100+ Free HTB CDSA Practice Questions

HTB Certified Defensive Security Analyst practice questions are available now; exam metadata is being verified.

Key Facts: HTB CDSA Exam (2026 statistics)

Practical exam window: 7 days (source: Hack The Box)
SOC Analyst path: 15 modules (source: HTB Academy)
Exam voucher: ~$210 (source: Hack The Box)
Difficulty level: Intermediate (source: Hack The Box)
Avg. study time: 150-250 hrs (community estimate)
Exam scenarios: 2 incidents (source: CDSA review reports)

The HTB CDSA (Certified Defensive Security Analyst) certifies intermediate SOC analyst skills through a 7-day practical lab and incident report. Domains include SIEM operations (Elastic/Splunk), network traffic analysis (Wireshark/tcpdump), Windows event log analysis, YARA and Sigma rule writing, threat hunting, Windows/AD attack detection, and incident reporting. The exam voucher costs ~$210 or is included in an HTB Academy Silver subscription (~$490/year). This 100-question practice exam covers the knowledge domains of the 15-module HTB SOC Analyst path.

Sample HTB CDSA Practice Questions

Try these sample questions to test your HTB CDSA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In the NIST incident handling lifecycle, which phase immediately follows the Detection and Analysis phase?
A. Containment, Eradication, and Recovery
B. Preparation
C. Post-Incident Activity
D. Identification
Explanation: The NIST SP 800-61 incident response lifecycle has four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. After detecting and analyzing an incident, the team moves to contain the threat, eradicate its root cause, and recover normal operations.

2. A SOC analyst sees 50 failed Windows logon events (Event ID 4625) in 10 minutes from a single source IP targeting one account. Which attack type does this most likely indicate?
A. Password spraying
B. Credential stuffing
C. Brute force attack
D. Pass-the-hash
Explanation: A high volume of failed logons (Event ID 4625) against a single account from one source IP in a short timeframe is the classic signature of a brute force attack. Password spraying targets many accounts with few guesses per account; credential stuffing replays breached credential pairs; pass-the-hash uses NTLM hashes and does not produce many 4625 events.

3. Which Sysmon Event ID records the creation of a new process and is most useful for detecting execution of malicious binaries?
A. Sysmon Event ID 1
B. Sysmon Event ID 3
C. Sysmon Event ID 8
D. Sysmon Event ID 11
Explanation: Sysmon Event ID 1 (Process Creation) logs every new process with its full command line, parent process, hashes, and user context. This makes it invaluable for detecting malicious binary execution. Event ID 3 is network connection; Event ID 8 is CreateRemoteThread; Event ID 11 is file creation.

4. In Elastic/KQL, which query correctly searches for all Windows Security events with Event ID 4688 (process creation)?
A. event.code:4688 AND winlog.channel:Security
B. SELECT * FROM Security WHERE EventID=4688
C. index=windows EventCode=4688
D. event_id=4688 source=WinEventLog:Security
Explanation: Kibana Query Language (KQL), used with the Elastic Stack, uses field:value syntax. `event.code:4688` filters for that specific Windows event ID and `winlog.channel:Security` scopes it to the Security event log. The SQL-style query is not KQL. The other two are Splunk SPL syntax.

5. A Wireshark capture shows repeated TCP SYN packets sent to ports 21, 22, 23, 25, 80, and 443 on a target host with no SYN-ACK responses. What does this traffic pattern indicate?
A. A TCP SYN port scan
B. A successful TCP handshake negotiation
C. An ARP spoofing attack
D. A UDP flood denial of service
Explanation: Sequential SYN packets to multiple ports with no SYN-ACK replies are the hallmark of a TCP SYN scan (half-open scan). The scanner sends SYN packets to identify open ports; open ports answer with SYN-ACK, closed ports respond with RST, and filtered ports do not respond. No RST or SYN-ACK means the ports are filtered or the host is down.

6. In Splunk SPL, which search correctly identifies authentication failures for the Windows Security log?
A. index=windows EventCode=4625 | stats count by user
B. index=windows EventCode=4624 | stats count by user
C. sourcetype=WinEventLog:System EventID=4625
D. event.code:4625 AND winlog.channel:Security
Explanation: Windows Event ID 4625 is 'An account failed to log on.' In Splunk SPL, `index=windows EventCode=4625` targets the correct event, and `| stats count by user` aggregates failed attempts per account. EventCode 4624 is a successful logon. The last option is KQL, not SPL.

7. Which MITRE ATT&CK tactic describes actions taken by an adversary to maintain access to a compromised system across restarts?
A. Defense Evasion
B. Lateral Movement
C. Persistence
D. Privilege Escalation
Explanation: Persistence (TA0003) in MITRE ATT&CK covers techniques adversaries use to keep access to systems across interruptions such as restarts, changed credentials, or other disruptions. Examples include registry run keys, scheduled tasks, and new service creation. Defense Evasion focuses on avoiding detection; Lateral Movement on pivoting across the network.

8. A YARA rule contains the condition `all of them`. What does this mean?
A. Match files that contain all of the defined strings
B. Match files that contain at least one of the defined strings
C. Match all files regardless of content
D. Match files where the file size exceeds a threshold
Explanation: `all of them` in a YARA condition requires every string (or pattern) defined in the rule to be present in the scanned file for the rule to match. `any of them` would require at least one string. Size-based matching uses the separate `filesize` keyword.

9. In a Sigma rule, which field specifies the log source category (e.g., process_creation)?
A. logsource
B. detection
C. condition
D. title
Explanation: The `logsource` block in a Sigma rule defines where the log data comes from, including `category` (e.g., process_creation, network_connection), `product` (e.g., windows), and `service` (e.g., sysmon). The `detection` block contains the search identifiers and the `condition` that combines them; `condition` lives inside `detection`.

10. Windows Event ID 4624 logon type 3 indicates which type of authentication?
A. Network logon (SMB, file share, or similar)
B. Interactive (local) logon at the console
C. Remote Desktop Protocol logon
D. Batch logon from a scheduled task
Explanation: Logon Type 3 in Event ID 4624 represents a network logon, which occurs when a user or service authenticates over the network, such as via SMB, file shares, or `net use`. Type 2 is Interactive; Type 10 is RemoteInteractive (RDP); Type 4 is Batch.
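The distinction drawn in question 2 (many 4625 failures against one account from one source is brute force; a few failures spread across many accounts is password spraying) is easy to express as detection logic. The following is an added example, not part of the practice exam or of any HTB material; the event field names, thresholds, and sample events are all constructed for illustration.

```python
"""Classify bursts of Windows 4625 (failed logon) events per source IP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Event ID 4625 = failed logon,
# 4624 = successful logon. Field names are assumptions for this example.
SAMPLE_EVENTS = (
    [{"ts": f"2024-03-01T09:{m:02d}:00", "event_id": 4625, "src_ip": "10.0.0.5",
      "user": "jsmith"} for m in range(10)]              # 10 failures, one account
    + [{"ts": f"2024-03-01T09:{m:02d}:30", "event_id": 4625, "src_ip": "10.0.0.9",
        "user": f"user{m}"} for m in range(6)]           # 6 failures, 6 accounts
    + [{"ts": "2024-03-01T09:05:00", "event_id": 4624, "src_ip": "10.0.0.5",
        "user": "jsmith"}]                               # success: not a failure
)


def classify_failed_logons(events, window_minutes=10, brute_threshold=5,
                           spray_min_accounts=5):
    """Return {src_ip: verdict} using a sliding window over 4625 events.

    brute force       : >= brute_threshold failures against ONE account
    password spraying : >= spray_min_accounts distinct accounts, <= 2 tries each
    A source with neither pattern gets no verdict.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:                        # only failed logons
            by_ip[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))

    verdicts = {}
    window = timedelta(minutes=window_minutes)
    for ip, hits in by_ip.items():
        hits.sort()                                      # chronological order
        for i, (start, _) in enumerate(hits):
            # every failure from this source inside [start, start + window]
            per_account = defaultdict(int)
            for t, user in hits[i:]:
                if t - start <= window:
                    per_account[user] += 1
            if max(per_account.values()) >= brute_threshold:
                verdicts[ip] = "brute force"
                break
            if len(per_account) >= spray_min_accounts and max(per_account.values()) <= 2:
                verdicts[ip] = "password spraying"
                break
    return verdicts


if __name__ == "__main__":
    print(classify_failed_logons(SAMPLE_EVENTS))
```

Raising `brute_threshold` to the 50 in the question suppresses the brute-force verdict for the sample while the spraying verdict stands, which is the tuning knob a SOC would set per environment.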

About the HTB CDSA Practice Questions

Verified exam format metadata for HTB Certified Defensive Security Analyst is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.