CyberArk PAM-CDE-RECERT Exam Dumps & Practice Test Questions

Question 1:

Your organization is preparing to harden the Privileged Session Manager (PSM) component as part of a CyberArk deployment. Before beginning the hardening process, you’ve identified that a required executable for the PSM Universal Connector must be allowed to run. 

To ensure it functions correctly during and after hardening, which configuration file should you modify?

A. PSMConfigureAppLocker.xml
B. PSMHardening.xml
C. PSMAppConfig.xml
D. PSMConfigureHardening.xml

Correct Answer: A

Explanation:

When securing the Privileged Session Manager (PSM), CyberArk recommends the use of Microsoft AppLocker policies to restrict which executables can run on the system. The file PSMConfigureAppLocker.xml is specifically designed to manage these AppLocker whitelisting rules. If the organization plans to use a custom executable such as the PSM Universal Connector, that executable must be explicitly included in this XML file to ensure it is not blocked.

Let’s analyze the options:

  • A. PSMConfigureAppLocker.xml
    This is the correct file used to configure the AppLocker policy on the PSM machine. Adding your executable path here ensures it is allowed through Microsoft AppLocker during and after system hardening.

  • B. PSMHardening.xml
    This file is used for broader PSM hardening configurations, such as disabling services and applying general OS-level restrictions. However, it does not manage executable whitelisting or AppLocker rules.

  • C. PSMAppConfig.xml
    This file handles the functional configuration of PSM, such as session recording, vault connectivity, and timeouts. It does not control executable access.

  • D. PSMConfigureHardening.xml
    Despite its similar-sounding name, this is not a valid CyberArk configuration file. It is likely a distractor or incorrect naming convention.

Understanding the purpose of PSMConfigureAppLocker.xml is essential when customizing PSM behavior while maintaining a secure and compliant hardening posture.

Question 2:

You are working as a Vault Administrator and need to configure LDAP-based authentication so users can log in to CyberArk using their corporate Active Directory credentials. 

Which administrative permissions are required to successfully perform the LDAP integration and mapping?

A. Audit Users and Add Network Areas
B. Audit Users and Manage Directory Mapping
C. Audit Users and Add/Update Users
D. Audit Users and Activate Users

Correct Answer: B

Explanation:

LDAP integration in CyberArk allows users to authenticate using corporate directory credentials (such as Active Directory), which simplifies identity management and strengthens security through centralized access control. To perform this configuration, administrators must map directory users or groups to corresponding CyberArk roles. The “Manage Directory Mapping” permission is essential for this task.

Let’s break down the permission sets:

  • A. Audit Users and Add Network Areas
    This set relates to network segmentation and monitoring, particularly for configuring PSM trust zones or connection policies, and is not relevant to LDAP integration.

  • B. Audit Users and Manage Directory Mapping
    This is the correct set of permissions. “Manage Directory Mapping” allows the administrator to configure how LDAP users and groups are imported and assigned roles within CyberArk. “Audit Users” is generally required to monitor and track user-related activities, complementing administrative duties.

  • C. Audit Users and Add/Update Users
    These rights apply to manually managing CyberArk users, such as creating local accounts or modifying them, but not to mapping LDAP accounts, which is done through a different mechanism.

  • D. Audit Users and Activate Users
    Account activation is a post-creation process and has no bearing on directory integration or mapping.

Key LDAP Integration Concepts:

  • LDAP integration centralizes identity management.

  • Mapping LDAP groups/users to CyberArk roles ensures they receive appropriate permissions.

  • Without Manage Directory Mapping, LDAP configuration cannot be completed successfully.

Hence, the correct answer is B, as it grants both the necessary auditing visibility and the authority to manage how external users are connected to the CyberArk Vault environment.

Question 3:

To establish secure LDAP communication over SSL (LDAPS) between your CyberArk Vault and an external directory service like Active Directory, which certificate must be installed on the Vault server?

A. The root certificate of the Certificate Authority that signed the LDAP server’s certificate
B. A Certificate Authority-signed SSL certificate for the Vault server
C. A trusted SSL certificate specifically installed on the PVWA server
D. A self-signed SSL certificate generated by the Vault server

Correct Answer: A

Explanation:

When enabling LDAP over SSL (LDAPS) for communication between the CyberArk Vault and an external directory service such as Microsoft Active Directory, the Vault must be able to verify the LDAP server’s certificate. The key to establishing this trust lies in installing the Root Certificate Authority (CA) certificate that issued the LDAP server’s certificate onto the Vault server.

This is crucial because, during the LDAPS handshake, the LDAP server presents its SSL certificate to the Vault. For the Vault to validate and accept this certificate, it must trust the CA that issued it. If the Vault does not recognize the CA, the connection attempt will fail, preventing secure directory queries.

Let’s analyze the options in more detail:

  • Option A (Correct): Installing the root CA certificate that signed the LDAP server’s SSL certificate ensures that the Vault can authenticate the server it is connecting to. This is a mandatory requirement for enabling trusted LDAPS communication.

  • Option B: While installing a CA-signed certificate on the Vault server is recommended for incoming client connections (e.g., from PVWA or CPM), it is not required for outgoing LDAPS communication, where the Vault acts as a client, not a server.

  • Option C: Certificates for the PVWA (Password Vault Web Access) server are only relevant to securing HTTPS sessions with users. They do not affect LDAPS connections between the Vault and LDAP server.

  • Option D: Self-signed certificates are not inherently trusted by other systems unless manually imported and trusted. Using self-signed certificates for production LDAP communications introduces security risks and trust issues and is therefore not recommended.

In conclusion, to enable secure and trusted LDAPS communication, the Vault must trust the LDAP server’s certificate chain, and that begins by installing the root CA certificate that issued the LDAP server’s certificate. This ensures that the Vault can confidently establish a secure connection with the directory service.
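The trust decision described in this explanation can be reproduced offline with openssl. The script below is an added example, not CyberArk tooling or part of the original question set: it builds a throwaway root CA, an unrelated CA and a server certificate, then checks the server certificate against each candidate trust anchor the way an LDAPS client would. All names in it (Demo Directory Root CA, Unrelated CA, ldap.example.test) are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (constructed): which certificate must an LDAPS *client* trust?
# Nothing here touches a real Vault or directory; all names are invented.

# Build a throwaway PKI in directory $1:
#   root.pem  - root CA that issues the LDAP server certificate
#   other.pem - an unrelated CA (stands in for any certificate that is not the issuer)
#   ldap.pem  - LDAP server certificate signed by root.pem
make_demo_pki() {
    dir="$1"
    # Minimal config so the CA certificates carry basicConstraints CA:TRUE
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Root CA that will sign the directory server's certificate
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/demo.cnf" -subj "/CN=Demo Directory Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # A second, unrelated CA
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/demo.cnf" -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null || return 1
    # Server key and certificate signing request
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/demo.cnf" -subj "/CN=ldap.example.test" \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null || return 1
    # Root CA issues the server certificate
    openssl x509 -req -in "$dir/ldap.csr" -days 30 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/ldap.pem" 2>/dev/null || return 1
}

# chain_trusted ANCHOR CERT
# Exit status 0 only if CERT chains to the trust anchor in ANCHOR,
# which is the check the client performs on the certificate the server presents.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {
    tmp="$(mktemp -d)" || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    for anchor in root other; do
        if chain_trusted "$tmp/$anchor.pem" "$tmp/ldap.pem"; then
            echo "client trusts $anchor.pem -> server certificate accepted"
        else
            echo "client trusts $anchor.pem -> server certificate rejected"
        fi
    done
    rm -rf "$tmp"
}

run_demo
```

Only the issuing root CA makes the server certificate verifiable; a certificate from any other authority on the client side does not help, which is why options B, C and D do not satisfy the requirement.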

Question 4:

You are required to create a user in CyberArk who will authenticate using CyberArk’s built-in authentication mechanism (not LDAP or SAML) and access the REST API. 

What is the correct method for creating this type of user?

A. Use the PrivateArk Client to navigate to Administrative Tools > Users and Groups > Create New User
B. Use the PrivateArk Client to go to Directory Mapping and add a new directory integration
C. Use the PVWA web interface to configure LDAP Integration and add a new mapping
D. Use the PVWA web interface to create a new internal user under Users and Groups

Correct Answer: A

Explanation:

When you need to create a CyberArk internal user—a user who will authenticate using CyberArk’s native authentication mechanism (not via LDAP, RADIUS, or SAML)—you must use the PrivateArk Client. These internal users are necessary in many cases, such as automation scripts or when using the CyberArk REST API in environments without external identity providers.

The correct procedure involves launching the PrivateArk Client, accessing the Administrative Tools, and navigating to Users and Groups to manually create a new internal user. During creation, the administrator can assign relevant Vault permissions, group memberships, and API access as required.

Let’s review the options:

  • Option A (Correct): This is the official and correct method to create CyberArk-native users. Only the PrivateArk Client allows full control over internal user creation, including password policy enforcement and user-specific permissions.

  • Option B: Directory Mapping is used to integrate users from external directory services like LDAP. Since this question specifies internal CyberArk authentication (not LDAP or SAML), this method does not apply.

  • Option C: The PVWA web interface supports LDAP mappings, not the creation of CyberArk-native users. This option is therefore irrelevant to the task at hand.

  • Option D: While the PVWA offers some user provisioning features, it does not support the creation of Vault-native accounts. Those must be set up using the PrivateArk Client.

In summary, to provision an internal CyberArk user for REST API access (or any native login scenario), you must use the PrivateArk Client’s administrative tools. This ensures proper user configuration and secure authentication within the CyberArk Vault.

Question 5:

When installing the CyberArk Password Vault Web Access (PVWA) component, which action is mandatory to complete the setup successfully?

A. Configure a DNS record for the PVWA hostname
B. Install an SSL certificate from a trusted Certificate Authority
C. Register the PVWA using a Vault Admin-level account
D. Disable Data Execution Prevention (DEP) on the server hosting PVWA

Correct Answer: C

Explanation:

During the installation of CyberArk’s Password Vault Web Access (PVWA) component, one of the most critical steps is the registration of the PVWA application with the Vault, which must be performed using a Vault Admin-level account. This step establishes the trust and secure communication channel between PVWA and the Vault.

The registration process involves using the Vault Configuration Utility (Vault.ini or equivalent) to point the PVWA to the Vault, followed by authentication using an account that has administrative permissions. Without this linkage, the PVWA will not be able to retrieve data from the Vault, effectively rendering the web interface inoperable.

Let’s examine the other options:

  • Option A: While configuring a DNS name improves usability and is typically recommended for production environments—especially for HTTPS certificate validation—it is not a mandatory requirement. PVWA can operate using a direct IP or hostname.

  • Option B: Installing a CA-signed SSL certificate is advisable for securing communication and avoiding browser warnings, but the setup can initially proceed with a self-signed certificate. Therefore, it is not mandatory for installation.

  • Option C (Correct): This step is essential. The PVWA cannot communicate with the Vault or operate as a functional component unless it is properly registered using a Vault admin account during setup. This step ensures secure authentication and authorization between the components.

  • Option D: There is no requirement to disable Data Execution Prevention (DEP). In fact, CyberArk is designed to work with standard Windows security settings. Disabling DEP is unnecessary unless advised in very rare troubleshooting scenarios.

In conclusion, while DNS configuration and SSL certificates are best practices, the only mandatory step to successfully install PVWA is registering it with the Vault using an admin account. This establishes the backbone of secure communication between the web component and the Vault.

Question 6:

Your company mandates that passwords for all privileged accounts must be changed every 90 days to comply with internal security policies. 

Where in the CyberArk system should you configure this 90-day rotation schedule to ensure it is consistently enforced?

A. Configure the Master Policy to define password rotation rules globally
B. Set up Safe Templates to apply rotation settings to all new Safes
C. Modify the PVWA configuration XML to include password change behavior
D. Define rotation intervals within the Platform configuration for each account type

Correct Answer: D

Explanation:

In CyberArk, the rotation interval for privileged account passwords is controlled within the Platform settings for each type of account. These Platform settings define how CyberArk manages accounts belonging to different systems, such as Windows, Linux, Oracle, databases, or network devices. Configuring password management properties at the Platform level allows organizations to tailor security policies—like password rotation frequency—on a per-platform basis, which provides both flexibility and precision.

For example, if your security policy requires passwords to be rotated every 90 days, this specific interval must be configured in the Platform associated with each account type. Within the Platform settings, you can define how often CyberArk should automatically initiate password changes, how password complexity is enforced, and what verification mechanisms should be used after rotation.

Let’s evaluate the answer options in detail:

  • A. Master Policy:
    The Master Policy governs high-level security behaviors and determines whether password management (like automatic rotation, reconciliation, and verification) is enabled. However, it does not specify rotation frequency. It simply ensures that certain rules must be followed, but those detailed rules are configured elsewhere—specifically, in the Platform settings.

  • B. Safe Templates:
    Safe Templates are used to streamline the creation of Safes and may include preset permissions and audit settings. However, they do not dictate account-specific management behaviors, such as password rotation intervals. These templates are helpful for consistency in Safe structure but do not control platform-level settings.

  • C. PVWA configuration XML file:
    The PVWAConfig.xml file configures settings related to the Password Vault Web Access (PVWA) interface, such as UI behavior, timeout values, session options, and integration endpoints. It does not manage security policies or platform-level settings related to password changes.

  • D. Platform Configuration:
    This is the correct location to configure password rotation schedules. Platform settings are account-type specific and include detailed configuration for password rotation frequency, complexity policies, allowed password characters, and more. Modifying this setting ensures that all accounts governed by the platform rotate passwords every 90 days, as required by your policy.

In summary, for precise control over how and when passwords are rotated for different account types, CyberArk relies on Platform configurations. This approach ensures compliance with security policies while allowing for detailed customization based on system type and risk level.

Question 7:

While using the CyberArk Password Vault Web Access (PVWA) interface to create a "Privileged Accounts Inventory" report for a specific Safe, which permission set must the user possess to ensure the report includes all necessary and accurate account data?

A. The user needs "List Accounts" and "View Safe Members" rights.
B. The user must have the "Manage Safe Owners" permission.
C. The user must be granted both "List Accounts" and "Access Safe without Confirmation" permissions.
D. The user requires "Manage Safe" and "View Audit" permissions.

Correct Answer: C

Explanation:

In CyberArk, the "Privileged Accounts Inventory" report is a powerful tool used to extract detailed information about all accounts housed within a specific Safe. This report provides critical metadata, including account names, platforms, statuses, last password changes, and policy associations. However, in order to generate a complete and accurate report, the user must possess specific Safe-level permissions that allow both visibility and unrestricted access to the account records.

The two essential permissions required for this functionality are:

  1. List Accounts – This permission allows the user to view the list of account entries in the Safe. Without it, the user won’t even see which accounts exist, let alone any details about them.

  2. Access Safe without Confirmation – This allows the user to access account information without triggering a manual approval process. If this permission is not granted, certain account details will be hidden or inaccessible, especially if the Safe has confirmation workflows enabled.

These two permissions together ensure that the report will display complete and accurate information. Without either, the resulting report might be incomplete or even entirely blank, defeating its purpose.

Let’s review the incorrect options:

  • Option A: "List Accounts" is necessary, but "View Safe Members" only allows a user to see who else has access to the Safe. It does not grant the ability to retrieve account-level data.

  • Option B: "Manage Safe Owners" is a high-level administrative right that allows changing Safe ownership, but it does not inherently include visibility into account details for reporting purposes. It’s too elevated and not aligned with the principle of least privilege.

  • Option D: "Manage Safe" allows users to modify Safe settings, while "View Audit" enables access to activity logs and audit records. Although useful for administrative and monitoring purposes, neither is directly involved in granting access to account inventories.

The correct and minimal set of permissions needed for generating a detailed "Privileged Accounts Inventory" report is "List Accounts" and "Access Safe without Confirmation". These ensure the user can both view the account list and access detailed data without approval barriers. This permission model supports secure visibility while adhering to the principle of least privilege, enabling reporting without granting unnecessary administrative powers.

Question 8:

Which two practices are essential for protecting privileged accounts when utilizing CyberArk’s Privileged Access Management platform?

A. Regularly rotate passwords for privileged accounts
B. Enable manual password handling for operational flexibility
C. Implement multi-factor authentication (MFA) for access
D. Store privileged credentials in unencrypted (plaintext) format
E. Provide universal access to all privileged accounts for convenience

Correct Answers: A, C

Explanation:

CyberArk's Privileged Access Management (PAM) system is specifically designed to secure and control access to highly sensitive privileged accounts across enterprise environments. These accounts, if left vulnerable, can provide attackers with unfettered access to critical systems. Two cornerstone best practices when securing privileged accounts with CyberArk include automated password rotation and the enforcement of multi-factor authentication (MFA).

Option A — implementing regular password rotation — is a fundamental defense strategy. Static credentials pose a high risk as they can be stolen, reused, or shared without detection. CyberArk automates this process by rotating passwords at predefined intervals or even after each use. This significantly reduces the attack window and helps organizations meet compliance mandates such as PCI DSS and SOX. Automated rotation ensures that passwords are never reused or exposed for extended periods, thus minimizing the risk of lateral movement by threat actors within the network.

Option C — enabling MFA — enhances the security posture by introducing a second layer of authentication. Even if a password is compromised (through phishing, for instance), the attacker would still require a secondary factor (such as a mobile device, token, or biometric) to gain access. CyberArk supports integration with common MFA solutions, making it easier for organizations to enforce this added protection without disrupting user experience. This is critical in high-risk environments where privileged access could result in data breaches or compliance failures.

The incorrect options, by contrast, illustrate poor security practices:

  • Option B promotes manual password management, which introduces inconsistencies, human error, and lack of auditability — defeating the core benefits of a PAM solution.

  • Option D suggests storing passwords in plaintext, which is a major vulnerability. CyberArk uses encrypted digital vaults to ensure credentials are secured at rest and in transit.

  • Option E violates the principle of least privilege, which dictates users should have access only to the resources necessary for their roles.

In conclusion, automated password rotation and MFA integration are key CyberArk best practices that greatly enhance privileged account security, reduce insider and outsider threat risks, and support regulatory compliance.

Question 9:

Which two components of CyberArk’s Privileged Access Security (PAS) solution are responsible for monitoring and recording privileged user sessions?

A. Privileged Session Manager (PSM)
B. CyberArk Vault
C. Central Policy Manager (CPM)
D. Identity Manager
E. Privileged Threat Analytics (PTA)

Correct Answers: A, E

Explanation:

In CyberArk’s Privileged Access Security (PAS) architecture, monitoring and recording of privileged sessions are critical features that ensure visibility, compliance, and threat detection. Two components play vital roles in this capability: Privileged Session Manager (PSM) and Privileged Threat Analytics (PTA).

Option A, the Privileged Session Manager (PSM), is the primary tool for recording and managing privileged sessions. It acts as a secure proxy that brokers user connections to target systems — such as databases, servers, or network devices — without revealing the actual credentials. PSM records the entire session in video format, including every action taken, command executed, and file accessed. These recordings are crucial for forensic analysis, internal audits, and regulatory compliance.

PSM also offers real-time session control, such as the ability to block risky activities (e.g., clipboard usage, file transfers) or terminate suspicious sessions instantly. Importantly, it removes the need for direct access to passwords, ensuring that users can access systems securely without ever seeing the credentials.

Option E, the Privileged Threat Analytics (PTA) component, adds a behavioral analytics layer. While it doesn’t record sessions like PSM, PTA monitors patterns and detects anomalies in privileged user behavior. By analyzing metadata from PSM and other logs, PTA identifies suspicious activities — such as accessing systems at odd hours, executing unusual commands, or deviating from normal behavior profiles. These insights help security teams proactively detect insider threats and compromised accounts.

The remaining options, though important in other contexts, do not support session monitoring:

  • Option B, the CyberArk Vault, secures credentials and secrets but has no session tracking capability.

  • Option C, the Central Policy Manager (CPM), handles automated credential rotation and policy enforcement, not session oversight.

  • Option D, the Identity Manager, handles identity lifecycle and access governance, not direct session recording or behavioral monitoring.

In summary, PSM provides full session recording and control, while PTA delivers threat analytics and anomaly detection, making them the cornerstone tools for monitoring privileged access in CyberArk’s PAM ecosystem.

Question 10:

What is the primary function of the Central Policy Manager (CPM) in a CyberArk Privileged Access Management (PAM) solution?

A. It handles user authentication and authorization through the vault.
B. It rotates and manages privileged account passwords according to defined policies.
C. It enables session recording and monitoring for all privileged activities.
D. It provides secure, browser-based access to remote devices without exposing credentials.

Correct Answer: B

Explanation:

The Central Policy Manager (CPM) is one of the core components of the CyberArk Privileged Access Management suite. Its primary role is to automate the management and rotation of privileged account passwords, which is essential for reducing the risk of credential misuse and ensuring regulatory compliance.

When an organization defines password rotation rules—such as complexity requirements, rotation frequency, and post-use reset conditions—CPM enforces these policies across various platforms, including Windows, UNIX/Linux, databases, and network devices. This automation ensures that credentials are not reused, shared, or left static, which significantly reduces the attack surface for threat actors.

CPM interacts directly with the CyberArk Digital Vault, where the credentials are securely stored. When a password is due for change, CPM retrieves the current password from the vault, connects to the target system using a secure method, changes the password according to policy, and then updates the vault with the new credential. This entire cycle is logged and auditable, helping organizations maintain visibility and meet compliance standards such as PCI DSS, HIPAA, and NIST.

Let’s consider why the other options are incorrect:

  • A describes the Vault's function, especially in tandem with LDAP or RADIUS integrations—not CPM’s job.

  • C is the responsibility of the Privileged Session Manager (PSM), which provides session isolation and recording.

  • D refers to PSM for Web (PSM-W) or Remote Access (RA) capabilities, which provide secure access without exposing passwords.

In summary, the CPM is the password management engine in the CyberArk architecture. It’s essential for maintaining credential hygiene, enforcing least privilege, and enabling automated security controls around privileged identities.
