Practice 350-701 Endpoint Security and Identity questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A network administrator wants to deploy Cisco AMP for Endpoints to protect endpoints. Which feature allows the detection of a file that was initially deemed benign but later discovered to be malicious?
2. An engineer is configuring Cisco ISE for 802.1X authentication. The organization has a mix of devices, including some that do not support 802.1X supplicants. Which method should the engineer use to allow these non-supplicant devices to authenticate?
3. During a security incident, a SOC analyst notices that a malicious file was executed on an endpoint. Using Cisco AMP for Endpoints, which feature should the analyst use to visualize the file's propagation and activities across the network over time?
4. In Cisco ISE, profiling is used to identify device types. Which probe must be enabled for ISE to determine the operating system of a device by analyzing DHCP options?
5. An organization wants to enforce endpoint posture compliance before granting network access. In Cisco ISE, which component performs the actual checks on the endpoint to verify antivirus status and patch levels?
6. A security engineer is configuring Duo for VPN authentication with AnyConnect. Which authentication factor does Duo provide in addition to the user's primary credentials?
7. In a Cisco ISE deployment, after a device passes posture assessment, ISE needs to dynamically change the VLAN assignment for the device. Which protocol or feature enables ISE to send a new authorization policy to the network access device without requiring the endpoint to reauthenticate?
8. Which component in the 802.1X architecture is responsible for relaying authentication messages between the client and the authentication server?
9. An organization uses Cisco AMP for Endpoints and wants to perform a remote investigation on an infected endpoint. The security analyst needs to isolate the endpoint from the network while collecting forensic data. Which AMP feature should be used?
10. In Cisco ISE, which protocol is used for EAP-TLS authentication, and what is the primary requirement for the client to successfully authenticate?
11. A company wants to implement privileged access management (PAM) to secure administrative credentials. They need a solution that provides just-in-time access and session recording. Which product integrated with Cisco SecureX can fulfill these requirements?
12. In Cisco AMP for Endpoints, which technology prevents exploit techniques such as code injection and memory corruption at runtime without relying on signatures?
13. A network administrator is configuring Cisco ISE for guest access. The company requires a solution where guests can create their own accounts and receive network access after a sponsor approves. Which two components must be configured? (Choose two.)
14. An organization wants to deploy endpoint hardening measures. Which three of the following are considered endpoint hardening techniques? (Choose three.)
15. An administrator is configuring Cisco ISE profiling using Device Sensor. Which two types of information can the Device Sensor collect from endpoints? (Choose two.)
16. A security engineer is deploying Cisco AMP for Endpoints in an organization. To ensure that any malicious file that was initially allowed but later determined to be malicious can be traced, which feature should be used?
17. During 802.1X authentication, which component acts as the intermediary that forwards authentication requests between the client and the authentication server?
18. A network administrator needs to provide network access to a legacy printer that does not support 802.1X. Which Cisco ISE feature should be used to authenticate this device?
19. An organization uses Cisco ISE for network access control. After a user authenticates via 802.1X, a posture assessment determines that the user's antivirus definitions are outdated. What ISE feature can be used to dynamically restrict the user's network access until the issue is resolved?
20. Which Cisco security product provides multi-factor authentication through push notifications, TOTP, and hardware tokens?
21. A security analyst wants to investigate a remote endpoint that is suspected of being compromised. Using Cisco AMP for Endpoints, which capability allows the analyst to run commands on the endpoint and perform live analysis?
22. In a Cisco TrustSec deployment, after successful authentication, ISE assigns a Security Group Tag (SGT) to the user. Which protocol is used to propagate the SGT to the network devices for policy enforcement?
23. Which Cisco ISE probe is used to identify the operating system and open ports of an endpoint by actively scanning it?
24. An organization is implementing privileged access management (PAM) with Cisco SecureX and CyberArk. Which feature allows administrators to grant temporary elevated privileges for a specific task, after which the privileges are automatically revoked?
25. A network engineer is configuring 802.1X on a switch port that connects to a VoIP phone and a PC behind the phone. Which authentication method should be used to authenticate both devices separately?
26. Which EAP method used with 802.1X requires a client-side certificate for authentication?
27. Cisco ISE posture assessment requires that endpoints meet certain security requirements before being granted network access. Which of the following is a typical posture requirement?
