EC-Council · ECDE
Validates the ability to integrate security practices into DevOps pipelines and continuous delivery workflows, covering DevSecOps culture, threat modeling, secure code review, automated security testing, container security, and security monitoring throughout the software development lifecycle.
Questions
609
Duration
240 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Use this ECDE practice exam to prepare for Certified DevSecOps Engineer (ECDE) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 609 questions for EC-Council ECDE, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The EC-Council Certified DevSecOps Engineer (E|CDE), exam code 312-97, is a comprehensive certification that validates a professional's ability to embed security practices across the entire DevOps pipeline. The program covers all eight stages of the DevOps lifecycle — from planning and coding through building, testing, releasing, deploying, operating, and monitoring — ensuring that security is treated as a shared, continuous responsibility rather than an afterthought. Candidates learn to apply threat modeling, secure coding guidelines, static and dynamic application security testing (SAST/DAST), infrastructure as code (IaC) security, container security, and runtime monitoring using industry tools such as SonarQube, Snyk, Checkmarx, Jenkins, Terraform, and Docker Bench.
The certification is notably hands-on, featuring over 80 guided lab exercises delivered in virtual environments spanning Amazon Web Services (AWS), Microsoft Azure, and on-premises platforms. This dual focus on theoretical DevSecOps principles and practical tool-based implementation distinguishes E|CDE from more conceptual security credentials, making it one of the most lab-intensive DevSecOps certifications available. The program has been updated to incorporate AI-powered security tooling and cloud-native security patterns relevant to modern CI/CD workflows.
The E|CDE is designed for mid-career technology professionals who work at the intersection of software development, operations, and security. Primary target roles include DevOps engineers looking to formalize their security knowledge, application security specialists transitioning into DevSecOps, software engineers and QA testers responsible for secure delivery pipelines, and cybersecurity engineers or analysts who need to integrate security tooling into CI/CD workflows. Professionals holding EC-Council's Certified Application Security Engineer (CASE) credential or similar AppSec certifications will find E|CDE a natural progression.
EC-Council recommends candidates have at least two years of experience in information security, along with familiarity with SDLC concepts, automation tools, and scripting languages such as Python or PowerShell. The certification suits professionals targeting specialized roles such as DevSecOps Engineer, Cloud DevSecOps Engineer, AWS/Azure DevSecOps Engineer, or CI/CD Security Engineer.
EC-Council requires applicants who wish to sit for the exam without attending official training to have a minimum of two years of work experience in the information security domain and to submit an eligibility application with a non-refundable fee of USD $100. Candidates who complete an authorized EC-Council training course have the application fee included and gain direct exam eligibility upon course completion.
While there are no mandatory prerequisite certifications, candidates are strongly advised to arrive with a working understanding of application security concepts, the Software Development Lifecycle (SDLC), and CI/CD pipeline fundamentals. Familiarity with at least one cloud platform (AWS or Azure), containerization concepts (Docker, Kubernetes), and basic scripting will allow candidates to make full use of the lab-heavy curriculum and perform well on exam questions focused on practical tool configuration and pipeline integration.
The E|CDE exam (code 312-97) consists of 100 multiple-choice questions and must be completed within 240 minutes (4 hours). The exam is closed-book and is delivered exclusively through the ECC Exam Centre portal; it is not available at third-party proctoring sites. A passing score of 70% (70 out of 100 correct) is required. The exam fee is USD $550, and the voucher is valid for one year from the date of receipt.
There are no published unscored or survey questions. Upon passing, certified professionals are enrolled in EC-Council's Continuing Education Scheme and must pay an annual maintenance fee of USD $80 to keep the credential active.
Holding the E|CDE credential positions professionals for high-demand roles in the DevSecOps specialty, which sits at the convergence of software engineering, cloud operations, and cybersecurity — a skills combination that remains scarce in the market. Certified professionals typically pursue titles such as DevSecOps Engineer, Cloud DevSecOps Engineer (AWS or Azure-focused), Infrastructure DevSecOps Engineer, or DevSecOps CI/CD Specialist. According to EC-Council's published data, the average annual salary for a DevSecOps engineer in the United States is approximately USD $139,479, with entry-level positions starting around USD $118,733 and experienced practitioners earning upward of USD $172,500.
Compared to broader security credentials such as CompTIA Security+ or even CEH, E|CDE is deliberately narrow and applied, making it a strong differentiator for professionals who want to demonstrate pipeline-specific security engineering skills to employers adopting DevSecOps practices. The certification's hands-on lab focus on both AWS and Azure cloud environments also complements cloud platform certifications and makes the credential appealing to organizations undergoing cloud-native transformation. Annual continuing education requirements ensure the credential stays current as the tooling landscape evolves.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 609 questions.
