diff --git a/content/nginx-one/workshops/lab1/getting-started-with-nginx-one.md b/content/nginx-one/workshops/lab1/getting-started-with-nginx-one.md
index 826c18252..a9650fa8d 100644
--- a/content/nginx-one/workshops/lab1/getting-started-with-nginx-one.md
+++ b/content/nginx-one/workshops/lab1/getting-started-with-nginx-one.md
@@ -122,5 +122,5 @@ Now that you’ve explored NGINX One Console and created a key, you’re ready t
## References
-- [Create and manage data plane keys]({{< ref "nginx-one/how-to/data-plane-keys/create-manage-data-plane-keys.md" >}})
+- [Create and manage data plane keys]({{< ref "nginx-one/connect-instances/create-manage-data-plane-keys.md" >}})
- [NGINX Agent overview]({{< ref "agent/overview.md" >}})
\ No newline at end of file
diff --git a/content/nginx-one/workshops/lab3/explore-nginx-one-console-and-features.md b/content/nginx-one/workshops/lab3/explore-nginx-one-console-and-features.md
new file mode 100644
index 000000000..db653b8cc
--- /dev/null
+++ b/content/nginx-one/workshops/lab3/explore-nginx-one-console-and-features.md
@@ -0,0 +1,184 @@
+---
+title: "Lab 3: Explore NGINX One Console features"
+weight: 300
+toc: true
+nd-content-type: tutorial
+nd-product: nginx-one
+---
+
+## Introduction
+
+This guide shows you how to explore and use key NGINX One Console features:
+
+- Overview dashboard
+- TLS certificate management
+- Configuration recommendations
+- CVE scanning
+- AI Assistant for config insights
+
+You’ll see how each feature helps you monitor and secure your NGINX fleet without writing custom scripts.
+
+## What you’ll learn
+
+By the end of this tutorial, you’ll know how to:
+
+- Navigate the Overview Dashboard panels
+- View and filter certificate status
+- Review and apply config recommendations
+- Investigate CVEs and jump to details
+- Use the AI Assistant to explain directives and variables
+
+## Before you begin
+
+Make sure you have:
+
+- An F5 Distributed Cloud (XC) account with NGINX One enabled
+- All containers from Lab 2 running and registered
+- Basic NGINX and Linux knowledge
+- Your `$NAME` environment variable set (from [Lab 2]({{< ref "nginx-one/workshops/lab2/run-workshop-components-with-docker.md" >}}))
+
+---
+
+## 1. Overview Dashboard panels
+
+Open NGINX One Console and select **Overview**. Here are the key metrics you’ll see and what they tell you:
+
+
+{{< img src="nginx-one/images/nginx-one-dashboard.png"
+ alt="Overview dashboard showing panels for instance availability, NGINX versions, operating systems, certificates status, configuration recommendations, CVE severity, CPU and memory utilization, disk space usage, unsuccessful response codes, and network usage." >}}
+
+
+- **Instance availability**
+ Understand the operational state of each instance.
+ - **Online**: Agent and NGINX are connected and working.
+ - **Offline**: Agent is running but NGINX isn’t installed, isn’t running, or can’t talk to the agent.
+ - **Unavailable**: Agent lost connection or instance was removed.
+ - **Unknown**: Current state can’t be determined.
+
+- **NGINX versions by instance**
+ See which NGINX OSS or Plus versions your instances are running.
+
+- **Operating systems**
+ Find out which Linux distributions are in use.
+
+- **Certificates**
+ Monitor your SSL certificates—expiring soon or still valid.
+
+- **Config recommendations**
+ Get actionable suggestions to improve security, performance, and best practices.
+
+- **CVEs (Common Vulnerabilities and Exposures)**
+ Evaluate threats by severity.
+ - **Major**: High-severity; fix immediately.
+ - **Medium**: Moderate-severity; plan a fix soon.
+ - **Low/Minor**: Lower-severity; monitor.
+ - **Other**: Any non-standard categories.
+
+- **CPU utilization**
+ Track which instances are using the most CPU over time.
+
+- **Memory utilization**
+ Watch which instances consume the most RAM over time.
+
+- **Disk space utilization**
+ See which instances are nearing full disk capacity.
