Scenario-based practice

Hard Difficulty Questions

Practise with Cisco CyberOps Associate 200-201 practice questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: 200-201 | Vendor: Cisco

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. They cover:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A company's security policy includes a clause that all software installed on company devices must be approved by the IT department. An employee installs an unapproved application that later causes a malware infection. Which policy was violated?

Question 2 (hard, multiple choice)

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

Exhibit

Refer to the exhibit.

```
Router# show ip access-lists
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
```

Question 3 (hard, multi-select)

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Question 4 (hard, multiple choice)

An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?

Question 5 (hard, multiple choice)

You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?

Question 6 (hard, multi-select)

Which TWO of the following are valid reasons to create an exception to a security policy? (Choose two.)

Question 7 (hard, multiple choice)

A network engineer is designing a segmented network to protect a sensitive database. The database must be accessible only from a specific application server. Which security concept best describes this design?

Question 8 (hard, multi-select)

A security analyst is reviewing the firewall log exhibit. The analyst suspects that this traffic might be part of a command-and-control (C2) communication based on the packet size and the timing of similar events. Which TWO additional pieces of evidence would most strongly support the suspicion of C2 traffic?

Exhibit

Refer to the exhibit.

```
Event: Firewall log entry
Time: 2023-10-05 14:23:45
Source IP: 192.168.1.50
Destination IP: 203.0.113.5
Source Port: 49152
Destination Port: 443
Protocol: TCP
Action: ALLOW
Bytes: 1452
Flags: ACK
```

Question 9 (hard, multiple choice)

An organization's security policy requires that all network traffic be inspected by an intrusion prevention system. However, encrypted traffic is bypassing inspection. Which change to the policy would best address this issue?

Question 10 (hard, multiple choice)

Based on the exhibit, what is the most likely type of attack being observed?

Exhibit

Refer to the exhibit.

```
Event: 02/15/2023 14:32:10
Src IP: 10.10.10.50
Dst IP: 203.0.113.5
Protocol: TCP
Flags: SYN
Length: 60 bytes

(Repeated 100 times in the last 2 seconds)
```

Question 11 (hard, multiple choice)

A SOC analyst is tuning an IPS rule that detects SQL injection attempts. The rule currently generates a high number of alerts, most of which are false positives caused by legitimate web application traffic containing SQL-like keywords. The analyst wants to reduce false positives without missing actual attacks. Which approach is most effective?

Question 12 (hard, multiple choice)

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

Exhibit

Refer to the exhibit.

```
C:\Users\Admin> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1236 BrokerInfrastructure, DcomLaunch, PlugPlay
svchost.exe                   1420 RpcSs, LanmanWorkstation, Dhcp, NlaSvc
svchost.exe                   1508 WpnService, WpnUserService
notepad.exe                   2344 N/A
cmd.exe                       2568 N/A
powershell.exe                2792 N/A

C:\Users\Admin> netstat -anob | findstr 192.168.1.50
  TCP    192.168.1.100:49152    192.168.1.50:443    ESTABLISHED     2792
  TCP    192.168.1.100:49153    192.168.1.50:80     ESTABLISHED     1420
```

Question 13 (hard, multiple choice)

A security analyst observes a sudden spike in outbound traffic from a critical server to an external IP address on TCP port 443. The server is a web application server that normally only receives inbound connections. Which type of intrusion is most likely occurring?

Question 14 (hard, multiple choice)

A security engineer is designing a network to prevent an attacker who gains access to a web server from easily pivoting to the internal database server. Which architecture best achieves this goal?

Question 15 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews this ACL on a firewall between a DMZ (10.0.1.0/24) and internal network (10.0.2.0/24). What is the effect of this ACL?

Exhibit

Refer to the exhibit.

```
! Access-list for DMZ to Inside
access-list DMZ_TO_INSIDE extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 3306
access-list DMZ_TO_INSIDE extended deny ip any any
```

Question 16 (hard, multi-select)

Which THREE are common indicators of a distributed denial-of-service (DDoS) attack? (Choose three.)

Question 17 (hard, multiple choice)

An organization uses a SIEM that ingests logs from multiple sources. The analysts are overwhelmed with alerts, many of which are false positives. Which strategy best reduces alert fatigue without increasing risk?

Question 18 (hard, multiple choice)

An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?

Question 19 (hard, multiple choice)

You are a SOC analyst at a mid-sized company. The company uses a SIEM that ingests logs from firewalls, IDS, and endpoints. Over the past week, you've noticed a gradual increase in outbound traffic from several internal hosts to IP addresses in a foreign country during non-business hours. The traffic is primarily on port 443. The IDS has not generated any alerts. The firewall logs show the connections are established. You check the endpoints and find no unusual processes running. However, the outbound connections persist. What is the most likely explanation and the best next step?

Question 20 (hard, multi-select)

Which THREE are typical sources of log data used in security monitoring? (Choose three.)

These 200-201 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-201 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.