CyberArk PAM-DEF Exam Questions
CyberArk Defender - PAM (Page 6)

Updated On: 8-May-2026

Which of the following statements are NOT true when enabling PSM recording for a target Windows server? (Choose all that apply)

  A. The PSM software must be installed on the target server
  B. PSM must be enabled in the Master Policy (either directly, or through exception)
  C. PSMConnect must be added as a local user on the target server
  D. RDP must be enabled on the target server

Answer(s): A,C

Explanation:

The following statements are not true when enabling PSM recording for a target Windows server:
A. The PSM software must be installed on the target server. This is not true, because the PSM software is installed on a dedicated server that acts as a proxy between the user and the target server. The PSM server intercepts the user's connection request, initiates the connection to the target server, and records the privileged session. The target server does not need to have the PSM software installed on it.
C. PSMConnect must be added as a local user on the target server. This is not true, because PSMConnect is a predefined user that is created on the PSM server during the installation. This user is used to establish the connection between the PSM server and the target server, and to run the PSM processes. The target server does not need to have a local user named PSMConnect on it.
The following statements are true when enabling PSM recording for a target Windows server:
B. PSM must be enabled in the Master Policy (either directly, or through exception). This is true, because the Master Policy is a centralized overview of the security and compliance policy of privileged accounts in the organization. It allows the administrator to configure compliance-driven rules that are defined as the baseline for the enterprise. One of the rules in the Master Policy is the Session Isolation rule, which determines whether or not privileged sessions are isolated and recorded by PSM. This rule can be enabled either directly in the Master Policy, or through an exception for a specific scope of accounts.
D. RDP must be enabled on the target server. This is true, because RDP is the protocol that is used by PSM to connect to Windows servers. The target server must have RDP enabled and configured properly to allow the PSM server to access it. The PSM server must also have the RDP client installed on it.


Reference:

1: Privileged Session Manager
2: PSMConnect and PSMAdminConnect
3: Session Isolation
4: Configure RDP for PSM



The Password Upload utility can be used to create safes.

  A. TRUE
  B. FALSE

Answer(s): A

Explanation:

The Password Upload utility can be used to create safes, as well as password objects, folders, and platforms. The Password Upload utility works with the CyberArk Password Vault to create password objects from a passwords list and store them in the Vault. This enables you to upload large numbers of passwords automatically and makes the Vault implementation process quicker and more automatic. The Password Upload utility initiates the Vault environment required to store passwords in the safe and start working with them. This includes creating new safes, adding the CPM user as a safe owner, and sharing the safe with the Password Vault Web Access.


Reference:

1: Password Upload Utility



Which CyberArk components or products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts? Select all that apply.

  A. Discovery and Audit (DMA)
  B. Auto Detection (AD)
  C. Export Vault Data (EVD)
  D. On Demand Privileges Manager (OPM)
  E. Accounts Discovery

Answer(s): A,B,E

Explanation:

Discovery and Audit (DMA), Auto Detection (AD), and Accounts Discovery are CyberArk components or products that can be used to discover Windows Services or Scheduled Tasks that use privileged accounts.
Discovery and Audit (DMA) is a tool that scans Windows servers and workstations to identify privileged accounts that are used by Windows Services or Scheduled Tasks. DMA can also generate reports on the usage and risks of these accounts.
Auto Detection (AD) is a feature of the CyberArk Privileged Account Security Solution that automatically detects and onboards privileged accounts that are used by Windows Services or Scheduled Tasks. AD can also monitor and rotate the passwords of these accounts.
Accounts Discovery is a feature of the CyberArk Privileged Account Security Solution that scans the network to discover privileged accounts on various platforms, including Windows. Accounts Discovery can also identify accounts that are used by Windows Services or Scheduled Tasks.


Reference:

Discovery and Audit (DMA) User Guide
Auto Detection Implementation Guide
Accounts Discovery Implementation Guide



A Reconcile Account can be specified in the Master Policy.

  A. TRUE
  B. FALSE

Answer(s): B

Explanation:

A Reconcile Account is not specified in the Master Policy, but in the Platform settings. The Master Policy defines the general password management settings for all the accounts in the Vault, such as the frequency of password rotation and verification. The Platform settings define the specific password management settings for each type of target system, such as the password complexity and the Reconcile Account.


Reference:

Defender PAM course, Module 2: Password Management, Lesson 2: Master Policy and Platforms, slide 8
Defender PAM course, Module 2: Password Management, Lesson 3: Reconcile and Logon Accounts, slide 2
Defender PAM Sample Items Study Guide, Question 37
CyberArk Privileged Access Security Documentation, Password Management - Master Policy
CyberArk Privileged Access Security Documentation, Password Management - Platforms



In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault?

