CertPrepNow
CrowdStrike CCFR-201b, updated 2026-06-17

CCFR-201b Study Guide

Everything you need to pass the CrowdStrike Certified Falcon Responder exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CCFR exam is passable with free resources if you have hands-on experience with the Falcon platform and study consistently for 3-6 weeks:

  • CrowdStrike official CCFR Certification Guide PDF (free download from CrowdStrike University)
  • CrowdStrike Falcon documentation and knowledge base articles (free with Falcon login)
  • MITRE ATT&CK framework website and technique descriptions (free)
  • CrowdStrike Tech Center blog posts on detection and response workflows (free)
  • CrowdStrike YouTube channel with Falcon console walkthroughs and RTR demos (free)
  • Free practice questions on this site

The CCFR is a hands-on certification focused on incident response within the Falcon console. CrowdStrike recommends at least 6 months of production Falcon experience. Free documentation covers the exam content, but real-world detection triage and RTR experience is essential.

Choose Your Study Path

Limited or no Falcon console experience. You understand general security concepts but need to learn the platform from scratch before tackling detection and response workflows.

Week 1: Get access to a Falcon environment (trial or production). Learn the console layout: Activity dashboard, Endpoint Detections, Investigate section, and configuration panels. Understand detection severity levels (Info, Low, Medium, High, Critical).
Week 2: Study the MITRE ATT&CK framework fundamentals: tactics, techniques, and procedures. Learn how Falcon maps detections to ATT&CK techniques and how this context informs response decisions.
Week 3: Deep dive into Detection Analysis (40% of exam): learn to interpret the Activity dashboard, Endpoint detections page, Full Detection view, and the three process views (Process Tree, Process Table, Process Activity).
Week 4: Continue Detection Analysis: study IOC management (Block, Detect Only, Allow, No Action), allowlisting vs blocklisting, ML exclusions, sensor visibility exclusions, IOA exclusions, and quarantine management.
Week 5: Study Event Search and Event Investigation: learn to perform Event Advanced Searches from detections, understand event types and event actions, interpret Process Timeline and Host Timeline data.
Week 6: Study Search Tools: User Search, IP Search, Hash Search, Host Search, and Bulk Domain Search. Understand what information each tool provides and when to use it.
Week 7: Study Real Time Response (RTR): technical capabilities, administrative settings, connecting to hosts, RTR commands for remediation, custom scripts, workflow setup, and audit logging.
Week 8: Practice questions across all domains. Focus heavily on Detection Analysis, which is 40% of the exam. Review process tree interpretation and IOC management actions.
Week 9: Take full mock exams. Review all incorrect answers. Re-study any domain where you score below 80%. Remember the passing score is 80% — higher than most vendor certifications.
Week 10: Final review: focus on process relationships, detection triage workflows, RTR command usage, and commonly confused concepts. Take one more mock exam to verify readiness.

Exam Overview

Format

60 multiple-choice questions (scenario-based and conceptual), 90 minutes. Proctored through Pearson VUE testing centers or online.

Scoring

Percentage-based scoring. Passing: 80%. No penalty for wrong answers — always answer every question.

Domains & Weights

  • MITRE ATT&CK Framework Application: 5%
  • Detection Analysis: 40%
  • Event Search: 10%
  • Event Investigation: 12%
  • Search Tools: 13%
  • Falcon Real Time Response (RTR): 20%

Registration

$250 USD, paid with a CrowdStrike exam voucher purchased through Pearson or your CrowdStrike Account Executive. Available at Pearson VUE testing centers or online proctored.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1: Must Know. You must understand these concepts deeply, know their configurations, and be able to apply them in detection and response scenarios. These appear across multiple questions.
Tier 2: Should Know. Understand what these are and their key characteristics. May appear in 2-5 questions each.
Tier 3: Recognize Only. Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1: 5% of exam

MITRE ATT&CK Framework Application

This domain covers understanding and applying the MITRE ATT&CK framework within the Falcon console. At only 5% weight, expect roughly 3 questions, but this knowledge underpins detection analysis across the entire exam. You must know how ATT&CK tactics and techniques map to Falcon detections and how this context informs response decisions.

Key Topics

MITRE ATT&CK Framework, Falcon Detection Context, Tactics and Techniques Mapping, Adversary Behavior Patterns

Must-Know Concepts

  • MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Tactics represent the WHY, techniques represent the HOW
  • Falcon maps each detection to specific ATT&CK tactics and techniques, providing immediate context about what the adversary is trying to accomplish
  • Common ATT&CK tactics tested: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration
  • ATT&CK context helps prioritize response: a detection mapped to Lateral Movement or Exfiltration is more urgent than one mapped to Discovery
  • Falcon uses ATT&CK mappings in the detection details view, showing which tactics and techniques triggered the detection with links to ATT&CK documentation

Common Exam Traps

  • Tactics are NOT techniques. Tactics are adversary GOALS (like Persistence), techniques are specific METHODS (like Registry Run Keys). The exam tests whether you can distinguish them
  • A single detection can map to MULTIPLE ATT&CK techniques. Do not assume a one-to-one relationship between detections and techniques
  • ATT&CK provides CONTEXT for response prioritization, not automatic remediation. Knowing the tactic/technique helps you decide HOW to respond, but you still need to investigate

Quick Check: MITRE ATT&CK Framework Application

A Falcon detection shows a process creating a new Windows service that runs automatically at system startup. Which MITRE ATT&CK tactic does this activity most likely represent?

Domain 2: 40% of exam

Detection Analysis

The heaviest domain at 40% -- expect roughly 24 questions on this topic alone. This domain covers every aspect of analyzing and responding to detections in the Falcon console: interpreting dashboards, triaging detections, evaluating process views, managing IOCs, configuring exclusions, and making response decisions based on contextual data. Master this domain or you will not pass.

Key Topics

Activity Dashboard, Endpoint Detections, Process Tree, Process Table, Process Activity, IOC Management, Hash Actions, Exclusions, Prevalence, OSINT Tools, Quarantine

Must-Know Concepts

  • Activity dashboard displays aggregate detection metrics: severity distribution, detection trends over time, top detections, and host activity. Endpoint detections page shows individual detection records with detailed context
  • Full Detection view provides comprehensive detection information: triggering process, parent process, command line, ATT&CK mapping, severity, detection source, and contextual event data (IP, DNS, disk activity)
  • Three process views: Process Tree (parent-child hierarchy), Process Table (tabular detail), Process Activity (chronological actions). Know what each reveals and when to use which
  • Detection triage using filtering (by severity, status, host, detection type), grouping (by host, tactic, user), and sort-by (time, severity, status). These are essential workflow skills
  • IOC types: hash, IP, domain. Hash management actions: Block, Block and Hide Detection, Detect Only, Allow, No Action. Know the exact effect of each action
  • Allowlisting vs blocklisting: allowlisted hashes bypass all detection globally. Blocklisted hashes are prevented from executing. These are different from exclusions
  • Three exclusion types and their effects: ML exclusions (suppress ML detections, sensor still collects data), IOA exclusions (suppress behavioral detections, sensor still collects data), sensor visibility exclusions (sensor stops collecting data entirely for specified paths)
  • Prevalence evaluation: internal prevalence (within your environment) and external prevalence (across all CrowdStrike customers). Both inform investigation priority and response
  • Detection sources determine response approach: ML-based, behavioral IOA, custom IOA, and intelligence-based detections may require different validation workflows
  • OSINT tool integration provides external context for IPs, domains, and hashes directly from the detection view
  • Host Search shows managed and unmanaged neighbors, revealing sensor coverage gaps
  • Quarantine best practices: review quarantined files before releasing, add to allowlist before release to prevent re-quarantine

Common Exam Traps

  • Block and Hide Detection does TWO things: prevents execution AND suppresses future detections for that hash. Existing detections remain visible. Do not confuse with just Block
  • Sensor visibility exclusions create COMPLETE blind spots. The sensor cannot detect ANY activity in excluded paths. Only use for known-good paths causing performance issues
  • High external prevalence does NOT mean a file is safe. Common malware and legitimate software both have high prevalence. Always investigate regardless of prevalence
  • Changing detection status (new, in progress, true positive, false positive) does NOT automatically remediate the threat. Status changes are for workflow management only
  • ML exclusions and IOA exclusions suppress DIFFERENT detection engines. An ML exclusion will not suppress an IOA detection and vice versa. Know which exclusion type matches which detection source
  • Allow (IOC action) is MORE aggressive than any exclusion type because it bypasses ALL detection engines for that hash globally

Quick Check: Detection Analysis

A SOC analyst discovers a suspicious file hash on multiple endpoints. They want to prevent the file from executing on any endpoint and also suppress future detections to reduce alert noise. Which hash management action should they use?

Domain 4: 12% of exam

Event Investigation

This domain covers using Process Timeline, Host Timeline, and Process Explorer to investigate detections. You must understand what information each tool provides, when to use each one, and how to analyze parent-child-sibling process relationships using Full Detection Details. At 12% weight, expect roughly 7 questions.

Key Topics

Process Timeline, Host Timeline, Process Explorer, Process Relationships, Parent-Child-Sibling Analysis

Must-Know Concepts

  • Process Timeline shows all events associated with a SINGLE process in chronological order: file writes, network connections, DNS requests, registry changes, child process creation, and module loads
  • Host Timeline shows all events across ALL processes on a specific endpoint in chronological order, giving a complete picture of host-level activity
  • Process Explorer provides deep-dive analysis of a single process: command line, loaded modules, network connections, file activity, and relationships to other processes
  • When to pivot from Event Search to Process Timeline: when you have identified a specific suspicious process and need to see everything it did. When to pivot to Process Explorer: when you need detailed information about a process's attributes and relationships
  • Parent-child-sibling process relationships: the parent process launched the child process. Siblings share the same parent. Analyzing these relationships reveals attack chains (e.g., Word spawning PowerShell spawning cmd.exe)
  • Full Detection Details include the complete process hierarchy, showing which process spawned the detected activity and what other processes share the same parent

Common Exam Traps

  • Process Timeline is for a SINGLE process. Host Timeline is for an ENTIRE host. Do not confuse their scope — using the wrong one wastes time and may miss critical context
  • Parent-child relationships can reveal attack techniques: a web browser spawning PowerShell (unusual) vs an IDE spawning a compiler (normal). The relationship pattern matters as much as the individual processes
  • Process Explorer is accessed from Event Search or Process Timeline by pivoting. It is not a standalone starting point — you need a specific process to explore
  • Sibling processes share the same parent but are NOT necessarily related to the same attack. A legitimate parent process may have both malicious and benign children

Quick Check: Event Investigation

During an investigation, an analyst has identified a suspicious PowerShell process and wants to see every action it performed, including file writes, network connections, and child process launches. Which tool should they use?

Domain 5: 13% of exam

Search Tools

This domain covers the five dedicated search tools in Falcon: User Search, IP Search, Hash Search, Host Search, and Bulk Domain Search. You must know what information each tool provides, how to interpret results, and when to use each tool during an investigation. At 13% weight, expect roughly 8 questions.

Key Topics

User Search, IP Search, Hash Search, Host Search, Bulk Domain Search, Managed Neighbors, Unmanaged Neighbors

Must-Know Concepts

  • User Search provides identity and activity information: user account details, associated hosts, recent logon activity, and any detections associated with the user
  • IP Search provides context about an IP address: geolocation, associated hosts, reputation data, and recent activity involving that IP across the environment
  • Hash Search provides file reputation information: SHA256 file details, detection history, prevalence data (internal and external), associated detections, and vendor intelligence
  • Host Search provides endpoint details: hostname, OS, sensor version, last seen timestamp, policies applied, detection history, AND managed/unmanaged neighbors on the same network
  • Bulk Domain Search allows lookup of multiple domains simultaneously for reputation, associated activity, and threat intelligence context
  • Managed neighbors are endpoints WITH the Falcon sensor installed. Unmanaged neighbors are devices on the network WITHOUT the sensor — they represent security coverage gaps

Common Exam Traps

  • Host Search is the ONLY search tool that shows managed vs unmanaged neighbors. This is specifically called out in objective 2.11
  • Hash Search uses SHA256, not MD5 or SHA1, as the primary hash type in CrowdStrike Falcon
  • Bulk Domain Search is for domain reputation lookup across multiple domains at once. It is NOT for individual domain deep-dive analysis — use IP Search for individual domain investigation
  • User Search results may show activity across MULTIPLE hosts if the user logs into different endpoints. This is important for lateral movement investigation

Quick Check: Search Tools

During an investigation, an analyst needs to determine if there are devices on the same network segment as a compromised host that do NOT have the Falcon sensor installed. Which search tool provides this information?

Domain 6: 20% of exam

Falcon Real Time Response (RTR)

The second-heaviest domain at 20% -- expect roughly 12 questions. This domain covers RTR technical capabilities, administrative configuration, connecting to hosts, using commands for investigation and remediation, custom scripts, workflow automation with RTR, and reviewing audit logs. RTR is the hands-on remediation tool that separates investigation from response.

Key Topics

RTR Console, RTR Commands, RTR Custom Scripts, RTR Workflows, RTR Audit Logs, RTR Administrative Settings, Response Policies

Must-Know Concepts

  • RTR enables remote shell access to endpoints for investigation and remediation. It works on Windows, macOS, and Linux. Sessions are established from the Falcon console directly to the endpoint
  • RTR must be enabled in the response policy assigned to the host AND the analyst must have appropriate RTR role permissions. Both requirements must be met
  • RTR role levels: RTR Active Responder can run read-only and active responder commands. RTR Administrator can run all commands including write operations, custom scripts, and full remediation commands
  • RTR built-in commands include: ls (list files), cat (read files), ps (list processes), netstat (network connections), reg (registry operations), kill (terminate processes), rm (delete files), put/get (file transfer), runscript (execute scripts)
  • Custom scripts can be uploaded and executed through RTR for complex remediation scenarios. Requires RTR Administrator role
  • RTR session timeout: sessions disconnect after 10 minutes of inactivity. Scripts timeout after 30 seconds of execution
  • File transfer through RTR: put sends files TO the endpoint, get retrieves files FROM the endpoint. File size limit is 4GB
  • Workflows can be configured to automatically execute RTR custom scripts based on detection triggers using Falcon Fusion
  • RTR audit logs record all sessions and commands: who connected, what commands were run, which hosts were accessed, and timestamps for accountability and compliance

Common Exam Traps

  • RTR Active Responder and RTR Administrator have DIFFERENT permission levels. Administrator can run write commands and custom scripts that Active Responder cannot
  • RTR sessions timeout after 10 minutes of INACTIVITY, not 10 minutes total. Active sessions can run longer. Scripts timeout after 30 seconds regardless
  • The put command sends files TO the endpoint (push). The get command retrieves files FROM the endpoint (pull). This naming convention is from the analyst's perspective
  • RTR works on CONTAINED hosts. Network containment does not block RTR access because CrowdStrike cloud connectivity is maintained during containment
  • Automated RTR workflows execute without human confirmation. Misconfigured workflows can affect many endpoints simultaneously. Always test workflows in limited scope first

Quick Check: Falcon Real Time Response (RTR)

An analyst needs to use RTR to delete a malicious file from an endpoint, but their RTR session shows they cannot execute the 'rm' command. What is the most likely cause?

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Process Tree View vs Process Activity View

Use Process Tree View when…

Shows the parent-child-sibling execution hierarchy of processes. Reveals which process spawned which child processes, showing the full attack chain visually.

Use Process Activity View when…

Shows the chronological sequence of actions taken by a specific process: file writes, network connections, DNS requests, registry changes, and child process launches.

Exam trap

Process Tree answers WHO spawned WHOM (hierarchy). Process Activity answers WHAT a process DID (actions). A suspicious child process in the tree should be followed up with its activity view to see its specific behaviors.

Block (Hash Action) vs Detect Only (Hash Action)

Use Block (Hash Action) when…

Prevents the file from executing on any endpoint. The sensor will block execution and generate a detection alert when the file is encountered.

Use Detect Only (Hash Action) when…

Allows the file to execute but generates a detection alert. Used when you want visibility into the file's behavior without disrupting operations.

Exam trap

Block PREVENTS execution. Detect Only ALLOWS execution but alerts. Use Detect Only when you suspect a file is malicious but need to observe its behavior or cannot afford to block it in production. Block when you are certain it is malicious.

ML Exclusions vs Sensor Visibility Exclusions

Use ML Exclusions when…

Prevent the machine learning engine from generating detections for specific files or paths. The sensor STILL collects telemetry data for those files.

Use Sensor Visibility Exclusions when…

Prevent the sensor from collecting ANY data on specified paths. No telemetry, no detections, complete blindness to activity in those paths.

Exam trap

ML exclusions suppress ML detections while preserving visibility. Sensor visibility exclusions create a COMPLETE blind spot. Use sensor visibility exclusions only for known-good paths causing performance issues, never for security investigation paths.

Process Timeline vs Host Timeline

Use Process Timeline when…

Shows all events for a SINGLE process in chronological order. Ideal for deep-diving into one suspicious process to understand everything it did.

Use Host Timeline when…

Shows all events across ALL processes on a specific endpoint in chronological order. Ideal for understanding the full scope of activity on a compromised host.

Exam trap

Process Timeline is narrow and deep (one process, all its events). Host Timeline is broad and wide (one host, all processes). Start with Host Timeline to identify suspicious processes, then pivot to Process Timeline for the ones that stand out.
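The three views contrasted here and in the Event Investigation concepts (Process Tree for hierarchy, Process Timeline / Process Activity for one process, Host Timeline for the whole host, plus parent-child-sibling analysis) reproduced over a constructed telemetry sample. This is an added example, not code from CertPrepNow or CrowdStrike: the record shape (fields `pid`, `ppid`, `ctx`) and the unusual-parent heuristic are assumptions, and only the event type names (ProcessRollup2, FileWritten, DnsRequest, NetworkConnect) come from the guide.

```python
from collections import defaultdict

# Constructed host telemetry (not real Falcon output): (timestamp, event type, fields).
# ProcessRollup2 records a process start; other events carry 'ctx', the acting pid.
EVENTS = [
    (100, "ProcessRollup2", {"pid": 1, "ppid": 0, "image": "explorer.exe"}),
    (101, "ProcessRollup2", {"pid": 2, "ppid": 1, "image": "WINWORD.EXE"}),
    (102, "ProcessRollup2", {"pid": 3, "ppid": 1, "image": "chrome.exe"}),
    (103, "FileWritten", {"ctx": 2, "path": "C:\\Users\\a\\AppData\\Local\\Temp\\x.ps1"}),
    (104, "ProcessRollup2", {"pid": 4, "ppid": 2, "image": "powershell.exe"}),
    (105, "DnsRequest", {"ctx": 4, "domain": "c2.example.invalid"}),
    (106, "NetworkConnect", {"ctx": 4, "remote": "192.0.2.10:443"}),
    (107, "ProcessRollup2", {"pid": 5, "ppid": 4, "image": "cmd.exe"}),
    (108, "ProcessRollup2", {"pid": 6, "ppid": 2, "image": "splwow64.exe"}),
    (109, "FileWritten", {"ctx": 3, "path": "C:\\Users\\a\\Downloads\\report.pdf"}),
]

def processes(events):
    """Map pid -> its ProcessRollup2 fields plus start time."""
    return {f["pid"]: {"ts": ts, **f} for ts, et, f in events if et == "ProcessRollup2"}

def process_tree(events):
    """Process Tree view: WHO spawned WHOM, as indented lines (root first)."""
    procs = processes(events)
    children = defaultdict(list)
    for pid, p in procs.items():
        children[p["ppid"]].append(pid)
    lines = []
    def walk(pid, depth):
        for child in sorted(children[pid], key=lambda c: procs[c]["ts"]):
            lines.append("  " * depth + f"{procs[child]['image']} (pid {child})")
            walk(child, depth + 1)
    walk(0, 0)  # pid 0 is the constructed root of the sample
    return lines

def ancestry(events, pid):
    """Parent chain from the root down to pid, e.g. Word -> PowerShell -> cmd."""
    procs, chain = processes(events), []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain[::-1]

def siblings(events, pid):
    """Other processes launched by the same parent (shared parent != same attack)."""
    procs = processes(events)
    return sorted(p for p, f in procs.items() if f["ppid"] == procs[pid]["ppid"] and p != pid)

def process_timeline(events, pid):
    """Process Timeline / Process Activity: everything ONE process did, in time
    order, including the child processes it launched."""
    return sorted((e for e in events if e[2].get("ctx") == pid
                   or (e[1] == "ProcessRollup2" and e[2]["ppid"] == pid)), key=lambda e: e[0])

def host_timeline(events):
    """Host Timeline: every event from every process on the host, in time order."""
    return sorted(events, key=lambda e: e[0])

# Constructed triage heuristic (an assumption, not a Falcon rule): document editors
# and browsers normally have no reason to launch shells or script hosts.
UNUSUAL_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "chrome.exe", "msedge.exe"}
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe"}

def suspicious_spawns(events):
    """(parent_pid, child_pid) pairs whose relationship pattern is unusual."""
    procs = processes(events)
    return [(p["ppid"], pid) for pid, p in sorted(procs.items())
            if procs.get(p["ppid"], {}).get("image") in UNUSUAL_PARENTS
            and p["image"] in SHELL_CHILDREN]

if __name__ == "__main__":
    print("\n".join(process_tree(EVENTS)))
    for _, pid in suspicious_spawns(EVENTS):  # pivot: tree -> activity of the odd child
        print("unusual spawn:", " -> ".join(ancestry(EVENTS, pid)))
        for ts, et, f in process_timeline(EVENTS, pid):
            print(f"  {ts} {et} {f}")
```

Run stand-alone it prints the tree, flags the Word-to-PowerShell spawn, and then pivots to that child's timeline, which is the workflow the exam trap describes; note that `splwow64.exe` is a sibling of the PowerShell process yet never appears in its timeline.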

Internal Prevalence vs External Prevalence

Use Internal Prevalence when…

Shows how many endpoints WITHIN your organization have seen a specific file, hash, or process. Helps determine if the activity is isolated or widespread.

Use External Prevalence when…

Shows how common a file is across ALL CrowdStrike customers globally. Helps determine if the file is well-known software or potentially novel malware.

Exam trap

Low internal + low external prevalence suggests a targeted or novel threat — investigate urgently. High internal + high external may be commodity malware or legitimate software. Always correlate both prevalence types together.

IOA Exclusions vs IOC Actions (Allow)

Use IOA Exclusions when…

Suppress Indicator of Attack behavioral detection alerts for specific files or patterns. The sensor still monitors and collects data, but will not trigger IOA-based alerts.

Use IOC Actions (Allow) when…

Globally allow a specific hash to execute without any detection. Bypasses ALL detection engines including ML, IOA, and intelligence-based detections for that hash.

Exam trap

IOA exclusions suppress only IOA-based alerts for specific patterns. IOC Allow bypasses ALL detection for a specific hash globally. IOC Allow is more aggressive and should only be used for verified safe files.

MITRE ATT&CK Tactics vs MITRE ATT&CK Techniques

Use MITRE ATT&CK Tactics when…

The adversary's strategic objectives or goals during an attack, such as Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, or Lateral Movement.

Use MITRE ATT&CK Techniques when…

The specific methods used to achieve a tactic. For example, under Execution, techniques include PowerShell, Windows Command Shell, or Scripting.

Exam trap

Tactics are the WHY (the goal). Techniques are the HOW (the method). Falcon detections are mapped to specific techniques within tactics. One tactic can have many techniques, and some techniques appear under multiple tactics.

Top Mistakes to Avoid

  • Confusing Process Tree (parent-child hierarchy) with Process Activity (chronological actions of a single process) — they answer completely different investigative questions
  • Mixing up Block and Block and Hide Detection — Block prevents execution but still generates detections, Block and Hide does both
  • Using sensor visibility exclusions when ML or IOA exclusions would suffice — sensor visibility exclusions create complete blind spots where NO telemetry is collected
  • Confusing Process Timeline (events for ONE process) with Host Timeline (events for ALL processes on a host) — wrong scope wastes investigation time
  • Assuming high external prevalence means a file is safe — popular malware and legitimate software both have high prevalence
  • Forgetting that RTR requires BOTH a response policy enabling RTR AND appropriate RTR role permissions — missing either prevents access
  • Confusing the RTR 'put' command (sends files TO the endpoint) with the 'get' command (retrieves files FROM the endpoint) — naming is from the analyst's perspective
  • Thinking detection status changes (true positive, false positive, in progress) automatically remediate the threat — status is for workflow tracking only
  • Not understanding the difference between MITRE ATT&CK tactics (adversary goals) and techniques (specific methods) — the exam tests this distinction
  • Assuming IOC Allow and ML exclusion are equivalent — IOC Allow bypasses ALL detection engines globally for that hash, which is far more aggressive than any exclusion

Exam-Ready Checklist

  • Can interpret all three process views (Tree, Table, Activity) and know when to use each one
  • Know all five hash management actions (Block, Block and Hide Detection, Detect Only, Allow, No Action) and their exact effects
  • Can explain the difference between ML exclusions, IOA exclusions, and sensor visibility exclusions — including which collects telemetry and which does not
  • Understand how Falcon maps detections to MITRE ATT&CK tactics and techniques, and can distinguish tactics from techniques
  • Know all five Search Tools (User, IP, Hash, Host, Bulk Domain) and what unique information each provides
  • Can explain managed vs unmanaged neighbors in Host Search results and why this matters
  • Understand RTR capabilities: role requirements, session timeouts, command categories, custom scripts, and file transfer commands (put vs get)
  • Can perform and refine Event Advanced Searches and distinguish between common event types (ProcessRollup2, DnsRequest, NetworkConnect, FileWritten)
  • Know when to use Process Timeline vs Host Timeline vs Process Explorer for investigation
  • Understand internal vs external prevalence and what low/high combinations suggest about threat severity
  • Can explain detection triage workflow: filtering, grouping, sorting, status changes, and assignment
  • Know RTR audit log contents and their purpose for accountability and compliance
  • Scored 80%+ on at least two full mock exams (the passing score is 80% — higher than most vendor certifications)

Recommended Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.
