
100+ Free CCIS Practice Questions

Pass your CrowdStrike Certified Identity Specialist (CCIS) exam on the first try — instant access, no signup required.


Key Facts: CCIS Exam

  • Exam Questions: 60 (CrowdStrike CCIS Exam Guide)
  • Exam Duration: 90 min (CrowdStrike CCIS Exam Guide)
  • Exam Fee: $250 (CrowdStrike / Pearson VUE)
  • Cert Validity: 3 years (CrowdStrike Certification Program)
  • Exam Domains: 12 (CCIS Exam Guide, Mar 2026)
  • Free Practice Qs: 100 (OpenExamPrep)

The CCIS is CrowdStrike's identity-focused certification, targeting IAM administrators and identity-threat analysts who run Falcon Identity Protection. It is a 60-question, 90-minute Pearson VUE exam (online or test center) with a $250 attempt fee and a 3-year recertification cycle. The exam covers 12 domains: Zero Trust, identity tenets, Falcon Identity Protection fundamentals, Domain Security Assessment, risk and user assessment, threat hunting, policy rules, configuration and connectors, MFA/IDaaS, Falcon Fusion, and the GraphQL API. CrowdStrike does not publish the passing score or pass rate.

Sample CCIS Practice Questions

Try these sample questions to test your CCIS exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which NIST publication defines the canonical Zero Trust Architecture model that Falcon Identity Protection aligns with?
A. NIST SP 800-53
B. NIST SP 800-207
C. NIST SP 800-171
D. NIST CSF 2.0
Explanation: NIST Special Publication 800-207, published in August 2020, defines Zero Trust Architecture (ZTA). It establishes the policy decision point / policy enforcement point model and the seven tenets of Zero Trust that Falcon Identity Protection is designed to operationalize for identity.
2. Which statement best summarizes the core Zero Trust principle that drives identity-based access decisions?
A. Trust the internal network and verify only external connections
B. Verify explicitly, use least privilege, and assume breach
C. Encrypt all traffic and skip authentication on trusted hosts
D. Allow domain admins implicit trust for management actions
Explanation: Microsoft, NIST SP 800-207, and CrowdStrike all summarize Zero Trust as 'verify explicitly, enforce least privilege, and assume breach.' Each access request is evaluated against current signals; no implicit trust is granted based on network location or prior session.
3. In the NIST SP 800-207 reference model, which logical component makes the actual access decision for a request?
A. Policy Enforcement Point (PEP)
B. Policy Decision Point (PDP)
C. Identity Provider (IdP)
D. Resource Owner
Explanation: The Policy Decision Point evaluates trust signals (identity, device posture, behavior, threat intelligence) and produces the allow/deny decision. The PEP merely enforces it on the data plane.
4. Which Zero Trust tenet directly justifies challenging a user with MFA even after they have an active Kerberos TGT?
A. Trust is granted only after the first authentication of the day
B. Authentication and authorization are dynamic and strictly enforced before access is allowed
C. Network segments are inherently trusted once joined to the domain
D. All assets in the same VLAN share the same trust level
Explanation: NIST SP 800-207 states that authentication and authorization to a resource are dynamic and strictly enforced before access. A valid TGT is not enough; per-request signals (risk, device, behavior) drive a fresh decision, including step-up MFA.
5. Which list correctly enumerates pillars commonly cited in Zero Trust architectures (CISA Zero Trust Maturity Model)?
A. Identity, Device, Network, Application/Workload, Data
B. People, Process, Technology, Compliance, Audit
C. Endpoint, Server, Cloud, SaaS, Hybrid
D. Confidentiality, Integrity, Availability, Authenticity, Non-repudiation
Explanation: The CISA Zero Trust Maturity Model defines five pillars: Identity, Device, Network/Environment, Application & Workload, and Data, supported by cross-cutting capabilities of Visibility & Analytics, Automation & Orchestration, and Governance.
6. Why is identity considered the new perimeter in modern Zero Trust deployments?
A. Firewalls have been deprecated by major vendors
B. Workforce, SaaS, and hybrid cloud have dissolved the network boundary, leaving the user/service identity as the consistent anchor
C. Most attacks now target Layer 1 hardware
D. Antivirus signatures cover identity-based threats automatically
Explanation: With remote work, BYOD, SaaS, and multi-cloud, traffic no longer flows through a single perimeter. The identity (human or service) is the only consistent attribute that follows the request, so it becomes the unit of policy enforcement.
7. Which sentence most accurately describes how Falcon Identity Protection extends Zero Trust to legacy Active Directory?
A. It replaces Active Directory with a SaaS-only directory
B. It inserts conditional access and risk-based policy enforcement at AD authentication time (Kerberos, NTLM, LDAP) without changing application code
C. It encrypts the AD database at rest
D. It rewrites Group Policy Objects to remove privileged accounts
Explanation: Falcon Identity Protection sits in the AD authentication path and enforces dynamic policy on Kerberos, NTLM, and LDAP traffic, allowing legacy applications to participate in Zero Trust without modification.
8. Which scenario is the WEAKEST justification for adopting a Zero Trust approach to identity?
A. Frequent lateral movement using stolen credentials inside the perimeter
B. Increasing use of SaaS and unmanaged devices
C. A desire to remove all multi-factor authentication prompts
D. Service accounts with high privileges and weak monitoring
Explanation: Zero Trust typically introduces more contextual MFA, not less. Removing MFA prompts is contrary to the 'verify explicitly' tenet. The other options are classic ZT drivers.
9. Which capability is foundational to the Identity Protection tenet of 'continuous visibility into all identities'?
A. Signature-based antivirus on endpoints
B. An authoritative inventory of human, service, and shared accounts across AD and Entra ID
C. Quarterly password expiry policies
D. Disabling SMB on member servers
Explanation: You cannot protect identities you cannot see. Falcon Identity Protection builds and continuously updates a unified inventory of users, service accounts, shared accounts, and privileged objects across Active Directory and Entra ID.
10. Which Identity Protection tenet is BEST illustrated by reducing the privileges granted to a service account from Domain Admin to a delegated GMSA scoped to one server?
A. Threat intelligence sharing
B. Least privilege
C. Geographic redundancy
D. Tamper-resistant logging
Explanation: Right-sizing privileges for service accounts and using Group Managed Service Accounts (GMSA) with delegated access is a textbook least-privilege control, a core Identity Protection tenet.

