100+ Free CyberArk SECRET-SEN Practice Questions

Pass your CyberArk Sentry - Secrets Manager (SECRET-SEN) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

Not published Pass Rate

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

In a Conjur Enterprise deployment, which node type accepts policy load and variable update operations?

Master

Standby

Follower

Auditor

to track

2026 Statistics

Key Facts: CyberArk SECRET-SEN Exam

Exam Questions

CyberArk

90 min

Exam Duration

CyberArk

70%

Passing Score

CyberArk

$200

Exam Fee

CyberArk

Sentry

Cert Tier

CyberArk

Conjur

Core Product

CyberArk

SECRET-SEN is CyberArk's Sentry-tier certification for Conjur Secrets Manager. The exam has 65 questions in 90 minutes with a 70% passing score, validating skills in Conjur architecture, HA promotion, Vault-to-Conjur sync, authn-jwt, authn-k8s, Secretless Broker, and the Application Access Manager (CP/CCP/ASCP).

Sample CyberArk SECRET-SEN Practice Questions

Try these sample questions to test your CyberArk SECRET-SEN exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1In a Conjur Enterprise deployment, which node type accepts policy load and variable update operations?

A.Master

B.Standby

C.Follower

D.Auditor

Explanation: Only the Master node in Conjur Enterprise is read/write. Policy loads, variable value updates, and host/role creation must hit the Master. Standbys and Followers are read-only by design and serve secret reads.

2Which Conjur node type is best suited for high-volume read traffic from application clusters distributed across multiple regions?

A.Master only

B.Standby

C.Follower

D.Audit Vault

Explanation: Followers are read-only replicas designed to be deployed close to consumers (per region, per data center, per Kubernetes cluster) so secret reads happen with low latency without burdening the Master. They replicate from the Master via streaming PostgreSQL replication.

3What replication technology underlies Conjur Master-to-Standby and Master-to-Follower data replication?

A.MongoDB oplog

B.PostgreSQL streaming replication

C.MySQL binlog

D.Custom REST polling

Explanation: Conjur stores its policy and secret data in PostgreSQL, and Standbys and Followers are kept in sync via native PostgreSQL streaming (WAL) replication. This gives Conjur strong consistency on writes from the Master and low-lag read replicas.

4During a Master failure, which CLI command is typically used to promote a Standby to become the new Master?

A.evoke replication promote

B.conjur promote master

C.evoke standby promote

D.conjur cluster failover

Explanation: The evoke CLI on the Standby host is used to promote it: 'evoke replication promote'. This stops standby replication, opens the database for writes, and reconfigures the node as Master.

5After promoting a Standby to Master, what must be done with the remaining Standby nodes that were previously replicating from the failed Master?

A.They will automatically reattach to the new Master

B.They must be re-seeded from the new Master and re-enrolled as Standbys

C.They become Followers automatically

D.They must be deleted permanently

Explanation: Conjur Standbys do not auto-discover a new Master. After a promotion, surviving Standbys must be reseeded from the new Master and re-enrolled as Standbys (typically using a fresh seed file generated by the new Master).

6In a Conjur Enterprise auto-failover cluster, what mechanism do nodes use to elect a new Master without operator intervention?

A.Manual evoke commands only

B.Etcd-based consensus among cluster members

C.Raft-based consensus using the cluster manager

D.STONITH only

Explanation: Conjur Enterprise auto-failover uses a Raft-based consensus protocol to elect a Master from the cluster of Master-eligible nodes. When the current Master is unhealthy, the surviving members elect a new leader and promote it.

7Which Conjur policy element represents an application identity that authenticates and retrieves secrets?

A.user

B.host

C.group

D.webservice

Explanation: In Conjur policy, a 'host' represents a non-human (application/machine) identity. Hosts authenticate using API keys, JWT, IAM, or one of the platform-specific authenticators and are typically organized into layers.

8Which Conjur policy element is used to organize multiple hosts so that permissions can be granted in bulk?

A.group

B.layer

C.permit

D.annotation

Explanation: A 'layer' in Conjur policy is a collection of hosts. Granting a permission to a layer applies it to all current and future host members of that layer, which is how operational scale is achieved without per-host permits.

9Which three privileges are typically granted on a Conjur variable resource?

A.read, write, delete

B.read, execute, update

C.get, post, put

D.list, create, destroy

Explanation: Conjur uses three privileges on variables: read (see metadata/exists), execute (fetch the secret value), and update (write a new secret value). 'execute' is the privilege that actually allows the secret to be retrieved.

10Which privilege must a host have on a variable to actually fetch the current secret value via the REST API?

