What is the SBT CJDE exam format?

The CJDE exam is a practical, scenario-based assessment that replicates real SOC detection engineering tasks. Unlike multiple-choice exams, it tests applied skills including writing Sigma and YARA rules, analyzing Zeek and SIEM logs, and working with detection pipelines. The course includes 15 modules and 120+ hands-on labs. Security Blue Team does not publicly disclose the specific exam duration or passing score threshold.

What tools and platforms does the CJDE cover?

The CJDE curriculum covers: Sigma rules (with sigma-cli and pySigma conversion to Splunk, Elastic, and Graylog); YARA rules for file and memory scanning; Zeek network analysis framework; Splunk (SPL queries, alerts, dashboards); Elastic SIEM (KQL, EQL, detection rules); Graylog (Lucene syntax); MISP for threat intel; Git and GitHub Actions for Detection-as-Code; Python basics for scripting; and AI tools for detection assistance.

How much does the CJDE cost?

The CJDE course and exam package costs £399 GBP (approximately $500 USD at current exchange rates). This includes 4-month access to the full self-paced course (15 modules, 400+ lessons, 120+ labs) and the practical exam. Achieving 90%+ on the first attempt earns a gold challenge coin instead of the standard silver.

How hard is the SBT CJDE?

The CJDE is rated as an intermediate-level certification. It requires practical skills across multiple tool sets — candidates who can write working Sigma rules, query Splunk and Elastic with real log data, and understand Zeek log structure are best positioned to pass. The 40-60 hour course estimate assumes 1-3 years of prior cybersecurity experience. Candidates without SOC experience should budget extra time for the 120+ available lab hours.

What jobs does CJDE qualify me for?

The CJDE demonstrates detection engineering skills valued in: SOC Analyst Tier 2 ($75,000-$110,000), Detection Engineer ($90,000-$140,000), Threat Hunter ($95,000-$135,000), Security Operations Engineer ($85,000-$130,000), and SIEM Administrator ($70,000-$105,000) roles. It complements broader certifications (CompTIA Security+, BTL1) and demonstrates hands-on detection capability.

Is this practice exam like the real CJDE?

No — this is a knowledge-based multiple-choice practice exam. The real CJDE is a practical scenario-based exam where you perform actual detection engineering tasks (writing rules, analyzing logs, building pipelines) in a lab environment. This practice exam tests the conceptual knowledge underlying those practical skills. To pass the real CJDE, you need extensive hands-on lab practice with Sigma, YARA, Zeek, Splunk, and Elastic.

All Practice Exams

100+ Free SBT CJDE Practice Questions

Security Blue Team Certified Junior Detection Engineer practice questions are available now; exam metadata is being verified.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

Not published Pass Rate

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

Which Elastic query detects process creation events where `powershell.exe` spawned a child process with an encoded command (`-EncodedCommand` or `-enc` flag)?

process.parent.name: (powershell.exe OR cmd.exe) AND process.name: powershell.exe

process.command_line: powershell.exe AND event.action: encoded

event.type: process AND process.name: powershell.exe

process.parent.name: powershell.exe AND process.args: (*-EncodedCommand* OR *-enc*)

to track

Same family resources

Explore More Security Blue Team Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

2026 Statistics

Key Facts: SBT CJDE Exam

£399

Course + Exam Fee

Security Blue Team

15 modules

Course Structure

Security Blue Team

120+ hours

Available Lab Hours

Security Blue Team

Intermediate

Difficulty Level

Security Blue Team

40-60 hrs

Avg. Completion Time

Security Blue Team

2025

Year Launched

Security Blue Team

The SBT CJDE (Certified Junior Detection Engineer) certifies entry-to-intermediate detection engineering skills through a practical scenario-based exam. Core domains include Sigma & YARA rule writing, SIEM operations (Splunk, Elastic, Graylog), Zeek network log analysis, threat intelligence integration (MISP, STIX/TAXII, MITRE ATT&CK), and CI/CD detection pipelines with Git and GitHub Actions. The £399 course includes 15 modules, 120+ labs, and the practical exam. This 100-question knowledge-prep bank covers all CJDE domains to build the conceptual foundation for the hands-on exam.

Sample SBT CJDE Practice Questions

Try these sample questions to test your SBT CJDE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which Sigma rule field specifies the log source technology, product, and service to ensure the rule targets the correct event stream?

A.detection

B.logsource

C.condition

D.filter

Explanation: The `logsource` block in a Sigma rule defines the category, product, and service fields that tell the SIEM conversion tool which log source the rule targets. Without a correct logsource, sigmac cannot map the rule to the right index or data stream. The `detection` block contains the actual search criteria, while `condition` ties detection identifiers together with logical operators.

2A YARA rule must match a file that contains the string 'MZ' at offset 0 AND has a PE section named '.text'. Which YARA condition correctly expresses this?

A.uint16(0) == 0x5A4D and pe.sections[0].name == ".text"

B."MZ" at 0 and pe.sections[0].name == ".text"

C.uint16(0) == 0x4D5A and for any s in pe.sections: (s.name == ".text")

D.uint16(0) == 0x5A4D and for any s in pe.sections: (s.name == ".text")

Explanation: The Windows PE magic bytes 'MZ' are stored in little-endian order as 0x5A4D at offset 0. `uint16(0) == 0x5A4D` reads the first two bytes as a little-endian 16-bit integer. The `for any s in pe.sections` loop correctly iterates over all sections to find one named '.text', rather than assuming it is always sections[0].

