
100+ Free Cisco 300-215 CBRFIR Practice Questions

Pass your Cisco CBRFIR: Conducting Forensic Analysis and Incident Response Using Cisco Technologies for Cybersecurity (300-215) v1.2 exam on the first try — instant access, no signup required.

Key Facts: Cisco 300-215 CBRFIR Exam (2026 Statistics)

  • Exam Questions: ~55-65 (Cisco 300-215 CBRFIR)
  • Exam Duration: 90 min (Cisco)
  • Approximate Cut Score: ~825/1000 (Cisco scaled scoring)
  • Exam Fee: $300 (Cisco / Pearson VUE)
  • Level: Professional, CyberOps Concentration (Cisco CyberOps Professional)
  • Certification Validity: 3 years (Cisco recertification cycle)

The Cisco 300-215 CBRFIR exam has approximately 55-65 questions delivered in 90 minutes with a $300 USD fee at Pearson VUE. Cisco does not publish a fixed passing percentage; scoring is scaled with the practical cut score commonly cited around 825/1000. Domains: Fundamentals (20%), Forensics Techniques (20%), Incident Response Techniques (30%), Forensics Processes (15%), and Incident Response Processes (15%). It is one of two CyberOps Professional concentration exams — passing 300-215 plus 350-201 CBRCOR earns the Cisco CyberOps Professional certification and the Cisco Certified Specialist - CyberOps Forensic Analysis and Incident Response badge, valid for 3 years.

Sample Cisco 300-215 CBRFIR Practice Questions

Try these sample questions to test your Cisco 300-215 CBRFIR exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. According to the order of volatility (RFC 3227), which data source must be collected FIRST during live response on a running host?
A. Contents of physical disk
B. Routing tables and ARP cache
C. CPU registers and cache
D. System log files on disk
Explanation: RFC 3227 defines the order of volatility from most to least volatile. CPU registers and cache are the most volatile and disappear first, so they must be captured before RAM, network state, processes, files, and disk. Disk artifacts persist and are collected last.

2. Which of the following is a NON-volatile data source on a typical Windows endpoint?
A. Process list in RAM
B. TCP connection table
C. NTFS Master File Table on disk
D. ARP cache
Explanation: The NTFS Master File Table (MFT) is stored on the disk volume and persists across reboots, making it non-volatile. Process lists, TCP tables, and ARP caches all live in kernel memory and are lost when the host powers off.

3. An analyst needs to determine which programs were recently executed on a Windows 10 endpoint, even after the user deleted them. Which artifact should be examined?
A. Prefetch files in C:\Windows\Prefetch
B. Recycle Bin in C:\$Recycle.Bin
C. Hosts file in C:\Windows\System32\drivers\etc
D. pagefile.sys in C:\
Explanation: Windows Prefetch (.pf) files are written to C:\Windows\Prefetch when an executable runs and record the path, run count, and last eight run timestamps. They persist after the executable is deleted and are a primary execution artifact for IR.

4. Which Windows registry hive contains user-specific configuration such as Run keys and recently opened documents?
A. HKEY_LOCAL_MACHINE
B. HKEY_CURRENT_USER
C. HKEY_CLASSES_ROOT
D. HKEY_PERFORMANCE_DATA
Explanation: HKEY_CURRENT_USER (HKCU) is loaded from NTUSER.DAT and holds the active user's profile, including Software\Microsoft\Windows\CurrentVersion\Run, RecentDocs, and ComDlg32 keys used to track per-user activity.

5. Which NTFS metadata file records all transactions to the volume and is used to roll back partially completed operations after a crash?
A. $MFT
B. $LogFile
C. $UsnJrnl
D. $Bitmap
Explanation: $LogFile is the NTFS transactional log used by the file system to roll back or commit metadata operations after a crash. $MFT stores file metadata, $UsnJrnl tracks higher-level change notifications, and $Bitmap tracks cluster allocation.

6. Which Linux file contains a per-user list of commands previously typed at the bash shell?
A. /var/log/syslog
B. ~/.bash_history
C. /etc/passwd
D. /proc/self/cmdline
Explanation: Bash writes per-user command history to ~/.bash_history (file path controlled by HISTFILE). It is a high-value artifact for showing what an attacker ran interactively, although attackers commonly clear it or set HISTFILE=/dev/null.

7. On a modern macOS system using APFS, which database records every Spotlight-indexed file system event such as create, rename, and delete?
A. FSEvents
B. KnowledgeC.db
C. Quarantine.db
D. syslog.archive
Explanation: FSEvents (stored under /.fseventsd) is a per-volume database that records every file system event — create, modify, rename, delete — and is a primary timeline source for macOS forensics. KnowledgeC.db tracks application activity, not raw file events.

8. An attacker uses a stolen administrative credential to log on to multiple servers via SMB shares using PsExec. Which MITRE ATT&CK technique BEST describes this lateral movement?
A. T1566 Phishing
B. T1021 Remote Services
C. T1486 Data Encrypted for Impact
D. T1078 Valid Accounts
Explanation: T1021 Remote Services covers movement using legitimate remote-access protocols such as SMB/Windows Admin Shares (T1021.002), RDP (T1021.001), and SSH. PsExec uses SMB and the ADMIN$ share to copy and execute a service binary on the target.

9. Which MITRE ATT&CK technique is associated with adversaries adding a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence?
A. T1547 Boot or Logon Autostart Execution
B. T1068 Exploitation for Privilege Escalation
C. T1027 Obfuscated Files or Information
D. T1486 Data Encrypted for Impact
Explanation: T1547 covers persistence via boot or logon autostart, with sub-technique T1547.001 specifically dedicated to Registry Run Keys / Startup Folder. Run keys execute their value at user logon, which is why they remain a top persistence artifact.

10. An adversary compresses a malicious payload, base64-encodes it, and embeds it inside a PowerShell EncodedCommand. Which MITRE ATT&CK technique covers this behavior?
A. T1027 Obfuscated Files or Information
B. T1021 Remote Services
C. T1078 Valid Accounts
D. T1003 OS Credential Dumping
Explanation: T1027 (Obfuscated Files or Information) is the defense-evasion technique that includes encoding, encryption, packing, and steganography to hide payloads from static detection. Base64 + compressed PowerShell is the canonical example.

About the Cisco 300-215 CBRFIR Exam

Cisco 300-215 CBRFIR (Conducting Forensic Analysis and Incident Response Using Cisco Technologies for Cybersecurity) is a CyberOps Professional concentration exam. It validates the ability to apply digital forensics fundamentals, OS internals (Windows, Linux, macOS), and MITRE ATT&CK to incident response; perform disk and memory acquisition with FTK Imager, dd, and LiME; analyze memory with Volatility (pslist, psscan, netscan, malfind, mftparser); build super-timelines with Plaso/log2timeline; parse browser, registry, and event log artifacts; capture and analyze packets with Wireshark and tcpdump; cover mobile and cloud forensics fundamentals; lead IR triage, scoping, containment, eradication, and recovery using Cisco Secure Endpoint, Cisco XDR, and SecureX/XDR Automation; and apply NIST SP 800-86 forensic methodology and NIST SP 800-61r2 incident response lifecycle from preparation through post-incident review.

  • Questions: 100 scored questions
  • Time Limit: 90 minutes
  • Passing Score: Cisco does not publish a fixed passing score (scaled scoring; commonly cited ~825/1000)
  • Exam Fee: $300 (Cisco / Pearson VUE)

Cisco 300-215 CBRFIR Exam Content Outline

Fundamentals (20%)

Forensic and IR concepts/definitions, RFC 3227 order of volatility, volatile vs non-volatile data, Windows internals (Registry HKLM/HKCU/HKCR, NTFS $MFT/$LogFile/$UsnJrnl, VSS, Prefetch, ShellBags, AmCache, ShimCache), Linux internals (procfs, sysfs, journald, audit.log, bash_history, .ssh artifacts), macOS internals (HFS+/APFS, FSEvents, KnowledgeC.db, Quarantine, Unified Logs), MITRE ATT&CK techniques (T1021 lateral movement, T1547 persistence, T1068 privilege escalation, T1027 defense evasion), evidence preservation, chain of custody, and legal considerations (search warrant, consent, plain view)

Forensics Techniques (20%)

Disk imaging (FTK Imager E01/DD/S01, dd with conv=noerror,sync), memory acquisition (LiME, WinPmem, Magnet RAM Capture), Volatility 3 plugins (pslist, psscan, netscan, malfind, dlllist, hashdump, mftparser, timeliner), Plaso/log2timeline super-timelines, browser artifacts (Chrome History, Firefox places.sqlite, IE/Edge ESE), registry parsing with RegRipper, Windows event IDs (4624, 4625, 4688, 4720, 4769), Sysmon (EID 1/3/7/11/13/19-21), Wireshark display filters (http.request.method, tls.handshake.type, dns.qry.name), tcpdump BPF expressions, mobile (iOS sandbox + APFS, Android Debug Bridge, GrayKey), cloud (AWS CloudTrail, Azure Activity Log, GCP Audit Logs, snapshot acquisition)

Incident Response Techniques (30%)

Initial triage and scoping, containment (network segmentation, quarantine VLAN, ISE CoA, host isolation via Cisco Secure Endpoint), eradication (rootkit removal, attacker account/persistence cleanup, image reinstall), recovery (validation, monitoring), Cisco Secure Endpoint Investigation (Orbital live osquery), Cisco Talos IOC enrichment, Cisco XDR unified investigation, SecureX/XDR Automation playbooks, threat hunting in Splunk SPL (4624/4625/4688/4769, Sysmon EID 1/7/13/19-21), Stealthwatch ETA, Umbrella + Investigate DNS hunting, IOC vs IOA development and dissemination (STIX/TAXII), lateral movement (T1021), persistence (T1547), privilege escalation (T1068), credential access (T1003.001 LSASS, T1003.002 SAM, Kerberoasting at 4769)

Forensics Processes (15%)

NIST SP 800-86 forensic methodology phases (Collection, Examination, Analysis, Reporting), defensible report writing with reproducibility and contemporaneous notes, Executive Summary versus Technical Findings, working with Legal/HR on internal investigations, evidence handling, hashing (MD5/SHA-256), chain-of-custody documentation including date/time/evidence ID/releaser/recipient/reason, legal hold and spoliation, admissibility considerations

Incident Response Processes (15%)

NIST SP 800-61r2 lifecycle (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity), CSIRT structure and staffing models (insourced, hybrid, outsourced), Incident Commander and Communications Lead roles, stakeholder communication and reporting cadence (hourly/twice-daily during high-severity), tabletop exercises versus red/purple team engagements, post-incident review and lessons-learned reports with named owners and due dates, MTTD/MTTC/MTTR metrics, threat intelligence integration into IR (Talos, STIX/TAXII)

How to Pass the Cisco 300-215 CBRFIR Exam

What You Need to Know

  • Passing score: Cisco does not publish a fixed passing score (scaled scoring; commonly cited ~825/1000)
  • Exam length: 100 questions
  • Time limit: 90 minutes
  • Exam fee: $300

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Cisco 300-215 CBRFIR Study Tips from Top Performers

1. Memorize the RFC 3227 order of volatility (CPU registers and cache, RAM, network state, processes, file system, removable media, archival) — the exam tests it directly
2. Know the NIST SP 800-86 four phases (Collection, Examination, Analysis, Reporting) and NIST SP 800-61r2 four phases (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity) cold
3. Map common Windows event IDs to the IR scenario: 4624 logon, 4625 failed logon, 4688 process creation, 4720 user created, 4769 Kerberos service ticket (Kerberoasting indicator)
4. Learn the canonical Volatility 3 plugins for memory triage: pslist, psscan (for hidden processes), netscan, malfind (process injection), dlllist, hashdump, mftparser, timeliner
5. Understand Cisco Secure product naming changes: Secure Endpoint = formerly AMP, Stealthwatch = Secure Network Analytics, Cisco XDR has absorbed SecureX threat response and orchestration
6. Practice Wireshark display filters (http.request.method == "POST", tls.handshake.type, dns.qry.name) and tcpdump BPF (tcp port 443 and host 10.1.1.1) — both are common scenario items
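The event-ID-to-scenario mapping in tip 3 (and the Splunk hunting items in the Incident Response Techniques domain) is easier to retain once you have written it as detection logic. The Python below is an added example, not from this page or from Cisco, run over constructed Security event records; it assumes events already parsed into the fields TargetUserName, IpAddress and TicketEncryptionType, and treats a burst of RC4-HMAC (0x17) 4769 requests from one source as the Kerberoasting indicator the tip refers to.

```python
# Added example: triage of Windows Security event IDs (4625/4624/4769)
# over constructed records; not page or vendor code.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed values)
    event_id: int      # Windows Security event ID
    user: str          # TargetUserName
    src_ip: str        # IpAddress
    enc_type: int = 0  # TicketEncryptionType, 4769 only (0x17 = RC4-HMAC)


# Constructed sample records, not real telemetry.
SAMPLE = [
    Event(100, 4625, "svc-backup", "10.1.1.50"),
    Event(110, 4625, "svc-backup", "10.1.1.50"),
    Event(120, 4625, "svc-backup", "10.1.1.50"),
    Event(130, 4625, "svc-backup", "10.1.1.50"),
    Event(140, 4624, "svc-backup", "10.1.1.50"),   # success after failures
    Event(200, 4625, "alice", "10.1.1.7"),          # single typo, benign
    Event(300, 4769, "svc-sql", "10.1.1.50", 0x17),
    Event(301, 4769, "svc-web", "10.1.1.50", 0x17),
    Event(302, 4769, "svc-ftp", "10.1.1.50", 0x17),
    Event(305, 4769, "fileserver", "10.1.1.7", 0x12),  # AES256, normal
]


def brute_force_success(events, min_failures=3, window=300):
    """(user, src_ip) pairs with >= min_failures 4625 events within
    `window` seconds before a 4624 success from the same source."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.user, e.src_ip)
        if e.event_id == 4625:
            failures[key].append(e.ts)
        elif e.event_id == 4624:
            recent = [t for t in failures[key] if e.ts - t <= window]
            if len(recent) >= min_failures and key not in hits:
                hits.append(key)
    return hits


def kerberoast_sources(events, min_rc4=3):
    """Source IPs requesting >= min_rc4 distinct RC4 (0x17) service tickets."""
    counts = defaultdict(set)
    for e in events:
        if e.event_id == 4769 and e.enc_type == 0x17:
            counts[e.src_ip].add(e.user)   # distinct SPN accounts per source
    return sorted(ip for ip, spns in counts.items() if len(spns) >= min_rc4)
```

On real data the thresholds and window are tuned per environment, and a 4769 burst is confirmed against the SPN accounts' normal ticket requesters before it is escalated.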

Frequently Asked Questions

What is the Cisco 300-215 CBRFIR exam?

Cisco 300-215 CBRFIR (Conducting Forensic Analysis and Incident Response Using Cisco Technologies for Cybersecurity) is a CyberOps Professional concentration exam (v1.2). It validates digital forensics, incident response, and threat hunting skills using NIST SP 800-86, NIST SP 800-61r2, MITRE ATT&CK, and the Cisco Secure portfolio (Secure Endpoint, XDR, Umbrella, Stealthwatch, Talos).

How many questions are on the 300-215 exam?

The Cisco 300-215 CBRFIR exam has approximately 55-65 questions delivered in 90 minutes. Question types include multiple choice (single and multiple response), drag-and-drop, and scenario-based items. Cisco does not publish the exact item count per exam form.

What is the passing score for Cisco 300-215?

Cisco does not publish an exact passing percentage for 300-215. Cisco professional exams are scored on a 300-1000 scale with the practical cut score commonly reported around 825/1000. Cisco may adjust cut scores between forms based on item difficulty.

How much does the Cisco 300-215 exam cost?

The Cisco 300-215 CBRFIR exam costs $300 USD at Pearson VUE. The exam can be taken at a physical Pearson VUE test center or online via OnVUE proctored delivery. Local pricing and taxes may apply.

What certification does 300-215 earn?

Passing 300-215 alone earns the Cisco Certified Specialist - CyberOps Forensic Analysis and Incident Response badge. Combined with 350-201 CBRCOR (the CyberOps Professional core exam), it earns the full Cisco CyberOps Professional certification, valid for 3 years.

How long should I study for Cisco 300-215?

Plan for 80-160 hours of focused study over 2-4 months. Core resources: official Cisco CBRFIR exam topics, the Cisco CBRFIR course (or Cisco U. learning path), NIST SP 800-86 and 800-61r2, MITRE ATT&CK, hands-on with Volatility, FTK Imager, dd, LiME, Wireshark/tcpdump, and Cisco XDR/Secure Endpoint/Umbrella/Stealthwatch. Aim for 85%+ on full-length mocks before scheduling.

What domains and weights are on the 300-215 exam?

The five 300-215 domains are: Fundamentals 20%, Forensics Techniques 20%, Incident Response Techniques 30%, Forensics Processes 15%, and Incident Response Processes 15%. Incident Response Techniques is the largest single domain — focus heavily on Cisco Secure Endpoint, Cisco XDR, threat hunting with MITRE ATT&CK, and IOC/IOA development.