About the CCIS Exam

The CrowdStrike Certified Identity Specialist (CCIS) validates an analyst's or administrator's ability to manage domain security and identity-based threats using Falcon Identity Protection (CrowdStrike's Identity Threat Detection and Response platform, formerly Preempt). Candidates are expected to fluently apply NIST SP 800-207 Zero Trust principles to Active Directory and Microsoft Entra ID, deploy and tune Falcon Identity Protection sensors and connectors, interpret Domain Security Assessment findings, score and tune identity risk, hunt classic AD attacks (Pass-the-Hash, Kerberoasting, Golden/Silver Tickets, DCSync), design policy rules with conditional-access actions including step-up MFA via supported IDaaS providers, build Falcon Fusion playbooks, and use the Identity Protection GraphQL API.

Assessment

Approximately 60 multiple-choice questions covering Zero Trust, Identity Protection tenets, Falcon Identity Protection fundamentals, Domain Security Assessment, risk and user assessment, threat hunting, policy rules, configuration and connectors, MFA/IDaaS, Falcon Fusion, and the GraphQL API.

Time Limit

90 minutes

Passing Score

Set by CrowdStrike (not publicly disclosed)

Exam Fee

$250 (CrowdStrike / Pearson VUE)

CCIS Exam Content Outline

  • Zero Trust Architecture (8%): NIST SP 800-207 ZTA model, ZT tenets (verify explicitly, least privilege, assume breach), CISA ZT pillars (Identity, Device, Network, Application, Data), and how Falcon Identity Protection enforces ZT at the AD/Entra ID layer.
  • Identity Protection Tenets (8%): Continuous identity visibility, least privilege, dynamic risk evaluation, automated response, and identity-as-perimeter principles for human, service, and shared accounts.
  • Falcon Identity Protection Fundamentals (8%): Origin (Preempt acquired 2020 → Falcon Identity Protection / ITDR), domain controller sensor placement with passive monitoring of LDAP/Kerberos/NTLM/DNS/RPC, hybrid AD + Microsoft Entra ID coverage, and console areas (Detections, Risk, Threat Hunting, Policy, Configuration).
  • Domain Security Assessment (8%): Reviewing AD authentication hygiene: NTLMv1 acceptance, LDAP signing/channel binding, anonymous LDAP bind, Kerberos pre-authentication misconfigurations, SMB signing, weak ciphers (RC4-HMAC), unconstrained delegation, and krbtgt rotation.
  • Risk Assessment (8%): Composite, dynamic identity risk scoring across users, endpoints, and accounts; risk factor weighting; risk tuning with scoped exceptions; risk-aware policy enforcement.
  • User Assessment (8%): Privileged users (Domain Admins, Tier 0), service accounts, dormant/shared/generic accounts, password hygiene flags (PasswordNotRequired, password never expires), and gMSA modernization.
  • Threat Hunting & Investigation (9%): Hunting Pass-the-Hash, Kerberoasting, AS-REP roasting, Golden and Silver Tickets, DCSync, lateral movement, RC4 spikes, anomalous logons, and pivoting via entity timelines.
  • Risk Management with Policy Rules (8%): Designing conditional-access style policy rules with allow, audit, deny, and MFA-challenge actions; staged rollout from audit to enforce; risk-aware conditions; break-glass exclusions.
  • Configuration & Connectors (8%): DC sensor prerequisites, Falcon cloud connectivity, Microsoft Entra ID connector, detection tuning workflows, scoped exception management, change management, and post-deployment validation.
  • MFA & IDaaS Configuration Basics (9%): MFA factors (FIDO2/WebAuthn, push with number matching, OTP, SMS), the MFA Connector and RADIUS-based MFA for legacy apps, IDaaS integrations (Duo, Okta, Microsoft Authenticator), enrollment, and protections against MFA fatigue.
  • Falcon Fusion for Identity Protection (9%): Fusion SOAR triggers (detections, alerts, schedules), identity playbooks (auto-disable account, force MFA reset, isolate host, krbtgt rotation runbook), break-glass exclusions, and cross-module response with Falcon Insight and NG-SIEM.
  • GraphQL API (9%): Identity Protection GraphQL queries (entities, detections, policies) and mutations (resolve, act), OAuth2 client-credentials flow with JWT bearer tokens, filtering and pagination, API credential hygiene, and CI/CD gating patterns.

