© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

200-201 Network Intrusion Analysis • Complete Question Bank

200-201 Network Intrusion Analysis — All Questions With Answers

Complete 200-201 Network Intrusion Analysis question bank — all 0 questions with answers and detailed explanations.

Question 1 (medium, multiple choice)

During a network intrusion analysis, a security analyst observes repeated TCP SYN packets sent to a range of ports on a target host, each followed by an RST response. No subsequent ACK packets are observed. Which phase of the Cyber Kill Chain is the attacker most likely executing?

Question 2 (hard, multiple choice)

An analyst reviewing network alerts notices a rule triggered for 'ET SCAN NMAP -sU scan' based on traffic to a Linux server. The packet capture shows multiple UDP packets to various ports, and for closed ports, the server responds with ICMP Destination Unreachable (Port Unreachable). Which type of scan is being performed, and how should the analyst classify this alert?

Question 3 (easy, multiple choice)

A security analyst is investigating an alert that indicates a potential SQL injection attack. Which of the following HTTP request patterns is most indicative of a SQL injection attempt?

Question 4 (medium, multiple choice)

An analyst detects traffic from an internal host that periodically sends small DNS queries to a domain with high entropy subdomains (e.g., 'a3k9f2.example.com'). The domain is not on any blocklist, and the query intervals are consistent every 60 seconds. Which technique is most likely being used?

Question 5 (medium, multiple choice)

During an incident response, an analyst extracts a file from a PCAP using Wireshark's 'Export Objects' feature. The file contains shellcode that uses NOP sleds and encodes a reverse shell command. Which Cyber Kill Chain phase does this file represent?

Question 6 (hard, multiple choice)

An analyst is investigating lateral movement and observes SMB authentication attempts from host A to multiple other hosts using NTLM authentication with a hash value instead of a password. Which attack technique is most likely being used?

Question 7 (medium, multiple choice)

A network analyst is examining a PCAP file and applies the Wireshark display filter 'http.request'. The results show several POST requests to '/login.php' with parameters containing 'username=admin&password=secret'. What type of attack is indicated?

Question 8 (easy, multiple choice)

An intrusion detection system alerts on traffic that appears to be a command and control (C2) beacon. Which of the following characteristics is most typical of beaconing traffic?

Question 9 (hard, multiple choice)

An analyst detects a large outbound FTP transfer from a sensitive server to an external IP address not previously seen. The file being transferred is a compressed archive containing database dumps. Which Cyber Kill Chain phase is most directly indicated?

Question 10 (medium, multiple choice)

A security analyst is reviewing PCAP data and sees a TCP stream with interactive shell commands such as 'whoami', 'ls -la', and 'cat /etc/passwd'. The session appears to be bidirectional with a remote IP. Which type of attack is most likely occurring?

Question 11 (easy, multiple choice)

An analyst receives an alert for 'ET WEB_SERVER Possible SQL Injection Attempt' triggered by a URL parameter containing ' OR 1=1--'. After investigating, the analyst confirms that the web application is not vulnerable to SQL injection and the request was a benign test. How should this alert be classified?

Question 12 (medium, multiple choice)

During an intrusion analysis, an analyst identifies that an attacker used a domain generation algorithm (DGA) to resolve C2 domains. Which of the following traffic patterns is most consistent with DGA?

Question 13 (medium, multi select)

A security analyst is investigating a suspected data exfiltration incident. Which TWO of the following indicators are most consistent with exfiltration over DNS?

Question 14 (hard, multi select)

An analyst is analyzing a PCAP from a compromised host. Which THREE of the following are common indicators of exploitation attempts in network traffic?

Question 15 (medium, multi select)

An analyst is examining network alerts for lateral movement. Which TWO of the following are typical indicators of lateral movement using SMB?

Question 16 (easy, multiple choice)

A security analyst observes repeated ICMP port unreachable responses from a target host. The source IP is sending packets to multiple UDP ports. Which type of scan is most likely being performed?

