
DARKTRACE CERTIFICATION

THREAT VISUALIZER ESSENTIALS STUDY GUIDE

Congratulations! You have been accepted onto the Threat Visualizer Essentials Certification
path. Now that you can proceed to the official examination, this handbook is designed to
prepare you for what lies ahead. Over the next few pages, you will find study topics, an
outline of the process and sample questions where you can practice the format.

Darktrace Certifications
Threat Visualizer Essentials
Cyber Analyst
Cyber Engineer
Darktrace/Email
Exam Preparation
Exam Topics
Revision Materials
Exam Practice
Certification Process
Exam Procedure
Key Facts
Requirements
FAQs

My Certification Exam Details


This guide can be used to track your individual study efforts. Optionally, using the fields below,
fill out the details of your exam so you have a date to work towards.

Name (Firstname Surname):

Date of Exam (YYYY/MM/DD):

© 2024, DARKTRACE ACADEMY 1



Darktrace Certifications
Darktrace offers multiple paths for certification: Threat
Visualizer Essentials, Cyber Analyst, Cyber Engineer
and Darktrace/Email. These paths are open to both
customers and partners.

It is imperative that you have your own Customer Portal account prior to setting out on the
certification journey. If you do not have an account, you can request access directly from the
Customer Portal login page.

Certification paths each have modules, as depicted below, which must be completed as prerequisites.
You must attend the appropriate classes and be comfortable with the material. After attending these
classes, you are invited to take an attendance test. You must pass each attendance test before you
can proceed to certification.

The Threat Visualizer Essentials certification has a unique exam with both theoretical and practical
elements. However, in order to become officially certified in a role-based or product-centric path,
you must complete two components; a theory exam and a practical, hands-on laboratory style exam.
These exams will be proctored by a Darktrace Examiner.


Threat Visualizer Essentials

Our Threat Visualizer Essentials certification path will test your basic networking and security
knowledge and apply it to investigating threats on your network using the Threat Visualizer interface.

Courses in this path:

• Threat Visualizer Part 1 - Familiarization
• Threat Visualizer Part 2 - Investigation

Cyber Analyst

Our Cyber Analyst certification path focuses more on using the Threat Visualizer interface to
investigate threats on your network.

Courses in this path:

• Cyber Analyst Part 1 - Advanced Analysis
• Cyber Analyst Part 2 - Model Optimization

Cyber Engineer

Our Cyber Engineer certification path verifies your competency to install and administer the
Darktrace Cyber AI Platform, as well as testing networking and security fundamentals.

Courses in this path:

• Cyber Engineer
• Threat Visualizer Administration
• Darktrace RESPOND/Network

Darktrace/Email

Our Darktrace/Email certification path allows you to become certified in using Darktrace/Email.
Here, your email security knowledge will be tested and you will need to apply your skills to
investigate emails and customize a deployment.

Courses in this path:

• Darktrace/Email Part 1 - Familiarization
• Darktrace/Email Part 2 - Customization


Exam Preparation
By now, you should already have the knowledge required
to pass the Threat Visualizer Essentials Certification,
obtained through the Threat Visualizer classes outlined
on the right.

But, what can you do to prepare yourself even further?

To access additional materials and take the first part of the exam, it is imperative that you have
your own Customer Portal account. This is something you should already have prior to setting out on
your certification journey.

However, if you still do not have an account, you can request access directly from the Customer
Portal login page.

Exam Topics
To assist with your study, the topics covered on the exam are the following learning objectives from
Threat Visualizer Part 1 - Familiarization and Threat Visualizer Part 2 - Investigation:

• Navigate the Threat Visualizer interface
• Obtain basic information about network devices
• Investigate Cyber AI Analyst incidents
• Generate reports of network activity
• Review individual Model Breaches
• Perform basic queries in Advanced Search
• Perform packet inspection
• Use Darktrace to triage alerts

There are multiple questions for each of the above topics to test you on a variety of skills.

