Home/cisco/Free Cisco 200-201 Actual Exam Questions

Free Cisco 200-201 Actual Exam Questions

The questions for this exam were last updated on January 9, 2026

Dumps Box (DumpsBox) offers up-to-date practice exam questions for CBROPS 200-201 certification exam which are developed and validated by Cisco subject domain experts certified in Cisco 200-201 . These practice questions are update regularly as we keep an eye on any recent changes in CBROPS 200-201 syllabus, and when there is update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community based feedback keeps the content clean and current. Each question has helpful community discussion that provides it extra perspective and introduces helpful resources for better exam preparation. This also saves students from other outdated practice questions or illicit exam dumps that can have adverse affects on career. Browse through our Cisco 200-201 exam questions and pass your exam on first try.

Question No. 1
What is a difference between SIEM and SOAR?
Select one option, then reveal solution.
Top comments
EB
Ethan B.
2026-02-19

B/C? The question says "adjusted in response to threats," which sounds like a warning sign before anything actually happens, matching precursor. But initial event might also mean what sets the attack in motion, so trigger fits that too.

0
WV
Will V.
2026-02-14

C imo since the question says “initial event,” it points to the moment something actually kicks off, not just a warning or sign, so “trigger” fits better than “precursor.”

0
Question No. 2
What is the role of indicator of compromise in an investigation?
Select one option, then reveal solution.
Top comments
AN
Andre N.
2026-02-18

B imo, delivery usually means sending the payload, which isn’t happening here. So it can’t be B. It’s definitely before exploitation, so reconnaissance (C) still feels right.

0
FU
Farhan U.
2026-02-12

C vs A? The scan is definitely about gathering info, so it fits reconnaissance (C). Actions on objectives (A) usually means the attacker is already inside and doing their main goal, which this isn’t. Since it’s just scanning, not exploiting or delivering anything, C makes the most sense here.

0
Question No. 3
Which security model assumes an attacker within and outside of the network and enforces strict
verification before connecting to any system or resource within the organization?
Select one option, then reveal solution.
Top comments
SY
Shoaib Y.
2026-02-20

C. Labeling and recording evidence has to happen right when you collect it to make sure everything stays legit. If you wait until examination or reporting, there’s a risk the data could get mixed up or tampered with. Preservation starts from the moment you handle the evidence.

0
EB
Ethan B.
2026-02-15

It’s C for sure. Labeling and recording happen as soon as you collect the data; you can’t wait until examination or reporting without risking contamination or losing the chain of custody.

0
Question No. 4
Which of these describes SOC metrics in relation to security incidents?
Select one option, then reveal solution.
Top comments
AB
Ash B.
2026-02-19

C The source port 80 shows it's likely a server responding to the client at a high destination port, which matches common TCP behavior in web traffic.

0
AG
Amit G.
2026-02-14

Amit G. imo, option C fits better since port 80 is usually the server’s source port replying back, and the high port 49098 would be the client’s destination port in that case.

0
Question No. 5
Which type of data collection requires the largest amount of storage space?
Select one option, then reveal solution.
Top comments
RG
Rizwan G.
2026-02-06

Maybe B makes sense too because data normalization specifically targets cleaning and structuring data, which includes removing unwanted events to keep things consistent. D feels broader and less specific here.

0
RG
Rizwan G.
2026-02-04

I think D makes more sense because data protection is all about maintaining integrity, which includes removing faulty or corrupted IPS events. Not just cleaning like normalization, but actively safeguarding the data. D

0
Question No. 6
Which option describes indicators of attack?
Select one option, then reveal solution.
Top comments
II
Imran I.
2026-02-20

C/D? MAC is more about system or admin control, not owners, and DAC lets owners decide access. D sounds off since MAC isn’t just object-based but policy-based, so C seems clearer here.

0
II
Imran I.
2026-02-05

Maybe C makes sense too because MAC is generally enforced by the system or security policies set by administrators, not the owners themselves. DAC usually gives the owner control over permissions, which matches the idea that it’s less rigid and more user-driven. A is close but the way it phrases MAC being controlled by an administrator doesn’t fully capture that it’s enforced by the system or a central policy, so C seems like a clearer distinction here.

0
Question No. 7
What is the difference between deep packet inspection and stateful inspection?
Select one option, then reveal solution.
Top comments
AK
Adeel K.
2026-02-20

A/D? The private key is definitely not on the certificate, so A and C can be ruled out. Between B and D, B mentions cipher suites which aren’t in certs. So D seems like the only logical choice.

