CFCP CERTIFICATION GUIDE - CrowdStrike

OVERALL PROGRAM DESCRIPTION

CrowdStrike™ is proud to announce the availability of the CrowdStrike Falcon Certification Program (CFCP). CFCP is a multi-tier certification program covering three levels of Falcon users, from the administrator to the front-line analyst to the investigator/hunter. In creating this certification, CrowdStrike has drawn on a talent pool of seasoned incident responders, investigators/hunters and subject matter experts who use the Falcon platform daily to perform their incident response duties. This ensures that analysts and administrators who hold one of these certifications have demonstrated thorough knowledge in their respective area, and that their managers can trust them to use CrowdStrike products and workflows effectively and proficiently.

Each certification level requires that the candidate attend the course(s) listed in the Required Learning Path section for that certification. Although there is no requirement on how recently you completed the required learning, candidates are encouraged to stay current on features, as the certification is subject to update at any time. Each level of certification also assumes a working knowledge of the tool for that level as well as familiarity with the product guides listed in the Required Learning Path.

CROWDSTRIKE CERTIFIED FALCON ADMINISTRATOR
Completion of the FHT-100 level courses, access to your instance of Falcon and the applicable user guides as listed in the certification description.

CROWDSTRIKE CERTIFIED FALCON RESPONDER
Completion of the FHT-201 course, access to your instance of Falcon and the applicable user guides as listed in the certification description. Completion of the FHT-100 level courses is highly recommended.

CROWDSTRIKE CERTIFIED FALCON HUNTER
Completion of the FHT-202 course, access to your instance of Falcon and the applicable user guides as listed in the certification description. Completion of the FHT-201 and FHT-100 level courses is highly recommended.

Tests are administered online through CrowdStrike University, so there is no need to report to a physical testing center. Each participant MUST have a valid subscription to CrowdStrike University. The cost for each exam is $150, and the voucher can be purchased through your CrowdStrike sales representative. Each exam is timed; candidates will have two opportunities to complete the exam successfully and should have access to their Falcon instance during the exam. The passing score for each exam is 80 percent.

Upon successful completion of an exam, the candidate will receive notification of completion and a certificate will be sent via standard mail. Certifications are valid for a period of three years.

Questions regarding Falcon Certification can be sent to [email protected]

CROWDSTRIKE CERTIFIED FALCON ADMINISTRATOR (CCFA)

The CCFA certification is directed at the administrator or any analyst with access to the administrative side of Falcon. Examples of positions aligning with this certification are Security Analyst, SOC Analyst, Security Engineer, IT Security Operations Manager, Security Administrator, Falcon Administrator or Endpoint Security Administrator.

Persons holding this certification have demonstrated sufficient knowledge to effectively manage the Falcon instance. Specific duties might include: user management and role-based permissions, sensor deployment and management, group creation, deployment and prevention policy settings, whitelisting and blacklisting, file path exclusions, administrative reporting and more.

This examination is 60 questions and open book. Candidates are allowed 90 minutes to complete this examination and should have access to their Falcon instance during the exam. Candidates who are unsuccessful will receive a second opportunity to complete the examination and should wait at least one week before the second attempt.

Required Learning Path: The required learning path for the CCFA certification is the FHT-100, FHT-101, FHT-105 and FHT-120 courses in CrowdStrike University. Although the exam is open book, students should be familiar with the following guides as well (available in Falcon at Support > Docs):

• Falcon Introduction
• Falcon Sensor Deployment guides
• Getting Started Guide
• Groups and Policies Guide
• Next-Gen Antivirus Features Guide
• SIEM Connector Feature Guide

In addition to the above learning path, we suggest that candidates for this certification have at least six months of experience with CrowdStrike Falcon in a production environment.

CROWDSTRIKE CERTIFIED FALCON RESPONDER (CCFR)

The CCFR certification is directed at the front-line analyst responding to detections, or anyone performing those duties. Examples of positions aligning with this certification are Security Analyst, SOC Analyst, Security Engineer, IT Security Operations Manager, Security Administrator or Endpoint Security Administrator.

