
CFCP CERTIFICATION GUIDE

OVERALL PROGRAM DESCRIPTION

CrowdStrike™ is proud to announce the availability of the CrowdStrike Falcon Certification Program (CFCP). CFCP is a multi-tier certification program, covering three levels of Falcon users from the administrator to the front-line analyst to the investigator/hunter.

In creating this certification, CrowdStrike has drawn on a talent pool of seasoned incident responders, investigators/hunters and subject matter experts who use the Falcon platform daily to perform their incident response duties. This ensures that analysts and administrators who hold one of these certifications have demonstrated a thorough knowledge in the respective area and their managers can trust that they can effectively and proficiently use CrowdStrike products and workflows.

Each certification level requires that the candidate attend the course(s) listed in the Required Learning Path section for each certification. Although there is no requirement on how recently you completed the required learning, candidates are encouraged to stay current on features as the certification is subject to update at any time. Each level of certification also assumes a working knowledge of the tool for that level as well as familiarity with the product guides listed in the Required Learning Path.

CROWDSTRIKE CERTIFIED FALCON HUNTER
Completion of the FHT-202 course, access to your instance of Falcon and applicable user guides as listed in the certification description. Completion of FHT-201 and FHT-100 level courses is highly recommended.

CROWDSTRIKE CERTIFIED FALCON RESPONDER
Completion of the FHT-201 course, access to your instance of Falcon and applicable user guides as listed in the certification description. Completion of the FHT-100 level courses is highly recommended.

CROWDSTRIKE CERTIFIED FALCON ADMINISTRATOR
Completion of the FHT-100 level courses, access to your instance of Falcon and applicable user guides as listed in the certification description.

Tests are administered online through CrowdStrike University so there is no need to report to a physical
testing center. Each participant MUST have a valid subscription to CrowdStrike University. The cost for each
exam is $150 and the voucher can be purchased through your CrowdStrike sales representative. Each exam is
timed. Candidates will have two opportunities to complete the exam successfully and should have access
to their Falcon instance during the exam. The passing score for the exam is 80 percent.

Upon successful completion of an exam, the candidate will receive notification of completion
and a certificate will be sent via standard mail. Certifications are valid for a period of three years.
Questions regarding Falcon Certification can be sent to CFCP@crowdstrike.com.

CROWDSTRIKE CERTIFIED FALCON ADMINISTRATOR (CCFA)

The CCFA certification is directed at the administrator or any analyst with access to the administrative side of Falcon. Examples of positions aligning with this certification are Security Analyst, SOC Analyst, Security Engineer, IT Security Operations Manager, Security Administrator, Falcon Administrator or Endpoint Security Administrator.

Persons holding this certification have demonstrated sufficient knowledge to effectively manage the Falcon instance. Specific duties might include: user management and role-based permissions, sensor deployment and management, group creation, deployment and prevention policy settings, white and black listing, file path exclusion, administrative reporting and more.

This examination is 60 questions and open book. Candidates are allowed 90 minutes to complete this examination and should have access to their Falcon instance during the exam. Candidates who are unsuccessful will receive a second opportunity to complete the examination and should wait at least one week before the second attempt.

Required Learning Path: The required learning path for the CCFA certification is the FHT-100, FHT-101, FHT-105 and FHT-120 courses in CrowdStrike University. Although the exam is open book, students should be familiar with the following guides as well (available in Falcon at Support>Docs):

• Falcon Introduction
• Falcon Sensor Deployment guides
• Getting Started Guide
• Groups and Policies Guide
• Next-Gen Antivirus Features Guide
• SIEM Connector Feature Guide

In addition to the above learning path, we suggest that candidates for this certification have at least six months of experience with CrowdStrike Falcon in a production environment.

CROWDSTRIKE CERTIFIED FALCON RESPONDER (CCFR)

The CCFR certification is directed at the front-line analyst responding to detections or anyone performing those duties. Examples of positions aligning with this certification are Security Analyst, SOC Analyst, Security Engineer, IT Security Operations Manager, Security Administrator or Endpoint Security Administrator.

