100+ Free Sophos Central Endpoint Engineer Practice Questions

Pass your Sophos Certified Engineer — Central Endpoint Protection exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
~70-80% Pass Rate
100+ Questions
100% Free
2026 Statistics

Key Facts: Sophos Central Endpoint Engineer Exam

  • Exam Questions: ~50 (Sophos)
  • Passing Score: 80% (Sophos, typical)
  • Exam Duration: 60 min (Sophos)
  • Exam Fee: $100 (Sophos, or free with training)
  • Validity: 2-3 yr (Sophos)
  • Certification Level: Engineer (Sophos)

The Sophos Certified Engineer — Central Endpoint Protection exam has ~50 questions in 60 minutes with an 80% passing score. The exam tests Sophos Central administration, Intercept X for Endpoint (Advanced and Advanced with XDR), threat policies, CryptoGuard ransomware rollback, Exploit Prevention, Deep Learning AI, Sophos XDR with Live Discover queries, and Managed Detection and Response (MDR). Typically $100 USD or free with training via the Sophos Partner Portal.

Sample Sophos Central Endpoint Engineer Practice Questions

Try these sample questions to test your Sophos Central Endpoint Engineer exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which Sophos Central console role has full administrative access across all product areas and can create other admin accounts?
A. Help Desk
B. Admin
C. Super Admin
D. Read Only
Explanation: Super Admin is the highest-privilege role in Sophos Central. It has full access across every product area and is the only role permitted to create, modify, and delete other administrator accounts. Admin has broad management rights but cannot change the organization account or other admins. Help Desk is limited to day-to-day support tasks, and Read Only can view but not change settings.

2. Which Sophos product provides next-gen endpoint protection combining Deep Learning, CryptoGuard, and Exploit Prevention?
A. Sophos Firewall
B. Intercept X for Endpoint
C. Sophos Email Appliance
D. Sophos iView
Explanation: Intercept X for Endpoint is Sophos's next-generation endpoint protection product that combines Deep Learning AI for malware classification, CryptoGuard for ransomware rollback, and Exploit Prevention techniques. Sophos Firewall is the network security product, Sophos Email Appliance is email protection, and Sophos iView is the SIEM reporting platform.

3. Which Intercept X feature specifically detects and rolls back unauthorized file encryption typical of ransomware attacks?
A. WipeGuard
B. CryptoGuard
C. HitmanPro
D. Sophos Clean
Explanation: CryptoGuard monitors file activity for the characteristic rapid-encryption behavior of ransomware. When detected, it blocks the process and automatically rolls back encrypted files using journaled copies. WipeGuard focuses on Master Boot Record and disk-wiping attacks, Sophos Clean removes residual malware, and HitmanPro is the kernel-level second-opinion scanner.

4. Which Sophos Central feature allows an administrator to block USB flash drives, external hard drives, and Bluetooth devices on endpoints?
A. Application Control
B. Device Control
C. Data Loss Prevention
D. Peripheral Control
Explanation: Peripheral Control in Sophos Central allows administrators to block, monitor, or allow peripherals including USB removable storage, optical drives, floppy drives, MTP/PTP devices, wireless adapters, and Bluetooth. Device Control is sometimes used interchangeably but Sophos Central specifically labels this as Peripheral Control. Application Control restricts software, and DLP inspects file content.

5. Which Intercept X component uses a neural network trained on millions of malware samples to classify files before execution?
A. CryptoGuard
B. Deep Learning model
C. HitmanPro
D. Sophos Linux Sensor
Explanation: The Deep Learning model in Intercept X is a neural network pre-trained on hundreds of millions of malware and clean-file samples. It classifies portable executable files as malicious or benign in under 20 milliseconds without requiring signatures. CryptoGuard handles ransomware, HitmanPro is second-opinion scanning, and Sophos Linux Sensor covers Linux telemetry.

6. Which Exploit Prevention technique detects attempts to hijack execution by chaining together existing code snippets ending with RET instructions?
A. Heap spray allocation
B. Return-Oriented Programming (ROP)
C. Structured Exception Handler (SEH) overwrite
D. DEP bypass
Explanation: Return-Oriented Programming (ROP) is an exploit technique where attackers chain together small snippets of existing code (gadgets) that end in RET instructions to execute arbitrary logic without injecting new code, bypassing DEP. Intercept X Exploit Prevention detects anomalous RET-chain patterns. Heap spray fills memory with shellcode, SEH overwrite hijacks exception handling, and DEP bypass is a broader category.

7. An administrator wants to query endpoint telemetry across the organization using SQL-like syntax to hunt for threats. Which Sophos feature provides this?
A. Sophos Central Dashboard
B. Live Discover in Sophos XDR
C. Sophos iView
D. Endpoint Self Service Portal
Explanation: Live Discover, available in Sophos XDR (Intercept X Advanced with XDR), lets administrators run SQL-like queries against on-device data and the Sophos Data Lake to hunt for threats across the entire estate. The Central Dashboard shows summary widgets, iView provides reporting/SIEM, and the Self Service Portal is for end users.

8. Where in the Sophos Central hierarchy are threat policies applied to endpoints?
A. To individual devices only
B. To computer or server groups
C. To Active Directory OUs directly
D. To VLANs
Explanation: Threat policies in Sophos Central are assigned to computer groups or server groups, not to individual devices directly. Administrators organize endpoints into groups and apply policies at the group level, which allows consistent management at scale. Sophos Central does not read AD OU structures for policy assignment, and VLANs are network constructs not used for policy scoping.

