Hack The Box Certification

Hack The Box HTB Certified Defensive Security Analyst (HTB CDSA) Practice Test

Prepare for HTB CDSA with free practice tests focused on SOC analysis, SIEM investigation, threat hunting, malware triage, DFIR, and incident reporting. Because the real CDSA exam is a 7-day practical assessment rather than a timed multiple-choice test, each 20-question set uses a focused 30-minute timer for realistic SOC decision-making practice.

20Practice Tests
400Total Questions
15Modules Covered
100%Free Forever

Mixed Set — HTB CDSA Practice Tests

Build exam readiness with mixed question sets covering all 15 HTB CDSA SOC Analyst modules. These tests help you move between SIEM investigation, Windows telemetry, threat hunting, network evidence, malware triage, DFIR, and report-focused scenarios the way a real SOC analyst does.

Domain Wise — HTB CDSA Mock Tests

Target one SOC Analyst module at a time with focused 20-question practice. HTB does not publish official percentage exam weights for CDSA, so each module is treated as an equal study-weight objective while the broader coverage table below groups related modules into practical SOC skill areas.

D1
Incident Handling Process
Preparation, identification, containment, eradication, recovery, lessons learned, escalation, and evidence handling
~6.7% Study Weight Start Test →
D2
Security Monitoring and SIEM Fundamentals
SIEM concepts, log ingestion, alert triage, event correlation, Elastic basics, and SOC monitoring workflow
~6.7% Study Weight Start Test →
D3
Windows Event Logs and Finding Evil
Windows event IDs, Sysmon, ETW, suspicious process activity, lateral movement traces, and credential access indicators
~6.7% Study Weight Start Test →
D4
Introduction to Threat Hunting and Hunting With Elastic
Hypothesis-driven hunting, Elastic and KQL workflows, phishing investigation, CTI enrichment, and behavior-based detection
~6.7% Study Weight Start Test →
D5
Understanding Log Sources and Investigating With Splunk
Splunk search, Windows, Linux, and web logs, source onboarding, field extraction, and investigation pivots
~6.7% Study Weight Start Test →
D6
Windows Attacks and Defense
Active Directory attacks, Kerberos abuse, credential theft, lateral movement, hardening, and defensive detections
~6.7% Study Weight Start Test →
D7
Intro to Network Traffic Analysis
Packets, flows, Wireshark and tcpdump basics, protocol inspection, and network evidence collection
~6.7% Study Weight Start Test →
D8
Intermediate Network Traffic Analysis
Advanced packet analysis, suspicious sessions, command-and-control patterns, tunneling, and multi-source correlation
~6.7% Study Weight Start Test →
D9
Working With IDS and IPS
IDS and IPS architecture, alert tuning, Snort and Suricata-style rules, signatures, false positives, and detection validation
~6.7% Study Weight Start Test →
D10
Introduction to Malware Analysis
Static and dynamic malware triage, hashes, strings, sandbox behavior, persistence clues, and safe analysis workflow
~6.7% Study Weight Start Test →
D11
JavaScript Deobfuscation
Obfuscated script behavior, browser-delivered payloads, decoding, malicious logic, and IOC extraction
~6.7% Study Weight Start Test →
D12
YARA and Sigma for SOC Analysts
Detection engineering, YARA rules, Sigma logic, rule testing, tuning, and portable detection content
~6.7% Study Weight Start Test →
D13
Introduction to Digital Forensics
Disk and memory evidence, timelines, file system artifacts, volatile data, and forensic reporting basics
~6.7% Study Weight Start Test →
D14
Detecting Windows Attacks With Splunk
Splunk detections for AD reconnaissance, password attacks, Kerberos abuse, Windows telemetry, and attack correlation
~6.7% Study Weight Start Test →
D15
Security Incident Reporting
Executive summaries, technical evidence, timelines, IOCs, impact analysis, remediation, and commercial-grade report writing
~6.7% Study Weight Start Test →

About the HTB CDSA Certification Exam

The Hack The Box Certified Defensive Security Analyst exam validates hands-on defensive security ability through practical investigation work rather than a traditional multiple-choice test.

What Is HTB CDSA?

HTB Certified Defensive Security Analyst (HTB CDSA) is a hands-on certification from Hack The Box for candidates who want to prove practical skill in security analysis, SOC operations, and incident handling. It focuses on finding security incidents, correlating evidence from different data sources, using SIEM workflows, and communicating findings through an actionable incident report.

The certification is especially relevant for aspiring SOC analysts, junior security analysts, incident handlers, detection analysts, threat hunters, and DFIR learners who want a practical blue-team credential. In the United States, the broader information security analyst occupation reports a median annual wage of $124,910, although actual compensation varies by country, seniority, employer, tool stack, and hands-on investigation experience.

Exam Format (2026)

Testing method: Browser-based HTB Academy practical lab, accessible through Pwnbox or VPN/local VM.

Questions: Not a fixed multiple-choice question count. Candidates work through practical objectives, submit flags in the exam panel, and document findings.

Duration: 7 days from the time the exam is started.

Question types: SOC investigation tasks, SIEM searches, log analysis, network and endpoint evidence review, IOC extraction, and report writing.

Passing score: No public scaled score. HTB checks the required points or flags and manually reviews the submitted report for quality.

Exam fee: HTB lists the CDSA certification at $490 with 1 voucher; checkout options, subscriptions, taxes, and regional pricing may vary.

Eligibility Requirements

Required path: The related HTB Academy SOC Analyst job-role path must be completed before using an exam voucher.

Experience: HTB does not list a formal degree or years-of-experience requirement, but candidates should be comfortable with SOC workflows and technical investigation.

Recommended knowledge: Web applications, operating systems, networking basics, web and infrastructure attack concepts, and the ability to navigate large volumes of data.

