PCCSE Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the PCCSE certification? Our PCCSE Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective exam preparation is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic PCCSE Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.
Which two required request headers interface with Prisma Cloud API? (Choose two.)
A. Content-type:application/json
B. x-redlock-auth
C. x-redlock-request-id
D. Content-type:application/xml
Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to organization public cloud environments exposed to network traffic from the internet and affected by Text4Shell RCE (CVE-2022-42889) vulnerability?
• Network flow logs from all virtual private cloud (VPC) subnets are ingested to the Prisma Cloud Enterprise Edition tenant.
• All virtual machines (VMs) have Prisma Cloud Defender deployed.
A. network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
B. config from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')) AND source.publicnetwork = ('Internet IPs' or 'Suspicious IPs')
C. network from vpc.flow_record where bytes > 0 AND finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889') AND source.publicnetwork = 'Internet IPs'
D. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances' AND json.rule = publicIpAddress exists AND finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')
Console is running in a Kubernetes cluster, and you need to deploy Defenders on nodes within this cluster.
Which option shows the steps to deploy the Defenders in Kubernetes using the default Console service name?
A. From the deployment page in Console, choose pod name for Console identifier, generate DaemonSet file, and apply the DaemonSet to twistlock namespace.
B. From the deployment page configure the cloud credential in Console and allow cloud discovery to auto-protect the Kubernetes nodes.
C. From the deployment page in Console, choose twistlock-console for Console identifier, generate DaemonSet file, and apply DaemonSet to the twistlock namespace.
D. From the deployment page in Console, choose twistlock-console for Console identifier, and run the curl | bash script on the master Kubernetes node.
The development team wants to fail CI jobs where a specific CVE is contained within the image.
How should the development team configure the pipeline or policy to produce this outcome?
A. Set the specific CVE exception as an option in Jenkins or twistcli.
B. Set the specific CVE exception as an option in Defender running the scan.
C. Set the specific CVE exception as an option using the magic string in the Console.
D. Set the specific CVE exception in Console's CI policy.
Which three serverless runtimes are supported by Prisma Cloud for vulnerability and compliance scans? (Choose three.)
A. Swift
B. Python
C. Dart
D. Java
E. Node.js
What is an automatically correlated set of individual events generated by the firewall and runtime sensors to identify unfolding attacks?
A. policy
B. incident
C. audit
D. anomaly
When an alert notification from the alarm center is deleted, how many hours will a similar alarm be suppressed by default?
A. 12
B. 8
C. 24
D. 4
DRAG DROP
Put the steps of integrating Okta with Prisma Cloud in the right order in relation to CIEM or SSO Okta integration.
Which option shows the steps to install the Console in a Kubernetes Cluster?
A. Download the Console and Defender image. Generate YAML for Defender. Deploy Defender YAML using kubectl.
B. Download and extract release tarball. Generate YAML for Console. Deploy Console YAML using kubectl.
C. Download the Console and Defender image. Download YAML for Defender from the document site. Deploy Defender YAML using kubectl.
D. Download and extract release tarball. Download the YAML for Console. Deploy Console YAML using kubectl.
Which IAM Azure RQL query would correctly generate an output to view users who have sufficient permissions to create security groups within Azure AD and create applications?
A. config where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is true and defaultUserRolePermissions.allowedToCreateApps is true
B. config from cloud.resource where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions exists
C. config from network where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is false and defaultUserRolePermissions.allowedToCreateApps is true
D. config from cloud.resource where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is true and defaultUserRolePermissions.allowedToCreateApps is true
Under which tactic is “Exploit Public-Facing Application” categorized in the ATT&CK framework?
A. Defense Evasion
B. Initial Access
C. Execution
D. Privilege Escalation
Who can access saved searches in a cloud account?
A. Administrators
B. Users who can access the tenant
C. Creators
D. All users with whom the saved search has been shared
A security team has a requirement to ensure the environment is scanned for vulnerabilities.
What are three options for configuring vulnerability policies? (Choose three.)
A. individual actions based on package type
B. output verbosity for blocked requests
C. apply policy only when vendor fix is available
D. individual grace periods for each severity level
E. customize message on blocked requests
Which three elements are part of SSH Events in Host Observations? (Choose three.)
A. Startup process
B. User
C. System calls
D. Process path
E. Command
Which `kind` of Kubernetes object is configured to ensure that Defender is acting as the admission controller?
A. MutatingWebhookConfiguration
B. DestinationRules
C. ValidatingWebhookConfiguration
D. PodSecurityPolicies
The security team wants to target a CNAF policy for specific running Containers.
How should the administrator scope the policy to target the Containers?
A. scope the policy to Image names.
B. scope the policy to namespaces.
C. scope the policy to Defender names.
D. scope the policy to Host names.
The compliance team needs to associate Prisma Cloud policies with compliance frameworks.
