You Can Pass This Exam For Free
Choose Your Study Path
Limited or no Falcon console experience. You understand general security concepts but need to learn the platform from scratch before tackling detection and response workflows.
Exam Overview
Format
60 multiple-choice questions (scenario-based and conceptual), 90 minutes. Proctored through Pearson VUE testing centers or online.
Scoring
Percentage-based scoring. Passing: 80%. No penalty for wrong answers — always answer every question.
Domains & Weights
- MITRE ATT&CK Framework Application: 5%
- Detection Analysis: 40%
- Event Search: 10%
- Event Investigation: 12%
- Search Tools: 13%
- Falcon Real Time Response (RTR): 20%
Registration
$250 USD. Available at Pearson VUE testing centers or online proctored. Requires a CrowdStrike exam voucher purchased through Pearson or your CrowdStrike Account Executive.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
MITRE ATT&CK Framework Application
This domain covers understanding and applying the MITRE ATT&CK framework within the Falcon console. At only 5% weight, expect roughly 3 questions, but this knowledge underpins detection analysis across the entire exam. You must know how ATT&CK tactics and techniques map to Falcon detections and how this context informs response decisions.
Key Topics
Must-Know Concepts
- MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Tactics represent the WHY, techniques represent the HOW
- Falcon maps each detection to specific ATT&CK tactics and techniques, providing immediate context about what the adversary is trying to accomplish
- Common ATT&CK tactics tested: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration
- ATT&CK context helps prioritize response: a detection mapped to Lateral Movement or Exfiltration is more urgent than one mapped to Discovery
- Falcon uses ATT&CK mappings in the detection details view, showing which tactics and techniques triggered the detection with links to ATT&CK documentation
Common Exam Traps
Detection Analysis
The heaviest domain at 40%: expect roughly 24 questions on this topic alone. This domain covers every aspect of analyzing and responding to detections in the Falcon console: interpreting dashboards, triaging detections, evaluating process views, managing IOCs, configuring exclusions, and making response decisions based on contextual data. Master this domain or you will not pass.
Key Topics
Must-Know Concepts
- Activity dashboard displays aggregate detection metrics: severity distribution, detection trends over time, top detections, and host activity. Endpoint detections page shows individual detection records with detailed context
- Full Detection view provides comprehensive detection information: triggering process, parent process, command line, ATT&CK mapping, severity, detection source, and contextual event data (IP, DNS, disk activity)
- Three process views: Process Tree (parent-child hierarchy), Process Table (tabular detail), Process Activity (chronological actions). Know what each reveals and when to use which
- Detection triage using filtering (by severity, status, host, detection type), grouping (by host, tactic, user), and sort-by (time, severity, status). These are essential workflow skills
- IOC types: hash, IP, domain. Hash management actions: Block, Block and Hide Detection, Detect Only, Allow, No Action. Know the exact effect of each action
- Allowlisting vs blocklisting: allowlisted hashes bypass all detection globally. Blocklisted hashes are prevented from executing. These are different from exclusions
- Three exclusion types and their effects: ML exclusions (suppress ML detections, sensor still collects data), IOA exclusions (suppress behavioral detections, sensor still collects data), sensor visibility exclusions (sensor stops collecting data entirely for specified paths)
- Prevalence evaluation: internal prevalence (within your environment) and external prevalence (across all CrowdStrike customers). Both inform investigation priority and response
- Detection sources determine response approach: ML-based, behavioral IOA, custom IOA, and intelligence-based detections may require different validation workflows
- OSINT tool integration provides external context for IPs, domains, and hashes directly from the detection view
- Host Search shows managed and unmanaged neighbors, revealing sensor coverage gaps
- Quarantine best practices: review quarantined files before releasing, add to allowlist before release to prevent re-quarantine
Common Exam Traps
Event Search
This domain covers performing and refining Event Advanced Searches from within a detection context. You must know how to navigate from a detection to an event search, use event actions to refine results, and distinguish between commonly used event types. At 10% weight, expect roughly 6 questions.
Key Topics
Must-Know Concepts
- Event Advanced Search allows analysts to query raw sensor telemetry data from within a detection. This provides additional context beyond what the detection summary shows
- Event actions allow analysts to refine search results: include/exclude specific values, pivot to related searches, and drill down into specific event fields
- Commonly used event types: ProcessRollup2 (process execution), DnsRequest (DNS lookups), NetworkConnect (network connections), FileWritten (file creation/modification), RegistryOperationEvent (registry changes), UserLogon (authentication events)
- ProcessRollup2 events are the most fundamental event type — they capture process execution details including executable path, command line, PID, parent PID, SHA256, and user context
- Event types can be filtered and combined to build comprehensive search queries that follow an attacker's activities across multiple telemetry sources
Common Exam Traps
Event Investigation
This domain covers using Process Timeline, Host Timeline, and Process Explorer to investigate detections. You must understand what information each tool provides, when to use each one, and how to analyze parent-child-sibling process relationships using Full Detection Details. At 12% weight, expect roughly 7 questions.
Key Topics
Must-Know Concepts
- Process Timeline shows all events associated with a SINGLE process in chronological order: file writes, network connections, DNS requests, registry changes, child process creation, and module loads
- Host Timeline shows all events across ALL processes on a specific endpoint in chronological order, giving a complete picture of host-level activity
- Process Explorer provides deep-dive analysis of a single process: command line, loaded modules, network connections, file activity, and relationships to other processes
- When to pivot from Event Search to Process Timeline: when you have identified a specific suspicious process and need to see everything it did. When to pivot to Process Explorer: when you need detailed information about a process's attributes and relationships
- Parent-child-sibling process relationships: the parent process launched the child process. Siblings share the same parent. Analyzing these relationships reveals attack chains (e.g., Word spawning PowerShell spawning cmd.exe)
- Full Detection Details include the complete process hierarchy, showing which process spawned the detected activity and what other processes share the same parent
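The process views above (Process Tree, Process Timeline, Host Timeline) and the parent-child-sibling relationships are easier to reason about when you rebuild them yourself from raw events. The block below is an added example written for this guide, not CrowdStrike code and not the Falcon schema: it takes a handful of constructed records shaped loosely like ProcessRollup2, DnsRequest, NetworkConnect and FileWritten events (the field names TargetProcessId, ParentProcessId, ContextProcessId, FileName, CommandLine and aid are assumptions), links parents to children, produces a single-process timeline and a host timeline, and flags the Office-to-PowerShell-to-cmd.exe chain the text uses as its example of an attack chain. The office/shell name lists are illustrative, not a complete rule.

```python
from collections import defaultdict

# Illustrative name lists for the detection rule at the bottom (assumption, not exhaustive).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}

# Constructed sample telemetry for one host. Field names mimic Falcon-style events
# but are an assumption for this example, not a statement about the real schema.
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "timestamp": 1, "aid": "host-A", "TargetProcessId": "100", "ParentProcessId": "1", "FileName": "explorer.exe", "CommandLine": "explorer.exe"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 2, "aid": "host-A", "TargetProcessId": "200", "ParentProcessId": "100", "FileName": "WINWORD.EXE", "CommandLine": "WINWORD.EXE invoice.docm"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 3, "aid": "host-A", "TargetProcessId": "300", "ParentProcessId": "200", "FileName": "powershell.exe", "CommandLine": "powershell.exe -File update.ps1"},
    {"event_simpleName": "DnsRequest", "timestamp": 4, "aid": "host-A", "ContextProcessId": "300", "DomainName": "example.invalid"},
    {"event_simpleName": "NetworkConnect", "timestamp": 5, "aid": "host-A", "ContextProcessId": "300", "RemoteAddressIP4": "203.0.113.10"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 6, "aid": "host-A", "TargetProcessId": "400", "ParentProcessId": "300", "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 7, "aid": "host-A", "TargetProcessId": "201", "ParentProcessId": "100", "FileName": "OUTLOOK.EXE", "CommandLine": "OUTLOOK.EXE"},
    {"event_simpleName": "FileWritten", "timestamp": 8, "aid": "host-A", "ContextProcessId": "400", "TargetFileName": "C:\\Users\\u\\stage.txt"},
]


def build_process_tree(events):
    """Index ProcessRollup2 events by process id and link each parent to its children."""
    tree = {}
    for ev in events:
        if ev["event_simpleName"] != "ProcessRollup2":
            continue
        tree[ev["TargetProcessId"]] = {
            "name": ev["FileName"], "parent": ev["ParentProcessId"],
            "cmdline": ev["CommandLine"], "children": [],
        }
    for pid, node in tree.items():
        parent = tree.get(node["parent"])
        if parent is not None:
            parent["children"].append(pid)
    return tree


def ancestry(tree, pid):
    """Process names from the oldest known ancestor down to pid (the Process Tree path)."""
    chain = []
    while pid in tree:
        chain.append(tree[pid]["name"])
        pid = tree[pid]["parent"]
    return list(reversed(chain))


def siblings(tree, pid):
    """Other processes launched by the same parent as pid."""
    node = tree.get(pid)
    parent = tree.get(node["parent"]) if node else None
    if parent is None:
        return []
    return [tree[c]["name"] for c in parent["children"] if c != pid]


def process_timeline(events, pid):
    """Everything one process did, in time order: its own events plus the children it spawned."""
    own = [ev for ev in events
           if ev.get("TargetProcessId") == pid
           or ev.get("ContextProcessId") == pid
           or (ev["event_simpleName"] == "ProcessRollup2" and ev.get("ParentProcessId") == pid)]
    return sorted(own, key=lambda ev: ev["timestamp"])


def host_timeline(events, aid):
    """All events across all processes on one endpoint, in time order."""
    return sorted((ev for ev in events if ev["aid"] == aid), key=lambda ev: ev["timestamp"])


def office_to_shell_chains(tree):
    """Flag shells whose ancestry passes through an Office application (e.g. Word -> PowerShell -> cmd)."""
    hits = []
    for pid, node in tree.items():
        if node["name"].lower() not in SHELLS:
            continue
        chain = ancestry(tree, pid)
        if any(name.lower() in OFFICE_APPS for name in chain[:-1]):
            hits.append((pid, " -> ".join(chain)))
    return sorted(hits)


if __name__ == "__main__":
    tree = build_process_tree(EVENTS)
    for pid, chain in office_to_shell_chains(tree):
        print(f"suspicious chain ending in pid {pid}: {chain}")
    for ev in process_timeline(EVENTS, "300"):
        print(ev["timestamp"], ev["event_simpleName"])
```

Reading the output side by side with the text: `ancestry` is what the Process Tree shows, `process_timeline` is the Process Timeline (note that a child's ProcessRollup2 appears in the parent's timeline because child creation is one of the parent's actions), and `host_timeline` is the Host Timeline. The pivot described in the text, from an event search hit to a single process, is the step from `EVENTS` to `process_timeline(EVENTS, pid)`.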
Common Exam Traps
Search Tools
This domain covers the five dedicated search tools in Falcon: User Search, IP Search, Hash Search, Host Search, and Bulk Domain Search. You must know what information each tool provides, how to interpret results, and when to use each tool during an investigation. At 13% weight, expect roughly 8 questions.
Key Topics
Must-Know Concepts
- User Search provides identity and activity information: user account details, associated hosts, recent logon activity, and any detections associated with the user
- IP Search provides context about an IP address: geolocation, associated hosts, reputation data, and recent activity involving that IP across the environment
- Hash Search provides file reputation information: SHA256 file details, detection history, prevalence data (internal and external), associated detections, and vendor intelligence
- Host Search provides endpoint details: hostname, OS, sensor version, last seen timestamp, policies applied, detection history, AND managed/unmanaged neighbors on the same network
- Bulk Domain Search allows lookup of multiple domains simultaneously for reputation, associated activity, and threat intelligence context
- Managed neighbors are endpoints WITH the Falcon sensor installed. Unmanaged neighbors are devices on the network WITHOUT the sensor — they represent security coverage gaps
Common Exam Traps
Falcon Real Time Response (RTR)
The second-heaviest domain at 20%: expect roughly 12 questions. This domain covers RTR technical capabilities, administrative configuration, connecting to hosts, using commands for investigation and remediation, custom scripts, workflow automation with RTR, and reviewing audit logs. RTR is the hands-on remediation tool that separates investigation from response.
Key Topics
Must-Know Concepts
- RTR enables remote shell access to endpoints for investigation and remediation. It works on Windows, macOS, and Linux. Sessions are established from the Falcon console directly to the endpoint
- RTR must be enabled in the response policy assigned to the host AND the analyst must have appropriate RTR role permissions. Both requirements must be met
- RTR role levels: RTR Active Responder can run read-only and active responder commands. RTR Administrator can run all commands including write operations, custom scripts, and full remediation commands
- RTR built-in commands include: ls (list files), cat (read files), ps (list processes), netstat (network connections), reg (registry operations), kill (terminate processes), rm (delete files), put/get (file transfer), runscript (execute scripts)
- Custom scripts can be uploaded and executed through RTR for complex remediation scenarios. Requires RTR Administrator role
- RTR session timeout: sessions disconnect after 10 minutes of inactivity. Scripts timeout after 30 seconds of execution
- File transfer through RTR: put sends files TO the endpoint, get retrieves files FROM the endpoint. File size limit is 4GB
- Workflows can be configured to automatically execute RTR custom scripts based on detection triggers using Falcon Fusion
- RTR audit logs record all sessions and commands: who connected, what commands were run, which hosts were accessed, and timestamps for accountability and compliance
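The two RTR rules that matter most here, that a session needs both a permitting response policy and an RTR role, and that every session and command is audited, can be exercised with a small reviewer script. The block below is an added example for this guide, not CrowdStrike code and not the real audit log format: it walks a set of constructed audit records, summarizes each session (who, which host, first and last command time), lists the write/remediation commands a reviewer should tie back to an approved case, and reconciles each command against the role recorded for the user. The role ranks and the per-command minimum role are an assumption derived from the guide's own description of the role levels (Active Responder: read-only plus active responder commands; Administrator: write operations and custom scripts), not an authoritative permission matrix.

```python
from collections import defaultdict

# Assumed role model, ordered from least to most privileged (names are illustrative).
ROLE_RANK = {"rtr_read_only_analyst": 0, "rtr_active_responder": 1, "rtr_administrator": 2}

# Assumed minimum role per built-in command, based on the guide's description:
# read-only commands, then active responder commands, then write/remediation commands.
COMMAND_MIN_ROLE = {
    "ls": 0, "cat": 0, "ps": 0, "netstat": 0, "reg": 0,
    "kill": 1, "get": 1,
    "put": 2, "rm": 2, "runscript": 2,
}

# Constructed audit records for this example (not real Falcon audit output).
AUDIT_LOG = [
    {"ts": "2024-05-01T10:00:01Z", "session_id": "s1", "user": "alice", "role": "rtr_active_responder", "host": "WS-0042", "command": "ps"},
    {"ts": "2024-05-01T10:00:20Z", "session_id": "s1", "user": "alice", "role": "rtr_active_responder", "host": "WS-0042", "command": "netstat"},
    {"ts": "2024-05-01T10:01:05Z", "session_id": "s1", "user": "alice", "role": "rtr_active_responder", "host": "WS-0042", "command": "kill 4242"},
    {"ts": "2024-05-01T11:30:00Z", "session_id": "s2", "user": "bob", "role": "rtr_administrator", "host": "WS-0042", "command": "put cleanup.ps1"},
    {"ts": "2024-05-01T11:30:40Z", "session_id": "s2", "user": "bob", "role": "rtr_administrator", "host": "WS-0042", "command": "runscript -CloudFile=\"remove_persistence\""},
    {"ts": "2024-05-01T12:15:00Z", "session_id": "s3", "user": "carol", "role": "rtr_read_only_analyst", "host": "SRV-07", "command": "ls C:\\Temp"},
    {"ts": "2024-05-01T12:16:00Z", "session_id": "s3", "user": "carol", "role": "rtr_read_only_analyst", "host": "SRV-07", "command": "rm C:\\Temp\\dropper.bin"},
    {"ts": "2024-05-01T13:00:00Z", "session_id": "s4", "user": "dave", "role": "rtr_active_responder", "host": "SRV-07", "command": "frobnicate"},
]


def can_start_session(policy_rtr_enabled, role):
    """Both conditions from the guide must hold: RTR enabled in the host's response policy AND an RTR role."""
    return bool(policy_rtr_enabled) and role in ROLE_RANK


def review_audit_log(entries):
    """Summarize sessions and flag commands that do not fit the recorded role or are unrecognised."""
    sessions = defaultdict(lambda: {"user": None, "host": None, "first": None, "last": None, "commands": []})
    findings = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        s = sessions[e["session_id"]]
        s["user"], s["host"] = e["user"], e["host"]
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
        s["commands"].append(e["command"])
        base = e["command"].split()[0]
        needed = COMMAND_MIN_ROLE.get(base)
        if needed is None:
            findings.append((e["session_id"], e["user"], e["command"], "unrecognised command"))
        elif ROLE_RANK[e["role"]] < needed:
            findings.append((e["session_id"], e["user"], e["command"], "command exceeds recorded role"))
    return dict(sessions), findings


def remediation_actions(entries):
    """Active responder and write commands that a reviewer should tie back to an approved case."""
    return [(e["user"], e["host"], e["command"]) for e in entries
            if COMMAND_MIN_ROLE.get(e["command"].split()[0], 0) >= 1]


if __name__ == "__main__":
    sessions, findings = review_audit_log(AUDIT_LOG)
    for sid, s in sessions.items():
        print(f"{sid}: {s['user']} on {s['host']} from {s['first']} to {s['last']}, {len(s['commands'])} commands")
    for finding in findings:
        print("finding:", finding)
    for action in remediation_actions(AUDIT_LOG):
        print("verify against case:", action)
```

A finding such as "command exceeds recorded role" would not normally be possible if the platform enforces roles correctly; its value in a review is as a consistency check on the audit trail and the role assignments, which is exactly what the accountability and compliance use of these logs is about.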
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.