At a minimum, you will be expected to have a general knowledge of network security.

Based on the concepts obtained from the Threat Visualizer courses, you should be able to apply your
knowledge to the Threat Visualizer interface in order to review and analyze various alerts as well
as dive deeper into Model breaches.

The checklist above outlines a more granular approach to study topics you should have familiarity
with. Optionally, use this list to track which topics you are comfortable with.


Revision Materials
Materials that you may use to revise the Threat Visualizer content include:

• Live Webinars/Classes

• On-demand eLearning videos

• Dedicated Training Manuals

• The Darktrace Product Guides

Most of these materials are located in the Darktrace Academy section of the Customer Portal.

Firstly, you are more than welcome to attend live webinars with our global instructors as many times
as you would like. To sign up for these complimentary classes, go to the Training Courses page.

Remember, attending all the classes in the Threat Visualizer Essentials certification path gives
you access to course-specific Training Manuals. The course-specific Training Manuals for Threat
Visualizer are available from the Training Videos page, at the end of the Threat Visualizer video
categories.

These manuals have been written to complement the training you received and will have a lot of detail
about the different topics. Consider these useful reference documents as the exams are structured
around the course content.

If on-demand eLearning is preferable, bite-size training videos can be found in the Training Videos
page. There you will find an eLearning library covering a range of topics, sorted into relevant classes.

For further reading materials, navigate to the Product Guides section of the Customer Portal. These
articles outline many areas of the Darktrace Product Suite.

One of the best ways to study is to utilize these materials in conjunction with hands-on practice using
the interface. Note that you will have access to a Threat Visualizer interface in the certification exam
and will be expected to answer questions based on this interface.


Exam Practice

Sample Questions

The certification exam contains multiple questions, both theoretical and practical. To answer some
questions, you will need to access a Threat Visualizer interface, which is accessible only during
the examination.

The question format below is similar to what you will have access to during the Threat Visualizer
Essentials exam. Each question is worth one mark.

If possible, practice the following questions using your own Threat Visualizer interface. Remember to
remove any changes afterwards so it does not impact your deployment!

1. Refer to your assigned Darktrace cloud master for this question. What is the MAC address of
the device LT-LON-102?
a. 2E:44:B3:22:8C:B4
b. 3D:33:E5:33:C9:E5
c. 4A:22:C3:44:9A:A6
d. 5C:16:91:55:D2:E1
(1)

2. Refer to your assigned Darktrace cloud master for this question. How many model breaches
are there in the Suspicious category in the last 24 hours?
a. 0
b. 1-3
c. 4-6
d. 7+
(1)

3. Which of the following ports is a commonly used transport layer networking port?
a. 15
b. 77
c. 103
d. 443
(1)

4. Which of the following are operators that can be used for Advanced Search queries?
a. LOOP, FOR, WHILE
b. AND, OR, NOT
c. TRUE, FALSE
d. IF, ELSE
(1)


Sample Answers

The correct answer is highlighted in orange and is in bold format. An examiner's guide is written in
orange to show you some example methodologies for these questions.

1. Refer to your assigned Darktrace cloud master for this question. What is the MAC address of
the device LT-LON-102?
a. 2E:44:B3:22:8C:B4
b. 3D:33:E5:33:C9:E5
c. 4A:22:C3:44:9A:A6
d. 5C:16:91:55:D2:E1

In the certification exam, some questions require you to use your assigned Darktrace cloud master
deployment. You can then find the MAC address (if seen) of any device using the Device Summary for
that device in the Omnisearch bar.

2. Refer to your assigned Darktrace cloud master for this question. How many model
breaches are there in the Suspicious category in the last 24 hours?
a. 0
b. 1-3
c. 4-6
d. 7+

In the certification exam, some questions require you to use your assigned Darktrace cloud master
deployment. You can filter model breaches by the Suspicious category as seen in the screenshot, as
well as using the other appropriate filters (Time Range of last 24 hours, minimum Threat Score Range
of 0-100), then simply count the number of model breaches.

