs	Acquire hands-on IoT hacking knowledge to stand out in job applications.
Secondary - Financial	Invest in skill-building at a student-friendly cost	Access affordable training to bridge the university-industry skill gap.

Validation

Academy visits from students at universities (Purdue, Arizona State, Yale)
Students purchasing lower-cost introductory courses ( Automotive Security, IoT Protocols )
High engagement with free courses before upgrading to paid certifications.

Onboarding Teardown

Onboarding Process

Sign-Up Process

	What’s Working	What’s not working	Changes/Improvement
Ease of Access	CTAs like “Enroll Now“ or “Signup“ serve same purpose, its more like trying to get users to sign-up to the platform. On multiple occasion.	on home page, “Store“ button is highlighted - it nudges users to click on store ; instead of ”Signup“	make sure that, sing-in & sign-up buttons stay at right up corner ; and ‘store‘ button can take normal placement in the menu section, probably before contact us.
Steps and Fields	Only 3 form fields, and Password bar - has “checkmark“ which shows the password progress.	NA	NA
User Guidance	NA	There is no overall progress indicator for the page / which generally many pages shows	I don‘t think, similar progress bar is needed - so ; i am not recommending any changes as such

First-Time User Experience

	what’s working	what’s not working	Improvement
Welcome Message	email verification process	user can‘t login - if email is not verified [ minor issue ]	it force user to verify email ; then only login - if such condition can be removed ; and if we give 1 month to user to verify - then we can decrease one friction point
		There are no personalisation in the verification email.	implement personalisation
Onboarding Flow, Guided Tours, Tutorials		There are clearly no guided tours ; once user sign in his account ; there is no clear defined guide - helping him what to do next.	Create guided flow for user, once user sing-in ; clearly defining - what user can do ; which courses user can complete first, there is scope for personalisation as well

Feature Discovery

In our case “feature discovery“ means experiencing the actual product ; that is course material. - which can be, free course or any knowledge base that we share.

	what’s working	what’s not working	Improvement
Introduction to features	Paid courses are shown	There is no clear distinction, between, paid and free course, they are random ; user ;	User need to be “nudge“ towards completing free course ; or either - completing ”learning experience“ by watching some portion of paid course.
User engagement		There are no interactive elements, there is option for community and asking questions, but that’s not being effectively communicated to users	Use - existing LMS interactive elements like ; community, and q&a

User Interface & Experience

	what’s working	what’s not working	improvements
Consistency	Design consistency is maintained across all the landing pages.	NA	NA
Usability	Ease of use - good	NA	NA

First Success Milestone

	what’s working	what’s not working	Improvement
Defining Success	Once user complete the course, as he download the certificate - there is this “nudge“ with chance to be, lucky draw winner by sharing it on social media	As experince is not targeted towards, completing first course - users coming to this point is too much dependent on motivation of the user; whole platform don’t help in any way in the process.	Define - success milestone, and nudge users towards that’s via - written communication and visual communication.
Reinforcement: Positive Feedback, Next Step	User can download certificate and share it on social	No clear next step defined!	Basis on what, user has completed next step can be created.

Continuous Engagement

	what’s working	what’s not working	improvement
Follow-up Communication:Emails/notification		No follow-up messages are being sent at this moment	Follow-up messages sequence to be implemented
Re-Engagement: Inactive Users		No re-engagement sequence is set	Setup re-engage net sequence

AHA Moment - Where does it occur?

3 Potential AHA moments in user journey

Primary AHA Moment - Completing the first hands-on exercise

When user complete hands-on excise, they experience main value of EXPLIoT Academy, that is - Academy’s practical, real-world learning approach.
This practical experience differentiates EPXLIoT Academy from other cybersecurity training providers and reinforces the value proposition.

AHA Moment - Watching the first expert led training module

pro Users watch a high quality, structured lesson from an expert, helping them realise they are learning from professional In the filed.
This build trust and credibility but does not directly translate into engagement like hands-on training does.

AHA Moment - Getting certified for a completed module/course

receiving certification for completion reinforce motivation.
however, this occurs later in the journey - user can drop off before reaching to that point

Activation metrics

Activation Metric

✅ Complete the first hands-on lab within 48 hours of signing up

(X action = completing first hands-on lab, Y time = within 48 hours)

📌 Explanation:

This metric is a strong predictor of user retention and engagement. If users complete their first hands-on lab within 48 hours:

• It reinforces the habit of learning and using EXPLIoT Academy.

• It reduces drop-off rates, as users experience the platform’s core value early.

• Hands-on labs showcase practical cybersecurity skills, leading to a higher chance of course completion.

🔍 How to Track & Optimize This Metric

Tracking Metric	Why It Matters?
% of users who start the first hands-on lab	Ensures users are engaging early
% of users who complete the first lab in 48 hours	Core activation metric
Drop-off rate between starting & completing the lab	Identifies friction points
Average time taken to complete the lab	Helps streamline user experience

Activation Metic - Hypothesis Considered

Activation Metric Considered	Reason	Selected As Primary Activation Metric?	Reason for Primary Selection	Impact on Revenue
Complete the first hands-on lab within 48 hours	Strong predictor of engagement and retention, users who complete a hands-on lab early are more likely to finish the course	Yes	User who engage early are more likely to complete the course	Higher course completion rate, leads to repeat purchase
Watch the first 30 minutes of video content in 3 days	Indicate interest and engagement	No	watching video is passive, does not guarantee active learning.	Lower impact
Enroll in at least 2 courses within the first week	Users enrolling in multiple courses show a stronger commitment to learning	No	Aspirational action ; user may enroll but never start a course.	Medium
Log in at least 3 times in the first week	Frequent logins indicate habit formation and potential engagement with content	No	Logging in does not equate to actual learning or completion	Lower - to medium