Cisco Certified CyberOps Associate (200-201 CBROPS) Practice Exam
Validates the foundational skills of a security operations center (SOC) analyst: security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures. Focused on defensive blue-team knowledge for monitoring, detecting, and responding to threats.
Practice 730 exam-style Cisco Certified CyberOps Associate (200-201 CBROPS) questions with full answer explanations, then take timed mock exams that score like the real thing.
Question bank reviewed Jul 2026.
What the Cisco Certified CyberOps Associate (200-201 CBROPS) exam covers
- Security Concepts146 questions
- Security Monitoring182 questions
- Host-Based Analysis146 questions
- Network Intrusion Analysis146 questions
- Security Policies and Procedures110 questions
Free Cisco Certified CyberOps Associate (200-201 CBROPS) sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 730.
-
A CVSS Base metric captures the level of access an attacker must already possess on the target system, such as none, low, or high privileges, before they can successfully exploit a given vulnerability. Which metric is this?
- AScope
- BPrivileges RequiredCorrect
- CAttack Vector
- DAttack Complexity
✓ Correct answer: BPrivileges Required is the CVSS Base metric that expresses the level of access rights, rated None, Low, or High, that an attacker must possess on the vulnerable system before successfully carrying out an attack, exactly as described. Scope instead reflects whether exploitation impacts resources beyond the vulnerable component itself, Attack Complexity reflects conditions beyond attacker control needed for success, and Attack Vector reflects the path used to reach the vulnerability, none of which describe prior attacker privilege level.
Why the other options are wrong- AScope reflects whether an exploited vulnerability can impact resources beyond its own security authority, not the attacker's prior privilege level.
- CAttack Vector reflects the network, adjacent, local, or physical path to the vulnerability, not the attacker's prior privilege level.
- DAttack Complexity reflects conditions beyond the attacker's control needed for exploitation, not the attacker's required prior access.
-
A monitoring sensor receives a mirrored copy of network traffic, analyzes it for malicious patterns, and raises an alert, but the original packets continue to their destination untouched. What is this sensor?
- AAn inline intrusion prevention system
- BAn out-of-band intrusion detection systemCorrect
- CA reverse proxy server security appliance
- DA next generation network firewall appliance
✓ Correct answer: BAn IDS is deployed passively, typically off a SPAN port or tap, so it only ever sees a copy of traffic. It can alert on malicious activity but has no mechanism to drop or block the original packets, which continue unimpeded. This is the key contrast with an inline IPS.
Why the other options are wrong- AAn inline IPS sits directly in the traffic path so it can drop malicious packets, not merely receive a mirrored copy.
- CA reverse proxy terminates and relays connections on behalf of servers; it does not passively monitor a mirrored traffic feed.
- DA next generation firewall enforces policy on live traffic passing through it rather than passively analyzing a mirrored copy.
-
A phishing investigation finds that inbound messages originate from the domain micros0ft-support.com, using a zero in place of the letter o, closely mimicking a well known vendor's name in the sender address. What technique does the attacker's domain choice represent?
- AFast flux DNS infrastructure rotating among many hosting providers
- BDNS amplification abusing an open resolver against a victim
- CDNS cache poisoning corrupting resolution of the vendor's real domain
- DTyposquatting a lookalike domain to impersonate a trusted brandCorrect
✓ Correct answer: DTyposquatting registers domain names that closely resemble a legitimate brand, often through character substitution such as a zero for the letter o, so recipients glancing at the sender address believe the mail is genuine. This technique is commonly paired with phishing campaigns because it does not require compromising the real vendor's infrastructure at all.
Why the other options are wrong- AFast flux describes rapidly rotating IP addresses for resilience, not the choice of a visually similar domain name for impersonation.
- BDNS amplification abuses open resolvers to flood a victim with traffic and has no connection to registering a lookalike sender domain.
- CCache poisoning would corrupt resolution of the vendor's actual, legitimate domain rather than requiring the attacker to register a separate lookalike domain.
-
How does the Online Certificate Status Protocol (OCSP) improve on CRL checking for certificate validation?
- AIt removes the requirement for a public key field
- BIt lets a client query one certificate's live statusCorrect
- CIt permanently caches a decision with no more checks
- DIt removes the need for a certificate authority
✓ Correct answer: BRather than fetching and parsing a potentially large CRL, a client using OCSP sends a request about one specific certificate and receives a quick good, revoked, or unknown response, reducing bandwidth and latency. OCSP does not eliminate the need for a CA, does not remove the certificate's public key requirement, and responses are typically time-bound rather than cached permanently.
Why the other options are wrong- ACertificates still require a public key regardless of whether OCSP or CRL checking is used.
- COCSP responses are time-bound and are periodically re-checked, not cached permanently.
- DOCSP still relies on a certificate authority or its designated responder; it does not eliminate the CA.
-
Which detection method establishes a profile of normal network or user activity and generates alerts when observed behavior deviates significantly from that profile?
- AAnomaly-based detectionCorrect
- BReputation-based detection
- CPolicy-based detection
- DSignature-based detection
✓ Correct answer: AAnomaly (behavioral) detection first builds a statistical baseline of what normal activity looks like for a host, user, or network segment, then continuously compares live activity against that baseline. Significant deviations, such as unusual data volumes or access times, are flagged as potential threats even without a known signature. This makes it valuable for catching novel or insider threats that pattern-matching tools would miss.
Why the other options are wrong- BReputation-based detection evaluates the trust score of an external source such as an IP or domain, not behavioral deviation.
- CPolicy-based detection checks activity against administratively defined rules of acceptable use rather than a learned statistical baseline.
