All Practice Exams
100+ Free CCDL1 Practice Questions
Certified CyberDefender Level 1 practice questions are available now; exam metadata is being verified.
✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Not published Pass Rate
100+ Questions
100% Free
Loading practice questions...
Same family resources
Explore More CyberDefenders Certifications
Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.
2026 Statistics
Key Facts: CCDL1 Exam
$500 USD
Certification Cost
CyberDefenders
70%
Passing Score
CyberDefenders
4 months
Course Access Window
CyberDefenders
4 years
Certification Validity
CyberDefenders
6 modules
Course Structure
CyberDefenders
90% NIST
CDA Role Alignment
CyberDefenders
The CCDL1 (Certified CyberDefender Level 1) certifies entry-level SOC Tier 1 analyst skills through a practical browser-based exam aligned with real-world blue team scenarios. Six course modules cover SIEM operations (Microsoft Sentinel with KQL, Splunk with SPL, Elastic with EQL, QRadar with AQL, Graylog), network traffic analysis (Wireshark, NetworkMiner, Brim/Zeek, Arkime), endpoint forensics (Windows event logs, Sysmon, Volatility, NTFS artifacts), incident response (NIST SP 800-61, FTK Imager, chain of custody), phishing analysis, and cloud forensics (AWS CloudTrail, Azure AD). Cost is $500 USD including 4-month course access. Certification is valid for 4 years. This 100-question practice exam covers all six module knowledge domains.
Sample CCDL1 Practice Questions
Try these sample questions to test your CCDL1 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.
1A SOC analyst is investigating an alert in Microsoft Sentinel. Which Kusto Query Language (KQL) operator would filter SecurityEvent records to show only failed logon events (EventID 4625) from the last 24 hours?
A.SecurityEvent | where EventID == 4625 | where TimeGenerated > ago(24h)
B.SecurityEvent | filter EventID = 4625 | timerange last 24h
C.SecurityEvent | select EventID=4625 | timeslice 24h
D.SecurityEvent | search EventID:4625 | last(24h)
Explanation: In KQL (used by Microsoft Sentinel), the 'where' operator filters rows and 'ago()' is used to compute relative time ranges. The correct syntax is 'where EventID == 4625 | where TimeGenerated > ago(24h)'. All other options use incorrect operators or syntax not valid in KQL.
2In Splunk, which Search Processing Language (SPL) command computes a count of events grouped by a specific field, similar to a SQL GROUP BY clause?
A.count group src_ip
B.stats count by src_ip
C.aggregate count field=src_ip
D.eval count(*) by src_ip
Explanation: In SPL, the 'stats' command with 'count by <field>' groups events and counts occurrences for each unique value of the specified field. This is the correct aggregation approach in Splunk. The other options use syntax from SQL or non-existent SPL commands.
3While analyzing network traffic in Wireshark, you want to display only packets where the destination port is 443 and the source IP is 10.0.0.5. Which display filter is correct?
A.src=10.0.0.5 port=443
B.ip.source=10.0.0.5 && port.dst=443
C.ip.src == 10.0.0.5 and tcp.dstport == 443
D.filter src 10.0.0.5 dst port 443
Explanation: Wireshark display filters use dot-notation field names and comparison operators. 'ip.src' specifies the source IP, 'tcp.dstport' specifies the TCP destination port, and 'and' (or '&&') combines conditions. This is the correct Wireshark display filter syntax.
4A security analyst uses NetworkMiner to analyze a captured PCAP file. What is NetworkMiner's primary function that differentiates it from Wireshark?
A.Provides deep packet inspection with real-time signature-based IDS alerting
B.Generates PCAP files from live network interfaces using BPF capture filters
C.Decrypts TLS traffic using pre-shared keys and exports decrypted payloads
D.Automatically reconstructs sessions and extracts files, credentials, and host information from PCAP files
Explanation: NetworkMiner is a passive network forensic analysis tool that automatically parses PCAP files to reconstruct sessions, extract transferred files, images, credentials, and build host profiles — without writing custom filters. Wireshark is more focused on granular packet dissection and display filtering.
