100+ Free CCOA Practice Questions

Pass your ISACA Certified Cybersecurity Operations Analyst (CCOA) exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: CCOA Exam

  • Exam Questions: 115 (source: ISACA)
  • Exam Duration: 150 min (source: ISACA)
  • Passing Score: 450/800 (source: ISACA, scaled)
  • Member Fee: $575 (source: ISACA)
  • Validity: 3 years (CPE renewal)
  • Largest Domain: Incident Detection & Response (~28%)

The CCOA is ISACA's technical SOC-analyst certification (launched 2025). The exam has 115 questions (mix of multiple-choice and hands-on performance items) with a 150-minute time limit and 450/800 passing score. It covers five domains with Incident Detection and Response weighted largest (~28%). Fee is $575 (members) / $760 (non-members). Certification is valid for 3 years with CPE requirements.

Sample CCOA Practice Questions

Try these sample questions to test your CCOA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which OSI layer is responsible for end-to-end reliable delivery using sequence numbers and acknowledgments?
A. Layer 2 (Data Link)
B. Layer 3 (Network)
C. Layer 4 (Transport)
D. Layer 5 (Session)
Explanation: Layer 4 (Transport) provides end-to-end reliable delivery through protocols like TCP, which uses sequence numbers, acknowledgments, and flow control. Layer 2 handles frames within a local network, Layer 3 handles routing between networks, and Layer 5 establishes and manages sessions.
2. A SOC analyst sees outbound traffic on TCP port 443 to an unfamiliar IP. Which protocol is most likely being used?
A. SSH
B. HTTPS/TLS
C. FTP
D. SNMP
Explanation: TCP port 443 is the default for HTTPS/TLS. However, attackers commonly abuse port 443 for C2 traffic because it blends with normal web traffic. SOC analysts should always pivot to TLS fingerprinting (JA3), domain reputation, and destination IP analysis rather than trusting the port alone.
3. In a /26 CIDR subnet, how many usable host addresses are available?
A. 30
B. 62
C. 126
D. 254
Explanation: A /26 has 32-26=6 host bits, giving 2^6=64 total addresses. Subtracting the network and broadcast addresses leaves 62 usable hosts. SOC analysts must understand subnetting to interpret scope of scans, lateral movement, and segmentation boundaries.
4. Which Windows event ID indicates a successful interactive logon?
A. 4624
B. 4625
C. 4634
D. 4672
Explanation: Event ID 4624 records a successful logon and includes the Logon Type (2=interactive, 3=network, 10=RemoteInteractive/RDP). Event 4625 is failed logon, 4634 is logoff, and 4672 is special privileges assigned (often used to detect admin logons).
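As an added example (not from this page or from ISACA), the Python below applies the 4624/4625/4672 semantics of question 4 together with the /26 subnet arithmetic of question 3: it parses constructed logon events and flags failed-then-successful logon streaks, RDP logons from outside an assumed admin subnet, and special-privilege logons. The key=value event layout, account names and addresses are constructed for illustration and are not a real Windows log format.

```python
import re
# Constructed sample events in a simplified key=value layout (real Security.evtx
# records are XML; this layout is an assumption, not a Windows format).
SAMPLE_EVENTS = """\
EventID=4625 Account=svc_backup LogonType=3 SourceIP=10.0.0.200
EventID=4625 Account=svc_backup LogonType=3 SourceIP=10.0.0.200
EventID=4625 Account=svc_backup LogonType=3 SourceIP=10.0.0.200
EventID=4624 Account=svc_backup LogonType=10 SourceIP=10.0.0.200
EventID=4672 Account=svc_backup LogonType=- SourceIP=10.0.0.200
EventID=4624 Account=alice LogonType=2 SourceIP=127.0.0.1
EventID=4624 Account=bob LogonType=3 SourceIP=10.0.0.17
"""
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive/RDP"}
EVENT_RE = re.compile(r"EventID=(\d+) Account=(\S+) LogonType=(\S+) SourceIP=(\S+)")

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def cidr_info(cidr):
    """Return (network, mask, usable_hosts) for e.g. 10.0.0.0/26: 32-26 = 6 host
    bits -> 64 addresses -> 62 usable after removing network and broadcast."""
    addr, prefix = cidr.split("/")
    host_bits = 32 - int(prefix)
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    usable = (1 << host_bits) - 2 if host_bits >= 2 else 1 << host_bits  # /31, /32
    return ip_to_int(addr) & mask, mask, usable

def in_subnet(ip, cidr):
    network, mask, _ = cidr_info(cidr)
    return (ip_to_int(ip) & mask) == network

def triage(text, admin_subnet, fail_threshold=3):
    """Flag brute-force-then-success streaks, RDP from outside admin_subnet, and 4672."""
    findings, fails = [], {}
    for m in EVENT_RE.finditer(text):
        eid, acct, ltype, src = m.groups()
        eid, ltype = int(eid), (int(ltype) if ltype.isdigit() else None)
        if eid == 4625:
            fails[acct] = fails.get(acct, 0) + 1
        elif eid == 4624:
            label = LOGON_TYPES.get(ltype, f"type {ltype}")
            if fails.get(acct, 0) >= fail_threshold:
                findings.append(f"{acct}: {fails[acct]} failed logons then success ({label})")
            if ltype == 10 and not in_subnet(src, admin_subnet):
                findings.append(f"{acct}: RDP logon from {src} outside {admin_subnet}")
            fails[acct] = 0  # a success resets the failure streak
        elif eid == 4672:
            findings.append(f"{acct}: special privileges assigned (admin logon)")
    return findings
```

Running triage(SAMPLE_EVENTS, "10.0.0.0/26") yields three findings for svc_backup and none for the ordinary interactive and network logons.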
5. Which Linux log file typically records sudo and authentication events on Debian/Ubuntu systems?
A. /var/log/messages
B. /var/log/auth.log
C. /var/log/syslog
D. /var/log/kern.log
Explanation: On Debian/Ubuntu systems, /var/log/auth.log records authentication events including sudo use and SSH logins. On RHEL/CentOS, the equivalent is /var/log/secure. /var/log/messages holds general system messages and /var/log/kern.log holds kernel events.
6. Which virtualization technology provides OS-level isolation without a full guest kernel?
A. Type 1 hypervisor
B. Type 2 hypervisor
C. Containers
D. Nested virtualization
Explanation: Containers (Docker, containerd, LXC) share the host kernel and isolate processes using namespaces and cgroups. This is OS-level virtualization without a full guest OS. Type 1 and 2 hypervisors run full guest kernels; nested virtualization runs hypervisors inside VMs.
7. Which AWS log source provides network flow metadata for EC2 instances that SOC analysts should enable?
A. CloudTrail
B. CloudWatch Events
C. VPC Flow Logs
D. Config
Explanation: VPC Flow Logs capture IP traffic going to and from network interfaces in a VPC, including source/destination IP, ports, protocol, packets, and bytes. CloudTrail records API calls (management plane), CloudWatch Events are event triggers, and Config tracks resource configuration changes.
8. Which PowerShell logging feature captures the contents of executed script blocks including deobfuscated code?
A. Transcription Logging
B. Module Logging
C. Script Block Logging
D. ETW Providers
Explanation: Script Block Logging (Event ID 4104) records the full text of PowerShell script blocks as they are executed, including code that was obfuscated or downloaded at runtime. Module Logging (4103) records pipeline inputs/outputs, and Transcription logs entire console sessions to disk.
9. What is the primary purpose of a DMZ in network architecture?
A. To store backup data offsite
B. To isolate public-facing services from the internal network
C. To encrypt all database traffic
D. To provide failover routing
Explanation: A DMZ (demilitarized zone) is a buffer network hosting public-facing services (web servers, mail relays) while keeping them isolated from the trusted internal network. If an attacker compromises a DMZ host, segmentation limits their ability to pivot inward.
10. Which TCP flag combination indicates a connection establishment request?
A. SYN only
B. SYN-ACK
C. ACK only
D. FIN-ACK
Explanation: The initial packet in the TCP three-way handshake has only the SYN flag set. The server responds with SYN-ACK, and the client completes the handshake with ACK. Port scans that send SYN packets without completing the handshake are called SYN scans (nmap -sS).

About the CCOA Exam

The ISACA Certified Cybersecurity Operations Analyst (CCOA), launched in 2025, is a hands-on technical certification for SOC analysts, incident responders, and threat hunters. It validates practical skills across SIEM/SOAR operations, threat intelligence, incident response (NIST 800-61), MITRE ATT&CK-aligned detection engineering, and threat hunting. The 3-year credential is delivered via PSI at authorized testing centers and online proctored.

  • Questions: 115 scored questions
  • Time Limit: 150 minutes
  • Passing Score: 450/800 (70% scaled)
  • Exam Fee: $575 member / $760 non-member (ISACA / PSI)

CCOA Exam Content Outline

  • Technology Essentials (~22%): Networking fundamentals, operating systems, virtualization, cloud telemetry, scripting basics, and infrastructure concepts relevant to SOC operations
  • Cybersecurity Principles and Risk (~20%): CIA triad, AAA, defense in depth, risk management, governance, compliance frameworks, and control types
  • Adversarial Tactics, Techniques and Procedures (~18%): MITRE ATT&CK framework, kill chain, common TTPs (Kerberoasting, Pass-the-Hash, lateral movement with BloodHound), malware categories, and attack lifecycles
  • Incident Detection and Response (~28%): SIEM (Splunk, Sentinel, QRadar, Elastic), SOAR, log analysis, IOC/IOA identification, NIST 800-61 phases (preparation, identification, containment, eradication, recovery, lessons learned), EDR/XDR triage
  • Threat Hunting and Analysis (~12%): Hypothesis-driven hunting, pyramid of pain, threat intelligence lifecycle, STIX/TAXII, MISP, Sysmon, Zeek, Suricata, Volatility memory analysis

How to Pass the CCOA Exam

What You Need to Know

  • Passing score: 450/800 (70% scaled)
  • Exam length: 115 questions
  • Time limit: 150 minutes
  • Exam fee: $575 member / $760 non-member

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CCOA Study Tips from Top Performers

1. Master MITRE ATT&CK tactics and at least 30-40 common techniques (T1059 Command and Scripting, T1003 OS Credential Dumping, T1021 Remote Services)
2. Get hands-on with a free SIEM (Splunk Free, Microsoft Sentinel trial, or Elastic stack) and practice writing detection rules
3. Memorize the six NIST SP 800-61 incident response phases: preparation, identification, containment, eradication, recovery, lessons learned
4. Know the pyramid of pain: why TTPs are harder for attackers to change than hashes or IPs
5. Understand STIX/TAXII for threat intel sharing and MISP for IOC collaboration
6. Practice PowerShell logging (Module, Script Block, Transcription) and Sysmon event IDs for Windows forensics
7. Learn Volatility plugins (pslist, pstree, malfind, dlllist) for memory forensics basics

Frequently Asked Questions

What is the CCOA exam?

The CCOA (ISACA Certified Cybersecurity Operations Analyst) is a hands-on technical certification launched by ISACA in 2025 for Security Operations Center (SOC) analysts, incident responders, and threat hunters. It validates the ability to monitor, detect, analyze, and respond to cybersecurity threats using SIEM, SOAR, EDR/XDR, and threat intelligence tools.

How many questions are on the CCOA exam?

The CCOA has 115 questions to complete in 150 minutes. The exam blends multiple-choice questions with hands-on performance-based items and scenario-driven questions. The passing score is 450 on a scale of 200-800 (equivalent to approximately 70% scaled).

What is the largest CCOA domain?

Incident Detection and Response is the largest domain at approximately 28% of exam content. It covers SIEM operations (Splunk, Microsoft Sentinel, QRadar, Elastic), SOAR playbooks, log analysis, NIST 800-61 incident response lifecycle, and IOC/IOA triage. Candidates should prioritize this domain in their study plan.

How much does the CCOA exam cost?

The CCOA exam fee is $575 for ISACA members and $760 for non-members. ISACA professional membership costs approximately $135/year (plus a local chapter fee), so membership typically pays for itself on the first exam attempt. The exam is administered globally by PSI at authorized testing centers and via online proctoring.

How long is the CCOA certification valid?

CCOA certification is valid for 3 years. Holders must earn Continuing Professional Education (CPE) credits annually and pay an ISACA maintenance fee to keep the credential active. CPE requirements align with ISACA's other certifications (CISM, CISA, CRISC).

How should I prepare for the CCOA exam?

Plan for 80-120 hours of focused study over 8-12 weeks. Prioritize Incident Detection and Response (28%) and Technology Essentials (22%). Hands-on lab time with a SIEM (Splunk Free, Microsoft Sentinel trial), Wireshark, Sysmon, and Volatility is essential. Review MITRE ATT&CK techniques, NIST 800-61, and STIX/TAXII. Complete 200+ practice questions scoring 80%+ before scheduling.