© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Network Intrusion Analysis

Practice 200-201 Network Intrusion Analysis questions with full explanations on every answer.

99 questions


All 200-201 Network Intrusion Analysis questions (99)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1. During a network intrusion analysis, a security analyst observes repeated TCP SYN packets sent to a range of ports on a target host, each followed by an RST response. No subsequent ACK packets are observed. Which phase of the Cyber Kill Chain is the attacker most likely executing?
2. An analyst reviewing network alerts notices a rule triggered for 'ET SCAN NMAP -sU scan' based on traffic to a Linux server. The packet capture shows multiple UDP packets to various ports, and for closed ports, the server responds with ICMP Destination Unreachable (Port Unreachable). Which type of scan is being performed, and how should the analyst classify this alert?
3. A security analyst is investigating an alert that indicates a potential SQL injection attack. Which of the following HTTP request patterns is most indicative of a SQL injection attempt?
4. An analyst detects traffic from an internal host that periodically sends small DNS queries to a domain with high entropy subdomains (e.g., 'a3k9f2.example.com'). The domain is not on any blocklist, and the query intervals are consistent every 60 seconds. Which technique is most likely being used?
5. During an incident response, an analyst extracts a file from a PCAP using Wireshark's 'Export Objects' feature. The file contains shellcode that uses NOP sleds and encodes a reverse shell command. Which Cyber Kill Chain phase does this file represent?
6. An analyst is investigating lateral movement and observes SMB authentication attempts from host A to multiple other hosts using NTLM authentication with a hash value instead of a password. Which attack technique is most likely being used?
7. A network analyst is examining a PCAP file and applies the Wireshark display filter 'http.request'. The results show several POST requests to '/login.php' with parameters containing 'username=admin&password=secret'. What type of attack is indicated?
8. An intrusion detection system alerts on traffic that appears to be a command and control (C2) beacon. Which of the following characteristics is most typical of beaconing traffic?
9. An analyst detects a large outbound FTP transfer from a sensitive server to an external IP address not previously seen. The file being transferred is a compressed archive containing database dumps. Which Cyber Kill Chain phase is most directly indicated?
10. A security analyst is reviewing PCAP data and sees a TCP stream with interactive shell commands such as 'whoami', 'ls -la', and 'cat /etc/passwd'. The session appears to be bidirectional with a remote IP. Which type of attack is most likely occurring?
11. An analyst receives an alert for 'ET WEB_SERVER Possible SQL Injection Attempt' triggered by a URL parameter containing ' OR 1=1--'. After investigating, the analyst confirms that the web application is not vulnerable to SQL injection and the request was a benign test. How should this alert be classified?
12. During an intrusion analysis, an analyst identifies that an attacker used a domain generation algorithm (DGA) to resolve C2 domains. Which of the following traffic patterns is most consistent with DGA?
13. A security analyst is investigating a suspected data exfiltration incident. Which TWO of the following indicators are most consistent with exfiltration over DNS?
14. An analyst is analyzing a PCAP from a compromised host. Which THREE of the following are common indicators of exploitation attempts in network traffic?
15. An analyst is examining network alerts for lateral movement. Which TWO of the following are typical indicators of lateral movement using SMB?
16. A security analyst observes repeated ICMP port unreachable responses from a target host. The source IP is sending packets to multiple UDP ports. Which type of scan is most likely being performed?
17. During an intrusion analysis, a SOC analyst reviews logs showing an outbound connection from an internal host to an external IP at 03:00 AM every 60 seconds. The traffic is HTTPS to a suspicious domain with a high entropy name. Which phase of the Cyber Kill Chain does this activity represent?
18. An analyst is reviewing alerts from an IDS. A signature matched 'script' and 'alert' in HTTP request parameters. The analyst inspects the packet and sees <script>alert('XSS')</script> in the URI. What is the most accurate classification of this alert?
19. In a PCAP analysis, an analyst uses the filter 'http.request.uri contains "UNION"' and finds multiple HTTP requests with 'SELECT' and 'UNION SELECT' in the URI parameter. Which type of attack is likely occurring?
20. An analyst examines PCAP and sees multiple SMB sessions from internal host 10.1.1.10 to 10.1.1.20, 10.1.1.30, and 10.1.1.40 within seconds. The NTLM authentication contains a hash parameter that is identical across sessions. Which lateral movement technique is most likely being used?
