Practice 350-701 Security Concepts questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. Which security model requires that all subjects and devices are untrusted by default, and access is granted only after verification, regardless of the network location?
2. A security analyst notices unusual outbound traffic from an internal host to a known malicious IP address on TCP port 4444. The host is also exhibiting high CPU usage and running an unknown process. Which type of malware is most likely present?
3. An organization wants to ensure that digital certificates issued by its internal CA are validated for revocation in real-time. Which protocol should be implemented to allow clients to check certificate status without downloading a full CRL?
4. During a penetration test, an attacker sends a malicious payload to a web application that causes the server to execute arbitrary SQL commands on the backend database. Which type of attack is being performed?
5. A security administrator is configuring a Cisco Firepower NGFW to detect and block application-layer DDoS attacks. Which type of DDoS attack is characterized by overwhelming a server with incomplete HTTP requests, causing resource exhaustion?
6. Which cryptographic algorithm is considered deprecated and should be avoided due to known vulnerabilities, especially when used in digital signatures and certificate signing?
7. An attacker uses ARP spoofing to intercept traffic between two devices on the same subnet. After successfully becoming a man-in-the-middle, the attacker can then perform which further attack to downgrade HTTPS connections to HTTP?
8. In a PKI hierarchy, which component is responsible for issuing and revoking certificates for end entities, and is directly subordinate to the root CA?
9. A security engineer is evaluating authentication methods. Which authentication factor category does a fingerprint scanner fall under?
10. Which Cisco security product is primarily designed to provide DNS-layer security by blocking requests to malicious domains?
11. A network administrator is configuring an ASA to enforce that traffic between two internal zones must be inspected by the firewall. Which security principle is being applied?
12. An attacker performs a DNS cache poisoning attack on a recursive DNS server. What is the primary impact of this attack?
13. A security analyst is investigating a potential insider threat. Which TWO indicators are most commonly associated with malicious insider activity? (Choose two.)
14. A company is implementing a Zero Trust architecture. Which THREE principles are core to the Zero Trust model? (Choose three.)
15. A network engineer is tasked with securing email communications. Which TWO Cisco products are specifically designed for email security? (Choose two.)
16. A security analyst is reviewing logs and sees multiple failed login attempts from a single IP address, followed by a successful login. Which type of attack does this represent?
17. An organization wants to implement a security model where no user or device is trusted by default, regardless of whether they are inside or outside the network perimeter. Which concept does this describe?
18. A security engineer is configuring a Cisco Firepower NGFW to detect and block a new malware variant that communicates with a command-and-control server using encrypted DNS queries. Which Cisco security product is best suited to provide visibility into this malicious DNS traffic?
19. Which of the following is an example of a passive reconnaissance technique?
20. A company deploys a solution that uses a root certificate authority (CA) and intermediate CAs to issue certificates. What is the term for the hierarchical structure of certificates from the root CA to the end entity?
21. Which Cisco security product provides identity-based access control and policy enforcement for wired and wireless networks?
22. An attacker intercepts traffic between a client and a server and modifies the communication without either party knowing. Which type of attack is being performed?
23. Which encryption algorithm is classified as symmetric?
24. A security team implements a policy where users must provide a password and a one-time code from a mobile app. Which authentication factors are being used?
25. A Cisco ESA administrator notices that a large number of emails with malicious attachments are being delivered to users. Which feature should be configured to inspect attachments in a sandbox environment before delivery?
26. What is the primary purpose of a digital signature?
27. Which type of malware is characterized by encrypting files on a victim's system and demanding payment for the decryption key?
28. A security analyst is investigating a potential ARP spoofing attack. Which two symptoms would indicate this type of attack?
29. Which three components are part of the CIA triad?
30. A company is planning to deploy a Zero Trust architecture. Which two principles are fundamental to Zero Trust?
31. Which component of the CIA triad ensures that data is not altered by unauthorized entities during transmission?
32. An attacker uses a tool to scan a target network for open ports and running services. Which type of reconnaissance does this represent?
33. A security administrator is evaluating symmetric encryption algorithms for a new VPN deployment. Which algorithm uses a 128-bit block size and supports key sizes of 128, 192, and 256 bits?
34. Which of the following is a characteristic of a zero trust security model?
35. An employee receives an email that appears to be from the company's IT department requesting their login credentials. This is an example of which type of attack?
36. A security engineer is configuring a Cisco Firepower NGFW to detect a buffer overflow attack. Which attack vector is this?
37. What is the primary function of a Certificate Revocation List (CRL) in a PKI?
38. Which Cisco security product provides DNS-layer security to block malicious domains and cloud-based threats?
39. An organization implements multi-factor authentication requiring a password and a fingerprint scan. Which two authentication factors are being used?
40. An attacker intercepts traffic between a client and server using ARP spoofing. Which type of attack is this?
41. Which Cisco security product is primarily used for endpoint threat detection and retrospective security?
42. What is the primary purpose of a digital signature?
43. An organization is implementing a zero trust architecture. Which two principles are foundational to this model? (Choose two.)
