Prisma Certified Cloud Security Engineer (PCCSE)

The Palo Alto Networks Certified Cloud Security Engineer (PCCSE) credential certifies that the applicant possesses the knowledge, abilities, and skills necessary to deploy and manage every part of Prisma Cloud. Prisma Cloud, Prisma Cloud Enterprise, and Prisma Cloud Compute are all covered by PCCSE. It displays a person’s familiarity with the Prisma Cloud platform’s data, applications, and whole cloud native technology stack—across multi- and hybrid cloud settings and across the development lifecycle.

Who are the target audience?

Anyone interested in showcasing their expertise with Prisma Cloud, including team leaders, professional services and Appsec engineers, customer success, DevOps, and cloud support staff.

PCCSE: Prisma Cloud Security Engineer Sample Questions

Exam Format

There are 75–85 items on the test. In addition to the five minutes allotted for reviewing the NDA, candidates will have 70 to 80 minutes to finish the exam’s questions and five minutes to answer a survey.

How to register for the examination?

The test can be taken through the independent Pearson VUE testing facility. Visit to sign up for the test.

For more information, click on Prisma Certified Cloud Security Engineer (PCCSE) FAQ.

Course Outline for Prisma Certified Cloud Security Engineer (PCCSE)

The Prisma Certified Cloud Security Engineer (PCCSE) covers the following topics:

Cloud Security Posture Management (CSPM)

• Identify assets in a cloud account
  • Inventory of resources in a cloud account
  • Resource configuration history
  • Asset configuration changes
  • References

• Configure policies
  • Custom policies
  • Policy types
  • Supported variables within configuration-run custom policies
  • References

• Configure compliance standards
  • Standards
  • Reports
  • References

• Configure alerting and notification
  • Alert states
  • Alert rules
  • Alert notifications and reports
  • Alert workflow
  • References

• Use third-party integrations
  • Inbound and outbound notifications
  • References

• Perform ad hoc investigations
  • Resource configuration with RQL
  • Network activity using RQL
  • Anomalous event(s)
  • Asset details using RQL
  • References

• Remediate alerts
  • Autoremediation
  • Manual versus automation remediation
  • References

• Use SecOps Dashboard
  • Internet-connected assets by source network traffic behavior
  • Components
  • References

Cloud Workload Protection (CWP)

• Monitor and defend against image vulnerabilities
  • Options available in the Monitor section
  • Options available in the Policies section
  • References

• Monitor and defend against host vulnerabilities
  • Options available in the Monitor section
  • Options available in the Policies section
  • Reference

• Monitor and enforce image/container compliance
  • Options available in the Monitor section
  • Options available in the Policies section
  • References

• Options available in the Monitor section
  • Options available in the Policies section
  • References

• Monitor and defend containers and hosts during runtime
  • Container models
  • Host observations
  • Runtime policies
  • Runtime audits
  • Incidents using Incident Explorer
  • References

• Monitor and protect against serverless vulnerabilities
  • Monitor
  • Policy
  • Auto-protect
  • References

• Configure WAAS
  • Application specifications
  • API methods
  • REST API endpoints
  • DoS protection
  • Access controls to limit inbound sources
  • Network lists
  • Access controls to enforce HTTP headers and file uploads
  • Rules
  • Audit logs

• Monitor and protect registries
  • Scanning
  • CI

Install, Upgrade, and Backup

• Deploy and manage console for the compute edition
  • Prisma Cloud release software
  • Console in Onebox configuration
  • Upgrade on Console
  • Business use case to determine the Prisma Cloud version to use
  • Tenant versus Scale projects

• Deploy and manage Defenders
  • Types
  • Networking for Defender-to-Console connectivity
  • Upgrade and compatibility

• Configure Agentless Security
  • Agent versus Agentless
  • Cloud discovery

• Backup and Restore console
  • Backup management
  • Disaster recovery

• Manage authentication
  • Certificates
  • Secrets and credentials store

• Onboard accounts
  • Onboard cloud accounts
  • Account groups

• Configure access control
  • Users, roles, and permission groups
  • Access control troubleshooting
  • Service accounts and access keys
  • Single Sign On
  • Role-based access control for Docker Engine (CWP)
  • Admission control with Open Policy Agent (CWP)
  • Resource lists and collections

• Configure logging
  • Audit logging
  • Defender logging

• Manage enterprise settings
  • Anomaly settings
  • Idle timeout
  • Auto-enable policies
  • Alert-dismissal reason
  • User attribution
  • Licensing
  • Access key maximum validity

• Configure third-party integrations
  • Inbound and outbound notifications
  • Supported capabilities

