100+ Free CyberArk Guardian Practice Questions

Pass your CyberArk Guardian (GUARD) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

  • Pass Rate: CyberArk does not publish Guardian pass-rate statistics
  • 100+ Questions
  • 100% Free

A board-level question: 'If our Identity Provider is compromised, can the attacker still empty the CyberArk Vault?' What is the architecturally correct answer?


Key Facts: CyberArk Guardian Exam

  • Exam Questions: 65 (CyberArk Guardian (GUARD))
  • Time Limit: 90 min (Pearson VUE delivery)
  • Passing Score: 70% (CyberArk)
  • Exam Fee: $200 (CyberArk standalone proctored exam)
  • Delivery Mode: In-person (Pearson VUE only since Nov 1, 2025)
  • Credential Tier: Top tier (CyberArk certification ladder)

CyberArk Guardian (GUARD) is CyberArk's top-tier certification, delivered in-person at Pearson VUE test centers (in-person only since November 1, 2025) with 65 multiple-choice questions, 90 minutes, a 70% passing score, and a $200 exam fee. The exam expects deep production experience: Vault key hierarchy and content-addressable storage, CVM clustering, PADR DR, multi-region design, Privilege Cloud SaaS, Conjur cluster topology and authenticators, multi-CPM and PSM sizing, advanced troubleshooting across every component, REST API and PACLI automation, compliance mapping (SOX, PCI, HIPAA, NIST 800-53), and Zero Trust strategy with PTA-driven response. Defender (PAM-DEF) and Sentry (PAM-SEN) are strongly recommended prerequisites. Some sources misquote the fee as $2,250 — that figure conflates training package costs with the standalone proctored exam.

