The CrowdStrike Certified Falcon Administrator (CCFA) exam validates your ability to deploy, configure, and manage the CrowdStrike Falcon platform in production environments. If you're an IT administrator or security professional working with Falcon, this certification proves you can handle day-to-day platform operations — from sensor deployment to policy configuration to incident triage. Here's what the exam covers, how difficult it is, and how to prepare effectively.
What Is the CCFA?
The CCFA is CrowdStrike's foundational administrator certification. It targets professionals who manage the Falcon platform operationally: deploying sensors to endpoints, configuring prevention and detection policies, managing users and roles, and generating administrative reports.
Unlike vendor-neutral security certifications that test broad concepts, the CCFA is purely hands-on and platform-specific. Every question ties back to how you'd actually perform tasks inside the Falcon console. If you've never used the Falcon platform, this exam will be difficult regardless of your general security knowledge.
CrowdStrike recommends at least six months of hands-on experience with the Falcon platform in a production environment before attempting the exam. There are no formal prerequisites — no prior certifications or education requirements — but practical platform experience is effectively mandatory.
Exam Format at a Glance
| Detail | Value |
|--------|-------|
| Exam Code | CCFA-200b |
| Questions | 60 |
| Question Types | Multiple-choice and scenario-based |
| Duration | 90 minutes |
| Passing Score | 70% |
| Exam Fee | $250 |
| Delivery | CrowdStrike University proctored exam |
At 60 questions in 90 minutes, you get 90 seconds per question on average. That's more generous than some other security exams (CompTIA SecAI+ gives you 60 seconds per question), but scenario-based questions that describe a Falcon deployment situation and ask you to choose the right administrative action can eat into that buffer if you're not familiar with the platform's interface.
The Six Domains
The CCFA exam covers six domains, each focused on a different aspect of Falcon platform administration. Understanding the weight distribution is critical for allocating study time.
Domain 1: User and Access Management (15%)
This domain tests your ability to manage user accounts, configure role-based access control (RBAC), and implement permission hierarchies within the Falcon platform. You need to understand how to provision users, assign roles with appropriate permissions, and govern access across a multi-tenant environment.
Key topics include:
- Creating and managing user accounts in the Falcon console
- Configuring RBAC roles and custom permissions
- Understanding permission inheritance and hierarchies
- User group management and access governance
- API client management and authentication tokens
Don't overlook the API client management aspect. In production environments, automated integrations rely on properly scoped API keys, and the exam tests whether you understand how to create and manage these securely.
Domain 2: Sensor Deployment and Management (20%)
This is the second-heaviest domain and covers the full lifecycle of Falcon sensor deployment. You need to know how to install sensors across different operating systems, manage sensor versions, troubleshoot deployment issues, and handle sensor policies at scale.
Key topics include:
- Deploying sensors on Windows, macOS, and Linux endpoints
- Sensor installation methods (MSI, package managers, scripts)
- Managing sensor update policies and versioning
- Troubleshooting sensor connectivity and communication issues
- Sensor tagging and grouping for policy assignment
- Understanding sensor proxy configurations
The exam presents scenario-based questions where a sensor isn't communicating properly or an endpoint isn't receiving policy updates. You need to diagnose the issue based on the described symptoms — not just know that sensors exist, but understand how they communicate with the Falcon cloud and what breaks that communication.
Domain 3: Platform Navigation and Core Functionality (15%)
This domain tests your familiarity with the Falcon console interface: how to navigate dashboards, use the activity app, search for hosts, and leverage the platform's core features for day-to-day operations.
Key topics include:
- Navigating the Falcon console and dashboard views
- Using the host search and management interface
- Understanding detection and alert workflows
- Leveraging the activity app for event investigation
- Managing host groups and dynamic grouping rules
This domain rewards daily users of the platform. If you've spent months clicking through the Falcon console, these questions will feel intuitive. If you've only read about the platform, the interface-specific questions will trip you up.
