Skip to main content

    Foundations track — final assessment

    25 questions combining the five Foundations lessons. Pass 60% to complete the track. Your progress is stored only in this browser; nothing is sent to us.

    Quick check

    Five questions. Answers and rationale appear after submission.

    1. Q1.

      Why does an attacker most often have detailed information about your role and colleagues before contacting you?

    2. Q2.

      What is the four-step pattern most attacks follow?

    3. Q3.

      True or false: most cyber attacks against your company are personal.

    4. Q4.

      What is the single highest-leverage personal defence against the attacker mindset?

    5. Q5.

      Your photo shows a sticky note with a temporary password. The post gets 200 likes. Most likely outcome?

    6. Q6.

      Which category does a 'click here to confirm your shipment' SMS lure belong to?

    7. Q7.

      An MFA prompt arrives on your phone that you did not initiate. Which category is in motion?

    8. Q8.

      Why is it useful to know the attack category when reporting an incident?

    9. Q9.

      Most real-world cyber incidents are best described as:

    10. Q10.

      Your SaaS provider sends an unexpected 'we had a security incident, your data may have been accessed' email. Which category?

    11. Q11.

      Which of these is NOT one of the four universal phishing red flags?

    12. Q12.

      Two of the four red flags appear in a message. What is your correct response?

    13. Q13.

      A coworker DMs you a link in Slack asking you to 'log in to the new IT portal'. The DM was unsolicited and the link domain is unfamiliar. Most likely:

    14. Q14.

      Which type of verification is genuinely safe?

    15. Q15.

      Is urgency by itself enough to flag a message as phishing?

    16. Q16.

      What is the single highest-leverage personal cyber-hygiene change you can make today?

    17. Q17.

      Why is FIDO2 / passkey MFA categorically stronger than TOTP or SMS?

    18. Q18.

      You receive an MFA push prompt at 2 AM. You are not signing in. Correct response?

    19. Q19.

      Is a 16-character random password generated by a password manager 'secure'?

    20. Q20.

      Which MFA method does NOT defend against SIM-swap attacks?

    21. Q21.

      You see a ransomware demand on a colleague's screen. They are not at their desk. What is your correct first action?

    22. Q22.

      Under NIS2, what is the early-warning notification window to NCSC after an organisation becomes aware of a significant incident?

    23. Q23.

      You suspect you've been phished and you clicked a credential link. What should you do FIRST?

    24. Q24.

      True or false: it's safer to delete a suspicious email immediately after reporting it.

    25. Q25.

      Why does the 'first 30 minutes' matter so much in incident response?

    Track complete ✓

    You've completed the Foundations track. Continue with the Phishing deep-dive — 9 modules covering every variant from BEC to deepfake voice.

    Continue with Phishing →

    Need an adversary in your environment?

    HackersHub runs paid red-team engagements.

    Talk to an expert

    This module is HackersHub-endorsed exactly as you see it here, watermark and all. Free under CC-BY-ND 4.0. Edit the content? Remove our watermark first. — The HackersHub team View license details.