Question 17 (medium, multiple choice)

During an intrusion analysis, a SOC analyst reviews logs showing an outbound connection from an internal host to an external IP at 03:00 AM every 60 seconds. The traffic is HTTPS to a suspicious domain with a high entropy name. Which phase of the Cyber Kill Chain does this activity represent?

Question 18 (medium, multiple choice)

An analyst is reviewing alerts from an IDS. A signature matched 'script' and 'alert' in HTTP request parameters. The analyst inspects the packet and sees <script>alert('XSS')</script> in the URI. What is the most accurate classification of this alert?

Question 19 (easy, multiple choice)

In a PCAP analysis, an analyst uses the filter 'http.request.uri contains "UNION"' and finds multiple HTTP requests with 'SELECT' and 'UNION SELECT' in the URI parameter. Which type of attack is likely occurring?

Question 20 (hard, multiple choice)

An analyst examines PCAP and sees multiple SMB sessions from internal host 10.1.1.10 to 10.1.1.20, 10.1.1.30, and 10.1.1.40 within seconds. The NTLM authentication contains a hash parameter that is identical across sessions. Which lateral movement technique is most likely being used?

Question 21 (medium, multiple choice)

An analyst observes a series of DNS queries for subdomains like 'ZGVzdGluYXRpb24= .malicious.com' where the subdomain part appears base64-encoded. The volume of DNS traffic from a single host is unusually high. Which exfiltration technique is most likely in use?

Question 22 (hard, multiple choice)

During incident response, an analyst extracts files from a PCAP using Wireshark's Export Objects feature. One extracted file is a PDF that triggers an IDS alert for 'Exploit:PDF/HeapSpray'. Which technique does this alert describe?

Question 23 (medium, multiple choice)

A SOC analyst sees an alert for 'Possible SQL Injection' on a web server. Reviewing the PCAP, the analyst finds the parameter 'id=1 OR 1=1' in the HTTP request. However, the web server returns a normal page with no signs of compromise. What is the correct classification?

Question 24 (easy, multiple choice)

An analyst captures traffic and sees a TCP connection with only a SYN packet and an RST response. No SYN-ACK is observed. Which scan technique is this?

Question 25 (hard, multiple choice)

A threat hunter identifies a binary that uses a Domain Generation Algorithm (DGA) to create domain names like 'eksdghf23.com', 'mzncxv89.net' each day. The malware contacts these domains over HTTPS. Which phase of the Cyber Kill Chain is most directly associated with this technique?

Question 26 (medium, multiple choice)

An analyst reviews network logs and sees a large outbound FTP transfer of 500 MB from a workstation to an external IP at 2:00 AM. The workstation regularly sends 10 MB daily. What should the analyst suspect?

Question 27 (medium, multiple choice)

An analyst filters PCAP with 'tcp.stream eq 0' and sees an interactive shell session with commands like 'whoami', 'ls -la', 'cd /etc'. The session originated from an HTTP POST to a web shell. Which type of attack is this?

Question 28 (medium, multi select)

An analyst identifies an alert for 'ET TROJAN Win32/DarkComet RAT Beacon'. The analyst confirms the host is infected. Which TWO phases of the Cyber Kill Chain have been completed prior to this C2 beacon? (Choose two.)

Question 29 (hard, multi select)

A SOC analyst is investigating a suspected data exfiltration. Which THREE indicators in network traffic are most consistent with exfiltration? (Choose three.)

Question 30 (hard, multi select)

An analyst is reviewing PCAP from a network intrusion. The attacker used a payload with ROP gadgets and shellcode. Which TWO exploitation indicators are associated with this attack? (Choose two.)

Question 31 (easy, multiple choice)

An analyst observes an alert triggered by a single SYN packet to a closed port. The packet did not complete a TCP handshake. What type of attack does this most likely indicate?

Question 32 (easy, multiple choice)

During alert triage, an analyst determines that an alert fired but no actual attack or malicious activity occurred on the network. How should this alert be classified?

Question 33 (medium, multiple choice)

An analyst reviews PCAP traffic and sees a series of HTTP POST requests from an internal host to an external IP at exactly 60-second intervals. The payload size is consistent. Which phase of the Cyber Kill Chain does this activity most likely represent?

