You Can Pass This Exam For Free
Choose Your Study Path
Limited or no hands-on Falcon experience. You need to build foundational knowledge of the platform before tackling admin-level topics.
Week 1Set up a Falcon trial environment. Learn the Falcon console layout: Activity dashboard, Investigate, Host Management, Configuration, and Support & Resources sections
Week 2Study user management: creating local users, configuring SSO/SAML, understanding predefined roles (Falcon Administrator, Falcon Analyst, RTR roles), and RBAC best practices
Week 3Deep dive into sensor deployment: installation prerequisites per OS (Windows, macOS, Linux), installer switches, CID/CCID concepts, proxy configuration, and sensor health verification
Week 4Learn prevention policies: cloud-based ML settings, sensor-based ML settings, exploit mitigation, script-based execution monitoring, and behavioral IOA prevention
Week 5Study policy management: sensor update policies, device control policies, firewall management policies, containment, and host groups (static vs dynamic)
Week 6Cover allowlists, blocklists, and exclusion management. Understand IOA exclusions vs ML exclusions vs sensor visibility exclusions. Learn when to use each type
Week 7Study detection and response: alert triage in Investigate, detection severity levels, Real Time Response (RTR) capabilities, and quarantine management
Week 8Cover reporting and dashboards: custom dashboards, scheduled reports, host activity reporting, sensor health metrics, and API key management
Week 9Practice questions across all domains. Focus on policy configuration which is 25% of the exam
Week 10Take full mock exams, review weak areas, re-study any domains where you score below 70%. Remember the passing score is 70%
Exam Overview
Format
60 multiple-choice questions, 90 minutes. Proctored through Pearson VUE testing centers or online.
Scoring
Percentage-based scoring. Passing: 70%. No penalty for wrong answers — always answer every question.
Domains & Weights
- User and Access Management15%
- Sensor Deployment and Management20%
- Platform Navigation and Core Functionality15%
- Policy Configuration and Management25%
- Detection and Prevention15%
- Reporting and Administration10%
Registration
$250 USD. Available at Pearson VUE testing centers or online proctored. Exam fee is $250 USD. Requires a CrowdStrike University account.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Domain 115% of exam
User and Access Management
This domain covers user account creation, role-based access control (RBAC), SSO/SAML configuration, and API client management. You need to understand predefined roles, custom role creation, and how to manage programmatic access to the Falcon platform.
Key Topics
RBACSSO/SAMLAPI ClientsPredefined RolesCustom RolesMFA
Must-Know Concepts
- Predefined roles and their permissions: Falcon Administrator (full console access), Falcon Analyst (investigate and triage), Falcon Investigator (deep investigation), RTR Active Responder, RTR Administrator
- How to create local user accounts and assign roles. Know that a user can have multiple roles and permissions are additive
- SSO/SAML configuration basics: setting up an identity provider, metadata exchange, and attribute mapping
- API client creation: OAuth2 client credentials, scope assignment, and the principle of least privilege for API access
- Multi-factor authentication (MFA) enforcement options for console access
- Difference between read and write API scopes and which operations require which scope level
- How to manage API client lifecycle: creation, rotation, and revocation of credentials
Common Exam Traps
An RTR Active Responder and RTR Administrator are NOT the same role. Administrator has elevated privileges including running custom scripts
API clients have specific scopes. A client with Host read scope CANNOT modify host groups. Scopes are granular
SSO configuration does NOT eliminate the need for a local admin account. You must maintain at least one local admin for break-glass access
Roles are additive. A user with both Analyst and Administrator roles has the combined permissions of both
Domain 220% of exam
Sensor Deployment and Management
This domain covers sensor installation across Windows, macOS, and Linux, including prerequisites, deployment methods, proxy configuration, troubleshooting, and sensor lifecycle management. You need to know OS-specific requirements and best practices for large-scale deployments.
