This guide explains the structure of the CCDL1 certification exam, including the skills assessed, exam format, domain weights, and the knowledge areas covered throughout the examination.
About CCDL1
The Certified CyberDefenders Level 1 (CCDL1) is the foundational certification for SOC Tier-1 analysts in the CyberDefenders ecosystem. CCDL1 validates a candidate's practical ability to triage security alerts, investigate incidents, analyze logs, and operate real SOC tools within a live, scenario-driven environment.
Targeted Professional Domains
The CCDL1 exam covers a broad spectrum of core competencies required for modern Tier-1 SOC analysis. Successful candidates must demonstrate technical proficiency across four primary domains:
Domain 1: Endpoint & Network Analysis
Domain 2: SIEM Analysis & Log Navigation
Domain 3: Phishing & Email Analysis
Domain 4: Cloud Security
Experience Requirements
There are no formal educational or professional experience prerequisites for sitting the CCDL1 examination. The certification is designed for individuals beginning their career in a Security Operations Center (SOC) environment and for professionals transitioning into a Tier-1 analyst role.
Job Task Analysis (JTA)
To ensure the CCDL1 credential remains a highly relevant and valid measure of professional competence, CyberDefenders utilizes a formal Job Task Analysis (JTA) process.
The JTA is a methodical study used to define the actual tasks, knowledge, and skills performed by active security professionals in the field.
[Industry-Wide JTA Survey] ➔ [SME Panel Review & Validation] ➔ [Exam Weights]
Research & Surveying: A comprehensive survey was conducted with actively practicing SOC L1 analysts across the industry.
SME Panel Validation: The survey data was analyzed to generate an occupational report, which was subsequently reviewed, refined, and validated by an independent Subject Matter Expert (SME) panel.
Exam Alignment: The outcomes of this process directly established the domain weights and specific topic areas assessed on the examination.
This development process ensures that candidates are evaluated solely on objective skills directly relevant to the real-world responsibilities of today's practicing SOC Tier-1 analysts.
CCDL1 Examination Specifications
The CCDL1 examination combines a live, practical lab environment with objective, scenario-based questions to measure technical troubleshooting and analytical capabilities.
| Exam Characteristic | Specification |
| --- | --- |
| Exam Duration | 6 hours |
| Number of items | 48 Questions |
| Item format | Multiple Choice (each item contains between 4 and 8 choices with a single correct answer) |
| Testing environment | Live virtual machine accessible via browser throughout the exam session |
| Passing Score | 70% |
| Attempts included | 2 attempts |
CCDL1 Examination Weights
| Domain | Weight |
| --- | --- |
| 1. Endpoint & Network Analysis | 35% |
| 2. SIEM Analysis & Log Navigation | 42% |
| 3. Phishing & Email Analysis | 13% |
| 4. Cloud Security | 10% |
| Total | 100% |
Detailed Domain Descriptions
Domain 1: Endpoint & Network Analysis
Focuses on Windows host artifact analysis, process chain investigation, network traffic analysis, memory forensics, and scoped digital forensics artifact interpretation relevant to Tier-1 SOC investigations.
Domain 2: SIEM Analysis & Log Navigation
Covers SIEM log sources, event correlation, authentication, service event interpretation, lateral movement indicators, and alert enrichment using log-based evidence.
Domain 3: Phishing & Email Analysis
Assesses email header analysis, sender validation techniques, attachment analysis, URL and payload extraction, and attacker infrastructure identification.
Domain 4: Cloud Security
Includes cloud provider log structures, cloud IAM concepts, object storage API activity, and cloud-based incident indicators relevant to Tier-1 SOC investigations.
