
100+ Free ECDE Practice Questions

Key Facts: ECDE Exam (2026)

  • Exam questions: 100 (EC-Council 312-97 Blueprint)
  • Passing score: 70% (EC-Council ECDE)
  • Exam duration: 4 hours (EC-Council)
  • Exam voucher: $550 (EC-Council Store)
  • Domains: 10 (ECDE Blueprint)
  • Certification validity: 3 years (ECE cycle required)

The EC-Council ECDE (312-97) exam has 100 multiple-choice questions in 4 hours with a 70% passing score and a $550 voucher. It covers ten domains: DevOps culture (8%), DevSecOps fundamentals (10%), the plan stage (10%), the code stage (12%), the build and test stage (12%), the release and deploy stage (10%), the operate and monitor stage (12%), container and orchestration security (10%), cloud-native DevSecOps (10%), and compliance and reporting (6%). The credential is valid for 3 years on the ECE cycle.

Sample ECDE Practice Questions

Try these sample questions to test your ECDE exam readiness. Each question includes a detailed explanation.

1. Which acronym describes the five core pillars of a healthy DevOps culture: Culture, Automation, Lean, Measurement, and Sharing?
A. DORA
B. CALMS
C. STRIDE
D. ITIL
Explanation: CALMS (Culture, Automation, Lean, Measurement, Sharing) was popularized by Jez Humble and is the canonical mental model for DevOps adoption. ECDE expects you to map each letter to a real practice — for example, Lean to small-batch flow and Measurement to DORA-style metrics.

2. A DevSecOps champion wants to reduce the cost of finding and fixing security defects. Which principle most directly supports this goal?
A. Shift-right testing in production only
B. Shift-left security throughout the SDLC
C. Manual penetration testing once per year
D. Outsourcing all security to an MSSP
Explanation: Shift-left security integrates threat modeling, SAST, SCA, and secret scanning at the earliest possible stages so defects are found when they are cheapest to fix. This is a foundational ECDE concept and the economic argument behind DevSecOps adoption.

3. Which DevOps Research and Assessment (DORA) metric measures the time from a code commit until that code is running successfully in production?
A. Mean time to recover (MTTR)
B. Deployment frequency
C. Lead time for changes
D. Change failure rate
Explanation: Lead time for changes is one of the four DORA metrics and tracks commit-to-production duration. Elite performers measure it in hours; low performers in months.

4. A team measures MTTR, deployment frequency, lead time, and change failure rate. They want to add ONE security-focused metric that aligns with DORA's spirit. Which metric is most appropriate?
A. Number of firewalls deployed
B. Mean time to remediate (MTTR) vulnerabilities
C. Total dollars spent on security tools
D. Number of security training hours per year
Explanation: Mean time to remediate vulnerabilities mirrors operational MTTR and is a recognized DevSecOps KPI. It pairs with vulnerability density and escape rate to quantify the security pipeline's effectiveness.

5. Which practice best embodies the 'Sharing' pillar of CALMS in a DevSecOps program?
A. Restricting incident postmortems to the security team
B. Publishing blameless postmortems and threat models to all engineering teams
C. Keeping CI/CD pipeline logs hidden from developers
D. Allowing only senior engineers to view SAST results
Explanation: Sharing means knowledge, tooling, and learnings flow across silos. Blameless postmortems and openly published threat models are the canonical example — they accelerate learning and reduce the chance of repeat incidents.

6. A DevSecOps maturity model places an organization at Level 2 (Repeatable). Which capability most likely defines the NEXT level (Level 3, Defined)?
A. Ad-hoc, manual security checks
B. Documented, organization-wide security standards integrated into the SDLC
C. Continuous risk-based decisioning with autonomous remediation
D. No security testing in pipelines
Explanation: Most maturity models (CMMI-derived, OWASP DSOMM, SAMM) describe Level 3 as 'Defined' — security practices are standardized, documented, and consistently applied across teams. Level 4 (Managed) adds quantitative measurement; Level 5 (Optimizing) adds continuous improvement and automation.

7. Which KPI most directly measures the resilience of a delivery pipeline under failure conditions?
A. Deployment frequency
B. Lead time for changes
C. Change failure rate
D. Cyclomatic complexity
Explanation: Change failure rate captures the percentage of changes that cause degraded service, requiring a hotfix or rollback. It is the DORA metric most aligned with delivery resilience and quality of the change pipeline.

8. Which statement BEST describes 'Lean' in the CALMS framework?
A. Maximize batch size to amortize fixed deployment costs
B. Minimize work-in-progress and optimize end-to-end flow
C. Replace humans with bots wherever possible
D. Ship features only after annual planning cycles
Explanation: Lean borrows from the Toyota Production System — limit WIP, expose bottlenecks, and optimize value flow end-to-end. In DevSecOps, this translates to small batch sizes and continuous delivery rather than waterfall releases.

9. Which definition BEST captures DevSecOps as opposed to traditional DevOps?
A. DevSecOps adds a manual security gate at the end of the pipeline
B. DevSecOps integrates security as a shared responsibility across the entire SDLC
C. DevSecOps replaces the operations team with a security team
D. DevSecOps prohibits the use of automation for compliance
Explanation: DevSecOps embeds security as a shared responsibility from planning through monitoring. Security tasks are automated and shifted left, and developers, security engineers, and operators co-own the outcome.

10. Which artifact is MOST commonly produced during the planning phase of DevSecOps to identify threats before code is written?
A. Container image manifest
B. Data flow diagram (DFD) with trust boundaries
C. Helm chart values file
D. Production runbook
Explanation: Threat modeling typically starts with a data flow diagram that maps assets, processes, data stores, and trust boundaries. STRIDE is then applied at each boundary to enumerate threats.

About the ECDE Exam

The EC-Council Certified DevSecOps Engineer (ECDE 312-97) validates skills in integrating security into every phase of the DevOps pipeline. The exam covers DevOps culture and DORA metrics, threat modeling with STRIDE and PASTA, SAST/SCA/secret-scanning in the code stage, container and IaC scanning in build/test, secure release with image signing and GitOps, runtime monitoring and SIEM/SOAR, container and Kubernetes hardening, and cloud-native security across AWS, Azure, and GCP. It is designed for application security engineers, DevOps engineers, and software engineers building secure CI/CD pipelines.

Assessment

100 multiple-choice questions covering DevOps culture, DevSecOps fundamentals, threat modeling, secure coding, SAST/SCA/DAST/IAST/RASP, IaC and container scanning, CI/CD security, Kubernetes hardening, cloud-native posture, and compliance reporting

Time Limit

4 hours

Passing Score

70%

Exam Fee

$550 exam voucher (EC-Council / ECC Exam Portal)

ECDE Exam Content Outline

  • DevSecOps Code Stage (12%): Secure coding (OWASP Top 10, SEI CERT), pre-commit hooks (Talisman, git-secrets), secret scanning (TruffleHog, GitGuardian), SAST (SonarQube, Checkmarx, Fortify, Veracode, CodeQL, Semgrep), SCA (Snyk, Dependency-Check, Mend, Dependabot)
  • DevSecOps Build and Test Stage (12%): Container image scanning (Trivy, Anchore, Clair, Snyk Container, Docker Scout), IaC scanning (Checkov, Terrascan, tfsec, KICS), policy-as-code (OPA, Conftest, Sentinel), DAST (OWASP ZAP, Burp Enterprise), IAST (Contrast, Seeker)
  • DevSecOps Operate and Monitor Stage (12%): SIEM (Splunk, ELK, Microsoft Sentinel), SOAR, RASP, runtime detection with Falco, cloud audit logs (CloudTrail, Activity Log, Audit Logs), credential-stuffing and anomaly monitoring
  • Introduction to DevSecOps (10%): Definitions, shift-left, SDLC integration, OWASP DSOMM maturity model, security/policy/compliance as code, SBOM (CycloneDX/SPDX), and SAST/SCA/DAST/IAST/RASP categories
  • DevSecOps Plan Stage (10%): Threat modeling with STRIDE, PASTA, LINDDUN; tools like OWASP Threat Dragon, IriusRisk, Microsoft Threat Modeling Tool; DREAD and FAIR risk scoring; secure requirements via NIST 800-53, ISO 27001, OWASP ASVS
  • DevSecOps Release and Deploy Stage (10%): Secure CI/CD (Jenkins, GitLab CI, GitHub Actions, CircleCI, Azure DevOps, AWS CodePipeline), GitOps with Argo CD/Flux, Cosign/Sigstore signing, SLSA provenance, blue-green and canary, Helm hardening, Binary Authorization
  • Container and Orchestration Security (10%): Docker hardening (USER, no-new-privileges, read-only rootfs, distroless), Pod Security Standards, NetworkPolicy, ServiceAccount tokens, RBAC, CIS Kubernetes Benchmark, admission controllers (OPA Gatekeeper, Kyverno), Istio mTLS
  • Cloud-Native DevSecOps (10%): AWS (IAM Conditions, GuardDuty, Inspector, Security Hub, KMS, Config, Macie), Azure (Defender for Cloud, Sentinel, Key Vault), GCP (SCC, Cloud Armor, Cloud KMS, Binary Authorization), CSPM/CIEM, SPIFFE/SVID zero-trust
  • Understanding DevOps Culture (8%): CALMS pillars (Culture, Automation, Lean, Measurement, Sharing), DORA metrics (deployment frequency, lead time, change failure rate, MTTR), blameless postmortems, Lean WIP and value-stream thinking
  • Compliance, Governance, and Reporting (6%): PCI DSS v4.0 in pipelines, SOC 2 Type II evidence, ISO 27001/27002 controls, HIPAA, FedRAMP impact levels, compliance-as-code, immutable audit logs, balanced KPIs (DORA plus vulnerability density and MTTR vulns)

How to Pass the ECDE Exam

What You Need to Know

  • Passing score: 70%
  • Assessment: 100 multiple-choice questions covering DevOps culture, DevSecOps fundamentals, threat modeling, secure coding, SAST/SCA/DAST/IAST/RASP, IaC and container scanning, CI/CD security, Kubernetes hardening, cloud-native posture, and compliance reporting
  • Time limit: 4 hours
  • Exam fee: $550 (exam voucher)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ECDE Study Tips from Top Performers

1. Memorize CALMS (Culture, Automation, Lean, Measurement, Sharing) and the four DORA metrics (deployment frequency, lead time, change failure rate, MTTR) — they appear in multiple questions
2. Map every tool to a stage: pre-commit + git-secrets in Code; Trivy, Checkov, ZAP in Build/Test; Cosign, Argo CD in Release; Falco, Sentinel, Splunk in Operate. The exam regularly asks 'which stage uses tool X'
3. Compare equivalent services across CSPs: GuardDuty vs Defender for Cloud vs Security Command Center, KMS vs Key Vault vs Cloud KMS, Security Hub vs Defender posture vs SCC findings
4. Master Kubernetes admission options: OPA Gatekeeper (Rego), Kyverno (YAML), and image-verification with Cosign/Sigstore via Binary Authorization on GCP
5. Practice the threat-modeling decision tree: STRIDE for security taxonomies, PASTA for risk-centric process, LINDDUN for privacy, DREAD/FAIR for scoring
6. Memorize the canonical pipeline order: unit tests -> SAST -> SCA -> container image scan -> deploy -> DAST. The exam tests whether you understand why this order minimizes feedback time
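Tip 6 in working form: a GitHub Actions workflow, added here as an illustration (it is not from the page or from EC-Council), that chains the stages in the canonical order with `needs:` so each job runs only after the cheaper, faster check before it passes, and DAST runs last because it needs a deployed target. The image name `example-app`, the `./deploy.sh` script and the staging URL are assumptions.

```yaml
name: devsecops-pipeline        # added example; stage order from study tip 6
on: [push]
jobs:
  unit-tests:                   # seconds of feedback, needs only source
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
  sast:                         # static analysis, still no build artifact needed
    needs: unit-tests
    runs-on: ubuntu-latest
    permissions:
      security-events: write    # lets CodeQL upload its SARIF results
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3
  sca:                          # dependency check; non-zero exit on high/critical
    needs: sast
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm audit --audit-level=high
  image-scan:                   # first stage that needs a built image
    needs: sca
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t example-app:${{ github.sha }} .   # assumed image name
      - uses: aquasecurity/trivy-action@master   # pin to a release tag in real use
        with:
          image-ref: example-app:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: '1'        # fail the job, and so block deploy, on findings
  deploy-staging:               # only reached if every earlier gate passed
    needs: image-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh staging   # assumed deploy script
  dast:                         # needs a running app, so it comes last
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-baseline@v0.12.0
        with:
          target: https://staging.example.com   # assumed staging URL
```

A failure in any job stops the chain, so a broken unit test never pays for a CodeQL run, and an image with a critical CVE never reaches staging.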

Frequently Asked Questions

What is the EC-Council ECDE (312-97) exam format?

The ECDE exam is 100 multiple-choice questions delivered in a single 4-hour session. The passing score is 70%. The exam is administered through the EC-Council Exam Portal (ECC) or Pearson VUE and is available at testing centers and via online proctoring.

How much does the EC-Council Certified DevSecOps Engineer cost?

The ECDE exam voucher is $550 from the EC-Council Store. Self-study candidates without official training must submit an eligibility application with the standard $100 EC-Council application fee. Official 5-day ECDE training packages typically range from $2,000 to $3,000.

What topics does the ECDE exam cover?

ECDE covers DevOps culture (CALMS, DORA), DevSecOps fundamentals, the plan stage (STRIDE, PASTA, LINDDUN, OWASP Threat Dragon, IriusRisk), code stage (SAST, SCA, secret scanning, pre-commit hooks), build/test (Trivy, Checkov, OPA, ZAP, IAST), release/deploy (signing with Cosign, GitOps, Helm, Binary Authorization), operate/monitor (Splunk, Sentinel, Falco, SOAR), container and Kubernetes hardening, cloud-native security across AWS/Azure/GCP, and compliance/reporting (PCI DSS, SOC 2, ISO 27001, FedRAMP).

What is the difference between ECDE and CSSLP?

CSSLP from (ISC)2 is a vendor-neutral secure software lifecycle credential that requires 4 years of experience and emphasizes secure architecture and software engineering at a managerial level. EC-Council's ECDE is more hands-on and tooling-focused, covering specific SAST/SCA/IaC/container scanners, OPA, Kyverno, and CSP-specific services. ECDE suits engineers; CSSLP suits architects and managers.

Do I need experience for the ECDE exam?

EC-Council recommends 2+ years of experience in application security, software development, or DevOps. Candidates without official training must submit an eligibility application that documents experience. Practical exposure to a CI/CD platform (GitHub Actions, GitLab CI, Jenkins) and at least one cloud (AWS, Azure, or GCP) is strongly recommended.

Is the ECDE multi-cloud?

Yes. ECDE is explicitly multi-cloud, with content covering AWS (IAM Condition keys, GuardDuty, Inspector, Security Hub, KMS, CloudTrail, Config, Macie), Azure (Defender for Cloud, Sentinel, Key Vault), and GCP (Security Command Center, Cloud Armor, Cloud KMS, Binary Authorization). Expect questions that ask you to identify the equivalent service across providers.

How long is the ECDE certification valid?

ECDE is valid for 3 years and is governed by the EC-Council Continuing Education (ECE) program. Renewal requires earning continuing-education credits or recertifying via a higher-level credential before the expiration date.