100+ Free CyberArk PAM-DEF Practice Questions

Pass your CyberArk Defender - PAM (PAM-DEF, formerly CAU201) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

Key Facts: CyberArk PAM-DEF Exam

  • Multiple-Choice Questions: ~65 (CyberArk PAM-DEF candidate guide)
  • Exam Duration: 90 min (CyberArk certification program)
  • Exam Fee: $200 (Pearson VUE listing)
  • Target Score: ~70%, industry guidance (CyberArk does not publish exact cut score)
  • Legacy Exam Code: CAU201 (CyberArk certification history)

CyberArk PAM-DEF is the Defender-level CyberArk certification for security operations engineers managing the PAS / Identity Security Platform. The exam is delivered through Pearson VUE in 90 minutes with approximately 65 multiple-choice questions and a $200 fee. Topics span Vault, PVWA, CPM, PSM, PSMP, HTML5 Gateway, Master Policy, Platforms, Safes, AAM (CP/CCP/ASCP), LDAP/RADIUS/SAML, and PTA.

Sample CyberArk PAM-DEF Practice Questions

Try these sample questions to test your CyberArk PAM-DEF exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In the CyberArk Privileged Access Security (PAS) architecture, which component is the secure, hardened repository where all privileged credentials, recordings, and audit data are encrypted and stored?
A. Password Vault Web Access (PVWA)
B. Central Policy Manager (CPM)
C. PrivateArk Vault Server
D. Privileged Session Manager (PSM)
Explanation: The PrivateArk Vault Server (also called the Digital Vault or simply 'the Vault') is the central, hardened repository in the CyberArk PAS solution. It runs a proprietary protocol on port 1858, has the operating system firewall locked down, and stores all secrets, session recordings, and audit data encrypted with object-level encryption. PVWA is the web interface, CPM rotates passwords, and PSM brokers sessions — none of them store the data.
2. Which CyberArk component is responsible for automatically changing, verifying, and reconciling privileged account passwords on target systems?
A. PrivateArk Server
B. Central Policy Manager (CPM)
C. Privileged Session Manager (PSM)
D. Privileged Threat Analytics (PTA)
Explanation: The Central Policy Manager (CPM) executes the password management workflow against target systems. It performs change, verify, and reconcile operations based on the platform policy assigned to each account. PVWA initiates the workflow, the Vault stores results, and PSM is for live session brokering — not credential rotation.
3. A user needs to launch an RDP session to a Windows server through CyberArk without ever seeing the privileged password. Which component brokers the connection, isolates the endpoint from the target, and records the session?
A. Central Credential Provider (CCP)
B. Privileged Session Manager (PSM)
C. Application Server Credential Provider (ASCP)
D. Vault Conjur Synchronizer
Explanation: The Privileged Session Manager (PSM) launches the connection on a hardened jump host using a connection component (PSM-RDP, PSM-SSH, PSM-Web, etc.), injects the password automatically, isolates the user's endpoint from the target, and records the entire session for audit. CCP and ASCP serve credentials to applications, not interactive users.
4. Which CyberArk component provides the web-based user interface for end-users and administrators to retrieve passwords, request access, and launch privileged sessions?
A. PrivateArk Client
B. Password Vault Web Access (PVWA)
C. PARClient
D. CyberArk Identity Portal
Explanation: Password Vault Web Access (PVWA) is the primary web portal users interact with to view accounts, retrieve credentials, request access, approve workflows, and launch PSM sessions. The PrivateArk Client is a Windows administrative thick client used mainly by Vault administrators, and PARClient is a CLI utility.