0
ZK
Zain K.
2026-02-05

D imo, the cert definitely has the public key and the CA info, plus the server’s identity like CN. Private keys or cipher suites wouldn’t be part of it, so D fits best.

0
Question No. 8
What is a scareware attack?
Select one option, then reveal solution.
Top comments
PR
Peter R.
2026-02-17

It’s D since the MAC table overflow clearly signals a MAC flooding attack here.

0
MD
Mohammad D.
2026-02-14

D imo, the key is the switch's MAC table being overwhelmed with fake addresses, which matches a MAC flooding attack. ARP or DNS cache poisoning wouldn’t cause this many MAC entries to appear.

0
Question No. 9
How does agentless monitoring differ from agent-based monitoring?
Select one option, then reveal solution.
Top comments
OG
Omar G.
2026-02-10

C makes sense since SYN_RECV backlog usually means a SYN flood attack underway.

0
SA
Shah A.
2026-02-04

Can someone confirm if SYN_RECV count is unusually high here? That’s key.

0
Question No. 10
Refer to the exhibit.
CBROPS 200-201 practice exam questions
An attacker scanned the server using Nmap.
What did the attacker obtain from this scan?
Select one option, then reveal solution.
Top comments
ZK
Zain K.
2026-02-22

Not B, using web apps doesn't prevent buffer overflows at all. Variable randomization (A) helps but mainly makes exploitation harder, so C really fits best since it stops bad input from causing overflow.

0
OU
Osama U.
2026-02-18

Makes sense to rule out B and D since web apps and OS choice alone don’t stop overflows. C seems solid because cleaning inputs directly stops buffer overflow attempts at the source. That’s my pick: C.

0
Question No. 11
What is the difference between the rule-based detection when compared to behavioral detection?
Select one option, then reveal solution.
Top comments
DF
David F.
2026-02-19

Makes sense to rule out A and B since those are more about specific activities, not the network impact. D feels right since TOR is mostly used to bypass firewalls, so I’d go with D.

0
PP
Peter P.
2026-02-16

D imo, TOR’s main use is to dodge restrictions like firewalls, so the primary impact is users bypassing security controls. While data exfiltration (C) is possible, the question seems more focused on the network-level effect rather than specific malicious activities. Since the alert flags TOR exit node traffic, it’s most likely highlighting someone going around firewall rules rather than an automatic sign of ransomware or copyright issues. Without explicit signs of data theft or malware, D fits best as the direct impact.

0
Question No. 12
How is NetFlow different from traffic mirroring?
Select one option, then reveal solution.
Top comments
SH
Saad H.
2026-02-14

It’s C for me. Even if spam is active, knowing how attackers gather info helps predict and block future campaigns earlier, making reconnaissance a key phase to disrupt planning and reduce spam effectiveness.

0
MX
Michael X.
2026-02-05

It’s B. If the spam’s actively coming through, cutting it off during delivery stops it from reaching users and reduces the chance of further infection or spreading.

0
Question No. 13
An analyst is investigating an incident in a SOC environment. Which method is used to identify a
session from a group of logs?
Select one option, then reveal solution.
Top comments
OF
Osama F.
2026-02-04

C, vulnerability is the weakness, risk is what happens if it’s exploited.

0
OF
Osama F.
2026-02-02

A seems off because it separates vulnerability as just entry points, missing that it’s about weaknesses. Risk definitely includes the chance something bad happens, not just the possibility of entry.

0
Question No. 14
Why is HTTPS traffic difficult to screen?
Select one option, then reveal solution.
Top comments
HT
Hassan T.
2026-02-20

D imo, since steganography hides data inside other files making it practically indecipherable without knowing where or how to look, even if you don’t have a key or password.

0
TN
Tom N.
2026-02-12

C, because neither fragmentation nor pivoting changes the data itself; only encryption actually scrambles it so you need a key to make sense of it.

0
Question No. 15
What is an advantage of symmetric over asymmetric encryption?
Select one option, then reveal solution.
Top comments
CJ
Chris J.
2026-02-14

D, because asking those questions is classic info gathering for manipulation.

0
II
Imran I.
2026-02-02

This sounds like D because it’s about manipulating someone into revealing info, no matter if they’re successful or not. D

0