Preview — answers shown1. A DevSecOps team implements continuous security scanning for a Node.js application using npm dependencies. The CI/CD pipeline must detect vulnerabilities in direct and transitive dependencies, generate a Software Bill of Materials in CycloneDX format, and fail builds when high-severity CVEs are detected. Which tool integration should be prioritized? (Select one!)
Explanation
Snyk is purpose-built for Node.js dependency scanning, detecting vulnerabilities in both direct and transitive dependencies through analysis of package.json and package-lock.json. The snyk test command fails builds based on severity thresholds, while snyk monitor sends dependency snapshots for continuous monitoring and alerts on new vulnerabilities. Snyk natively generates CycloneDX SBOMs. npm audit is built into npm but has limited reporting capabilities and does not generate CycloneDX SBOMs. Trivy filesystem scanning can detect some dependency vulnerabilities but is primarily designed for container image scanning. OWASP Dependency-Check with Maven plugin is designed for Java projects, not Node.js npm ecosystems.
2. A DevOps team migrates from Jenkins to AWS and needs to implement a complete CI/CD pipeline with integrated security scanning. The pipeline must support automated builds, security testing, artifact storage, and blue-green deployments. Which AWS service combination correctly implements this pipeline architecture? (Select one!)
Explanation
AWS CodePipeline provides native CI/CD orchestration connecting all pipeline stages. CodeBuild handles compilation, testing, and can integrate security scanning tools like SAST and SCA. S3 serves as the artifact repository for CodePipeline, storing build outputs between stages. CodeDeploy specifically supports blue-green deployment strategies for EC2, Lambda, and ECS. Artifact Registry is a GCP service, not AWS. While Lambda can perform builds, CodeBuild is the purpose-built AWS service for CI/CD build automation. ECR stores container images but isn't the general artifact storage for CodePipeline. CodeBuild cannot orchestrate multi-stage pipelines. DynamoDB is a database, not an artifact storage service for CI/CD pipelines.
3. A DevOps team implements GitLab CI/CD security scanning using built-in templates. The pipeline must include SAST, dependency scanning, secret detection, and container scanning for a Node.js application deployed as a Docker container. Which GitLab CI configuration includes all required security templates? (Select one!)
Explanation
Comprehensive security scanning for containerized applications requires SAST for code analysis, Dependency-Scanning for vulnerable dependencies, Secret-Detection for exposed credentials, and Container-Scanning for Docker image vulnerabilities. These four templates cover static analysis, software composition analysis, secret management, and runtime security. DAST and License-Scanning are useful but not part of the core requirement. SAST and DAST alone miss dependency and container vulnerabilities. Code-Quality focuses on code maintainability rather than security vulnerabilities.
4. A company implements AWS WAF to protect their web application from common attacks. They need to configure security rules that block SQL injection attacks, XSS attempts, and requests from specific geographic locations known for malicious activity. They want to use AWS managed rule groups to minimize operational overhead. Which AWS WAF configuration approach should they use? (Select one!)
Explanation
AWS Managed Rules provide pre-configured rule groups including the Core Rule Set which protects against OWASP Top 10 vulnerabilities including SQL injection and XSS. Geographic restriction rules can be added to block traffic from specific countries. This approach minimizes operational overhead by using managed rules instead of custom patterns. Creating custom regex patterns requires more maintenance and expertise. AWS Shield Advanced protects against DDoS attacks, not application-layer attacks like SQLi and XSS. CloudFront signed URLs control access to content but do not protect against injection attacks.
5. A security operations team implements SIEM integration for a DevSecOps pipeline. Security scan results from SAST, DAST, SCA, and container scanning tools must be aggregated, correlated with runtime security events, and analyzed for patterns indicating potential breaches. Which output format standardization should be implemented for tool integration? (Select one!)
Explanation
SARIF is an OASIS standard specifically designed for static analysis tool output standardization, supported by major security tools including CodeQL, Semgrep, Trivy, and ZAP. SARIF provides a unified JSON schema for representing vulnerabilities, code locations, severity, remediation guidance, and tool metadata, enabling consistent ingestion into SIEMs and security dashboards regardless of source tool. CVSS provides severity scoring but not a complete output format for vulnerability details and code locations. CycloneDX is an SBOM format for component inventory and dependencies but not optimized for representing security scan findings with code locations and remediation steps. STIX/TAXII are threat intelligence sharing protocols for indicators of compromise, not application security scan results.
Certified Threat Intelligence Analyst (CTIA)
CTIA · 740 questions
Certified Cybersecurity Technician (CCT)
CCT · 630 questions
Certified Secure Computer User (CSCU)
CSCU · 630 questions
EC-Council Certified Encryption Specialist (ECES)
ECES · 627 questions
Ethical Hacking Essentials (EHE)
EHE · 627 questions
ICS/SCADA Cybersecurity
ICS-SCADA · 627 questions
$17.99
One-time access to this exam