100+ Free CyberArk CDE (CAU302) Practice Questions

Pass your CyberArk Certified Delivery Engineer — Defender + Sentry Combined Recertification (CAU302) exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: CyberArk CDE (CAU302) Exam

  • Approx. Questions: 65 (source: CyberArk CAU302 handbook)
  • Exam Duration: 90 min (source: CyberArk / Pearson VUE)
  • Passing Score: 70% (source: CyberArk certification policy)
  • Exam Fee: $200 (source: CyberArk / Pearson VUE, USD)
  • Certification Validity: 3 years (source: CyberArk recertification policy)
  • Combined Scope: Defender + Sentry (CAU302 covers both tiers)
  • Est. First-Attempt Pass: ~50% (industry estimate)

CAU302 (CyberArk CDE) is the combined Defender + Sentry recertification exam: ~65 questions, 90 minutes, 70% to pass, $200 USD, valid 3 years. It blends advanced PVWA/CPM/PSM operations (Master Policy, platforms, AAM, audit) with Sentry-tier Vault internals (Cluster Vault, PADR DR, hardening, REST API, performance tuning, FIPS, syslog forwarding, complex LDAP/RADIUS/SAML and connection-component troubleshooting). Most candidates already hold PAM-DEF + PAM-SEN.

Sample CyberArk CDE (CAU302) Practice Questions

Try these sample questions to test your CyberArk CDE (CAU302) exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In the CyberArk Vault, which component physically stores the encrypted privileged account credentials and the recovery server keys protecting them?
A. PVWA web server filesystem
B. Vault server safes (PADR-protected DAT files)
C. Central Policy Manager (CPM) cache
D. PSM session recording filesystem
Explanation: The Vault server stores all credentials inside Safes, persisted as encrypted DAT files. Each object is wrapped with the Safe key, which is wrapped with the Server key, which is in turn protected by the Recovery (Master) key — only the Vault holds these keys.

2. Which CyberArk PAM component is responsible for verifying, changing, and reconciling privileged account passwords on target systems?
A. PVWA
B. PSM
C. CPM
D. AAM Credential Provider
Explanation: The Central Policy Manager (CPM) executes Verify, Change, and Reconcile tasks against target systems based on the Master Policy and platform settings. Each CPM polls the Vault for due tasks and uses platform plugins (CACPM/PMTerminal) to log in and rotate credentials.

3. A user requests access to a privileged account but Master Policy enforces dual control. Which behavior is expected?
A. The user receives the password immediately and an audit log is generated.
B. The user must submit a request that one or more authorized approvers must confirm before retrieval is allowed.
C. The CPM rotates the password before granting access.
D. PSM automatically launches a session without showing the password.
Explanation: Dual control requires that one or more designated approvers (Authorized users for confirmation in the Safe) confirm a request before the requestor can retrieve the credential or launch a PSM session. This implements segregation of duties for sensitive accounts.

4. Where in the PVWA do you adjust the default access control rule that determines whether passwords are shown to end users by default for ALL platforms?
A. Platform Management > Edit individual platform > UI & Workflows
B. Master Policy > Privileged Access Workflows > 'Require users to specify reason for access'
C. Master Policy > Session Management > 'Require monitoring of privileged sessions'
D. Master Policy > Access > 'Allow EPV transparent connections (Click-To-Connect)'
Explanation: The Master Policy 'Allow EPV transparent connections (Click-To-Connect)' rule globally controls whether the password is exposed to the user or only used in the background by PSM. Setting it to inactive forces password reveal; activating it allows transparent (hidden) connections via PSM.

5. An auditor needs to identify all activities performed by a specific user across all Safes during the last 30 days. Which CyberArk capability is best suited for this?
A. Vault Audit log via PrivateArk Client (or PVWA Reports > User Activity)
B. Windows Event Viewer on the PVWA host
C. PSM session recording filesystem timestamps
D. CPM debug logs
Explanation: The Vault audit trail captures every Vault-side action and is exposed via PrivateArk Client and the PVWA Reports module (Activity Log / Privileged Accounts Inventory). Reports can be filtered by user, Safe, action, and date range, and exported as CSV/Excel for auditors.

