
100+ Free XDR Analyst Practice Questions

Pass your Palo Alto Networks Certified XDR Analyst (Specialist) exam on the first try — instant access, no signup required.

Key Facts: XDR Analyst Exam

  • Est. Pass Rate: ~60-70% (industry estimate)
  • Passing Score: 860/1000 (source: Palo Alto)
  • Study Time: 40-80 hrs (recommended)
  • Exam Duration: 90 min (source: Palo Alto)
  • Exam Fee: $250 (source: Palo Alto)
  • Cert Valid: 2 years (source: Palo Alto)

The XDR Analyst exam costs $250, runs 90 minutes, and requires a scaled score of 860/1000 to pass. The four domains are Incident Handling and Response (34%), Data Analysis with XQL (28%), Alerting and Detection (23%), and Endpoint Security Management (15%). It replaces PCDRA.

Sample XDR Analyst Practice Questions

Try these sample questions to test your XDR Analyst exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which Cortex XDR agent license tier adds Behavioral Threat Protection (BTP), Local Analysis via WildFire, and exploit prevention modules beyond what the base Prevent agent provides?
A. Cortex XDR Prevent
B. Cortex XDR Pro per Endpoint
C. Cortex XDR Pro per TB
D. Cortex XSOAR Standard
Explanation: Cortex XDR Pro per Endpoint extends the Prevent agent with full EDR capabilities including Behavioral Threat Protection, Local Analysis (WildFire ML model on the endpoint), exploit prevention, and response actions like Live Terminal. The Pro per TB SKU is for ingesting third-party logs.

2. An analyst is triaging a high-severity incident in Cortex XDR. Which view stitches together related alerts, processes, and network connections into a single causal timeline anchored on the causality actor?
A. Action Center
B. Causality View
C. Asset Inventory
D. Broker VM Console
Explanation: The Causality View visualizes the entire chain of events — parent processes, child processes, file activity, registry changes, and network connections — anchored at the causality group owner (CGO). It is the analyst's primary investigation pane in Cortex XDR.

3. Which Cortex XDR feature uses machine learning to score and group related alerts from multiple sources (NGFW, EDR, identity, cloud) into a single incident?
A. Smart Grouping
B. Causality Chain Engine
C. Identity Analytics
D. Host Insights
Explanation: Smart Grouping (also referred to as the alert grouping engine) clusters alerts that share infrastructure, hosts, users, or causality into a single incident with a calculated severity, dramatically reducing alert fatigue and producing one investigation pane per attack.

4. A Tier-1 analyst needs to quickly determine whether an alert is part of a known attack campaign or an isolated event. Which incident field should they check first?
A. Alert source
B. MITRE ATT&CK technique
C. Causality actor process image
D. Number of alerts in the incident
Explanation: The MITRE ATT&CK technique mapped to each alert tells the analyst what tactic and technique the adversary executed. Multiple alerts mapping to a sequence of techniques (Initial Access -> Execution -> Persistence -> C2) are a strong indicator of a coordinated campaign rather than a single misfire.

5. Which alert source in Cortex XDR is generated by analyst-defined detection rules that match on raw EDR telemetry such as process, file, registry, or network events?
A. Correlation Rule
B. BIOC (Behavioral Indicator of Compromise)
C. IOC (Indicator of Compromise)
D. Analytics BIOC
Explanation: BIOCs are user-defined behavioral detections that fire when raw endpoint telemetry matches the rule logic — for example, 'powershell.exe spawned by winword.exe with a suspicious command line.' They are the customizable detection layer in Cortex XDR.

6. An analyst wants to query 'all process executions from PowerShell on Windows endpoints in the last 24 hours.' Which Cortex XDR feature is used?
A. Live Terminal
B. XQL Search
C. Action Center
D. BIOC Editor
Explanation: XQL Search (the Cortex Query Language) is the analyst-facing query engine over the Cortex XDR datalake. The query would look like: dataset = xdr_data | filter event_type = PROCESS and action_process_image_name = "powershell.exe" | fields ...

7. Which XQL stage filters records based on a condition, similar to a SQL WHERE clause?
A. dataset
B. filter
C. fields
D. alter
Explanation: The 'filter' stage applies a Boolean expression and discards rows that do not match. It is the most common stage after 'dataset =' in an XQL query.

8. An incident is confirmed to be a ransomware infection. Which response action immediately cuts the host off from all networks except its connection to Cortex XDR?
A. Terminate Process
B. Isolate Endpoint
C. Block Hash
D. Quarantine File
Explanation: Endpoint Isolation severs all inbound and outbound network connections on the host while preserving the agent's tunnel back to Cortex XDR so the analyst can still respond, retrieve files, or run Live Terminal.

