Prisma Certified Cloud Security Engineer

Here you have the best Palo Alto Networks PCCSE practice exam questions

You have 252 total questions to study from
Each page has 5 questions, making a total of 51 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on October 23, 2025
This site is not affiliated with or endorsed by Palo Alto Networks.

Question 1 of 252

Given a default deployment of Console, a customer needs to identify the alerted compliance checks that are set by default.
Where should the customer navigate in Console?

Monitor > Compliance

Defend > Compliance

Manage > Compliance

Custom > Compliance

Correct Answer: A

To identify the alerted compliance checks in a default deployment of Console, the customer should navigate to Monitor > Compliance. This section is designed to help users monitor and review compliance statuses, including any alerts triggered by compliance checks. Options under 'Monitor' typically provide visibility into ongoing system operations and alerts.

Question 2 of 252

Which container scan is constructed correctly?

twistcli images scan -u api -p api --address https://us-west1.cloud.twistlock.com/us-3-123456789 --container myimage/latest

twistcli images scan --docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/latest

twistcli images scan -u api -p api --address https://us-west1.cloud.twistlock.com/us-3-123456789 --details myimage/latest

twistcli images scan -u api -p api --docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/latest

Correct Answer: C

The correct construction of the 'twistcli images scan' command includes both authentication flags (-u and -p) and the appropriate --address flag with a URL as well as the container image name at the end. The --docker-address flag is used to specify the Docker socket, not a URL. Therefore, the correct command is the one that uses --address to specify the URL and the image name, which matches the syntax of option C.

Question 3 of 252

The development team wants to fail CI jobs where a specific CVE is contained within the image.
How should the development team configure the pipeline or policy to produce this outcome?

Set the specific CVE exception as an option in Jenkins or twistcli.

Set the specific CVE exception as an option in Defender running the scan.

Set the specific CVE exception as an option using the magic string in the Console.

Set the specific CVE exception in Console's CI policy.

Correct Answer: D

To fail CI jobs when a specific CVE is present within the image, the development team should configure the CI policy in the Console. This allows for the creation of rules and conditions that directly target the build process, ensuring that any image containing the specific CVE will fail the CI job.

Question 4 of 252

Which three types of classifications are available in the Data Security module? (Choose three.)

Personally identifiable information

Malicious IP

Compliance standard

Financial information

Malware

Correct Answer: A, D, E

The three types of classifications available in the Data Security module are Personally Identifiable Information, Financial Information, and Malware. These categories encompass sensitive personal data, crucial financial records, and harmful software threats, all of which are critical areas of focus in data security to protect against unauthorized access and malicious activities.

Question 5 of 252

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.
How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

set the Container model to manual relearn and set the default runtime rule to block for process protection.

set the Container model to relearn and set the default runtime rule to prevent for process protection.

add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to ג€preventג€.

choose ג€copy into ruleג€ for the Container, add a ransomWare process into the denied process list, and set the action to ג€blockג€.

Correct Answer: D

To meet the requirement of terminating any container from the image topSecret:latest when the ransomWare process is executed, the administrator should choose the option that ensures the entire container is stopped if the process violates the policy. The correct approach involves adding a ransomWare process to the denied process list and setting the action to 'block', as this action will terminate the entire container, not just the offending process.