PSOE cheat sheet
A one-page reference for the Professional Security Operations Engineer exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
Google Cloud
Level
Professional
Questions
50
Time
120 min
Mock pass mark
70%
Domains
6
Practice Qs
241
Code
PSOE
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- Google Security Operations
- Google Security Operations (Google SecOps) is Google Cloud's platform for ingesting security telemetry, detecting threats, and orchestrating response. PSOE centers on operating Google SecOps and Security Command Center.
- Security Command Center
- Security Command Center (SCC) is Google Cloud's security and risk-management platform that surfaces misconfigurations, vulnerabilities, and threats. PSOE covers SCC alongside Google SecOps for detection and response.
- UDM
- UDM (Unified Data Model) is the normalized schema Google SecOps uses to represent ingested security events. PSOE covers UDM search for threat hunting and detection.
- YARA-L
- YARA-L is the rules language used in Google SecOps to write single-event and multi-event detections over UDM data. PSOE covers writing and tuning YARA-L rules in detection engineering.
- Detection rule
- A detection rule is logic that identifies suspicious activity and generates alerts, written in YARA-L in Google SecOps. PSOE covers building, tuning, and managing the detection rule lifecycle.
- Threat hunting
- Threat hunting is the proactive search for threats that evade automated detections, using hypotheses and telemetry. PSOE dedicates a domain to hunting in Google SecOps with UDM search and threat intelligence.
- Google Threat Intelligence
- Google Threat Intelligence (GTI) provides indicators and context about adversaries and malware to enrich detection and hunting. PSOE covers leveraging GTI for detection and response.
- IOC
- An IOC (indicator of compromise) is an artifact such as a hash, domain, or IP that indicates malicious activity. PSOE covers using IOCs and threat intelligence in hunting and detection.
- SOAR
- SOAR (security orchestration, automation, and response) automates and coordinates incident-response workflows through playbooks. PSOE covers response automation and orchestration in Google SecOps.
- Playbook
- A playbook is an automated, repeatable response workflow that a SOAR platform runs to handle an incident. PSOE covers building playbooks for containment and remediation.
- Incident response
- Incident response is the structured process of triaging, investigating, containing, and remediating security incidents. PSOE dedicates a domain to incident response in Google SecOps and SCC.
- MITRE ATT&CK
- MITRE ATT&CK is a knowledge base of adversary tactics and techniques used to guide detection coverage. PSOE covers building detections from MITRE ATT&CK and threat intelligence.
- Cloud IDS
- Cloud IDS is a Google Cloud intrusion-detection service that inspects network traffic for threats. PSOE covers prioritizing Cloud IDS among telemetry sources in platform operations.
- Log ingestion
- Log ingestion is the process of collecting and normalizing security logs into Google SecOps for analysis. PSOE covers ingestion, parsing, and prioritization in the data-management domain.