9. Which Cortex XDR component continuously inspects process behavior on the endpoint and uses post-execution analytics to detect attacks that have evaded static prevention?
A. Local Analysis (WildFire)
B. Behavioral Threat Protection (BTP)
C. Exploit Prevention
D. Disk Encryption Visibility
Explanation: Behavioral Threat Protection monitors process behavior post-execution and correlates events on the endpoint to detect malicious sequences (for example, credential dumping followed by lateral movement) that signature- or ML-based pre-execution checks may have missed.

10. A trusted internal application is being killed by Local Analysis on dozens of endpoints. What is the recommended remediation while a longer-term fix is deployed?
A. Disable the Cortex XDR agent on those endpoints
B. Add a hash-based exception in the relevant security profile
C. Uninstall WildFire integration
D. Switch the agent to Report-Only mode globally
Explanation: The correct fix is a targeted exception: add the file hash (or path/signer where appropriate) to the malware security profile so Local Analysis no longer blocks it. This preserves protection on every other artifact across the fleet.

About the XDR Analyst Exam

The Palo Alto Networks Certified XDR Analyst (Specialist) validates SOC skills in alert triage, incident investigation, threat hunting with XQL, vulnerability assessment, and response actions using Cortex XDR. It replaces the retired PCDRA (April 30, 2025) and targets Tier 1/2 SOC analysts, incident responders, and threat researchers.

  • Questions: 75 scored questions
  • Time Limit: 90 minutes
  • Passing Score: Scaled 860 (300-1000)
  • Exam Fee: $250 (Palo Alto Networks / Pearson VUE)

XDR Analyst Exam Content Outline

  • Incident Handling and Response (34%): Causality View, alert triage, incident scoping, response actions (isolate, terminate, retrieve files), Live Terminal, MITRE ATT&CK mapping, and containment workflows
  • Data Analysis (XQL) (28%): XQL syntax (filter, alter, comp, join, fields), datasets (xdr_data, endpoint_inventory, incidents, panw.url), threat hunting, saved queries, and dashboards
  • Alerting and Detection Processes (23%): Alert sources (NGFW, EDR, IOC, BIOC, Analytics, Correlation), Smart Grouping, alert tuning, exclusions, IOC feeds, and identity analytics
  • Endpoint Security Management (15%): Cortex XDR Pro/Prevent agent, Local Analysis (WildFire), BTP, Exploit Prevention, Restrictions, Host Firewall, Disk Encryption Visibility, Host Insights, vulnerability assessment

How to Pass the XDR Analyst Exam

What You Need to Know

  • Passing score: Scaled 860 (300-1000)
  • Exam length: 75 questions
  • Time limit: 90 minutes
  • Exam fee: $250

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

XDR Analyst Study Tips from Top Performers

1. Master XQL syntax: dataset, filter, alter, comp, join, fields, sort, limit — the Data Analysis domain is 28%
2. Know the Causality View workflow inside out — Causality Group Owner (CGO), forensic timeline, and Network Story
3. Memorize alert sources: BIOC, IOC, Analytics BIOC, Correlation, plus NGFW and identity-source alerts
4. Practice tuning: alert exclusions vs disabling rules; hash exceptions vs Block Hash; isolate vs terminate
5. Map common Cortex XDR alerts to MITRE ATT&CK tactics (T1003 LSASS, T1059 PowerShell, T1486 ransomware)

Frequently Asked Questions

What replaced the PCDRA?

The Palo Alto Networks Certified XDR Analyst (Specialist) replaced the PCDRA (Palo Alto Networks Certified Detection and Remediation Analyst) when PCDRA retired on April 30, 2025. The new exam is the official path for SOC-analyst Cortex XDR skills.

What is the XDR Analyst pass rate?

Palo Alto does not publish an official pass rate; industry estimates run 60-70%. Candidates with 6-12 months of hands-on Cortex XDR experience and XQL fluency tend to pass on the first attempt.

What experience is recommended?

The exam targets SOC analysts (Tier 1 and Tier 2), incident responders, threat researchers, and MSSP analysts. Working knowledge of Cortex XDR, TCP/IP, SIEM tools, scripting, MITRE ATT&CK, and incident handling is recommended.

How long should I study?

Most candidates study 4-6 weeks investing 40-80 hours. The recommended training is EDU-260: Cortex XDR Prevention, Analysis, and Response, plus hands-on work with the Cortex XDR tenant and XQL.