5. Which protocol and TCP port does the CyberArk Vault use for its proprietary, encrypted communication with components such as PVWA, CPM, and PSM?
A. HTTPS over TCP 443
B. CyberArk Vault protocol over TCP 1858
C. LDAPS over TCP 636
D. SSH over TCP 22
Explanation: The Vault uses CyberArk's proprietary Vault protocol on TCP port 1858 for all component communication. The protocol is encrypted and mutually authenticated. Standard ports like 443, 636, and 22 are used by other CyberArk components or integrations, but never by the Vault itself.
6. In CyberArk, what is a Safe?
A. A physical hardware appliance that stores Vault data
B. A logical container inside the Vault that groups accounts, files, and members with shared access permissions
C. A backup file generated by PARClient
D. A snapshot of CPM logs taken every 24 hours
Explanation: A Safe is a logical container within the Vault that groups privileged accounts, files, and the users/groups (Safe members) authorized to access them. Permissions, retention, and CPM/PSM behavior are configured at the Safe level. Safes are purely logical — they are not hardware, backups, or log snapshots.
7. Which CyberArk concept defines the global rules for password rotation frequency, complexity, dual control, exclusivity, and one-time password behavior across all accounts?
A. Master Policy
B. Platform
C. Safe template
D. Connection component
Explanation: The Master Policy is the top-level set of rules in CyberArk that defines defaults for password change intervals, complexity, dual control, one-time password, exclusive access, and session monitoring. Platforms can override Master Policy settings per account type. Safes and connection components do not control these global rules.
8. What is the relationship between a Platform and an account in CyberArk?
A. A Platform is a license tier; accounts inherit it from the Vault license
B. Each account is associated with one Platform that defines how the CPM and PSM connect to and manage that account type
C. Platforms are user groups that own the account
D. A Platform is the IP address used to reach the target
Explanation: Every account in CyberArk is linked to exactly one Platform. The Platform defines target connection settings, CPM plug-in, password change/verify/reconcile commands, PSM connection components, and policy overrides for that type of account (e.g., Windows Domain, Unix via SSH Key, Oracle DB).
9. Which three properties are MANDATORY on every CyberArk privileged account object?
A. Address, UserName, and Platform ID
B. Owner, Department, and Cost Center
C. Hostname, OS Version, and Patch Level
D. Safe Owner, Approver, and Manager
Explanation: Every CyberArk account requires three mandatory properties: Address (the target host/DNS), UserName (the privileged account on the target), and Platform ID (which platform controls the account). Without these three, the CPM cannot connect to manage the account.
10. A Vault administrator wants to require that two approvers authorize each retrieval of root passwords for production servers. Which CyberArk feature should be enabled at the Master Policy or Platform level?
A. Exclusive Access
B. Dual Control
C. Reconcile Account
D. One-Time Password
Explanation: Dual Control requires that one or more approvers (Safe members with the 'Authorize password requests' permission) confirm a request before a user can retrieve a password or launch a session. Exclusive Access prevents simultaneous use by multiple users; OTP forces a change after each use; Reconcile Account fixes out-of-sync passwords.

