Cisco Certified CyberOps Associate (200-201 CBROPS) Study Guide
The Cisco Certified CyberOps Associate (200-201 CBROPS) validates the foundational skills of an entry-level security operations center (SOC) analyst: understanding security concepts, monitoring network traffic, analyzing hosts, investigating intrusions, and following security policies and procedures. It targets aspiring Tier 1 analysts and blue-team defenders who monitor, detect, and respond to threats. The exam is defensive in focus, emphasizing detection frameworks, evidence handling, and structured incident response over offensive techniques.
Reviewed Jul 2026.
Domain 1: Security Concepts
- The CIA triad defines security goals: confidentiality protects data from unauthorized disclosure, integrity ensures data is not altered, and availability guarantees authorized users can access resources when needed.
- The CVSS Base score is split into an Exploitability sub-score (Attack Vector, Attack Complexity, Privileges Required, User Interaction) and an Impact sub-score (Confidentiality, Integrity, and Availability Impact).
- Privileges Required is a CVSS Base metric rated None, Low, or High that describes the access an attacker must already hold on the target before exploiting the vulnerability; Scope reflects whether exploitation affects resources beyond the vulnerable component.
- The CVSS Temporal metric group adjusts the Base score for factors that change over a vulnerability's life, such as Exploit Code Maturity, Remediation Level, and Report Confidence; the Environmental group reflects an individual organization's context.
- A vulnerability is a weakness (such as an unpatched library) that exists whether or not it is targeted; a threat is a potential danger, and an exploit is the actual method that takes advantage of the weakness.
- An attack vector is the path or method used to gain access or deliver a payload (for example phishing email or removable USB media), while the attack surface is the total set of exposed entry points.
- Reducing the attack surface means proactively removing unnecessary exposure by disabling unused services, closing open ports, and eliminating unneeded accounts, which shrinks the opportunities for an attacker.
- Malware types differ by behavior: a virus attaches to a host program and needs user execution to spread, a worm self-replicates across networks without a host, a trojan poses as legitimate software and does not self-replicate, and a rootkit hides its presence.
- Ransomware encrypts victim files and demands payment for the decryption key, a direct attack on availability and integrity.
- Threat actors range from low-skilled script kiddies who use existing tools for thrills or reputation, up to organized crime, hacktivists, insiders, and nation-state actors with greater resources and intent.
- Phishing variants scale by target: generic phishing casts wide, spear phishing targets specific individuals, and whaling targets high-value executives such as a CFO or CEO.
- Symmetric ciphers like AES and 3DES use one shared secret key for both encryption and decryption; asymmetric cryptography uses a public/private key pair.
- Ephemeral Diffie-Hellman (including elliptic-curve ECDHE) generates a fresh temporary key pair each session to provide forward secrecy, while a keyed-hash message authentication code (HMAC) combines a secret key with a hash to prove both integrity and authenticity.
- Network security controls have trade-offs: an inline IPS can block malicious traffic in real time but is a potential point of failure and latency, while a forward proxy hides internal client IPs and caches frequently requested content, and access models include MAC, DAC, RBAC, and ABAC.
Domain 2: Security Monitoring
- Security telemetry falls into data types including full packet capture, session data, transaction data, extracted content, alert data, and statistical data, each with different storage cost and investigative value.
- Statistical data (such as an average, baseline, or top-talkers report) is computed by analyzing other data rather than captured directly off the wire, while session data (for example a NetFlow record) summarizes a conversation with addresses, ports, protocol, and counters but no payload.
- Full packet capture stores complete payloads and consumes far more storage than payload-free session data; pairing an alert with the full packet capture lets an analyst confirm whether a rule match reflects genuinely malicious traffic.
- Extracted content is data carved directly out of the traffic stream, such as a recovered file or spreadsheet reassembled from captured packets.
- Statistical and alert data have the smallest footprint of the data types because both are brief computed or triggered records rather than per-packet or per-flow copies.
- Signature-based detection matches known patterns and misses novel attacks, while anomaly-based detection compares activity against a baseline and can flag previously unseen behavior that has no existing signature.
- Deep packet inspection (DPI) examines actual packet content but cannot meaningfully inspect encrypted payloads without decryption, and it adds processing overhead by examining every byte.
- Break-and-inspect (SSL/TLS decryption) appliances present their own certificate trusted via an installed CA so they can decrypt traffic for signature-based inspection, at the cost of added infrastructure and privacy considerations.
- TLS 1.3 encrypts the Certificate message, reducing the visibility that passive monitoring tools previously had into server certificate details.
- Encrypted traffic can still be analyzed without decryption using flow metadata, certificate reputation, and JA3 fingerprinting, which identifies a client application or malware family from the parameters in its TLS ClientHello.
- Log sources are categorized by origin: perimeter sources like NGFW session logs and IPS signature alerts log independent control decisions, while host-based sources like EDR telemetry and application/server logs are generated on the endpoint itself.
