Cisco CyberOps Sample Questions for 350-201 Exam Mastery

1. chmod 666

2. chmod 774

3. chmod 775

4. chmod 777

1. Exclude the step “BAN malicious IP” to allow analysts to conduct and track the remediation

2. Include a step “Take a Snapshot” to capture the endpoint state to contain the threat for analysis

3. Exclude the step “Check for GeoIP location” to allow analysts to analyze the location and the associated risk based on asset criticality

4. Include a step “Reporting” to alert the security department of threats identified by the SOAR reporting engine

1. Determine the assets to which the attacker has access

2. Identify assets the attacker handled or acquired

3. Change access controls to high risk assets in the enterprise

4. Identify movement of the attacker in the enterprise

1. Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests.

2. Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates.

3. Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed.

4. Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates.

1. Remove the shortcut files

2. Check the audit logs

3. Identify affected systems

4. Investigate the malicious URLs

1. No database files were disclosed

2. The database files were disclosed

3. The database files integrity was violated

4. The database files were intentionally corrupted, and encryption is possible

1. Run and analyze the DLP Incident Summary Report from the Email Security Appliance

2. Ask the company to execute the payload for real time analysis

3. Investigate further in open source repositories using YARA to find matches

4. Obtain a copy of the file for detonation in a sandbox

1. Move the IPS to after the firewall facing the internal network

2. Move the IPS to before the firewall facing the outside network

3. Configure the proxy service on the IPS

4. Configure reverse port forwarding on the IPS

1. Identify the business applications running on the assets

2. Update software to patch third-party software

3. Validate CSRF by executing exploits within Metasploit

4. Fix applications according to the risk scores

1. Mask PAN numbers

2. Encrypt personal data

3. Encrypt access

4. Mask sales details

1. It does not cover the costs to restore stolen identities as a result of a cyber attack

2. It does not cover the costs to hire forensics experts to analyze the cyber attack

3. It does not cover the costs of damage done by third parties as a result of a cyber attack

4. It does not cover the costs to hire a public relations company to help deal with a cyber attack

1. customer data

2. internal database

3. internal cloud

4. Internet

1. compromised insider

2. compromised root access

3. compromised database tables

4. compromised network

1. accessing the Active Directory server

2. accessing the server with financial data

3. accessing multiple servers

4. downloading more than 10 files

1. Host a discovery meeting and define configuration and policy updates

2. Update the IDS/IPS signatures and reimage the affected hosts

3. Identify the systems that have been affected and tools used to detect the attack

4. Identify the traffic with data capture using Wireshark and review email filters

1. use of the Nmap tool to identify the vulnerability when the new code was deployed