6. Which protocol and port does the PVWA use to communicate with the Vault by default?
A. HTTPS / TCP 443
B. Vault proprietary / TCP 1858
C. RDP / TCP 3389
D. SSH / TCP 22
Explanation: The PVWA, CPM, PSM, and other CyberArk components communicate with the Vault using the proprietary, AES-256 encrypted Vault protocol on TCP port 1858. End-user browsers reach PVWA over HTTPS/443, but PVWA-to-Vault is always 1858.

7. Which file controls the firewall rules of the CyberArk Vault server itself?
A. dbparm.ini
B. padr.ini
C. tsparm.ini
D. fwboot.ini and the rules under FirewallRules in dbparm.ini / vault.ini
Explanation: The Vault has its own internal firewall (PARFW). Boot rules live in fwboot.ini, and runtime AllowNonStandardFWAddresses and per-component rules are configured in dbparm.ini. These are independent of the OS-level Windows Firewall.

8. Which Master Policy rule, when set to inactive, allows users to retrieve passwords without specifying a reason?
A. Require dual control password access approval
B. Enforce check-in/check-out exclusive access
C. Require users to specify reason for access
D. Enforce one-time password access
Explanation: The 'Require users to specify reason for access' rule, when active, forces the user to enter a free-text reason that becomes part of the audit log. Setting it to inactive (or applying an exception) skips that prompt.

9. An object's password fails its scheduled CPM Verify because the previous password is correct on the target. What is the most likely root cause?
A. The platform's Verify policy is set to NeverVerify.
B. The Vault stores the new password but the target was never updated, indicating a previous Change failed silently and the object is out-of-sync.
C. The CPM is offline.
D. The Safe is in read-only mode.
Explanation: When the PREVIOUS password is correct on the target but the CURRENT (Vault) password is not, the object is desynchronized — typically because a Change task failed to commit on the target after the Vault stored it. The fix is to run a manual Reconcile (which uses the Reconcile account) or, if no reconcile account exists, restore the previous password.

10. Which platform parameter must be configured to enable CPM to use a separate, more privileged account to reset a target password when the managed account is locked or has lost its password?
A. ImmediateInterval
B. ReconcileAccount linked account on the object (and AllowedSafes/Reconcile platform settings)
C. VFExecutablesPath
D. MaxConcurrentConnections
Explanation: Reconciliation is performed by the linked Reconcile account associated with the managed object. The platform must allow reconciliation (AutomaticReconcileWhenUnsynched=Yes), and the account must have the appropriate privileges on the target to overwrite the managed password.

About the CyberArk CDE (CAU302) Exam

CAU302 is CyberArk's combined Defender + Sentry recertification exam for the Certified Delivery Engineer (CDE) track. It validates expert command of the CyberArk Privileged Access Security suite end-to-end: Vault architecture, hardening, HA/DR (Cluster Vault and PADR), and upgrades on the Sentry side; and Master Policy, Safes, platforms, CPM rotation, PSM/PSMP session proxying, AAM/CCP, audit/syslog forwarding, and REST API on the Defender side. Roughly 65 questions in 90 minutes; 70% to pass. CDE certification is valid 3 years and is required for CyberArk implementation partners.

  • Questions: 65 scored questions
  • Time Limit: 90 minutes
  • Passing Score: 70%
  • Exam Fee: $200 USD (CyberArk / Pearson VUE)