5During a Splunk investigation, you need to identify the top 10 source IP addresses generating the most DNS requests. Which SPL query achieves this?
A.index=dns | stats count by src_ip | sort -count | head 10
B.index=dns | top 10 src_ip | group by count
C.index=dns | select top(src_ip, 10) order by count desc
D.index=dns | aggregate src_ip count limit=10
Explanation: The correct SPL sequence uses 'stats count by src_ip' to count events per source IP, 'sort -count' to sort in descending order (negative sign = descending), and 'head 10' to limit to the top 10 results. Alternatively, the 'top' command can do this in one step, but the query in option 0 is also valid.
6A Windows Security Event log shows Event ID 4688 with a process named 'powershell.exe' spawned by 'winword.exe'. Which attack technique does this most likely indicate?
A.Kerberoasting using Mimikatz to extract service tickets from memory
B.Macro-based malware executing a malicious PowerShell payload via a Word document
C.Pass-the-hash using NTLM credentials captured from LSASS
D.DLL search order hijacking via a malicious DLL placed in the application directory
Explanation: Event ID 4688 logs process creation. When powershell.exe is spawned with winword.exe (Microsoft Word) as the parent process, this is a classic indicator of a malicious macro inside a Word document executing a PowerShell payload — a common initial access technique (MITRE ATT&CK T1059.001, T1566.001).
7In the NIST SP 800-61 incident response lifecycle, which phase involves documenting lessons learned and updating incident response procedures after an incident is resolved?
A.Containment, Eradication, and Recovery
B.Detection and Analysis
C.Post-Incident Activity
D.Preparation
Explanation: NIST SP 800-61 defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The Post-Incident Activity phase is where the team conducts a lessons-learned meeting, documents findings, and updates policies, playbooks, and detection rules based on the incident.
8An analyst uses Volatility to analyze a Windows memory image. Which Volatility plugin lists running processes by walking the EPROCESS doubly-linked list, and is susceptible to DKOM (Direct Kernel Object Manipulation) hiding?
A.psscan
B.pstree
C.cmdline
D.pslist
Explanation: The 'pslist' plugin enumerates processes by following the doubly-linked list of EPROCESS structures maintained by the Windows kernel. Rootkits using DKOM can unlink a process from this list to hide it from pslist. The 'psscan' plugin instead scans physical memory for EPROCESS signatures, making it more resistant to DKOM hiding.
9While hunting in Elastic SIEM, you want to detect DNS queries to domains with high entropy names (a sign of DGA malware). Which Elastic approach is most appropriate?
A.Use a scripted field or runtime field with a custom painless script to calculate Shannon entropy of the dns.question.name field and alert when it exceeds a threshold
B.Create a Sigma rule that matches all dns.question.name values longer than 20 characters
C.Use the Elastic ml_anomaly_score field to detect anomalous DNS queries without custom configuration
D.Write an EQL sequence query that correlates DNS events with subsequent network connections on port 443
Explanation: Domain Generation Algorithm (DGA) domains have high entropy (randomness) in their names. The best way to detect them in Elastic is to compute the Shannon entropy of the domain name field using a Painless scripted/runtime field and alert when entropy exceeds a threshold (typically ~3.5 bits/char). Length alone (option 1) misses many DGA domains.
10In a Wireshark PCAP analysis, you observe regular outbound HTTP POST requests to the same external IP every 60 seconds, each with a small payload (~100 bytes). Which threat behavior does this most likely indicate?
A.DNS amplification DDoS attack
B.Command-and-control (C2) beaconing
C.ARP cache poisoning reconnaissance
D.SQL injection exfiltration via HTTP
Explanation: Regular, periodic outbound HTTP POST requests (consistent timing intervals, small fixed payload) are the hallmark of C2 beaconing — malware checking in with its command-and-control server for instructions. The regularity distinguishes it from legitimate web traffic and is a key indicator of compromise (MITRE ATT&CK T1071.001).
About the CCDL1 Practice Questions
Verified exam format metadata for Certified CyberDefender Level 1 is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.