2. implementation of a firewall and intrusion detection system

3. implementation of an endpoint protection system

4. use of SecDevOps to detect the vulnerability during development

1. Run the program through a debugger to see the sequential actions

2. Unpack the file in a sandbox to see how it reacts

3. Research the malware online to see if there are noted findings

4. Disassemble the malware to understand how it was constructed

1. Move the IPS to after the firewall facing the internal network

2. Move the IPS to before the firewall facing the outside network

3. Configure the proxy service on the IPS

4. Configure reverse port forwarding on the IPS

1. Classify the criticality of the information, research the attacker’s motives, and identify missing patches

2. Determine the damage to the business, extract reports, and save evidence according to a chain of custody

3. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited

4. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan

1. clear perspective into the risk position of an organization

2. improved visibility on quantifiable information

3. improved mitigation techniques for unknown threats

4. clear procedures and processes for organizational risk

1. diagnostic

2. qualitative

3. predictive

4. statistical

1. Mask PAN numbers

2. Encrypt personal data

3. Encrypt access

4. Mask sales details

1. continuous delivery

2. continuous integration

3. continuous deployment

4. continuous monitoring

1. customer data

2. internal database

3. internal cloud

4. Internet

1. System maintenance is delegated to software systems

2. Comprehensive initial designs support robust systems

3. Scripts and manual configurations work together to ensure repeatable routines

4. System downtime is grouped and scheduled across the infrastructure

1. x-frame-options

2. x-content-type-options

3. x-xss-protection

4. x-test-debug

1. Identify the business applications running on the assets

2. Update software to patch third-party software

3. Validate CSRF by executing exploits within Metasploit

4. Fix applications according to the risk scores

1. Modify the alert rule to “output alert_syslog: output log”

2. Modify the output module rule to “output alert_quick: output filename”

3. Modify the alert rule to “output alert_syslog: output header”

4. Modify the output module rule to “output alert_fast: output filename”

1. Perform a vulnerability assessment

2. Conduct a data protection impact assessment

3. Conduct penetration testing

4. Perform awareness testing

1. Create a rule triggered by 3 failed VPN connection attempts in an 8-hour period

2. Create a rule triggered by 1 successful VPN connection from any nondestination country

3. Create a rule triggered by multiple successful VPN connections from the destination countries

4. Analyze the logs from all countries related to this user during the traveling period

1. Limit the number of API calls that a single client is allowed to make

2. Add restrictions on the edge router on how often a single client can access the API

3. Reduce the amount of data that can be fetched from the total pool of active clients that call the API

4. Increase the application cache of the total pool of active clients that call the API

1. Assess the network for unexpected behavior

2. Isolate critical hosts from the network

3. Patch detected vulnerabilities from critical hosts

4. Perform analysis based on the established risk factors

1. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack

2. Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities

3. Review the server backup and identify server content and data criticality to assess the intrusion risk

4. Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious

1. domain belongs to a competitor

2. log in during non-working hours

3. email forwarding to an external domain

4. log in from a first-seen country

1. aligning access control policies

2. exfiltration during data transfer

3. attack using default accounts

4. data exposure from backups

1. Contain the malware

2. Install IPS software

3. Determine the escalation path

4. Perform vulnerability assessment

1. incident response playbooks

2. asset vulnerability assessment

3. report of staff members with asset relations

4. malware analysis report

1. Remove the shortcut files

2. Check the audit logs

3. Identify affected systems

4. Investigate the malicious URLs

1. Run the program through a debugger to see the sequential actions

2. Unpack the file in a sandbox to see how it reacts

3. Research the malware online to see if there are noted findings

4. Disassemble the malware to understand how it was constructed

1. Use command ip verify reverse-path interface

2. Use global configuration command service tcp-keepalives-out

3. Use subinterface command no ip directed-broadcast

4. Use logging trap 6

1. Utilize the SaaS tool team to gather more information on the potential breach

2. Contact the incident response team to inform them of a potential breach

3. Organize a meeting to discuss the services that may be affected

4. Request that the purchasing department creates and sends the payments manually

1. Create an ACL on the firewall to allow only TLS 1.3

2. Implement a proxy server in the DMZ network

3. Create an ACL on the firewall to allow only external connections

4. Move the webserver to the internal network

1. diagnostic

2. qualitative

3. predictive

4. statistical

1. with a key log file using per-session secrets

2. using an RSA public key

3. by observing DH key exchange

4. by defining a user-specified decode-as

1. x-frame-options

2. x-xss-protection

3. x-content-type-options

4. x-test-debug

1. NetFlow and event data

2. event data and syslog data

3. SNMP and syslog data

4. NetFlow and SNMP

1. DDoS attack

2. phishing attack

3. virus outbreak

4. malware outbreak

1. DLP for data in motion

2. DLP for removable data

3. DLP for data in use

4. DLP for data at rest

1. Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests.

2. Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates.

3. Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed.

4. Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates.

1. HIPAA

2. FISMA

3. COBIT

4. PCI DSS

It is the core exam for the Cisco Certified CyberOps Professional credential, testing advanced knowledge in cybersecurity operations, threat analysis, and incident response.

To earn the CyberOps Professional certification, you must pass the 350-201 CBRCOR (core exam) and one Cisco concentration exam focused on cybersecurity operations.

There are no formal prerequisites, but Cisco recommends 3–5 years of experience in cybersecurity operations or security analysis.

The 350-201 CBRCOR exam costs $400 USD, and each concentration exam costs $300 USD.

The exam typically includes 90–110 questions.

It covers threat hunting, digital forensics, security monitoring, network intrusion analysis, and automation.

It is an advanced-level exam, requiring strong knowledge of cybersecurity tools, analytics, and response frameworks.

Most professionals take 10–12 weeks of preparation, depending on experience and study hours.

You can work as a Security Analyst, SOC Engineer, Cybersecurity Consultant, or Incident Response Specialist.

Professionals typically earn between $95,000–$140,000 annually, depending on skills and experience.