About CCDL1
The Certified CyberDefenders Level 1 (CCDL1) is the foundational certification for SOC Tier-1 analysts in the CyberDefenders ecosystem. CCDL1 validates a candidate's practical ability to triage security alerts, investigate incidents, analyze logs, and operate real SOC tools within a live, scenario-driven environment.
The broad spectrum of topics included in the CCDL1 Exam Outline ensures its relevance across the core disciplines of Tier-1 SOC analysis. Successful candidates are competent in the following four domains:
Endpoint & Network Analysis
SIEM Analysis & Log Navigation
Phishing & Email Analysis
Cloud Security
Experience Requirements
There are no formal experience prerequisites to sit the CCDL1 exam. The certification is designed for candidates beginning their career in a Security Operations Center environment or transitioning into a Tier-1 analyst role.
Job Task Analysis (JTA)
CyberDefenders has an obligation to its community to maintain the relevancy of the CCDL1. The Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are performed by security professionals engaged in the profession defined by the CCDL1. A survey was conducted with actively practicing SOC L1 analysts, whose responses were used to generate a report that was subsequently reviewed and validated by a Subject Matter Expert (SME) panel. The results of this process were used to define the domain weights and topic areas assessed in the examination. This ensures that candidates are tested on skills directly relevant to the roles and responsibilities of today's practicing SOC L1 analysts.
CCDL1 Exam Information
The CCDL1 exam combines a live lab environment with scenario-based multiple choice questions.
| Item | Detail |
| --- | --- |
| Length of exam | 6 hours |
| Number of items | 48 |
| Item format | Multiple choice — each question contains between 4 and 8 answer choices with one correct answer |
| Lab environment | Live virtual machine accessible throughout the exam |
| Passing grade | 70% |
| Attempts included | 2 attempts |
CCDL1 Examination Weights
| Domain | Weight |
| --- | --- |
| 1. Endpoint & Network Analysis | 35% |
| 2. SIEM Analysis & Log Navigation | 42% |
| 3. Phishing & Email Analysis | 13% |
| 4. Cloud Security | 10% |
| Total | 100% |
Domains
Domain 1: Endpoint & Network Analysis
Focuses on Windows host artifact analysis, process chain investigation, network traffic analysis, memory forensics, and scoped digital forensics artifact interpretation relevant to Tier-1 SOC investigations.
Domain 2: SIEM Analysis & Log Navigation
Covers SIEM log sources, event correlation, authentication and service event interpretation, lateral movement indicators, and alert enrichment using log-based evidence.
Domain 3: Phishing & Email Analysis
Assesses email header analysis, sender validation techniques, attachment analysis, URL and payload extraction, and attacker infrastructure identification.
Domain 4: Cloud Security
Includes cloud provider log structures, cloud IAM concepts, object storage API activity, and cloud-based incident indicators relevant to Tier-1 SOC investigations.