3. Which of the following ports is a commonly used transport layer networking port?
a. 15
b. 77
c. 103
d. 443

A basic knowledge of networking is also required for this certification. Ports 15, 77 and 102 do not
correspond to any commonly used network service. 443 corresponds to HTTPS (HTTP over SSL).
This information is also provided in the Threat Visualizer Part 2 manual under ‘Common Ports and
Protocols’.


4. Which of the following are operators that can be used for Advanced Search queries?
a. LOOP, FOR, WHILE
b. AND, OR, NOT
c. TRUE, FALSE
d. IF, ELSE

Try them out in the cloud master provided; otherwise, recall from the Threat Visualizer Part 2
manual under the Advanced Search section:


Certification Process
The following section outlines what procedure you may expect for the Threat Visualizer Essentials
certification examination.

Exam Procedure
In order to become Darktrace certified, you must complete one exam for the Threat Visualizer path -
this exam combines both theoretical and practical questions.

The exam procedure is made up of three stages: Reception, Verification and Examination.
Familiarizing yourself with this procedure prior to the examination should ensure that things run
smoothly on the day of your test.

STEP           DURATION      INFORMATION
Reception      15 minutes    Introduction and explanation to exam with Q&A
Verification   15 minutes    Private exam session and identification checks
Examination    3 hours       Examination on Customer Portal

Finish

We require you to share your screen and we need to ensure that it is you who is taking the exam. As
such, a webcam will be required so we can verify your identity and confirm your presence for the
duration of the exam. Please make sure that your settings are configured to allow screen-sharing
through Zoom.

Step 1: Reception
Prior to your examination, you will have received a Zoom link. It is recommended you follow this link
half an hour before the start of your exam to allow for set up.

Follow the link to join the Zoom webinar session. This will act as the reception room for your exam
where a Darktrace instructor will welcome all attendees and take the register to ensure all parties are
present. The instructor will explain the certification process and reiterate the rules to all the attendees.
If you have any questions about the exam process, the webinar is the appropriate place to ask them.

While in the Zoom webinar, each attendee will be provided with a unique link and password for their
individual Zoom meeting. When prompted, join the Zoom meeting and leave the webinar.


Step 2: Verification
In this Zoom meeting, we will verify your identity and check your surroundings. Please ensure you
have your identification to hand and your webcam enabled as the Darktrace instructor will need
both to perform an individual ID verification. This stage will allow time to ensure that your webcam is
functioning correctly in preparation for the exam.

In terms of ID verification, we require you to show us an official ID which contains your photo and full
name, such as:

• Passport
• Driver's license
• National identity card

For this exam, you will need to be logged into the Darktrace Customer Portal. Your exam will be ready
to take in the Darktrace Certification tab. Do not begin the exam until your Instructor allows it.

You will be provided with access to a Threat Visualizer interface which will be monitored during the
examination. The respective login details (links and passwords) are conveyed during the verification
step. Please inform your instructor if you are having issues accessing your dedicated interface. You
must wait until the exam begins before using the environment or viewing the questions.

Once verification is complete, you should be ready for the examination to begin as indicated by the
instructor.

Step 3: Examination
During the examination, students must ensure that their webcams and microphones are always on.
It is essential that you have enabled Zoom screen-sharing on your device prior to the examination.

You will be expected to complete a range of multiple-choice questions. This element of the certification
process will take place within the Darktrace Certification page of the Customer Portal.

Some questions will include practical elements, for which you will need to refer to your allocated
Darktrace Threat Visualizer interface in order to answer them. This will be indicated by the following
sentence at the beginning of the question: "Refer to your assigned Darktrace cloud master for
this question". You should try and complete these questions to the best of your ability within the
allotted time.

You may not need to use the full 3 hours of the allotted time. Upon completion of the exam, ensuring
you are satisfied with your answers, you are permitted to leave. Before you do so, please send a direct
message to the instructor to indicate that you have finished. Please note that you will not be able to
re-enter the Zoom meeting once you have completed your exam. You will then be able to exit the
Zoom application and continue with your day.