Sample CyberArk Guardian Practice Questions

Try these sample questions to test your CyberArk Guardian exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In an enterprise CyberArk PAM architecture, which component is the single source of truth for all encrypted secrets and audit data?
A. PVWA
B. Central Policy Manager (CPM)
C. Digital Vault
D. Privileged Session Manager (PSM)
Explanation: The Digital Vault is the proprietary hardened server that stores all secrets, Safe metadata, and audit records in its content-addressable storage. Every other component (PVWA, CPM, PSM, PSMP, PTA) is a stateless or semi-stateful client that authenticates to the Vault over TCP/1858 and never holds the authoritative copy of credentials.
2. Which inbound TCP port must be open from PVWA, CPM, PSM, PSMP, PTA, and PrivateArk Client to the Vault for normal PAS operations?
A. TCP/443
B. TCP/1858
C. TCP/636
D. TCP/22
Explanation: All component-to-Vault traffic uses CyberArk's proprietary Vault protocol on TCP/1858. The Vault firewall is intentionally restrictive: only port 1858 is allowed inbound, and source IPs must appear on the AllowedMachines list of the corresponding Vault user.
3. You are designing a two-data-center CyberArk deployment with one active Vault site and one warm DR site. Which architectural pattern correctly describes how the DR Vault stays in sync?
A. Synchronous block-level replication via shared SAN
B. PADR asynchronous logical replication of Safe data and metadata over TCP/1858
C. Active-active multi-master replication with quorum
D. Database-engine replication using PostgreSQL streaming
Explanation: The DR Vault uses the PADR (PrivateArk Disaster Recovery) service, which performs asynchronous, logical replication of Safe data and metadata from the production Vault over the Vault protocol (TCP/1858). Replication is one-way until you fail over, and the DR Vault refuses client writes until promoted.
4. In a CyberArk Cluster Vault Manager (CVM) implementation, how do the two nodes coordinate state and detect failure?
A. Independent local disks plus PADR replication and a TCP heartbeat
B. Shared cluster storage holding the Vault data plus a private heartbeat network for liveness arbitration
C. DNS round-robin between two independent active Vaults
D. Eventual-consistency replication over HTTPS
Explanation: CVM is an active-passive Microsoft Failover Cluster: both nodes attach to the same shared storage volume that holds the Vault data and metadata, and a dedicated cluster heartbeat network is used for liveness and failover arbitration. Only one node owns the Vault role at a time.
5. A global enterprise wants users in three regions to authenticate to PVWA against the same Vault with low latency, while keeping a single set of secrets. Which design satisfies this with the smallest footprint?
A. Build three independent Vaults and synchronize secrets via custom scripts
B. Deploy a single primary Vault, regional PVWA/CPM/PSM components, and a DR Vault — route users to the nearest PVWA via GTM/global load balancer
C. Run three active-active Vaults across regions
D. Place the Vault in the cloud and let users connect to it directly over the internet
Explanation: CyberArk's recommended multi-region design keeps one active Vault (with a DR Vault) and deploys regional PVWA, CPM, and PSM components close to users and targets. A global load balancer (e.g., F5 GTM, Azure Traffic Manager) routes users to the nearest PVWA, which then talks to the central Vault on TCP/1858. Active-active Vaults are not supported.
6. What is the role of the Server Key in the Vault encryption hierarchy?
A. It encrypts every account password directly with AES-256
B. It is the master key that unlocks the Vault's internal encryption keys at start-up; without it the Vault service cannot start
C. It is a per-Safe key generated during Safe creation
D. It is the SSL certificate private key used by PVWA
Explanation: The Server Key sits at the top of the Vault key hierarchy. At Vault start-up it unlocks the internal encryption keys, which in turn protect per-Safe keys, which finally encrypt account data. Losing the Server Key (and its master CD/HSM backup) means the Vault cannot start, so it must be guarded offline.
7. What is on the Vault master CD (or its HSM/soft-token equivalent) that makes it operationally critical?
A. The Vault license file only
B. The Server Key, Recovery Public Key, and credentials for the predefined Master and Administrator users
C. The PVWA server's TLS certificate
D. Pre-recorded PSM session video
Explanation: The master CD holds the Server Key, the Recovery Public Key (for Vault recovery), and credentials for the predefined Master and Administrator users. It is presented during installation, key generation, and recovery, and must then be stored offline in a secure location.
8. How does the Vault enforce strict tamper-resistance for stored objects such as Safes, accounts, and recordings?
A. By writing to ext4 with noatime
B. By relying on Windows EFS
C. Through content-addressable storage where each object is encrypted, hashed, and access-controlled by Safe-level ACLs and Vault audit
D. By chaining objects in a public blockchain
Explanation: The Vault stores objects in a proprietary content-addressable scheme: each object is encrypted under the Safe key, hashed for integrity, and access is mediated by Safe ACLs and Vault audit. This is what gives the Vault its tamper-evident, single-source-of-truth properties.
9. Which document in the Vault holds the global cross-platform policy controls (e.g., dual control, one-time passwords, exclusive access)?
A. DBPARM.ini
B. The Master Policy in PVWA
C. TSparm.ini
D. PADR.ini
Explanation: The Master Policy in PVWA is the single place where global controls such as Require Dual Control, One-Time Password access, Enforce Check-in/Check-out Exclusive Access, and Privileged Session Management are defined. Per-platform overrides (exceptions) inherit from the Master Policy.
10. You are sizing the Vault for an environment with 200,000 managed accounts, 5,000 concurrent users, and heavy CPM activity. Which sizing dimension drives the Vault tier most directly?
A. Disk capacity for binaries
B. Sustained transactions per second (TPS) from CPM verifications/changes plus user reads, plus IOPS on the data volume
C. Number of CPU sockets only
D. RAM only, regardless of TPS
Explanation: CyberArk's Vault sizing is driven by sustained TPS (CPM rotations and verifications, PVWA/PSM credential fetches, REST API calls) and the IOPS/latency of the Vault data volume. Account population and concurrent users translate into TPS; the Vault tier is then chosen to keep TPS comfortably below the published per-tier ceilings.