  A. True.
  B. False. Because the user can also enter credentials manually using Secure Connect.
  C. False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSM Connect.
  D. False. Because if credentials are not stored in the vault, the PSM will prompt for credentials.

Answer(s): B

Explanation:

In order to connect to a target device through PSM, the account credentials used for the connection do not necessarily have to be stored in the vault. The user can also enter credentials manually using Secure Connect, which is a feature that enables users to connect to target systems through PSM without storing the account credentials in the vault. Secure Connect allows users to provide their own credentials at the time of connection, and these credentials are not saved or managed by CyberArk. Secure Connect can be used with any connection component that supports PSM, such as RDP, SSH, WinSCP, etc. To use Secure Connect, the user needs to specify the target system address and the connection component ID in the URL, and then enter the credentials in the PSM login screen.
The other options are not correct, because:
A. True. This is not correct, because as explained above, the user can also enter credentials manually using Secure Connect.
C. False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSM Connect. This is not correct, because PSM Connect is a predefined user that is created on the PSM server during the installation. This user is used to establish the connection between the PSM server and the target server, and to run the PSM processes. The PSM Connect user is not used to log into the target device as the end user.
D. False. Because if credentials are not stored in the vault, the PSM will prompt for credentials. This is not correct, because this option is essentially the same as Secure Connect, which is the correct answer.


Reference:

1: Secure Connect
2: PSMConnect and PSMAdminConnect



SAFE Authorizations may be granted to ____________.
Select all that apply.

  A. Vault Users
  B. Vault Group
  C. LDAP Users
  D. LDAP Groups

Answer(s): A,B,C,D

Explanation:

SAFE Authorizations may be granted to Vault Users, Vault Groups, LDAP Users, and LDAP Groups. These are the four types of users that can be defined in the Vault and assigned permissions to access Safes and manage passwords. Vault Users and Vault Groups are created and managed within the Vault, while LDAP Users and LDAP Groups are imported from an external directory service such as Active Directory.


Reference:

Defender PAM Course, Module 4: Managing Safes, Lesson 4.2: Safe Authorizations, slide 4
Defender PAM Sample Items Study Guide, Question 39, page 15
CyberArk Privileged Access Security Documentation, Vault Administration Guide, Chapter 4: Managing Safes, Section: Safe Authorizations, page 4-12



Secure Connect provides the following. Choose all that apply.

  A. PSM connections to target devices that are not managed by CyberArk.
  B. Session Recording
  C. Real-time live session monitoring.
  D. PSM connections from a terminal without the need to login to the PVWA

Answer(s): A,B,C

Explanation:

Secure Connect provides the following features:
A. PSM connections to target devices that are not managed by CyberArk. This is true, because Secure Connect is a feature that enables users to connect to target systems through PSM without storing the account credentials in the vault. Secure Connect allows users to provide their own credentials at the time of connection, and these credentials are not saved or managed by CyberArk. Secure Connect can be used with any connection component that supports PSM, such as RDP, SSH, WinSCP, etc.
B. Session Recording. This is true, because Secure Connect sessions are recorded by PSM and stored in the Vault, just like regular PSM sessions. The recorded sessions can be viewed and audited by authorized users through the PVWA or the PSM web interface.
C. Real-time live session monitoring. This is true, because Secure Connect sessions can be monitored in real-time by authorized users through the PSM web interface. The PSM web interface allows users to view the live session screen, send messages to the session user, pause or terminate the session, and take control of the session if needed.
The following feature is not provided by Secure Connect:
D. PSM connections from a terminal without the need to login to the PVWA. This is false, because Secure Connect requires users to login to the PVWA and initiate the connection from there. The PVWA provides the URL for the Secure Connect session, which contains the target system address and the connection component ID. The user then needs to copy and paste the URL into a browser or a remote connection manager to launch the session.


Reference:

1: Secure Connect
2: Recorded Sessions
3: PSM Web Interface



Which onboarding method would you use to integrate CyberArk with your accounts provisioning process?

  A. Accounts Discovery
  B. Auto Detection
  C. Onboarding RestAPI functions
  D. PTA Rules

Answer(s): C

Explanation:

The Onboarding RestAPI functions are a set of web services that allow you to integrate CyberArk with your accounts provisioning process. You can use the Onboarding RestAPI functions to create, update, delete, or verify accounts in the CyberArk Vault, as well as to retrieve information about accounts, platforms, and safes. The Onboarding RestAPI functions are part of the Central Credential Provider component, which is installed on a dedicated server that communicates with the Vault.


Reference:

[Defender PAM Course], Module 4: Onboarding Accounts, Lesson: Onboarding RestAPI Functions
[Onboarding RestAPI Functions Guide], Introduction


