Join the community of Certified MITRE ATT&CK® Defenders who have proven their real-world mastery in applying the knowledge of adversary behaviors to improve security configurations, analytics and decision-making.

One year of unlimited access to ATT&CK badges and certifications – USD 499

MAD Enterprise Solutions

Security operations are growing increasingly complex as adversaries become more capable and agile. Defenders need to continually learn new skills to stay ahead of adversaries. Team leaders need to know that their teams didn’t just watch a video they’ll forget later today; they need to know that their teams can put the new skills into action immediately. 

MITRE ATT&CK Defender offers a suite of courses, exercises, and certifications to ensure cyber security teams are fully able to harness the power of the MITRE ATT&CK Framework to improve enterprise security operations. The mix of solutions built for the enterprise include:  

  • Live onsite training at customer site
  • Bulk pricing for our on-demand training and certification platform
  • Live Purple Teaming training at events worldwide 

Learn More About Enterprise Licenses

Live onsite training at customer site

MAD offers a suite of customizable live instructor-led training courses at your location or virtually. Tracks can be customized to meet specific enterprise demands and to provide the skills and validation of mastery in using ATT&CK to understand and create cyber threat intelligence (CTI), assess security operations center (SOC) operations, and coordinate across blue and red teams with a powerful purple teaming approach to improve all aspects of operations.   

The three focus areas of MAD Enterprise are structured around ensuring a common baseline, preparing the team to create and leverage threat intelligence, and applying ATT&CK to improve operations through purple teaming.   Learn more about live onsite training.

Course 1: Ensuring a Common Baseline 

Making certain the entire team has a strong understanding and mastery of ATT&CK is the first step. This is accomplished through:  

  • Training the entire team in ATT&CK Fundamentals  
  • Live MAD Professor-led 1 day training course  
  • On-site at company’s facility, live-streamed, or on-site at a MITRE Facility  
  • Pre-planning session with MAD Professor to tailor a training plan to your needs  
    Course 2: Prepare the Team to Create and Leverage Threat Intelligence 

    ATT&CK is designed to provide a common language across tools regardless of the vendor or specialization. The second phase of MAD enterprise training is designed to ensure teams understand how ATT&CK enables practitioners to understand adversaries better through cyber threat intelligence. Taught through the following topics:  

    • Mapping to ATT&CK® from Narrative Reports  
    • Mapping to ATT&CK® from Raw Data  
    • Storing and Analyzing ATT&CK®-Mapped Data   
    • Making Defensive Recommendations from ATT&CK®-Mapped Data  
    Course 3: Application of ATT&CK to Improve Operations through Purple Teaming 

    MAD professors work hand-in-hand with your team to understand and operationalize CTI to emulate adversaries and build new ATT&CK-based analytics that is more resilient and effective against changing adversary techniques than traditional IOC-based analytics. This capstone course trains your team to effectively work together using ATT&CK as a common language. Participants will be introduced to:  

    • TTP-based hunt methodology  
    • Deep dives into up to 4 selected adversary techniques  
    • Effective adversary emulation of selected techniques   
    • A virtual environment established for the course (or can be conducted in your own provided environment)  
    • Development of ATT&CK-based analytics that can lead to new methods for detection in your existing systems   

    Cost  

    • Live, In-person[1] training of your team led by our MAD Professors   
    • ATT&CK Fundamentals: $2,500 / student (minimum 10 students)  
    • ATT&CK CTI: $2,500 / student (minimum 10 students)  
    • ATT&CK Purple Teaming: $62,500 (2.5 days, 3 instructors, maximum 50 students)  
    • MAD Subscriptions for Participants to Ensure They Understand the Materials, and Maintain Their Advantage Over the Next Year  

    Highlighted Subject Areas

    • ATT&CK Fundamentals  
    • Cyber Threat Intelligence  
    • Purple Teaming  
    • Adversary Emulation  
    • TTP-Based Hunt Methodology  

        [1] Note, in-person training may be delivered on-site at a customer’s facility, on-site at a MITRE facility that can accommodate the class, or online via Microsoft Teams, Zoom, or another capability at the same price. Travel and expenses will be billed additionally as agreed to in the Collaboration Agreement.  

        Bulk pricing for our on-demand training and certification platform

        Bulk pricing for MAD subscriptions is for the purchase of 10 or more subscriptions. Subscriptions provide access to the MAD Skills Hub enabling practitioners to demonstrate their mastery of the materials for a full year. They provide access to the growing library of training, labs, and assessments for the duration of the subscription.  

        The curriculum helps security operations apply ATT&CK for cyber threat intelligence, testing and evaluations, and defensive measures.  The curriculum is constantly growing and currently offers training and credentials in the following areas:  

        • ATT&CK Fundamentals 
        • ATT&CK for Cyber Threat Intelligence 
        • ATT&CK for Security Operations Center Assessments 
        • ATT&CK for Adversary Emulation Methodology 
        • ATT&CK for Threat Hunting Detection Engineering 

        Live Purple Teaming training at events worldwide

        Purple Teaming provides a powerful tool to deliver actual improvements to your enterprise security by ensuring red and blue teams work together to improve outcomes. In this 6-hour hybrid hands on training event, our MAD professors work together with your team to help them understand and operationalize CTI to emulate adversaries and build new ATT&CK-based analytics that is more resilient and effective against changing adversaries’ techniques than traditional IOC-based analytics. 

        A day of hands-on training from MAD professors on Purple Teaming Fundamentals opens attendees to earning: 

        • The Fundamentals of Purple Teaming Event badge (insert badge image) 
        • Badges for each technique successfully learned  

          Participants will be introduced to:  

            • TTP-based hunt methodology  
            • Deep dives into selected adversary techniques  
            • Effective adversary emulation of selected techniques   
            • A virtual environment established for the course 
            • Development of ATT&CK-based analytics that can lead to new methods for detection in your existing systems   
            1.1 Introduction to Purple Teaming - 60 min. (+/-)

            The team will introduce the event and explain the structure. They will then jump into an introduction to purple teaming. This is followed by an introduction to Kibana. This will prepare you with an understanding for the rest of the training. 

            1.2 Deep Dive into Technique #1: Scheduled Tasks - 60 min. (+/-)

            Adversaries may abuse task scheduling functionality to facilitate the initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system. 

            This time will give hands-on training where attendees will be introduced to effective adversary emulation of the Scheduled Task/Job technique and development of ATT&CK-based analytics. 

            1.3 Deep Dive into Technique #2: Credential Dumping - 60 min. (+/-)

            Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. 

            This time will give hands-on training where attendees will be introduced to effective adversary emulation of the OS Credential Dumping technique and development of ATT&CK-based analytics. 

            1.4 Deep Dive into Technique #3: Symson Tampering - 60 min. (+/-)

            Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. 

            This time will give hands-on training where attendees will be introduced to effective adversary emulation of the Impair Defenses technique, specifically the Disable or Modify Tools sub-technique, and development of ATT&CK-based analytics. 

            1.5 Final Discussion and Wrap Up - 60 min. (+/-)

            The team will allow for any questions and discussion. It will also be a time to wrap up any of the hands-on training. 

            Subscribe to the Quick ATT&CK Facts Newsletter