Domain 4: Policy Configuration and Management (25%)
This is the heaviest domain at 25% of the exam. It covers how to create, configure, and manage the various policy types within Falcon — prevention policies, sensor update policies, device control policies, and firewall management policies.
Key topics include:
- Creating and configuring prevention policies
- Understanding prevention policy settings and their security implications
- Managing sensor update policies for staged rollouts
- Configuring device control and USB policies
- Firewall management policies and rule creation
- Policy precedence and assignment to host groups
- Allowlists, blocklists, and IOA exclusions
The critical concept here is policy precedence. When multiple policies could apply to an endpoint, you need to understand which one takes effect and why. The exam tests this with scenarios where overlapping policies produce unexpected behavior, and you need to identify the root cause.
Also pay close attention to the distinction between different exclusion types: IOA exclusions, machine learning exclusions, sensor visibility exclusions, and custom blocking. Each serves a different purpose, and choosing the wrong exclusion type is a common real-world mistake that the exam tests directly.
Domain 5: Detection and Prevention (15%)
This domain covers how Falcon detects and prevents threats — understanding detection severity levels, managing detections in the queue, and responding to alerts appropriately.
Key topics include:
- Understanding detection severity and confidence levels
- Managing the detection queue and triage workflow
- Distinguishing between detections and preventions
- Investigating detections using process trees
- Real Time Response (RTR) session management
- Quarantine and network containment actions
You need to understand the difference between a detection (something suspicious was observed) and a prevention (something malicious was blocked). The exam tests whether you can interpret detection details, understand why Falcon flagged an activity, and decide on appropriate response actions.
Domain 6: Reporting and Administration (10%)
The lightest domain covers reporting capabilities, dashboard customization, and administrative tasks like managing audit logs and scheduled reports.
Key topics include:
- Creating and scheduling reports
- Customizing dashboard views
- Understanding audit logging and compliance reporting
- Managing notification settings and escalation rules
- Platform administration best practices
While this domain has the lowest weight, don't skip it entirely. The questions are generally more straightforward than other domains and represent easy points if you've used the reporting features.
How Difficult Is the CCFA?
The CCFA is generally considered a moderately difficult exam. The difficulty comes not from complex theoretical concepts but from the specificity of the questions. You need to know the Falcon platform's interface, settings, and behaviors at a granular level.
Here's what makes it challenging:
Platform specificity. Unlike vendor-neutral exams where general security knowledge helps, the CCFA tests CrowdStrike-specific workflows. Knowing endpoint security concepts in the abstract won't help if you don't know where a specific setting lives in the Falcon console or what a particular policy option does.
Scenario-based format. Questions describe real-world situations — a sensor not communicating, a policy not applying correctly, a detection that needs triage — and ask you to identify the cause or choose the best response. This rewards operational experience over textbook knowledge.
Policy nuance. The interplay between prevention policies, exclusions, host groups, and policy precedence creates complexity that's easy to underestimate. A question might describe a situation where a legitimate application is being blocked despite an exclusion being in place, and you need to identify which exclusion type is incorrect or why the policy precedence overrides it.
That said, candidates with six months or more of hands-on Falcon experience generally report the exam as manageable. The difficulty spikes for those who've only used the platform casually or studied from documentation without operational practice.
Common Mistakes to Avoid
Studying general endpoint security instead of Falcon specifics. The CCFA doesn't test whether you understand endpoint detection and response as a concept. It tests whether you can configure Falcon's specific EDR features. Studying a general EDR textbook won't prepare you for questions about Falcon-specific settings, menu locations, and workflow steps.
Ignoring sensor deployment edge cases. Sensor deployment sounds straightforward — install the agent, connect to the cloud. But the exam tests troubleshooting scenarios: sensors behind proxies, sensors on air-gapped networks, sensors failing to update, sensor version conflicts. Understand the common deployment failure modes and their resolutions.
Underestimating policy precedence. When multiple policies apply to a host through different host groups, which one wins? This is the most commonly missed concept according to community discussions. Understand how CrowdStrike resolves policy conflicts and how platform-default policies interact with custom policies.