- DSignature-based detection compares activity to a fixed database of known attack patterns rather than a learned baseline.
-
A 'technique' in MITRE ATT&CK describes:
- AThe specific method used to achieve a given tacticCorrect
- BThe overall business objective of the attacking organization
- CThe legal custody chain required for handling evidence
- DThe volatility ranking assigned to a piece of forensic data
✓ Correct answer: AWhile a tactic describes the why, a technique describes the how, detailing a particular method such as spearphishing attachments or process injection used to achieve that tactical goal. Techniques can be further broken down into sub-techniques for even greater specificity.
Why the other options are wrong- BA business objective describes organizational motive, not the technical method captured by an ATT&CK technique.
- CEvidence custody chains are a forensic handling practice unrelated to the ATT&CK technique definition.
- DVolatility ranking is an evidence-collection principle, not part of the ATT&CK technique definition.
-
The Diamond Model's 'infrastructure' feature would most likely include which artifact from an intrusion event?
- AThe exploit code specifically used against a vulnerable service
- BThe specific business unit whose data was targeted
- CThe command-and-control domain used to relay stolen dataCorrect
- DThe threat actor group's known aliases and handles
✓ Correct answer: CInfrastructure encompasses the physical or logical communication paths the adversary uses, such as C2 domains, IP addresses, or hosting servers, to deliver capabilities or exfiltrate data. This is distinct from the adversary's identity or the tools that make up their capability.
Why the other options are wrong- AExploit code represents the capability feature, since it is the technical tool used in the attack.
- BThe targeted business unit represents the victim feature, not the infrastructure used by the adversary.
- DKnown aliases identify the threat actor, which falls under the adversary feature, not infrastructure.
-
A web application firewall inspects HTTP request bodies for a known malicious keyword, but an attacker sends the request using chunked transfer encoding, splitting the keyword across multiple small chunks so the full pattern never appears contiguously in any single chunk. Which concept does this exploit?
- AManipulating an HTTP header field so payload segmentation defeats pattern matchingCorrect
- BTunneling the HTTP request inside an unrelated network protocol entirely
- CEncrypting the entire HTTP request body so its content cannot be read by the sensor at all
- DRandomizing the source port of the HTTP request to evade session tracking
✓ Correct answer: AChunked transfer encoding is controlled through an HTTP header directive that changes how the body is delimited and delivered, and an attacker can exploit this framing to split a known-bad keyword across multiple chunk boundaries so no single chunk contains the full contiguous pattern a signature is looking for. A sensor must fully reassemble the chunked body before inspecting it to reliably catch this technique.
Why the other options are wrong- BThis scenario does not wrap HTTP inside another protocol entirely, it manipulates how the existing HTTP body is chunked and delivered.
- CChunked encoding does not encrypt content, it only changes how the body is delimited and transmitted, leaving the data itself in plaintext.
- DSource port randomization affects session tracking, not how the request body's keyword pattern is split across chunk boundaries.
-
Which two limitations apply to relying solely on flow data for intrusion detection, without supplementing it with other data sources? (Choose two.)
- ASampled export configurations may miss low volume malicious activity entirelyCorrect
- BIt cannot reveal the specific exploit code or malware payload used in an attackCorrect
- CIt cannot record which source and destination IP addresses communicated
- DIt is unable to record how many packets or bytes were exchanged in a session
✓ Correct answer: A, BSince flow records never capture packet contents, any detection that depends on reading the actual payload is impossible from flow data alone, and when sampling is enabled, activity generating only a handful of packets can slip through unrecorded entirely. Both are genuine, well-known limitations of flow-only monitoring.
Why the other options are wrong- CSource and destination IP addresses are core fields that flow records always include as part of the flow key.
- DByte and packet counts are standard fields that flow records are specifically designed to capture.
-
What is the primary mission of a Product Security Incident Response Team (PSIRT)?
- ATo respond to phishing emails reported by employees using the corporate email system
- BTo physically secure data center facilities against unauthorized entry and theft attempts
- CTo monitor internal network traffic for signs of compromise on employee workstations
- DTo manage and coordinate disclosure of vulnerabilities found in the vendor's own productsCorrect
✓ Correct answer: DA PSIRT focuses outward on the security of the products or services a company builds and sells, handling vulnerability reports from researchers and customers, coordinating fixes, and publishing advisories. This differs from a CSIRT, which protects the organization's own internal infrastructure.
Why the other options are wrong- AHandling employee-reported phishing emails is typically an internal CSIRT or security operations function, not the PSIRT's product-focused mission.
- BPhysical security of data center facilities is handled by a facilities or physical security team, unrelated to product vulnerability coordination.
- CMonitoring internal workstation traffic for compromise is internal network defense, which falls to the CSIRT or SOC, not the PSIRT.
Cisco Certified CyberOps Associate (200-201 CBROPS) practice exam FAQ
How many questions are in the Cisco Certified CyberOps Associate (200-201 CBROPS) practice exam on CertGrid?
CertGrid has 730 practice questions for Cisco Certified CyberOps Associate (200-201 CBROPS), covering 5 exam domains. The real Cisco Certified CyberOps Associate (200-201 CBROPS) exam has about 95 questions.
What is the passing score for Cisco Certified CyberOps Associate (200-201 CBROPS)?
The Cisco Certified CyberOps Associate (200-201 CBROPS) exam passing score is 750, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official Cisco Certified CyberOps Associate (200-201 CBROPS) exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of Cisco Certified CyberOps Associate (200-201 CBROPS), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice Cisco Certified CyberOps Associate (200-201 CBROPS) for free?
Yes. You can start practicing Cisco Certified CyberOps Associate (200-201 CBROPS) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.