200+ Free CND Practice Questions

Pass your Certified Network Defender (CND) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
2026 Statistics

Key Facts: CND Exam

  • Exam Questions: 100 (EC-Council)
  • Exam Duration: 4 hours (EC-Council)
  • Cut Score Range: 60%-85% (EC-Council)
  • RPS Voucher: $550 (EC-Council Store)
  • Pearson VUE Voucher: $650 (EC-Council Store)
  • Renewal Requirement: 120 ECEs (3-year cycle)

The CND (Certified Network Defender) exam has 100 multiple-choice questions in 4 hours. EC-Council's current public blueprint weights the exam across 8 domains: Network Defense Management (10%), Network Perimeter Protection (10%), Endpoint Protection (20%), Application and Data Protection (10%), Enterprise Virtual, Cloud, and Wireless Network Protection (15%), Incident Detection (10%), Incident Response (10%), and Incident Prediction (15%). Self-study candidates need approved eligibility and a $100 application fee before buying a voucher.

Sample CND Practice Questions

Try these sample questions to test your CND exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. A sudden flood of TCP SYN packets is exhausting a public web server's connection table. Which attack is MOST likely occurring?
A. SYN flood
B. DNS cache poisoning
C. ARP spoofing
D. SQL injection
Explanation: A SYN flood abuses the TCP three-way handshake by creating large numbers of half-open connections. That consumes server or firewall state-table resources and can make the service unavailable to legitimate users.

2. Which statement BEST describes defense in depth?
A. Using one perimeter firewall as the primary security control
B. Applying multiple layered controls so that one failure does not expose the entire environment
C. Encrypting every packet on the network with the same shared key
D. Blocking all outbound traffic from user workstations
Explanation: Defense in depth means building overlapping preventive, detective, and corrective controls at different layers. If one control fails, other controls still reduce the chance of compromise or limit impact.

3. An attacker sends a targeted email to a finance employee with a fake invoice link that leads to a credential-harvesting site. Which attack category BEST fits this scenario?
A. Spear phishing
B. Wardriving
C. Bluejacking
D. DNS tunneling
Explanation: Spear phishing is a targeted email-based social engineering attack aimed at a specific person or role. The attacker relies on trust and urgency to trick the user into disclosing credentials or opening malicious content.

4. A workstation becomes infected after a user opens a malicious attachment, and the malware encrypts local files before attempting lateral movement. How should this attack be classified MOST accurately?
A. Physical attack
B. Host-level attack
C. Wireless-only attack
D. Routing attack
Explanation: The malware first compromises and impacts the endpoint itself, making host-level attack classification the best fit. Even if it later spreads across the network, the immediate target and effect are at the host layer.

5. A customer portal is vulnerable because user input is inserted directly into a backend query without proper validation. Which attack type is MOST likely?
A. Pass-the-hash
B. SQL injection
C. MAC flooding
D. Smurf attack
Explanation: SQL injection occurs when untrusted input is interpreted as part of a database query. Proper parameterized queries and input validation are key controls because perimeter defenses alone may not stop this application-layer attack.

6. A company discovers that an internet-facing object storage bucket was left public and contains sensitive files. Which category BEST describes the exposure?
A. Cloud-specific attack surface
B. On-premises switch attack
C. Bluetooth exploit
D. Host BIOS compromise
Explanation: Misconfigured cloud storage is a classic cloud-specific security problem because the service is externally reachable and governed by cloud permissions. The root cause is usually identity, access, and configuration weakness rather than a traditional on-premises network exploit.

7. Employees are connecting to a rogue wireless network that impersonates the company SSID in the parking lot. Which attack is this?
A. Evil twin attack
B. Watering-hole attack
C. Rogue DHCP failover
D. SMB relay
Explanation: An evil twin is a fraudulent access point designed to look like a legitimate wireless network. Attackers use it to capture credentials, intercept traffic, or push users toward malicious content.

8. A trusted vendor's signed software update is compromised upstream and delivers malware to customers. Which type of attack does this BEST illustrate?
A. Man-in-the-browser attack
B. Supply chain attack
C. Smishing attack
D. Teardrop attack
Explanation: Supply chain attacks target the organizations, software, or services that customers already trust. Because the malicious code rides through a legitimate update path, these attacks often bypass normal user suspicion and some allowlisting assumptions.

9. Which action BEST reflects an adaptive security strategy rather than a static annual review model?
A. Keeping firewall rules unchanged until the next budget cycle
B. Updating detections and controls continuously based on telemetry, incidents, and threat changes
C. Retiring all legacy systems before implementing monitoring
D. Requiring every user to have local administrator rights for flexibility
Explanation: Adaptive security uses current observations such as alerts, incidents, vulnerabilities, and threat intelligence to tune defenses over time. Static reviews are too slow for modern attack patterns because the environment and threat landscape change constantly.

