EC-Council · CND
Validates the ability to protect, detect, and respond to network security threats, covering network perimeter protection, endpoint security, firewall and IDS/VPN configuration, network traffic analysis, vulnerability scanning, and incident response.
Questions
562
Duration
240 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Use this CND practice exam to prepare for Certified Network Defender (CND) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 562 questions for EC-Council CND, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The EC-Council Certified Network Defender (CND) is a vendor-neutral, skills-based certification that validates a professional's ability to protect, detect, respond to, and predict network security threats. Exam code 312-38, the certification covers a broad range of network defense disciplines including network perimeter protection, endpoint security across Windows, Linux, mobile, and IoT platforms, firewall and IDS/VPN configuration, network traffic and log analysis, vulnerability scanning, and incident response. The program was updated with a v4 exam blueprint effective April 10, 2024, which introduced new topic segmentation and refreshed domain content while maintaining the same exam format and eligibility criteria.
Built on the cybersecurity education framework established by the National Initiative of Cybersecurity Education (NICE) and mapped to Department of Defense (DoD) work roles for system and network administrators, CND emphasizes real-world, job-task-aligned competencies. The certification spans 20 knowledge domains that collectively address the full lifecycle of enterprise network defense — from administrative governance and compliance to cloud security, wireless security, threat intelligence, and business continuity. It holds accreditation from ANSI, GCHQ, and is approved under the DoD 8570/8140 directive.
CND is designed primarily for network and security professionals who are responsible for the day-to-day protection of enterprise network infrastructure. Core target roles include Network Administrators, Security Administrators, Network Security Engineers, Security Analysts, and Network Defense Technicians. The certification is also relevant to IT professionals transitioning into security-focused roles who already have a foundational understanding of networking.
The program is particularly well-suited for individuals working in environments requiring regulatory compliance or DoD-aligned security frameworks. Those seeking to formalize their hands-on network defense skills with a recognized credential, or professionals aiming to qualify for cybersecurity roles within U.S. government contractors and defense agencies, will find the CND especially applicable.
EC-Council does not impose formal academic prerequisites for the CND exam, but candidates must meet one of two eligibility paths. The first is to complete an official EC-Council-authorized CND training course, after which candidates may sit for the exam without further application. The second path allows candidates to attempt the exam without attending official training, provided they can demonstrate at least two years of work experience in the information security domain. Self-study candidates must submit an eligibility application form along with a non-refundable $100 USD processing fee.
In terms of recommended knowledge, candidates should have a solid understanding of TCP/IP networking fundamentals, familiarity with common network devices and protocols, and basic exposure to operating system administration (Windows and Linux). Prior experience with network monitoring tools, firewall configuration, or security operations will provide a meaningful advantage when preparing for the exam.
The CND certification exam (312-38) consists of 100 multiple-choice questions and must be completed within 4 hours (240 minutes). The exam is delivered through the EC-Council ECC Exam Portal and is available at authorized testing centers as well as via online proctoring. The passing score is set at 70%, though EC-Council notes that cut scores can range from 60% to 85% depending on the specific exam form administered, as each form is independently calibrated by subject matter experts to ensure consistent difficulty across versions.
The exam uses multiple exam forms with varied question banks to maintain exam integrity. There are no unscored pilot questions disclosed. Candidates who do not pass may retake the exam immediately for the second attempt using an ECC Exam Center voucher; a 14-day waiting period is enforced starting from the third attempt onward. The current exam is aligned to the CND v4 blueprint, which became effective on April 10, 2024.
The CND certification qualifies holders for network defense and security operations roles in both private industry and government sectors. Common job titles pursued after earning CND include Network Security Engineer, Security Operations Center (SOC) Analyst, Network Administrator (security-focused), and Information Systems Security Officer (ISSO). The certification satisfies DoD 8570.01-M/DoD 8140 requirements for IAT Level II roles, making it directly applicable for personnel seeking positions with U.S. federal agencies or defense contractors. The average salary for a network security engineer in the United States is approximately $125,000 per year.
Compared to alternatives such as CompTIA Security+ (broader but less network-defense-specific) or the Cisco CyberOps Associate (more SOC-focused), CND occupies a distinct niche in hands-on, defender-oriented network security. It complements offensive certifications like CEH and is often pursued alongside or as a precursor to more advanced credentials such as CISSP or CCNP Security. The certification's ANSI accreditation and GCHQ endorsement give it international recognition beyond the U.S. market.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 562 questions.
