AssociateVendor-specificCrowdStrike· issued from US

CrowdStrike CCFA

CrowdStrike Certified Falcon Administrator

Day-to-day administration of the market-leading EDR platform — sensor deployment, policy authoring, and detection triage in Falcon.

Official page at CrowdStrike ↔ Compare with another cert

Exam fee

$250

Ongoing

$0/yr AMF

Study time

40–80 hrs

Delivery

Online proctored

Validity

2 yrs (renewal cycle)

› Quality score

22.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

Vendor blueprint scoped tightly to the current Falcon release. Clear, narrow.

6.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

Pure MCQ; CrowdStrike University training includes hands-on labs that aren't graded.

1.0/10

Currency & upkeep

How aggressively content is kept current with the field.

Falcon platform releases monthly — exam content tracks the platform aggressively.

8.0/10

Market recognition

How often this signal actually moves a hiring decision.

Common requirement on EDR-focused SOC and IR roles in CrowdStrike shops, which now span much of the F500. [Holders: vendor doesn't publish]

6.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

20,000

as of 2024-12 · source

CrowdStrike does not publish certified-holder counts; estimate from partner-channel signals.

› Built for these roles

EDR AdministratorSOC Analyst (CrowdStrike-track)Endpoint Security Engineer

› Exam format

Multiple-choice exam, ~60 questions, 90 minutes, English. Online proctored. Covers Falcon console navigation, prevention/detection policies, host management, and basic IR workflow.

› Recertification

Credential is valid for two years; renewal requires passing the current exam version.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-005PD-WRL-008

Recognition

GlobalUSEUUKAPAC

Exam languages

› Core domains covered

The 3 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A10Security Operations

SOC operations, SIEM tuning, SOAR playbooks, alert triage, log analysis, runbook development.

A7Incident Response & Forensics

IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A8Threat Intelligence

CTI lifecycle, MITRE ATT&CK, IOCs/TTPs, threat modeling (STRIDE, PASTA), STIX/TAXII.

B1AI-Powered Threat Detection

ML-based anomaly detection, UEBA, network traffic analysis, deep learning for malware.

› Prerequisites

Experience

Hands-on access to a Falcon tenant. CrowdStrike University foundations course strongly recommended.

Knowledge assumed

Falcon console and policy model
EDR detection and prevention concepts
Windows / macOS / Linux endpoint basics

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications