
Cisco CyberOps Associate 200-201 practice test

Practise the five 200-201 (CBROPS) exam domains: security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures.

507 practice questions
5 topics covered
Exam code: 200-201
Vendor: Cisco

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 507 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.


Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.


Study Sheet

All 507 200-201 questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

7 pages · 75 questions per page · 507 total

Domain practice

Study 200-201 by domain

Each domain has its own study sheet and practice test. Target the areas where you're weakest instead of repeating questions you already know.


Related practice questions

Study 200-201 by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations, not to memorise copied exam dumps.

Sample questions

Cisco CyberOps Associate 200-201 practice questions


A security analyst observes repeated failed login attempts to an internal web server from multiple external IP addresses. The analyst creates a correlation rule that triggers an alert if more than 10 failed logins occur from a single source IP within 5 minutes. After deploying the rule, the analyst finds that the rule generates false positives from legitimate users who mistype passwords. Which action should the analyst take to reduce false positives while maintaining detection effectiveness?
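The rule in this question, implemented as a sliding-window correlation over a constructed auth log. This is an added example, not code from the page or from any SIEM product; the events, the `min_distinct_users` knob and the attacker/legitimate-user split are assumptions chosen to show how one tuning change separates a mistyped password from a credential-stuffing source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample auth events for a web server (not taken from the page).

    Each event is (timestamp, source_ip, username, result).
    """
    base = datetime(2024, 8, 1, 10, 0, 0)
    events = []
    # Attacker: 12 failures in 12 seconds, rotating through four accounts.
    for i, user in enumerate(["admin", "root", "oracle", "test"] * 3):
        events.append((base + timedelta(seconds=i), "203.0.113.7", user, "FAIL"))
    # Legitimate user: 11 mistyped passwords on one account, then a success.
    for i in range(11):
        events.append((base + timedelta(minutes=1, seconds=i), "198.51.100.20", "alice", "FAIL"))
    events.append((base + timedelta(minutes=1, seconds=11), "198.51.100.20", "alice", "SUCCESS"))
    return sorted(events)


def failed_login_alerts(events, threshold=10, window=timedelta(minutes=5), min_distinct_users=1):
    """Return the set of source IPs that trip the correlation rule.

    threshold: alert when failures inside the sliding window exceed this value
               (strictly more than 10, as the question states).
    min_distinct_users: tuning knob (an assumption, not from the page). 1 reproduces
               the naive rule; 3 requires the failures to be spread over several
               accounts, which one user mistyping a password does not produce.
    """
    recent = defaultdict(deque)  # source_ip -> (timestamp, user) failures inside the window
    alerted = set()
    for ts, src_ip, user, result in events:
        if result != "FAIL":
            continue
        q = recent[src_ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(q) > threshold and len(distinct_users) >= min_distinct_users:
            alerted.add(src_ip)
    return alerted


if __name__ == "__main__":
    events = build_sample_events()
    print("naive rule:", failed_login_alerts(events))
    print("tuned rule:", failed_login_alerts(events, min_distinct_users=3))
```

The naive rule fires on both sources; requiring three distinct target accounts keeps the attacker and drops the user who simply cannot type. Any such knob trades a little recall for precision: an attacker who sprays a single account from many IPs still needs a separate rule keyed on the target username.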

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

Which TWO of the following are common indicators of a denial-of-service (DoS) attack? (Choose two.)

Question 4 (medium, multiple choice)

An analyst reviews the ACL applied to the outside interface of a router. The analyst notices that traffic from 192.168.1.0/24 to 10.10.10.10 on port 443 is permitted, but all other traffic is denied and logged. Which of the following is a potential security issue with this ACL?

Exhibit

Refer to the exhibit.

```
! Output from show access-list 101
! Extended IP access list 101
!    10 permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 443
!    20 deny ip any any log
!
```

Which TWO of the following are indicators of a network intrusion? (Choose two.)

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

Exhibit

Refer to the exhibit.

```
Mar  1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
```
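A parser for the IPACCESSLOGP messages in the exhibit, plus a small classifier that separates repeated attempts against one port from a sweep across many. This is an added example, not part of the page: the first three log lines are the exhibit, the lines from 10.0.0.9 and the two thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# First three lines are the exhibit above; the 10.0.0.9 lines are constructed to show a second pattern.
SAMPLE_LOG = """\
Mar  1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
Mar  1 10:16:01 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.9(40001) -> 10.0.0.1(21), 1 packet
Mar  1 10:16:01 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.9(40002) -> 10.0.0.1(22), 1 packet
Mar  1 10:16:01 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.9(40003) -> 10.0.0.1(23), 1 packet
Mar  1 10:16:02 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.9(40004) -> 10.0.0.1(80), 1 packet
Mar  1 10:16:02 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.9(40005) -> 10.0.0.1(443), 1 packet
"""

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Parse IPACCESSLOGP messages into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            e = m.groupdict()
            for k in ("sport", "dport", "count"):
                e[k] = int(e[k])
            events.append(e)
    return events


def classify_denies(events, repeat_threshold=3, scan_threshold=5):
    """Group denied packets by (src, dst) and label the pattern.

    The thresholds are assumptions for this example, not values from the page.
    """
    flows = defaultdict(lambda: {"packets": 0, "dports": set()})
    for e in events:
        if e["action"] != "denied":
            continue
        f = flows[(e["src"], e["dst"])]
        f["packets"] += e["count"]
        f["dports"].add(e["dport"])
    verdicts = {}
    for key, f in flows.items():
        if len(f["dports"]) >= scan_threshold:
            verdicts[key] = "port scan (%d destination ports)" % len(f["dports"])
        elif len(f["dports"]) == 1 and f["packets"] >= repeat_threshold:
            verdicts[key] = "repeated connection attempts to tcp/%d" % next(iter(f["dports"]))
        else:
            verdicts[key] = "isolated deny"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify_denies(parse_acl_log(SAMPLE_LOG)).items():
        print(flow, "->", verdict)
```

Two details of the exhibit are worth reading off before any tooling: the source port increments by one per line, so each line is a fresh connection attempt rather than a retransmitted SYN, and the ACL denies are on the router, so the telnet service itself was never reached. IOS also rate-limits these messages (the first match is logged, later matches are summarised periodically), so the packet counts in the log are samples, not totals.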

Drag and drop the steps for the TCP three-way handshake into the correct order.

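The handshake as an exchange between both sides, with the sequence and acknowledgement arithmetic that the ordering question is really about. This is an added example, not code from the page; the fixed initial sequence numbers, port numbers and the `drop_final_ack` switch are assumptions so the numbers are easy to follow.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """The TCP header fields that matter for the handshake."""
    src_port: int
    dst_port: int
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False

    def flags(self):
        return "+".join(f for f, on in (("SYN", self.syn), ("ACK", self.ack_flag)) if on)


class Endpoint:
    def __init__(self, port, isn, state):
        self.port = port
        self.state = state
        self.snd_nxt = isn      # next sequence number this side will send
        self.rcv_nxt = None     # next sequence number expected from the peer


def three_way_handshake(client_isn=1000, server_isn=5000, drop_final_ack=False):
    """Run the three steps and return (client_state, server_state, trace).

    ISNs are fixed here so the arithmetic is visible; real stacks randomise them,
    because predictable ISNs allow blind connection spoofing. drop_final_ack models
    a client that never completes the handshake, which is what a SYN flood does at
    scale: the server is left holding half-open connections in SYN_RECEIVED.
    """
    client = Endpoint(port=49152, isn=client_isn, state="CLOSED")
    server = Endpoint(port=443, isn=server_isn, state="LISTEN")
    trace = []

    # Step 1: client -> server SYN, seq = client ISN.
    syn = Segment(client.port, server.port, seq=client.snd_nxt, ack=0, syn=True)
    client.snd_nxt += 1          # the SYN consumes one sequence number
    client.state = "SYN_SENT"
    trace.append(("C->S", syn))

    # Step 2: server -> client SYN-ACK, seq = server ISN, ack = client ISN + 1.
    server.rcv_nxt = syn.seq + 1
    synack = Segment(server.port, client.port, seq=server.snd_nxt, ack=server.rcv_nxt,
                     syn=True, ack_flag=True)
    server.snd_nxt += 1
    server.state = "SYN_RECEIVED"   # half-open until the final ACK arrives
    trace.append(("S->C", synack))

    # Step 3: client -> server ACK, seq = client ISN + 1, ack = server ISN + 1.
    if synack.ack != client.snd_nxt:
        raise ValueError("SYN-ACK does not acknowledge our SYN")
    client.rcv_nxt = synack.seq + 1
    client.state = "ESTABLISHED"
    ack = Segment(client.port, server.port, seq=client.snd_nxt, ack=client.rcv_nxt, ack_flag=True)
    trace.append(("C->S", ack))

    if not drop_final_ack:
        if ack.ack != server.snd_nxt:
            raise ValueError("ACK does not acknowledge our SYN-ACK")
        server.state = "ESTABLISHED"
    return client.state, server.state, trace


if __name__ == "__main__":
    for direction, seg in three_way_handshake()[2]:
        print(f"{direction} {seg.flags():8} seq={seg.seq} ack={seg.ack}")
```

Note the asymmetry the drop case exposes: the client considers the connection established as soon as the SYN-ACK arrives, while the server only does so on receiving the final ACK. That is why SYN floods exhaust server state and why SYN cookies push that state into the sequence number instead.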
Question 8 (medium, drag order)

Drag and drop the steps to configure a VLAN on a Cisco switch into the correct order.


Drag and drop the steps for initial configuration of a Cisco IOS device after booting into the correct order.


Drag and drop the steps to implement a disaster recovery plan for a critical server into the correct order.

Question 11 (medium, drag order)

Drag and drop the steps for the DHCP DORA process (dynamic host configuration) into the correct order.

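The DORA exchange modelled with a client and two servers answering the same broadcast, which is the situation the ordering question hides: the Request names the server the client chose, and every other server must stay silent. This is an added example, not code from the page; the server identifiers, address pools, the transaction id and the "rogue" second server are constructed.

```python
class DhcpServer:
    """Minimal DHCP server model: one pool, one lease per client MAC (an assumption)."""

    def __init__(self, server_id, pool):
        self.server_id = server_id
        self.pool = list(pool)
        self.leases = {}

    def handle(self, msg):
        if msg["type"] == "DISCOVER":
            if not self.pool:
                return None
            # OFFER binds nothing yet; the address is only committed on REQUEST.
            return {"type": "OFFER", "xid": msg["xid"], "chaddr": msg["chaddr"],
                    "yiaddr": self.pool[0], "server_id": self.server_id, "lease": 86400}
        if msg["type"] == "REQUEST":
            # REQUEST is broadcast and carries the chosen server identifier;
            # any other server must stay silent and withdraw its offer.
            if msg["server_id"] != self.server_id:
                return None
            ip = msg["requested_ip"]
            if ip not in self.pool:
                return {"type": "NAK", "xid": msg["xid"], "server_id": self.server_id}
            self.pool.remove(ip)
            self.leases[msg["chaddr"]] = ip
            return {"type": "ACK", "xid": msg["xid"], "chaddr": msg["chaddr"],
                    "yiaddr": ip, "server_id": self.server_id, "lease": 86400}
        return None


def dora(client_mac, servers, xid=0x3903F326):
    """Run Discover/Offer/Request/Ack against every server that hears the broadcast."""
    discover = {"type": "DISCOVER", "xid": xid, "chaddr": client_mac, "ciaddr": "0.0.0.0"}
    offers = [o for o in (s.handle(discover) for s in servers) if o and o["xid"] == xid]
    if not offers:
        return {"offers": 0, "replies": 0, "result": "no offer"}
    chosen = offers[0]   # clients normally take the first OFFER they hear
    request = {"type": "REQUEST", "xid": xid, "chaddr": client_mac,
               "requested_ip": chosen["yiaddr"], "server_id": chosen["server_id"]}
    replies = [r for r in (s.handle(request) for s in servers) if r and r["xid"] == xid]
    ack = replies[0]
    return {"offers": len(offers), "replies": len(replies), "result": ack["type"],
            "address": ack.get("yiaddr"), "server": ack["server_id"]}


if __name__ == "__main__":
    legit = DhcpServer("10.0.0.1", ["10.0.0.100", "10.0.0.101"])
    rogue = DhcpServer("10.0.0.66", ["10.0.0.200"])   # constructed rogue server
    print(dora("00:11:22:33:44:55", [legit, rogue]))
    print(dora("00:11:22:33:44:56", [rogue, legit]))  # rogue answers first and wins
```

Because the client simply takes the first Offer, whichever server answers fastest assigns the address, gateway and DNS server. That is the whole rogue-DHCP problem, and it is why DHCP snooping on the access switch (Offers and Acks accepted only from a trusted uplink port) is the control to know.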
Question 12 (medium, drag order)

Drag and drop the steps to perform a password recovery on a Cisco IOS router into the correct order.


Drag and drop the steps to analyze a packet capture for suspicious activity into the correct order.


A company's security policy includes a clause that all software installed on company devices must be approved by the IT department. An employee installs an unapproved application that later causes a malware infection. Which policy was violated?

Question 15 (hard, multiple choice)

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

Exhibit

Refer to the exhibit.
```
Router# show ip access-lists
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
```
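A parser for `show ip access-lists` output that turns the match counters into something checkable, using the exhibit text as input. This is an added example, not code from the page; the `unmatched_denies` check and the `hit_share` summary are this example's own additions.

```python
import re

# Exhibit text from the question above.
SHOW_OUTPUT = """\
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
"""

# IOS prints "(N matches)" / "(1 match)" only for entries that have matched at least once.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) (?:match|matches)\))?\s*$"
)


def parse_access_list(text):
    """Return (acl_name, entries); entries with no counter shown have zero matches."""
    name, entries = None, []
    for line in text.splitlines():
        if line.startswith("Extended IP access list") or line.startswith("Standard IP access list"):
            name = line.split()[-1]
            continue
        m = ACE_RE.match(line)
        if m:
            entries.append({"seq": int(m["seq"]), "action": m["action"],
                            "rule": m["rule"], "matches": int(m["matches"] or 0)})
    return name, entries


def unmatched_denies(entries):
    """Sequence numbers of deny ACEs that have never matched.

    A deny meant to block live traffic that shows no hits while a later permit
    counts thousands means either nothing matching has crossed that interface in
    that direction, or the match criteria do not describe the traffic. Either way
    the ACL is not doing what its author believes.
    """
    return [e["seq"] for e in entries if e["action"] == "deny" and e["matches"] == 0]


def hit_share(entries):
    """Fraction of counted packets each ACE accounted for, keyed by sequence number."""
    total = sum(e["matches"] for e in entries)
    return {e["seq"]: (e["matches"] / total if total else 0.0) for e in entries}


if __name__ == "__main__":
    name, entries = parse_access_list(SHOW_OUTPUT)
    print(name, entries)
    print("deny entries with zero hits:", unmatched_denies(entries))
```

For this exhibit the check reports entry 10. The practitioner question that follows is about placement: an inbound ACL on the external interface only sees packets arriving from outside, so a deny keyed on an external destination address can only match if that traffic is entering through that interface. Verify the interface and direction before concluding the host was never contacted.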

An analyst is reviewing a suspicious email reported by a user. The email contains an attachment 'invoice.pdf' and urges the user to open it. Which indicator is most likely to confirm it is a phishing attempt?

Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?

Exhibit

Refer to the exhibit.
```
{
  "event": "Process Creation",
  "timestamp": "2024-08-01T10:00:00Z",
  "hostname": "DESKTOP-ABC123",
  "user": "jsmith",
  "process": "C:\\Users\\jsmith\\Downloads\\invoice.exe",
  "parent_process": "C:\\Windows\\explorer.exe"
}
```
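Triage logic run over the exhibit event, scoring the signals an analyst would weigh: an executable launched from a user-writable directory, a document-like name on an .exe, and an interactive parent process. This is an added example, not code from the page or any EDR vendor; the word lists, directory names and the constructed benign event are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Event from the exhibit above (raw string, so the JSON escapes survive as written).
EDR_EVENT = r"""{
  "event": "Process Creation",
  "timestamp": "2024-08-01T10:00:00Z",
  "hostname": "DESKTOP-ABC123",
  "user": "jsmith",
  "process": "C:\\Users\\jsmith\\Downloads\\invoice.exe",
  "parent_process": "C:\\Windows\\explorer.exe"
}"""

# Constructed benign event for comparison (not from the page).
BENIGN_EVENT = r"""{
  "event": "Process Creation",
  "timestamp": "2024-08-01T10:05:00Z",
  "hostname": "DESKTOP-ABC123",
  "user": "jsmith",
  "process": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
  "parent_process": "C:\\Windows\\explorer.exe"
}"""

# Heuristics below are this example's own assumptions, not a vendor rule set.
USER_WRITABLE_DIRS = ("downloads", "temp", "desktop", "public", "appdata")
DOCUMENT_WORDS = ("invoice", "receipt", "statement", "order", "resume", "scan")
INTERACTIVE_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe", "chrome.exe"}
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".hta"}


def triage_process_event(event_json):
    """Return a score and the reasons behind it for one process-creation event."""
    e = json.loads(event_json)
    path = PureWindowsPath(e["process"])
    parent = PureWindowsPath(e["parent_process"]).name.lower()
    parts = [p.lower() for p in path.parts]      # directory components of the image path
    suffix = path.suffix.lower()
    findings = []
    if suffix in EXECUTABLE_EXT and any(d in parts for d in USER_WRITABLE_DIRS):
        findings.append("executable run from a user-writable directory")
    if suffix == ".exe" and any(w in path.stem.lower() for w in DOCUMENT_WORDS):
        findings.append("document-like name on an .exe (lure)")
    if parent in INTERACTIVE_PARENTS:
        findings.append(f"launched by {parent}: a user opened it")
    return {"host": e["hostname"], "user": e["user"], "process": str(path),
            "score": len(findings), "findings": findings}


if __name__ == "__main__":
    for ev in (EDR_EVENT, BENIGN_EVENT):
        r = triage_process_event(ev)
        print(r["process"], r["score"], r["findings"])
```

The parent alone is weak evidence: explorer.exe is the parent of almost everything a user starts. It becomes meaningful in combination with the path and the name, which is why the score counts the signals rather than keying on any one of them.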

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)

Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?

Exhibit

Refer to the exhibit.

```
Event: 1, Signature: GPL TROJAN Zeus Variant Outbound Connection
Timestamp: 2023-09-15 14:23:45
Src IP: 10.0.0.25:49152 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /gate.php HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Event: 2, Signature: ET POLICY Outgoing HTTP Request with Suspicious User-Agent
Timestamp: 2023-09-15 14:23:46
Src IP: 10.0.0.25:49153 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /images/logo.png HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)
```

An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?

Question 22 (hard, multiple choice)

You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?

Which TWO of the following are valid reasons to create an exception to a security policy? (Choose two.)

Which TWO of the following are typically included in a security policy's scope statement? (Choose two.)


Exam question guide

How to use these 200-201 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Tests the five 200-201 (CBROPS) exam domains: security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures.

Explain security concepts: the CIA triad, threat actors, attack surfaces, and the role of detection tools

Monitor security data: logs, NetFlow, packet captures, and SIEM alerts, including tuning for false positives

Analyse host events: process, file and endpoint (EDR) evidence

Analyse network intrusions: IDS/IPS alerts, ACL logs, and packet captures

Apply security policies and procedures: incident handling and policy exceptions

These 200-201 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-201 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.