Reinforce 200-201 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For 200-201 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the 200-201 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your 200-201 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real 200-201 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass 200-201.
Sample cards from the 200-201 flashcard bank. Read the question, think of the answer, then read the explanation below.
An analyst is monitoring network traffic and observes a large number of TCP SYN packets sent to a single host on various ports with no corresponding SYN-ACK replies. This behavior is most indicative of which type of attack?
SYN flood attack
A SYN flood exploits the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting resources. The lack of SYN-ACK replies indicates the target is overwhelmed.
During a network intrusion analysis, a security analyst observes repeated TCP SYN packets sent to a range of ports on a target host, each followed by an RST response. No subsequent ACK packets are observed. Which phase of the Cyber Kill Chain is the attacker most likely executing?
Reconnaissance
The SYN scan is a reconnaissance technique used to identify open ports without completing the TCP handshake. The RST response indicates the port is closed, and the lack of ACK means the handshake was intentionally not completed, characteristic of a SYN scan.
During which phase of the NIST SP 800-61 Rev 2 incident response process should an organization develop and exercise the incident response plan?
Preparation
Preparation includes creating the IR plan, team, tools, and conducting exercises. The other phases occur after an incident is detected.
An analyst is investigating a Windows host suspected of malware persistence. Which registry key is commonly used by malware to run a program every time a user logs in, located under both HKLM and HKCU?
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The Run and RunOnce keys under HKLM and HKCU are common persistence mechanisms. Malware often adds entries here to execute automatically at user logon.
Which element of the CIA triad is primarily concerned with preventing unauthorized access to data?
Confidentiality
Confidentiality is the CIA triad element that ensures data is accessible only to authorized users. It is primarily enforced through encryption (e.g., AES-256 for data at rest, TLS 1.3 for data in transit) and access control mechanisms (e.g., RBAC, ACLs). Preventing unauthorized access directly aligns with confidentiality's goal of protecting data from disclosure.
A security analyst observes repeated failed login attempts to an internal web server from multiple external IP addresses. The analyst creates a correlation rule that triggers an alert if more than 10 failed logins occur from a single source IP within 5 minutes. After deploying the rule, the analyst finds that the rule generates false positives from legitimate users who mistype passwords. Which action should the analyst take to reduce false positives while maintaining detection effectiveness?
Increase the threshold to 15 failed logins within a 10-minute window.
Option D is correct because increasing the threshold to 15 failed logins within a 10-minute window reduces false positives by allowing more mistyped attempts from legitimate users before triggering an alert, while still detecting brute-force attacks. The longer time window and higher threshold smooth out transient user errors without significantly delaying detection of sustained attack patterns.
A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?
Run 'netstat -b' on the Windows host to display active connections with the associated process executable.
Running 'netstat -b' on a Windows host displays active TCP connections along with the executable name of the process that created each connection. This directly correlates the outbound connection to the malicious IP with the specific process, which is exactly what the analyst needs to identify the pivot point.
An analyst reviews the ACL applied to the outside interface of a router. The analyst notices that traffic from 192.168.1.0/24 to 10.10.10.10 on port 443 is permitted, but all other traffic is denied and logged. Which of the following is a potential security issue with this ACL?
The deny statement with logging may generate excessive logs, potentially masking attacks.
The ACL has a single permit statement for traffic from 192.168.1.0/24 to 10.10.10.10 on port 443, followed by an implicit deny all that is logged. This means every packet that does not match the permit rule generates a log entry. In a production environment, even normal background noise (e.g., scans, broadcast traffic) can produce thousands of log messages per second, overwhelming syslog storage and masking malicious activity. The core issue is that logging on the deny-all can cause log flooding, not that the permit lacks logging.
Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?
Brute force attempt on Telnet service
The log shows repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23, which is the default port for Telnet. Multiple failed connection attempts to a Telnet service indicate a brute force attack, where an attacker tries to guess credentials by repeatedly attempting to log in.
An analyst needs to establish a normal traffic pattern baseline for the network. Which activity is most appropriate for this purpose?
Capture traffic over a period of normal operation, such as a week
Option D is correct because establishing a baseline requires capturing traffic during a period of normal operation, typically over a week, to account for daily and weekly usage patterns. This baseline represents the typical volume, protocol mix, and flow characteristics, enabling the analyst to later detect deviations that may indicate security incidents. Using a representative sample from normal conditions is the foundational step in anomaly-based monitoring.
A SOC analyst is analyzing NetFlow data and notices a sudden spike in outbound traffic from a single internal host to an external IP address during non-business hours. The traffic volume is significantly higher than the baseline. Which suspicion is most likely?
Data exfiltration is occurring
A sudden increase in outbound traffic to a single external IP, especially outside business hours, often indicates data exfiltration.
A SOC analyst is reviewing a NetFlow record and sees that a single internal IP has communicated with multiple external IPs on port 445 (SMB) within a short time frame. Which type of activity is most likely indicated?
SMB scanning or worm propagation
Port 445 is used by SMB for file sharing, but a single internal IP communicating with many external IPs in a short time frame is characteristic of scanning or worm propagation. Worms like EternalBlue exploit SMB vulnerabilities to spread rapidly, generating many outbound connections to random or sequential external IPs on port 445. This pattern is not typical of normal file sharing, which involves sustained connections to known servers.