• Leverage Cloud and Compute APIs
  • Authenticate with APIs
  • API documentation
  • Policies and custom queries by API
  • Alerts and Reports using APIs
  • Vulnerability results via API
  • Access keys
  • Data security and IAM APIs

• Leverage Adoption Advisor and Alarm Center
  • Notification rule
  • Adoption Advisor guidance

• Access Knowledge Center and Help Center
  • Knowledge Center
  • Help Center
  • Feature requests
  • PCCSE
  • Live Community
  • Product status updates
  • Docs, Prisma Cloud Privacy and Support options

Cloud Network Security and Identity-based Microsegmentation Enterprise Edition

• Configure Cloud network analyzer
  • Network exposure policy
  • RQL

• Deploy and manage enforces
  • Processing units
  • Namespaces
  • Tags and identity
  • Network rulesets
  • Out-of-the box rules
  • Application profiling

• Manage local changes in a remote repository (dev-prod) configuration
  • Types
  • Networking for Enforcers to Console connectivity

• Use NetSecOps dashboard
  • flows

Understanding Prisma Cloud Code Security (PCCS)

• Implement scanning for IAC templates
  • Terraform and Cloudformation scanning configurations
  • OOTB IAC scanning integrations
  • API scanning
  • IAC scanning integration
  • Supply-chain security
  • Handling scanned issues
  • Repository scanning

• Configure policies in Console for IAC scanning
  • OOTB policies
  • Custom build policies
  • Types of config policies
  • Prisma configuration files

• Configure CI policies for Computer scanning
  • Default CI policies
  • Custom CI policies

• Manage configuration settings
  • Code repository settings
  • Notifications
  • Pull Request and Tagging bots

Next, Identity and Access Management (IAM)/Identity and Access Management (IAM)/Prisma Cloud Data Security (PCDS)

• Calculate net effective permissions
  • AWS calculation
  • Azure calculation

• Investigate incidents and create IAM policies
  • RQL queries
  • IAM policies

• Integrate IAM with IdP
  • Azure active directory
  • Okta

• Remediate alerts
  • Manual versus automatic
  • AWS remediation
  • Azure remediation

• Monitor Scan Results
  • Data dashboard
  • Data Inventory
  • Resource Explorer
  • Object Explorer
  • Exposure Evaluation

• Assess Data Policies and Alerts
  • Data policy vs data pattern
  • Alerts

• Define data security scan settings
  • Scan configuration
  • Data profile and pattern
  • File extensions
  • Snippet masking

Preparation Guide: Prisma Certified Cloud Security Engineer (PCCSE)

Before starting to study for any exam, it is crucial to get the right study materials. The effect is that there is a ton of study material available online. By using this study guide, you may better understand and learn the goals of each exam. We give you the best study resources possible to help you ace the test.

Refer to the Exam Guide

It is advised to review and consult the official exam guide prior to each exam. Palo Alto offers approved study materials and an exam guide to ensure that you are well-prepared for the test. It’s time to review the fundamental exam information. As a result, we have prepared a list of exam objectives you can refer to to help with your preparation:

• Cloud Security Posture Management (CSPM) 21%
• Cloud Workload Protection (CWP) 21%
• Install, Upgrade, and Backup / Prisma Cloud 19%
• Cloud Network Security and Identity-Based Microsegmentation Enterprise Edition 11%
• Prisma Cloud Code Security (PCCS) 12%
• Identity and Access Management (IAM) / Prisma Cloud Data Security (PCDS) 16%

Official Palto Alto Training

For the Prisma Certified Cloud Security Engineer (PCCSE) exam, Palto Alto offers training. You will study all the domains and modules necessary for passing the exam with this official training. It is suggested that you put this training into practice in order to pass the test.

Recommended Training

The following instructor-led training sessions, or equivalent online training, are highly advised by Palo Alto Networks.

• Prisma Cloud: Cloud Security Posture Management
• Prisma Cloud: Cloud Network Security
• Prisma Cloud: Cloud Workload Protection
• Prisma Cloud: Cloud Code Security

Join Study groups

Joining study groups is a great way to immerse yourself completely in the certification exam you applied for. These groups will help you stay informed about any current changes or exam updates. Additionally, these clubs include both amateurs and experts. Without concern for criticism, you are allowed to debate the test or ask any questions connected to it. Additionally, you are free to start a discussion about any exam-related issue or question here. If you do this, you will get the best answer to your query possible.

Practice Tests

Applying what you have learned is essential so that you can evaluate your outcomes. You may improve your replying skills via practice, which will help you save a lot of time. Furthermore, since practice exams will operate as a revision aid for you, it is best to start them once you have finished studying for one entire topic. Practice with free sample test questions right away!