100+ Free CyberArk Defender - Identity Practice Questions

2026 Statistics

Key Facts: CyberArk Defender - Identity Exam

  • Questions: ~65 (CyberArk Defender exam format)
  • Exam Window: 90 min (CyberArk certification program)
  • Exam Fee: $200 (Pearson VUE / CyberArk)
  • Scoring: Pass/Fail (CyberArk does not publish numeric cut score)
  • Topic Areas: 6 (Identity (Access) blueprint)
  • Idaptive Acquired: 2020 (rebranded to CyberArk Identity)

The CyberArk Defender - Identity exam (the product formerly known as Idaptive, now CyberArk Identity) is a 90-minute proctored Pearson VUE test of approximately 65 multiple-choice questions. It validates Defender-level skills across Single Sign-On with SAML, OIDC, OAuth 2.0, and WS-Federation; Multi-Factor Authentication including push, FIDO2, and OATH-OTP; Identity Connector for AD/LDAP integration; Lifecycle Management via SCIM 2.0; Workforce Password Management; Authentication Profiles and Rules; User Behavior Analytics; and audit, reporting, and Endpoint Authentication. CyberArk reports the result as pass or fail and does not publish an exact numeric cut score.

Sample CyberArk Defender - Identity Practice Questions

Try these sample questions to test your CyberArk Defender - Identity exam readiness. Each question includes a detailed explanation.

1. Which CyberArk Identity component is deployed on-premises and establishes a secure outbound connection back to the CyberArk Identity tenant so that AD or LDAP users can authenticate without opening inbound firewall ports?
A. CyberArk Identity Mobile App
B. Identity Connector
C. Cloud Directory Service
D. Privileged Session Manager
Explanation: The Identity Connector is a Windows service installed inside the corporate network that initiates an outbound TLS connection to the CyberArk Identity tenant. It brokers AD or LDAP authentication, directory queries, and federation requests so administrators do not have to expose AD over the internet or open inbound ports.
2. An administrator wants to add an internally developed web application that does not exist in the CyberArk Identity App Catalog. Which catalog template type is the BEST starting point if the app supports SAML 2.0?
A. Custom OIDC
B. Custom SAML
C. User-Password (form-fill)
D. Bookmark
Explanation: The Custom SAML template lets administrators paste the relying party's metadata or manually configure ACS URL, entity ID, signing certificate, and attribute statements when a turnkey App Catalog tile does not exist. Custom OIDC is for OAuth/OIDC apps, User-Password is password vaulting form-fill, and Bookmark only places a launcher icon with no SSO.
3. Which factor type provided by the CyberArk Identity mobile app delivers the strongest user experience for adaptive MFA by allowing one-tap approval on a registered device?
A. SMS one-time passcode
B. Push notification
C. Security questions
D. Email one-time passcode
Explanation: CyberArk Identity push notifications use the registered CyberArk Identity Mobile App and are approved with a single tap or biometric. Push is generally preferred over SMS, email, and security questions because it is more resistant to phishing than OTP delivery and does not require typing a code.
4. Where in CyberArk Identity does an administrator define WHICH set of authentication factors a user can satisfy and HOW MANY mechanisms must be presented?
A. Authentication Rule
B. Authentication Profile
C. Role Assignment
D. Identity Policy Set
Explanation: An Authentication Profile lists the available challenge mechanisms (for example, password, OTP, push, FIDO2) and how the user must respond at challenge 1 and challenge 2. Authentication Rules then decide WHICH profile to apply based on conditions like IP range, device, or risk; Role Assignments determine entitlements, not challenges.
5. An administrator wants users connecting from the corporate IP range to skip MFA but require push when on an untrusted network. What is the correct construct to express this?
A. Two separate Authentication Profiles applied via two Authentication Rules
B. A single Role with two Role Assignments
C. An OAuth scope filter
D. A SCIM filter on the connector
Explanation: Conditional access in CyberArk Identity is built by ordering Authentication Rules. Each rule matches conditions (IP zone, device managed/unmanaged, browser, day/time, risk) and points to an Authentication Profile that defines the actual factor requirements, so an inside-network rule can map to a no-MFA profile while an outside rule maps to a push-required profile.
6. Which CyberArk Identity capability uses machine learning over historical login patterns to assign a risk score (Low, Medium, High) that an Authentication Rule can act on?
A. Workforce Password Management
B. User Behavior Analytics
C. Lifecycle Management
D. App Gateway
Explanation: User Behavior Analytics (UBA) inspects signals such as new country, new device, impossible travel, time of access, and prior failure patterns to score the risk of a sign-in attempt. Authentication Rules can then route Low/Medium/High to different Authentication Profiles, which is the foundation of CyberArk Identity adaptive MFA.
7. Which directory source is built into the CyberArk Identity tenant and stores users that are NOT synced from AD or LDAP?
A. Cloud Directory
B. Federated Directory
C. Google Directory
D. Workspace Directory
Explanation: Cloud Directory is the native CyberArk Identity store used for users who do not exist in AD/LDAP, partners, or contractors. AD/LDAP users come through the on-prem Identity Connector, and Google or federated directories are external sources connected via dedicated integrations.
8. What is the recommended deployment topology for Identity Connectors in a production environment to provide high availability for AD authentication?
A. A single connector in DMZ with inbound 443 open
B. Two or more connectors per AD site, all reaching out over 443
C. One connector clustered with Active Directory
D. Connectors installed on every domain controller
Explanation: Best practice is at least two Identity Connectors per Active Directory site so that the tenant can load balance and fail over between them. Connectors initiate outbound 443 to the tenant, so no inbound firewall change is required, and they should not be installed directly on domain controllers.
9. Which protocol does CyberArk Identity use when an end user clicks a Salesforce tile from the User Portal and is signed in with no password prompt at Salesforce?
A. RADIUS
B. SAML 2.0
C. Kerberos
D. WS-Trust
Explanation: Salesforce, like most modern SaaS apps in the App Catalog, uses SAML 2.0. CyberArk Identity acts as the IdP, mints a SAML assertion containing the NameID and any required attributes, and POSTs it to Salesforce's Assertion Consumer Service URL.
10. A SaaS app supports OpenID Connect rather than SAML. Which OAuth 2.0 flow does CyberArk Identity typically use when configuring an OIDC web app in the App Catalog?
A. Resource Owner Password Credentials
B. Authorization Code
C. Client Credentials
D. Implicit
Explanation: OIDC web applications use the Authorization Code flow (often with PKCE) because it keeps tokens off the user agent and is recommended by current IETF guidance. Resource Owner Password Credentials is deprecated, Implicit is being phased out, and Client Credentials is for machine-to-machine, not user SSO.