In the event that there are connection issues during the exam, we may need to contact you. Please
keep your phone to hand, face down, but with the phone call notification set to vibrate. If this rings
during the test, before answering, ask out loud if the instructor can hear you. If there is no answer,
please pick up your phone.


After the Exam


After completing the certification, you will likely be keen to know the results. On
completion of the theory element on the Customer Portal, click Review to display
your exam results.

If you have passed your exam, you will receive a certificate to confirm you are officially certified
for Threat Visualizer Essentials. You will also be issued with a digital badge which can be shared
online. Please note that Darktrace Certifications are valid for 3 years.

Key Facts

• The exam is a 3-hour multiple-choice test, accessible through the Customer Portal, with 90
questions.
• Candidates must answer correctly at least 70% of the questions to pass the certification.
• Candidates will be given access to a Threat Visualizer environment, allocated by the proctor. This
is used to answer the questions in the Customer Portal.


Requirements

Before you start your proctored exam, please carry out the following to ensure the exam procedure
runs smoothly.

• Restart your computer to ensure any pending updates have installed.

• Download the Zoom desktop application prior to the exam. Make sure you are on the most
recent version. Ensure the correct permissions have been granted so that there are no issues
with screen sharing or audio on the day of the exam.

• Test Zoom: https://zoom.us/test

• Enable screen-sharing for Zoom on your device in device Settings.

• Secure a reliable internet connection of at least 2.0 Mbps upload and download speed (3.0
Mbps recommended).
  • To check this, we recommend carrying out a speed test in advance of the session.
  • If there are multiple people using the same network, ensure that other users are not
  utilizing too much bandwidth. For example, if you are participating from home and another
  member of your household is streaming while you are taking the exam, kindly ask them to
  reschedule.

• Locate a quiet space where you will not be interrupted. Put in place the appropriate measures
to ensure you will not be disturbed during your test.

• Connect your computer to a power source. If this is not possible, ensure that your device is fully
charged before beginning the test.

• Keep your phone within reach. Make sure all notifications, excluding phone calls, are switched
off and that your phone is set to vibrate.

• Close all other programs on your device which may cause distractions.

• Gather only the supplies allowed for this test.
  • A box of tissues, a glass of water and your ID will be acceptable to have within reach of your
  workspace.


The exam will be hosted using Zoom. As such, there is a list of minimum requirements, as tabulated
below. It is preferable that you join the exam using an acceptable device type such as a desktop PC
or laptop. If you do not have audio hardware, you can connect via VOIP using your mobile or tablet.
However, the exam itself must be taken on a computer rather than a mobile device.

FEATURE: MINIMUM REQUIREMENTS AND RECOMMENDATIONS

Operating System:
• Windows 7 - Windows 10
• Mac OS X 10.9 (Mavericks) - macOS Catalina (10.15)
• Linux
• Google Chrome OS
• Android OS 5 (Lollipop) - Android 9 (Pie)
• iOS 10 - iOS 12
• Windows Phone 8+, Windows 8RT+

Browser:
• Google Chrome (most recent 2 versions)
• Mozilla Firefox (most recent 2 versions)

Internet Speed:
• Computer: 2 Mbps or better (broadband recommended)
• Mobile device: 3G or better (WiFi recommended for VoIP audio)

Software:
• Zoom desktop application (recommended)
• JavaScript enabled
• Screen-sharing permission for Zoom

Hardware:
• 2GB of RAM (minimum), 4GB or more of RAM (recommended)
• Microphone and speakers (USB headset recommended)

Mobile devices (for VOIP only):
• iPhone 4S or later
• iPad 2 or later


FAQs
Certification exams are fully proctored by Darktrace and therefore you will be required to share your
screen and have your webcam turned on.

What should I do if I have any special requirements, for example learning difficulties or medical
issues?

