A great way to start the Prisma Certified Cloud Security Engineer (PCCSE) preparation is to begin by properly appreciating the role that syllabus and study guide play in the Palo Alto PCCSE certification exam. This study guide is an instrument to get you on the same page with Palo Alto and understand the nature of the Palo Alto PCCSE exam.
Our team of experts has composed this Palo Alto PCCSE exam preparation guide to provide the overview about Palo Alto Cloud Security Engineer exam, study material, sample questions, practice exam and ways to interpret the exam objectives to help you assess your readiness for the Palo Alto PCCSE exam by identifying prerequisite areas of knowledge. We recommend you to refer the simulation questions and practice test listed in this guide to determine what type of questions will be asked and the level of difficulty that could be tested in the Palo Alto PCCSE certification exam.
Palo Alto PCCSE Exam Overview:
| Exam Name | Cloud Security Engineer |
| Exam Number | PCCSE |
| Exam Price | $175 USD |
| Duration | 90 minutes |
| Number of Questions | 75-85 |
| Passing Score | 860/300 to 1000 |
| Exam Registration | PEARSON VUE |
| Sample Questions | Palo Alto PCCSE Sample Questions |
| Practice Exam | Prisma Certified Cloud Security Engineer Practice Test |
Palo Alto PCCSE Exam Topics:
| Section | Objectives |
|---|---|
Cloud Security Posture Management (CSPM) - 21% |
|
| Identify assets in a Cloud account |
- Inventory of resources in a cloud account - Resource configuration history - Asset configuration changes |
| Configure policies |
- Custom policies - Policy types - Supported variables within configuration-run custom policies |
| Configure compliance standards |
- Standards - Reports |
| Configure alerting and notifications |
- Alert states - Alert rules - Alert notifications and reports - Alert workflow |
| Use third-party integrations | - Inbound and outbound notifications |
| Perform ad hoc investigations |
- Resource configuration with RQL - User activity using RQL - Network activity using RQL - Anomalous user event(s) - Asset details using RQL |
| Remediate alerts |
- Auto-remediation - Manual versus automated remediation |
| Use SecOps Dashboard |
- Internet-connected assets by source network traffic behavior - Components |
Cloud Workload Protection (CWP) - 21% |
|
| Monitor and defend against image vulnerabilities |
- Options available in the Monitor section - Options available in the Policies section |
| Monitor and defend against host vulnerabilities |
- Options available in the Monitor section - Options available in the Policies section |
| Monitor and enforce image/container compliance |
- Options available in the Monitor section - Options available in the Policies section |
| Monitor and enforce host compliance |
- Options available in the Monitor section - Options available in the Policies section |
| Monitor and defend containers and hosts during runtime |
- Container models - Host observations - Runtime policies - Runtime audits - Incidents using Incident Explorer |
| Monitor and protect against serverless vulnerabilities |
- Monitor - Policy - Auto-protect |
| Configure WAAS |
- Application specifications - API methods - Rest API endpoints - DoS protection - Access controls to Limit inbound sources - Network lists - Access controls to enforce HTTP headers and file uploads - Bot protection - Rules - Audit logs |
| Monitor and protect registries |
- Scanning - CI |
Install, Upgrade, and Backup/Prisma Cloud Administration - 19% |
|
| Deploy and manage Console for the Compute Edition |
- Prisma Cloud release software - Console in Onebox configuration - Upgrade on Console - Business use case to determine the Prisma Cloud version to use - Tenant versus Scale projects |
| Deploy and manage defenders |
- Types - Networking for Defender-To-Console connectivity - Upgrade and Compatibility |
| Configure Agentless Security |
- Agent versus Agentless - Cloud discovery |
| Backup and restore Console |
- Backup management - Disaster recovery |
| Manage authentication |
- Certificates - Secrets and credentials store |
| Onboard accounts |
- Onboard cloud accounts - Account Groups |
| Configure access control |
- Users, roles, and permission groups - Access control troubleshooting - Service accounts and access keys - Single Sign On - Role-based access control for Docker Engine (CWP) - Admission control with Open Policy Agent (CWP) - Resource lists and collections |
| Configure logging |
- Audit logging - Defender logging |
| Manage enterprise settings |
- Anomaly settings - Idle timeout - Auto-enable policies - Alert dismissal reason - User attribution - Licensing - Access key maximum validity |
| Configure third-party integrations |
- Inbound and outbound notifications - Supported capabilities |
| Leverage Cloud and Compute APIs |
- Authenticate with APIs - API documentation - Policies and custom queries by API - Alerts and Reports using APIs - Vulnerability results via API - Access keys - Data security and IAM APIs |
| Leverage Adoption Advisor and Alarm Center |
- Notification rule - Adoption Advisor guidance |
| Access Knowledge Center and Help Center |
- Knowledge Center - Help Center - Feature requests - PCCSE - Live Community - Product status updates - Docs, Prisma Cloud Privacy and Support options |
Cloud Network Security and Identity-Based Microsegmentation Enterprise Edition - 11% |
|
| Configure Cloud network analyzer |
- Network exposure policy - RQL |
| Deploy and manage Enforcers |
- Processing units - Namespaces - Tags and identity - Network rulesets - Out-of-the-box rules - Application profiling |
| Manage local changes in a remote repository (dev-prod) Configuration |
- Types - Networking for Enforcers-to-Console connectivity |
| Use NetSecOps dashboard | - Flows |
Prisma Cloud Code Security (PCCS) - 12% |
|
| Implement scanning for IAC templates |
- Terraform and Cloudformation scanning configurations - OOTB IAC scanning integrations - API scanning - IAC scanning integration - Supply-chain security - Handling scanned issues - Repository scanning |
| Configure policies in Console for IAC scanning |
- OOTB policies - Custom build policies - Types of config policies - Prisma configuration files |
| Configure CI policies for Compute scanning |
- Default CI policies - Custom CI policies |
| Manage configuration settings |
- Code reviews - Code repository settings - Notifications - Pull requests and tagging bots |
Identity and Access Management (IAM)/Prisma Cloud Data Security (PCDS) - 16% |
|
| Calculate net effective permissions |
- AWS calculation - Azure calculation |
| Investigate incidents and create IAM policies |
- RQL queries - IAM policies |
| Integrate IAM with IdP |
- Azure active directory - Okta |
| Remediate alerts |
- Manual versus automatic - AWS remediation - Azure remediation |
| Monitor Scan Results |
- Monitor Scan Results - Data Inventory - Resource Explorer - Object Explorer - Exposure Evaluation |
| Assess Data Policies and Alerts |
- Data policy vs data pattern - Alerts |
| Define data security scan settings |
- Scan configuration - Data profile and pattern - File extensions - Snippet masking |
Palo Alto PCCSE Exam Description:
The Palo Alto Networks Cloud Security Engineer (PCCSE) certification is designed to validate the knowledge and skills required to onboard, deploy, and administer all aspects of the Palo Alto Networks Prisma Cloud portfolio.