About the CyberArk Defender - Identity Exam

The CyberArk Defender - Identity exam (formerly Defender Access, covering the product previously known as Idaptive) validates Defender-level skills for configuring and operating CyberArk Identity. It focuses on Single Sign-On (SAML 2.0, OIDC, OAuth 2.0, WS-Federation), Multi-Factor Authentication, Authentication Profiles and Rules, the Identity Connector for AD/LDAP, Lifecycle Management with SCIM provisioning, Workforce Password Management, User Behavior Analytics, Endpoint Authentication, and audit and reporting.

  • Assessment: Approximately 65 multiple-choice questions
  • Time Limit: 90 minutes
  • Passing Score: Pass/Fail (CyberArk does not publish a numeric cut score)
  • Exam Fee: $200 USD (CyberArk / Pearson VUE)

CyberArk Defender - Identity Exam Content Outline

Single Sign-On and App Catalog (~25%)

Add and configure App Catalog tiles using SAML 2.0, OIDC, OAuth 2.0, WS-Federation, and User-Password (Workforce Password Management) templates; configure attribute mapping, NameID, signing certificates, and IdP/SP-initiated flows.

Multi-Factor Authentication and Adaptive MFA (~20%)

Build Authentication Profiles and Authentication Rules; enroll factors like push, FIDO2/WebAuthn, OATH-OTP, SMS, voice, email, and security questions; tune User Behavior Analytics risk to drive step-up authentication.

Identity Connector and Directory (~15%)

Deploy Identity Connectors with outbound 443, integrate AD and LDAP, enable Kerberos/IWA, RADIUS bridging, and manage Cloud Directory users and custom attributes.

Lifecycle Management and Provisioning (~15%)

Configure inbound HR SCIM, outbound app provisioning via SCIM 2.0 to apps like Salesforce, Box, Slack, and Microsoft 365; build joiner/mover/leaver and access request workflows.

Roles, Policies, and Self-Service (~15%)

Build static, manual, and dynamic roles; assign apps and admin rights with least privilege; enable self-service password reset and account unlock; tune sessions in policy sets.

Audit, Reporting, and Endpoint Authentication (~10%)

Stream audit events to SIEM, generate entitlement and risk reports, and protect Windows or Mac workstation login with Endpoint Authentication and FIDO2-backed passwordless flows.

How to Pass the CyberArk Defender - Identity Exam

What You Need to Know

  • Passing score: Pass/Fail (CyberArk does not publish a numeric cut score)
  • Assessment: Approximately 65 multiple-choice questions
  • Time limit: 90 minutes
  • Exam fee: $200 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CyberArk Defender - Identity Study Tips from Top Performers

1. Treat Single Sign-On as the largest topic area: practice SAML 2.0, OIDC Authorization Code, OAuth Client Credentials, and WS-Fed end to end.
2. Memorize the Authentication Profile / Authentication Rule split; profiles define WHICH factors, rules decide WHEN to apply them.
3. Know the Identity Connector heartbeat path: outbound TLS 443 from on-prem connector to the tenant; deploy at least two per AD site.
4. Practice the Lifecycle Management flow inbound (HR SCIM) and outbound (Salesforce/Box/Slack/M365 SCIM) including attribute mapping and expressions.
5. Know how UBA risk (Low / Medium / High) integrates with Authentication Rules to deliver adaptive MFA.
6. Distinguish Workforce Password Management (end-user SaaS credentials) from CyberArk PAM (privileged accounts) - the Defender exam often probes this boundary.

Frequently Asked Questions

Is the Defender - Identity exam the same as Defender - Access?

Yes. CyberArk acquired Idaptive in 2020, rebranded the product to CyberArk Identity, and uses the name Defender - Identity for this credential. Older listings still call it Defender - Access (Idaptive).

How many questions are on the Defender - Identity exam?

The CyberArk Defender exams use a Pearson VUE proctored format with about 65 multiple-choice questions in a 90-minute window. CyberArk lists the exact count on its certification program page.

What is the passing score?

CyberArk reports the result as pass or fail and does not publish a specific numeric cut score for this exam. Aim for consistent competence across SSO, MFA, Lifecycle Management, and connector topics.

What does the exam cover?

Defender-level configuration and operation of CyberArk Identity: SSO with SAML 2.0, OIDC, OAuth 2.0, WS-Federation; MFA factors and adaptive policies; Identity Connector and AD integration; Lifecycle Management via SCIM 2.0; WPM; UBA; audit and reporting.

How long should I study?

Most candidates plan 40 to 70 hours of focused review combining CyberArk University Identity learning paths, hands-on tenant time, and timed practice questions across all six topic areas.

Where do I take the exam?

Schedule the proctored exam through Pearson VUE either at a test center or via OnVUE online proctoring after registering on the CyberArk certification program page.