
100+ Free Checkmarx CxCE Practice Questions

Checkmarx Certified Engineer (CxCE) - Application Security practice questions are available now; exam metadata is being verified.


2026 Statistics

Key Facts: Checkmarx CxCE Exam

Multiple choice: The CxCE certification exam is a multiple-choice assessment delivered in the Checkmarx Learning Center. (Source: Checkmarx - Certified Engineer (CxCE))

CxSAST: Static Application Security Testing is the core focus, including scan configuration, CxQL queries and results triage. (Source: Checkmarx - Certified Engineer (CxCE))

Checkmarx One: Unified cloud platform combining SAST, SCA, IaC Security/KICS and API Security. (Source: Checkmarx One Documentation)

OWASP Top 10: Application-security fundamentals on the exam map to the OWASP Top 10 and the secure SDLC. (Source: OWASP Top 10 project)

KICS: Checkmarx IaC Security is powered by the open-source KICS engine for infrastructure-as-code scanning. (Source: Checkmarx Documentation)

Not published: Checkmarx does not publish a fixed public question count, time limit or passing percentage for CxCE. (Source: Checkmarx - Certifications)

DevSecOps: Checkmarx integrates with Jenkins, GitLab, GitHub and Azure DevOps via plugins, CLI and pipeline thresholds. (Source: Checkmarx Documentation)

100: Free original CxCE practice questions provided here. (Source: OpenExamPrep)

The Checkmarx Certified Engineer (CxCE) is Checkmarx's professional certification for engineers who configure and operate its application-security platform within a secure SDLC. It is an online multiple-choice exam delivered through the Checkmarx Learning Center, weighted toward CxSAST scan configuration and results triage (projects, presets, CxQL queries, result states, false positives, best-fix location, incremental scans) plus the Checkmarx One platform (SAST, SCA, IaC Security/KICS, API Security). It also covers application-security fundamentals such as the OWASP Top 10 and how SAST differs from DAST, SCA and IAST, along with CI/CD integration via Jenkins, GitLab, GitHub and Azure DevOps and developer remediation guidance. Checkmarx does not publish a fixed public question count, time limit, passing percentage or standalone price; candidates pass the threshold set inside the Learning Center. This 100-question bank provides original practice across all of those areas with explanations for every option.

Sample Checkmarx CxCE Practice Questions

Try these sample questions to test your Checkmarx CxCE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In Checkmarx SAST, which result state should an engineer assign to a finding they have reviewed and determined is a genuine, real vulnerability that must be fixed?
A. Not Exploitable
B. Confirmed
C. To Verify
D. Proposed Not Exploitable
Explanation: Marking a result as Confirmed records that an engineer reviewed it and verified it is a real, exploitable vulnerability requiring remediation. This keeps it visible and tracked across future scans.

2. A developer marks a CxSAST finding as 'Not Exploitable' with a reason. What is the primary effect of this state on subsequent scans?
A. The finding is deleted from the database
B. The finding is suppressed and excluded from the active risk count in future scans
C. The query that produced it is disabled globally
D. The whole project is re-scanned automatically
Explanation: Not Exploitable suppresses the finding so it no longer counts toward active risk, while preserving an audit trail of who marked it and why. The result persists for the same vulnerability path on later scans.

3. In Checkmarx SAST, what is a 'preset'?
A. A saved set of CxQL queries that defines which vulnerability checks run in a scan
B. A list of user accounts allowed to view results
C. A schedule that controls when scans execute
D. A network proxy configuration for the scanner
Explanation: A preset is a named collection of CxQL queries that determines which vulnerabilities a scan looks for. Teams pick or customize presets to tune coverage and noise per project.

4. What is the core difference between Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST)?
A. SAST analyzes a running application; DAST analyzes source code
B. SAST analyzes source code without executing it; DAST tests a running application from the outside
C. Both require the application to be deployed and running
D. SAST only checks open-source libraries; DAST only checks first-party code
Explanation: SAST is white-box analysis of source or binaries without running the app, so it can run early in the SDLC. DAST is black-box testing of a deployed, running application, finding runtime and configuration issues.

5. Which Checkmarx capability is specifically designed to find vulnerabilities and license risks in open-source and third-party dependencies?
A. CxSAST
B. SCA (Software Composition Analysis)
C. KICS
D. DAST
Explanation: Software Composition Analysis (SCA) inventories open-source and third-party components, flags known CVEs, and reports license obligations. It complements SAST, which analyzes first-party source code.

6. In a CxSAST data-flow result, the 'source' and 'sink' represent which two points?
A. The first and last lines of the file
B. Where untrusted data enters the application and where it is dangerously used
C. The login and logout endpoints
D. The scan start and scan end timestamps
Explanation: In taint analysis the source is where untrusted/tainted data enters (e.g. user input), and the sink is where that data reaches a dangerous operation (e.g. a SQL query). The attack vector traces the flow between them.

7. Why is the 'best-fix location' that CxSAST identifies in an attack vector useful to a developer?
A. It is the line with the most comments
B. It is a single node where a fix can remediate the vulnerability, often resolving multiple flows at once
C. It is the line that runs fastest
D. It marks where the scan should be paused
Explanation: The best-fix location is the optimal node in the data flow to apply a remediation, such as adding input validation or output encoding. Fixing there can close many converging attack vectors with a single change.

8. Which OWASP Top 10 category does a SQL injection vulnerability fall under in the OWASP Top 10 (2021)?
A. A01: Broken Access Control
B. A03: Injection
C. A07: Identification and Authentication Failures
D. A09: Security Logging and Monitoring Failures
Explanation: SQL injection is part of A03: Injection in the OWASP Top 10 (2021), which also covers command, LDAP and other injection flaws caused by unsanitized input reaching an interpreter.

9. An engineer wants Checkmarx to scan Terraform and Kubernetes manifests for misconfigurations. Which Checkmarx engine performs this?
A. SAST
B. IaC Security powered by KICS
C. SCA
D. API Security
Explanation: Checkmarx IaC Security is powered by the open-source KICS engine, which scans infrastructure-as-code such as Terraform, Kubernetes, CloudFormation and Dockerfiles for security misconfigurations.

10. What is the main benefit of running an incremental scan in CxSAST instead of a full scan?
A. It scans the entire codebase from scratch every time
B. It scans only code that changed since the last full scan, reducing scan time
C. It disables all queries to finish faster
D. It only scans third-party libraries
Explanation: An incremental scan analyzes only the files changed since the previous full/baseline scan, dramatically reducing scan time. This makes it well suited to fast CI/CD feedback, with periodic full scans for completeness.

About the Checkmarx CxCE Practice Questions

Verified exam format metadata for Checkmarx Certified Engineer (CxCE) - Application Security is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.