Prisma Certified Cloud Security Engineer

Here you have the best Palo Alto Networks PCCSE practice exam questions

You have 252 total questions across 51 pages (5 per page)
These questions were last updated on February 5, 2026
This site is not affiliated with or endorsed by Palo Alto Networks.

Question 1 of 252

Given a default deployment of Console, a customer needs to identify the alerted compliance checks that are set by default.
Where should the customer navigate in Console?

A.

Monitor > Compliance

B.

Defend > Compliance

C.

Manage > Compliance

D.

Custom > Compliance

Suggested Answer: A

To identify the alerted compliance checks in a default deployment of Console, the customer should navigate to Monitor > Compliance. This section is designed to help users monitor and review compliance statuses, including any alerts triggered by compliance checks. Options under 'Monitor' typically provide visibility into ongoing system operations and alerts.

Community votes

No votes yet

Question 2 of 252

Which container scan is constructed correctly?

A.

twistcli images scan -u api -p api --address https://us-west1.cloud.twistlock.com/us-3-123456789 --container myimage/latest

B.

twistcli images scan --docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/latest

C.

twistcli images scan -u api -p api --address https://us-west1.cloud.twistlock.com/us-3-123456789 --details myimage/latest

D.

twistcli images scan -u api -p api --docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/latest

Suggested Answer: C

The correct construction of the 'twistcli images scan' command includes both authentication flags (-u and -p) and the appropriate --address flag with a URL as well as the container image name at the end. The --docker-address flag is used to specify the Docker socket, not a URL. Therefore, the correct command is the one that uses --address to specify the URL and the image name, which matches the syntax of option C.

Community votes

No votes yet

Question 3 of 252

The development team wants to fail CI jobs where a specific CVE is contained within the image.
How should the development team configure the pipeline or policy to produce this outcome?

A.

Set the specific CVE exception as an option in Jenkins or twistcli.

B.

Set the specific CVE exception as an option in Defender running the scan.

C.

Set the specific CVE exception as an option using the magic string in the Console.

D.

Set the specific CVE exception in Console's CI policy.

Suggested Answer: D

To fail CI jobs when a specific CVE is present within the image, the development team should configure the CI policy in the Console. This allows for the creation of rules and conditions that directly target the build process, ensuring that any image containing the specific CVE will fail the CI job.

Community votes

No votes yet

Question 4 of 252

Which three types of classifications are available in the Data Security module? (Choose three.)

A.

Personally identifiable information

B.

Malicious IP

C.

Compliance standard

D.

Financial information

E.

Malware

Suggested Answer: A, D, E

The three types of classifications available in the Data Security module are Personally Identifiable Information, Financial Information, and Malware. These categories encompass sensitive personal data, crucial financial records, and harmful software threats, all of which are critical areas of focus in data security to protect against unauthorized access and malicious activities.

Community votes

No votes yet

Question 5 of 252

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.
How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A.

set the Container model to manual relearn and set the default runtime rule to block for process protection.

B.

set the Container model to relearn and set the default runtime rule to prevent for process protection.

C.

add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to ג€preventג€.

D.

choose ג€copy into ruleג€ for the Container, add a ransomWare process into the denied process list, and set the action to ג€blockג€.

Suggested Answer: D

To meet the requirement of terminating any container from the image topSecret:latest when the ransomWare process is executed, the administrator should choose the option that ensures the entire container is stopped if the process violates the policy. The correct approach involves adding a ransomWare process to the denied process list and setting the action to 'block', as this action will terminate the entire container, not just the offending process.

Community votes

No votes yet

About the Palo Alto Networks PCCSE Certification Exam

About the Exam

The Palo Alto Networks PCCSE (Prisma Certified Cloud Security Engineer) validates your knowledge and skills. Passing demonstrates proficiency and can boost your career prospects in the field.

How to Prepare

Work through all 252 practice questions across 51 pages. Focus on understanding the reasoning behind each answer rather than memorizing responses to be ready for any variation on the real exam.

Why Practice Exams?

Practice exams help you familiarize yourself with the question format, manage your time, and reduce anxiety on the test day. Our PCCSE questions are regularly updated to reflect the latest exam objectives.