A.read

B.execute

C.update

D.admin

Explanation: To retrieve the value of a secret a host must have the 'execute' privilege on the variable. 'read' only allows the host to see the variable exists with its metadata; 'update' is for writing a new value.

About the CyberArk SECRET-SEN Exam

The CyberArk Sentry - Secrets Manager (SECRET-SEN) certification validates an engineer's ability to deploy, configure, and operate CyberArk Conjur (Open Source, Enterprise, and Cloud) along with the Application Access Manager — including Conjur architecture, Master/Standby/Follower HA, the Vault Conjur Synchronizer, policy authoring, authenticators (authn-iam, authn-jwt, authn-k8s, authn-azure, authn-ldap, authn-oidc), Secrets Provider for Kubernetes, Secretless Broker, and Credential Provider / Central Credential Provider patterns.

Questions

65 scored questions

Time Limit

90 minutes

Passing Score

70%

Exam Fee

$200 USD (CyberArk / Pearson VUE)

CyberArk SECRET-SEN Exam Content Outline

25%

Conjur Architecture and HA

Master, Standby, Follower roles; PostgreSQL streaming replication; Standby promotion; auto-failover; Conjur OSS vs Enterprise vs Conjur Cloud.

20%

Policy Model and CLI

Declarative YAML policy: hosts, users, groups, layers, variables, webservices; permit and grant; load modes (append, replace, update); conjur CLI commands.

20%

Authenticators

authn-iam, authn-jwt, authn-k8s, authn-azure, authn-oidc, authn-ldap; webservice permits; identity-path; token-app-property; multi-authenticator hosts.

20%

Kubernetes and Secretless

Secrets Provider (init container and push-to-file modes), Secretless Broker connectors, follower placement per cluster, RBAC for cert injection.

15%

Vault Integration and AAM

Vault Conjur Synchronizer flow, data/vault branch, Credential Provider (CP), Central Credential Provider (CCP), Application Server Credential Provider (ASCP), summon and summon-conjur.

How to Pass the CyberArk SECRET-SEN Exam

What You Need to Know

Passing score: 70%
Exam length: 65 questions
Time limit: 90 minutes
Exam fee: $200 USD

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

CyberArk SECRET-SEN Study Tips from Top Performers

1Master Conjur architecture: Master is read/write, Standbys are warm replicas, Followers serve scalable read traffic via PostgreSQL streaming replication.

2Memorize the evoke command set: evoke configure master, evoke seed standby/follower, evoke configure standby/follower, evoke replication promote, evoke backup/restore.

3Know policy load modes cold: append (POST, additive), replace (PUT, prunes — destructive at root), update (PATCH).

4For each authenticator (authn-iam, authn-jwt, authn-k8s, authn-azure, authn-oidc, authn-ldap), know what claim/identity it validates and what the host annotations bind.

5Know the difference between Secrets Provider init mode (writes K8s Secrets, exits) and push-to-file mode (sidecar, supports rotation via refresh interval).

6Understand Secretless Broker: it removes credentials from the application entirely by brokering protocol-level handshakes (HTTP, MySQL, PostgreSQL, MSSQL, SSH).

7Know the AAM family: Credential Provider (CP) is local agent; Central Credential Provider (CCP) is centralized HTTPS API; ASCP integrates with Java app servers via JNDI.

8Vault Conjur Synchronizer is a Windows service that polls EPV Synchronization Safes and writes secrets under data/vault/<safe>/<account>.

Frequently Asked Questions

What does SECRET-SEN validate?

SECRET-SEN is CyberArk's Sentry-tier exam for Secrets Manager. It validates the ability to deploy and operate Conjur (OSS, Enterprise, Cloud), implement HA and DR, author policy, configure authenticators, and integrate Conjur with Kubernetes, CI/CD, and the CyberArk Vault.

How many questions are on the SECRET-SEN exam?

The exam has 65 multiple-choice questions in a 90-minute session. The passing score is approximately 70%. CyberArk does not publish pass-rate statistics.

What experience is recommended before taking SECRET-SEN?

CyberArk recommends hands-on experience installing and operating Conjur Enterprise (Master/Standby/Follower), authoring Conjur policy, configuring at least one platform authenticator (authn-k8s, authn-iam, or authn-jwt), and integrating with the Vault via the Synchronizer.

How is SECRET-SEN different from PAM-SEN?

PAM-SEN focuses on the CyberArk Privileged Access Manager (EPV, CPM, PSM, PVWA). SECRET-SEN focuses on application-side secrets retrieval through Conjur and the Application Access Manager — the application/DevOps side of the platform.

Where can I take the SECRET-SEN exam?

SECRET-SEN is delivered via Pearson VUE at testing centers and via online proctoring. Registration is via the CyberArk certification portal.