
Scenario practice questions

Practise Cisco CyberOps Associate 200-201 Scenario practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
11 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scenario questions

11 questions · select your answer, then reveal the explanation

Refer to the exhibit. An analyst sees this syslog message from a Cisco ASA. What does this log entry indicate?

Exhibit

Refer to the exhibit.
```
Mar  1 12:34:56 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54321 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
```
Question 2 · easy · multiple choice

An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?

Question 3 · hard · multiple choice

Refer to the exhibit. An analyst sees these log messages on a Cisco router. The source IP 10.0.0.2 is an internal server. What is the most likely explanation?

Exhibit

Refer to the exhibit.
```
! Output from show logging on Cisco IOS router
Mar  1 10:00:00: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12345) -> 192.168.1.1(80), 1 packet
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12346) -> 192.168.1.1(80), 1 packet
Mar  1 10:00:02: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12347) -> 192.168.1.1(80), 1 packet
Mar  1 10:00:03: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12348) -> 192.168.1.1(80), 1 packet
```

An analyst reviews the Cisco ASA syslog message shown in the exhibit. What does this entry indicate?

Exhibit

Refer to the exhibit.
```
%ASA-4-106023: Deny tcp src outside:203.0.113.45/56789 dst inside:10.1.1.100/80 by access-group "outside_in"
```
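The ASA `%ASA-4-106023` and IOS `%SEC-6-IPACCESSLOGP` messages in the exhibits above have different layouts but carry the same fields: the ACL that matched, the protocol, and the source and destination address/port pairs. The script below is an added example and is not part of the practice set or of Courseiva's material. It parses both formats into one record and counts denies per flow, which makes the pattern in the IOS exhibit (one source cycling through consecutive source ports toward one destination, i.e. a client retrying or a scanner) visible at a glance. The sample lines are constructed here, modelled on the exhibits; the `%ASA-6-302013` line is included only to show that non-deny messages are skipped.

```python
"""Parse Cisco ASA 106023 and IOS IPACCESSLOGP deny messages (added example)."""
import re
from collections import Counter
from typing import Optional

# Constructed sample lines modelled on the exhibits (not taken from a real
# device). The %ASA-6-302013 line is there to show non-deny messages are skipped.
# IOS rate-limits ACL logging and reports repeats as "N packets", hence the last line.
SAMPLE_LOG = """\
Mar  1 12:34:56 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54321 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar  1 12:34:57 192.168.1.100 %ASA-4-106023: Deny udp src outside:10.0.0.1/5353 dst inside:192.168.1.100/53 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar  1 12:35:00 192.168.1.100 %ASA-6-302013: Built inbound TCP connection 17 for outside:10.0.0.9/40000 (10.0.0.9/40000) to inside:192.168.1.5/443 (192.168.1.5/443)
Mar  1 10:00:00: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12345) -> 192.168.1.1(80), 1 packet
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12346) -> 192.168.1.1(80), 1 packet
Mar  1 10:05:00: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12347) -> 192.168.1.1(80), 4 packets
"""

# tcp/udp denies only: ASA icmp denies carry "type/code" instead of ports
# and are deliberately not matched by this pattern.
ASA_DENY = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)
IOS_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_deny(line: str) -> Optional[dict]:
    """Return a normalised deny record, or None for lines that are not ACL denies."""
    m = ASA_DENY.search(line)
    if m:
        return {"device": "asa", "acl": m["acl"], "proto": m["proto"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "packets": 1,
                "src_if": m["src_if"], "dst_if": m["dst_if"]}
    m = IOS_DENY.search(line)
    if m:
        return {"device": "ios", "acl": m["acl"], "proto": m["proto"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "packets": int(m["count"]), "src_if": None, "dst_if": None}
    return None


def summarise_denies(text: str) -> dict:
    """Count denied packets per (src, dst, proto, dport) and record how many
    distinct source ports each flow used: one source walking through
    consecutive ports toward one destination is a retrying client or a scanner."""
    records = [r for r in map(parse_deny, text.splitlines()) if r]
    by_flow = Counter()
    sports = {}
    for r in records:
        key = (r["src"], r["dst"], r["proto"], r["dport"])
        by_flow[key] += r["packets"]
        sports.setdefault(key, set()).add(r["sport"])
    return {
        "parsed": len(records),
        "by_flow": dict(by_flow),
        "distinct_sports": {k: len(v) for k, v in sports.items()},
    }


if __name__ == "__main__":
    for key, value in summarise_denies(SAMPLE_LOG).items():
        print(key, value)
```

When the same source keeps appearing with a new source port each second and a single destination port, read it as repeated connection attempts rather than a single blocked packet; the access-group name in the record tells you which ACL to inspect.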
Question 5 · medium · multiple choice

A help desk receives a phone call from someone claiming to be from IT and requesting a password reset. What type of attack is this?

Question 6 · medium · multiple choice

A security analyst is investigating a potential data exfiltration incident. The analyst notices that a server is sending encrypted data to an external IP address during non-business hours. The server is supposed to only communicate with internal systems. What is the best immediate action?

Question 7 · easy · multiple choice

An analyst is monitoring network traffic and sees a sudden spike in outbound data transfer from an internal server to an external IP that is known to be malicious. What is the most likely scenario?

Question 8 · medium · multiple choice

A critical security patch for a widely exploited vulnerability is released. The patch requires a system reboot during business hours. According to change management policy, what is the best procedure?

Question 9 · easy · multiple choice

You are monitoring network traffic and notice a sudden spike in outbound UDP traffic from a single internal host to various external IPs on port 123 (NTP). The traffic pattern shows a high volume of small packets. The host in question is a Linux server that does not run any NTP services. The IDS does not generate any alerts for this traffic. Which type of attack is most likely occurring?

Question 10 · medium · multiple choice

You are a security analyst at a healthcare organization. The organization uses Cisco Stealthwatch for network visibility and a SIEM for event correlation. You receive an alert that a medical records database server (IP 10.0.3.20) is communicating with an external IP (198.51.100.100) on port 22 (SSH) at 2:00 AM. The database server should have no outbound SSH connections; only remote administration is allowed from a management subnet via VPN. You check Stealthwatch and see that the connection duration is 30 minutes and the volume of data transferred is 500 MB. The database server logs show no local account logins at that time. The firewall logs show that the connection was initiated from the database server. The incident response team has been alerted. What is the most likely scenario and your immediate action?
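Questions 9 and 10 both turn on the same flow-level reasoning: an internal host initiating traffic to the outside that its role does not allow, judged by destination count, packet size, volume, duration and time of day. The script below is an added example, not part of the practice set or of Courseiva's material, and it is not Stealthwatch or SIEM code. It aggregates constructed flow records per (source, protocol, destination port), checks them against a hypothetical outbound policy, and turns the aggregate into the kind of hypothesis the two scenarios ask for. The addresses, policy and flow records are all assumptions made up for the example.

```python
"""Flow-based review of outbound traffic from internal hosts (added example)."""
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical policy: which internal hosts may initiate outbound flows, and on
# which (proto, dport). Hosts missing from the map are internal-only, like the
# database server in question 10.
OUTBOUND_POLICY = {
    "10.0.5.10": {("tcp", 80), ("tcp", 443)},  # web proxy
    "10.0.1.2": {("udp", 123)},                 # the site's NTP server
}
FANOUT_MIN = 20        # distinct external destinations before we call it fan-out
SMALL_PKT_BYTES = 100  # average bytes/packet at or below this counts as "small"
BUSINESS_HOURS = range(7, 19)

# Constructed flow records, loosely modelled on questions 9 and 10:
# (start_hour, src, dst, proto, dport, packets, bytes, duration_s)
FLOWS = [
    (2, "10.0.3.20", "198.51.100.100", "tcp", 22, 380000, 500_000_000, 1800),
    (2, "10.0.5.10", "203.0.113.9", "tcp", 443, 20, 9000, 3),
    (9, "10.0.3.20", "10.0.3.21", "tcp", 1433, 500, 200_000, 40),
    (9, "10.0.1.2", "203.0.113.123", "udp", 123, 4, 304, 1),
] + [(9, "10.0.7.44", f"192.0.2.{i}", "udp", 123, 3000, 228_000, 60) for i in range(1, 51)]


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def outbound_violations(flows, policy=OUTBOUND_POLICY):
    """Aggregate internal->external flows the policy does not allow, keyed by
    (src, proto, dport), so one host hitting fifty destinations is one finding."""
    agg = defaultdict(lambda: {"flows": 0, "dsts": set(), "packets": 0, "bytes": 0,
                               "max_duration_s": 0, "off_hours": False})
    for hour, src, dst, proto, dport, pkts, nbytes, dur in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # only flows leaving the site matter here
        if (proto, dport) in policy.get(src, set()):
            continue
        v = agg[(src, proto, dport)]
        v["flows"] += 1
        v["dsts"].add(dst)
        v["packets"] += pkts
        v["bytes"] += nbytes
        v["max_duration_s"] = max(v["max_duration_s"], dur)
        v["off_hours"] |= hour not in BUSINESS_HOURS
    return {
        key: {
            "flows": v["flows"],
            "distinct_dsts": len(v["dsts"]),
            "mbytes": round(v["bytes"] / 1e6, 1),
            "avg_pkt_bytes": round(v["bytes"] / v["packets"], 1),
            "max_duration_s": v["max_duration_s"],
            "off_hours": v["off_hours"],
        }
        for key, v in agg.items()
    }


def classify(v: dict) -> str:
    """Turn an aggregate into the working hypothesis an analyst would open with."""
    if v["distinct_dsts"] >= FANOUT_MIN and v["avg_pkt_bytes"] <= SMALL_PKT_BYTES:
        return "fan-out of small packets: scanning, beaconing or a reflection/amplification source"
    if v["distinct_dsts"] == 1 and v["max_duration_s"] >= 600 and v["mbytes"] >= 100:
        return "one long, high-volume session to a single host: possible exfiltration"
    return "outbound policy violation: review"


if __name__ == "__main__":
    for key, v in outbound_violations(FLOWS).items():
        print(key, v, "->", classify(v))
```

The two findings the sample produces differ on exactly the details the scenarios hinge on: the database server shows one destination, a 30-minute session, hundreds of megabytes and an off-hours start, while the Linux host shows fifty destinations on UDP/123 with roughly 76-byte packets. Neither signature depends on the IDS having a signature for it.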

Question 11 · easy · multiple choice

You are a security analyst at a mid-sized company. The company uses a SIEM to collect logs from firewalls, IDS, and servers. Recently, the SIEM generated an alert for a potential brute-force attack against the company's VPN server. The alert is based on a correlation rule that triggers when more than 30 failed authentication attempts from a single source IP occur within 10 minutes. You investigate and see that the source IP is 203.0.113.50, which is a known IP address of a partner company that uses the VPN for remote access. The failed attempts are all for the same username 'john.doe'. You also notice that the attempts are happening every 5 seconds, exactly 12 attempts per minute. The partner company has a policy that locks accounts after 3 failed attempts. Based on this scenario, what is the most likely cause of the alert?
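The correlation rule in question 11 is a sliding-window count, and the clue that separates a misbehaving client from an attacker is the cadence of the failures and the number of usernames involved. The script below is an added example, not part of the practice set or of Courseiva's material, and it is not the rule syntax of any particular SIEM. It implements the rule over constructed authentication events, then characterises each alerting source by the regularity of its inter-arrival times and the count of distinct usernames. The event data, addresses and thresholds are assumptions made up for the example.

```python
"""Brute-force correlation rule with cadence analysis (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

THRESHOLD = 30                  # the rule in question 11: more than 30 failures ...
WINDOW = timedelta(minutes=10)  # ... from one source within 10 minutes

T0 = datetime(2024, 3, 1, 9, 0, 0)

# Constructed authentication events: (timestamp, source_ip, username, result).
# 203.0.113.50 is the partner IP from the scenario, retrying one account every
# 5 seconds; 198.51.100.7 makes a handful of irregular guesses at several
# accounts; the last event is a successful login that the rule must ignore.
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=5 * i), "203.0.113.50", "john.doe", "FAIL") for i in range(60)]
    + [(T0 + timedelta(seconds=s), "198.51.100.7", u, "FAIL")
       for s, u in [(0, "admin"), (17, "root"), (45, "test"), (140, "guest"), (390, "backup")]]
    + [(T0 + timedelta(minutes=2), "203.0.113.51", "jane.roe", "OK")]
)


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window rule: raise one alert per source the first time more than
    `threshold` failures from that source fall inside a `window`-long span."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, user, result in sorted(events):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = {"first": q[0][0], "last": ts, "count": len(q),
                           "users": sorted({u for _, u in q})}
    return alerts


def characterise(events, src):
    """Describe the failure cadence of one source. A near-zero spread in the
    inter-arrival times means a scheduled job or a client retrying a saved
    credential, not a person; one username points to a stuck credential,
    many usernames to password spraying."""
    fails = sorted((ts, user) for ts, s, user, r in events if s == src and r == "FAIL")
    stamps = [ts for ts, _ in fails]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    users = {user for _, user in fails}
    regular = bool(gaps) and pstdev(gaps) < 1.0
    if regular and len(users) == 1:
        verdict = "automated, single credential"
    elif regular:
        verdict = "automated spray"
    else:
        verdict = "irregular, possibly manual"
    return {
        "attempts": len(stamps),
        "mean_gap_s": round(mean(gaps), 2) if gaps else None,
        "gap_stdev_s": round(pstdev(gaps), 2) if gaps else None,
        "per_minute": round(60 / mean(gaps), 1) if gaps else None,
        "distinct_users": len(users),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for src, alert in correlate(SAMPLE_EVENTS).items():
        print(src, alert)
        print("  ", characterise(SAMPLE_EVENTS, src))
```

A metronomic interval, one username and a source that is a known partner gateway point to a client or script with a stale saved password rather than a human attacker; the partner's three-strike lockout also means the account was locked long before the 31st failure, so the later attempts are failing against a locked account, not probing a live one. The alert is still worth a ticket to the partner, because a locked-out automated job can keep tripping the rule indefinitely and mask a real attack from the same range.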


Frequently asked questions

What does the 200-201 exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 200-201 topics?
Use the topic links above to move to related areas, or go back to the 200-201 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-201 exam covers. They are not copied from any real exam or dump site.