Persons holding this certification have demonstrated sufficient knowledge to effectively respond to a detection within the Falcon interface and Activity app. Specific duties might include: initial triage of a detection, filtering, grouping, assignment, commenting and status changes. They can perform basic investigation by performing any number of tasks such as host search, host timeline, process timeline, user search and other click-driven workflows. They can perform basic proactive hunting for atomic indicators such as domain names, IP addresses or hash values across enterprise event data, whether related to an alert or to some external form of intel.

This examination is 60 questions and open book. Candidates are allowed 90 minutes to complete this examination and should have access to their Falcon instance during the exam. Candidates who are unsuccessful will receive a second opportunity to complete the examination and should wait at least one week before the second attempt.

Required Learning Path: The required learning path for the CCFR certification is the FHT-201 instructor-led course. Completion of the FHT-100, FHT-101, FHT-105 and FHT-120 courses in CrowdStrike University is highly recommended. The CCFA certificate is not required; however, it is commonly obtained first, especially by those who perform multiple functions. Although the exam is open book, students should be familiar with the following guides as well (available in Falcon at Support > Docs):

• Getting Started Guide
• Streaming API Guide (for detection types)

In addition to the above learning path, we suggest that candidates for this certification have at least six months of experience with CrowdStrike Falcon in a production environment.

CROWDSTRIKE CERTIFIED FALCON HUNTER (CCFH)

The CCFH certification is directed at the investigative analyst who performs deeper detection analysis and response as well as machine timelining and event-related search queries. They are also frequently responsible for insider-threat-related investigations and proactive investigation (hunting) based on intel reports and other sources of information. Examples of positions aligning with this certification are Hunt Team Members, Security Analyst, SOC Analyst, Security Engineer, IT Security Operations Manager, Security Administrator or Endpoint Security Administrator.

Persons holding this certification have demonstrated sufficient knowledge to effectively respond to a detection within the Falcon interface and Activity app. They understand what automated reports and queries exist and how to use them to assist in machine auditing and proactive investigation. They have demonstrated the ability to perform simple and intermediate-level search queries using the Splunk syntax. They understand how to navigate between and use multiple views such as Process Explorer, Host Search, Host Timeline and Process Timeline to maximize productivity and quickly obtain the desired results.

This examination is 60 questions and open book. Candidates are allowed 90 minutes to complete this examination and should have access to their Falcon instance during the exam. Candidates who are unsuccessful will receive a second opportunity to complete the examination and should wait at least one week before the second attempt.

Required Learning Path: The required learning path for the CCFH certification is the FHT-202 course. Completion of the FHT-100, FHT-101, FHT-105 and FHT-120 courses in CrowdStrike University and the FHT-201 instructor-led course is highly recommended. The CCFA and CCFR certificates are not required; however, they may be obtained first, especially by those who perform multiple functions. Although the exam is open book, students should be familiar with the following guides as well (available in Falcon at Support > Docs):

• Getting Started Guide
• Streaming API Guide (for detection types)
• Events Data Dictionary
• Hunting Guide

In addition to the above learning path, CrowdStrike suggests that candidates for this certification have at least six months of experience with CrowdStrike Falcon in a production environment.

ABOUT CROWDSTRIKE SERVICES

CrowdStrike's team of incident responders has worked hundreds of the world's most significant data breach investigations. Our training subscriptions are unique and draw from our real-world incident response and remediation experience with the near-immediate visibility provided by the Falcon Platform. CrowdStrike provides the knowledge and skills your team needs to identify attackers and rapidly mitigate unauthorized access to your environment, and get your organization back to normal business operations fast.

LEARN HOW CROWDSTRIKE STOPS BREACHES:

Speak to a representative to learn more about how CrowdStrike Services can help you prepare for and defend against targeted attacks.

LET'S DISCUSS YOUR NEEDS

Phone: 1.888.512.8906 | Email: [email protected] | www.crowdstrike.com/services