Google Cloud · Professional

Professional Security Operations Engineer (PSOE) practice exam & study guide

The Google Professional Security Operations Engineer (PSOE) is Google Cloud’s professional certification for security operations. It validates the ability to run platform operations, manage data, hunt threats, engineer detections, respond to incidents, and maintain observability using Google Security Operations (SecOps) and Security Command Center (SCC).

PSOE is a professional, scenario-driven exam centered on Google SecOps and SCC. Questions test how you detect, hunt, and respond to threats using Google Cloud’s security tooling, including writing detection rules.

This free hub gives you everything you need to prepare: a syllabus breakdown by exam section, realistic scenario-style practice questions with teacher-style explanations, a glossary of the Google Cloud security-operations concepts the exam relies on, and full-length timed mock exams that mirror the real testing experience.

50
Questions
120 min
Time limit
70%
Mock pass %
6
Domains

Start studying PSOE

New here? Follow the three steps below in order. Everything is free and needs no account.

  1. 1
    Learn the plan

    See all 6 domains in exam-weight order.

    Open study path
  2. 2
    Drill by domain

    Practice one topic at a time with explained answers.

    Start with the first domain
  3. 3
    Sit a timed mock

    50 questions · 120 min · 70% to pass our mock.

    Take the mock exam

All PSOE study resources

PSOE exam domains

The PSOE exam is weighted across 6 domains. Pick any domain below to drill it — or read the full breakdown in the FAQ.

Exam domainExam weightPractice
Platform operations14%Practice this topic
Data management14%Practice this topic
Threat hunting19%Practice this topic
Detection engineering22%Practice this topic
Incident response21%Practice this topic
Observability10%Practice this topic

Sample PSOE questions

A sample of the PSOE questions on this hub. Each links through to the full question, the correct answer, and an explanation of why every other option is wrong.

Key PSOE terms

Start with these terms, then explore the full glossary. Each links to a plain-English definition written for the PSOE exam.

PSOE frequently asked questions

What is the PSOE certification?+

Google positions the Professional Security Operations Engineer as detecting, monitoring, analyzing, investigating, and responding to threats against workloads, endpoints, and infrastructure, proficient in writing detection rules, log ingestion, orchestration, and response automation.

It is built around Google Security Operations (SecOps) and Security Command Center (SCC), and expects experience leveraging posture and threat intelligence for detection and response.

What topics are on the PSOE exam?+

The PSOE exam is organised into six sections. The percentages below are the approximate weights Google publishes in its exam guide. Detection engineering and incident response carry the most weight.

Platform operations (14%)

Covers enhancing detection and response by prioritizing telemetry sources (SCC, Google SecOps, GTI, Cloud IDS), integrating multiple tools into the security architecture, configuring access and roles, and evaluating tool effectiveness and coverage gaps.

Data management (14%)

Covers log ingestion and normalization into Google SecOps, parsers and data pipelines, prioritizing logs, and managing data retention and enrichment with reference and context data.

Threat hunting (19%)

Covers proactive hunting in Google SecOps using UDM search and YARA-L, identifying new or low-prevalence processes, domains, and IPs, and leveraging threat intelligence (GTI) and IOCs for hypothesis-driven hunts.

Detection engineering (22%)

The heaviest section. It covers writing and tuning YARA-L single-event and multi-event detection rules, building rules from threat intelligence and MITRE ATT&CK, reducing false positives, and managing the detection rule lifecycle.

Incident response (21%)

Covers investigating and triaging alerts and cases in Google SecOps and SCC, response automation and orchestration with SOAR playbooks, containment and remediation, and root cause and post-incident activities.

Observability (10%)

The smallest section. It covers monitoring the health and coverage of the security operations platform, metrics, dashboards, and reporting on effectiveness, and identifying gaps in logging, detection coverage, and telemetry.

Is the PSOE hard?+

PSOE is a professional-level exam that expects real detection-engineering skill — writing and tuning YARA-L rules and reasoning about telemetry — on Google’s specific security stack, not vendor-neutral concepts.

The difficulty comes from the depth of Google SecOps and SCC and from scenario questions that hinge on the right detection, hunt, or response action. Practising SecOps-specific scenarios is the key.

How many questions are on the PSOE exam and how long is it?+

Google’s Professional Security Operations Engineer exam presents roughly 50–60 multiple-choice and multiple-select questions to be completed in 120 minutes, delivered online with remote proctoring or at a test center.

Our full-length practice mock uses a 50-question, 120-minute session so you can rehearse pacing under realistic time pressure before test day.

What score do you need to pass the PSOE?+

Google does not publish a numeric passing score for the Professional Security Operations Engineer, and results are reported simply as pass or fail, so treat any specific percentage you see elsewhere as unofficial. Our practice mock uses a 70% threshold as a sensible readiness target — aim to clear it comfortably and consistently before you book.

How much does the PSOE exam cost?+

The Professional Security Operations Engineer exam fee is set by Google — historically around $200 (plus tax), but check the official certification page for current pricing in your region. The certification is valid for two years. Everything on this hub is free.

Who should take the PSOE?+

PSOE is aimed at security operations engineers, detection engineers, and SOC analysts who work in Google Security Operations and Security Command Center.

Google recommends experience writing detection rules, prioritizing and ingesting logs, orchestration, and response automation, plus leveraging posture and threat intelligence, though there is no formal prerequisite.

What jobs and salaries can the PSOE lead to?+

PSOE maps to roles such as security operations engineer, detection engineer, and threat hunter working on Google Cloud, where building detections and responding to threats in Google SecOps is the core of the job.

How much any certification affects pay depends heavily on geography, seniority, and hands-on experience, so treat any single salary figure with caution. PSOE is best viewed as validation of Google Cloud security-operations skill rather than a guaranteed raise on its own.

How long does it take to study for the PSOE?+

Candidates with security-operations experience on Google Cloud often need six to ten weeks; those newer to Google SecOps should plan longer. The most efficient path is to study each section while practising in Google SecOps and SCC, drilling YARA-L as you go.

Spend the final stretch on full-length timed mocks, reviewing every explanation — including for questions you answered correctly — because PSOE distractors are usually valid actions that do not best fit the scenario. Use the per-section results here to find your weakest area.

How should you prepare for the PSOE?+

Study the six sections above, giving the most time to detection engineering and incident response, then drill scenario questions section by section. Every MockAPI question reveals a full explanation and tells you why each wrong answer is wrong — essential for an exam that turns on the right detection or response.

When you can answer scenarios comfortably, move to full-length timed mocks, ideally alongside hands-on practice in Google SecOps. Use the glossary to keep the concepts straight, and aim to score consistently above the pass mark before you book.

Can you take the PSOE exam online?+

Yes. Google delivers the Professional Security Operations Engineer both at onsite test centers and online with remote proctoring. The online option requires a private, quiet room, a clear workspace, a webcam and microphone, a stable connection, and government-issued photo ID, with a proctor monitoring you throughout.

If you do not pass, Google applies a retake policy with escalating waiting periods between attempts (a 14-day wait after the first attempt, longer after subsequent ones), and each attempt needs its own registration and fee.

What certification should you take after the PSOE?+

After PSOE, common next steps include the Professional Cloud Security Engineer for broader Google Cloud security design, or the Professional Cloud Architect for a wider remit.

For many, the real next step is owning detection and response for a Google Cloud environment. Pairing PSOE with hands-on Google SecOps experience is what turns the certificate into a career.