Key Topics
Falcon SensorCIDSensor Update PoliciesProxy ConfigurationKernel CompatibilityDeployment Tools
Must-Know Concepts
- Pre-installation requirements per OS: Windows (admin rights, .NET not required), macOS (system extensions approval, MDM profile), Linux (kernel compatibility check)
- Customer ID (CID) is required during installation to register the sensor with your Falcon tenant. The CID includes a checksum
- Sensor installation command-line switches: CID, proxy settings, tagging, and quiet install options
- Sensor update policies: N (latest), N-1 (one version back), N-2 (two versions back). Use N-1/N-2 for staged rollouts in production
- Proxy configuration for environments where endpoints cannot directly reach the CrowdStrike cloud
- Sensor uninstallation: requires an uninstall token (anti-tamper protection) that is generated from the Falcon console
- How to verify sensor health: sensor status in console, RFM (Reduced Functionality Mode) indicators, and connectivity checks
- Deployment at scale using GPO, SCCM, Intune, Jamf, or configuration management tools (Ansible, Puppet, Chef)
Common Exam Traps
The Falcon sensor does NOT require a reboot on Windows after installation. It begins protecting immediately
On macOS, the system extension must be approved (via MDM or manually). Without approval, the sensor operates in reduced functionality
Linux sensor deployment requires kernel compatibility. Not all Linux distributions and kernel versions are supported
Reduced Functionality Mode (RFM) means the sensor is running but with limited capability, often due to kernel incompatibility or policy issues. It is NOT the same as the sensor being offline
The uninstall token is an anti-tamper feature. Without it, the sensor cannot be removed. This prevents adversaries from removing protection
Domain 425% of exam
Policy Configuration and Management
The heaviest domain at 25%. Covers all policy types: prevention, sensor update, device control, firewall, response, and containment. You must understand each policy type, its settings, and how policies are assigned to host groups with proper precedence.
Key Topics
Prevention PoliciesSensor Update PoliciesDevice ControlFirewall ManagementResponse PoliciesContainmentHost Groups
Must-Know Concepts
- Prevention policy settings in detail: cloud ML slider (disabled, cautious, moderate, aggressive, extra aggressive), sensor ML slider (same options), exploit mitigation, script-based execution monitoring, behavioral IOA prevention
- Prevention policy additional settings: adware/PUP detection, intelligence-sourced signatures, MalQuery detection, and file attribute check
- Sensor update policy options: auto-update (N), N-1, N-2, or specific build pinning. Maintenance windows for update scheduling
- Device control policy: USB mass storage blocking, read-only mode, specific device exceptions by vendor/product ID
- Falcon Firewall Management: rule creation, rule ordering (top-down, first match wins), platform-specific rules, and rule group management
- Response policy settings: RTR enablement, RTR custom script enablement, and remote script execution controls
- Containment: network isolating a host while maintaining CrowdStrike cloud connectivity. IP exclusions for maintaining access to critical services
- Policy assignment to host groups: how policies are linked to host groups and what happens when multiple policies could apply
- Policy precedence: when a host is in multiple host groups with different policies, how CrowdStrike determines which policy applies
- Default policies: every policy type has a default that applies to hosts not assigned to any specific host group
Common Exam Traps
Cloud ML and sensor ML are SEPARATE settings. You can set cloud ML to aggressive and sensor ML to moderate. They protect differently (cloud requires connectivity, sensor works offline)
Policy precedence is determined by the order of policies in the policy list. The FIRST matching policy wins, not the most restrictive. Admins control precedence by reordering
Default policies apply to ALL hosts not covered by a specific policy. Leaving the default policy weak is a common security mistake
Containment allows the host to reach CrowdStrike cloud ONLY (plus any IP exclusions). All other network access is blocked
Device control only covers USB MASS STORAGE by default. Other USB device classes (HID, audio) are not blocked unless specifically configured
Firewall rules are evaluated top-down. A broad ALLOW rule above a specific DENY rule will allow the traffic
Domain 515% of exam
Detection and Prevention
This domain covers how the Falcon platform detects and prevents threats, including alert triage, custom IOA rules, detection tuning, and response actions. You need to understand the detection pipeline and how to manage alerts effectively.