Question 34 (medium, multiple choice)

While analyzing a PCAP, an analyst uses the Wireshark filter 'http.request' and finds a URI parameter containing '%27%20UNION%20SELECT%201,2,3%20--'. What type of attack is indicated?

Question 35 (medium, multiple choice)

An analyst detects multiple SMB authentication attempts from a single internal host to several other internal hosts using NTLM hashes instead of plaintext passwords. Which technique is most likely being used?

Question 36 (medium, multiple choice)

An analyst notices that a DNS query for 'www.attacker.com' contains a long subdomain with Base64-encoded data. This activity is observed every 5 minutes. What exfiltration technique is most likely in use?

Question 37 (medium, multiple choice)

In a PCAP, an analyst sees a large outbound data transfer over FTP to an external IP address during non-business hours. The source host is a database server. Which phase of the Cyber Kill Chain does this represent?

Question 38 (medium, multiple choice)

An analyst is reviewing PCAP and sees a TCP stream with a Wireshark filter 'tcp.stream eq 0'. The conversation shows an interactive shell session with commands like 'whoami' and 'ls'. This is most likely evidence of what?

Question 39 (hard, multiple choice)

An analyst examines a PCAP and finds a series of UDP packets sent to multiple ports on a target. The target responds with ICMP 'Destination Unreachable (Port Unreachable)' messages for each port. What type of scan is being performed?

Question 40 (hard, multiple choice)

A security analyst is investigating a potential exploit. The PCAP shows an HTTP POST request containing a long string of characters that, when decoded, reveals a series of return-oriented programming (ROP) gadgets. What is the likely purpose of this payload?

Question 41 (hard, multiple choice)

During a forensic analysis, an analyst uses NetworkMiner to extract files from a PCAP. One of the extracted files contains a PE executable with a known signature of a malware variant. Which phase of the Cyber Kill Chain does the file transfer most likely represent?

Question 42 (easy, multiple choice)

An analyst detects HTTPS traffic to a domain that was registered only 24 hours ago and has no web content. The traffic occurs at odd hours and with consistent packet sizes. What technique is likely being used for C2?

Question 43 (medium, multi select)

An analyst identifies a series of SMB authentication attempts from a compromised host to multiple internal servers. The authentication uses NTLM hashes. Which TWO techniques are most likely being used for lateral movement? (Select 2)

Question 44 (hard, multi select)

During an incident, an analyst observes the following in PCAP: (1) DNS queries with random-looking subdomains to a known malicious domain, (2) large outbound FTP transfers of .zip files, (3) HTTP POST requests with Base64-encoded data in the body. Which THREE exfiltration techniques are being used? (Select 3)

Question 45 (medium, multi select)

An analyst reviews a PCAP and sees HTTP requests containing script tags and event handlers such as 'onload' and 'onerror'. Additionally, the URI contains 'alert(1)'. Which TWO types of attacks are indicated? (Select 2)

Question 46 (easy, multiple choice)

In the Cyber Kill Chain, which phase involves sending a malicious attachment to a targeted user?

Question 47 (easy, multiple choice)

A security analyst receives an alert for a known malware signature in an outbound file transfer. After investigation, the file is confirmed as benign software. This alert is classified as:

Question 48 (medium, multiple choice)

During a SYN scan, an attacker sends a SYN packet to a closed port on a target. What response does the target typically send back?

Question 49 (medium, multiple choice)

Which type of attack is indicated by a series of SMB authentication attempts from one host to multiple other hosts in a short time frame?

Question 50 (medium, multiple choice)

A security analyst observes periodic outbound HTTPS connections to an unusual domain that resolves to different IP addresses each time. This behavior is most indicative of:

Question 51 (medium, multiple choice)

A PCAP contains an HTTP POST request with a parameter containing "UNION SELECT username, password FROM users". This is evidence of:

Question 52 (medium, multiple choice)

Which Wireshark filter can be used to extract the full TCP data of a specific conversation from a PCAP?

