CCD Cheat Sheet 2026

The 30 highest-yield CCD facts, distilled from real exam questions. Print it, save it as a PDF, or study it here β€” free, no sign-up.

  1. What does 'TTP' stand for in the context of threat intelligence? β†’ Tactics, Techniques, and Procedures
  2. What should be the response when a security event is detected? β†’ Investigate and take action
  3. Which STIX/TAXII concept is used to share threat intelligence between organizations in a standardized format? β†’ TAXII as transport protocol and STIX as data format
  4. Which team handles alerts and threat mitigation in real-time? β†’ Security Operations Center (SOC)
  5. Which ATT&CK tactic involves an adversary trying to avoid detection by security controls? β†’ Defense Evasion
  6. What does the 'Diamond Model' of intrusion analysis primarily focus on? β†’ Relationships between adversary, capability, infrastructure, and victim
  7. Which standard of practice is MOST important for ensuring quality in Vulnerability Assessment & Management? β†’ Following evidence-based protocols while adapting to specific circumstances
  8. Which type of account typically has elevated privileges and is used to run automated processes or services? β†’ Service account
  9. Why is continuous monitoring essential in cybersecurity? β†’ To detect and respond to threats in real time
  10. Which standard of practice is MOST important for ensuring quality in Incident Response & Handling? β†’ Following evidence-based protocols while adapting to specific circumstances
  11. What is 'write blocking' in the context of digital forensics? β†’ Using hardware or software to prevent any writes to the evidence drive during acquisition
  12. Which file system artifact in Windows records metadata about files including creation, modification, and access times? β†’ Master File Table (MFT)
  13. In Endpoint Protection & Hardening, what is the FIRST step a CCD professional should take when encountering a new case or situation? β†’ Conduct a comprehensive assessment and gather all relevant information
  14. Which of the following best describes a VPN? β†’ A secure connection over a public network.
  15. What is the purpose of a security information and event management (SIEM) system? β†’ Monitor and analyze security data in real time.
  16. What is alert fatigue in security operations? β†’ Analysts ignore important alerts
  17. What is the PRIMARY purpose of continuing education requirements in Intrusion Detection & Prevention for CCD professionals? β†’ Maintaining current knowledge and competency as the field evolves
  18. Which Windows Registry hive contains information about recently run programs, USB device history, and user activity? β†’ NTUSER.DAT (user-specific hive) and SYSTEM hive
  19. In Incident Response & Handling, what is the FIRST step a CCD professional should take when encountering a new case or situation? β†’ Conduct a comprehensive assessment and gather all relevant information
  20. Which metric represents the average time taken to detect a security incident? β†’ MTTD
  21. What is the PRIMARY purpose of continuing education requirements in Incident Response & Handling for CCD professionals? β†’ Maintaining current knowledge and competency as the field evolves
  22. What is the primary goal of containment during incident response? β†’ To stop the incident from spreading.
  23. What is Role-Based Access Control (RBAC)? β†’ Granting users permissions based on their assigned organizational roles
  24. What is a 'hypothesis-driven' threat hunt? β†’ Starting a hunt based on an assumed adversary behavior or TTP
  25. Which standard of practice is MOST important for ensuring quality in Log Analysis & Forensics? β†’ Following evidence-based protocols while adapting to specific circumstances
  26. Which protocol is commonly used to securely access a remote system? β†’ SSH
  27. When a conflict arises between standard procedures and a unique situation in Log Analysis & Forensics, what should a CCD professional prioritize? β†’ Safety and ethical obligations while seeking expert consultation
  28. Which method enhances security by verifying a user’s identity with more than one factor? β†’ Multi-factor authentication
  29. During forensic analysis of a Linux system, which file contains a history of commands entered by users in the bash shell? β†’ ~/.bash_history
  30. What should be done immediately after detecting a confirmed breach? β†’ Alert the incident response team.