
100+ Free Fortinet FCF Practice Questions

Fortinet Certified Fundamentals in Cybersecurity (FCF) practice questions are available now; exam metadata is being verified.

2026 Statistics

Key Facts: Fortinet FCF Exam

Certification Cost: $0 (Fortinet, completely free)
Certification Valid: 2 years (Fortinet Training Institute)
Required to Certify: 2 courses (no exam needed)
Average Study Time: 10-15 hrs (self-paced)
Prerequisites: None (open to all)
Exam Domains: 4 topics (Fortinet)

FCF requires completing two free Fortinet online courses (no exam, no fee): Introduction to the Threat Landscape plus either Getting Started in Cybersecurity or Technical Introduction to Cybersecurity. Both courses must be completed within 2 years. The certification is valid for 2 years. This is a completely free certification ideal for beginners, students, and career changers entering cybersecurity.

Sample Fortinet FCF Practice Questions

Try these sample questions to test your Fortinet FCF exam readiness. Each question includes a detailed explanation.

1. Which of the following BEST describes the term 'threat landscape' in cybersecurity?
A. The collection of all known vulnerabilities published by NIST
B. The full range of potential threats, attack vectors, and adversaries an organization may face
C. A visual diagram of a company's network topology showing attack surfaces
D. The set of security controls deployed at the network perimeter
Explanation: The threat landscape refers to the entire set of potential threats, attack vectors, and adversarial actors that could target an organization or environment. It is dynamic and evolves as new vulnerabilities, malware, and attacker techniques emerge. Understanding it is the foundation of effective cybersecurity planning.

2. Which type of malware disguises itself as legitimate software to trick users into installing it?
A. Worm
B. Ransomware
C. Trojan
D. Rootkit
Explanation: A Trojan (or Trojan horse) is malware that masquerades as a legitimate, useful program to convince users to install it. Once executed, it can open backdoors, steal data, or deliver additional payloads. Unlike viruses or worms, Trojans do not self-replicate.

3. A social engineering attack that uses fraudulent email messages to steal credentials is called:
A. Vishing
B. Smishing
C. Phishing
D. Pretexting
Explanation: Phishing uses deceptive email messages that appear to come from trusted sources to trick recipients into revealing credentials, clicking malicious links, or opening infected attachments. It remains one of the most prevalent social engineering techniques because it can be launched at scale.

4. Which category of threat actor is typically motivated by financial gain and operates for profit?
A. Hacktivist
B. Nation-state actor
C. Cybercriminal
D. Insider threat
Explanation: Cybercriminals are primarily motivated by financial gain. They carry out activities such as ransomware attacks, credit card fraud, business email compromise, and selling stolen data on underground markets. Unlike hacktivists or nation-state actors, their primary driver is profit rather than ideology or geopolitical objectives.

5. What is the primary purpose of ransomware?
A. To quietly exfiltrate sensitive data without being detected
B. To encrypt victim data and demand payment for the decryption key
C. To use the victim's computing resources for cryptocurrency mining
D. To create a botnet for distributed denial-of-service attacks
Explanation: Ransomware encrypts files on the victim's system and demands a ransom payment, typically in cryptocurrency, in exchange for the decryption key. It has evolved to include double extortion tactics (also threatening to publish stolen data), but the core mechanism is encryption-based coercion.

6. Which of the following describes a 'zero-day vulnerability'?
A. A vulnerability that has been patched but not yet deployed to production systems
B. A vulnerability that is publicly known and has a CVSS score of 10
C. A vulnerability that is unknown to the software vendor and has no available patch
D. A vulnerability that can only be exploited within the first 24 hours after disclosure
Explanation: A zero-day vulnerability is a security flaw that is unknown to the software vendor (and therefore has no patch). Attackers who discover zero-days can exploit them with no available defense from the vendor side. The name refers to the fact that developers have had 'zero days' to fix the issue.

7. In the context of cybersecurity, what does the CIA triad represent?
A. Cryptography, Intrusion detection, and Authentication
B. Confidentiality, Integrity, and Availability
C. Cyber Intelligence Agency guidelines for data protection
D. Compliance, Identification, and Authorization
Explanation: The CIA triad is the foundational model of information security. Confidentiality ensures that data is accessible only to authorized parties. Integrity ensures data is accurate and has not been tampered with. Availability ensures systems and data are accessible when needed by authorized users.

8. Which attack technique involves an attacker intercepting communications between two parties without their knowledge?
A. Man-in-the-Middle (MitM) attack
B. SQL Injection attack
C. Denial-of-Service (DoS) attack
D. Brute-force attack
Explanation: A Man-in-the-Middle (MitM) attack occurs when an attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other. MitM attacks can be used to eavesdrop, steal credentials, or inject malicious content into the communication stream.

9. Which social engineering technique involves creating a fabricated scenario to manipulate a victim into providing information or access?
A. Baiting
B. Pretexting
C. Tailgating
D. Spear phishing
Explanation: Pretexting involves an attacker fabricating a believable scenario (the pretext) to establish trust and manipulate the victim. For example, an attacker may impersonate an IT support technician or auditor to convince an employee to provide credentials or physical access. The pretext is the invented justification for the interaction.

10. What is a botnet?
A. A network scanning tool used by security professionals to discover open ports
B. A collection of compromised computers controlled remotely by an attacker to perform coordinated attacks
C. A type of firewall that uses AI to detect and block malicious traffic automatically
D. A legitimate content delivery network used to distribute software updates
Explanation: A botnet is a network of computers (bots or zombies) that have been infected with malware and are under the remote control of an attacker (the botmaster). Botnets are used for distributed denial-of-service (DDoS) attacks, sending spam, credential stuffing, and cryptocurrency mining at scale.

About the Fortinet FCF Practice Questions

Verified exam format metadata for Fortinet Certified Fundamentals in Cybersecurity (FCF) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.