When deploying theFalcon Kubernetes Admission Controller (KAC)using aHelm chart, access to CrowdStrike-hosted container images is required. These images are stored inCrowdStrike’s private container registry, which requires authentication.

To retrieve the Falcon KAC image, a validCrowdStrike API client key(client ID and secret) must be provided. This API credential allows Helm to authenticate to the Falcon registry and securely pull the required KAC image during deployment. Without valid API credentials, image retrieval fails, and the KAC deployment cannot complete successfully.

Other options listed do not satisfy this requirement. SENSOR_PLATFORM and FALCON_REGION are configuration parameters used during sensor installation but do not authenticate registry access. Docker itself is not sufficient, as authentication to the CrowdStrike registry is still required.

Therefore, anAPI client keyis mandatory to ensure successful retrieval of the Falcon KAC image during Helm-based deployment.

CrowdStrike recommends enablingDrift Preventionwhen container workloads have beendesigned to be immutable. Immutable infrastructure is a core cloud-native principle where containers are not modified after deployment. Any change to a running container—such as installing packages or modifying files—indicates potential misconfiguration or malicious activity.

Drift Prevention enforces this principle by blocking or alerting on runtime changes that deviate from the original container image. This makes it highly effective for production environments where containers should run exactly as built and deployed.

In development or testing environments, containers often change dynamically, making Drift Prevention impractical due to excessive false positives. Similarly, containers that must download or install packages at startup inherently require runtime modification and are not suitable candidates for Drift Prevention.

Enabling Drift Prevention at the wrong time can disrupt legitimate workloads. Therefore, CrowdStrike guidance clearly states that Drift Prevention should be enabledonly after workloads are intentionally designed to be immutable, making optionCthe correct answer.

CrowdStrike Falcon Cloud Security performs agentless cloud security posture management (CSPM) by integrating directly with cloud service providers such as AWS, Microsoft Azure, and Google Cloud Platform using native APIs. This approach allows Falcon to continuously assess cloud configurations, permissions, networking, storage, and identity controls without deploying sensors or agents.

By default, CrowdStrike configures cloud account scans to runevery 4 hours. This scan frequency is designed to strike a balance between near-real-time visibility and efficient API usage across cloud providers. Cloud environments are highly dynamic, with frequent changes to configurations, IAM policies, and services. A four-hour scan interval ensures that new misconfigurations or risky changes—such as overly permissive roles, exposed storage, or insecure network rules—are identified quickly enough to reduce exposure time.

Scanning more frequently could introduce unnecessary API throttling or operational overhead, while less frequent scans could delay detection of critical security gaps. The four-hour interval is therefore CrowdStrike’s recommended default for maintaining continuous visibility while preserving cloud provider performance and stability.

This default interval can be adjusted in certain scenarios, but unless explicitly changed,every 4 hoursis the standard scan cadence applied to AWS, Azure, and GCP environments.

InFalcon Cloud Security Network Events, port states reflect how network connections are established and handled at runtime. The platform uses standardized connection state terminology to help analysts understand traffic behavior and intent.

The three valid port states are:

Connect: Indicates an outbound connection attempt initiated by a process or container.

Accept: Represents an inbound connection that was accepted by a listening process.

Listen: Shows that a process is actively listening on a port for incoming connections.

These states provide crucial context for detecting suspicious behavior such as unauthorized listeners, unexpected inbound access, or abnormal outbound communications. Other options include terms not used by Falcon to define port state semantics within Network Events.

Therefore,Connect, Accept, and Listenis the correct answer.

To identifyremediable vulnerabilities in running containers, CrowdStrike Falcon Cloud Security recommends filteringimage vulnerabilities by container running status and remediation. This approach correlates container runtime state with image assessment results, allowing security teams to focus on vulnerabilities that are bothpresent in images and actively impacting running workloads.

Image vulnerability findings include remediation metadata such as fixed versions, patch availability, and upgrade paths. By filtering oncontainer running status, you ensure that attention is limited to vulnerabilities that pose immediate risk rather than those in dormant or unused images. Adding theremediation filterfurther refines results to show only vulnerabilities that can realistically be addressed, helping teams prioritize efficiently.

Other options are incorrect because container assets and detections focus on runtime behavior, not vulnerability remediation context. Image detections relate to malware or suspicious artifacts, not CVEs.

This filtering method aligns with CrowdStrike best practices for vulnerability prioritization by combiningruntime relevance and remediation feasibility, making optionCthe correct answer.

InFalcon Cloud Security, thePackages dashboardallows filtering package inventory bypackage type, such as Python, Java, or OS-level packages.

To share results with a team memberwho is not a Falcon user, the data must be exported. Creating saved filters does not grant access to non-users. Filtering bypackage type: PYTHONensures all Python-related packages are included regardless of name or version, providing complete coverage.

Exporting the filtered results toCSV or JSONenables easy sharing, offline analysis, and integration into other tools.

Therefore, the correct option isFilter by package type: PYTHON and export to CSV or JSON.

When using theFalcon Kubernetes Admission Controller, CrowdStrike allows administrators to precisely scope which Kubernetes assets are evaluated againstIndicators of Misconfiguration (IOMs)andImage Assessment policiesby usingboth namespaces and pod or service labels.

Namespaces provide a logical boundary within Kubernetes clusters, often representing environments such as dev, staging, or production. Labels add further granularity by identifying workloads based on application, team ownership, or deployment tier. By combining namespaces and labels, security teams can enforce policies with fine-grained control while minimizing unintended enforcement.

Using only namespaces or only labels limits flexibility and may lead to over- or under-enforcement. CrowdStrike documentation supports the combined approach as a best practice for scalable and precise policy enforcement in Kubernetes environments.

Therefore, the correct answer isNamespaces and Pod or Service labels.