About the CyberArk Guardian Exam

The CyberArk Guardian (GUARD) certification is CyberArk's top-tier credential, validating the ability to architect, deploy, troubleshoot, automate, and govern enterprise CyberArk Privileged Access Manager and Identity Security deployments. It assumes the Defender (PAM-DEF) and Sentry (PAM-SEN) bodies of knowledge and adds enterprise architecture, multi-region design, Privilege Cloud SaaS and hybrid Connector models, advanced troubleshooting, REST and Conjur automation, compliance mapping (SOX, PCI, HIPAA, NIST 800-53), and Zero Trust strategy with PTA-driven detection and automatic response.

  • Assessment: 65 multiple-choice questions covering enterprise PAM architecture and design, deployment strategy and component sizing, advanced troubleshooting across Vault/PVWA/CPM/PSM/PSMP/PTA, REST API and Conjur automation, compliance and risk mapping, and identity security strategy
  • Time Limit: 90 minutes
  • Passing Score: 70%
  • Exam Fee: $200 (CyberArk / Pearson VUE)

CyberArk Guardian Exam Content Outline

  • Architecture & Design (25%): Enterprise PAM architecture, Vault key hierarchy and content-addressable storage, Cluster Vault Manager (CVM), PADR DR, multi-region design, Privilege Cloud SaaS, hybrid Connectors, Distributed Vault/Satellite Vaults, MNA, AAM/CCP, Conjur cluster, sizing for TPS/IOPS and PSM concurrency
  • Deployment Strategy (20%): Phased rollout (Discover → Onboard → Manage → Audit), priority onboarding (domain admin/root/Tier 0 service accounts), OOTB platforms (Windows AD, *nix, mainframe, network, AWS/Azure/GCP, databases), Onboarding Rules and account discovery, multi-CPM placement, dependent-account propagation, EPM, Conjur authenticators, upgrade order
  • Advanced Troubleshooting (20%): Trace logs, ITAlog, PADR.log, PVWA.log, PMConsole/PMTrace, psm.log/PSMTrace.log, IIS/load-balancer correlation, AppLocker event channels, GPO impact on CPM auth, Server Key recovery, DR lag triage, Vault performance tuning (IOPS, DBPARM), Universal Connector dispatcher debug
  • API Integration & Automation (15%): PVWA REST endpoints (/API/auth/{provider}/Logon, Accounts, Safes, Members, Live Sessions, immediate-change), PACLI scripting, Onboarding Rules with REST onboarding, CI/CD secrets injection via Conjur and CCP, ServiceNow dual-control integration, TLS-inspecting proxy patterns
  • Compliance & Risk (10%): Out-of-the-box and custom PVWA reports, SOX separation of duties via dual control + PSM recording, PCI named-user attribution for shared credentials, HIPAA 164.312(b) audit controls, NIST 800-53 AC-6/AU-2/AU-9, breakglass design with forced post-use rotation, risk-based access, ITAlog as tamper-evident source of record
  • Identity Security Strategy (10%): Zero Trust adoption with CyberArk, CyberArk Identity + Identity Bridge to PAM, SAML federation, PTA detections (irregular activity, suspected credential theft, vault breach), automatic response via Live Sessions API, EPM and pass-the-hash mitigation, identity-security maturity model, IdP-compromise resilience

How to Pass the CyberArk Guardian Exam

What You Need to Know

  • Passing score: 70%
  • Assessment: 65 multiple-choice questions covering enterprise PAM architecture and design, deployment strategy and component sizing, advanced troubleshooting across Vault/PVWA/CPM/PSM/PSMP/PTA, REST API and Conjur automation, compliance and risk mapping, and identity security strategy
  • Time limit: 90 minutes
  • Exam fee: $200

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CyberArk Guardian Study Tips from Top Performers