Key Topics
Detection PipelineIOAsIOCsCustom IOAsAlert TriageQuarantineRemediation
Must-Know Concepts
- Detection pipeline: how events flow from sensor telemetry through cloud analysis to generate detections and prevention actions
- Indicators of Attack (IOAs): behavioral-based detections that identify malicious patterns regardless of the specific malware involved
- Indicators of Compromise (IOCs): hash-based, domain-based, or IP-based indicators uploaded to Falcon for matching against endpoint activity
- Custom IOA rules: creating organization-specific detection rules based on process behavior, file writes, registry modifications, or DNS requests
- Detection severity levels: informational, low, medium, high, critical. Understanding what triggers each level
- Alert triage workflow: reviewing detections, assigning to analysts, setting status (new, in progress, true positive, false positive), and closing
- Quarantine management: viewing quarantined files, releasing false positives, and understanding automatic quarantine behavior
- Custom IOC management: uploading hash-based IOCs (SHA256), setting action (detect or prevent), and applying severity and expiration
Common Exam Traps
IOAs are BEHAVIORAL and detect attack patterns. IOCs are SIGNATURE/INDICATOR-based and match specific known artifacts. Know the difference
Custom IOA rules can be set to detect or prevent. Always test in detect mode first to avoid blocking legitimate activity
When you release a quarantined file, it goes back to its original location. You should add it to the allowlist BEFORE releasing to prevent immediate re-quarantine
Detection severity cannot be changed by administrators. CrowdStrike Intelligence sets severity based on threat analysis
A detection marked as 'false positive' does NOT automatically create an exclusion. You must manually create the appropriate exclusion
Domain 610% of exam
Reporting and Administration
This domain covers Falcon reporting capabilities, scheduled reports, dashboard customization, sensor health monitoring, and general administrative tasks. While the smallest domain by weight, it tests practical admin knowledge.
Key Topics
DashboardsScheduled ReportsSensor HealthAudit LogsNotificationsHost Activity
Must-Know Concepts
- Dashboard customization: creating custom dashboards with widgets showing detection trends, sensor health, host coverage, and security posture
- Scheduled reports: configuring recurring reports delivered via email. Options for frequency, content, and recipients
- Sensor health monitoring: identifying offline sensors, RFM hosts, sensors needing updates, and coverage gaps
- Audit log review: tracking administrative actions performed in the Falcon console (policy changes, user creation, exclusion modifications)
- Notification settings: configuring email and webhook notifications for detections, sensor events, and platform alerts
- Host activity data: understanding what telemetry the sensor collects and how long data is retained
Common Exam Traps
Scheduled reports are sent to specific email addresses. If a user leaves the organization, their scheduled reports continue unless manually deleted
Audit logs capture WHO made changes and WHEN, but may not capture the previous value. Document your changes separately for rollback purposes
Dashboard data is limited by the platform's data retention period. For historical data beyond the retention window, you need Falcon Data Replicator (FDR)
Notification thresholds should be tuned to avoid alert fatigue. Setting notifications for every low-severity detection creates noise
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Confusing IOA exclusions (behavioral detections) with ML exclusions (machine learning verdicts) — each suppresses a different detection type
Using sensor visibility exclusions when IOA or ML exclusions would suffice — visibility exclusions eliminate ALL telemetry, which is usually overkill
Thinking allowlisting and exclusions are the same — allowlisting is global by hash and bypasses everything; exclusions are targeted and can be scoped
Not understanding policy precedence — policies are applied based on their ORDER in the list, not by which is most restrictive
Confusing RTR Active Responder with RTR Administrator — Administrator has elevated privileges including custom scripts and file uploads
Forgetting that RTR requires BOTH a policy enabling it AND an RTR role assigned to the user — missing either one prevents access
Assuming cloud ML works when a host is offline — only sensor ML provides protection without cloud connectivity
Using N (latest) sensor version for all endpoints without staged rollout — best practice is N-1 or N-2 for production with N for test groups
Not maintaining a local admin account when SSO is configured — if the IdP is down, you lose all console access without a local break-glass account
Setting prevention features directly to Prevent mode without a Detect-mode tuning period — this risks blocking legitimate business applications
Exam-Ready Checklist
Can explain all 6 exam domains and their relative weights (15%, 20%, 15%, 25%, 15%, 10%)
Know all predefined Falcon roles and their permissions, especially RTR role differences
Understand sensor deployment prerequisites for Windows, macOS, and Linux including system extension approval on macOS
Can configure prevention policies: cloud ML, sensor ML, exploit mitigation, script monitoring, and behavioral IOA settings
Know the three exclusion types (IOA, ML, sensor visibility) and when to use each
Understand the difference between allowlisting (global, by hash) and exclusions (targeted, by path/behavior)
Can explain policy precedence: first match in the ordered list wins, default policy catches everything else
Know sensor update policy versioning: N, N-1, N-2 and when to use each
Understand containment: what it blocks, what it allows, and how IP exclusions work
Can explain the detection pipeline from sensor telemetry through cloud analysis to detection and prevention
Know how to create custom IOA rules and custom IOCs, and the difference between them
Understand device control, firewall management, and response policy configurations
Can navigate the Falcon console and know which section houses which functionality
Scored 70%+ on at least two full mock exams (the passing score is 70%). Aim for 80%+ for a comfortable margin
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.