44. A security analyst detects a DDoS attack targeting the company's web server. Which three attack types are classified as application layer attacks? (Choose three.)
45. Which three cryptographic algorithms are considered secure for use in modern systems? (Choose three.)
46. An attacker uses Shodan to discover internet-facing ICS devices and then performs banner grabbing. This is an example of which type of attack?
47. A security analyst notices traffic from an internal host to an external IP address on port 4444, and the host's CPU is high. The host has been running unknown processes. Which type of malware is most likely involved?
48. An organization implements a policy where every access request must be authenticated and authorized, even if it originates from within the internal network. Network segments are isolated, and lateral movement is restricted through microsegmentation. Which security model does this align with?
49. Which Cisco product provides DNS-layer security to block malicious domains and prevent connections to malware command-and-control servers?
50. An attacker intercepts communication between a client and server by spoofing ARP messages to associate the attacker's MAC address with the server's IP. This is an example of which type of attack?
51. A web application accepts user input and directly includes it in SQL queries without sanitization. An attacker submits a single quote (') to cause a syntax error. What is this attack called?
52. A security engineer needs to choose a hashing algorithm for storing passwords. Which of the following should be avoided due to known collision vulnerabilities?
53. Which authentication factor does a fingerprint scanner represent?
54. When a certificate is revoked, which protocol allows a client to check the revocation status in real-time without downloading a full CRL?
55. Which Cisco product provides advanced malware protection for endpoints, including file analysis and retrospective security?
56. An attacker sends a flood of SYN packets with spoofed IP addresses to a server, causing it to allocate resources for half-open connections until it can no longer accept legitimate traffic. This is which type of DDoS attack?
57. Which symmetric encryption algorithm is considered the current standard and is often used in VPNs and SSL/TLS?
58. A security analyst observes a sustained increase in traffic from many different IP addresses to a single web application, causing CPU spikes. The traffic consists of legitimate-looking HTTP GET requests for the same resource. Which TWO types of attack could this be? (Choose two.)
59. A company wants to implement a Zero Trust architecture. Which THREE principles should be included? (Choose three.)
60. A network administrator wants to deploy security products that provide network-based intrusion prevention and advanced threat detection. Which TWO Cisco products are most suitable? (Choose two.)
61. A security analyst is reviewing logs and identifies numerous ICMP echo requests from an external IP address to multiple internal hosts. Which type of reconnaissance activity is this?
62. An attacker injects a malicious SQL query into a web application's login form, bypassing authentication. Which type of exploitation is this?
63. A company's server is infected with malware that encrypts files and demands payment for decryption. Which type of malware is this?
64. Which cryptographic algorithm is a symmetric block cipher commonly used in modern VPNs and is considered secure?
65. A PKI administrator needs to check the revocation status of a certificate without causing a heavy load on the CA. Which protocol should be used?
66. Which security model mandates that access decisions should be based on context, device posture, and user identity, and never trust any entity by default?
67. An attacker intercepts ARP packets on a local network and associates their MAC address with the IP address of a legitimate host. This is an example of which attack?
68. A security engineer is evaluating Cisco solutions to detect and respond to network anomalies, including potential insider threats, by analyzing NetFlow data and behavioral patterns. Which Cisco product is best suited?
69. Which authentication factor relies on something the user is, such as a fingerprint or retina scan?
70. A company wants to protect against DNS-based attacks by filtering malicious domains and providing secure DNS resolution. Which Cisco product should be deployed?
71. During an incident response, a forensic analyst finds that an attacker used a script to modify ARP tables, enabling them to intercept and modify traffic between two hosts. Which attack technique was used?
72. Which Cisco product provides next-generation firewall (NGFW) capabilities, including application visibility and intrusion prevention?
73. A security administrator is implementing a zero-trust architecture. Which two principles are core to the zero-trust model? (Choose two.)
74. An organization is experiencing a DDoS attack that floods the network with large volumes of traffic, overwhelming bandwidth. Which three types of DDoS attacks are primarily volumetric? (Choose three.)
75. A security team is investigating a breach where the attacker gained access to a server using stolen credentials. Later, the attacker moved laterally and exfiltrated data. Which three security controls would best help detect and prevent lateral movement? (Choose three.)
76. A security engineer is implementing a zero trust architecture. Which TWO principles are foundational to zero trust? (Choose two.)
77. An organization is experiencing repeated SQL injection attacks. A security analyst is tasked with recommending mitigations. Which THREE actions are most effective in preventing SQL injection? (Choose three.)
78. A network administrator is configuring PKI for secure communications. Which TWO components are essential for a public key infrastructure? (Choose two.)
79. A security analyst is investigating a malware outbreak. Analysis reveals a remote access trojan (RAT) that communicates with a command-and-control (C2) server. Which TWO behaviors are typical of a RAT? (Choose two.)
80. An organization is adopting Cisco's security portfolio. Which THREE products are correctly paired with their primary function? (Choose three.)
The Security Concepts domain covers the key concepts tested in this area of the 350-701 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-701 domains — no account required.
The Courseiva 350-701 question bank contains 80 questions in the Security Concepts domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Concepts domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.