100+ Free CCFH Practice Questions

Pass your CrowdStrike Certified Falcon Hunter (CCFH) exam on the first try — instant access, no signup required.

Key Facts: CCFH Exam

  • Exam questions: 60 (source: CrowdStrike, CCFH-202)
  • Exam duration: 90 min (source: CrowdStrike)
  • Exam fee: $250 (source: CrowdStrike)
  • Cert valid: 3 years (source: CrowdStrike)
  • Delivery: Pearson VUE (source: CrowdStrike)
  • Free practice questions: 100 (source: OpenExamPrep)

The CCFH (CCFH-202) exam targets the investigative analyst performing detection analysis, machine timelining, event search, insider-threat investigations, and proactive threat hunting on the CrowdStrike Falcon platform. It is delivered via Pearson VUE, costs $250 per attempt, runs ~90 minutes, and covers Event Search (FQL), Investigate App pivots, Process Tree analysis, Real Time Response, MITRE ATT&CK mapping, Custom IOAs, OverWatch leads, Falcon X intelligence, and Falcon Identity Threat Protection. The credential is valid for three years.

Sample CCFH Practice Questions

Try these sample questions to test your CCFH exam readiness. Each question includes a detailed explanation. Start the interactive quiz for the full 100+ question experience with AI tutoring.

1. Which CrowdStrike Falcon module is specifically designed for proactive threat hunting performed by human analysts on top of the Falcon platform telemetry?
A. Falcon Prevent
B. Falcon Discover
C. Falcon OverWatch
D. Falcon Spotlight
Explanation: Falcon OverWatch is CrowdStrike's managed threat hunting service. OverWatch threat hunters work 24/7 on top of the Falcon platform, looking for human-led adversary activity that automated detections may miss. CCFH analysts are expected to know that OverWatch complements (and does not replace) the in-house hunter's own work in the Falcon console.

2. A hunter pivots from a suspicious detection to view every event the sensor recorded for that host in chronological order. Which Falcon investigation view is being used?
A. Bulk Domain Search
B. Process Explorer
C. Host Search
D. Machine Timeline
Explanation: The Machine Timeline (Host Timeline) shows a chronologically ordered stream of every event the sensor produced for a single host: process executions, network connections, file writes, DNS requests, etc. It is one of the most-used hunting surfaces in the CCFH curriculum because it lets the hunter reconstruct attacker activity end-to-end on one endpoint.
3. Which statement best describes the CrowdStrike concept of an Indicator of Attack (IOA)?
A. A static file hash, IP, or domain associated with known malware
B. A behavior or sequence of behaviors that indicates adversary intent regardless of the tools used
C. A vulnerability identifier (CVE) associated with an adversary group
D. A YARA rule shared by an ISAC
Explanation: An IOA describes the behavior of an attacker, the sequence of actions that indicates intent, and is independent of the specific binary, hash, or infrastructure used. CrowdStrike emphasizes IOAs because adversaries change tools and IOCs constantly, but the underlying TTPs change much more slowly. IOCs are static artifacts (hashes, IPs, domains).
4. In the Falcon Event Search workbench, which query language is used to filter and pivot through events?
A. KQL (Kusto Query Language)
B. FQL (Falcon Query Language), the SPL-style syntax used by Event Search
C. EQL (Event Query Language)
D. OQL (Open Query Language)
Explanation: Event Search uses Falcon's SPL-style query language, commonly referred to as Falcon Query Language (FQL), which supports search/where/stats/table/eval pipes similar to Splunk SPL. Hunters chain pipes such as `event_simpleName=ProcessRollup2 | stats count by FileName`. KQL is Microsoft Sentinel/Azure; EQL is Elastic.

5. A hunter wants to find every host that contacted a specific suspicious second-level domain over the last 7 days, including hosts where no detection fired. Which built-in Falcon search is the most efficient first step?
A. Detections page filter
B. Bulk Domain Search
C. Hash Search
D. Spotlight Vulnerability Search
Explanation: Bulk Domain Search lets hunters submit one or many domains and return every host that resolved or connected to them across the configured retention window, even when no detection fired. It is the canonical pivot when starting an investigation from a suspicious domain IOC.

6. Which MITRE ATT&CK tactic best categorizes an adversary using `whoami`, `net group "domain admins"`, and `systeminfo` shortly after gaining a shell?
A. Initial Access
B. Execution
C. Discovery
D. Exfiltration
Explanation: Commands like `whoami`, `net group`, `net user`, `systeminfo`, `nltest`, and `tasklist` are classic Discovery (TA0007) techniques: the adversary is enumerating the local environment, accounts, and domain to plan next steps. CCFH hunters routinely build hypotheses around bursts of native Windows discovery commands launched from non-administrative parents.

7. When triaging a detection in the Falcon console, which view shows the full parent-to-child execution lineage of the suspicious process?
A. Hash Search
B. Process Tree (Process Explorer)
C. Bulk Domain Search
D. Detections Dashboard
Explanation: The Process Tree (Process Explorer) visualises the parent process, the suspicious process itself, and all child processes, including command lines, signers, and IOA tags. Reading the tree top-down to identify the true root cause (often a phishing-launched Office app or browser) is one of the core CCFH skills.
8. A hunter needs to retrieve a suspicious binary from an endpoint for sandbox analysis while preserving evidence. Which Real Time Response (RTR) command transfers the file from the host to the Falcon cloud?
A. put
B. get
C. runscript
D. mv
Explanation: RTR's `get` command uploads a file from the endpoint to the Falcon cloud, where the responder can download it from the session for offline analysis. `put` is the opposite direction (push a file to the host). Using `get` is the standard way CCFH analysts retrieve potentially malicious binaries safely.
9. Which RTR command lists currently running processes on a target endpoint?
A. ls
B. ps
C. netstat
D. kill
Explanation: `ps` lists running processes (PID, parent PID, image name, user) on Windows, macOS, and Linux endpoints inside an RTR session. Hunters routinely combine `ps`, `netstat`, and `ls` to triage live activity before deciding whether to `kill` a process or contain the host.

10. Which Falcon module enriches investigations with adversary attribution, malware family information, and TTP intelligence reports?
A. Falcon Spotlight
B. Falcon Discover
C. Falcon X / Falcon Intelligence
D. Falcon Identity Threat Protection
Explanation: Falcon X (now branded Falcon Intelligence) provides finished intelligence: adversary profiles (BEAR, PANDA, SPIDER, etc.), malware family analyses, indicator enrichment, and a built-in sandbox. Hunters use it to confirm that a hash, domain, or TTP matches known adversary tradecraft.

About the CCFH Exam

The CrowdStrike Certified Falcon Hunter (CCFH) validates an investigative analyst's ability to perform deeper detection analysis and response, machine timelining, event-related search queries (FQL), insider-threat investigations, and proactive threat hunting using the CrowdStrike Falcon platform. Hunters are expected to fluently use Event Search, the Investigate App, Process Tree analysis, Hash Search, Bulk Domain Search, Real Time Response, MITRE ATT&CK mapping, Custom IOAs, OverWatch leads, and Falcon X / Falcon Identity Threat Protection / NG-SIEM signals.

  • Questions: 60 scored questions
  • Time limit: 90 minutes
  • Passing score: Set by CrowdStrike (not publicly disclosed)
  • Exam fee: $250 (CrowdStrike University, delivered via Pearson VUE)

CCFH Exam Content Outline

  • Threat Hunting Methodology & MITRE ATT&CK (30%): Hypothesis-driven hunting, IOC vs anomaly vs TTP-based hunts, mapping detections and hunts to MITRE ATT&CK tactics and techniques, and OverWatch lead handling
  • Event Search (FQL) & Investigation Tools (25%): Falcon Query Language pipes (search, eval, stats, dc, table), Investigate App, Hash Search, Bulk Domain Search, Process Tree, Machine Timeline, and field reference (aid, CommandLine, ProcessRollup2)
  • Detection Analysis & Custom IOAs (20%): Triaging detections, severity, pattern_disposition, parent/child analysis, LOLBin tradecraft, and authoring durable Custom IOAs from mature hunts
  • Real Time Response for Hunters (15%): RTR commands (cd, ls, ps, netstat, runscript, get, put, kill, mv, mkdir), evidence preservation order, and Response Scripts & Files library usage
  • Falcon X, Identity Threat Protection & NG-SIEM (10%): Adversary attribution (BEAR/PANDA/SPIDER/CHOLLIMA/KITTEN/JACKAL), Falcon Sandbox, Identity-side hunting (NTLM/Kerberos), and NG-SIEM correlation across third-party logs

How to Pass the CCFH Exam

What You Need to Know

  • Passing score: Set by CrowdStrike (not publicly disclosed)
  • Exam length: 60 questions
  • Time limit: 90 minutes
  • Exam fee: $250

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CCFH Study Tips from Top Performers

1. Live in Event Search: write FQL daily against ProcessRollup2, DnsRequest, NetworkConnectIP4, and FileWritten until aggregations like `stats dc(aid) by CommandLine` are second nature
2. Memorize the Investigate App pivots (Hash Search, Bulk Domain Search, Process Tree, Machine Timeline) and the question each one answers fastest
3. Learn the RTR command palette by purpose (cd, ls, ps, netstat, runscript, get, put, kill, mv, mkdir) and the evidence-preservation order: get → record → kill
4. Map every hunt and detection to MITRE ATT&CK tactics and techniques; coverage thinking is heavily tested
5. Practice writing testable hypotheses that name the TTP, the artifact, and the telemetry source; vague hypotheses are wrong answers on this exam
6. Know CrowdStrike's adversary naming convention: BEAR (Russia), PANDA (China), KITTEN (Iran), CHOLLIMA (North Korea), SPIDER (eCrime), JACKAL (hacktivist)
7. Productionise hunts into Custom IOAs and Workflows; the exam treats codifying findings as the final step of a successful hunt
8. Remember sensor health prerequisites: hosts in Reduced Functionality Mode (RFM) produce reduced telemetry and can create false negatives in fleet-wide hunts
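As an added illustration (not code from the original page or from CrowdStrike's own tooling) of the `stats dc(aid) by CommandLine` aggregation in study tip 1 and the Discovery-burst hypothesis from sample question 6, the following Python emulates both over constructed ProcessRollup2-shaped records. The records, their timestamps, the `ts` field name and the `DISCOVERY_BINARIES` set are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Falcon ProcessRollup2 events. The field
# names (aid, FileName, CommandLine, ParentBaseFileName) follow the page's field
# reference; the values and the "ts" timestamp field are invented for this example.
_FIELDS = ("aid", "ts", "FileName", "CommandLine", "ParentBaseFileName")
EVENTS = [dict(zip(_FIELDS, r)) for r in [
    ("host-A", "2024-03-01T10:00:00", "whoami.exe", "whoami", "powershell.exe"),
    ("host-A", "2024-03-01T10:00:20", "net.exe", 'net group "domain admins" /domain', "cmd.exe"),
    ("host-A", "2024-03-01T10:00:45", "systeminfo.exe", "systeminfo", "cmd.exe"),
    ("host-B", "2024-03-01T11:00:00", "whoami.exe", "whoami", "explorer.exe"),
    ("host-C", "2024-03-01T12:00:00", "whoami.exe", "whoami", "cmd.exe"),
    ("host-C", "2024-03-01T12:30:00", "systeminfo.exe", "systeminfo", "cmd.exe"),
]]

# Native Windows binaries the page lists as classic Discovery (TA0007) tooling.
DISCOVERY_BINARIES = {"whoami.exe", "net.exe", "net1.exe", "systeminfo.exe",
                      "nltest.exe", "tasklist.exe"}


def dc_aid_by_commandline(events):
    """Emulate `stats dc(aid) by CommandLine`: distinct host count per command
    line. A command line seen on only a handful of hosts is a natural hunting lead."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["CommandLine"]].add(e["aid"])
    return {cl: len(aids) for cl, aids in hosts.items()}


def discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Hypothesis from question 6: at least `min_distinct` different Discovery
    binaries run on one host inside `window`. Returns {aid: {binaries, parents}}
    so the hunter can check the parents for non-administrative launch points."""
    per_host = defaultdict(list)
    for e in events:
        name = e["FileName"].lower()
        if name in DISCOVERY_BINARIES:
            per_host[e["aid"]].append(
                (datetime.fromisoformat(e["ts"]), name, e["ParentBaseFileName"]))
    hits = {}
    for aid, rows in per_host.items():
        rows.sort()  # slide the window over this host's own timeline
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            names = {r[1] for r in in_win}
            if len(names) >= min_distinct:
                hits[aid] = {"binaries": sorted(names),
                             "parents": sorted({r[2] for r in in_win})}
                break
    return hits
```

Only host-A trips the default five-minute, three-binary threshold; host-C ran two discovery binaries half an hour apart, which the window correctly ignores.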

Frequently Asked Questions

What is the CCFH exam format?

The CCFH (CCFH-202) is a closed-book proctored exam delivered through Pearson VUE on behalf of CrowdStrike University. CrowdStrike's published guidance indicates approximately 60 questions in 90 minutes, focused on investigation, hunting, and detection analysis using the Falcon platform.

How much does the CCFH exam cost?

The CCFH attempt fee is $250 USD per appointment via Pearson VUE. Recommended preparation includes the Falcon Hunter (CFCH/CCFH-202) training through CrowdStrike University and at least 6 months of hands-on Falcon platform experience.

How long is CCFH valid for?

The CrowdStrike Certified Falcon Hunter credential is valid for 3 years from the date of issue. Recertification requires retaking the current exam (CCFH-202) before expiration.

How does CCFH compare to CCFA and CCFR?

CCFA (Administrator) focuses on platform configuration and policy. CCFR (Responder) focuses on incident response. CCFH (Hunter) goes deepest on Event Search (FQL), pivot/investigation workflows, MITRE ATT&CK-driven hunting, and proactive detection analysis.

What hands-on skills should I have before sitting CCFH?

You should be comfortable with FQL queries against ProcessRollup2, DnsRequest, NetworkConnectIP4, FileWritten, and UserLogon events; using the Investigate App, Hash Search, Bulk Domain Search, Process Tree, and Machine Timeline; running Real Time Response sessions; mapping detections to MITRE ATT&CK; and authoring Custom IOAs from a hunting hypothesis.