Which option should the team select to perform this task?
A. Custom Compliance
B. Policies
C. Compliance
D. Alert Rules
Which three fields are mandatory when authenticating the Prisma Cloud plugin in the IntelliJ application? (Choose three.)
A. Secret Key
B. Prisma Cloud API URL
C. Tags
D. Access Key
E. Asset Name
Which three AWS policy types and identities are used to calculate the net effective permissions? (Choose three.)
A. AWS IAM group
B. AWS IAM role
C. AWS service control policies (SCPs)
D. AWS IAM tag policy
E. AWS IAM User
A Prisma Cloud administrator is onboarding a single GCP project to Prisma Cloud.
Which two steps can be performed by the Terraform script? (Choose two.)
A. enable flow logs for Prisma Cloud.
B. create the Prisma Cloud role.
C. enable the required APIs for Prisma Cloud.
D. publish the flow log to a storage bucket.
A user from an organization is unable to log in to Prisma Cloud Console after having logged in the previous day.
Which area on the Console will provide input on this issue?
A. SSO
B. Audit Logs
C. Users & Groups
D. Access Control
A DevOps lead reviewed some system logs and noticed some odd behavior that could be a data exfiltration attempt. The DevOps lead only has access to vulnerability data in Prisma Cloud Compute, so the DevOps lead passes this information to SecOps.
Which pages in Prisma Cloud Compute can the SecOps lead use to investigate the runtime aspects of this attack?
A. The SecOps lead should investigate the attack using Vulnerability Explorer and Runtime Radar.
B. The SecOps lead should use Incident Explorer and Compliance Explorer.
C. The SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits.
D. The SecOps lead should review the vulnerability scans in the CI/CD process to determine blame.
Which two filters are available in the SecOps dashboard? (Choose two.)
A. Time range
B. Account Groups
C. Service Name
D. Cloud Region
How is the scope of each rule determined in the Prisma Cloud Compute host runtime policy?
A. By the order in which it is created
B. By the collection assigned to that rule
C. By the type of network traffic it controls
D. By the target workload
Prisma Cloud supports sending audit event records to which three targets? (Choose three.)
A. SNMP Traps
B. Syslog
C. Stdout
D. Prometheus
E. Netflow
Given the following information, which twistcli command should be run if an administrator were to exec into a running container and scan it from within using an access token for authentication?
• Console is located at https://prisma-console.mydomain.local
• Token is: TOKEN_VALUE
• Report ID is: REPORT_ID
• Container image running is: myimage:latest
A. twistcli images scan --address https://prisma-console.mydomain.local --token TOKEN_VALUE --containerized --details myimage:latest
B. twistcli images scan --console-address https://prisma-console.mydomain.local --auth-token TOKEN_VALUE --containerized --vulnerability-details REPORT_ID
C. twistcli images scan --address https://prisma-console.mydomain.local --token TOKEN_VALUE --containerized --details REPORT_ID
D. twistcli images scan --console-address https://prisma-console.mydomain.local --auth-token MY_TOKEN --local-scan --details myimage:latest
An administrator sees that a runtime audit has been generated for a Container. The audit message is `DNS resolution of suspicious name wikipedia.com. type A`.
Why would this message appear as an audit?
A. The DNS was not learned as part of the Container model or added to the DNS allow list.
B. This is a DNS known to be a source of malware.
C. The process calling out to this domain was not part of the Container model.
D. The Layer7 firewall detected this as anomalous behavior.
An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator also has configured a load balancer in TCP passthrough mode to listen on the same ports as the default Prisma Compute Console configuration.
In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS.
Which port will twistcli need to use to access the Prisma Compute APIs?
A. 8084
B. 443
C. 8083
D. 8081
What is the most reliable and extensive source for documentation on Prisma Cloud APIs?
A. prisma.pan.dev
B. docs.paloaltonetworks.com
C. Prisma Cloud Administrator’s Guide
D. Live Community
A Prisma Cloud administrator is tasked with pulling a report via API. The Prisma Cloud tenant is located on app2.prismacloud.io.
What is the correct API endpoint?
A. https://api.prismacloud.io
B. https://api2.eu.prismacloud.io
C. httsp://api.prismacloud.cn
D. https://api2.prismacloud.io
Which two attributes are required for a custom config RQL? (Choose two.)
A. json.rule
B. cloud.account
C. api.name
D. tag
On which cloud service providers can you receive new API release information for Prisma Cloud?
A. AWS, Azure, GCP, Oracle, IBM
B. AWS, Azure, GCP, Oracle, Alibaba
C. AWS, Azure, GCP, IBM
D. AWS, Azure, GCP, IBM, Alibaba
Where are Top Critical CVEs for deployed images found?