- Email security gateway logs record sender, recipient list, subject, and attachment metadata including cryptographic hashes, making them the authoritative source for scoping exactly who received a malicious message.
- Attackers hide command-and-control (C2) inside allowed protocols; DNS-based C2 delivers commands in TXT responses and returns results via crafted query names, and Tor hides the true client because the destination server only sees the exit relay's address.
- NetFlow and flow analysis reveal unusual outbound patterns such as regular low-volume connections indicative of beaconing or a heavily outbound-skewed byte ratio indicative of exfiltration, and typosquatting lookalike domains that substitute characters (such as a zero for the letter o) are commonly paired with phishing.
Domain 3: Host-Based Analysis
- The order of volatility dictates collecting the most fragile evidence first: CPU cache and registers, then RAM contents and active network state, before durable data like disk contents that survive longer.
- Endpoint detection and response (EDR) records detailed host telemetry across many event types to support retrospective investigation, while antivirus can be signature-based or behavioral, the latter flagging malicious runtime behavior even without a known signature.
- A host-based firewall enforces allowed ports, protocols, and remote addresses directly on the server, giving host-level control that persists even if the machine moves between networks.
- MITRE ATT&CK organizes adversary behavior into tactics and techniques and publishes separate matrices for enterprise IT, mobile, and industrial control systems; process injection is cataloged under defense evasion and privilege escalation.
- The Diamond Model of Intrusion Analysis links four core features of an event: adversary, capability, infrastructure, and victim.
- On Windows, the registry root HKEY_CURRENT_USER maps to the logged-on account's settings, and autostart persistence commonly lives in the CurrentVersion\Run key and the Services configuration key.
- Windows registry hives include the SAM hive, the Security Account Manager database of local accounts and password hashes.
- Key Windows security event IDs include 4624 (successful logon, with logon type and source), 1102 (the Security audit log was cleared), and process-creation events that record parent PID and command line to reveal parent-child relationships.
- On Linux, systemd is the init process running as PID 1 and is the ancestor of every other process; systemctl status <service> shows a unit's run state, main PID, and a tail of its journal entries in one view.
- Linux file permissions use chmod numeric notation where an optional leading digit sets special bits: 4 for SUID, 2 for SGID, and 1 for the sticky bit, so a mode like 4755 sets SUID on an executable.
- Linux investigative tools include lsof to list open files, ss to map sockets to processes, lsattr to reveal extended attributes like immutability, and chattr +i to set that immutable protection.
- A tampered /etc/hosts file can override DNS resolution by mapping a legitimate domain name to an attacker-controlled IP address.
- A running process object owns the address space, handles, and threads of a program; legitimate core Windows processes such as lsass.exe and svchost.exe are frequently mimicked or hollowed by malware.
- Sandboxing executes suspicious files in an isolated environment to observe behavior, complementing static analysis and hashing for malware triage.
Domain 4: Network Intrusion Analysis
- The Cyber Kill Chain phases progress from reconnaissance, weaponization, and delivery through exploitation, installation, command and control, to actions on objectives; periodic encrypted beaconing to an external host maps to the Command and Control phase.
- Beaconing malware checks in with its C2 server on a fixed timer, producing near-identical low-volume flows at consistent short intervals, a well-known flow-based indicator of C2.
- A heavily outbound-skewed byte ratio, where large volumes leave a host while little returns, is a strong indicator of data exfiltration, since normal browsing and downloads are inbound-heavy.
- Carrier-protocol tunneling smuggles C2 or data inside commonly permitted protocols; DNS tunneling and ICMP tunneling both abuse protocol fields to blend covert traffic with routine name resolution or diagnostics.
- TCP flags carry meaning during analysis: many unanswered SYNs to sequential ports (or many RST/ACK replies to one source) indicate a port scan, and the PSH flag tells the receiver to push buffered data to the application immediately.
- A vertical port scan targets many ports on one host, while a horizontal scan probes one port across many hosts; sequential unanswered SYNs to one target indicate vertical scanning.
- IP header fields identify traffic: the protocol field value 6 denotes TCP (17 denotes UDP), and matching a well-known port such as destination TCP/22 suggests the SSH service was targeted.
- Port numbers are only a convention, so inspecting the actual payload is the reliable way to confirm the true application-layer protocol in use.
- In IDS/IPS rules and logs, the value following the destination address (or after an arrow next to the destination IP, or the DPT field) specifies the destination port, and the destination IP plus destination port together identify exactly which host and service were targeted.
- NetFlow flows are unidirectional, so a single conversation produces two records, one for each direction of traffic.
- MITRE ATT&CK tactics apply to network events; gaining the first foothold via a malicious attachment maps to the Initial Access tactic.
- Event reconstruction relies on correlation: matching timestamps and identifiers across independent logs (for example a DNS query, its answer, and the subsequent HTTP session) strengthens confidence and attribution.
- Alert classification uses a confusion matrix: a true positive correctly flags genuinely malicious traffic, a false positive alerts on benign traffic, and a false negative misses a real threat.