Preview — answers shown1. A network security engineer configures iptables on a Linux gateway router to provide internet access for an internal network (192.168.10.0/24) through a single public IP address on interface eth0. The engineer needs to enable outbound traffic while hiding internal IP addresses. Which command should be used? (Select one!)
Explanation
The POSTROUTING chain in the nat table is the correct location for MASQUERADE operations, which modify source addresses of outgoing packets after routing decisions. MASQUERADE dynamically assigns the outgoing interface IP address to outbound packets, ideal for gateways with dynamic IP addresses. PREROUTING is used for DNAT operations on incoming packets before routing. The filter table does not support MASQUERADE targets. The OUTPUT chain only processes locally-generated packets, not forwarded traffic from the internal network.
2. A network security engineer troubleshoots connectivity issues after implementing iptables rules on a Linux gateway. Users report they cannot access external HTTPS websites. The engineer needs to allow established connections while maintaining security. Which iptables rule resolves the issue? (Select one!)
Explanation
The rule iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT allows return traffic for connections initiated from inside the network, enabling stateful filtering. This permits response packets from external HTTPS servers to reach internal clients without opening all inbound HTTPS traffic. The -m state module with ESTABLISHED (bidirectional traffic seen) and RELATED (new connection related to existing) states provides secure stateful inspection. OUTPUT chain controls local process traffic, not forwarded packets. FORWARD chain with sport 443 only allows source port 443 without state tracking. The multiport rule opens inbound connections but doesn't use connection tracking, creating security risks by allowing any external connection to ports 80 and 443.
3. A global e-commerce company experiences a DDoS attack using Memcached amplification reaching 1.2 Tbps targeting their web infrastructure. The security team must implement immediate mitigation while maintaining service availability. Which DDoS defense strategy combination is most effective? (Select two!)
Multiple correct answersExplanation
DDoS scrubbing centers have capacity to absorb and filter terabit-scale attacks, cleaning malicious traffic while passing legitimate requests to origin servers. BCP 38 ingress filtering prevents attackers from spoofing source addresses, mitigating amplification attacks at the network level. Rate limiting individual IPs is ineffective against distributed attacks from thousands of sources. Scaling web servers cannot absorb 1.2 Tbps attacks and wastes resources. Blocking UDP 11211 only helps if your infrastructure uses Memcached, but doesn't stop the amplified traffic already in transit from compromised servers.
4. A security operations center implements SOAR platform to automate incident response workflows. When the NDR solution detects lateral movement indicators, the SOAR platform must automatically create incident tickets, enrich threat intelligence, isolate affected endpoints, and notify the security team. Which SOAR capability enables this automated workflow? (Select one!)
Explanation
Security Orchestration Automation and Response platforms provide security orchestration capabilities that integrate multiple security tools and execute automated playbooks to coordinate responses across the security infrastructure. When integrated with NDR solutions, SOAR can automatically trigger incident creation, threat enrichment, isolation actions, and notifications based on predefined workflows. Manual investigation defeats the automation purpose of SOAR. SIEM provides log aggregation but SOAR adds the orchestration and automation layer. Vulnerability scanning is unrelated to incident response automation.
5. A forensic investigator analyzes a memory dump from a compromised Windows server using Volatility framework. The investigator suspects malicious processes are running and needs to identify processes that are hidden from normal process listing tools. Which two Volatility plugins should be used to detect hidden or terminated processes? (Select two!)
Multiple correct answersExplanation
The pslist plugin enumerates processes by walking the EPROCESS doubly-linked list maintained by the Windows kernel, showing processes that are visible to the operating system. The psscan plugin performs a brute-force scan of physical memory looking for EPROCESS structure signatures, finding processes that may have been unlinked from the active process list by rootkits or have already terminated but remain in memory. Comparing pslist and psscan outputs reveals hidden processes. The pstree plugin displays the same processes as pslist but in tree format showing relationships, not revealing hidden processes. The netscan plugin identifies network connections, not processes. The cmdscan plugin extracts command history, useful for understanding attacker actions but not for detecting hidden processes.
Certified Threat Intelligence Analyst (CTIA)
CTIA · 740 questions
Certified Cybersecurity Technician (CCT)
CCT · 630 questions
Certified Secure Computer User (CSCU)
CSCU · 630 questions
EC-Council Certified Encryption Specialist (ECES)
ECES · 627 questions
Ethical Hacking Essentials (EHE)
EHE · 627 questions
ICS/SCADA Cybersecurity
ICS-SCADA · 627 questions
$17.99
One-time access to this exam