Question 53 (hard, multiple choice)

A network analyst finds a PCAP with a series of DNS queries for subdomains like "data12345.example.com" and "data67890.example.com" where the subdomain names appear to contain encoded base64 data. This pattern suggests:

Question 54 (hard, multiple choice)

In a PCAP, an analyst sees an interactive shell session over TCP with irregular command prompts and responses. Which tool was likely used to generate this traffic?

Question 55 (hard, multiple choice)

An alert shows a high volume of outbound traffic from an internal host to an external IP using FTP. The data includes files with names matching internal document names. This activity is most likely:

Question 56 (medium, multiple choice)

In Wireshark, which filter can be used to quickly find all HTTP requests that contain a specific keyword in the URL?

Question 57 (easy, multiple choice)

Which MITRE ATT&CK tactic corresponds to the Cyber Kill Chain phase 'Actions on Objectives'?

Question 58 (medium, multi select)

A security analyst is investigating a PCAP that shows multiple failed SMB authentication attempts from a single host to different IP addresses, followed by a successful authentication. Which TWO techniques are likely being used?

Question 59 (hard, multi select)

A PCAP contains the following patterns: (1) A TCP connection with a complete handshake to an external IP on port 443, (2) periodic data transfers every 60 seconds of approximately 1 KB, (3) the domain name in the TLS SNI field is generated by a DGA. Which THREE indicators are present?

Question 60 (medium, multi select)

An analyst identifies HTTP traffic containing the string "<script>alert('XSS')</script>" in the URL parameter. Which TWO attack types are likely being attempted?

Question 61 (easy, multiple choice)

During the Cyber Kill Chain, which phase involves sending a malicious attachment to a target user via email?

Question 62 (medium, multiple choice)

An analyst observes repeated TCP SYN packets to various ports on a target IP with no SYN-ACK responses. What type of scan is most likely being performed?

Question 63 (hard, multiple choice)

An intrusion detection system alerts on HTTP traffic containing the string 'UNION SELECT' in the URI parameter. This is most indicative of what type of attack?

Question 64 (medium, multiple choice)

During alert triage, an analyst determines that an alert was triggered by legitimate administrative activity. How should this alert be classified?

Question 65 (medium, multiple choice)

An analyst notices periodic HTTP GET requests to a suspicious domain every 60 seconds. The payload size is small and consistent. This behavior is characteristic of which phase of the Cyber Kill Chain?

Question 66 (easy, multiple choice)

In network forensics, which Wireshark filter would be used to reconstruct a TCP conversation between two hosts?

Question 67 (hard, multiple choice)

An analyst detects an attack where the attacker uses NTLM authentication with a hashed password instead of the plaintext password. This technique is known as:

Question 68 (medium, multiple choice)

Which of the following is a common indicator of DNS tunneling used for exfiltration?

Question 69 (medium, multiple choice)

An analyst analyzing a PCAP sees a series of TCP connections where the client sends data with interactive patterns and receives commands. This is most likely indicative of:

Question 70 (easy, multiple choice)

In the MITRE ATT&CK framework, TTPs are mapped to:

Question 71 (hard, multiple choice)

An analyst observes a large outbound FTP transfer to an external IP address from a server that normally does not generate such traffic. This is most likely an indicator of:

Question 72 (medium, multiple choice)

Which tool can be used to extract files from a PCAP file for further analysis?

Question 73 (medium, multi select)

An analyst is investigating a potential malware infection. Which TWO of the following are indicators of command and control (C2) communication?

Question 74 (hard, multi select)

During an incident response, an analyst finds evidence of lateral movement. Which THREE of the following are common techniques used for lateral movement?

Question 75 (easy, multi select)

Which TWO of the following are valid classifications for alerts during triage?

Question 76 (easy, multiple choice)

During network intrusion analysis, an analyst reviews logs and observes an alert for a TCP SYN scan. Which characteristic of a SYN scan would the analyst look for in packet captures?

Question 77 (easy, multiple choice)

An analyst is investigating a potential DNS tunneling attack. Which characteristic in DNS traffic would most likely indicate DNS tunneling?

Question 78 (easy, multiple choice)

In the Cyber Kill Chain model, which phase involves delivering the exploit to the target, such as via email attachment or malicious link?

