Cisco CCNP Security SCOR (350-701) Study Guide
The Cisco CCNP Security SCOR (350-701) exam validates the ability to implement and operate core security technologies across network, cloud, content, and endpoint security, plus secure network access, visibility, and automation. It is a 120-minute exam (about 90-110 questions, passing score 825/1000) that serves as both the core exam for the CCNP Security certification and the qualifying exam for CCIE Security. It targets network and security engineers with several years of hands-on experience deploying Cisco security solutions.
Domain 1: Security Concepts
- The CIA triad is Confidentiality (data accessible only to authorized parties), Integrity (data is unaltered), and Availability (systems/data reachable when needed); every control maps to protecting one of these pillars.
- Zero trust assumes no implicit trust based on network location and verifies every request continuously using identity, device posture, and context before granting least-privilege access.
- AAA splits into Authentication (proving who you are), Authorization (what you may do), and Accounting (logging what you did); RADIUS combines authn/authz in one exchange while TACACS+ separates all three.
- Symmetric encryption (AES) is fast and used for bulk/VPN data confidentiality; asymmetric crypto (RSA, ECDSA, Diffie-Hellman) is slower and used to exchange session keys and for digital signatures.
- Digital signatures and HMAC both provide integrity and authenticity; HMAC uses a shared secret while a digital signature uses the sender's private key and is verified with the public key.
- Defense in depth layers multiple controls (perimeter NGFW, internal IPS, endpoint protection, segmentation, encryption) so the failure of one control does not lead to full compromise.
- A DDoS attack uses a distributed botnet to flood a target's bandwidth, CPU, or connection table, attacking the Availability pillar of the CIA triad.
- AES-GCM provides authenticated encryption (confidentiality plus integrity in one pass) and is faster on hardware than AES-CBC with separate HMAC, lowering CPU cost per Gbps.
- service password-encryption applies weak, reversible Type 7 encoding; username ... algorithm-type scrypt secret produces strong Type 9 (scrypt) hashes for local users.
- crypto key generate rsa modulus 2048 creates the RSA key pair required to enable SSH; SSHv2 should replace Telnet for management-plane access.
- show crypto ikev2 sa displays negotiated IKEv2 security associations; show crypto ipsec sa shows the IPsec SAs and encrypted packet counters.
- In a policy-based zero-trust architecture, the Policy Decision Point (PDP) evaluates trust centrally while distributed Policy Enforcement Points (PEPs) enforce the decision near each resource.
- Cisco SecureX (now folded into Cisco XDR) integrates security products for unified visibility, correlated telemetry, and faster response, reducing tool sprawl and MTTR.
- Common attack categories to know: reconnaissance, MITM/on-path attacks, replay, phishing/social engineering, privilege escalation, buffer overflow, and SQL injection; map each to the CIA pillar it threatens.
Domain 2: Network Security
- A stateful firewall tracks connection state and auto-permits return traffic of an established session; a stateless ACL evaluates each packet independently with no session awareness.
- Cisco Secure Firewall (Firepower Threat Defense / FTD) is the NGFW that adds AVC, URL filtering, Advanced Malware Protection, and Snort-based IPS on top of stateful inspection; managed by FMC or FDM.
- An IPsec site-to-site VPN uses IKE (Phase 1 negotiates the ISAKMP/IKE SA and authenticates peers; Phase 2 negotiates the IPsec SAs) and ESP to encrypt and authenticate the data.
- IKEv2 is the modern key-exchange protocol with built-in NAT traversal, EAP support, fewer messages than IKEv1, and asymmetric authentication; it replaces IKEv1 main/aggressive mode.
- DMVPN builds scalable dynamic site-to-site tunnels using mGRE, NHRP, and IPsec; Phase 3 enables direct dynamic spoke-to-spoke tunnels with NHRP redirects, removing hub data-plane bottlenecks.
- A DMZ is a segmented zone for internet-facing servers (web, mail, DNS) so a compromise there gives no direct path to the internal network.
- TACACS+ is Cisco-proprietary, runs over TCP/49, encrypts the entire payload, and separates AAA, making it preferred for device administration with per-command authorization.
- Layer 2 hardening on Cisco switches: DHCP snooping blocks rogue DHCP servers, Dynamic ARP Inspection (DAI) stops ARP spoofing, and port security limits MAC addresses per port.
- ip dhcp snooping trust marks an uplink toward a legitimate DHCP server as trusted; switchport port-security mac-address sticky learns and pins the connected MAC.
- ip arp inspection vlan 20 enables DAI for VLAN 20; DAI validates ARP packets against the DHCP snooping binding table on untrusted ports.
- Unicast Reverse Path Forwarding (uRPF) drops packets whose source address fails a return-path check, mitigating IP source-address spoofing (strict vs loose mode).
- Management-plane hardening: use SSH not Telnet, apply VTY ACLs, place management out-of-band, and use TACACS+ with role-based per-command authorization plus MFA.
- To scale Secure Firewall performance, use prefilter fastpath / hardware flow offload for trusted high-volume flows, place high-hit rules at the top of the policy, and tune the intrusion policy with Firepower Recommendations.
- Size a Secure Firewall to real throughput measured with IPS and TLS decryption enabled, since deep inspection sharply reduces rated throughput compared to plain firewalling.
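As an added example (not from the page or from Cisco), a small Python audit that checks an IOS running-config excerpt for the hardening points in Domain 1 and Domain 2: Type 7 credentials instead of Type 9 scrypt secrets, Telnet on VTY lines, and VLANs with DHCP snooping but no DAI. The config text, the Type 7 string and the $9$ hash are constructed placeholders, and VLAN matching handles single VLAN IDs only.

```python
import re

# Constructed IOS running-config excerpt (not from a real device); the Type 7
# string and the $9$ hash are placeholders, not real credentials.
SAMPLE_CONFIG = """\
service password-encryption
username ops password 7 094F471A1A0A
username admin algorithm-type scrypt secret 9 $9$PLACEHOLDERHASH
ip dhcp snooping
ip dhcp snooping vlan 20
ip dhcp snooping vlan 30
ip arp inspection vlan 20
line vty 0 4
 transport input telnet ssh
 login local
"""


def audit_ios_config(config: str) -> list[str]:
    """Return hardening findings for an IOS config (SCOR Domain 1/2 checks)."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]

    # Type 7 is reversible encoding, not a hash: flag every user still using it.
    for ln in lines:
        m = re.match(r"username (\S+) .*password 7 ", ln)
        if m:
            findings.append(
                f"user {m.group(1)}: Type 7 password; use 'algorithm-type scrypt secret'"
            )

    # Telnet on a VTY line: the management plane should be SSHv2 only.
    in_vty = False
    for ln in lines:
        if ln.startswith("line vty"):
            in_vty = True
        elif ln and not ln.startswith(" "):
            in_vty = False  # any unindented line ends the 'line vty' block
        elif in_vty and "transport input" in ln and "telnet" in ln.split():
            findings.append(f"VTY: '{ln.strip()}' allows Telnet; use 'transport input ssh'")

    # DHCP snooping builds the binding table DAI validates against; a VLAN with
    # snooping but no DAI is still open to ARP spoofing. Single VLAN IDs only.
    snooped, inspected = set(), set()
    for ln in lines:
        m = re.match(r"ip dhcp snooping vlan (\d+)$", ln)
        if m:
            snooped.add(m.group(1))
        m = re.match(r"ip arp inspection vlan (\d+)$", ln)
        if m:
            inspected.add(m.group(1))
    for vlan in sorted(snooped - inspected, key=int):
        findings.append(f"VLAN {vlan}: DHCP snooping on but DAI off")
    return findings
```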
Domain 3: Securing the Cloud
- The shared responsibility model splits duties: the provider secures the underlying infrastructure (hardware, hypervisor, fabric) while the customer secures data, IAM, OS, application config, and network rules; the boundary shifts across IaaS, PaaS, and SaaS.
- Cloud security best practices center on least-privilege IAM, encryption of data at rest (cloud KMS or customer-managed keys) and in transit (TLS), and network/micro-segmentation.
- A Cloud Access Security Broker (CASB) sits between users and SaaS apps to give visibility into shadow IT, enforce DLP, and apply access policy; Cisco Umbrella and Cisco Cloudlock provide CASB functions.
- Cisco Umbrella enforces DNS-layer security by resolving queries through threat-intelligence-checked recursive resolvers, blocking malicious domains before a connection is made, on or off network.
- ip name-server 208.67.222.222 208.67.220.220 points a device at the Umbrella (OpenDNS) public resolvers for DNS-layer protection.
- Cisco Secure Workload (formerly Tetration) provides application-dependency mapping and micro-segmentation, pushing host-based firewall rules into each workload's OS firewall via an agent.
- Micro-segmentation isolates workloads down to the individual VM/container with default-deny east-west policy and explicit allow rules, limiting lateral movement; policy follows the workload regardless of IP or location.
- Zero Trust Network Access (ZTNA), delivered by Cisco Secure Access, brokers per-application sessions after continuous identity and posture checks, replacing broad network-level VPN access.
- Securing cloud APIs requires strong authentication (OAuth tokens/API keys), least-privilege IAM roles, and TLS for data in transit.
- Follow least privilege with scoped IAM policies (e.g., grant only s3:GetObject) and use IAM roles with STS short-lived temporary credentials rather than long-lived access keys.
- The most common cloud-storage breach cause is a misconfigured bucket/blob left publicly accessible, not a provider failure.
- Cloud licensing models include pay-as-you-go (PAYG)/hourly marketplace consumption and Cisco Smart Licensing with a Smart Account holding shared license pools.
- For elastic cost control, auto-scale agent licensing with workloads and decommission agents when instances terminate; bake security agents into the golden image.
- Reduce cloud telemetry egress cost by aggregating, compressing, and filtering data before export and keeping analysis in-region; in cloud DLP, scope decryption selectively rather than inspecting everything.
Domain 4: Content Security
- A Secure Web Gateway (SWG) / web proxy sits inline for HTTP/HTTPS to perform URL categorization and filtering, malware scanning of downloads, and DLP; Cisco Secure Web Appliance (WSA) and cloud Umbrella SIG provide it.
- Cisco Secure Web Appliance (WSA) operates in explicit mode (clients point at the proxy) or transparent mode (traffic redirected via WCCP/PBR); explicit mode requires client/PAC configuration.
- An email security gateway (Cisco Secure Email / ESA) blocks spam, phishing, and malicious attachments/links using Talos reputation, anti-spam engines, URL filtering, and file sandboxing.
- SPF authorizes which mail servers may send for a domain (DNS TXT record), DKIM cryptographically signs messages, and DMARC ties SPF/DKIM alignment to a published policy and reporting.
- DMARC policy p=none only monitors and reports; p=quarantine sends failing mail to spam; p=reject blocks it outright, so p=none does not stop spoofed mail by itself.
- Cisco Umbrella DNS-layer security blocks resolution of malicious domains before any session is established, protecting on- and off-network clients with minimal latency.
- SenderBase Reputation Score (SBRS) / IP Reputation lets the ESA reject obvious spam and invalid senders at connection time before expensive deep content scanning.
- Anti-spam scanning uses SenderBase/IPAS reputation with threshold actions to quarantine or drop spam based on the computed score.
- TLS/SSL decryption (SSL interception) terminates the client's TLS session, inspects the plaintext for malware/DLP/URL policy, then re-encrypts; it requires a trusted CA cert on clients and a defined privacy policy.
- Use selective decryption: bypass sensitive categories (banking, healthcare), pinned/critical apps, and trusted update domains, decrypting only what policy requires for both performance and privacy.
- Certificate or public-key pinned connections must be excluded from TLS decryption because the MITM certificate breaks pin validation and the app will fail.
- Cisco Secure Email and Secure Web Appliance both draw threat intelligence from Cisco Talos to identify malicious URLs, files, and senders.
- Improve cloud SWG performance and cost with distributed cloud points of presence close to users, object caching, and bypassing decryption for trusted update domains, avoiding backhaul hairpinning.
- A cloud-delivered SWG applies consistent policy at a nearby cloud edge for direct internet access, reducing latency versus backhauling all traffic to a central data center.
Domain 5: Endpoint Protection and Detection
- Traditional antivirus relies on signature matching and misses novel/fileless threats; EDR adds continuous behavioral monitoring of process, file, network, and registry activity for detection and response.
- Cisco Secure Endpoint (formerly AMP for Endpoints) is a cloud-managed EDR/AV using Talos intelligence and cloud file reputation to detect, block, and investigate malware.
- Retrospective security is Secure Endpoint's signature feature: it records file activity continuously and, when Talos later flags a file as malicious, identifies every endpoint that saw it and can quarantine after the fact.
- Device trajectory and file trajectory visualizations trace a file's path and process lineage across hosts to reconstruct lateral movement and scope an incident.
- Application allow-listing (default-deny, only approved software runs) is among the strongest endpoint controls but breaks legitimate-but-unlisted updates and scripts if not carefully maintained.
- Custom Detections - Simple uses a Blocked Application List to block files by SHA-256 hash; Advanced Custom Detections use signatures for broader matching.
- EDR behavioral detection flags suspicious patterns such as rapid mass file encryption (ransomware) or Word spawning PowerShell to download a payload (living-off-the-land), independent of signatures.
- Endpoint hardening combines disk encryption (BitLocker) for data at rest, EDR for behavioral detection/response, patch management to close exploited vulnerabilities, and least privilege to limit blast radius.
- Upon detection, EDR can perform host-based isolation/quarantine to cut the endpoint off the network while preserving it for investigation.
- Cisco Talos is Cisco's threat-intelligence organization that enriches Secure Endpoint, Secure Email, Secure Web, and firewall products with global threat data.
- The Secure Endpoint connector includes an ISE Posture module integration so ISE can perform endpoint posture assessment and drive network access decisions.
- Reduce endpoint agent overhead by adding exclusions for trusted high-I/O applications and scheduling full scans during off-hours; tune cloud lookup/telemetry to send only necessary events.
- Control endpoint security cost with subscription/consumption licensing reallocated as the workforce fluctuates, and use tiered telemetry retention (rich short-term, critical events long-term).
- Correlated endpoint telemetry reconstructs the full attack chain (initial access through impact) for faster, more accurate scoping than isolated alerts.
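An added Python example (not from the page or from Secure Endpoint) that runs the three detection ideas above over constructed process telemetry: a SHA-256 blocklist in the style of a Simple Custom Detection, a behavioural rule for Office applications spawning a script host, and a retrospective query that scopes every host that ran a file once it is flagged. The hashes, process names and log format are all constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins (not Secure Endpoint data): a blocklist entry built from
# constructed bytes, and parent/child pairs treated as living-off-the-land.
BAD_HASH = hashlib.sha256(b"constructed-sample").hexdigest()
CLEAN_HASH = hashlib.sha256(b"constructed-benign-updater").hexdigest()
BLOCKED_SHA256 = {BAD_HASH}
SUSPICIOUS_LINEAGE = {
    ("winword.exe", "powershell.exe"),
    ("excel.exe", "powershell.exe"),
    ("outlook.exe", "cmd.exe"),
}


@dataclass
class ProcessEvent:
    host: str
    parent: str
    child: str
    sha256: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed telemetry line: host=..|parent=..|child=..|sha256=.."""
    kv = dict(field.split("=", 1) for field in line.strip().split("|"))
    return ProcessEvent(kv["host"], kv["parent"].lower(), kv["child"].lower(), kv["sha256"].lower())


def evaluate(ev: ProcessEvent) -> list[str]:
    """Verdicts from a hash (signature-style) match and/or a behavioural lineage match."""
    verdicts = []
    if ev.sha256 in BLOCKED_SHA256:
        verdicts.append("blocked-hash")
    if (ev.parent, ev.child) in SUSPICIOUS_LINEAGE:
        verdicts.append("suspicious-lineage")
    return verdicts


def retrospective_scope(events, sha256: str) -> set:
    """Retrospective security: every host that executed a file later flagged."""
    return {ev.host for ev in events if ev.sha256 == sha256.lower()}


SAMPLE_LINES = [  # constructed telemetry; PC-02 is clean by hash but not by behaviour
    f"host=PC-01|parent=explorer.exe|child=updater.exe|sha256={CLEAN_HASH}",
    f"host=PC-02|parent=WINWORD.EXE|child=powershell.exe|sha256={CLEAN_HASH}",
    f"host=PC-03|parent=explorer.exe|child=invoice.exe|sha256={BAD_HASH}",
    f"host=PC-04|parent=explorer.exe|child=invoice.exe|sha256={BAD_HASH}",
]
EVENTS = [parse_event(line) for line in SAMPLE_LINES]


def alerts() -> dict:
    """Hosts with at least one verdict, keyed by host name."""
    out = {}
    for ev in EVENTS:
        verdicts = evaluate(ev)
        if verdicts:
            out[ev.host] = verdicts
    return out
```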
Domain 6: Secure Network Access, Visibility, Enforcement
- Cisco Identity Services Engine (ISE) is the NAC/policy platform acting as a RADIUS/TACACS+ server that enforces 802.1X, profiling, posture assessment, and segmentation (TrustSec SGTs).
- IEEE 802.1X is port-based access control with three roles: supplicant (endpoint), authenticator (switch/AP), and authentication server (ISE/RADIUS), carrying EAP over LAN (EAPOL) before the port opens.
- MAC Authentication Bypass (MAB) authenticates non-supplicant devices (printers, cameras) by their MAC address and is combined with device profiling to apply the right authorization while keeping the port under policy.
- ISE Monitor Mode (open authentication with logging) identifies devices that would fail authentication so policy gaps are fixed before Closed/Low-Impact mode enforces and blocks production traffic.
- TACACS+ is preferred for device administration because it separates AAA and supports granular per-command authorization; RADIUS is preferred for network access (802.1X) and end-user authentication.
- Cisco Secure Network Analytics (formerly Stealthwatch) ingests NetFlow/IPFIX/NSEL telemetry and applies behavioral analytics to detect exfiltration, insider threats, and anomalies without inline inspection.
- dot1x system-auth-control enables 802.1X globally on a switch; access-session port-control auto (or authentication port-control auto) makes the port actively authenticate supplicants.
- aaa group server radius ISE-GRP defines a named RADIUS server group, and radius server ISE with address ipv4 defines an individual server entry.
- aaa authentication login default group tacacs+ local authenticates admins via TACACS+ with fallback to the local database if the server is unreachable.
- destination 10.0.0.50 under flow exporter EXP sends NetFlow records to the Secure Network Analytics (Stealthwatch) Flow Collector.
- Scale ISE with a distributed deployment: dedicated Policy Service Nodes (PSNs) placed near users, plus right-sized license tiers and purging of stale endpoints.
- Build NAC resiliency with multiple ISE/RADIUS servers in HA and a critical-authentication (critical VLAN/ACL) failover policy so a single PSN failure does not block authentication.
- Reduce RADIUS and telemetry load with authentication session caching, tuned reauthentication timers, flow deduplication, and sampled NetFlow on high-rate core links.
- ISE posture assessment with quarantine checks endpoint compliance (AV, patches, configuration) and places non-compliant devices in a remediation VLAN/dACL until they pass.
Cisco CCNP Security SCOR (350-701) exam tips
- Know the Cisco product portfolio by both current and legacy names: Secure Firewall (FTD/Firepower), Secure Endpoint (AMP), Secure Email (ESA), Secure Web Appliance (WSA), Secure Network Analytics (Stealthwatch), Secure Workload (Tetration), and Umbrella, since questions use either name.
- Be fluent in the CLI snippets: 802.1X (dot1x system-auth-control, access-session port-control auto, mab), AAA/RADIUS/TACACS+ groups, NetFlow exporters, crypto key generation, and IKEv2/IPsec show commands.
- For IPsec questions, separate IKE Phase 1 (peer auth, ISAKMP SA) from Phase 2 (IPsec SAs/ESP), and know DMVPN Phase 3 enables direct spoke-to-spoke tunnels.
- Distinguish RADIUS vs TACACS+ (network access vs device admin, combined vs separated AAA, UDP vs TCP, partial vs full payload encryption) - it is a recurring distractor pair.
- Expect scenario questions on cost, performance, and scaling (selective TLS decryption, flow offload, distributed PSNs/SWG PoPs, consumption licensing); pick the option that preserves security while reducing overhead, not the one that disables inspection.
Study guide FAQ
How many questions are on the SCOR 350-701 exam and what is the passing score?
The exam runs 120 minutes with roughly 90 to 110 questions, and the passing score is 825 on Cisco's 300-1000 scaled scoring. Cisco does not publish a fixed item count, so plan your pacing around the time limit, about a minute per question.
Does SCOR have a hands-on lab component?
No. SCOR 350-701 is a written exam (multiple-choice and other item formats) with no live lab. However, it tests configuration knowledge heavily, so you must recognize and interpret Cisco IOS/FTD/ISE CLI and understand expected output, even though you do not type commands.
What does passing SCOR earn me, and what comes next?
Passing SCOR alone earns the Cisco Certified Specialist - Security Core certification and is the qualifying core exam for both CCNP Security (pair it with one security concentration exam) and the CCIE Security written requirement.
How much should I focus on automation and programmability for this exam?
Automation is a smaller but real part of the blueprint embedded across domains: know REST API concepts, JSON data format, the difference between configuration management tools, and Cisco's use of APIs (for example FMC and ISE REST APIs) for security automation. It is not the largest domain, so prioritize network, content, and endpoint security first.