21. An analyst observes a series of DNS queries for subdomains like 'ZGVzdGluYXRpb24=.malicious.com' where the subdomain part appears base64-encoded. The volume of DNS traffic from a single host is unusually high. Which exfiltration technique is most likely in use?
22. During incident response, an analyst extracts files from a PCAP using Wireshark's Export Objects feature. One extracted file is a PDF that triggers an IDS alert for 'Exploit:PDF/HeapSpray'. Which technique does this alert describe?
23. A SOC analyst sees an alert for 'Possible SQL Injection' on a web server. Reviewing the PCAP, the analyst finds the parameter 'id=1 OR 1=1' in the HTTP request. However, the web server returns a normal page with no signs of compromise. What is the correct classification?
24. An analyst captures traffic and sees a TCP connection with only a SYN packet and an RST response. No SYN-ACK is observed. Which scan technique is this?
25. A threat hunter identifies a binary that uses a Domain Generation Algorithm (DGA) to create domain names like 'eksdghf23.com', 'mzncxv89.net' each day. The malware contacts these domains over HTTPS. Which phase of the Cyber Kill Chain is most directly associated with this technique?
26. An analyst reviews network logs and sees a large outbound FTP transfer of 500 MB from a workstation to an external IP at 2:00 AM. The workstation regularly sends 10 MB daily. What should the analyst suspect?
27. An analyst filters PCAP with 'tcp.stream eq 0' and sees an interactive shell session with commands like 'whoami', 'ls -la', 'cd /etc'. The session originated from an HTTP POST to a web shell. Which type of attack is this?
28. An analyst identifies an alert for 'ET TROJAN Win32/DarkComet RAT Beacon'. The analyst confirms the host is infected. Which TWO phases of the Cyber Kill Chain have been completed prior to this C2 beacon? (Choose two.)
29. A SOC analyst is investigating a suspected data exfiltration. Which THREE indicators in network traffic are most consistent with exfiltration? (Choose three.)
30. An analyst is reviewing PCAP from a network intrusion. The attacker used a payload with ROP gadgets and shellcode. Which TWO exploitation indicators are associated with this attack? (Choose two.)
31. An analyst observes an alert triggered by a single SYN packet to a closed port. The packet did not complete a TCP handshake. What type of attack does this most likely indicate?
32. During alert triage, an analyst determines that an alert fired but no actual attack or malicious activity occurred on the network. How should this alert be classified?
33. An analyst reviews PCAP traffic and sees a series of HTTP POST requests from an internal host to an external IP at exactly 60-second intervals. The payload size is consistent. Which phase of the Cyber Kill Chain does this activity most likely represent?
34. While analyzing a PCAP, an analyst uses the Wireshark filter 'http.request' and finds a URI parameter containing '%27%20UNION%20SELECT%201,2,3%20--'. What type of attack is indicated?
35. An analyst detects multiple SMB authentication attempts from a single internal host to several other internal hosts using NTLM hashes instead of plaintext passwords. Which technique is most likely being used?
36. An analyst notices that a DNS query for 'www.attacker.com' contains a long subdomain with Base64-encoded data. This activity is observed every 5 minutes. What exfiltration technique is most likely in use?
37. In a PCAP, an analyst sees a large outbound data transfer over FTP to an external IP address during non-business hours. The source host is a database server. Which phase of the Cyber Kill Chain does this represent?
38. An analyst is reviewing PCAP and sees a TCP stream with a Wireshark filter 'tcp.stream eq 0'. The conversation shows an interactive shell session with commands like 'whoami' and 'ls'. This is most likely evidence of what?
39. An analyst examines a PCAP and finds a series of UDP packets sent to multiple ports on a target. The target responds with ICMP 'Destination Unreachable (Port Unreachable)' messages for each port. What type of scan is being performed?
40. A security analyst is investigating a potential exploit. The PCAP shows an HTTP POST request containing a long string of characters that, when decoded, reveals a series of return-oriented programming (ROP) gadgets. What is the likely purpose of this payload?
41. During a forensic analysis, an analyst uses NetworkMiner to extract files from a PCAP. One of the extracted files contains a PE executable with a known signature of a malware variant. Which phase of the Cyber Kill Chain does the file transfer most likely represent?
42. An analyst detects HTTPS traffic to a domain that was registered only 24 hours ago and has no web content. The traffic occurs at odd hours and with consistent packet sizes. What technique is likely being used for C2?
43. An analyst identifies a series of SMB authentication attempts from a compromised host to multiple internal servers. The authentication uses NTLM hashes. Which TWO techniques are most likely being used for lateral movement? (Select 2)