Question 79 (medium, multiple choice)

An analyst is reviewing a PCAP and sees multiple HTTP requests with the parameter 'id=1 UNION SELECT username,password FROM users'. What type of attack is being attempted?

Question 80 (medium, multiple choice)

During a network intrusion investigation, an analyst notices repeated SMB authentication attempts from a single host to multiple other hosts using different usernames. Which type of activity does this pattern suggest?

Question 81 (medium, multiple choice)

An analyst is monitoring network traffic and observes a host making outbound HTTPS connections to a domain that appears to be generated by a Domain Generation Algorithm (DGA). Which phase of the Cyber Kill Chain best describes this activity?

Question 82 (medium, multiple choice)

An analyst is investigating a PCAP file and wants to reconstruct a conversation between two hosts. Which Wireshark filter would be most appropriate to follow the entire TCP stream?

Question 83 (medium, multiple choice)

During an incident response, an analyst identifies a PCAP containing an HTTP POST request to a suspicious external IP with a large payload. The response is not typical for web applications. What type of activity is most likely occurring?

Question 84 (medium, multiple choice)

An analyst reviews an alert that triggered on a network signature for 'shellcode' in a payload. The payload contains a sequence of NOP sleds followed by executable code. Which type of exploitation technique does this indicate?

Question 85 (medium, multiple choice)

An analyst is analyzing a PCAP and sees multiple ICMP port unreachable responses from a target host when scanning UDP ports. What does this indicate about the scanned ports?

Question 86 (hard, multiple choice)

An analyst is investigating a host that is making outbound HTTPS connections to multiple random-looking domains, each with a short TTL. The domains are not in any threat intelligence feeds. Which technique is most likely being used?

Question 87 (hard, multiple choice)

An analyst identifies a PCAP with a reverse shell session. Which characteristic in the traffic would most likely indicate an interactive shell session?

Question 88 (medium, multi select)

An analyst is triaging alerts and encounters a scenario where an IDS alerted on a network scan, but further investigation reveals the traffic was from a legitimate vulnerability scanner. Which TWO terms best describe this alert?

Question 89 (hard, multi select)

An analyst observes a host making outbound connections to a server on TCP port 443, with traffic patterns showing small packets at regular 60-second intervals. The destination IP is in a country where the company does no business. Which THREE characteristics suggest this is C2 beaconing?

Question 90 (hard, multi select)

An analyst is examining a PCAP for signs of a pass-the-hash attack. Which THREE indicators would be consistent with pass-the-hash?

Question 91 (medium, multiple choice)

A security analyst observes a large number of SYN packets sent to various ports on a target host, receiving RST responses for closed ports and no response for open ports. Which phase of the Cyber Kill Chain does this activity represent?

Question 92 (hard, multiple choice)

During a PCAP analysis, a security analyst notices an HTTP request with the URI parameter 'id=1 UNION SELECT username,password FROM users--'. What is the most likely attack being attempted?

Question 93 (easy, multi select)

Which TWO of the following are typical indicators of a C2 beaconing communication?

Question 94 (medium, multi select)

An analyst is reviewing alerts from an IDS and needs to classify them. Which THREE of the following are valid alert classification types?

Question 95 (medium, multi select)

A network analyst is investigating a suspected DNS tunneling attack. Which THREE of the following are indicators of DNS tunneling?

Question 96 (medium, multi select)

An analyst is examining a PCAP file for signs of lateral movement. Which TWO of the following are typical indicators of lateral movement using pass-the-hash?

Question 97 (easy, multi select)

In the Cyber Kill Chain, which TWO phases occur after the attacker establishes command and control (C2)?

Question 98 (hard, multi select)

A security analyst is investigating a PCAP and sees the following HTTP POST request: POST /login HTTP/1.1 ... username=admin&password=letmein. Which TWO attack indicators are present?

Question 99 (hard, multi select)

During PCAP analysis, a security analyst observes the following pattern: a series of TCP SYN packets to multiple ports on a target, followed by RST packets from the target for closed ports. Which TWO characteristics describe this scan?