CyberArk CDE (CAU302) Exam Content Outline

  • PSM, PSMP & Session Management (20%): Connection components, Universal Web Connector, PSM-RDP / PSM-SSH / PSM-WebApp, PSMP for Linux, PSMConnect / PSMAdminConnect, AppLocker hardening, live monitoring, session recording retention, SSH key brokering
  • Vault Architecture, Hardening & Cluster (15%): Vault data files, server/recovery key, FIPS mode, dbparm.ini / fwboot.ini firewall rules, Cluster Vault on shared storage, OS hardening, network segmentation, HSM integration, ENE notifications
  • Platforms & CPM Rotation (12%): Regular vs Group vs Usages, PMTerminal prompt scripting, Verify/Change/Reconcile cycles, ChangePasswordInResetMode, AllowedSafes regex, FromHour/ToHour windows, multi-CPM ownership, password policy, immediate intervals
  • Master Policy, Safes & Permissions (12%): Click-To-Connect, dual control, exclusive (check-in/check-out), OTP, Master Policy exceptions, Safe authorizations (Use vs Retrieve, List, Manage Safe, Backup Safe), reason capture, activity log retention
  • DR, Backup & Upgrades (10%): PADR replication and activation, failover/failback, PAReplicate cold backup, Safe-recovery limits, side-by-side PVWA upgrade, Vault major-version upgrade prereqs, Cluster Vault failover semantics
  • Authentication & Directory Integration (10%): CyberArk vs LDAP vs RADIUS vs SAML SSO, directory mappings and auto-provisioning, RadiusServersInfo, MFA layering, break-glass for built-in users, PVConfiguration.xml AuthenticationMethods
  • AAM / Conjur / CCP (8%): Credential Provider (CP) on application hosts, Central Credential Provider (CCP) with mTLS, App ID restrictions (path/hash/OS user), Allowed Machines, Vault Conjur Synchronizer, secrets sync patterns
  • REST API & Automation (7%): /PasswordVault/api/Accounts CRUD, password retrieve API, session token reuse, deprecated PIMServices.svc, session timeout tuning, scripted onboarding patterns
  • Audit, Reporting & SIEM (6%): Vault audit trail, PVWA reports (Privileged Account Inventory, Activity Log), syslog forwarding via dbparm.ini with XSL translators (Splunk/QRadar/ArcSight) over TCP/TLS, retention strategy, PTA basics

How to Pass the CyberArk CDE (CAU302) Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 65 questions
  • Time limit: 90 minutes
  • Exam fee: $200 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CyberArk CDE (CAU302) Study Tips from Top Performers

1. Recert questions blend Defender and Sentry — practice scenarios that span both halves (e.g., a CPM failure that's actually a Vault firewall + LDAP timeout)
2. Master the difference between Master Policy rules vs platform parameters vs Safe exceptions — exam loves to test which lever fixes which symptom
3. Know the supported HA/DR matrix cold: Cluster Vault (shared storage, MS Failover) vs PADR (asynchronous replication) vs PAReplicate (cold backup) — and what each does and does not protect against
4. Practice REST API authentication and the modern /PasswordVault/api/* endpoints (the legacy /PIMServices.svc SOAP endpoints are deprecated and rarely tested as the right answer)
5. Drill PSM connection components: PSM-RDP, PSM-SSH, PSMP, PSM-WebApp + Universal Connector — including AppLocker, PSMConnect, and recording behavior
6. Memorize the Vault firewall + dbparm.ini parameter set: SyslogServerProtocol, MaxConcurrentSessions, MaxIdleSessionTimeout, RadiusServersInfo, FirewallRules

Frequently Asked Questions

What is CAU302 and how is it different from PAM-DEF and PAM-SEN?

CAU302 is the combined Defender + Sentry recertification exam for the Certified Delivery Engineer (CDE) track. It covers everything in PAM-DEF (operations) AND PAM-SEN (advanced architecture, install, hardening, upgrade, troubleshooting) in a single exam. It is most often used by CDEs renewing their certification rather than by first-time candidates.

How many questions and how much time?

CAU302 has approximately 65 questions in 90 minutes, with a passing score of 70%. Question types are mostly multiple choice with some scenario-based items. Pearson VUE delivers it in-person and online via OnVUE.

What experience is recommended for CAU302?

CyberArk recommends candidates have already passed PAM-DEF and PAM-SEN (or be currently certified CDEs), plus 12-18 months of hands-on PAM deployment, upgrade, and troubleshooting experience. Recert candidates typically have multiple years of CyberArk delivery work.

How long is the certification valid?

CDE certification is valid 3 years. Recertification is achieved by passing CAU302 (or a current equivalent) within the validity window. Failing to recertify drops the candidate from the active CDE roster.

Where do I find the official CAU302 exam objectives?

The CyberArk Training and Certification portal (training.cyberark.com) lists current CDE exam objectives, recommended training, and Pearson VUE registration links. Objectives are versioned periodically; always confirm against the current handbook before scheduling.