100+ Free Cisco 350-201 CBRCOR Practice Questions

Pass your Cisco CBRCOR: Performing CyberOps Using Cisco Security Technologies (350-201) v1.2 exam on the first try — instant access, no signup required.


Key Facts: Cisco 350-201 CBRCOR Exam

  • Exam Questions: ~90-110 (Cisco 350-201 CBRCOR)
  • Exam Duration: 120 min (Cisco)
  • Approximate Cut Score: ~825/1000 (Cisco scaled scoring, not officially published)
  • Exam Fee: $400 (Cisco / Pearson VUE)
  • Level: Professional (CyberOps Core) - Cisco CyberOps Professional
  • Certification Validity: 3 years (Cisco recertification cycle)

The Cisco 350-201 CBRCOR (v1.2) is the core exam of the Cisco CyberOps Professional certification track. The exam runs 120 minutes with approximately 90-110 questions and a $400 USD fee through Pearson VUE; Cisco does not publish a passing score, but the practical cut score is commonly reported around 825/1000. Domains: Fundamentals (20%), Techniques (30%), Processes (30%), and Automation (20%) covering MITRE ATT&CK, NIST 800-61, Cisco XDR/SecureX, SIEM/EDR/NDR operations, threat hunting, malware analysis, and SOAR. Pairing CBRCOR with one concentration exam (300-215 CBRFIR or 300-220 CBRTHD) earns the CyberOps Professional certification, valid for 3 years.

Sample Cisco 350-201 CBRCOR Practice Questions

Try these sample questions to test your Cisco 350-201 CBRCOR exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which element of the CIA triad is directly violated when an attacker successfully decrypts and reads sensitive data from a stolen backup tape?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Explanation: Confidentiality ensures information is disclosed only to authorized parties. When an attacker reads sensitive data they should not have access to, confidentiality is broken. The data has not been altered (integrity) and remains accessible to legitimate users (availability), so only confidentiality is impacted.

2. Risk in the classic SOC formulation is most commonly expressed as which relationship?
A. Risk = Threat + Vulnerability
B. Risk = Threat x Vulnerability x Asset Value
C. Risk = Likelihood / Impact
D. Risk = Vulnerability - Mitigation
Explanation: Most SOC and risk-management bodies of knowledge express risk as a multiplicative function of threat (likelihood of an event), vulnerability (the weakness that allows the event), and asset value (impact). All three factors must be present and non-zero to produce meaningful risk.

3. Which NIST Cybersecurity Framework function is responsible for developing and implementing the activities required to take action regarding a detected cybersecurity event?
A. Identify
B. Protect
C. Detect
D. Respond
Explanation: The Respond function covers response planning, communications, analysis, mitigation, and improvements once an event is detected. Identify, Protect, and Detect occur before an event is confirmed, while Recover follows the response activities.

4. An organization installs a web application firewall (WAF) in front of its public site to block SQL injection attempts. Which control category does this BEST represent?
A. Detective
B. Corrective
C. Preventive
D. Deterrent
Explanation: Preventive controls stop an incident from occurring. A WAF that blocks malicious requests before they reach the web server prevents the attack from succeeding. While the WAF also logs and detects, its primary function in this scenario is to prevent.

5. Within the MITRE ATT&CK framework, what is the relationship between a tactic and a technique?
A. A tactic is a specific tool; a technique is the platform it runs on
B. A tactic is the adversary's goal; a technique is how the goal is achieved
C. A tactic is a sub-step of a technique
D. A tactic and technique are synonyms in ATT&CK
Explanation: ATT&CK uses tactics (TA####) to describe the adversary's why or goal at a phase (e.g., TA0001 Initial Access), and techniques (T####) to describe the how (e.g., T1566 Phishing). Sub-techniques (T####.###) further refine techniques.

6. Which Cyber Kill Chain phase covers an adversary establishing a persistent foothold by deploying malware that maintains presence across reboots?
A. Delivery
B. Exploitation
C. Installation
D. Command and Control
Explanation: The Installation phase of the Lockheed Martin Cyber Kill Chain is where the adversary installs malware that persists on the target. Exploitation triggered the code, but Installation is the step that establishes persistence (e.g., service, scheduled task, registry Run key).

7. In the Diamond Model of Intrusion Analysis, the four core features are Adversary, Capability, Infrastructure, and Victim. Which feature would a registered C2 domain BEST map to?
A. Adversary
B. Capability
C. Infrastructure
D. Victim
Explanation: Infrastructure represents the physical or logical resources (domains, IPs, drop sites, email accounts) used by the adversary to deliver capabilities. A C2 domain is a classic infrastructure indicator.

8. A SOC analyst opens a ticket for a single failed login from a known administrator from a corporate-managed laptop on the company VPN. Which incident classification is MOST appropriate?
A. Critical confirmed compromise
B. False positive / informational
C. Malware outbreak
D. Insider threat
Explanation: A single failed login from a known admin on a managed device using corporate VPN is routine noise and most accurately classified as informational/false-positive at triage. Incident classification helps the SOC prioritize true incidents over benign events.

9. Which SOC role is primarily responsible for tuning detection rules, building correlation logic, and reducing false positives over time?
A. Tier 1 SOC analyst
B. Detection engineer
C. Threat hunter
D. SOC manager
Explanation: Detection engineers translate threat hunting outcomes, intel, and ATT&CK techniques into durable, version-controlled detections (Sigma, Splunk, Cisco XDR/SecureX rules) and continuously tune them. Tier 1 triages alerts, hunters search for unknowns, and managers oversee operations.

10. Which control type is BEST illustrated by an isolated network segment used for an unpatched legacy server that cannot be remediated?
A. Detective
B. Corrective
C. Compensating
D. Deterrent
Explanation: Compensating controls reduce risk when the primary control (patching) cannot be implemented. Network isolation around an unpatched legacy server compensates for the missing patch. Compensating controls are formally recognized in PCI DSS and ISO 27001.

About the Cisco 350-201 CBRCOR Exam

Cisco 350-201 CBRCOR (Performing CyberOps Using Cisco Security Technologies) is the core exam for the Cisco CyberOps Professional certification. It validates a SOC operator's ability to apply cybersecurity fundamentals (CIA, risk, NIST CSF, MITRE ATT&CK, Cyber Kill Chain, Diamond Model, control types), execute techniques (threat hunting, hardening, SIEM/EDR/NDR operations, microsegmentation, threat intelligence, AI-powered analytics, cloud-native security), follow disciplined processes (STRIDE/PASTA threat modeling, static and dynamic malware analysis, digital forensics, CVSS/EPSS-based vulnerability triage, NIST 800-61 incident response lifecycle, chain of custody), and automate the SOC (SOAR playbooks, Cisco SecureX/XDR orchestration, REST APIs, Python, STIX/TAXII, DevSecOps SAST/DAST/SCA).

  • Assessment: Approximately 90-110 multiple-choice, drag-and-drop, and scenario items in 120 minutes covering Fundamentals (20%), Techniques (30%), Processes (30%), and Automation (20%)
  • Time Limit: 120 minutes
  • Passing Score: Variable cut score (Cisco does not publish; commonly cited ~825/1000)
  • Exam Fee: $400 (Cisco / Pearson VUE)

Cisco 350-201 CBRCOR Exam Content Outline

Fundamentals (20%)

Cybersecurity ops concepts and the CIA triad, risk = threat x vulnerability x asset value, ALE/SLE/ARO risk metrics, SOC tools (SIEM, EDR, NDR, TIP) and roles, incident classification + prioritization, attack frameworks (MITRE ATT&CK tactics/techniques/sub-techniques, Cyber Kill Chain, Diamond Model), security control types (preventive, detective, corrective, compensating, deterrent), and NIST CSF Identify/Protect/Detect/Respond/Recover

Techniques (30%)

Threat hunting hypotheses + methodology (hypothesis-driven, IoA-based, TTP-based), hardening machine images (CIS Benchmarks for Linux/Windows/macOS, container hardening with rootless/distroless/read-only fs, Kubernetes NetworkPolicy), security posture via SIEM (Splunk, QRadar), EDR (Cisco Secure Endpoint, CrowdStrike, SentinelOne), NDR (Cisco Secure Network Analytics, formerly Stealthwatch, with ETA; Darktrace), segmentation + microsegmentation (Cisco Secure Workload, formerly Tetration; Illumio), TIPs (MISP, Anomali, ThreatConnect), IoC vs IoA indicators, AI-powered analytics + anomaly detection, and cloud-native security (CSPM, CWPP, CIEM, CASB) plus serverless considerations

Processes (30%)

Threat modeling (STRIDE - Spoofing/Tampering/Repudiation/Info Disclosure/DoS/Elevation; PASTA 7-stage), static malware analysis (binary disassembly, strings, PE/ELF, entropy/packing) + dynamic malware analysis (sandbox, Cisco Secure Malware Analytics, formerly ThreatGrid), endpoint intrusion investigation + digital forensics (Volatility memory forensics, FTK/EnCase disk forensics, RFC 3227 order of volatility, Prefetch, MRU, Jump Lists), vulnerability triage + prioritization (CVSS v3.1 Base/Temporal/Environmental, EPSS), NIST 800-61 IR lifecycle (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity), chain of custody documentation + SHA-256 hashing for evidence preservation

Automation (20%)

SOAR concepts + playbook design with human-on-the-loop guardrails, Cisco SecureX ribbon + workflows, Cisco XDR (renamed/expanded SecureX in 2024) orchestration, REST API integration (OAuth 2.0 client_credentials, bearer tokens, scopes, HTTP 429 backoff), Python scripting for IR (requests, json, ldap3, paramiko), common data formats (STIX 2.1 JSON, TAXII 2.1 collections, JSON, YAML), and DevSecOps pipeline integration (SAST, DAST, SCA, IAST, Sigma detection-as-code, IaC scanning, secrets management)
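The REST API integration items in the Automation domain (OAuth 2.0 client_credentials, bearer tokens, scopes, HTTP 429 backoff) in one runnable Python sketch. This is an added example, not code from this page or from Cisco; the token URL, API URL and scope name are hypothetical placeholders, and the HTTP transport is a constructed fake that returns a token, rate-limits the first two GETs with a Retry-After header, and then answers, so the whole flow runs offline.

```python
"""Added example (not from the page or any vendor SDK): OAuth 2.0
client_credentials token fetch plus bearer-token API calls with HTTP 429
backoff that honours Retry-After. Endpoints and scope are hypothetical
placeholders; the transport is a constructed fake so this runs offline."""
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

# Hypothetical placeholder endpoints (not a real vendor API)
TOKEN_URL = "https://api.example.invalid/oauth2/token"
API_URL = "https://api.example.invalid/v1/indicators"

# transport(method, url, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]],
                     Tuple[int, Dict[str, str], bytes]]


def get_token(transport: Transport, client_id: str, client_secret: str, scope: str) -> str:
    """client_credentials grant: the client authenticates with HTTP Basic and requests a scope."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = f"grant_type=client_credentials&scope={scope}".encode()
    status, _, resp = transport("POST", TOKEN_URL, headers, body)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(resp)["access_token"]


def backoff_delay(attempt: int, retry_after: Optional[str],
                  base: float = 1.0, cap: float = 30.0) -> float:
    """Seconds to wait before retrying: Retry-After wins if parseable, else capped exponential."""
    if retry_after is not None:
        try:
            return min(float(retry_after), cap)
        except ValueError:
            pass  # malformed header: fall back to exponential backoff
    return min(base * (2 ** attempt), cap)


def get_with_backoff(transport: Transport, token: str, url: str, max_attempts: int = 5,
                     sleep: Callable[[float], None] = time.sleep) -> dict:
    """GET with a bearer token; retries on 429/5xx, fails fast on 401 (a token problem, not load)."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    for attempt in range(max_attempts):
        status, resp_headers, body = transport("GET", url, headers, None)
        if status == 429 or status >= 500:
            sleep(backoff_delay(attempt, resp_headers.get("Retry-After")))
            continue
        if status == 401:
            raise PermissionError("token rejected; obtain a new one before retrying")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status}")
        return json.loads(body)
    raise RuntimeError(f"gave up after {max_attempts} rate-limited/failed attempts")


def make_fake_transport(rate_limit_hits: int = 2):
    """Constructed offline transport: issues a token, then 429s the first N authenticated GETs."""
    state = {"gets": 0}

    def transport(method, url, headers, body):
        if method == "POST" and url == TOKEN_URL:
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, {}, b""
            return 200, {}, json.dumps({"access_token": "tok-123", "expires_in": 3600}).encode()
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, {}, b""
        state["gets"] += 1
        if state["gets"] <= rate_limit_hits:
            return 429, {"Retry-After": "2"}, b""
        # constructed sample payload
        return 200, {}, json.dumps({"indicators": ["198.51.100.7", "c2.example.invalid"]}).encode()

    return transport, state


def demo():
    """Runs the whole flow offline; returns (payload, delays slept, GET count) for inspection."""
    transport, state = make_fake_transport(rate_limit_hits=2)
    delays = []
    token = get_token(transport, "soc-bot", "placeholder-secret", "indicators:read")
    data = get_with_backoff(transport, token, API_URL, sleep=delays.append)
    return data, delays, state["gets"]


if __name__ == "__main__":
    print(demo())
```

In production the `transport` would wrap `requests` or `urllib` and `sleep` would stay as `time.sleep`; the point of the split is that the retry policy (honour Retry-After, cap the wait, never retry a 401 as if it were load) is plain logic that can be unit-tested without a network.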

How to Pass the Cisco 350-201 CBRCOR Exam

What You Need to Know

  • Passing score: Variable cut score (Cisco does not publish; commonly cited ~825/1000)
  • Assessment: Approximately 90-110 multiple-choice, drag-and-drop, and scenario items in 120 minutes covering Fundamentals (20%), Techniques (30%), Processes (30%), and Automation (20%)
  • Time limit: 120 minutes
  • Exam fee: $400

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Cisco 350-201 CBRCOR Study Tips from Top Performers

1. Memorize the CIA triad and the five security control types (preventive, detective, corrective, compensating, deterrent) cold - they appear in many distractor patterns
2. Drill the NIST 800-61 IR lifecycle in order: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity - the third bucket is grouped together on the exam
3. Know Cisco product renames: Stealthwatch -> Secure Network Analytics, AMP -> Secure Endpoint, ThreatGrid -> Secure Malware Analytics, Tetration -> Secure Workload, SecureX -> Cisco XDR (2024)
4. Master MITRE ATT&CK fluency: tactics (TA####) are the why, techniques (T####) are the how, sub-techniques (T####.###) refine techniques - know T1566 Phishing, T1059 Scripting, T1003 Credential Dumping, T1055 Process Injection
5. Combine CVSS v3.1 (Base/Temporal/Environmental) with EPSS (daily exploit probability) when triaging vulnerabilities - CVSS alone is insufficient for prioritization
6. Automate read-only enrichment fully but keep destructive actions (account disable, host wipe, mass password reset) gated behind human approval - this is the canonical SOAR design pattern
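The SOAR design pattern from the last tip (run read-only enrichment automatically, gate destructive actions behind human approval) as a small Python playbook runner. This is an added example, not code from this page or from any SOAR product; the alert fields, the action names, the threat-intel table and the asset inventory are all constructed for the example, and "approval" is modelled as a set of action names an analyst has signed off on.

```python
"""Added example (not from the page or any SOAR product): a toy playbook
runner that executes read-only enrichment automatically and holds
destructive actions until a named human approval exists. Alert fields,
actions, threat-intel and asset data are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

# Constructed threat-intel table standing in for a TIP lookup
CONSTRUCTED_TI = {"198.51.100.7": {"verdict": "malicious", "tags": ["c2"]}}
# Constructed asset inventory standing in for a CMDB query
CONSTRUCTED_ASSETS = {"fin-ws-07": {"owner": "finance", "criticality": "high"}}


@dataclass
class Action:
    name: str
    destructive: bool            # True = must not run without human approval
    run: Callable[[dict], dict]


@dataclass
class PlaybookResult:
    outputs: Dict[str, dict] = field(default_factory=dict)
    executed: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)


def enrich_ip(alert):        # read-only: threat-intel lookup
    return CONSTRUCTED_TI.get(alert["src_ip"], {"verdict": "unknown", "tags": []})


def lookup_asset(alert):     # read-only: asset inventory
    return CONSTRUCTED_ASSETS.get(alert["host"], {"owner": "unknown", "criticality": "low"})


def isolate_host(alert):     # destructive: EDR network containment
    return {"isolated": alert["host"]}


def disable_account(alert):  # destructive: identity-provider change
    return {"disabled": alert["user"]}


PLAYBOOK = [
    Action("enrich_ip", False, enrich_ip),
    Action("lookup_asset", False, lookup_asset),
    Action("isolate_host", True, isolate_host),
    Action("disable_account", True, disable_account),
]


def run_playbook(alert: dict, approvals: FrozenSet[str] = frozenset()) -> PlaybookResult:
    """Read-only steps always run; a destructive step runs only if its name has been approved."""
    result = PlaybookResult()
    for action in PLAYBOOK:
        if action.destructive and action.name not in approvals:
            result.pending_approval.append(action.name)   # parked for a human, never auto-run
            continue
        result.outputs[action.name] = action.run(alert)
        result.executed.append(action.name)
    return result


def recommend_actions(result: PlaybookResult) -> List[str]:
    """Turn enrichment into a proposal for the analyst; proposing changes nothing by itself."""
    ti = result.outputs.get("enrich_ip", {})
    asset = result.outputs.get("lookup_asset", {})
    proposals = []
    if ti.get("verdict") == "malicious":
        proposals.append("isolate_host")
        if asset.get("criticality") == "high":
            proposals.append("disable_account")
    return proposals


if __name__ == "__main__":
    # constructed alert: a finance workstation talking to a known C2 address
    alert = {"src_ip": "198.51.100.7", "host": "fin-ws-07", "user": "j.doe"}
    first = run_playbook(alert)                       # enrichment only
    print("executed:", first.executed, "pending:", first.pending_approval)
    print("proposed to analyst:", recommend_actions(first))
    second = run_playbook(alert, frozenset({"isolate_host"}))   # after analyst approval
    print("executed:", second.executed, "still pending:", second.pending_approval)
```

The approval set is the guardrail: nothing in `recommend_actions` can cause containment, and `run_playbook` re-runs the idempotent read-only steps on every pass but touches a host or account only for names the analyst explicitly approved. In a real SOAR platform the same split shows up as an approval task or manual gate placed before each containment or identity action in the workflow.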

Frequently Asked Questions

What is the Cisco 350-201 CBRCOR exam?

Cisco 350-201 CBRCOR (Performing CyberOps Using Cisco Security Technologies) is the core exam for the Cisco CyberOps Professional certification. It validates SOC operator skills across four domains: Fundamentals (20%), Techniques (30%), Processes (30%), and Automation (20%), anchored in MITRE ATT&CK, NIST 800-61, CVSS/EPSS, and the Cisco Secure portfolio (XDR, Secure Endpoint, Secure Network Analytics, Secure Malware Analytics).

How many questions are on the 350-201 exam?

The Cisco 350-201 CBRCOR exam typically has approximately 90-110 questions delivered in 120 minutes. Question types include multiple choice (single and multiple response), drag-and-drop, and scenario-based items. Cisco does not publish the exact item count per form.

What is the passing score for Cisco 350-201?

Cisco does not publish an exact passing percentage for 350-201. Cisco professional exams are scored on a 300-1000 scale, with the practical cut score commonly reported around 825/1000. Cisco may adjust cut scores between forms based on item difficulty.

How much does the Cisco 350-201 CBRCOR exam cost?

The Cisco 350-201 CBRCOR exam costs $400 USD at Pearson VUE. Local pricing and taxes may apply. CBRCOR is the core exam of the CyberOps Professional certification; passing it plus one concentration exam (300-215 CBRFIR or 300-220 CBRTHD) earns the full Professional credential.

What certification does 350-201 earn?

Passing 350-201 alone earns the Cisco Certified Specialist - CyberOps Core badge. Combined with one concentration exam (300-215 CBRFIR forensics/IR or 300-220 CBRTHD threat hunting), it earns the full Cisco CyberOps Professional certification, valid for 3 years.

How long should I study for Cisco 350-201?

Plan for 120-200 hours of focused study over 3-5 months. Core resources: official Cisco CBRCOR exam topics, the Cisco CBRCOR course (or Cisco U. learning path), MITRE ATT&CK and NIST 800-61, CVSS v3.1 and EPSS, and hands-on labs with Cisco XDR/SecureX, Secure Endpoint, Secure Network Analytics (formerly Stealthwatch), and SOAR playbooks. Aim for 85%+ on full-length mocks before scheduling.