During a security assessment, a SOC analyst notices an IDS/IPS alert with a severity of 'High' for a signature named 'ET TROJAN Win32.Vobfus Checkin'. The alert shows source IP 10.0.0.5 and destination IP 203.0.113.50 on port 443. What is the most likely interpretation of this alert?
A compromised host attempting to communicate with a command-and-control server over encrypted traffic
The signature 'ET TROJAN Win32.Vobfus Checkin' is a known detection rule for the Vobfus trojan family, which typically establishes command-and-control (C2) communications over HTTPS (port 443) to exfiltrate data or receive instructions. The high severity indicates the IDS/IPS has matched traffic patterns or JA3 hashes associated with this malware's C2 beaconing, making it highly likely that the host at 10.0.0.5 is compromised and communicating with a malicious server at 203.0.113.50.
A company's security policy includes a clause that all software installed on company devices must be approved by the IT department. An employee installs an unapproved application that later causes a malware infection. Which policy was violated?
Acceptable Use Policy
The Acceptable Use Policy (AUP) defines what activities and software are permitted on company devices. By installing an unapproved application without IT authorization, the employee violated the AUP, which directly led to the malware infection. This policy is the primary control for preventing unauthorized software installations that bypass security baselines.
Refer to the exhibit. A security policy states that all remote desktop (RDP) and Telnet access from external networks must be blocked. Does the above access-list comply with the policy?
Yes, because it denies RDP and Telnet.
Option A is correct because the access-list explicitly denies TCP port 3389 (RDP) and TCP port 23 (Telnet), which matches the security policy requirement to block all remote desktop and Telnet access from external networks. The implicit deny at the end of the access-list ensures that any traffic not explicitly permitted is blocked, so the policy is fully enforced.
Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?
The ACL is not blocking traffic because the deny line has 0 matches.
Option B is correct because the ACL counters show 0 matches for the deny line that is intended to block traffic to the malicious host on port 443. This indicates that no traffic matching the deny condition has been processed by the ACL, meaning the rule is not being triggered. Since the ACL is applied inbound on the external interface, traffic from the external network destined for the malicious host should match the deny line if it is correctly configured; the 0 matches suggest the ACL is not blocking the intended traffic.
An analyst is reviewing a suspicious email reported by a user. The email contains an attachment 'invoice.pdf' and urges the user to open it. Which indicator is most likely to confirm it is a phishing attempt?
The email was sent from a domain that looks like 'arnazon.com'.
The most definitive indicator of a phishing attempt is a spoofed sender domain that mimics a legitimate company (e.g., 'arnazon.com' instead of 'amazon.com'). This is a classic typosquatting technique used to deceive users into trusting the email's origin. While other elements like logos or PDF attachments can be part of a phishing campaign, they are not inherently malicious and are commonly used in legitimate business communications.
Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?
The process path is in the Downloads folder.
The process path in the Downloads folder is the most significant indicator because it suggests the executable was downloaded from the internet, a common vector for malware delivery. Attackers frequently use social engineering to trick users into saving malicious files to the Downloads folder, which then execute and initiate infection chains. In EDR analysis, execution from user-writable directories like Downloads is a high-fidelity alert, as legitimate software is rarely launched from this location.
Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?
The host is likely infected with malware
The correct answer is C because the IDS alerts indicate the same source IP is communicating with a known malicious domain (evil.com) using a suspicious user-agent string. This pattern of repeated connections to a known bad destination is characteristic of malware beaconing or command-and-control (C2) traffic, not a false positive or benign activity.
An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?
ICMP tunneling
ICMP tunneling encapsulates non-ICMP data (e.g., command-and-control traffic) within ICMP echo request/reply packets. The random payload data and larger-than-typical payload size are hallmarks of this technique, as the attacker uses the ICMP protocol to bypass firewalls and exfiltrate data or establish covert communication.
You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?
Isolate the host from the network to prevent further C2 communication
Option A is correct because the immediate priority when confirmed C2 communication is detected is to contain the threat by isolating the host from the network. The combination of outbound HTTPS connections to known C2 servers and algorithmically generated domain (AGD) DNS queries strongly indicates active malware infection. Isolating the host (e.g., via network access control or switch port shutdown) stops data exfiltration and further command reception, which is the first step in incident response containment before any analysis or remediation.
A Linux host has an unusual cron job that runs a script from /tmp every minute. The analyst checks /etc/crontab and /var/spool/cron/ but finds nothing. Where else could the cron job be defined?
/etc/cron.d/
The cron job is defined in /etc/cron.d/ because this directory allows system administrators to drop individual cron configuration files that are parsed by the cron daemon. Unlike /etc/crontab and /var/spool/cron/ (which contain user-specific crontabs), /etc/cron.d/ is a standard location for package-maintained or custom cron jobs that run with system privileges. The fact that the analyst found nothing in the other two locations strongly suggests the job is defined in /etc/cron.d/.
During a host-based analysis, an analyst discovers a suspicious service on a Windows machine. Which tool or command can be used to query the service configuration?
sc query
The 'sc' command-line tool (Service Control) can query and modify services. 'sc query' shows the status, and 'sc qc' shows the configuration.
The 200-201 flashcard bank covers all 5 official blueprint domains published by Cisco. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Security Monitoring
Network Intrusion Analysis
Security Policies and Procedures
Host-Based Analysis
Security Concepts
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that 200-201 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.200-201 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective 200-201 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free 200-201 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1000+ original 200-201 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Cisco exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official 200-201 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included