+
+- **Unsuccessful response codes**
+ Spot instances with high counts of HTTP 4xx/5xx errors.
+
+- **Top network usage**
+ Review network throughput (in/out) trends for your instances.
+
+---
+
+## 2. Investigate CVEs
+
+Use the **CVEs** panel to investigate vulnerabilities in your instances:
+
+1. In the **CVEs** panel, select **High** to list instances with high-severity issues.
+2. Select your `$NAME-plus1` instance to view its CVE details, including ID, severity, and description.
+3. Select any CVE ID (for example, `CVE-2024-39792`) to open its official page with full details and remediation guidance.
+4. Switch to the **Security** tab to see every CVE NGINX One tracks, along with how many instances each affects.
+5. Select **View More** next to a CVE name for a direct link to the CVE database.
+
+---
+
+## 3. Investigate certificates
+
+The **Certificates** panel shows the total number of certificates and their status distribution across all instances.
+
+**Note:** NGINX One only scans certificates that are part of a running NGINX configuration.
+
+The statuses mean:
+
+- **Expired**: The certificate’s expiration date is past.
+- **Expiring**: The certificate will expire within 30 days.
+- **Valid**: The certificate is not near expiration.
+- **Not Ready**: NGINX One can’t determine this certificate’s status.
+
+
+1. In the **Certificates** panel, select **Expiring** to list certificates that will expire soon.
+2. Select your `$NAME-oss1` instance and switch to the **Unmanaged** tab to see each certificate’s name, status, expiration date, and subject.
+3. Select a certificate name (for example, `30-day.crt`) to open its details page.
+4. Scroll to **Placements** to see all instances that use that certificate.
+
+---
+
+## 4. Configuration recommendations
+
+The **Configuration Recommendations** pane provides actionable suggestions:
+
+- **Orange** = Security
+- **Green** = Optimization
+- **Blue** = Best practices
+
+1. In the Console, navigate to **Overview > Dashboard**.
+2. In the **Configuration Recommendations** pane, select **Security** to view instances with security-related suggestions.
+3. Select an instance hostname.
+4. Switch to the **Configuration** tab.
+5. Select a config file (for example, `cafe.example.com.conf`) to see recommendations highlighted by line number.
+6. Select **Edit Configuration** (pencil icon) to enter edit mode.
+7. Update the configuration to address each recommendation.
+8. Select **Next** to preview your changes, then select **Save and Publish** to apply them.
+
+
+{{< img src="nginx-one/images/config-recommendation.png"
+ alt="NGINX One Console configuration recommendation panel showing a Best Practice warning: ‘log should not be set to off on line 34’, with a pencil icon to enter edit mode." >}}
+
+
+---
+
+## 5. AI Assistant
+
+Highlight any configuration text, such as a directive, variable, or phrase, in a config preview and select **Explain with AI**. The AI Assistant panel shows:
+
+- A concise definition of the selected element
+- Practical best-practice tips
+- Guidance on common use cases
+
+Try it on:
+
+- `stub_status`
+- `proxy_buffering off`
+- `$upstream_response_time`
+
+
+{{< img src="nginx-one/images/ai-assistant.png"
+ alt="NGINX One AI Assistant panel showing a highlighted $upstream_response_time snippet alongside the assistant’s response with Purpose and Guidance headings." >}}
+
+
+> **Pro tip:** You can learn about NGINX directives and variables without leaving the Console.
+
+
+---
+
+## Next steps
+
+When you’re ready, move on to [Lab 4 →](../lab4/readme.md)
+
+---
+
+## References
+
+- [NGINX One Console docs]({{< ref "nginx-one/" >}})
+- [CVE.org](https://www.cve.org/)
\ No newline at end of file
diff --git a/static/nginx-one/images/ai-assistant.png b/static/nginx-one/images/ai-assistant.png
new file mode 100644
index 000000000..df28268b1
Binary files /dev/null and b/static/nginx-one/images/ai-assistant.png differ
diff --git a/static/nginx-one/images/config-recommendation.png b/static/nginx-one/images/config-recommendation.png
new file mode 100644
index 000000000..e02179d20
Binary files /dev/null and b/static/nginx-one/images/config-recommendation.png differ