## Why It Matters

A training program only counts as audit evidence if participants demonstrate they learned the material and formally agree to follow the controls. Kit handles both: a **knowledge check** they must pass and an **attestation** they must sign. Both are configured here, and both are required before a program can go live.

## The Knowledge Check

Open **Knowledge check** from the program editor. The seeded quiz has **7 questions** covering the highest-risk topics: acceptable MFA factors, the dependency cooldown rule, what to do after clicking a phishing link, where to store passwords, how card data is handled, an employee's role during a service disruption, and how to respond to a suspicious wire-transfer (business email compromise) request.

Each question has:

| Field | Purpose |
|-------|---------|
| Question | The prompt shown to the participant. |
| Answer options | The multiple-choice answers. |
| Correct answer | The option marked correct. Used for grading; never shown to participants. |

There is also a **pass mark (%)** for the whole quiz. The template default is **86%** (6 of 7 correct). Adjust the questions, options, correct answers, and pass mark, then save.

> [!CAUTION]
> The correct answer is the grading key. It is stored separately from what participants see and is never exposed in the participant view — but double-check you've marked the right option before publishing.

Questions with a blank prompt are dropped when you save, so you can clear a row to remove a question.
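The following is an added example, not Kit's code or schema. It models the behaviour this section describes: blank-prompt rows are dropped on save, the grading key is stripped from the participant view, and answers are graded against the pass mark. The `Question` model and all function names are hypothetical, and rounding the score to a whole percent is an assumption chosen so that 6 of 7 correct reads as 86%.

```python
# Added example: hypothetical data model, not Kit's code or schema.
from dataclasses import dataclass

@dataclass
class Question:
    prompt: str
    options: list[str]
    correct: int  # index into options; this is the grading key

def save_quiz(rows):
    """Drop rows with a blank prompt (as the page describes); reject a bad key."""
    kept = [q for q in rows if q.prompt.strip()]
    for q in kept:
        if not 0 <= q.correct < len(q.options):
            raise ValueError(f"no valid correct answer marked: {q.prompt!r}")
    return kept

def participant_view(quiz):
    """What the participant receives: prompts and options only, never the key."""
    return [{"prompt": q.prompt, "options": list(q.options)} for q in quiz]

def score_percent(correct, total):
    """Whole-percent score, rounded half up (assumption, see lead-in)."""
    if total <= 0:
        raise ValueError("quiz has no questions")
    return (200 * correct + total) // (2 * total)

def grade(quiz, answers, pass_mark=86):
    """Grade against the stored key; answers is a list of chosen option indexes."""
    if len(answers) != len(quiz):
        raise ValueError("one answer per question is required")
    correct = sum(a == q.correct for q, a in zip(quiz, answers))
    pct = score_percent(correct, len(quiz))
    return {"correct": correct, "percent": pct, "passed": pct >= pass_mark}

def min_correct(total, pass_mark=86):
    """Fewest correct answers that reach the pass mark for a quiz of this size."""
    return next(n for n in range(total + 1) if score_percent(n, total) >= pass_mark)

# Constructed sample: 7 placeholder questions plus one cleared (blank) row.
ROWS = [Question(f"Q{i}", ["a", "b", "c"], i % 3) for i in range(1, 8)]
ROWS.append(Question("  ", ["a", "b"], 0))

if __name__ == "__main__":
    quiz = save_quiz(ROWS)
    print(len(quiz), "questions;", min_correct(len(quiz)), "correct needed")
    six_right = [q.correct for q in quiz[:6]] + [(quiz[6].correct + 1) % 3]
    print(grade(quiz, six_right))
```

Under that rounding assumption, clearing one row to leave 6 questions means an 86% pass mark requires all 6 correct, so revisit the pass mark whenever you change the number of questions.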

## The Attestation

Open **Attestation** from the program editor. This is the legal sign-off each participant must agree to before completion is recorded. The seeded text summarizes the controls covered in the deck — MFA, password manager, device compliance, data handling, dependency hygiene, and incident reporting.

Like slides, the attestation supports `{{ variables }}`. The default text uses `{{ incident_contact }}` so the sign-off names the right reporting contact for your company. Edit the text to match your policies, save, and you're done.

> [!TIP]
> Keep the attestation specific and plain-spoken. It's the record an auditor reads, so it should state exactly what the person is committing to.

## Publishing

A program moves through three states: **Draft → Published → Archived**.

Before you can publish, the program must clear three requirements. The editor shows a banner listing any that are still missing:

| Requirement | Blocker shown if missing |
|-------------|--------------------------|
| At least one slide | *Add at least one slide.* |
| A configured knowledge check | *Configure the knowledge-check quiz.* |
| Attestation text | *Add the sign-off attestation text.* |

Once all three are satisfied, the **Publish** button activates. Click it to set the program live.

## Pausing a Program

A published program can be paused at any time with the **Pause** action, which moves it to **Archived**. Pause it when you need to take it offline — for example, while you revise the content.

## Quick Checklist

- [ ] Every quiz question has a correct answer marked
- [ ] The pass mark reflects your standard (default 86%)
- [ ] The attestation text matches your policies and names your incident contact
- [ ] The program has at least one slide
- [ ] No publish blockers remain in the editor banner
- [ ] You clicked **Publish**

## Related

- [Security Training Overview](/docs/security-training-overview)
- [Build from the Smart Template](/docs/training-smart-template)
- [Editing Slides](/docs/training-editing-slides)