CertPrepNow: CrowdStrike CCFH-202b (updated 2026-06-17)

CCFH-202b Study Guide

Everything you need to pass the CrowdStrike Certified Falcon Hunter exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CCFH-202b exam is heavily platform-specific, making it harder to pass with free resources alone. However, you can significantly reduce costs by leveraging these:

  • CrowdStrike University free eLearning courses (available to Falcon customers from the console)
  • CCFH Certification Exam Guide PDF (free download from CrowdStrike)
  • MITRE ATT&CK Framework official documentation and navigator (free)
  • CrowdStrike blog posts on threat hunting techniques and adversary research (free)
  • CQL Hub open query library for Falcon NextGen SIEM and LogScale (free)
  • 500+ free practice questions on this site

Unlike vendor-neutral certs, the CCFH requires hands-on experience with the Falcon console. If your organization uses CrowdStrike Falcon, you get free access to CrowdStrike University 100-level courses and practice exams. Without Falcon access, passing is significantly harder.

Choose Your Study Path

Limited CrowdStrike Falcon experience. You need to learn the platform fundamentals and threat hunting concepts from scratch.

Week 1: Learn CrowdStrike Falcon platform basics: console navigation, sensor deployment, host management, and the overall architecture. Complete FALCON 101 eLearning if available.
Week 2: Study the MITRE ATT&CK framework: tactics, techniques, procedures (TTPs), the cyber kill chain, and how CrowdStrike maps detections to ATT&CK. Learn CrowdStrike adversary naming conventions (BEAR, PANDA, SPIDER, etc.).
Week 3: Deep dive into detection analysis: host timelines, process timelines, process trees, detection severity levels, and how to pivot from detections to investigation tools in the Falcon console.
Week 4: Learn the Investigate module: user searches, host searches, hash lookups, IP searches, domain searches. Understand file and process metadata fields.
Week 5: Begin CQL (CrowdStrike Query Language) fundamentals: basic query syntax, event_simpleName filtering, field selection, time ranges, and boolean operators. Practice with common event types like ProcessRollup2 and DnsRequest.
Week 6: Advanced CQL: constructing multi-event queries, formatting and filtering results, converting Unix timestamps, understanding process relationships through TargetProcessId and ParentProcessId fields.
Week 7: Study Reports and References: built-in Hunt reports, Visibility reports, and the Events Full Reference documentation. Learn to create custom dashboards.
Week 8: Focus on hunting analytics: recognizing malicious behaviors, evaluating information reliability, differentiating adversary activity from DevOps/testing/user activity.
Week 9: Study hunting methodology: hypothesis-driven hunting, outlier analysis, EAM (Endpoint Activity Monitoring) queries, investigating process trees, and documenting hunt findings.
Week 10: Practice questions across all domains. Take full mock exams targeting 80%+. Focus on Event Search (23%) and Hunting Analytics (18%), which together make up 41% of the exam.

Exam Overview

Format

60 multiple-choice questions, 90 minutes. Delivered via Pearson VUE (online or test center).

Scoring

Percentage-based scoring. Passing: 80%. You need at least 48 out of 60 correct answers to pass.

Domains & Weights

  • ATT&CK Frameworks: 10%
  • Detection Analysis: 12%
  • Search and Investigation Tools: 15%
  • Event Search: 23%
  • Reports and References: 8%
  • Hunting Analytics: 18%
  • Hunting Methodology: 14%

Registration

Exam fee: $250 USD. Available at Pearson VUE testing centers or online proctored from home. Schedule through CrowdStrike University or Pearson VUE.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1: Must Know. You must understand these Falcon features and concepts deeply. They appear across multiple domains and in numerous questions.
Tier 2: Should Know. Understand these features and concepts well. Each may appear in 2-5 questions.
Tier 3: Recognize Only. Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1 (10% of exam)

ATT&CK Frameworks

This domain covers the MITRE ATT&CK framework and the cyber kill chain. You must understand how CrowdStrike maps Falcon detections to ATT&CK tactics and techniques, recognize adversary groups by CrowdStrike's naming conventions, and apply ATT&CK knowledge to research threat models and TTPs.

Key Topics

MITRE ATT&CK Framework, Cyber Kill Chain, CrowdStrike Adversary Naming, Tactics/Techniques/Procedures, Falcon Adversary Intelligence, ATT&CK Navigator

Must-Know Concepts

  • Cyber kill chain phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives — know what happens at each phase
  • MITRE ATT&CK matrix structure: Tactics (columns representing goals like Initial Access, Execution, Persistence) and Techniques (specific methods used to achieve each tactic)
  • How CrowdStrike Falcon labels each detection with the relevant ATT&CK tactic and technique combination for contextual analysis
  • CrowdStrike adversary naming conventions: BEAR (Russia), PANDA (China), KITTEN (Iran), SPIDER (eCrime), CHOLLIMA (North Korea), JACKAL (hacktivism), LEOPARD (Pakistan), WOLF (Turkey)
  • How to operationalize ATT&CK: using the framework to research threat models, identify TTPs used by specific adversary groups, and inform hunting hypotheses
  • The difference between TTPs: Tactics (strategic goals), Techniques (methods to achieve goals), and Procedures (specific implementation details of techniques)

Common Exam Traps

  • The cyber kill chain is linear and sequential. MITRE ATT&CK is a matrix where adversaries can use techniques from any tactic at any time — they are not the same model.
  • SPIDER refers to eCrime (financially motivated criminals), not a nation-state. Do not confuse adversary naming categories — the animal indicates motivation/origin.
  • ATT&CK sub-techniques exist under techniques. A question may test whether you know the difference between a technique and its sub-technique variants.
  • CrowdStrike maps detections to ATT&CK automatically. The exam tests your ability to interpret these mappings, not just memorize the ATT&CK matrix.

Quick Check: ATT&CK Frameworks

Question 1 of 3

A CrowdStrike Falcon detection is tagged with the ATT&CK tactic 'Lateral Movement' and technique 'Remote Services: SMB/Windows Admin Shares.' What does the TACTIC tell you about the adversary's behavior?

Domain 2 (12% of exam)

Detection Analysis

This domain tests your ability to interpret Falcon detections, analyze host and process timelines, and pivot from detection pages to other investigative tools. You must understand detection severity, process genealogy, and how to trace adversary activity through timeline analysis.

Key Topics

Host Timeline, Process Timeline, Process Tree, Detection Page, Severity Levels, Falcon Investigate

Must-Know Concepts

  • How to interpret host timelines: reading chronological event sequences to reconstruct what happened on an endpoint
  • Process tree analysis: tracing parent-child process relationships to identify suspicious execution chains (e.g., Word spawning PowerShell spawning cmd.exe)
  • Detection severity levels in Falcon and how to prioritize analysis based on severity, confidence, and assigned ATT&CK tactic
  • How to pivot from the detection page to additional investigative tools: host timeline, process timeline, Investigate module, Event Search
  • Understanding process metadata: executable path, command line arguments, parent process, user context, file hash, and timestamps
  • Recognizing common suspicious process chains: document editors spawning scripting engines, services spawning shells, unusual parent-child relationships

Common Exam Traps

  • A high-severity detection does not automatically mean a confirmed threat — you must analyze the detection context, process tree, and timeline before concluding.
  • Process timelines show events for ONE specific process. Host timelines show ALL events on a host. Do not confuse the scope of each view.
  • The detection page provides initial context, but you must pivot to additional tools for a complete investigation. The exam tests whether you know which tool to use next.
  • Legitimate administrative tools (PowerShell, PsExec, WMI) often trigger detections. The exam tests whether you can distinguish malicious use from legitimate administration.

Quick Check: Detection Analysis

Question 1 of 3

An analyst reviews a Falcon detection showing that Microsoft Word (winword.exe) spawned PowerShell, which then executed an encoded command. Which analysis step should the analyst take FIRST?

Domain 3 (15% of exam)

Search and Investigation Tools

This domain tests your ability to analyze file and process metadata, differentiate between investigation tools within the Falcon console, and apply appropriate search methods. You must know when to use user searches, host searches, hash lookups, IP searches, and domain searches.

Key Topics

Investigate Module, User Search, Host Search, Hash Lookup, IP Search, Domain Search, File Metadata, Process Metadata

Must-Know Concepts

  • Investigate module search types: user search (find user activity across hosts), host search (find host details and activity), hash lookup (find file prevalence and reputation), IP search (find network connections to an IP), domain search (find DNS queries to a domain)
  • File metadata fields: file name, file path, SHA256 hash, file size, digital signature status, first seen and last seen timestamps
  • Process metadata fields: process name, command line arguments, parent process ID, user SID, process start time, integrity level
  • When to use each search type: hash for malware prevalence, IP/domain for C2 infrastructure, user for insider threats, host for endpoint-specific investigation
  • How to pivot between search types: finding a suspicious hash, then searching for all hosts with that hash, then examining each host's activity
  • Understanding search result context: prevalence (how common a file is), first/last seen dates, associated processes and hosts

Common Exam Traps

  • Hash lookups show file prevalence across the environment. A low-prevalence hash is more suspicious than a high-prevalence one. The exam tests this logic.
  • User searches show activity across ALL hosts a user has accessed, not just one endpoint. This is critical for insider threat investigations.
  • Domain searches show which processes made DNS queries, not just which hosts. This level of detail helps identify the specific application communicating.
  • The Investigate module provides pre-built searches. Event Search (CQL) provides custom queries. The exam tests when each is more appropriate.

Quick Check: Search and Investigation Tools

Question 1 of 3

A security team suspects an insider threat where an employee may be exfiltrating data. Which Investigate module search type would BEST help identify all systems and files the employee has accessed?

Domain 5 (8% of exam)

Reports and References

The lightest domain at 8% — roughly 5 questions. This domain tests your ability to use built-in Hunt and Visibility reports, and leverage the Events Full Reference documentation to find information about specific event types, fields, and data formats.

Key Topics

Hunt Reports, Visibility Reports, Events Full Reference, Scheduled Reports, Report Customization

Must-Know Concepts

  • Built-in Hunt reports: pre-configured reports that summarize suspicious behaviors, anomalous activities, and potential threats identified during hunting operations
  • Visibility reports: reports showing sensor deployment coverage, data collection completeness, and endpoint visibility metrics across the environment
  • Events Full Reference documentation: comprehensive reference listing all event types, their fields, descriptions, data formats, and relationships
  • How to use the Events Full Reference to look up event_simpleName values, understand available fields, and determine data types for query construction
  • Scheduled reports: configuring automated report generation and delivery for ongoing monitoring and compliance
  • How reports complement active hunting: using report outputs to identify areas for deeper investigation

Common Exam Traps

  • Hunt reports show FINDINGS (suspicious activity). Visibility reports show COVERAGE (sensor health and data gaps). Do not confuse their purposes.
  • The Events Full Reference is your lookup tool for understanding event data — if you do not know what fields an event type contains, this is where you look.
  • Reports are pre-built and automated. Event Search is custom and ad-hoc. The exam tests whether you know when pre-built reports suffice versus when custom queries are needed.
  • Visibility reports should be reviewed BEFORE starting a hunt to ensure you have adequate sensor coverage and telemetry in the target environment.

Quick Check: Reports and References

Question 1 of 3

Before beginning a proactive threat hunt across a business unit's endpoints, what should the analyst review FIRST?

Domain 6 (18% of exam)

Hunting Analytics

The second-heaviest domain at 18% — approximately 11 questions. This domain tests your ability to recognize malicious behaviors, understand target systems, evaluate information reliability, and critically differentiate testing, DevOps, or general user activity from genuine adversary behavior. This requires both technical knowledge and analytical judgment.

Key Topics

Behavioral Analysis, Target System Understanding, Information Reliability, Adversary vs Legitimate Activity, Anomaly Recognition, Baseline Comparison

Must-Know Concepts

  • Recognizing malicious behaviors: suspicious process chains, unusual network connections, unexpected file modifications, persistence mechanisms, credential access attempts, and lateral movement indicators
  • Understanding target systems: knowing what normal looks like for servers versus workstations, domain controllers, web servers, database servers — each has different baseline behaviors
  • Evaluating information reliability: assessing the confidence level of indicators, understanding false positive rates, and weighing multiple weak indicators versus one strong indicator
  • Differentiating adversary activity from legitimate activity: DevOps automation, system administrators using remote tools, security scanning tools, software deployment systems, and testing/QA activities can all mimic adversary behavior
  • Common adversary techniques that blend with legitimate activity: PowerShell usage, WMI execution, scheduled tasks, service creation, registry modifications, and remote desktop
  • Baseline comparison: understanding what constitutes normal behavior for an environment and identifying deviations that warrant investigation

Common Exam Traps

  • PowerShell is used legitimately by administrators AND by adversaries. The exam tests whether you can analyze the CONTEXT (who ran it, what it did, when, from where) to determine if usage is malicious.
  • A single suspicious indicator is rarely conclusive. The exam presents scenarios where you must evaluate MULTIPLE indicators together to make a determination.
  • DevOps automation tools (CI/CD pipelines, configuration management) often trigger security detections. The exam tests whether you can recognize these as legitimate.
  • Low prevalence does not automatically mean malicious. Custom internal tools may have low prevalence across the environment but are completely legitimate.
  • Scheduled tasks and services are both legitimate Windows features and common persistence mechanisms. The exam tests contextual analysis to differentiate.

Quick Check: Hunting Analytics

Question 1 of 3

An analyst sees that PowerShell was executed on a server at 3:00 AM with an encoded command that downloads a script from an external URL. The server is a production web server with no scheduled maintenance window. How should the analyst assess this activity?

Domain 7 (14% of exam)

Hunting Methodology

This domain tests your understanding of structured threat hunting approaches: conducting active hunting operations, performing outlier analysis, generating hypotheses, constructing EAM queries, and investigating process trees. You must know how to plan, execute, and document a complete hunting operation.

Key Topics

Hypothesis-Driven Hunting, Outlier Analysis, EAM Queries, Process Tree Investigation, Hunting Documentation, Threat Intelligence Integration

Must-Know Concepts

  • Hypothesis-driven hunting: formulating a theory about adversary behavior based on threat intelligence or environmental context, then building queries to test the hypothesis
  • Outlier analysis: using statistical methods to identify rare processes, unusual network connections, uncommon file paths, or other anomalies that deviate from established baselines
  • EAM (Endpoint Activity Monitoring) query construction: building queries that leverage real-time endpoint telemetry to identify suspicious behaviors, ASEPs, and anomalous activity patterns
  • Process tree investigation: tracing execution chains from initial entry point through lateral movement, examining parent-child relationships and command line arguments at each level
  • Active hunting operations: the structured workflow of planning a hunt (scope, hypothesis, data sources), executing the hunt (running queries, analyzing results), and documenting findings
  • Using threat intelligence to inform hunting: incorporating adversary TTPs from intelligence reports, known IOCs, and trending attack techniques into hunting hypotheses

Common Exam Traps

  • Hypothesis-driven hunting requires a STARTING hypothesis. If the question describes hunting without a hypothesis, the methodology is likely data-driven or outlier-based, not hypothesis-driven.
  • EAM queries provide real-time data. Historical event search queries provide past data. The exam tests whether you know which to use based on the investigation timeline.
  • Outlier analysis can produce many false positives in diverse environments. The exam tests whether you understand that outliers need CONTEXTUAL analysis, not automatic escalation.
  • Documenting hunt findings is part of the methodology. The exam may test whether you know what to include in hunt documentation: hypothesis, queries used, findings, and recommended actions.

Quick Check: Hunting Methodology

Question 1 of 3

A threat intelligence report indicates that a specific adversary group is using DLL side-loading to achieve persistence on Windows systems. An analyst wants to hunt for this technique in their environment. Which hunting methodology best applies?

Falcon Features You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Indicators of Attack (IOAs) vs Indicators of Compromise (IOCs)

Use Indicators of Attack (IOAs) when…

Behavioral indicators that detect adversary tactics and techniques in real time, regardless of the specific malware or tools used. Focus on WHAT the attacker is DOING.

Use Indicators of Compromise (IOCs) when…

Static, artifact-based indicators like file hashes, IP addresses, domain names, and registry keys that identify KNOWN threats after they have been observed.

Exam trap

IOAs are behavioral and proactive — they catch novel attacks. IOCs are static and reactive — they only match known threats. CrowdStrike's Falcon platform emphasizes IOA-based detection. The exam tests whether you understand this fundamental distinction.

Host Timeline vs Process Tree

Use Host Timeline when…

Shows ALL events on a specific endpoint in chronological order: process executions, network connections, file operations, registry changes, and more. Answers the question 'what happened on this host?'

Use Process Tree when…

Shows the parent-child relationship chain of a SPECIFIC process: how it was spawned, what it spawned, and the full genealogy of execution. Answers 'how did this process get here?'

Exam trap

Host timeline provides breadth (all events on one host). Process tree provides depth (one process chain). Use host timeline to understand overall activity, then pivot to process tree for specific suspicious processes.

Event Search (CQL) vs Investigate Module

Use Event Search (CQL) when…

Flexible query-based searching using CrowdStrike Query Language to find specific events across the environment. Requires knowledge of query syntax, event types, and field names.

Use Investigate Module when…

Pre-built search interfaces for looking up specific entities: users, hosts, hashes, IPs, and domains. Point-and-click workflow that does not require query syntax knowledge.

Exam trap

Event Search is for custom, complex queries when you know what you are looking for. Investigate is for quick lookups of specific entities. The exam tests when to use each approach.

Hypothesis-Driven Hunting vs Outlier Analysis

Use Hypothesis-Driven Hunting when…

Starts with a specific theory about adversary behavior based on threat intelligence, known TTPs, or environmental context. You build queries to prove or disprove the hypothesis.

Use Outlier Analysis when…

Starts with data analysis to find statistical anomalies — rare processes, unusual network connections, or behaviors that deviate from the baseline. No specific hypothesis needed.

Exam trap

Hypothesis-driven hunting is top-down (theory first, then data). Outlier analysis is bottom-up (data first, then theory). Both are valid hunting methodologies tested on the exam.
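Bottom-up outlier analysis in query form, as an added example that is not part of the original page or CrowdStrike's own content: it counts, per executable hash, the distinct hosts that ran it and keeps the rare ones for contextual review, the step where low prevalence must not be equated with malicious. SHA256HashData, FilePath, aid, ComputerName and event_platform are assumed Falcon field names not given on the page, and groupBy(), count(), collect() and sort() are assumed CQL functions; verify both against the Events Full Reference for your sensor version.

```cql
// Added example (not from the page or CrowdStrike): bottom-up outlier analysis
// over ProcessRollup2. Rare hashes are candidates for review, not escalation:
// custom internal tools will land in this result set alongside anything hostile.
// Assumed field names: SHA256HashData, FilePath, aid, ComputerName, event_platform.

// Indexed tag filter (#event_simpleName), not the slow non-indexed event_simpleName= form
#event_simpleName=ProcessRollup2 event_platform=Win
| FilePath=/\\Users\\/i                                   // scope: executables launched from user profiles
| groupBy([SHA256HashData, FileName],
    function=[count(aid, distinct=true, as=HostCount),   // prevalence: distinct sensors that ran it
              count(as=ExecCount),                       // total executions in the time range
              collect([ComputerName], limit=5)])         // sample of affected hosts for pivoting
| HostCount <= 2                                         // keep only the rare hashes
| sort(HostCount, order=asc, limit=200)
```

Pivot each surviving hash into a hash lookup and the host timeline before deciding; a HostCount of 1 on a developer workstation usually turns out to be a locally built tool.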

ProcessRollup2 vs DnsRequest

Use ProcessRollup2 when…

Event type that captures process creation details including executable path, command line arguments, parent process ID, file hash, and user context. The primary event for tracking what programs ran.

Use DnsRequest when…

Event type that captures DNS query details including the domain name queried, the requesting process, and the response. Used to track what domains endpoints are communicating with.

Exam trap

ProcessRollup2 tells you WHAT ran. DnsRequest tells you WHERE it tried to connect. Correlating these by process ID reveals whether a suspicious process made suspicious DNS queries.
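As an added example (not from the page or from CrowdStrike), the multi-event query below ties together the Week 5 and 6 skills and the ProcessRollup2/DnsRequest pairing: an indexed tag filter, regex field filters for a document editor spawning PowerShell with an encoded command, epoch-seconds to readable time, and a join to the child process's DNS requests by process ID. Field names beyond those on the page (event_platform, ParentBaseFileName, FileName, CommandLine, ProcessStartTime, ComputerName, ContextProcessId, DomainName) and the formatTime(), join(), groupBy(), collect() and table() functions are assumed Falcon/LogScale names; verify them in the Events Full Reference before relying on the query.

```cql
// Added example (not from the page or CrowdStrike): Office document editor -> PowerShell
// with an encoded command, joined to the DNS queries that PowerShell process made.
// Assumed field and function names are listed in the lead-in; check the Events Full Reference.

// Indexed tag filter (#event_simpleName), not the slow non-indexed event_simpleName= form
#event_simpleName=ProcessRollup2 event_platform=Win
| ParentBaseFileName=/^(winword|excel|powerpnt)\.exe$/i   // parent: a document editor
| FileName=/^powershell\.exe$/i                           // child: the scripting engine
| CommandLine=/\s-(e|ec|enc|encodedcommand)\s/i           // encoded command-line switch

// Falcon stores ProcessStartTime as epoch seconds; formatTime() expects milliseconds
| ProcessStartTime := ProcessStartTime * 1000
| formatTime(format="%Y-%m-%d %H:%M:%S", field=ProcessStartTime, as=StartTime, timezone="UTC")

// Multi-event correlation: the child's TargetProcessId appears as ContextProcessId on its
// DnsRequest events. The subquery collapses the domains per process first, so each
// PowerShell execution yields one row carrying every domain it queried.
| join({#event_simpleName=DnsRequest
        | groupBy(ContextProcessId, function=collect([DomainName], limit=50))},
       field=TargetProcessId, key=ContextProcessId, include=[DomainName], mode=inner)

| table([StartTime, ComputerName, ParentBaseFileName, FileName, CommandLine, DomainName], limit=200)
```

Each row is a lead, not a verdict: confirm it in the process tree and host timeline, since signed deployment tooling can produce the same parent-child shape.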

Tactics vs Techniques

Use Tactics when…

In the MITRE ATT&CK framework, tactics represent the adversary's GOAL — the WHY behind an action. Examples: Initial Access, Execution, Persistence, Lateral Movement, Exfiltration.

Use Techniques when…

In the MITRE ATT&CK framework, techniques represent HOW the adversary achieves a tactic — the specific method used. Examples: Spearphishing (Initial Access), PowerShell (Execution), Registry Run Keys (Persistence).

Exam trap

Tactics are the columns in the ATT&CK matrix (strategic goals). Techniques are the cells (specific methods). One tactic can have many techniques. The exam tests whether you can map observed behaviors to the correct tactic and technique.

Hunt Reports vs Visibility Reports

Use Hunt Reports when…

Built-in reports that summarize hunting-relevant findings including suspicious behaviors, anomalous activities, and potential threats identified during hunting operations.

Use Visibility Reports when…

Built-in reports that show sensor coverage, data collection completeness, and endpoint visibility metrics. Help ensure you have adequate telemetry before hunting.

Exam trap

Hunt reports focus on THREATS FOUND. Visibility reports focus on COVERAGE GAPS. Run visibility reports first to ensure you have adequate data, then use hunt reports to track findings.

Top Mistakes to Avoid

  • Confusing host timelines (all events on one endpoint) with process trees (parent-child chain of one process) — they have different scopes and purposes.
  • Using non-indexed field filters (event_simpleName=) instead of indexed tag filters (#event_simpleName=) in CQL queries, resulting in slow queries.
  • Not understanding Unix timestamp conversion — Falcon event data uses epoch timestamps in seconds since January 1, 1970, and you must convert them to human-readable dates.
  • Confusing MITRE ATT&CK tactics (the adversary's goal) with techniques (the specific method used to achieve that goal).
  • Treating the cyber kill chain and MITRE ATT&CK as interchangeable — the kill chain is linear and sequential, while ATT&CK is a matrix where techniques can be used in any order.
  • Assuming all PowerShell or PsExec usage is malicious — these are legitimate administrative tools that require contextual analysis to determine intent.
  • Mixing up CrowdStrike adversary naming conventions: SPIDER is eCrime (not a nation-state), BEAR is Russia, PANDA is China, KITTEN is Iran.
  • Forgetting to check Visibility reports before starting a hunt — without confirming sensor coverage, you may have blind spots in your hunting scope.
  • Immediately escalating outlier findings without contextual analysis — low-prevalence items may be legitimate custom or internal tools.
  • Using ProcessRollup2 when looking for DNS or network events — each event type captures different telemetry, and you must use the correct event_simpleName.

Exam-Ready Checklist

  • Can explain all 7 exam domains and their relative weights (10%, 12%, 15%, 23%, 8%, 18%, 14%)
  • Know the cyber kill chain phases and can map them to MITRE ATT&CK tactics
  • Can construct CQL queries using indexed tag filters, boolean operators, wildcards, and field selection
  • Know the key event types: ProcessRollup2, DnsRequest, NetworkConnectIP4, UserLogon, FileWritten, and their purposes
  • Can differentiate between host timeline, process tree, and Investigate module searches — know when to use each
  • Understand CrowdStrike adversary naming: BEAR, PANDA, SPIDER, KITTEN, CHOLLIMA, JACKAL and what each represents
  • Can convert Unix epoch timestamps to human-readable dates and understand their format in Falcon events
  • Know the difference between Hunt reports (findings) and Visibility reports (coverage) and when to use each
  • Can differentiate legitimate activity (DevOps, admin tools, testing) from adversary behavior using contextual analysis
  • Understand hypothesis-driven hunting versus outlier analysis and when to apply each methodology
  • Can trace process trees to identify suspicious execution chains and parent-child relationships
  • Know how to use the Events Full Reference documentation to look up event types and their fields
  • Scored 80%+ on at least two full practice exams (the passing score is 80% with no margin for error)

Recommended Resources

Free & Official Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.