44. During an incident, an analyst observes the following in PCAP: (1) DNS queries with random-looking subdomains to a known malicious domain, (2) large outbound FTP transfers of .zip files, (3) HTTP POST requests with Base64-encoded data in the body. Which THREE exfiltration techniques are being used? (Select 3)
45. An analyst reviews a PCAP and sees HTTP requests containing script tags and event handlers such as 'onload' and 'onerror'. Additionally, the URI contains 'alert(1)'. Which TWO types of attacks are indicated? (Select 2)
46. In the Cyber Kill Chain, which phase involves sending a malicious attachment to a targeted user?
47. A security analyst receives an alert for a known malware signature in an outbound file transfer. After investigation, the file is confirmed as benign software. This alert is classified as:
48. During a SYN scan, an attacker sends a SYN packet to a closed port on a target. What response does the target typically send back?
49. Which type of attack is indicated by a series of SMB authentication attempts from one host to multiple other hosts in a short time frame?
50. A security analyst observes periodic outbound HTTPS connections to an unusual domain that resolves to different IP addresses each time. This behavior is most indicative of:
51. A PCAP contains an HTTP POST request with a parameter containing "UNION SELECT username, password FROM users". This is evidence of:
52. Which Wireshark filter can be used to extract the full TCP data of a specific conversation from a PCAP?
53. A network analyst finds a PCAP with a series of DNS queries for subdomains like "data12345.example.com" and "data67890.example.com" where the subdomain names appear to contain encoded base64 data. This pattern suggests:
54. In a PCAP, an analyst sees an interactive shell session over TCP with irregular command prompts and responses. Which tool was likely used to generate this traffic?
55. An alert shows a high volume of outbound traffic from an internal host to an external IP using FTP. The data includes files with names matching internal document names. This activity is most likely:
56. In Wireshark, which filter can be used to quickly find all HTTP requests that contain a specific keyword in the URL?
57. Which MITRE ATT&CK tactic corresponds to the Cyber Kill Chain phase 'Actions on Objectives'?
58. A security analyst is investigating a PCAP that shows multiple failed SMB authentication attempts from a single host to different IP addresses, followed by a successful authentication. Which TWO techniques are likely being used?
59. A PCAP contains the following patterns: (1) A TCP connection with a complete handshake to an external IP on port 443, (2) periodic data transfers every 60 seconds of approximately 1 KB, (3) the domain name in the TLS SNI field is generated by a DGA. Which THREE indicators are present?
60. An analyst identifies HTTP traffic containing the string "<script>alert('XSS')</script>" in the URL parameter. Which TWO attack types are likely being attempted?
61. During the Cyber Kill Chain, which phase involves sending a malicious attachment to a target user via email?
62. An analyst observes repeated TCP SYN packets to various ports on a target IP with no SYN-ACK responses. What type of scan is most likely being performed?
63. An intrusion detection system alerts on HTTP traffic containing the string 'UNION SELECT' in the URI parameter. This is most indicative of what type of attack?
64. During alert triage, an analyst determines that an alert was triggered by legitimate administrative activity. How should this alert be classified?
65. An analyst notices periodic HTTP GET requests to a suspicious domain every 60 seconds. The payload size is small and consistent. This behavior is characteristic of which phase of the Cyber Kill Chain?
66. In network forensics, which Wireshark filter would be used to reconstruct a TCP conversation between two hosts?
67. An analyst detects an attack where the attacker uses NTLM authentication with a hashed password instead of the plaintext password. This technique is known as:
68. Which of the following is a common indicator of DNS tunneling used for exfiltration?
69. An analyst analyzing a PCAP sees a series of TCP connections where the client sends data with interactive patterns and receives commands. This is most likely indicative of:
70. In the MITRE ATT&CK framework, TTPs are mapped to:
71. An analyst observes a large outbound FTP transfer to an external IP address from a server that normally does not generate such traffic. This is most likely an indicator of:
72. Which tool can be used to extract files from a PCAP file for further analysis?
73. An analyst is investigating a potential malware infection. Which TWO of the following are indicators of command and control (C2) communication?
74. During an incident response, an analyst finds evidence of lateral movement. Which THREE of the following are common techniques used for lateral movement?
75. Which TWO of the following are valid classifications for alerts during triage?
