SC-200 Study Guide 2026

Everything you need to pass the SC-200 exam in one place: the exam format, every topic to study, real practice questions with explanations, flashcards, and full-length practice tests. Free, no sign-up needed.

📋 SC-200 Exam Format at a Glance

50
Questions
100 min
Time Limit
70.00%
Passing Score

📚 SC-200 Topics to Study (63)

✍️ Sample SC-200 Questions & Answers

1. A vulnerability scan of an AKS cluster reveals that a pod is running as root. Which Microsoft Defender for Containers check would flag this as a misconfiguration?
CIS Kubernetes Benchmark: Containers should not run as root user

Defender for Containers maps to CIS Kubernetes Benchmark controls, and running containers as root violates the control 'Containers should not run as root user (UID 0).'

2. Which MITRE ATT&CK tactic describes an adversary's attempt to avoid detection while maintaining access to a network?
Defense Evasion

Defense Evasion encompasses techniques adversaries use to avoid detection, such as disabling security tools, obfuscating code, or clearing logs.

3. Which Azure Sentinel (Microsoft Sentinel) feature automatically maps detected threats to the MITRE ATT&CK framework?
Analytics rule templates

Analytics rule templates in Microsoft Sentinel include MITRE ATT&CK tactic and technique mappings to help analysts contextualize alerts.

4. An analyst notices a threat indicator in Sentinel with a 'Confidence' value of 45. How should this indicator be treated?
Use it as a low-confidence signal requiring additional corroboration before acting

A confidence value of 45 (out of 100) indicates low confidence, meaning the indicator should be treated as a weak signal that requires additional evidence before taking action.

5. A Logic Apps playbook fails intermittently when querying Microsoft Sentinel. Which best practice reduces transient failures?
Add retry policies to the HTTP or connector actions

Configuring retry policies on connector actions handles transient API errors and improves playbook reliability.

6. Which Microsoft Entra ID report helps identify users who have not completed MFA registration and are at risk under a Conditional Access policy requiring MFA?
MFA registration details report (Authentication methods usage)

The Authentication methods usage and insights report shows MFA registration status per user, identifying gaps before enforcement causes lockouts.

🎯 Free SC-200 Practice Tests

📖 SC-200 Guides & Articles

Your SC-200 Study Path
1. Learn with Flashcards → 2. Drill Practice Tests → 3. Take the Full Exam Simulation