9. Which Sophos feature prevents end users or malware from disabling the Sophos agent or altering its configuration?
A. HitmanPro
B. Tamper Protection
C. Sophos Clean
D. Exploit Prevention
Explanation: Tamper Protection requires a password before the Sophos agent can be disabled, uninstalled, or its settings changed. It defends against both accidental user changes and malware that targets security agents. If the password is lost, administrators can recover using the Tamper Protection lockout recovery workflow in Sophos Central.

10. A user forgets the Tamper Protection password and needs to uninstall the Sophos agent. What is the correct recovery path?
A. Reinstall Windows to remove the agent
B. Retrieve the current password from Sophos Central under the computer's Tamper Protection settings
C. Disable Sophos from Safe Mode
D. Delete the Sophos service in regedit
Explanation: Sophos Central stores the current Tamper Protection password for each managed endpoint. An administrator can navigate to the endpoint in Sophos Central, open Tamper Protection settings, and view the current password to use for local uninstall or changes. Safe Mode cannot bypass Tamper Protection, and registry edits are blocked by the driver.

About the Sophos Central Endpoint Engineer Exam

The Sophos Certified Engineer — Central Endpoint Protection exam validates skills administering Sophos Central Endpoint, Intercept X Advanced with XDR, threat policies, CryptoGuard, Exploit Prevention, Deep Learning, Active Adversary Mitigation, Sophos XDR, and MDR.

  • Questions: 50 scored questions
  • Time Limit: 60 minutes
  • Passing Score: 80%
  • Exam Fee: $100 (Sophos / Sophos Partner Portal)

Sophos Central Endpoint Engineer Exam Content Outline

  • Sophos Central Administration (25%): Sophos Central admin console, dashboards, alerts, Super Admin/Admin/Help Desk roles, tenant management, deployment (Installer, AD GPO, SCCM, Jamf), update caches, relays, and Source of Updates
  • Intercept X Endpoint Protection (30%): Intercept X Advanced and Advanced with XDR, threat policies, device control, application control, web control, peripheral control, DLP, tamper protection, and Deep Learning model
  • Exploit & Ransomware Defense (20%): CryptoGuard ransomware rollback, WipeGuard, Exploit Prevention (ROP, SEH overwrite, heap spray, DEP/ASLR bypass, shellcode), Active Adversary Mitigation, Sophos Clean, and HitmanPro
  • Sophos XDR & MDR (15%): Sophos XDR Live Discover queries, Data Lake threat hunting with SQL-like syntax, cross-product Extended Detection and Response, and Sophos Managed Detection and Response
  • Cross-Platform & Troubleshooting (10%): Sophos Linux Sensor, Sophos Mobile Security, Cloud Optix, Quarantine Manager, Endpoint Self Service Portal, ETW telemetry, and Tamper Protection lockout recovery

How to Pass the Sophos Central Endpoint Engineer Exam

What You Need to Know

  • Passing score: 80%
  • Exam length: 50 questions
  • Time limit: 60 minutes
  • Exam fee: $100

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Sophos Central Endpoint Engineer Study Tips from Top Performers

1. Master Intercept X features — Deep Learning, CryptoGuard, WipeGuard, and Exploit Prevention techniques including ROP and SEH overwrite detection
2. Practice Sophos XDR Live Discover queries — understand the SQL-like syntax and Data Lake retention for threat hunting
3. Know the threat policy stack — device control, application control, web control, peripheral control, and DLP
4. Understand Sophos Central deployment options — Installer, AD GPO, SCCM, Jamf, and update caches/relays
5. Differentiate Intercept X Advanced vs Advanced with XDR — XDR unlocks Live Discover and Data Lake

Frequently Asked Questions

What is the Sophos Certified Engineer — Central Endpoint Protection exam?

It is an engineer-level certification validating practical skills administering Sophos Central Endpoint Protection, including Intercept X, threat policies, CryptoGuard, Exploit Prevention, Sophos XDR, and Managed Detection and Response (MDR). It follows the ET15/ET80 training series.

How many questions are on the exam?

The exam has approximately 50 multiple-choice questions in 60 minutes with a passing score of 80%. It is typically delivered online through the Sophos Partner Portal after completing the associated engineer training course.

Do I need training to take this exam?

While formal prerequisites vary, Sophos strongly recommends completing the Sophos Central Endpoint Engineer training (often free via the Partner Portal) before attempting the exam. The exam tests practical knowledge gained through the training course and hands-on Sophos Central use.

How much does the exam cost?

The engineer-level exam is typically $100 USD or included free with the training course when accessed through the Sophos Partner Portal. Verify current pricing on training.sophos.com as fees can change and may depend on your partner status.

How long is the certification valid?

Sophos Engineer certifications are typically valid for 2-3 years. Recertification is required when major product versions change or when the associated training course is updated. Check training.sophos.com for current validity terms.

What topics should I focus on?

Focus heavily on Intercept X Endpoint Protection features (threat policies, Deep Learning, Device Control, Web Control, DLP), CryptoGuard and Exploit Prevention techniques, Sophos XDR Live Discover queries, MDR operations, and Sophos Central deployment methods including AD GPO and SCCM.