CertGrid
Cisco Certification

Cisco CCNP Security SCOR (350-701) Practice Exam

Validates implementing core security technologies — network/cloud/content security, endpoint protection, secure access, and automation.

Practice 299 exam-style Cisco CCNP Security SCOR (350-701) questions with full answer explanations, then take timed mock exams that score like the real thing.

Start practicing free Sign in
299
Practice questions
100
On the real exam
825
Passing score
120 min
Exam length

What the Cisco CCNP Security SCOR (350-701) exam covers

Free Cisco CCNP Security SCOR (350-701) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 299.

  1. Question 1Security Concepts

    Which model assumes no implicit trust and verifies every access request?

    • AZero trustCorrect
    • BImplicit internal trust
    • CPerimeter-only trust
    • DOpen access
    ✓ Correct answer: A

    Zero trust assumes no implicit trust, verifying every access request and device before granting access regardless of network location. This implementation meets security requirements and industry best practices. B (Implicit internal trust) is incorrect because does not provide the specific security capability that Zero trust delivers. C (Perimeter-only trust) is incorrect because does not provide the specific security capability that Zero trust delivers.

  2. Question 2Securing the Cloud

    Which protects against malicious domains by enforcing DNS-layer security?

    • AA patch panel
    • BA modem
    • CCisco UmbrellaCorrect
    • DA hub
    ✓ Correct answer: C

    Cisco Umbrella blocks DNS resolution of known-malicious domains before client connections are established. This control protects systems and data from unauthorized access and compromise.

    Why the other options are wrong
    • AA (A patch panel) is incorrect because is hardware infrastructure, not a security service or policy mechanism. B (A modem) is incorrect because is hardware infrastructure, not a security service or policy mechanism.
  3. Question 3Securing the Cloud

    To control cost when running Cisco Secure Firewall (FTDv) in the cloud, which licensing model bills only for the hours the instance runs?

    • APer-VLAN charges on the switch
    • BPay-as-you-go (PAYG) / hourly marketplace licensingCorrect
    • CA one-time DNS registration fee
    • DPerpetual on-prem appliance licensing
    ✓ Correct answer: B

    Pay-as-you-go (PAYG) / hourly marketplace licensing directly provides the required security capability. This implementation meets security requirements and industry best practices.

    Why the other options are wrong
    • AA (Per-VLAN charges on the switch) is incorrect because does not provide the specific security capability that Pay-as-you-go (PAYG) / hourly marketplace licensing delivers.
    • CC (A one-time DNS registration fee) is incorrect because handles network services but not the security control or authentication required.
  4. Question 4Network Security

    On a Cisco switch, which command enables port security and restricts a port to a single dynamically learned MAC that survives reboot?

    • Aswitchport port-security violation shutdown
    • Bswitchport port-security mac-address stickyCorrect
    • Cswitchport mode access
    • Dswitchport port-security maximum 10
    ✓ Correct answer: B

    switchport port-security mac-address sticky directly provides the required security capability. This implementation meets security requirements and industry best practices.

    Why the other options are wrong
    • AA (switchport port-security violation shutdown) is incorrect because does not provide the specific security capability that switchport port-security mac-address sticky delivers. C (switchport mode access) is incorrect because does not provide the specific security capability that switchport port-security mac-address sticky delivers.
  5. Question 5Security Concepts

    When designing a zero-trust architecture, what is the recommended relationship between the policy decision point (PDP) and the policy enforcement point (PEP)?

    • APDP and PEP must always run on the same physical device for security
    • BThe PDP evaluates trust/policy centrally while distributed PEPs enforce the decision close to each resourceCorrect
    • CThe PEP makes all trust decisions and the PDP only logs them
    • DBoth must be placed only at the internet perimeter
    ✓ Correct answer: B

    the PDP evaluates trust/policy centrally while distributed PEPs enforce the decision close to each resource verifies the identity of a user, device, or system through credentials. This implementation meets security requirements and industry best practices.

