PSOE exam domains
The PSOE exam is weighted across 6 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.
| Exam domain | Exam weight | Practice |
|---|---|---|
| Platform operations | 14% | Practice this topic |
| Data management | 14% | Practice this topic |
| Threat hunting | 19% | Practice this topic |
| Detection engineering | 22% | Practice this topic |
| Incident response | 21% | Practice this topic |
| Observability | 10% | Practice this topic |
Sample PSOE questions
A sample of the PSOE questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.
- A security operations team must detect network-based exploitation attempts (e.g., known CVE exploit signatures) targeting workloads communicating acro…View question
- A security operations team currently runs SCC Premium, Cloud IDS on three VPCs, Google SecOps, and GTI Enterprise. Leadership asks the team to justify…View question
- Your organization forwards logs from a niche in-house web application firewall to Google SecOps. The logs arrive successfully, but analysts report tha…View question
- As a Security Operations Engineer, you maintain a coverage dashboard that shows all 4,200 corporate endpoints reporting EDR telemetry into your SIEM.…View question
- Your SOC platform team publishes a weekly 'log source health' dashboard. A recent phishing incident revealed that a critical mail-gateway log source h…View question
- During a quarterly observability review, a SOC engineer notices that the endpoint detection rules covering a critical business unit's Windows fleet fi…View question
- A SOC lead is building a quarterly observability review for the security operations platform. They have a MITRE ATT&CK heatmap showing rule counts per…View question
- A SOC manager reviews the quarterly observability dashboard for the security operations platform. The 'endpoint process execution' log source shows he…View question
- Your SOC tracks endpoint telemetry health across three business units of very different sizes: BU-A has 12,000 hosts, BU-B has 2,500 hosts, and BU-C h…View question
- A security operations engineer is building an observability dashboard to measure the health of telemetry feeding the SIEM. For a critical Windows endp…View question
Key PSOE terms
Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the PSOE exam.
PSOE frequently asked questions
What is the PSOE certification?+
Google positions the Professional Security Operations Engineer as detecting, monitoring, analyzing, investigating, and responding to threats against workloads, endpoints, and infrastructure, proficient in writing detection rules, log ingestion, orchestration, and response automation.
It is built around Google Security Operations (SecOps) and Security Command Center (SCC), and expects experience leveraging posture and threat intelligence for detection and response.
What topics are on the PSOE exam?+
The PSOE exam is organised into six sections. The percentages below are the approximate weights Google publishes in its exam guide. Detection engineering and incident response carry the most weight.
Platform operations (14%)
Covers enhancing detection and response by prioritizing telemetry sources (SCC, Google SecOps, GTI, Cloud IDS), integrating multiple tools into the security architecture, configuring access and roles, and evaluating tool effectiveness and coverage gaps.
Data management (14%)
Covers log ingestion and normalization into Google SecOps, parsers and data pipelines, prioritizing logs, and managing data retention and enrichment with reference and context data.
Threat hunting (19%)
Covers proactive hunting in Google SecOps using UDM search and YARA-L, identifying new or low-prevalence processes, domains, and IPs, and leveraging threat intelligence (GTI) and IOCs for hypothesis-driven hunts.
Detection engineering (22%)
The heaviest section. It covers writing and tuning YARA-L single-event and multi-event detection rules, building rules from threat intelligence and MITRE ATT&CK, reducing false positives, and managing the detection rule lifecycle.
Incident response (21%)
Covers investigating and triaging alerts and cases in Google SecOps and SCC, response automation and orchestration with SOAR playbooks, containment and remediation, and root cause and post-incident activities.
Observability (10%)
The smallest section. It covers monitoring the health and coverage of the security operations platform, metrics, dashboards, and reporting on effectiveness, and identifying gaps in logging, detection coverage, and telemetry.
Is the PSOE hard?+
PSOE is a professional-level exam that expects real detection-engineering skill — writing and tuning YARA-L rules and reasoning about telemetry — on Google’s specific security stack, not vendor-neutral concepts.
The difficulty comes from the depth of Google SecOps and SCC and from scenario questions that hinge on the right detection, hunt, or response action. Practising SecOps-specific scenarios is the key.
How many questions are on the PSOE exam and how long is it?+
Google’s Professional Security Operations Engineer exam presents roughly 50–60 multiple-choice and multiple-select questions to be completed in 120 minutes, delivered online with remote proctoring or at a test center.
Our full-length practice mock uses a 50-question, 120-minute session so you can rehearse pacing under realistic time pressure before test day.
What score do you need to pass the PSOE?+
Google does not publish a numeric passing score for the Professional Security Operations Engineer, and results are reported simply as pass or fail, so treat any specific percentage you see elsewhere as unofficial. Our practice mock uses a 70% threshold as a sensible readiness target — aim to clear it comfortably and consistently before you book.
How much does the PSOE exam cost?+
The Professional Security Operations Engineer exam fee is set by Google — historically around $200 (plus tax), but check the official certification page for current pricing in your region. The certification is valid for two years. Everything on this hub is free.
Who should take the PSOE?+
PSOE is aimed at security operations engineers, detection engineers, and SOC analysts who work in Google Security Operations and Security Command Center.
Google recommends experience writing detection rules, prioritizing and ingesting logs, orchestration, and response automation, plus leveraging posture and threat intelligence, though there is no formal prerequisite.
What jobs and salaries can the PSOE lead to?+
PSOE maps to roles such as security operations engineer, detection engineer, and threat hunter working on Google Cloud, where building detections and responding to threats in Google SecOps is the core of the job.
How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. PSOE is best viewed as validation of Google Cloud security-operations skill rather than a guaranteed raise on its own.
How long does it take to study for the PSOE?+
Candidates with security-operations experience on Google Cloud often need six to ten weeks; those newer to Google SecOps should plan longer. The most efficient path is to study each section while practising in Google SecOps and SCC, drilling YARA-L as you go.
Spend the final stretch on full-length timed mocks, reviewing every explanation — including for questions you answered correctly — because PSOE distractors are usually valid actions that do not best fit the scenario. Use the per-section results here to find your weakest area.
How should you prepare for the PSOE?+
Study the six sections above, giving the most time to detection engineering and incident response, then drill scenario questions section by section. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — essential for an exam that turns on the right detection or response.
When you can answer scenarios comfortably, move to full-length timed mocks, ideally alongside hands-on practice in Google SecOps. Use the glossary to keep the concepts straight, and aim to score consistently above the pass mark before you book.
Can you take the PSOE exam online?+
Yes. Google delivers the Professional Security Operations Engineer both at onsite test centers and online with remote proctoring. The online option requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you throughout.
If you do not pass, Google applies a retake policy with escalating waiting periods between attempts (a 14-day wait after the first attempt, longer after subsequent ones), and each attempt needs its own registration and fee.
What certification should you take after the PSOE?+
After PSOE, common next steps include the Professional Cloud Security Engineer for broader Google Cloud security design, or the Professional Cloud Architect for a wider remit.
For many, the real next step is owning detection and response for a Google Cloud environment. Pairing PSOE with hands-on Google SecOps experience is what turns the certificate into a career.