Network Intrusion Analysis practice questions

Practise Cisco CyberOps Associate 200-201 Network Intrusion Analysis practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Network Intrusion Analysis

What the exam tests

What to know about Network Intrusion Analysis

Network Intrusion Analysis questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Network Intrusion Analysis exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Network Intrusion Analysis questions

20 questions · select your answer, then reveal the explanation

During a network intrusion analysis, a security analyst observes repeated TCP SYN packets sent to a range of ports on a target host, each followed by an RST response. No subsequent ACK packets are observed. Which phase of the Cyber Kill Chain is the attacker most likely executing?

An analyst reviewing network alerts notices a rule triggered for 'ET SCAN NMAP -sU scan' based on traffic to a Linux server. The packet capture shows multiple UDP packets to various ports, and for closed ports, the server responds with ICMP Destination Unreachable (Port Unreachable). Which type of scan is being performed, and how should the analyst classify this alert?

A security analyst is investigating an alert that indicates a potential SQL injection attack. Which of the following HTTP request patterns is most indicative of a SQL injection attempt?

Question 4 · medium · multiple choice

An analyst detects traffic from an internal host that periodically sends small DNS queries to a domain with high entropy subdomains (e.g., 'a3k9f2.example.com'). The domain is not on any blocklist, and the query intervals are consistent every 60 seconds. Which technique is most likely being used?

During an incident response, an analyst extracts a file from a PCAP using Wireshark's 'Export Objects' feature. The file contains shellcode that uses NOP sleds and encodes a reverse shell command. Which Cyber Kill Chain phase does this file represent?

An analyst is investigating lateral movement and observes SMB authentication attempts from host A to multiple other hosts using NTLM authentication with a hash value instead of a password. Which attack technique is most likely being used?

A network analyst is examining a PCAP file and applies the Wireshark display filter 'http.request'. The results show several POST requests to '/login.php' with parameters containing 'username=admin&password=secret'. What type of attack is indicated?

An intrusion detection system alerts on traffic that appears to be a command and control (C2) beacon. Which of the following characteristics is most typical of beaconing traffic?

An analyst detects a large outbound FTP transfer from a sensitive server to an external IP address not previously seen. The file being transferred is a compressed archive containing database dumps. Which Cyber Kill Chain phase is most directly indicated?

A security analyst is reviewing PCAP data and sees a TCP stream with interactive shell commands such as 'whoami', 'ls -la', and 'cat /etc/passwd'. The session appears to be bidirectional with a remote IP. Which type of attack is most likely occurring?

An analyst receives an alert for 'ET WEB_SERVER Possible SQL Injection Attempt' triggered by a URL parameter containing ' OR 1=1--'. After investigating, the analyst confirms that the web application is not vulnerable to SQL injection and the request was a benign test. How should this alert be classified?

During an intrusion analysis, an analyst identifies that an attacker used a domain generation algorithm (DGA) to resolve C2 domains. Which of the following traffic patterns is most consistent with DGA?

Question 13 · medium · multi select

A security analyst is investigating a suspected data exfiltration incident. Which TWO of the following indicators are most consistent with exfiltration over DNS?

An analyst is analyzing a PCAP from a compromised host. Which THREE of the following are common indicators of exploitation attempts in network traffic?

An analyst is examining network alerts for lateral movement. Which TWO of the following are typical indicators of lateral movement using SMB?

A security analyst observes repeated ICMP port unreachable responses from a target host. The source IP is sending packets to multiple UDP ports. Which type of scan is most likely being performed?

During an intrusion analysis, a SOC analyst reviews logs showing an outbound connection from an internal host to an external IP at 03:00 AM every 60 seconds. The traffic is HTTPS to a suspicious domain with a high entropy name. Which phase of the Cyber Kill Chain does this activity represent?

An analyst is reviewing alerts from an IDS. A signature matched 'script' and 'alert' in HTTP request parameters. The analyst inspects the packet and sees <script>alert('XSS')</script> in the URI. What is the most accurate classification of this alert?

In a PCAP analysis, an analyst uses the filter 'http.request.uri contains "UNION"' and finds multiple HTTP requests with 'SELECT' and 'UNION SELECT' in the URI parameter. Which type of attack is likely occurring?

An analyst examines PCAP and sees multiple SMB sessions from internal host 10.1.1.10 to 10.1.1.20, 10.1.1.30, and 10.1.1.40 within seconds. The NTLM authentication contains a hash parameter that is identical across sessions. Which lateral movement technique is most likely being used?


Focused Network Intrusion Analysis sessions

Start a Network Intrusion Analysis-only practice session

Every question in these sessions is drawn from the Network Intrusion Analysis domain — nothing else.


Frequently asked questions

What does the 200-201 exam test about Network Intrusion Analysis?
Network Intrusion Analysis questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Network Intrusion Analysis questions in a focused session?
Yes — the session launcher on this page draws every question from the Network Intrusion Analysis domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 200-201 topics?
Use the topic links above to move to related areas, or go back to the 200-201 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-201 exam covers. They are not copied from any real exam or dump site.