100+ Free MITRE ATT&CK Fundamentals Practice Questions

MITRE ATT&CK Fundamentals (MAD20 Badge) practice questions are available now; exam metadata is being verified.


A CTI analyst receives a threat report describing an adversary using DNS TXT record lookups to exfiltrate data. Which ATT&CK technique best describes this?

2026 Statistics

Key Facts: MITRE ATT&CK Fundamentals Exam

Passing Score: 80% (source: MAD20)
Enterprise Tactics: 14 (source: MITRE ATT&CK)
Assessment Attempts Allowed: 10 (source: MAD20)
Badge Type: Living Certification (source: MAD20 / Credly)
ATT&CK Navigator Access: Free (source: MITRE)
Reconnaissance Added: v7+ (source: MITRE ATT&CK)

The MAD20 ATT&CK Fundamentals badge is the foundational credential in MITRE Engenuity's practitioner training series. Candidates pass self-paced online module assessments at 80% or above, earning a Living Certification badge via Credly that stays updated with the current ATT&CK version.

Sample MITRE ATT&CK Fundamentals Practice Questions

Try these sample questions to test your MITRE ATT&CK Fundamentals exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What is the primary purpose of the MITRE ATT&CK framework?
A. To document real-world adversary tactics, techniques, and procedures based on observed behavior
B. To provide a checklist of security controls for compliance audits
C. To score software vulnerabilities using a standardized numeric system
D. To define a step-by-step kill chain for penetration testers
Explanation: MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary behavior built from real-world threat intelligence observations. It documents how attackers actually operate, not theoretical scenarios, giving defenders a shared vocabulary to describe, detect, and defend against threats.

2. How many tactics are in the MITRE ATT&CK Enterprise Matrix?
A. 9
B. 11
C. 14
D. 17
Explanation: The MITRE ATT&CK Enterprise Matrix contains 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Tactics represent the adversary's high-level objectives at each stage.

3. In ATT&CK terminology, what does a 'tactic' represent?
A. The adversary's high-level goal or objective during an intrusion
B. A specific method an adversary uses to accomplish an objective
C. A detailed step-by-step procedure used in a specific attack campaign
D. A data source used to detect adversary activity
Explanation: In the ATT&CK framework, tactics represent the 'why': the adversary's tactical goal or objective at a given phase of an operation. For example, 'Persistence' is a tactic because the goal is to maintain a foothold. Techniques answer 'how' the adversary achieves that goal, and procedures are specific real-world implementations.

4. What is the correct format for a MITRE ATT&CK Enterprise sub-technique ID?
A. ST1059.001
B. T1059/001
C. T1059.001
D. TA0002.001
Explanation: ATT&CK sub-techniques are identified with the parent technique ID followed by a period and a three-digit number, e.g., T1059.001 (Command and Scripting Interpreter: PowerShell). The 'T' prefix denotes technique, and the decimal notation distinguishes sub-techniques from parent techniques.

5. Which of the following is the FIRST tactic in the ATT&CK Enterprise Matrix (leftmost column)?
A. Reconnaissance
B. Initial Access
C. Resource Development
D. Execution
Explanation: Reconnaissance (TA0043) is the first tactic in the ATT&CK Enterprise Matrix, representing activities the adversary performs before any direct interaction with the victim infrastructure, such as gathering information via open sources or active scanning. It was added in ATT&CK v7 along with Resource Development.

6. ATT&CK contains separate matrices for different domains. Which of the following is NOT a separate ATT&CK matrix domain?
A. Mobile
B. ICS (Industrial Control Systems)
C. Cloud
D. Enterprise
Explanation: MITRE ATT&CK currently has three top-level domains: Enterprise, Mobile, and ICS. 'Cloud' is a platform within the Enterprise matrix (alongside Windows, Linux, macOS, Containers, etc.), not a separate stand-alone matrix. Enterprise covers network, endpoints, and cloud platforms together.

7. What is the relationship between an ATT&CK technique and a sub-technique?
A. Sub-techniques are more specific implementations of a parent technique
B. Sub-techniques are more abstract than techniques and group related behaviors together
C. Sub-techniques belong to a different tactic than their parent technique
D. Sub-techniques are deprecated versions of older techniques
Explanation: Sub-techniques provide more granular detail about specific implementations or variations of a parent technique. For example, T1059 (Command and Scripting Interpreter) is the parent technique, and T1059.001 (PowerShell) is a sub-technique specifying one particular scripting interpreter. Sub-techniques share the same tactic(s) as their parent.

8. Which ATT&CK tactic covers an adversary's efforts to steal credentials such as passwords and hashes?
A. Privilege Escalation
B. Lateral Movement
C. Credential Access
D. Defense Evasion
Explanation: Credential Access (TA0006) encompasses techniques adversaries use to steal account names and credentials, including password dumping, brute force, and keylogging. Gaining credentials allows adversaries to access systems and resources using legitimate accounts, making detection harder.

9. What does the 'Impact' tactic in ATT&CK Enterprise primarily cover?
A. Techniques adversaries use to disrupt availability or compromise data integrity
B. Techniques for gaining initial footholds through phishing and exploits
C. Techniques to gather information about target systems
D. Techniques for encrypting command-and-control communications
Explanation: Impact (TA0040) is the final tactic in the Enterprise matrix, covering techniques that adversaries use to disrupt business operations, destroy data, or compromise data integrity. Examples include ransomware (T1486 Data Encrypted for Impact), defacement (T1491), and disk wiping (T1561).

10. Which ATT&CK tactic was added to the Enterprise matrix to cover adversary activities BEFORE any direct victim interaction, such as gathering open-source intelligence?
A. Collection
B. Exfiltration
C. Reconnaissance
D. Resource Development
Explanation: Reconnaissance (TA0043) was added in ATT&CK v7 to capture pre-attack information-gathering activities that occur before the adversary contacts the victim. Examples include T1595 (Active Scanning), T1592 (Gather Victim Host Information), and T1589 (Gather Victim Identity Information) via open sources like LinkedIn.

About the MITRE ATT&CK Fundamentals Practice Questions

Verified exam format metadata for MITRE ATT&CK Fundamentals (MAD20 Badge) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.