Not practicing in the Falcon console. Reading documentation helps, but the exam's scenario-based questions are designed for people who've navigated the console repeatedly. If you have access to a Falcon environment, spend time clicking through every policy type, every detection workflow, and every administrative panel. Muscle memory with the interface translates directly to exam performance.
How to Prepare
1. Get Hands-On Falcon Experience
This is non-negotiable. The CCFA is a practical certification, and the exam reflects it. If your organization uses CrowdStrike Falcon, volunteer for administrative tasks: deploying sensors to new endpoints, creating host groups, configuring prevention policies, investigating detections. Six months of active administration is the baseline CrowdStrike recommends.
If you don't have production access, CrowdStrike University offers lab environments through their training courses. The Falcon Administrator course (CrowdStrike University 101) includes hands-on labs that mirror exam scenarios.
2. Complete CrowdStrike University Training
CrowdStrike offers official training through CrowdStrike University, accessible at university.crowdstrike.com. The relevant courses for CCFA preparation include:
- Falcon Platform Fundamentals
- Falcon Administrator (the most directly aligned course)
- Falcon Sensor Management
These courses are available to CrowdStrike customers and partners. If your organization has a CrowdStrike subscription, you likely have access to CrowdStrike University at no additional cost.
3. Allocate Study Time by Domain Weight
Given the domain weights, prioritize accordingly:
- Domain 4 (Policy Configuration): 25-30% of study time — this is the largest domain and involves the most nuance
- Domain 2 (Sensor Deployment): 20% of study time — second-largest and tests troubleshooting skills
- Domain 1 (User/Access Management): 15% of study time
- Domain 3 (Platform Navigation): 15% of study time
- Domain 5 (Detection/Prevention): 10-15% of study time
- Domain 6 (Reporting): 5-10% of study time
4. Study the Official Certification Guide
Download the CCFA Certification Guide from CrowdStrike's website (updated February 2026). It lists the specific objectives and topics covered in each domain. Use it as your study checklist — every bullet point is a potential exam question topic.
5. Practice With Scenario-Based Questions
Because the exam emphasizes applied knowledge, practice questions that present Falcon administration scenarios are more valuable than simple definition recall. Our free CCFA practice questions cover all six domains with scenario-based questions and detailed explanations.
Who Should Get the CCFA?
The CCFA is the right certification for:
- IT administrators responsible for managing CrowdStrike Falcon in their organization
- Security operations analysts who use Falcon daily for detection and response
- Managed security service provider (MSSP) staff who administer Falcon for multiple clients
- Systems engineers at CrowdStrike partners who deploy and configure Falcon for customers
If your role involves hands-on Falcon administration, the CCFA validates the skills you're already using and creates a formal credential for career advancement.
If you're more interested in CrowdStrike's incident response and threat hunting capabilities than in platform administration, look at the CCFR (CrowdStrike Certified Falcon Responder) certification instead.
Where CCFA Fits in the CrowdStrike Certification Path
CrowdStrike offers a tiered certification path:
- CCFA (Falcon Administrator) — foundational administration skills (this exam)
- CCFR (Falcon Responder) — incident response and threat hunting
- CCFH (Falcon Hunter) — advanced threat hunting with Falcon
The CCFA is the natural starting point. It establishes your operational baseline with the Falcon platform, which the responder and hunter certifications build on. Most professionals take CCFA first, then CCFR, as the responder exam assumes you already understand the administrative concepts CCFA covers.
CrowdStrike in the Market
CrowdStrike continues to expand its presence in the endpoint security market. As more organizations adopt the Falcon platform, demand for certified Falcon administrators grows. Unlike broad cybersecurity certifications that serve as general career credentials, the CCFA directly qualifies you for CrowdStrike-specific roles — which tend to command premium compensation because the talent pool is smaller than for general security roles.
Start Practicing Now
The most effective CCFA preparation combines hands-on platform experience with structured practice questions. Our free CrowdStrike CCFA practice questions cover all six exam domains with detailed explanations for every answer, helping you identify knowledge gaps before exam day.