10. Why do defenders commonly map observed activity to frameworks such as MITRE ATT&CK?
A. To replace incident response documentation entirely
B. To identify coverage gaps across attacker tactics and techniques and improve detections
C. To encrypt endpoint logs before storage
D. To eliminate the need for vulnerability scanning
Explanation: MITRE ATT&CK helps defenders organize adversary behavior into tactics and techniques that can be monitored, tested, and mapped to controls. That makes it useful for gap analysis, detection engineering, and prioritizing blue-team improvements.

About the CND Exam

CND is EC-Council's blue-team network defense certification. It focuses on protecting enterprise networks through secure architecture, hardening, logging, monitoring, incident response, and threat prediction across on-prem, cloud, wireless, and IoT environments.

  • Questions: 100 scored questions
  • Time Limit: 4 hours
  • Passing Score: 60%-85% (cut score varies by exam form)
  • Exam Fee: $550 (ECC/RPS) or $650 (Pearson VUE) (EC-Council)

CND Exam Content Outline

  • Network Defense Management (10%): Attack types, defense strategies, compliance, policies, awareness, and administrative controls
  • Network Perimeter Protection (10%): Access control, cryptography, segmentation, firewalls, IDS/IPS, router and switch hardening
  • Endpoint Protection (20%): Windows, Linux, mobile, and IoT endpoint security baselines, hardening, and management
  • Application and Data Protection (10%): Application whitelisting, sandboxing, WAFs, encryption, DLP, backup, retention, and destruction
  • Enterprise Virtual, Cloud, and Wireless Network Protection (15%): Virtualization, containers, Kubernetes, cloud security controls, and wireless encryption and access security
  • Incident Detection (10%): Traffic baselining, Wireshark analysis, bandwidth monitoring, anomaly detection, and log analysis
  • Incident Response (10%): First response, incident handling, SOAR, EDR/MDR/XDR, and forensic investigation workflow
  • Incident Prediction (15%): BC/DR, risk management, attack surface reduction, and cyber threat intelligence

How to Pass the CND Exam

What You Need to Know

  • Passing score: 60%-85% (cut score varies by exam form)
  • Exam length: 100 questions
  • Time limit: 4 hours
  • Exam fee: $550 (ECC/RPS) or $650 (Pearson VUE)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CND Study Tips from Top Performers

1. Treat CND as a blue-team exam, not a penetration testing exam. Favor hardening, monitoring, containment, and recovery decisions over offensive novelty.
2. Master the Windows, Linux, mobile, and IoT endpoint controls since Endpoint Protection is the largest weighted domain at 20%.
3. Know where prevention ends and detection begins: firewall and segmentation questions are different from Wireshark, logging, and anomaly-detection questions.
4. Practice mapping controls to environments: on-prem, virtualized, cloud, wireless, mobile, and IoT all have different hardening tradeoffs.
5. Be comfortable with operational tooling such as Wireshark, centralized logging, IDS/IPS, WAF, EDR, and SOAR use cases.
6. Use the official blueprint as your study checklist and make sure you can explain why each control reduces risk, not just what the acronym stands for.

Frequently Asked Questions

What is the CND exam format?

The current EC-Council CND exam uses 100 multiple-choice questions with a 4-hour time limit. The official training page lists exam code 312-38 and the July 1, 2025 CND Candidate Handbook confirms the 100-question, 4-hour format.

What passing score do I need for CND?

EC-Council states that the CND cut score varies by exam form. On current public CND pages, the passing range is presented as 60%-85%, which reflects form-based scoring rather than a single fixed percentage for every candidate.

How much does the CND exam cost?

Current EC-Council store pricing shows the CND RPS/ECC Exam Center voucher at $550 and the CND Pearson VUE voucher at $650. If you use the self-study route instead of official training, EC-Council also requires a non-refundable $100 eligibility application fee.

What are the eligibility requirements for self-study candidates?

If you do not complete official EC-Council training, you need at least 2 years of information security work experience, an educational background reflecting information security specialization, a completed eligibility application, and the $100 non-refundable application fee. Approved applications remain valid for 3 months, and the voucher is valid for 1 year from release.

How is the CND exam weighted?

The official CND v4 blueprint weights Network Defense Management at 10%, Network Perimeter Protection at 10%, Endpoint Protection at 20%, Application and Data Protection at 10%, Enterprise Virtual/Cloud/Wireless Network Protection at 15%, Incident Detection at 10%, Incident Response at 10%, and Incident Prediction at 15%. Endpoint Protection is the single largest domain.

Were there any 2026 CND policy or blueprint changes?

As of March 11, 2026, EC-Council has not publicly posted a new CND-specific 2026 blueprint or handbook revision. The latest visible CND changes remain the CND v4 blueprint effective April 10, 2024 and the CND Candidate Handbook v6.1 issued July 1, 2025. Broader EC-Council policies still in force include optional CE auto-renewal effective October 1, 2024 and RPS rescheduling fees introduced on October 17, 2023.

How do I maintain the CND certification?

CND remains valid for 3 years. To renew, EC-Council requires 120 ECE credits within that 3-year cycle and continuing education fees under its current member policy framework.