About the CyberArk PAM-DEF Exam

The CyberArk Defender - PAM (PAM-DEF) certification, formerly known as CAU201, validates the day-to-day administration skills required for CyberArk Privileged Access Security. It tests Vault architecture, PVWA, CPM password change/verify/reconcile workflows, PSM session brokering and recordings, Safes and Master Policy, Platforms, AAM Credential Providers, LDAP/RADIUS/SAML authentication, and Privileged Threat Analytics.

  • Questions: 65 scored questions
  • Time Limit: 90 minutes
  • Passing Score: Approximately 70% (CyberArk does not publish an exact cut score)
  • Exam Fee: $200 (CyberArk / Pearson VUE)

CyberArk PAM-DEF Exam Content Outline

  • Vault Architecture & Hardening (Est. 20%): PrivateArk Server, Vault protocol on TCP 1858, DR Vault and PADR replication, Server/Recovery Keys, DBParm.ini, Vault.ini, ITALOG.log, Event Notification Engine, PARClient commands (FindFiles/GetFile/AddFile)
  • PSM, PSMP & HTML5 Gateway (Est. 20%): Session brokering, PSM connection components (PSM-RDP, PSM-SSH, PSM-Web, PSM-WinSCP), PSM Universal Connector, PSM for Cloud, recording storage in PSM Recordings Safes, live session monitoring
  • Safes, Master Policy & Platforms (Est. 20%): Safe design, members, Safe handlers, naming and retention, object versioning, Master Policy rules, Platforms with logon and reconcile accounts, platform overrides
  • PVWA & CPM (Est. 15%): PVWA web portal and REST API, CPM change/verify/reconcile workflow and plug-ins, password manager service users, troubleshooting CPM failures, scaling with multiple CPMs
  • Account Workflows (Est. 10%): Dual control with Master Approver, Exclusive Access, One-Time Password, Just-In-Time access, Account Discovery and onboarding, mandatory account properties (Address, UserName, Platform)
  • Application Access Manager (AAM) (Est. 8%): Credential Provider (CP), Central Credential Provider (CCP), Application Server Credential Provider (ASCP), AppID and application authentication checks (path, hash, OS user, machine), Conjur secrets manager
  • Authentication, PTA & Audit (Est. 7%): LDAP directory mappings, RADIUS for MFA, SAML 2.0 federation, Privileged Threat Analytics behavioral detection and automated response, ITALOG.log, SIEM integration via syslog/CEF

How to Pass the CyberArk PAM-DEF Exam

What You Need to Know

  • Passing score: Approximately 70% (CyberArk does not publish an exact cut score)
  • Exam length: 65 questions
  • Time limit: 90 minutes
  • Exam fee: $200

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CyberArk PAM-DEF Study Tips from Top Performers

1. Master the difference between Master Policy and Platform: Master Policy sets defaults for password change frequency, dual control, exclusive access, OTP, and session monitoring; Platforms can override these per account type.
2. Memorize the CPM password change workflow exactly: generate new password, store in Vault, change on target, verify by login. Storing in the Vault first is what protects against losing the new password mid-change.
3. Know the difference between Logon (or connection) account and Reconciliation account on a Platform; reconciliation accounts are what fix out-of-sync managed accounts.
4. Memorize CyberArk component ports: Vault on TCP 1858, PSM RDP on 3389, PSMP SSH on 22, PVWA on 443. Remember the Vault is non-domain-joined and hardened.
5. Practice mapping AAM components to use cases: Credential Provider for local agent, CCP for centralized REST API, ASCP for Java app server data sources, and Conjur for DevOps and Kubernetes secrets.
6. Understand PSM session flow end-to-end: user authenticates to PVWA -> PVWA checks Safe permissions -> PSM retrieves credential -> PSM injects into the connection component on the PSM host -> session is recorded to a PSM Recordings Safe.

Frequently Asked Questions

What is the PAM-DEF exam code and how does it relate to CAU201?

PAM-DEF is the current code for CyberArk's Defender PAM certification. It replaces the legacy code CAU201 and tests the same skill set for day-to-day administration of CyberArk Privileged Access Security (Vault, PVWA, CPM, PSM, AAM, and PTA).

How much does the CyberArk PAM-DEF exam cost?

The PAM-DEF exam is delivered through Pearson VUE for approximately $200 USD. Pricing can vary slightly by region; check the CyberArk certification program page or your Pearson VUE account for the exact fee in your country.

What is the passing score for CyberArk PAM-DEF?

CyberArk does not publish an exact numeric cut score. The general guidance from candidates and training partners is to aim for around 70 percent or higher. The exam returns a pass or fail result with a high-level score report.

Who should take the CyberArk PAM Defender certification?

PAM-DEF is targeted at security operations engineers, PAM administrators, and identity engineers who manage CyberArk PAS day-to-day: onboarding accounts, configuring Master Policy and Platforms, troubleshooting CPM and PSM, and maintaining audit and PTA configurations.

How long should I study for CyberArk PAM-DEF?

Most candidates study for 4 to 8 weeks, investing 40 to 60 hours, especially if they are already running CyberArk in production. Focus on Master Policy versus Platform overrides, CPM workflow steps, PSM session flow, AAM Credential Providers, and PTA detection behavior.

How does PAM-DEF compare to PAM-SEN?

PAM-DEF (Defender) covers daily administration: managing Safes, accounts, Master Policy, and troubleshooting CPM and PSM. PAM-SEN (Sentry) is the next level and covers installation, hardening, deployment, and advanced architecture topics. Most candidates take PAM-DEF first.