Free Demo Questions

Test Online Free Cisco 200-201 Exam Questions and Answers

Practice a live sample before buying full access. This page keeps the free 200-201 question set organized by page so visitors and search engines can reach the canonical -questions.html URL directly.

Updated Feb 02, 2026 53 Questions 4 Pages

Get 200-201 Full Access

Question 16 Selectable Answer

Refer to the exhibit.

What is occurring in this network traffic?

A. High rate of SYN packets being sent from a multiple source towards a single destination I
B. High rate of ACK packets being sent from a single source IP towards multiple destination IPs.
C. Flood of ACK packets coming from a single source IP to multiple destination IPs.
D. Flood of SYN packets coming from a single source IP to a single destination I

Answer:

Question 17 Selectable Answer

Refer to the exhibit.

Which type of attack is being executed?

A. SQL injection
B. cross-site scripting
C. cross-site request forgery
D. command injection

Answer:
Explanation:
Reference: https://www.w3schools.com/sql/sql_injection.asp

Question 18 Selectable Answer

What are the two characteristics of the full packet captures? (Choose two.)

A. Identifying network loops and collision domains.
B. Troubleshooting the cause of security and performance issues.
C. Reassembling fragmented traffic from raw data.
D. Detecting common hardware faults and identify faulty assets.
E. Providing a historical record of a network transaction.

Answer:

Question 19 Selectable Answer

1.An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network.
What is the impact of this traffic?

A. ransomware communicating after infection
B. users downloading copyrighted content
C. data exfiltration
D. user circumvention of the firewall

Answer:

Question 20 Selectable Answer

Which metric is used to capture the level of access needed to launch a successful attack?

A. privileges required
B. user interaction
C. attack complexity
D. attack vector

Answer:
Explanation:
Attack Vector ( AV) represents the level of access an attacker needs to have to exploit a vulnerability. It can assume four values: Network, Adjacent, Local and Physical.
Source: Official cert Guide Cisco CyberOps Associate CBROPS 200-201 Chapter7:
Introduction to Security Operations Management.

Question 21 Selectable Answer

A company is using several network applications that require high availability and responsiveness, such that milliseconds of latency on network traffic is not acceptable. An engineer needs to analyze the network and identify ways to improve traffic movement to minimize delays.
Which information must the engineer obtain for this analysis?

A. total throughput on the interface of the router and NetFlow records
B. output of routing protocol authentication failures and ports used
C. running processes on the applications and their total network usage
D. deep packet captures of each application flow and duration

Answer:

Question 22 Selectable Answer

The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?

A. Isolate the infected endpoint from the network.
B. Perform forensics analysis on the infected endpoint.
C. Collect public information on the malware behavior.
D. Prioritize incident handling based on the impact.

Answer:
Explanation:
refence: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

Question 23 Selectable Answer

What specific type of analysis is assigning values to the scenario to see expected outcomes?

A. deterministic
B. exploratory
C. probabilistic
D. descriptive

Answer:

Question 24 Selectable Answer

An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a successful session. Initial checks show that the remote server is not receiving an SYN-ACK while establishing a session by sending the first SYN.
What is causing this issue?

A. incorrect TCP handshake
B. incorrect UDP handshake
C. incorrect OSI configuration
D. incorrect snaplen configuration

Answer:
Explanation:
Reference: https://www.sciencedirect.com/topics/computer-science/three-way-handshake#:~:text=The%20TCP%20handshake,as%20shown%20in%20Figure%203.8

Question 25 Selectable Answer

Which type of data consists of connection level, application-specific records generated from network traffic?

A. transaction data
B. location data
C. statistical data
D. alert data

Answer:

Question 26 Selectable Answer

A threat actor penetrated an organization's network.
Using the 5-tuple approach, which data points should the analyst use to isolate the compromised host in a grouped set of logs?

A. event name, log source, time, source IP, and host name
B. protocol, source IP, source port, destination IP, and destination port
C. event name, log source, time, source IP, and username
D. protocol, log source, source IP, destination IP, and host name

Answer:
Explanation:
Reference: https://blogs.cisco.com/security/the-dreaded-5-tuple

Question 27 Selectable Answer

Refer to the exhibit.

During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP connection events.
Which technology provided these logs?

A. antivirus
B. proxy
C. IDS/IPS
D. firewall

Answer:

Question 28 Selectable Answer

What are the two differences between stateful and deep packet inspection? (Choose two)

A. Stateful inspection is capable of TCP state tracking, and deep packet filtering checks only TCP source and destination ports
B. Deep packet inspection is capable of malware blocking, and stateful inspection is not
C. Deep packet inspection operates on Layer 3 and 4. and stateful inspection operates on Layer 3 of the OSI model
D. Deep packet inspection is capable of TCP state monitoring only, and stateful inspection can inspect TCP and UD
E. Stateful inspection is capable of packet data inspections, and deep packet inspection is not

Answer:

Question 29 Selectable Answer

Refer to the exhibit.

Which type of log is displayed?

A. IDS
B. proxy
C. NetFlow
D. sys

Answer:
Explanation:
You also see the 5-tuple in IPS events, NetFlow records, and other event data. In fact, on the exam you may need to differentiate between a firewall log versus a traditional IPS or IDS event. One of the things to remember is that traditional IDS and IPS use signatures, so an easy way to differentiate is by looking for a signature ID (SigID). If you see a signature ID, then most definitely the event is a traditional IPS or IDS event.

Question 30 Selectable Answer

Which event is user interaction?

A. gaining root access
B. executing remote code
C. reading and writing file permission
D. opening a malicious file

Answer:

Current Exam

200-201

Cisco
Understanding Cisco Cybersecurity Operations Fundamentals

View Full 200-201 Package