A. Defend → Vulnerabilities → Code Repositories
B. Defend → Vulnerabilities → Images
C. Monitor → Vulnerabilities → Vulnerabilities Explorer
D. Monitor → Vulnerabilities → Images
The security team wants to enable the “block” option under compliance checks on the host.
What effect will this option have if it violates the compliance check?
A. The host will be taken offline.
B. Additional hosts will be prevented from starting.
C. Containers on a host will be stopped.
D. No containers will be allowed to start on that host.
Which command correctly outputs scan results to stdout in tabular format and writes scan results to a JSON file while still sending the results to Console?
A. $ twistcli images scan --address --user --password --stdout-tabular --output-file scan-results.json nginx:latest
B. $ twistcli images scan --address --username --password --details --json-output scan-results.json nginx:latest
C. $ twistcli images scan --address --user --password --details --file-output scan-results.json nginx:latest
D. $ twistcli images scan --address --u --p --details --output-file scan-results.json nginx:latest
Which policy type should be used to detect and alert on cryptominer network activity?
A. Anomaly
B. Config-run
C. Config-build
D. Audit event
The security team wants to protect a web application container from an SQLi attack.
Which type of policy should the administrator create to protect the container?
A. CNAF
B. Runtime
C. Compliance
D. CNNF
A customer has a requirement to scan serverless functions for vulnerabilities.
Which three settings are required to configure serverless scanning? (Choose three.)
A. Defender Name
B. Region
C. Credential
D. Console Address
E. Provider
Which two variables must be modified to achieve automatic remediation for identity and access management (IAM) alerts in Azure cloud? (Choose two.)
A. API_ENDPOINT
B. SQS_QUEUE_NAME
C. SB_QUEUE_KEY
D. YOUR_ACCOUNT_NUMBER
Which three types of runtime rules can be created? (Choose three.)
A. Processes
B. Network-outgoing
C. Filesystem
D. Kubernetes-audit
E. Waas-request
Per security requirements, an administrator needs to provide a list of people who are receiving e-mails for Prisma Cloud alerts.
Where can the administrator locate this list of e-mail recipients?
A. Target section within an Alert Rule.
B. Notification Template section within Alerts.
C. Users section within Settings.
D. Set Alert Notification section within an Alert Rule.
A customer wants to scan a serverless function as part of a build process.
Which twistcli command can be used to scan serverless functions?
A. twistcli function scan
B. twistcli scan serverless
C. twistcli serverless AWS
D. twiscli serverless scan
Anomaly policy uses which two logs to identify unusual network and user activity? (Choose two.)
A. Network flow
B. Audit
C. Traffic
D. Users
Which policy type provides information about connections from suspicious IPs in a customer database?
A. Anomaly
B. Threat detection
C. Network
D. AutoFocus
Which two statements explain differences between build and run config policies? (Choose two.)
A. Run and Network policies belong to the configuration policy set.
B. Build policies allow checking for security misconfigurations in the IaC templates and ensure these issues do not get into production.
C. Run policies monitor network activities in the environment and check for potential issues during runtime.
D. Run policies monitor resources and check for potential issues after these cloud resources are deployed.
Which role does Prisma Cloud play when configuring SSO?
A. JIT
B. Service provider
C. SAML
D. Identity provider issuer
When would a policy apply if the policy is set under Defend > Vulnerability > Images > Deployed?
A. when a serverless repository is scanned
B. when a Container is started from an Image
C. when the Image is built and when a Container is started from an Image
D. when the Image is built
Which API calls can scan an image named myimage:latest with twistcli and then retrieve the results from Console?
A. $ twistcli images scan --address --user --password --verbose myimage:latest
B. $ twistcli images scan --address --user --password --details myimage:latest
C. $ twistcli images scan --address --user --password myimage:latest
D. $ twistcli images scan --address --user --password --console myimage:latest
Which IAM RQL query would correctly generate an output to view users who enabled console access with both access keys and passwords?
A. config from network where api.name = 'aws-iam-get-credential-report' AND json.rule = cert_1_active is true or cert_2_active is true and password_enabled equals "true"
B. config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is true or access_key_2_active is true and password_enabled equals "true"
C. config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is false or access_key_2_active is true and password_enabled equals "*"
D. config where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is true or access_key_2_active is true and password_enabled equals "true"
What happens when a role is deleted in Prisma Cloud?
A. The access key associated with that role is automatically deleted.
B. Any integrations that use the access key to make calls to Prisma Cloud will stop working.
C. The users associated with that role will be deleted.
D. Any user who uses that key will be deleted.
We continuously update our content to ensure you have the most current and effective prep materials.
Good luck with your PCCSE certification journey!