PSOE cheat sheet

A one-page reference for the Professional Security Operations Engineer exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
Google Cloud
Level
Professional
Questions
50
Time
120 min
Mock pass mark
70%
Domains
6
Practice Qs
241
Code
PSOE

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

Google Security Operations
Google Security Operations (Google SecOps) is Google Cloud's platform for ingesting security telemetry, detecting threats, and orchestrating response. PSOE centers on operating Google SecOps and Security Command Center.
Security Command Center
Security Command Center (SCC) is Google Cloud's security and risk-management platform that surfaces misconfigurations, vulnerabilities, and threats. PSOE covers SCC alongside Google SecOps for detection and response.
UDM
UDM (Unified Data Model) is the normalized schema Google SecOps uses to represent ingested security events. PSOE covers UDM search for threat hunting and detection.
YARA-L
YARA-L is the rules language used in Google SecOps to write single-event and multi-event detections over UDM data. PSOE covers writing and tuning YARA-L rules in detection engineering.
Detection rule
A detection rule is logic that identifies suspicious activity and generates alerts, written in YARA-L in Google SecOps. PSOE covers building, tuning, and managing the detection rule lifecycle.
Threat hunting
Threat hunting is the proactive search for threats that evade automated detections, using hypotheses and telemetry. PSOE dedicates a domain to hunting in Google SecOps with UDM search and threat intelligence.
Google Threat Intelligence
Google Threat Intelligence (GTI) provides indicators and context about adversaries and malware to enrich detection and hunting. PSOE covers leveraging GTI for detection and response.
IOC
An IOC (indicator of compromise) is an artifact such as a hash, domain, or IP that indicates malicious activity. PSOE covers using IOCs and threat intelligence in hunting and detection.
SOAR
SOAR (security orchestration, automation, and response) automates and coordinates incident-response workflows through playbooks. PSOE covers response automation and orchestration in Google SecOps.
Playbook
A playbook is an automated, repeatable response workflow that a SOAR platform runs to handle an incident. PSOE covers building playbooks for containment and remediation.
Incident response
Incident response is the structured process of triaging, investigating, containing, and remediating security incidents. PSOE dedicates a domain to incident response in Google SecOps and SCC.
MITRE ATT&CK
MITRE ATT&CK is a knowledge base of adversary tactics and techniques used to guide detection coverage. PSOE covers building detections from MITRE ATT&CK and threat intelligence.
Cloud IDS
Cloud IDS is a Google Cloud intrusion-detection service that inspects network traffic for threats. PSOE covers prioritizing Cloud IDS among telemetry sources in platform operations.
Log ingestion
Log ingestion is the process of collecting and normalizing security logs into Google SecOps for analysis. PSOE covers ingestion, parsing, and prioritization in the data-management domain.