3In Zeek, which log file records metadata about every TCP, UDP, and ICMP connection observed on the network, including duration, bytes transferred, and connection state?

A.conn.log

B.http.log

C.notice.log

D.weird.log

Explanation: Zeek's `conn.log` is the foundational connection log that records a summary row for every network connection, including the 5-tuple (src/dst IP and port, protocol), start time, duration, bytes sent/received, and conn_state. It is the primary source for traffic baselining and network anomaly detection.

4Which Splunk SPL command transforms raw events into a statistical table, making it essential for building detection dashboards and alert conditions?

A.search

B.where

C.stats

D.eval

Explanation: The `stats` command aggregates events and produces a table of summary statistics — count, sum, avg, values, etc. — grouped by one or more fields. Detection engineers use `stats count by src_ip, dest_port` to spot beaconing or port scanning patterns. It is fundamental to threshold-based alerting in Splunk.

5A detection engineer wants to create a Git branch for a new Sigma rule, make changes, and merge via pull request so automated YARA/Sigma linting runs in CI. What is the correct sequence of Git commands to start this workflow?

A.git branch feature/sigma-rule → git checkout feature/sigma-rule → git add → git commit

B.git commit -m 'add rule' → git branch feature/sigma-rule → git push

C.git stash → git pull origin main → git checkout -b feature/sigma-rule

D.git init → git remote add origin → git checkout -b feature/sigma-rule

Explanation: The standard workflow is: create the branch with `git branch`, switch to it with `git checkout` (or combine into `git checkout -b`), stage changes with `git add`, then commit. This allows CI pipelines triggered on branch pushes or pull requests to run linting and validation before merging to main.

6Which MITRE ATT&CK technique ID corresponds to the use of PowerShell for execution, commonly detected by enabling PowerShell Script Block Logging?

A.T1059.001

B.T1055.001

C.T1003.001

D.T1078.002

Explanation: T1059.001 is Command and Scripting Interpreter: PowerShell. Enabling PowerShell Script Block Logging (Event ID 4104) allows defenders to capture decoded script content even when obfuscated. Detection engineers use this to write Sigma rules that flag suspicious PowerShell activity such as encoded commands (-EncodedCommand), download cradles, and AMSI bypass attempts.

7In Elastic SIEM, which query language is optimized for event sequence detection across multiple documents and is specifically designed for temporal correlation of attack chains?

A.KQL (Kibana Query Language)

B.Lucene query syntax

C.EQL (Event Query Language)

D.SPL (Search Processing Language)

Explanation: EQL (Event Query Language) is designed for sequence-based detection. Its `sequence` keyword lets analysts detect ordered chains of events — for example, a process creation followed by network connection from the same process within a time window. This is critical for detecting multi-stage attacks and is Elastic's primary language for SIEM detection rules.

8A detection engineer receives a threat intelligence report containing a list of malicious IP addresses in STIX 2.1 format. Which tool is specifically designed to ingest, store, and share STIX/TAXII threat intelligence feeds?

A.Splunk Enterprise Security

B.MISP (Malware Information Sharing Platform)

C.Zeek Network Security Monitor

D.Elasticsearch

Explanation: MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform purpose-built to ingest, correlate, store, and share STIX/TAXII feeds. It supports automated import of STIX 2.1 objects, attribute correlation, and export to SIEM-compatible formats. Detection engineers use MISP to operationalize threat intel and push IOCs into detection pipelines.

9Which Sigma rule modifier changes a keyword match to be case-sensitive and requires the field value to end with the specified string?

A.endswith

B.contains|all

C.endswith|utf16le

D.re

Explanation: The `endswith` modifier in Sigma matches field values that end with the specified string. Sigma modifiers are appended to field names with a pipe character (e.g., `CommandLine|endswith: '.ps1'`). By default Sigma string matches are case-insensitive; use `|endswith|re` or regex modifiers for case-sensitive matching. `endswith` alone is case-insensitive but suffix-anchored.

10When writing a YARA rule to detect a specific malware family, why is it generally better to use unique internal strings (e.g., mutex names, error messages) rather than file hashes as the primary detection mechanism?

A.File hashes change with any binary modification, including recompilation or packing, making hash rules evasion-trivial

B.YARA does not support hash-based matching natively

C.String-based rules execute faster than hash comparison rules

D.Hash rules require the md5 module which is not available in all YARA versions

Explanation: File hashes (MD5, SHA-256) are brittle as detection mechanisms because any change to the binary — recompilation, adding a null byte, repacking, or encryption — produces a completely different hash, instantly evading the rule. Unique strings like mutex names, PDB paths, error messages, or encoded configs are often reused across variants of the same malware family and provide much more durable detections.

About the SBT CJDE Practice Questions

Verified exam format metadata for Security Blue Team Certified Junior Detection Engineer is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.

100+ Free SBT CJDE Practice Questions

Explore More Security Blue Team Certifications

Security Blue Team Blue Team Level 1 (BTL1)

Security Blue Team Blue Team Level 2 (BTL2)

Security Blue Team Certified Security Operations Manager (CSOM)

Key Facts: SBT CJDE Exam

Sample SBT CJDE Practice Questions

About the SBT CJDE Practice Questions