    Why the other options are wrong
    • AA (PDP and PEP must always run on the same physical device for security) is incorrect because does not provide the specific security capability that the PDP evaluates trust/policy centrally while distributed PEPs enforce the decision close to each resource delivers. C (The PEP makes all trust decisions and the PDP only logs them) is incorrect because does not provide the specific security capability that the PDP evaluates trust/policy centrally while distributed PEPs enforce the decision close to each resource delivers.
  6. Question 6Security Concepts

    In an IKEv2 IPsec tunnel, which Diffie-Hellman behavior provides Perfect Forward Secrecy (PFS) for the Child SA?

    • APFS is provided automatically by AES-GCM regardless of DH
    • BThe Child SA reuses the IKE SA keying material to save CPU
    • CPFS is achieved by lengthening the SA lifetime
    • DA fresh DH exchange is performed during the CREATE_CHILD_SA rekey so session keys aren't derived from the IKE SA keyCorrect
    ✓ Correct answer: D

    A fresh DH exchange is performed during the CREATE_CHILD_SA rekey so session keys aren't derived from the IKE SA key is a core security objective that prevents unauthorized disclosure of sensitive data. This implementation meets security requirements and industry best practices.

    Why the other options are wrong
    • AA (PFS is provided automatically by AES-GCM regardless of DH) is incorrect because does not provide the specific security capability that A fresh DH exchange is performed during the CREATE_CHILD_SA rekey so session keys aren't derived from the IKE SA key delivers. B (The Child SA reuses the IKE SA keying material to save CPU) is incorrect because does not provide the specific security capability that A fresh DH exchange is performed during the CREATE_CHILD_SA rekey so session keys aren't derived from the IKE SA key delivers.
  7. Question 7Secure Network Access, Visibility, Enforcement

    Which protocol exports flow records (source/dest IP, ports, bytes) from Cisco devices to a collector for traffic visibility?

    • ADHCP
    • BNTP
    • CnetFlow/IPFIXCorrect
    • DARP
    ✓ Correct answer: C

    Professional vendor-style explanation for CCNP-SCOR question 180

  8. Question 8Security Concepts

    When automating security policy provisioning, why is using a REST API with token-based authentication preferred over screen-scraping the device CLI?

    • AIt encrypts the disk on the device
    • BIt removes the need for change control
    • CIt returns structured data (JSON/XML) and stable, versioned endpoints that are reliable to parse and integrateCorrect
    • DIt eliminates the need for any authentication
    ✓ Correct answer: C

    Professional vendor-style explanation for CCNP-SCOR question 210

  9. Question 9Network Security

    Users behind a Secure Firewall (FTD) report that a newly added internal web server is unreachable, while a packet-tracer shows the connection allowed by the access policy but dropped with reason 'no route'. What is the most likely cause?

    • AThe access control rule is misordered below the default block
    • BThe FTD lacks a route to the server's subnet, so it cannot egress the connectionCorrect
    • CThe NAT rule is translating the source incorrectly
    • DTLS decryption is corrupting the session
    ✓ Correct answer: B

    Professional vendor-style explanation for CCNP-SCOR question 240

  10. Question 10Security Concepts

    Which Diffie-Hellman group offers stronger key strength using elliptic-curve cryptography for IKE negotiation?

    • AGroup 2 (1024-bit MODP)
    • BGroup 19 (256-bit ECP)Correct
    • CGroup 1 (768-bit MODP)
    • DGroup 5 (1536-bit MODP)
    ✓ Correct answer: B

    Professional vendor-style explanation for CCNP-SCOR question 270

Unlock all 299 Cisco CCNP Security SCOR (350-701) questions

Cisco CCNP Security SCOR (350-701) practice exam FAQ

How many questions are in the Cisco CCNP Security SCOR (350-701) practice exam on CertGrid?

CertGrid has 299 practice questions for Cisco CCNP Security SCOR (350-701), covering 6 exam domains. The real Cisco CCNP Security SCOR (350-701) exam has about 100 questions.

What is the passing score for Cisco CCNP Security SCOR (350-701)?

The Cisco CCNP Security SCOR (350-701) exam passing score is 825, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official Cisco CCNP Security SCOR (350-701) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of Cisco CCNP Security SCOR (350-701), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice Cisco CCNP Security SCOR (350-701) for free?

Yes. You can start practicing Cisco CCNP Security SCOR (350-701) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.