28. A security administrator is configuring Cisco ISE for guest access. Which TWO components are required to allow guests to self-register and obtain network access? (Choose two.)
29. A company wants to deploy endpoint hardening measures to prevent unauthorized applications from executing. Which THREE techniques are commonly used for application control? (Choose three.)
30. An organization is deploying Cisco Duo for multi-factor authentication. Which TWO authentication methods can be used with Duo? (Choose two.)
31. An engineer is configuring Cisco Secure Endpoint (AMP) connectors. Which deployment is supported for the macOS platform?
32. A security analyst notices that a file previously marked as 'clean' on an endpoint was later determined to be malicious. Using Cisco Secure Endpoint, which feature allows the analyst to see the propagation of that file across the system and understand its impact?
33. An organization wants to deploy 802.1X for network access control. Which component is responsible for forwarding authentication requests from the endpoint to the authentication server?
34. A network administrator is configuring Cisco ISE to authenticate devices that do not support 802.1X supplicant software. Which authentication method should be used for these non-supplicant devices?
35. Cisco ISE performs profiling to identify device type. Which probe collects information by querying the device's MAC address OUI and DHCP options?
36. An administrator wants to dynamically change the VLAN assignment for a user after a posture assessment determines that the endpoint is missing a critical patch. Which ISE feature accomplishes this?
37. Which Cisco Duo authentication method involves a one-time code generated by a hardware token?
38. A security engineer is investigating a suspicious process on an endpoint. Using Cisco Secure Endpoint, which EDR capability allows the engineer to isolate the process and prevent it from executing further?
39. Which protocol does Cisco ISE use to communicate with network devices for 802.1X authentication?
40. An organization is implementing privileged access management (PAM) using Cisco SecureX and CyberArk. Which PAM capability provides temporary elevated access that is automatically revoked after a set period?
41. A Cisco ISE administrator is configuring guest access with a sponsor portal. Which type of guest account requires approval from a sponsor before network access is granted?
42. Which EAP method used with 802.1X provides certificate-based mutual authentication and is commonly used with Cisco ISE?
43. A security analyst is configuring Cisco Secure Endpoint (AMP) to detect and respond to threats. Which TWO features are part of the Exploit Prevention capability? (Choose two.)
44. An engineer is deploying Cisco ISE for posture assessment. Which THREE conditions can ISE check during posture assessment before granting full network access? (Choose three.)
45. An organization wants to implement multi-factor authentication (MFA) for VPN access using Cisco AnyConnect and Duo. Which TWO authentication factors can Duo provide? (Choose two.)
46. A security administrator notices that a file initially classified as 'unknown' by Cisco AMP for Endpoints has been later determined to be malicious. Which Cisco AMP feature allows the administrator to see the file's propagation and impacts across endpoints?
47. An engineer is configuring Cisco ISE for 802.1X authentication. The network has many printers and IP phones that do not support 802.1X supplicant software. Which ISE feature should be used to allow these devices to authenticate?
48. A security analyst needs to enforce that all endpoints have antivirus software running and are up-to-date with patches before granting full network access. Which Cisco ISE feature should be used to enforce this policy?
49. An organization deploys Cisco ISE for network access control. After successful 802.1X authentication, a user's device is found to be missing critical patches via posture assessment. The administrator wants to dynamically move the user to a remediation VLAN without requiring the user to reconnect. Which ISE capability enables this?
50. A company wants to implement two-factor authentication for remote VPN access using Cisco AnyConnect. They need a solution that supports push notifications to a mobile app. Which Cisco product meets this requirement?
51. In a Cisco ISE 802.1X deployment, which component acts as the authenticator?
52. A security engineer is configuring Cisco AMP for Endpoints to protect against memory injection attacks. Which feature should be enabled to block exploits that attempt to inject malicious code into legitimate processes?
53. During a security incident, an analyst needs to isolate a compromised endpoint and perform remote forensic analysis using Cisco AMP for Endpoints. Which capability allows the analyst to execute commands on the endpoint remotely?
54. An organization wants to implement privileged access management (PAM) for critical servers. They require just-in-time access and session recording. Which solution integrates with Cisco SecureX to provide these capabilities?
55. Which authentication protocol is used in Cisco ISE for certificate-based 802.1X authentication?
56. A network administrator configures Cisco ISE to identify devices by analyzing DHCP requests, HTTP user agents, and SNMP queries. Which ISE feature is being used?
