Exam Overview
Format
60 multiple-choice questions, 90 minutes. Delivered via Pearson VUE (online or test center).
Scoring
Percentage-based scoring. Passing: 80%. You need at least 48 out of 60 correct answers to pass.
Domains & Weights
- ATT&CK Frameworks: 10%
- Detection Analysis: 12%
- Search and Investigation Tools: 15%
- Event Search: 23%
- Reports and References: 8%
- Hunting Analytics: 18%
- Hunting Methodology: 14%
Registration
Exam fee: $250 USD. Available at Pearson VUE testing centers or online proctored from home. Schedule through CrowdStrike University or Pearson VUE.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
ATT&CK Frameworks
This domain covers the MITRE ATT&CK framework and the cyber kill chain. You must understand how CrowdStrike maps Falcon detections to ATT&CK tactics and techniques, recognize adversary groups by CrowdStrike's naming conventions, and apply ATT&CK knowledge to research threat models and TTPs.
Key Topics
Must-Know Concepts
- Cyber kill chain phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives — know what happens at each phase
- MITRE ATT&CK matrix structure: Tactics (columns representing goals like Initial Access, Execution, Persistence) and Techniques (specific methods used to achieve each tactic)
- How CrowdStrike Falcon labels each detection with the relevant ATT&CK tactic and technique combination for contextual analysis
- CrowdStrike adversary naming conventions: BEAR (Russia), PANDA (China), KITTEN (Iran), SPIDER (eCrime), CHOLLIMA (North Korea), JACKAL (hacktivism), LEOPARD (Pakistan), WOLF (Turkey)
- How to operationalize ATT&CK: using the framework to research threat models, identify TTPs used by specific adversary groups, and inform hunting hypotheses
- The difference between TTPs: Tactics (strategic goals), Techniques (methods to achieve goals), and Procedures (specific implementation details of techniques)
Common Exam Traps
Detection Analysis
This domain tests your ability to interpret Falcon detections, analyze host and process timelines, and pivot from detection pages to other investigative tools. You must understand detection severity, process genealogy, and how to trace adversary activity through timeline analysis.
Key Topics
Must-Know Concepts
- How to interpret host timelines: reading chronological event sequences to reconstruct what happened on an endpoint
- Process tree analysis: tracing parent-child process relationships to identify suspicious execution chains (e.g., Word spawning PowerShell spawning cmd.exe)
- Detection severity levels in Falcon and how to prioritize analysis based on severity, confidence, and assigned ATT&CK tactic
- How to pivot from the detection page to additional investigative tools: host timeline, process timeline, Investigate module, Event Search
- Understanding process metadata: executable path, command line arguments, parent process, user context, file hash, and timestamps
- Recognizing common suspicious process chains: document editors spawning scripting engines, services spawning shells, unusual parent-child relationships
Common Exam Traps
Search and Investigation Tools
This domain tests your ability to analyze file and process metadata, differentiate between investigation tools within the Falcon console, and apply appropriate search methods. You must know when to use user searches, host searches, hash lookups, IP searches, and domain searches.
Key Topics
Must-Know Concepts
- Investigate module search types: user search (find user activity across hosts), host search (find host details and activity), hash lookup (find file prevalence and reputation), IP search (find network connections to an IP), domain search (find DNS queries to a domain)
- File metadata fields: file name, file path, SHA256 hash, file size, digital signature status, first seen and last seen timestamps
- Process metadata fields: process name, command line arguments, parent process ID, user SID, process start time, integrity level
- When to use each search type: hash for malware prevalence, IP/domain for C2 infrastructure, user for insider threats, host for endpoint-specific investigation
- How to pivot between search types: finding a suspicious hash, then searching for all hosts with that hash, then examining each host's activity
- Understanding search result context: prevalence (how common a file is), first/last seen dates, associated processes and hosts
Common Exam Traps
Event Search
The heaviest domain at 23% — approximately 14 questions. This domain tests your CQL (CrowdStrike Query Language) skills: defining syntax, constructing queries, formatting and filtering data, interpreting process relationships, understanding event types, converting Unix timestamps, and creating custom dashboards. Hands-on CQL experience is essential.
Key Topics
Must-Know Concepts
- CQL query syntax: field names, comparison operators (=, !=, <, >), boolean operators (AND, OR, NOT), wildcards (*), and regular expressions for pattern matching
- Key event types and their event_simpleName values: ProcessRollup2 (process creation), DnsRequest (DNS queries), NetworkConnectIP4 (network connections), UserLogon (authentication), FileWritten (file writes), RegKeyCreated/RegValueSet (registry operations)
- How to filter events using tag filters (#event_simpleName=) for faster indexed queries versus field filters for non-indexed searches
- Process relationship fields: TargetProcessId, ParentProcessId, ContextProcessId — how to correlate parent and child processes across events
- Unix timestamp conversion: converting epoch timestamps (seconds since January 1, 1970) to human-readable dates for analysis
- Formatting query results: selecting specific fields, sorting, aggregating (count, stats), and grouping results for analysis
- Creating custom dashboards: building visualization panels from CQL query results to monitor specific metrics or hunt findings
- Query optimization: using indexed tag filters first (#event_simpleName), narrowing timeframes, using specific matches before wildcards
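The process-tree analysis described under Detection Analysis and the parent/child correlation and epoch conversion listed above are the same operation on the data: join each event to its originating process by ID, walk upward to the root, and render the timestamps. The following is an added example written for this guide, not CrowdStrike code and not a CQL query. It runs the join in Python over a constructed set of ProcessRollup2 and DnsRequest events so the logic is visible; the field names `aid`, `TargetProcessId`, `ParentProcessId`, `ContextProcessId` and `ImageFileName` are the ones the guide lists, while the epoch-seconds field named `timestamp` is an assumed name for the example.

```python
"""Process genealogy from ProcessRollup2-style events.
Added example, not CrowdStrike code. Sample events are constructed; the
"timestamp" field (epoch seconds) is an assumed name for this example."""
from datetime import datetime, timezone

# Constructed telemetry for one sensor (aid "host-a"): Explorer starts Word,
# a macro-enabled document starts PowerShell, PowerShell starts cmd.exe, and
# a benign Explorer -> notepad.exe chain is included for contrast. The final
# DnsRequest event carries ContextProcessId instead of a process ID of its own.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "host-a", "TargetProcessId": 100,
     "ParentProcessId": 1, "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe", "timestamp": 1700000000},
    {"event_simpleName": "ProcessRollup2", "aid": "host-a", "TargetProcessId": 200,
     "ParentProcessId": 100,
     "ImageFileName": "\\Device\\HarddiskVolume1\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docm", "timestamp": 1700000030},
    {"event_simpleName": "ProcessRollup2", "aid": "host-a", "TargetProcessId": 300,
     "ParentProcessId": 200,
     "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile", "timestamp": 1700000060},
    {"event_simpleName": "ProcessRollup2", "aid": "host-a", "TargetProcessId": 400,
     "ParentProcessId": 300, "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "timestamp": 1700000061},
    {"event_simpleName": "ProcessRollup2", "aid": "host-a", "TargetProcessId": 500,
     "ParentProcessId": 100, "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "timestamp": 1700000090},
    {"event_simpleName": "DnsRequest", "aid": "host-a", "ContextProcessId": 300,
     "DomainName": "example.net", "timestamp": 1700000065},
]

# Parent/child pairs the guide calls out: a document editor spawning a script engine.
DOCUMENT_EDITORS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_ENGINES = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def epoch_to_iso(ts):
    """Render Unix epoch seconds as a UTC ISO-8601 string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def basename(image_path):
    """Lower-cased file name from a Windows device path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index ProcessRollup2 events by (aid, TargetProcessId). Process IDs are
    only unique per sensor, so the host id is part of the key."""
    return {(ev["aid"], ev["TargetProcessId"]): ev
            for ev in events if ev.get("event_simpleName") == "ProcessRollup2"}


def ancestry(by_pid, aid, pid):
    """Walk from a process to its root via ParentProcessId; root-first names."""
    chain, seen, key = [], set(), (aid, pid)
    while key in by_pid and key not in seen:   # seen-set guards against cycles in bad data
        seen.add(key)
        ev = by_pid[key]
        chain.append(basename(ev["ImageFileName"]))
        key = (aid, ev["ParentProcessId"])
    return list(reversed(chain))


def context_chain(by_pid, event):
    """Non-process events (DnsRequest, NetworkConnectIP4, ...) carry
    ContextProcessId, which matches the TargetProcessId of the process that
    produced them; resolve it to that process's ancestry."""
    return ancestry(by_pid, event["aid"], event["ContextProcessId"])


def suspicious_chains(events):
    """Return (aid, root-first chain, ISO time) for every process whose direct
    parent is a document editor and which is itself a script engine."""
    by_pid = build_tree(events)
    findings = []
    for (aid, pid), ev in sorted(by_pid.items(), key=lambda kv: kv[1]["timestamp"]):
        chain = ancestry(by_pid, aid, pid)
        if len(chain) >= 2 and chain[-2] in DOCUMENT_EDITORS and chain[-1] in SCRIPT_ENGINES:
            findings.append((aid, chain, epoch_to_iso(ev["timestamp"])))
    return findings


if __name__ == "__main__":
    for aid, chain, when in suspicious_chains(SAMPLE_EVENTS):
        print(when, aid, " -> ".join(chain))
    print(context_chain(build_tree(SAMPLE_EVENTS), SAMPLE_EVENTS[-1]))
```

The join key is the pair (sensor id, process id), which is the detail that matters when this is done at fleet scale: a bare process ID repeats across hosts and across reboots, so correlating only on `TargetProcessId` merges unrelated trees.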
Common Exam Traps
Reports and References
The lightest domain at 8% — roughly 5 questions. This domain tests your ability to use built-in Hunt and Visibility reports, and leverage the Events Full Reference documentation to find information about specific event types, fields, and data formats.
Key Topics
Must-Know Concepts
- Built-in Hunt reports: pre-configured reports that summarize suspicious behaviors, anomalous activities, and potential threats identified during hunting operations
- Visibility reports: reports showing sensor deployment coverage, data collection completeness, and endpoint visibility metrics across the environment
- Events Full Reference documentation: comprehensive reference listing all event types, their fields, descriptions, data formats, and relationships
- How to use the Events Full Reference to look up event_simpleName values, understand available fields, and determine data types for query construction
- Scheduled reports: configuring automated report generation and delivery for ongoing monitoring and compliance
- How reports complement active hunting: using report outputs to identify areas for deeper investigation
Common Exam Traps
Hunting Analytics
The second-heaviest domain at 18% — approximately 11 questions. This domain tests your ability to recognize malicious behaviors, understand target systems, evaluate information reliability, and critically differentiate testing, DevOps, or general user activity from genuine adversary behavior. This requires both technical knowledge and analytical judgment.
Key Topics
Must-Know Concepts
- Recognizing malicious behaviors: suspicious process chains, unusual network connections, unexpected file modifications, persistence mechanisms, credential access attempts, and lateral movement indicators
- Understanding target systems: knowing what normal looks like for servers versus workstations, domain controllers, web servers, database servers — each has different baseline behaviors
- Evaluating information reliability: assessing the confidence level of indicators, understanding false positive rates, and weighing multiple weak indicators versus one strong indicator
- Differentiating adversary activity from legitimate activity: DevOps automation, system administrators using remote tools, security scanning tools, software deployment systems, and testing/QA activities can all mimic adversary behavior
- Common adversary techniques that blend with legitimate activity: PowerShell usage, WMI execution, scheduled tasks, service creation, registry modifications, and remote desktop
- Baseline comparison: understanding what constitutes normal behavior for an environment and identifying deviations that warrant investigation
Common Exam Traps
Hunting Methodology
This domain tests your understanding of structured threat hunting approaches: conducting active hunting operations, performing outlier analysis, generating hypotheses, constructing EAM queries, and investigating process trees. You must know how to plan, execute, and document a complete hunting operation.
Key Topics
Must-Know Concepts
- Hypothesis-driven hunting: formulating a theory about adversary behavior based on threat intelligence or environmental context, then building queries to test the hypothesis
- Outlier analysis: using statistical methods to identify rare processes, unusual network connections, uncommon file paths, or other anomalies that deviate from established baselines
- EAM (Endpoint Activity Monitoring) query construction: building queries that leverage real-time endpoint telemetry to identify suspicious behaviors, ASEPs, and anomalous activity patterns
- Process tree investigation: tracing execution chains from initial entry point through lateral movement, examining parent-child relationships and command line arguments at each level
- Active hunting operations: the structured workflow of planning a hunt (scope, hypothesis, data sources), executing the hunt (running queries, analyzing results), and documenting findings
- Using threat intelligence to inform hunting: incorporating adversary TTPs from intelligence reports, known IOCs, and trending attack techniques into hunting hypotheses
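Outlier analysis as listed above, and the baseline comparison described under Hunting Analytics, usually start with the same question: on how many hosts has this executable (or command line) ever been seen? The following is an added example for this guide, not CrowdStrike code and not a CQL query; it computes that host prevalence in Python over a constructed four-host sample so the ranking is visible. The fields `aid`, `ImageFileName` and `CommandLine` are the ones the guide names; the sample paths and host ids are constructed.

```python
"""Prevalence-based outlier analysis ("stack counting").
Added example, not CrowdStrike code. Sample events are constructed."""
from collections import defaultdict

SYS32 = "\\Device\\HarddiskVolume1\\Windows\\System32\\"
SAMPLE_EVENTS = [
    # Constructed baseline: every host runs svchost.exe and explorer.exe.
    *[{"aid": h, "ImageFileName": SYS32 + "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
      for h in ("host-a", "host-b", "host-c", "host-d")],
    *[{"aid": h, "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\explorer.exe",
       "CommandLine": "explorer.exe"} for h in ("host-a", "host-b", "host-c", "host-d")],
    # Two hosts run an archiver; one host runs a binary from a user temp directory.
    {"aid": "host-b", "ImageFileName": "\\Device\\HarddiskVolume1\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": "7z.exe x backup.zip"},
    {"aid": "host-c", "ImageFileName": "\\Device\\HarddiskVolume1\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": "7z.exe x logs.zip"},
    {"aid": "host-d", "ImageFileName": "\\Device\\HarddiskVolume1\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "update.exe /silent"},
]


def host_prevalence(events, field="ImageFileName"):
    """Map each distinct value of `field` (case-folded) to the set of host ids
    (aid) it was observed on. Counting distinct hosts rather than raw events
    keeps one chatty host from inflating a value's apparent prevalence."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev[field].lower()].add(ev["aid"])
    return seen


def stack_count(events, field="ImageFileName"):
    """Long-tail view: (value, distinct-host count), rarest first."""
    prev = host_prevalence(events, field)
    return sorted(((v, len(h)) for v, h in prev.items()), key=lambda x: (x[1], x[0]))


def outliers(events, field="ImageFileName", max_hosts=1):
    """Values seen on at most `max_hosts` hosts, each with the hosts it ran on
    and the fleet size, so the analyst can judge rarity against the baseline."""
    prev = host_prevalence(events, field)
    fleet = len({ev["aid"] for ev in events})
    return [(v, sorted(h), fleet) for v, h in sorted(prev.items()) if len(h) <= max_hosts]


if __name__ == "__main__":
    for value, hosts, fleet in outliers(SAMPLE_EVENTS):
        print(f"{len(hosts)}/{fleet} hosts: {value} on {hosts}")
    for value, hosts, fleet in outliers(SAMPLE_EVENTS, field="CommandLine", max_hosts=1):
        print(f"{len(hosts)}/{fleet} hosts: {value!r}")
```

Rarity is a lead, not a verdict: in the sample the archiver on two hosts and the temp-directory binary on one host both fall in the tail, and only the baseline for that environment (who those hosts belong to, whether deployment tooling drops binaries there) says which deserves the timeline review.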
Common Exam Traps
Falcon Features You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.