How to Pass the CCIS Exam

What You Need to Know

  • Passing score: Set by CrowdStrike (not publicly disclosed)
  • Assessment: Approximately 60 multiple-choice questions covering Zero Trust, Identity Protection tenets, Falcon Identity Protection fundamentals, Domain Security Assessment, risk and user assessment, threat hunting, policy rules, configuration and connectors, MFA/IDaaS, Falcon Fusion, and the GraphQL API.
  • Time limit: 90 minutes
  • Exam fee: $250

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CCIS Study Tips from Top Performers

1. Read NIST SP 800-207 cover to cover and map each ZT tenet to a Falcon Identity Protection capability before memorizing console clicks
2. Practice the 'who/where/what/risk' shape of every policy rule — user/group, source, target, protocol, risk level, and action — until it is reflexive
3. Drill the AD attack family until you can write a one-paragraph hunt for each: Pass-the-Hash, Kerberoasting, AS-REP roasting, Golden Ticket, Silver Ticket, DCSync
4. Memorize the Domain Security Assessment hot list: NTLMv1 acceptance, LDAP signing, anonymous bind, Kerberos pre-auth disabled, SMB signing, RC4 prevalence, krbtgt rotation, unconstrained delegation
5. Treat MFA design as a system: factor type (FIDO2 > push-with-number-matching > OTP > SMS), enrollment + fallback, legacy-protocol bypass closure, fatigue protection
6. Prototype at least one Falcon Fusion identity playbook (e.g., auto-disable + force MFA + notify) and walk through break-glass exclusions and dry-run validation

Frequently Asked Questions

What is the CCIS exam format?

The CrowdStrike Certified Identity Specialist (CCIS) is a closed-book proctored exam delivered via Pearson VUE (test center or OnVUE) on behalf of CrowdStrike University. CrowdStrike's exam guide indicates approximately 60 multiple-choice questions in 90 minutes, covering Falcon Identity Protection across 12 domains including Zero Trust, AD posture, risk, hunting, policy, MFA, Fusion, and the GraphQL API.

How much does the CCIS exam cost?

The CCIS attempt fee is $250 USD per appointment via Pearson VUE. Recommended preparation includes the Falcon Identity Protection training through CrowdStrike University and hands-on time with the Falcon Identity Protection console covering AD and Microsoft Entra ID.

What is the CCIS passing score?

CrowdStrike does not publicly disclose the CCIS passing score or pass-rate statistics. Plan to be comfortable across all 12 exam domains rather than targeting a specific cut score, and aim for consistent 80%+ on full-length practice attempts before scheduling.

How long is the CCIS credential valid?

The CrowdStrike Certified Identity Specialist credential is valid for 3 years from the date of issue. Recertification requires passing the current CCIS exam (or a higher-tier identity credential where applicable) before the expiration date.

Who should take the CCIS?

CCIS is targeted at identity and access management (IAM) administrators, identity-threat analysts, and policy/access administrators who operate Falcon Identity Protection (formerly Preempt). It validates ability to manage domain security with identity-based controls, administer policy rules, automate identity threat response, and manage risk across the authentication landscape.

What hands-on skills should I have before sitting CCIS?

You should be comfortable with NIST SP 800-207 Zero Trust principles, AD authentication (Kerberos, NTLM, LDAP), Microsoft Entra ID basics, Falcon Identity Protection sensor and connector setup, the Domain Security Assessment, risk-tuning workflows, identity threat hunts (Pass-the-Hash, Kerberoasting, Golden/Silver Tickets, DCSync), policy rule design with MFA challenge, Falcon Fusion playbooks, and the Falcon Identity Protection GraphQL API with OAuth2/JWT auth.

Is the CCIS the same as CCFA, CCFH, or CCFR?

No. CCFA (Administrator) is platform configuration and policy, CCFH (Hunter) goes deepest on Event Search/FQL hunting, and CCFR (Responder) focuses on incident response. CCIS is the identity-focused specialist track centered on Falcon Identity Protection (Identity Threat Detection and Response) for AD and Entra ID.