57. A security team wants to enforce application whitelisting on endpoints to prevent unauthorized software execution. Which Cisco AMP for Endpoints feature can be used to implement this control?
58. A company deploys Cisco ISE for network access control. They need to allow guests to access the internet via a self-registration portal. Which two components must be configured? (Choose two.)
59. An organization wants to deploy endpoint hardening measures. Which three capabilities are provided by Cisco AMP for Endpoints as part of EDR (Endpoint Detection and Response)? (Choose three.)
60. A network engineer is troubleshooting 802.1X authentication failures. Which two components are required for a successful 802.1X authentication? (Choose two.)
61. A security administrator notices that a file initially classified as 'unknown' by Cisco AMP for Endpoints was later determined to be malicious after execution. Which feature allows the administrator to see the file's propagation and impact on endpoints?
62. An organization wants to provide network access to guest users through Cisco ISE. Guests must register themselves and accept an acceptable use policy before gaining internet-only access. Which guest access method should be configured?
63. In a Cisco ISE deployment, a network administrator needs to dynamically change the VLAN assignment for an endpoint after a posture assessment determines that the endpoint is non-compliant. Which ISE feature enables this dynamic change without re-authentication?
64. Cisco ISE is performing profiling on a network. It receives a DHCP request from a device with vendor class identifier 'MSFT 5.0' and an HTTP user-agent 'Mozilla/5.0 (Windows NT 10.0)'. Which probes are most likely used to collect this information?
65. An organization wants to enforce multi-factor authentication for remote VPN access. Cisco AnyConnect is used as the VPN client. Which Cisco product integrates with AnyConnect to provide MFA capabilities such as push notifications and one-time passwords?
66. A network engineer is troubleshooting 802.1X authentication on a Cisco switch. Users report that they cannot authenticate. The engineer verifies that the switch (authenticator) is configured correctly and the RADIUS server (ISE) is reachable. Which component is most likely misconfigured on the client side?
67. During a security incident, an analyst uses Cisco AMP for Endpoints to remotely investigate a compromised endpoint. The analyst needs to isolate the endpoint from the network while preserving the ability to continue the investigation. Which AMP action should be taken?
68. A company wants to implement network access control for IoT devices that do not support 802.1X. Which Cisco ISE feature can be used to grant these devices network access based on their MAC address?
69. An organization requires that endpoints must have antivirus running and up-to-date patches before being granted full network access. Cisco ISE is used for authentication. Which ISE component enforces these requirements?
70. A security engineer is configuring Cisco ISE for 802.1X authentication using EAP-TLS. What must be deployed on the endpoints to support this authentication method?
71. A company uses Cisco AMP for Endpoints and wants to deploy it on mobile devices running iOS and Android. Which deployment method is supported for these platforms?
72. Cisco ISE is configured to assign Security Group Tags (SGTs) to endpoints based on their identity. This is part of which Cisco security architecture?
73. A security analyst is investigating an alert from Cisco AMP for Endpoints. The analyst wants to perform remote actions on the endpoint. Which TWO actions are available in AMP for Endpoints? (Choose two.)
74. A company is deploying Cisco ISE for network access control. They need to authenticate devices that do not support 802.1X, such as printers and IP phones. Which TWO methods can be used to authenticate these devices? (Choose two.)
75. An organization wants to implement Privileged Access Management (PAM) using Cisco SecureX and CyberArk. Which THREE capabilities are typically associated with PAM solutions? (Choose three.)
76. A security administrator is implementing Cisco AMP for Endpoints and wants to identify files that were initially allowed but later determined to be malicious. Which feature allows the administrator to see the propagation of such a file across the environment?
77. An engineer is configuring Cisco ISE for 802.1X authentication in a corporate network. A printer that does not support 802.1X needs to be granted network access. Which method should the engineer use to authenticate the printer?
78. A security analyst discovers that an endpoint was infected by a file that initially received a 'clean' disposition from Cisco AMP. The analyst needs to identify all other endpoints that executed the same file and examine their trajectory. Which approach should be used to find these endpoints in the AMP console?
79. A network administrator is configuring Cisco ISE profiling to identify devices on the network. Which probe allows ISE to identify device type by analyzing the HTTP User-Agent string?