Persons holding this certification have demonstrated sufficient knowledge to effectively respond to a detection within the Falcon interface and Activity app. Specific duties might include: initial triage of a detection, filtering, grouping, assignment, commenting and status changes. They can perform basic investigation by performing any number of tasks such as host search, host timeline, process timeline, user search and other click-driven workflows. They can perform basic proactive hunting for atomic indicators such as domain names, IP addresses or hash values across enterprise event data, whether it is related to an alert or some external form of intel.

This examination is 60 questions and open book. Candidates are allowed 90 minutes to complete this examination and should have access to their Falcon instance during the exam. Candidates who are unsuccessful will receive a second opportunity to complete the examination and should wait at least one week before the second attempt.

Required Learning Path: The required learning path for the CCFR certification is the FHT-201 instructor-led course. Completion of FHT-100, FHT-101, FHT-105 and FHT-120 courses in CrowdStrike University is highly recommended. The CCFA certificate is not required; however, it is commonly obtained first, especially for those who perform multiple functions. Although the exam is open book, students should be familiar with the following guides as well (available in Falcon at Support>Docs):

• Getting Started Guide
• Streaming API Guide (for detection types)

In addition to the above learning path, we suggest that candidates for this certification have at least six months of experience with CrowdStrike Falcon in a production environment.

CROWDSTRIKE CERTIFIED FALCON HUNTER (CCFH)

The CCFH certification is directed at the investigative analyst who performs deeper detection analysis and response as well as machine timelining and event-related search queries. They are also frequently responsible for insider-threat-related investigations and proactive investigation (hunting) based on intel reports and other sources of information. Examples of positions aligning with this certification are Hunt Team Members, Security Analyst, SOC Analyst, Security Engineer, IT Security Operations Manager, Security Administrator or Endpoint Security Administrator.

Persons holding this certification have demonstrated sufficient knowledge to effectively respond to a detection within the Falcon interface and Activity app. They understand what automated reports and queries exist and how to use them to assist in machine auditing and proactive investigation. They have demonstrated the ability to perform simple and intermediate level search queries using the Splunk syntax. They understand how to navigate between and use multiple views such as Process Explorer, Host Search, Host Timeline and Process Timeline to maximize productivity and quickly obtain the desired results.

This examination is 60 questions and open book. Candidates are allowed 90 minutes to complete this examination and should have access to their Falcon instance during the exam. Candidates who are unsuccessful will receive a second opportunity to complete the examination and should wait at least one week before the second attempt.

Required Learning Path: The required learning path for the CCFH certification is the FHT-202 course. Completion of FHT-100, FHT-101, FHT-105 and FHT-120 courses in CrowdStrike University and the FHT-201 instructor-led course are highly recommended. The CCFA and CCFR certificates are not required; however, they may be obtained first, especially for those who perform multiple functions. Although the exam is open book, students should be familiar with the following guides as well (available in Falcon at Support>Docs):

• Getting Started Guide
• Streaming API Guide (for detection types)
• Events Data Dictionary
• Hunting Guide

In addition to the above learning path, CrowdStrike suggests that candidates for this certification have at least six months of experience with CrowdStrike Falcon in a production environment.

ABOUT CROWDSTRIKE SERVICES
CrowdStrike’s team of incident responders has worked hundreds of the world’s most significant data breach
investigations. Our training subscriptions are unique and draw from our real-world incident response and
remediation experience with the near-immediate visibility provided by the Falcon Platform. CrowdStrike provides
the knowledge and skills your team needs to identify attackers and rapidly mitigate unauthorized access to
your environment — and get your organization back to normal business operations fast.

LEARN HOW CROWDSTRIKE STOPS BREACHES:


Speak to a representative to learn more about how CrowdStrike Services can help you
prepare for and defend against targeted attacks.

LET’S DISCUSS YOUR NEEDS


Phone: 1.888.512.8906 | Email: sales@crowdstrike.com | www.crowdstrike.com/services
