
100+ Free OffSec Threat Hunter Practice Questions

Pass your OffSec Threat Hunter (OSTH / TH-200) exam on the first try — instant access, no signup required.


Key Facts: OffSec Threat Hunter Exam

  • Practical Exam: 8 hr (online proctored hands-on scenario)
  • Report Window: 24 hr (technical report submission after the lab)
  • Bundle Fee: $1,749 (TH-200 Course + Cert)
  • TH-200 Modules: 7 (from fundamentals to behavioral hunting)
  • Course Content: 54 hr (TH-200 self-paced learning)
  • Course Level: 200 (foundational defensive certification)

OSTH (OffSec Threat Hunter, TH-200) is a foundational defensive certification with an 8-hour hands-on proctored exam plus a 24-hour report submission, priced at $1,749 for the Course + Cert bundle. The credential validates proactive, hypothesis-driven threat hunting against ransomware groups and APTs using the Pyramid of Pain, Hunt Maturity Model, PEAK framework, Diamond Model, and MITRE ATT&CK Enterprise. Hunters demonstrate skill with network analysis (Wireshark, tcpdump, Suricata), endpoint and EDR hunting (CrowdStrike Falcon, Microsoft Defender KQL), and SIEM hunting in Splunk (SPL, CIM, ESCU). Our 100-question MCQ bank reinforces the conceptual frameworks that underpin the hands-on lab.

Sample OffSec Threat Hunter Practice Questions

Try these sample questions to test your OffSec Threat Hunter exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which statement BEST describes proactive threat hunting as opposed to traditional alert-driven incident response?
A. Threat hunting starts with an alert from the SIEM and pivots to scoping
B. Threat hunting is a hypothesis-driven search for adversaries that have evaded existing detections
C. Threat hunting is the process of writing new IDS signatures from CVE feeds
D. Threat hunting only runs after a confirmed breach has been declared
Explanation: Threat hunting is a proactive, hypothesis-driven activity. The hunter assumes that some attacks have evaded preventive and detective controls and searches the environment for evidence of that compromise rather than waiting for an alert.

2. In David Bianco's Pyramid of Pain, which indicator type causes the MOST pain to an attacker when defenders detect it?
A. File hash values (MD5/SHA1/SHA256)
B. IP addresses
C. Domain names
D. Tactics, Techniques, and Procedures (TTPs)
Explanation: TTPs sit at the apex of the Pyramid of Pain. Forcing an adversary to change how they operate, not just what tool or domain they use, requires retraining and re-tooling and is therefore the most expensive level of pain you can inflict.

3. Place these Pyramid of Pain levels in the CORRECT order from LEAST painful (bottom) to MOST painful (top).
A. Hash Values, IP Addresses, Domain Names, Network/Host Artifacts, Tools, TTPs
B. TTPs, Tools, Network/Host Artifacts, Domain Names, IP Addresses, Hash Values
C. IP Addresses, Hash Values, Domain Names, Tools, Network/Host Artifacts, TTPs
D. Hash Values, Domain Names, IP Addresses, Tools, Network/Host Artifacts, TTPs
Explanation: Bianco's canonical ordering from base to apex is: Hash Values, IP Addresses, Domain Names, Network/Host Artifacts, Tools, then TTPs at the top. Each level imposes more cost on the attacker to change.

4. An organization relies almost entirely on automated SIEM and antivirus alerts and collects very little log data centrally. Which level of David Bianco's Hunting Maturity Model BEST describes them?
A. HM0 — Initial
B. HM2 — Procedural
C. HM3 — Innovative
D. HM4 — Leading
Explanation: HM0 organizations rely primarily on automated alerting (IDS, AV, SIEM) and do not centrally collect enough data to perform real hunts. They have no proactive hunting capability beyond what their tools surface.

5. What single capability differentiates an HM4 (Leading) organization from an HM3 (Innovative) organization in the Hunting Maturity Model?
A. HM4 organizations have access to commercial threat intelligence feeds
B. HM4 organizations operationalize successful hunts into automated detections
C. HM4 organizations only respond to alerts, while HM3 organizations hunt manually
D. HM4 organizations only collect endpoint data, while HM3 organizations also collect network data
Explanation: HM3 and HM4 are functionally identical in skill; the defining difference is automation. HM4 takes the procedures developed by hunters and converts them into automated, repeatable detections that run continuously.

6. What does the acronym PEAK stand for in the PEAK Threat Hunting Framework developed by Splunk's SURGe team?
A. Plan, Engage, Analyze, Knowledge
B. Prepare, Execute, Act with Knowledge
C. Predict, Evaluate, Action, Kill-chain
D. Profile, Examine, Attack, Kill
Explanation: PEAK is Prepare, Execute, and Act with Knowledge. Knowledge is the connective tissue that flows across all three phases, capturing what was learned and feeding it back into future hunts.

7. Which of the following is NOT one of the three primary hunt types defined by the PEAK framework?
A. Hypothesis-Driven Hunt
B. Baseline Hunt
C. Model-Assisted Threat Hunt (M-ATH)
D. Signature-Driven Hunt
Explanation: PEAK identifies three hunt types: Hypothesis-Driven, Baseline, and Model-Assisted Threat Hunt (M-ATH). 'Signature-Driven' is not a PEAK hunt type — running signatures is detection, not hunting.

8. A hunter is in the Prepare phase of a PEAK hunt. Which activity is MOST appropriate for this phase?
A. Running SPL searches over six months of proxy logs
B. Selecting a topic, doing background research, and writing the hunt plan
C. Filing a ticket with the SOC to contain a confirmed compromise
D. Operationalizing the hunt query as a scheduled correlation rule
Explanation: Prepare is the planning phase: pick the topic, gather threat intel and background research, scope data sources, and document the hunt plan and hypothesis before any analysis begins.

9. The four vertices of the Diamond Model of Intrusion Analysis are:
A. Attacker, Tool, Network, Asset
B. Adversary, Capability, Infrastructure, Victim
C. Reconnaissance, Weaponization, Delivery, Exploitation
D. Person, Process, Technology, Data
Explanation: The Diamond Model describes an intrusion event using four core features: Adversary, Capability, Infrastructure, and Victim. Edges connect them and meta-features (timestamp, phase, result) describe each event.

10. Which Diamond Model vertex BEST describes a malicious payload such as Cobalt Strike Beacon used in an intrusion?
A. Adversary
B. Capability
C. Infrastructure
D. Victim
Explanation: Capability covers the tools, techniques, exploits and malware an adversary brings to bear. Cobalt Strike Beacon is a capability used by an adversary against a victim, hosted on infrastructure.

About the OffSec Threat Hunter Exam

The OffSec Threat Hunter (OSTH) certification, earned through the TH-200 Foundational Threat Hunting course, validates a defender's ability to proactively detect and investigate adversaries through behavioral analysis, threat actor profiling, and the use of network and endpoint indicators. The exam is an 8-hour practical hunt in a simulated environment plus a 24-hour report. Our 100-question MCQ bank covers the conceptual scaffolding TH-200 builds on: the Pyramid of Pain, Hunt Maturity Model, PEAK framework, Diamond Model, MITRE ATT&CK Enterprise, the Cyber Kill Chain, threat-actor profiles (LockBit, BlackCat/ALPHV, CLOP, APT28, APT29, APT40, Lazarus, Sandworm), threat intelligence (STIX 2.1/TAXII 2.1, TLP 2.0, MISP, OpenCTI), IoC categories, network analysis with Wireshark/tcpdump/Suricata, endpoint and EDR hunting with CrowdStrike Falcon and Microsoft Defender KQL, Splunk SPL and CIM, and behavioral hunting techniques.

Assessment

8-hour proctored, hands-on threat hunting scenario in a simulated network, followed by a 24-hour technical report submission window. Our practice bank provides 100 conceptual MCQs that prepare you for the underlying frameworks (Pyramid of Pain, PEAK, MITRE ATT&CK, Diamond Model) and the SIEM/EDR analysis skills the practical assesses.

Time Limit

8 hours hands-on + 24 hours report submission

Passing Score

Practical pass/fail determined by OffSec graders against the rubric

Exam Fee

$1,749 for the Course + Cert bundle, delivered through OffSec's online proctored platform

OffSec Threat Hunter Exam Content Outline

  • Threat Hunting Fundamentals (15%): Proactive hypothesis-driven hunting; Pyramid of Pain (hash -> IP -> domain -> artifact -> tool -> TTP); Hunt Maturity Model HM0-HM4; PEAK Prepare/Execute/Act with Knowledge; Diamond Model vertices and pivots; assume-breach mindset
  • Threat Actors and TTPs (15%): Ransomware (LockBit, BlackCat/ALPHV, CLOP, MOVEit campaign); APTs (APT28 GRU, APT29 SVR, APT40 MSS, Lazarus DPRK, Sandworm); MITRE ATT&CK Enterprise TA0001-TA0040; Lockheed Cyber Kill Chain phases
  • Threat Intel and IoCs (15%): STIX 2.1 / TAXII 2.1; TLP 2.0 (Red, Amber+Strict, Amber, Green, Clear); MISP, OpenCTI, Anomali; hashes, IPs, domains, URIs, mutexes, registry keys, JA3/JA3S, HASSH; entropy and DGA detection
  • Network Analysis (15%): Wireshark display filters (http.request.method, dns.qry.name, tls.handshake.type); tcpdump BPF; Suricata/Snort rule headers, flow keyword, content/offset/depth; DNS tunneling and TXT exfil; C2 beaconing, jitter, low-and-slow
  • Endpoint and EDR (15%): Process-tree anomalies; LOLBins (certutil, rundll32, mshta, bitsadmin, msbuild); persistence (Run keys, Scheduled Tasks, WMI subscription); PowerShell EID 4104/4103, AMSI bypass; PsExec and wmiexec lateral movement; Falcon CQL and Defender KQL
  • Hunting with SIEM and Splunk (15%): SPL stats, eval, where, lookup, transaction, streamstats, tstats; Common Information Model (Authentication, Network_Traffic, Endpoint); ESCU detection content; SPL idioms for beacon detection and rare-pair stack ranking
  • Behavioral Hunting (10%): Frequency / stack-ranking analysis; least-frequency long-tail analysis; time-series anomalies; data stacking; baseline hunts and baseline drift; M-ATH model-assisted threat hunts under PEAK

How to Pass the OffSec Threat Hunter Exam

What You Need to Know

  • Passing score: Practical pass/fail determined by OffSec graders against the rubric
  • Assessment: 8-hour proctored, hands-on threat hunting scenario in a simulated network, followed by a 24-hour technical report submission window. Our practice bank provides 100 conceptual MCQs that prepare you for the underlying frameworks (Pyramid of Pain, PEAK, MITRE ATT&CK, Diamond Model) and the SIEM/EDR analysis skills the practical assesses.
  • Time limit: 8 hours hands-on + 24 hours report submission
  • Exam fee: $1,749 (Course + Cert bundle)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

OffSec Threat Hunter Study Tips from Top Performers

1. Memorize the Pyramid of Pain in order from base to apex: Hash, IP, Domain, Network/Host Artifact, Tool, TTP — and understand why each level imposes more cost on the attacker
2. Master MITRE ATT&CK tactic IDs cold (TA0001 Initial Access through TA0040 Impact) and be able to map common malicious behaviors to the right tactic without looking it up
3. Practice SPL idioms for beacon detection (streamstats with delta, stats avg/stdev) and rare-pair hunting (stats count by parent_image, child_image | sort count) on a Splunk lab
4. Drill the Diamond Model by pivoting from a single Infrastructure indicator to Capability and Adversary using passive DNS, WHOIS, and sample sandboxing
5. Build a personal cheat sheet of LOLBins (certutil, rundll32, mshta, bitsadmin, regsvr32, msbuild, installutil, wmic) and the abuse pattern for each
6. Run the TH-200 Challenge Lab end-to-end at least once before exam day; the conceptual MCQs in this bank are scaffolding, but the hands-on lab is where reps build muscle memory
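The two SPL idioms named in tip 3 (per-pair interval delta with avg/stdev for beacon detection, and count-by-pair sorted ascending for rare-pair hunting), re-implemented in Python over constructed events so the logic can be stepped through outside Splunk. This is an added example, not OffSec's, Splunk's or this question bank's code; every host, IP and process name below is made up.

```python
"""Beacon detection and rare-pair stack ranking over constructed events.

Mirrors two SPL idioms in plain Python:
  streamstats delta per (src, dest) | stats avg/stdev of the delta
  stats count by parent_image, child_image | sort count
All event values are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed network events: (epoch seconds, src, dest).
# 10.0.0.5 -> 203.0.113.9 connects every ~300 s with small jitter (beacon-like);
# 10.0.0.7 -> 198.51.100.4 is irregular, user-driven traffic.
NET_EVENTS = [(t, "10.0.0.5", "203.0.113.9") for t in (0, 301, 598, 902, 1199, 1501)]
NET_EVENTS += [(t, "10.0.0.7", "198.51.100.4") for t in (5, 12, 400, 410, 1900, 1903)]

def beacon_candidates(events, min_hits=5, max_cv=0.1):
    """Return {(src, dest): (avg_delta, stdev_delta)} for pairs whose
    inter-connection interval is regular enough to look like a beacon.
    cv = stdev / avg is the jitter threshold a hunter would tune."""
    by_pair = defaultdict(list)
    for t, src, dest in sorted(events):
        by_pair[(src, dest)].append(t)
    out = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_hits:
            continue  # too few connections to judge periodicity
        deltas = [b - a for a, b in zip(ts, ts[1:])]  # streamstats delta
        avg, sd = mean(deltas), pstdev(deltas)         # stats avg, stdev
        if avg > 0 and sd / avg <= max_cv:
            out[pair] = (avg, sd)
    return out

# Constructed endpoint events: (parent_image, child_image).
PROC_EVENTS = ([("explorer.exe", "chrome.exe")] * 40
               + [("svchost.exe", "conhost.exe")] * 25
               + [("winword.exe", "powershell.exe")])  # long-tail pair to review

def rare_pairs(events, top_n=3):
    """Stack-rank parent/child pairs by count, rarest first
    (stats count by parent_image, child_image | sort count)."""
    counts = Counter(events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:top_n]

if __name__ == "__main__":
    for pair, (avg, sd) in beacon_candidates(NET_EVENTS).items():
        print(f"beacon candidate {pair}: avg={avg:.1f}s stdev={sd:.1f}s")
    for pair, n in rare_pairs(PROC_EVENTS):
        print(f"rare pair {pair}: count={n}")
```

On real data the same two functions run over Network_Traffic and Endpoint CIM fields; only the thresholds (min_hits, max_cv, top_n) change with the environment's baseline.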

Frequently Asked Questions

What is the OffSec Threat Hunter (OSTH / TH-200) certification?

The OSTH is OffSec's foundational defensive certification earned through the TH-200 Foundational Threat Hunting course. It validates that a defender can proactively detect and investigate adversaries using behavioral analysis, threat actor profiling, and network and endpoint indicators of compromise. The exam is an 8-hour proctored, hands-on threat hunting scenario followed by a 24-hour report submission.

How much does the OSTH exam cost?

The OSTH course-and-certification bundle costs $1,749 USD and includes the TH-200 self-paced course, lab access, and one exam attempt. OffSec also offers Learn One ($2,749/year) and Learn Unlimited subscriptions that provide broader access. The OSTH is delivered through OffSec's online proctored platform.

What does the OSTH practical exam look like?

OSTH is a proctored 8-hour hands-on assessment in a simulated environment. You hunt across the network for compromised systems, document your findings, and submit a technical report within 24 hours after the proctored window closes. There are no multiple-choice questions on the real exam — our 100 MCQs are conceptual prep that builds the frameworks the hands-on hunt assumes.

What topics does the TH-200 course cover?

TH-200 has seven modules covering threat hunting concepts and methodologies, threat actors and TTPs (ransomware groups and APTs), threat intelligence and reports including the Traffic Light Protocol, network indicators of compromise (with Suricata-style IDS/IPS), endpoint hunting with CrowdStrike Falcon, hunting with Splunk SIEM, and behavioral analysis. The course is roughly 54 hours of content.

What frameworks should I master for OSTH?

The Pyramid of Pain (hash -> IP -> domain -> artifact -> tool -> TTP), the Hunting Maturity Model (HM0-HM4), Splunk SURGe's PEAK framework (Prepare, Execute, Act with Knowledge), the Diamond Model of Intrusion Analysis, MITRE ATT&CK Enterprise tactics (TA0001-TA0040), and the Lockheed Martin Cyber Kill Chain are the core conceptual frameworks for OSTH and threat hunting in general.

Do OffSec certifications expire?

OffSec credentials do not expire in the traditional sense, but OffSec offers a Continuing Education program that lets you mark your credential as 'active'. For the latest active-status policy, check OffSec's certification continuing-education page.

How long should I study for OSTH?

Most candidates spend 60-100 hours studying alongside the 54-hour TH-200 course over 6-10 weeks, including time on the Challenge Lab. Candidates with prior SOC, IR, or detection-engineering experience usually need less time on conceptual content and more time on the lab environment.