- Deterministic analysis follows fixed rules to a definite conclusion, while probabilistic analysis uses a weighted, threshold-based scoring approach where the outcome depends on accumulated likelihood, and regular expressions parse artifacts where a bounded quantifier such as \d{1,3} matches one to three digits for an IP octet.
Domain 5: Security Policies and Procedures
- The NIST SP 800-61 incident response lifecycle has four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.
- Detection and Analysis work includes correlating alerts to confirm a real attack, determining scope and root cause, and assigning priority based on functional and informational impact, which shapes the containment strategy that follows.
- Post-Incident Activity, commonly called the lessons-learned phase, is a retrospective review meeting held after resolution to evaluate what worked, update documentation, and improve future response.
- An incident is a confirmed violation, or imminent threat of violation, of security policy that harms the confidentiality, integrity, or availability of information; active file encryption across many hosts qualifies, whereas a single blocked probe is only an event.
- A policy is a high-level statement of intent, while a playbook is a documented process for handling a specific incident type including decision points, roles, and granular details like OS-specific isolation commands and escalation contacts.
- SOC analysts work in tiers: Tier 1 performs initial triage of incoming alerts and escalates confirmed incidents, and when a Tier 1 analyst cannot determine an alert's disposition it is escalated to Tier 2 for deeper investigation.
- Program effectiveness is measured with metrics such as mean time to detect (MTTD) and mean time to respond (MTTR); reducing MTTD shortens attacker dwell time and limits damage, so a lower dwell time reflects stronger detection and response.
- Digital forensics requires working from a copy: create a bit-for-bit forensic image using a write blocker, generate cryptographic hashes (such as MD5 and SHA-256) of both original and image to prove they match, then analyze only the copy.
- Chain of custody is the chronological documentation of who handled a piece of evidence, when, and why, and it must be preserved with secure storage and labeling for as long as the evidence might be needed, even after a case closes.
- The order-of-volatility principle applies to evidence collection: volatile RAM contents, CPU cache, and registers are lost when a system loses power, so they must be collected before durable disk data.
- Regulations and frameworks scope compliance: GDPR protects the personal data and privacy rights of individuals in the EU (applying even to non-EU organizations that handle EU residents' data), and VERIS is a standardized schema for describing security incidents.
- Personally identifiable information (PII) is data that can identify an individual, such as a Social Security number, and becomes more sensitive when paired with biometric data like fingerprints.
- Incident response is cross-functional: Human Resources handles the disciplinary and employment aspects of an insider-threat case, alongside legal, management, and communications stakeholders.
- Mobile device management (MDM) supports a bring-your-own-device (BYOD) policy by enforcing corporate security controls on enrolled personal devices.
Cisco Certified CyberOps Associate (200-201 CBROPS) exam tips
- Memorize the CVSS Base metric groups cold: know which metrics belong to Exploitability (Attack Vector, Attack Complexity, Privileges Required, User Interaction) versus Impact (Confidentiality, Integrity, Availability), and how Temporal and Environmental adjust the Base score.
- Be able to classify a scenario into the correct security data type (session, full packet capture, transaction, extracted content, alert, statistical) by asking whether the data was captured off the wire or computed from other data.
- Know the mapping frameworks precisely: the Cyber Kill Chain phases, MITRE ATT&CK tactics/techniques, and the four Diamond Model features, and practice placing a described behavior into the right one.
- For host and network questions, memorize concrete identifiers: Windows event IDs (4624, 1102), protocol field values (6 = TCP, 17 = UDP), well-known ports, chmod special bits (4/2/1), and PID 1 = systemd.
- Lock in the NIST 800-61 incident response order and the order of volatility; questions frequently test which phase an activity belongs to and which evidence to collect first.
Study guide FAQ
Is the 200-201 CBROPS exam offensive or defensive in focus?
It is defensive and blue-team focused. The exam centers on monitoring, detection, and incident response from the perspective of an entry-level SOC analyst, using frameworks like CVSS, the Cyber Kill Chain, the Diamond Model, and the NIST incident response lifecycle.
How is the CBROPS exam structured and scored?
It is a 120-minute exam covering five domains: Security Concepts, Security Monitoring, Host-Based Analysis, Network Intrusion Analysis, and Security Policies and Procedures. The passing score is 750 on a 300-to-1000 scale, and it is the single exam required for the Cisco Certified CyberOps Associate certification.
What is the difference between an event and an incident?
An event is any observable occurrence in a system or network, most of which are benign. An incident is a confirmed violation, or imminent threat of violation, of security policy that harms the confidentiality, integrity, or availability of information, and it triggers the incident response process.
Do I need hands-on lab experience or programming to pass?
You do not need to write code, but you should be comfortable reading artifacts: interpreting logs, IDS/IPS rule syntax, simple regular expressions, NetFlow records, packet fields, and basic Windows and Linux command output. Practical familiarity with these formats makes the analysis questions much easier.