You should contact us after booking the exam to inform us of any potential challenges you may face
with the exam conditions or the exam format. We will be considerate of this and make appropriate
allowances.

What is the procedure if the Internet connection or the power drops?

If you lose Internet connection or if the Zoom call drops then use the standard troubleshooting
techniques to get back online. If this does not work then use either your phone or another device
to inform the proctor. If this is not possible then contact the proctor or another person at Darktrace
Academy as soon as you are able. Each case will be assessed individually.

Your computer battery should be fully charged prior to an exam. If the power goes off during the
exam, your device should automatically switch to battery power. If this occurs, inform your proctor.

If your power completely fails and you are unable to notify the proctor, then we will take this into
consideration and look to reschedule the remaining exam.

What can I do to ensure good connectivity if I am taking the exam from home?

1. Ensure you have at least a 3 Mbps download speed.

2. Check who else is using the Internet. If there are multiple Internet users, your connectivity may be
poorer than expected, especially if the other users are streaming or gaming.

3. Ensure that you have adequate equipment from your ISP. Any equipment more than 5 years old
may be limiting your Internet speeds.

4. Take the exam close to the router and if necessary avoid walls or anything else that may block a
Wi-Fi connection. Alternatively, use an Ethernet cable to connect to the router.

How do I keep others from entering my testing area workspace?

Ideally, you will take the exam in a quiet part of an office or your home. Some tips for ideal rooms are:

• If you are home alone for the duration of the exam, any room should suffice.
• If you are not home alone, giving forewarning or putting a sign up may help to deter people from
entering the exam room.
• If you have a room available at your workplace, ensure that you are alone and will not be
disturbed. Consider booking a private meeting room or similar for this purpose.


What can I do to make sure my connection is secure?

First of all, you should ensure that your wireless system is secured and that you follow the instructions
on your router to secure your wireless network.

Also, we recommend that you take your exam either at work or at home, but not while using free Wi-Fi.

Do I need to remove all items from my exam space?

The Darktrace certification exams are closed book. We will not be carrying out a thorough inspection
of your environment via webcam but trust you to complete this exam on your own, without the
assistance of colleagues. Items which are permitted to be on your desk are:

• ID - you will need this for the verification room.
• Phone - make sure notifications are muted.
• A beverage e.g. water, soda, tea or coffee.
• A snack.

You must stay within the view of the proctor at all times. If an item drops off your desk and you reach
for materials, the proctor may interrupt to ensure that no prohibited assets are being used.

What should I do if I need the bathroom during the exam?

You must notify the proctor that you will go to the bathroom, so they can be aware.

What should I do if I cannot attend the examination on the day?

Class sizes are limited. If you fail to attend the exam, you may have denied another person's access
to the exam. As such, you may be subject to fees which may ultimately result in a loss of your exam
payment that was paid on registration. Please see our terms and conditions for full details.

What data does Darktrace collect for certification?

Only a limited set of data will be required for certification. This may include:

• Registration data such as your full name and email address.
• Data to authenticate you as a test-taker, such as a form of photographic identification.
• Data to process your payment, such as a credit card or debit card number.

Will the Darktrace instructor (proctor) be able to access my computer?

If a Darktrace proctor needs to troubleshoot technical issues or enter an exam password, they will
always request permission first and will only gain access to the mouse and keyboard. You will always
have the ability to revoke privileges, even if you grant access. Any access granted will be automatically
disabled at the termination of the proctoring session.

If I fail the certification, can I have a retake?

You must pass both parts of the certification process to receive your official certificate. One retake is
permissible subject to our terms and conditions.


Contact Us
To sign up for examinations, go to the Darktrace Customer Portal.

For education inquiries, use the following contact details.

AMERICAS
[email protected]
US: +1 415 229 9100
LATAM: +55 11 97242 2011

EMEA
[email protected]
UK: +44 (0) 1223 394 100

APAC
[email protected]
APAC: +65 6804 5010