80. An organization uses Cisco ISE to enforce posture compliance. After a user's machine is patched, ISE sends a command to the switch to reclassify the endpoint from a restricted VLAN to a full-access VLAN. Which ISE feature accomplishes this?
81. Which component in an 802.1X deployment is responsible for relaying authentication messages between the client and the authentication server?
82. A company deploys Cisco Duo for multi-factor authentication to protect VPN access. Employees use AnyConnect to connect to the corporate network. After entering their credentials, they receive a push notification on their mobile device. Which Duo authentication method is being used?
83. A security team is implementing Privileged Access Management (PAM) using CyberArk integrated with Cisco SecureX. They need to provide just-in-time access to a critical server for a specific task, with automatic password rotation after use. Which PAM capability addresses this requirement?
84. An endpoint security engineer wants to protect against memory injection attacks on endpoints running Windows. Which Cisco AMP feature should be enabled?
85. A network engineer is configuring Cisco ISE for wireless 802.1X authentication. The company wants to use certificate-based authentication for all corporate devices. Which EAP method should be configured?
86. An organization uses Cisco ISE with TrustSec to assign Security Group Tags (SGTs) to endpoints based on their role. An endpoint initially receives an SGT for 'Employees' but after a posture check reveals missing antivirus updates, ISE changes the SGT to 'Quarantine'. Which ISE feature dynamically updates the SGT?
87. A security analyst needs to investigate a potential breach on an endpoint running Cisco AMP. The analyst wants to remotely execute commands to gather forensic data and potentially isolate the endpoint from the network. Which Cisco AMP EDR capability should the analyst use?
88. A network administrator is deploying Cisco ISE for network access control. The administrator needs to profile devices that connect to the network. Which TWO probes can be used to gather information for device profiling? (Choose two.)
89. A security team is implementing endpoint hardening measures. They want to ensure that only approved applications can run, monitor for suspicious behavior, and have the ability to isolate processes if needed. Which THREE Cisco AMP features should they enable? (Choose three.)
90. An administrator is configuring Cisco Duo for multi-factor authentication. Which THREE authentication methods can Duo provide to users? (Choose three.)
91. A security analyst notices that a file that was initially allowed by Cisco AMP for Endpoints has later been determined to be malicious. The analyst needs to investigate the file's propagation across endpoints. Which Cisco AMP feature should the analyst use to view the timeline of events?
92. An organization wants to deploy Cisco ISE to authenticate devices that do not support 802.1X supplicant software, such as printers and IoT sensors. Which authentication method should be configured on the switch port to allow these devices network access?
93. A network administrator is configuring Cisco ISE for posture assessment. A Windows laptop connects to the network and passes 802.1X authentication. ISE then checks if the antivirus software is running and if the OS patches are up to date. If the posture check fails, ISE should dynamically restrict the endpoint to a remediation VLAN. Which mechanism allows ISE to change the VLAN assignment after authentication without requiring the user to reauthenticate?
94. An organization wants to enforce multi-factor authentication (MFA) for VPN access using Cisco AnyConnect. Which Cisco product integrates with AnyConnect to provide MFA via push notifications or one-time passwords?
95. A security engineer is deploying Cisco AMP for Endpoints and wants to ensure that the client can detect and block memory injection attacks. Which AMP feature should be enabled to provide this protection?
96. A network administrator is configuring Cisco ISE for device profiling. The goal is to identify the type of device (e.g., Windows PC, iPhone, printer) connecting to the network. Which probe should be used to gather the DHCP option 60 (vendor class identifier) and option 12 (hostname) information?
97. Which 802.1X component is responsible for enforcing access control on the network and relaying authentication messages between the client and the authentication server?
98. An organization uses Cisco ISE for guest access. They want to allow guests to create their own accounts through a web portal while requiring approval from a sponsor before network access is granted. Which guest access method should be configured?
99. A security analyst is investigating an incident on an endpoint protected by Cisco AMP. The analyst needs to isolate the compromised process and prevent it from communicating with other processes or the network. Which EDR capability should be used to achieve this?
100. Which Cisco product provides privileged access management (PAM) capabilities such as just-in-time access, session recording, and password vaulting through integration with CyberArk?