Report requirement: Candidates must submit a professional report in English. CDSA reports are submitted as PDF or ZIP, without a password, and within the stated file-size limit.

Attempts: Each HTB Academy exam voucher includes two attempts. If the first attempt fails, the retake must be started within the allowed feedback window.

HTB CDSA Coverage Areas — 2026 SOC Analyst Path

HTB publishes CDSA coverage through SOC Analyst path modules rather than official exam-weight percentages. The study weights below normalize the 15 modules into practical coverage areas so you can prioritize review without pretending these are official scoring weights.

AreaTopicStudy Weight
Area 1SOC Processes and Methodologies13.3%
Area 2SIEM Operations (ELK/Splunk) and Tactical Analytics20%
Area 3Log Analysis6.7%
Area 4Threat Hunting6.7%
Area 5Active Directory Attack Analysis6.7%
Area 6Network Traffic Analysis20%
Area 7Malware Analysis13.3%
Area 8DFIR Operations13.3%

How Our Practice Tests Are Designed

Practical SOC reasoning — Questions are written to reinforce analyst decision-making: what evidence matters, which pivot comes next, how to interpret telemetry, and how to communicate findings clearly.

Module-aligned mixed sets — Mixed practice tests draw from all 15 CDSA modules, including Splunk, Elastic, Windows event logs, threat hunting, network traffic analysis, IDS/IPS, malware triage, YARA, Sigma, digital forensics, and incident reporting.

Focused practice timer — The real HTB CDSA exam is a 7-day practical lab and does not publish a fixed MCQ question count, so a proportional real-exam timer is not meaningful. Each 20-question practice test uses about 30 minutes, or roughly 1.5 minutes per question, to build disciplined triage speed without misrepresenting the official lab format.

Domain-specific reinforcement — Use domain-wise tests after a mixed set to strengthen weak areas. This is useful when your mistakes cluster around a tool family such as Splunk or Elastic, an evidence type such as Windows logs or packet captures, or an output skill such as incident reporting.

HTB CDSA Exam Preparation Tips

Study Strategy

Complete the path first: Treat the HTB Academy SOC Analyst path as the core preparation resource. The exam expects comfort with the modules, labs, and investigation style.

Practice both SIEM stacks: Build confidence with Splunk search and Elastic/KQL workflows. CDSA-style investigations reward fast pivots across fields, hosts, users, processes, URLs, hashes, and timestamps.

Strengthen Windows and network evidence: Review Sysmon, common Windows event IDs, Active Directory attack traces, packet analysis, IDS/IPS alerts, and protocol behavior so you can correlate endpoint and network clues.

Write as you investigate: Keep clean notes, timestamps, screenshots, IOCs, assumptions, and query history. A strong report is easier when evidence is captured during analysis rather than reconstructed at the end.

Test-Taking Strategy

Read the engagement carefully: The letter of engagement defines scope, objectives, and deliverables. Revisit it often before spending time on an investigation path.

Work from timeline to impact: Build a timeline of initial access, execution, persistence, lateral movement, command-and-control, and actions on objectives. This helps connect isolated alerts into a complete incident story.

Validate before reporting: Avoid overclaiming. Confirm suspicious findings with logs, packet captures, process data, hashes, filenames, user context, or other supporting evidence.

Reserve time for the report: Passing is not only about finding flags. Plan enough time to produce a clear executive summary, technical analysis, timeline, IOCs, impact statement, and remediation guidance.

Frequently Asked Questions

How many questions are on the real HTB CDSA exam?+
The real HTB CDSA exam is not a fixed-question multiple-choice test. It is a 7-day hands-on lab where you investigate security incidents, submit required flags or objectives in the exam panel, and upload a professional incident report.
What is the passing score for the HTB CDSA exam?+
HTB does not publish a 700-style scaled passing score for CDSA. A candidate must gather the needed points or flags and submit a report that meets HTB's quality requirements during manual review.
How long should I study for HTB CDSA?+
Most learners should plan to complete all 15 SOC Analyst path modules first, then spend additional time reviewing weak areas such as Splunk, Elastic, Windows logs, network traffic analysis, malware triage, and incident reporting. Depending on experience, preparation may take several weeks to a few months.
Are these HTB CDSA practice tests free?+
Yes. The HTB CDSA practice tests on Security Practice Test are free to use. They are independent practice resources and are not the official Hack The Box exam.
How are mixed set questions distributed across topics?+
Mixed sets draw from all 15 SOC Analyst modules. Since HTB does not publish official percentage weights, the distribution uses balanced module coverage with extra attention to broad areas such as SIEM operations, network traffic analysis, malware analysis, DFIR, and incident reporting.
Can I retake the HTB CDSA exam if I fail?+
Yes. HTB Academy exam vouchers include two attempts. If you fail the first attempt, you must submit a report to remain eligible for the second attempt, and you have 14 days from receiving feedback to start the retake.
Is HTB CDSA a multiple-choice exam?+
No. HTB CDSA is a practical defensive security assessment. You work in an exam lab, analyze evidence from real-world-style incidents, submit flags or objectives, and produce a commercial-grade incident report.
Do I need work experience or a degree for HTB CDSA?+
HTB does not list a degree or years-of-experience requirement. You need to complete the related SOC Analyst job-role path, have an exam voucher, and be comfortable with SOC operations, logs, SIEM workflows, networking, operating systems, and security incident reporting.

Ready to Test Your HTB CDSA Knowledge?

Start with a mixed set to check your SOC readiness, then use module-wise tests to strengthen the investigation skills that need more practice.

Start HTB CDSA Practice Test 1 →

Authors

  • Security Practice Test Editorial Team

    Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.

  • Sudhanshu Thakur - Reviewer

    Enterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.