
Scenario-based practice

Select Two (Multi-Select) Questions

Practise Cisco CyberOps Associate 200-201 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions · Exam code: 200-201 · Vendor: Cisco

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. There is no partial credit: you must select every correct option and no incorrect one. The stem always states how many to choose, so trust it. These questions reward precision, not best-guess elimination.

Quick answer

Select Two (Multi-Select) questions test whether you can apply the concept in context, not just recognise a definition. Each scenario exercises:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (easy, multi select)

Which TWO of the following are common indicators of a denial-of-service (DoS) attack?

Question 2 (medium, multi select)

Which TWO of the following are indicators of a network intrusion? (Choose two.)

Question 3 (hard, multi select)

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Question 4 (easy, multi select)

Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)

Question 5 (hard, multi select)

Which TWO of the following are valid reasons to create an exception to a security policy? (Choose two.)

Question 6 (medium, multi select)

Which TWO of the following are typically included in a security policy's scope statement?

Question 7 (medium, multi select)

An organization is implementing a security policy that requires all remote access to the corporate network to be authenticated using multi-factor authentication (MFA). Which TWO of the following are valid MFA factors?

Question 8 (hard, multi select)

A security analyst is reviewing the firewall log exhibit. The analyst suspects that this traffic might be part of a command-and-control (C2) communication based on the packet size and the timing of similar events. Which TWO additional pieces of evidence would most strongly support the suspicion of C2 traffic?

Exhibit

Refer to the exhibit.

```
Event: Firewall log entry
Time: 2023-10-05 14:23:45
Source IP: 192.168.1.50
Destination IP: 203.0.113.5
Source Port: 49152
Destination Port: 443
Protocol: TCP
Action: ALLOW
Bytes: 1452
Flags: ACK
```
Question 9 (medium, multi select)

Which TWO of the following are essential components of an effective security policy framework according to Cisco best practices?

Question 10 (medium, multi select)

Which TWO actions are appropriate when analyzing network traffic to identify a potential data exfiltration attempt?

Question 11 (medium, multi select)

A network security monitoring analyst is analyzing firewall logs and sees the following traffic: Source IP 10.1.1.50 to Destination IP 203.0.113.5 on port 443, protocol TCP, with a large amount of data transferred in both directions during business hours. The analyst suspects data exfiltration. Which TWO additional indicators would most strongly support this suspicion? (Choose two.)
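
Questions 8 and 11 both ask you to reason from a single firewall log line to a pattern: near-constant timing and packet size for C2 beaconing, and a large, lopsided byte volume for exfiltration. The following is an added example, not part of the original question set or any Cisco material. It parses entries written in the exhibit's "Key: Value" block format, then applies both heuristics. Every log entry is constructed for illustration, the attacker and peer addresses come from the exhibits, and every threshold (minimum events, jitter, byte volume, ratio) is an assumed starting point, not a vendor-recommended value.

```python
"""Beacon and bulk-transfer heuristics over exhibit-format firewall logs.

Added example (not from the original page). Entries are constructed and
all thresholds are assumptions chosen to make the pattern visible.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Assumption: "internal" means RFC 1918 space. ipaddress.is_private would
# also match the 203.0.113.0/24 documentation range used as the peer here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def make_entry(time, src, dst, dport, nbytes, sport=49152):
    """Render one constructed entry in the exhibit's block format."""
    return (f"Event: Firewall log entry\nTime: {time.strftime(TIME_FMT)}\n"
            f"Source IP: {src}\nDestination IP: {dst}\nSource Port: {sport}\n"
            f"Destination Port: {dport}\nProtocol: TCP\nAction: ALLOW\n"
            f"Bytes: {nbytes}\nFlags: ACK\n")


def parse_entries(text):
    """One dict per blank-line-separated block."""
    entries = []
    for block in text.strip().split("\n\n"):
        f = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        entries.append({"time": datetime.strptime(f["Time"], TIME_FMT),
                        "src": f["Source IP"], "dst": f["Destination IP"],
                        "dport": int(f["Destination Port"]), "bytes": int(f["Bytes"])})
    return entries


def beacon_candidates(entries, min_events=4, max_jitter=0.15, max_size_cv=0.10):
    """Flag (src, dst, dport) flows whose inter-event gaps and byte counts are
    both nearly constant (std/mean under the thresholds): the timing-plus-size
    pattern the Question 8 stem describes."""
    flows = defaultdict(list)
    for e in entries:
        flows[(e["src"], e["dst"], e["dport"])].append(e)
    flagged = {}
    for key, evs in flows.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sizes = [e["bytes"] for e in evs]
        if mean(gaps) == 0:
            continue
        jitter, size_cv = pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)
        if jitter <= max_jitter and size_cv <= max_size_cv:
            flagged[key] = {"events": len(evs), "period_s": round(mean(gaps)),
                            "jitter": round(jitter, 3)}
    return flagged


def exfil_candidates(entries, min_out_bytes=100_000_000, min_ratio=20.0):
    """Per (internal host, external peer) total bytes each way; flag pairs whose
    outbound volume is large and dwarfs what came back (Question 11)."""
    out_b, in_b = defaultdict(int), defaultdict(int)
    for e in entries:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            out_b[(e["src"], e["dst"])] += e["bytes"]
        elif is_internal(e["dst"]) and not is_internal(e["src"]):
            in_b[(e["dst"], e["src"])] += e["bytes"]
    flagged = {}
    for pair, out in out_b.items():
        ratio = out / max(in_b.get(pair, 0), 1)
        if out >= min_out_bytes and ratio >= min_ratio:
            flagged[pair] = {"out_bytes": out, "in_bytes": in_b.get(pair, 0),
                             "ratio": round(ratio, 1)}
    return flagged


def build_sample_log():
    """Constructed trace: one beacon-like flow, one bulk push, one browsing flow."""
    t0 = datetime(2023, 10, 5, 14, 23, 45)
    blocks = []
    for i, drift in enumerate([0, 1, -1, 2, 0, 1]):                 # ~60 s, 1452 B each
        blocks.append(make_entry(t0 + timedelta(seconds=60 * i + drift),
                                 "192.168.1.50", "203.0.113.5", 443, 1452))
    for i, nb in enumerate([40_000_000, 35_000_000, 50_000_000]):    # 125 MB outbound
        blocks.append(make_entry(t0 + timedelta(minutes=7 * i),
                                 "10.1.1.50", "203.0.113.5", 443, nb))
    blocks.append(make_entry(t0 + timedelta(minutes=1), "203.0.113.5",
                             "10.1.1.50", 49152, 4096, sport=443))  # 4 KB back
    for gap, nb in [(0, 512), (7, 9800), (95, 2200), (260, 130_000), (300, 640)]:
        blocks.append(make_entry(t0 + timedelta(seconds=gap),
                                 "192.168.1.77", "198.51.100.10", 443, nb))
    return "\n".join(blocks)


if __name__ == "__main__":
    entries = parse_entries(build_sample_log())
    print("beacon-like flows:", beacon_candidates(entries))
    print("bulk outbound pairs:", exfil_candidates(entries))
```

Run as-is, the beacon heuristic flags only the 192.168.1.50 flow (six events about 60 s apart, identical 1452-byte size) and leaves the irregular browsing flow alone, while the volume heuristic flags only 10.1.1.50, which pushed about 125 MB out against 4 KB returned. Neither result is proof on its own: a software updater can beacon on a fixed timer and a backup job can push gigabytes, which is why the exam stems ask for additional corroborating evidence rather than a verdict from one log line.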

Question 12 (easy, multi select)

A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)

Question 13 (easy, multi select)

Which TWO are goals of a security operations center (SOC)? (Choose two.)

Question 14 (medium, multi select)

Which TWO security concepts are fundamental to the principle of least privilege? (Choose two.)

Question 15 (hard, multi select)

Which THREE are common indicators of a distributed denial-of-service (DDoS) attack? (Choose three.)

Question 16 (medium, multi select)

Which TWO are common indicators of a compromised host? (Choose two.)

Question 17 (hard, multi select)

Which THREE are typical sources of log data used in security monitoring? (Choose three.)

Question 18 (medium, multi select)

Which THREE are essential components of a security monitoring strategy? (Choose three.)

Question 19 (hard, multi select)

Which TWO network behaviors suggest an ARP spoofing attack is occurring? (Choose two.)
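
The behaviours behind Question 19 are observable on the wire: an IP address that suddenly answers from a different MAC, one MAC answering for several IPs (typically the gateway and a victim), and ARP replies that no host requested. The following is an added example, not part of the original question set or of any Cisco tooling; it applies arpwatch-style bookkeeping to a constructed ARP trace. The trace, the host addresses and the attacker MAC de:ad:be:ef:00:99 are all invented for illustration.

```python
"""ARP spoofing indicators over a constructed ARP trace.

Added example (not from the original page). The trace is constructed;
the attacker MAC is invented. Three indicators are tracked: IP-to-MAC
flips, one MAC claiming several IPs, and unsolicited replies.
"""
from collections import defaultdict

# (seq, op, sender_ip, sender_mac, target_ip). Constructed, not captured.
ARP_TRACE = [
    (1, "request", "192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),
    (2, "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.20"),  # real gateway
    (3, "request", "192.168.1.30", "00:11:22:33:44:30", "192.168.1.20"),
    (4, "reply",   "192.168.1.20", "00:11:22:33:44:20", "192.168.1.30"),
    (5, "reply",   "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.20"),  # attacker as gateway
    (6, "reply",   "192.168.1.20", "de:ad:be:ef:00:99", "192.168.1.1"),   # attacker as victim
    (7, "reply",   "192.168.1.1",  "de:ad:be:ef:00:99", "192.168.1.20"),  # re-poisoning
]


def detect_arp_anomalies(trace, max_ips_per_mac=1):
    """Return (mapping flips, MACs claiming several IPs, unsolicited reply seqs).

    A reply is 'unsolicited' when no request for that sender IP is still
    outstanding; gratuitous ARP on link-up is a legitimate source of these."""
    ip_to_mac, mac_to_ips, pending = {}, defaultdict(set), set()
    flips, unsolicited = [], []
    for seq, op, sender_ip, sender_mac, target_ip in trace:
        if op == "request":
            pending.add(target_ip)        # someone is waiting for target_ip's MAC
            continue
        if sender_ip in pending:
            pending.discard(sender_ip)
        else:
            unsolicited.append(seq)       # reply with no outstanding request
        prev = ip_to_mac.get(sender_ip)
        if prev is not None and prev != sender_mac:
            flips.append({"seq": seq, "ip": sender_ip,
                          "old_mac": prev, "new_mac": sender_mac})
        ip_to_mac[sender_ip] = sender_mac
        mac_to_ips[sender_mac].add(sender_ip)
    multi = {mac: sorted(ips) for mac, ips in mac_to_ips.items()
             if len(ips) > max_ips_per_mac}
    return flips, multi, unsolicited


if __name__ == "__main__":
    flips, multi, unsolicited = detect_arp_anomalies(ARP_TRACE)
    for f in flips:
        print(f"seq {f['seq']}: {f['ip']} moved {f['old_mac']} -> {f['new_mac']}")
    print("MACs claiming several IPs:", multi)
    print("unsolicited replies:", unsolicited)
```

On this trace the gateway and the .20 host both flip to the attacker MAC at sequences 5 and 6, that MAC ends up claiming two IPs, and replies 5 through 7 are unsolicited. Treat each as a triage signal rather than a verdict: a NIC replacement or DHCP lease churn also flips a mapping, and gratuitous ARP is normal during failover. On Cisco switches the preventive control for this class of attack is DHCP snooping with Dynamic ARP Inspection, which drops replies that disagree with the snooping binding table.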

Question 20 (medium, multi select)

Which THREE indicators are commonly found in network traffic that suggest a host is part of a botnet? (Choose three.)

These 200-201 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-201 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.