101. A network administrator is configuring 802.1X on a Cisco switch for corporate Windows laptops. The organization uses certificates for authentication. Which EAP method should be configured on the supplicant and ISE to provide certificate-based mutual authentication?
102. An organization wants to deploy endpoint hardening by allowing only approved applications to run. Which technology should be implemented to achieve this?
103. A network engineer is configuring Cisco ISE to assign Security Group Tags (SGTs) to endpoints based on their identity and role. Which two components are required for TrustSec SGT classification and enforcement? (Choose two.)
104. A security analyst needs to investigate a potential breach on an endpoint. Cisco AMP for Endpoints provides several EDR capabilities. Which three actions can the analyst perform using AMP's EDR features? (Choose three.)
105. An organization wants to implement multi-factor authentication (MFA) for administrative access to network devices. Which two methods can be used with Cisco Duo to provide MFA for admin access? (Choose two.)
106. An administrator needs to enforce 802.1X authentication for devices that do not support 802.1X supplicants. Which method should be configured on Cisco ISE to allow these devices to authenticate?
107. A security analyst notices that a file initially deemed 'unknown' by Cisco AMP for Endpoints was later reclassified as 'malicious'. The analyst needs to investigate the propagation of this file across endpoints. Which Cisco AMP feature provides a timeline view of file activity and spread?
108. Cisco ISE is configured with posture assessment to ensure endpoints meet security requirements before gaining network access. After a posture check, ISE needs to dynamically change the VLAN assignment for a non-compliant endpoint. Which ISE feature enables this real-time change?
109. A company uses Cisco ISE for network access control. They want to authenticate users connecting via VPN using multi-factor authentication. Which solution integrates with ISE to provide MFA for AnyConnect VPN?
110. In the 802.1X authentication process, which component is responsible for relaying authentication messages between the client and the authentication server?
111. An organization wants to grant temporary administrative access to a server for a specific task and automatically revoke the access after the task is completed. Which Cisco solution should be used?
112. A security team deploys Cisco AMP for Endpoints and wants to detect and block memory injection attacks. Which AMP feature should be enabled to achieve this?
113. Cisco ISE uses profiling to identify the type of device connecting to the network. Which probe helps ISE identify a device by analyzing the DHCP requests it sends?
114. An administrator configures Cisco ISE for guest access with a sponsor portal. What is the primary purpose of the sponsor portal?
115. An endpoint running Cisco AMP for Endpoints is suspected of being compromised. The security analyst needs to isolate the process and perform a live investigation. Which EDR capability should the analyst use?
116. An organization uses Cisco ISE for network access control. They want to authenticate users with certificates for strong security. Which two EAP methods support certificate-based authentication? (Choose two.)
117. Cisco ISE can profile endpoints using various probes. Which three probes are used for device profiling? (Choose three.)
118. Cisco AMP for Endpoints provides endpoint protection. Which two are core capabilities of AMP? (Choose two.)
119. An organization wants to implement EDR capabilities for endpoints. Which three actions are typically associated with EDR? (Choose three.)
120. Cisco TrustSec uses Security Group Tags (SGTs) for policy enforcement. Which two components are required for TrustSec to function? (Choose two.)
121. A network administrator is deploying Cisco ISE for network access control. The network includes printers and IP phones that do not support 802.1X. Which TWO methods can be used to authenticate these devices?
122. A security analyst is investigating a malware outbreak that occurred on endpoints protected by Cisco AMP for Endpoints. The malware was initially undetected but later identified as malicious based on new threat intelligence. Which THREE capabilities of AMP allow the analyst to trace the infection and remediate?
123. An organization wants to implement multi-factor authentication for remote VPN access using Cisco AnyConnect. Which TWO authentication methods are supported when integrating with Cisco Duo?
124. A network engineer is configuring Cisco TrustSec on a switch to enforce segmentation. Which THREE components are required for TrustSec to assign a Security Group Tag (SGT) to a user after successful authentication via ISE?
125. An organization is implementing Privileged Access Management (PAM) using CyberArk integrated with Cisco SecureX. Which THREE capabilities are typically provided by such a PAM solution?
The Endpoint Security and Identity domain covers the key concepts tested in this area of the 350-701 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-701 domains — no account required.
The Courseiva 350-701 question bank contains 125 questions in the Endpoint Security and Identity domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Endpoint Security and Identity domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.