1. Build a full architecture lab — primary Vault, DR Vault with PADR, a Cluster Vault Manager pair, regional CPM/PSM/PVWA, and a Conjur Leader/Standby/Follower set — before the exam; Guardian rewards architects who have actually run the runbooks, not just read them
2. Walk a real DR failover and reverse-replicating failback end to end so you can defend why each step exists; the same applies to Vault upgrade order (Vault → DR → PVWA → CPM → PSM/PSMP)
3. Memorize the REST API surface and call shapes — /API/auth/{provider}/Logon, Accounts, Safes, Safe Members, Live Sessions, and immediate-change — and rehearse PACLI for admin operations that are not in REST
4. Map every CyberArk control to at least one regulatory requirement (SOX separation of duties, PCI named-user attribution, HIPAA 164.312(b), NIST AC-6/AU-2/AU-9) so compliance questions become pattern-matching
5. For Conjur, internalize the four canonical authenticators (authn-k8s for Kubernetes pods, authn-iam for AWS workloads, authn-jwt for GitHub/GitLab CI, authn-azure for Azure managed identities) — Guardian leans hard on the right authenticator for the right workload
6. Practice incident-response playbooks: PTA detection → Live Sessions API termination → forced credential rotation → SIEM/SOAR ticket — and explain why ITAlog inside the encrypted Vault remains the evidentiary baseline even if the SIEM is compromised

Frequently Asked Questions

What is the CyberArk Guardian (GUARD) exam?

CyberArk Guardian is CyberArk's top-tier certification for engineers and architects who design, deploy, troubleshoot, and govern enterprise CyberArk PAM and Identity Security implementations. The exam has 65 multiple-choice questions, a 90-minute time limit, a 70% passing score, and a $200 fee, and is delivered in-person at Pearson VUE test centers.

Is the CyberArk Guardian exam available online?

No. Since November 1, 2025, the CyberArk Guardian exam is delivered in-person only at Pearson VUE test centers; CyberArk retired the online proctoring option for Guardian. Earlier CyberArk credentials (PAM-DEF, PAM-SEN, etc.) may still offer remote options — check the current Pearson VUE page for each exam.

Do I need Defender (PAM-DEF) and Sentry (PAM-SEN) before Guardian?

CyberArk strongly recommends earning Defender (PAM-DEF) and Sentry (PAM-SEN) before attempting Guardian, because the Guardian exam assumes you already understand day-to-day operation, Sentry-level engineering, and customization. Guardian focuses on architecture, deployment strategy, advanced troubleshooting, automation, compliance mapping, and identity security strategy.

How much does the CyberArk Guardian exam cost?

The standalone proctored Guardian (GUARD) exam fee is $200 USD per attempt at Pearson VUE. Some online listings quote ~$2,250, but that figure conflates the cost of CyberArk training packages with the exam fee — the exam itself is $200. CyberArk training is sold separately.

What topics are weighted most heavily on the Guardian exam?

Architecture & Design (~25%) is the largest section, followed by Deployment Strategy (~20%), Advanced Troubleshooting (~20%), API Integration & Automation (~15%), and Compliance & Risk plus Identity Security Strategy (~10% each). Vault architecture, HA/DR, multi-CPM design, PSM customization, REST/Conjur automation, and PTA-driven response are repeatedly tested.

How long should I study for CyberArk Guardian?

Plan for 120-200 hours over 12-20 weeks if you already hold PAM-DEF and PAM-SEN and have multiple years of hands-on production experience. Lab time is essential: build a Vault + DR + Cluster lab, run a multi-CPM/PSM deployment, author Universal Connectors, run PACLI/REST automation, configure Conjur authenticators (authn-k8s, authn-iam, authn-jwt, authn-azure), and rehearse PTA-driven response playbooks.

How long is the Guardian credential valid?

CyberArk Guardian, like other CyberArk certifications, follows CyberArk's published validity policy (typically 2 years for current credentials, with recertification via the current exam or the CDE recertification path). Confirm the latest policy on the CyberArk certification site before scheduling, since CyberArk has refined recertification rules in recent years.