76. During network intrusion analysis, an analyst reviews logs and observes an alert for a TCP SYN scan. Which characteristic of a SYN scan would the analyst look for in packet captures?
77. An analyst is investigating a potential DNS tunneling attack. Which characteristic in DNS traffic would most likely indicate DNS tunneling?
78. In the Cyber Kill Chain model, which phase involves delivering the exploit to the target, such as via email attachment or malicious link?
79. An analyst is reviewing a PCAP and sees multiple HTTP requests with the parameter 'id=1 UNION SELECT username,password FROM users'. What type of attack is being attempted?
80. During a network intrusion investigation, an analyst notices repeated SMB authentication attempts from a single host to multiple other hosts using different usernames. Which type of activity does this pattern suggest?
81. An analyst is monitoring network traffic and observes a host making outbound HTTPS connections to a domain that appears to be generated by a Domain Generation Algorithm (DGA). Which phase of the Cyber Kill Chain best describes this activity?
82. An analyst is investigating a PCAP file and wants to reconstruct a conversation between two hosts. Which Wireshark filter would be most appropriate to follow the entire TCP stream?
83. During an incident response, an analyst identifies a PCAP containing an HTTP POST request to a suspicious external IP with a large payload. The response is not typical for web applications. What type of activity is most likely occurring?
84. An analyst reviews an alert that triggered on a network signature for 'shellcode' in a payload. The payload contains a sequence of NOP sleds followed by executable code. Which type of exploitation technique does this indicate?
85. An analyst is analyzing a PCAP and sees multiple ICMP port unreachable responses from a target host when scanning UDP ports. What does this indicate about the scanned ports?
86. An analyst is investigating a host that is making outbound HTTPS connections to multiple random-looking domains, each with a short TTL. The domains are not in any threat intelligence feeds. Which technique is most likely being used?
87. An analyst identifies a PCAP with a reverse shell session. Which characteristic in the traffic would most likely indicate an interactive shell session?
88. An analyst is triaging alerts and encounters a scenario where an IDS alerted on a network scan, but further investigation reveals the traffic was from a legitimate vulnerability scanner. Which TWO terms best describe this alert?
89. An analyst observes a host making outbound connections to a server on TCP port 443, with traffic patterns showing small packets at regular 60-second intervals. The destination IP is in a country where the company does no business. Which THREE characteristics suggest this is C2 beaconing?
90. An analyst is examining a PCAP for signs of a pass-the-hash attack. Which THREE indicators would be consistent with pass-the-hash?
91. A security analyst observes a large number of SYN packets sent to various ports on a target host, receiving RST responses for closed ports and no response for open ports. Which phase of the Cyber Kill Chain does this activity represent?
92. During a PCAP analysis, a security analyst notices an HTTP request with the URI parameter 'id=1 UNION SELECT username,password FROM users--'. What is the most likely attack being attempted?
93. Which TWO of the following are typical indicators of a C2 beaconing communication?
94. An analyst is reviewing alerts from an IDS and needs to classify them. Which THREE of the following are valid alert classification types?
95. A network analyst is investigating a suspected DNS tunneling attack. Which THREE of the following are indicators of DNS tunneling?
96. An analyst is examining a PCAP file for signs of lateral movement. Which TWO of the following are typical indicators of lateral movement using pass-the-hash?
97. In the Cyber Kill Chain, which TWO phases occur after the attacker establishes command and control (C2)?
98. A security analyst is investigating a PCAP and sees the following HTTP POST request: POST /login HTTP/1.1 ... username=admin&password=letmein. Which TWO attack indicators are present?
99. During PCAP analysis, a security analyst observes the following pattern: a series of TCP SYN packets to multiple ports on a target, followed by RST packets from the target for closed ports. Which TWO characteristics describe this scan?


Frequently asked questions

What does the Network Intrusion Analysis domain cover on the 200-201 exam?

The Network Intrusion Analysis domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.

How many Network Intrusion Analysis questions are in the 200-201 question bank?

The Courseiva 200-201 question bank contains 99 questions in the Network Intrusion Analysis domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Network Intrusion Analysis for 200-201?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Network Intrusion Analysis questions for 200-201?

Yes — the session launcher on this page draws questions exclusively from the Network Intrusion Analysis domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
