
100+ Free Cisco CBRFIR (300-215) Practice Questions

Pass your Cisco CyberOps Professional — Conducting Forensic Analysis and Incident Response Using Cisco Technologies (300-215 CBRFIR) v1.2 exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

Key Facts: Cisco CBRFIR (300-215) Exam

  • Exam Questions: ~55–65 items (source: Cisco 300-215 CBRFIR blueprint)
  • Exam Duration: 90 minutes (source: Cisco)
  • Approximate Cut Score: ~825/1000 (Cisco scaled scoring; not officially published)
  • Exam Fee: $300 USD (Cisco / Pearson VUE)
  • Certification Level: Professional (Cisco CyberOps Professional)
  • Certification Validity: 3 years (Cisco recertification policy)

The Cisco 300-215 CBRFIR exam has approximately 55–65 questions in 90 minutes and costs $300 USD at Pearson VUE. Cisco uses scaled scoring (approximately 825/1000 cut score) and does not publish a fixed percentage. Five domains: Fundamentals 20%, Forensics Techniques 20%, Incident Response Techniques 30%, Forensics Processes 15%, Incident Response Processes 15%. It is one of two CyberOps Professional concentration exams — combined with 350-201 CBRCOR it earns the Cisco CyberOps Professional certification, valid for 3 years.

Sample Cisco CBRFIR (300-215) Practice Questions

Try these sample questions to test your Cisco CBRFIR (300-215) exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which MITRE ATT&CK technique ID represents the use of LSASS memory dumping to harvest credential material on Windows?
A. T1003.001
B. T1059.001
C. T1547.001
D. T1021.002
Explanation: T1003.001 is the MITRE ATT&CK sub-technique for OS Credential Dumping via LSASS Memory. Attackers use tools such as Mimikatz, ProcDump, or direct API calls to extract NTLM hashes and Kerberos tickets from lsass.exe. This is one of the most commonly detected post-exploitation steps in enterprise IR.
2. During a live Windows IR, an analyst wants to identify all DLLs loaded by a suspicious process. Which Volatility 3 plugin is most appropriate?
A. pslist
B. netscan
C. dlllist
D. malfind
Explanation: The Volatility 3 `dlllist` plugin walks each process's PEB (Process Environment Block) and lists all DLLs mapped into its virtual address space, including the full path, load address, and size. This is the correct tool for enumerating per-process loaded modules during memory triage.
3. An analyst needs to capture a memory image from a live Linux system without installing a kernel module. Which command accomplishes this using a loadable module approach?
A. insmod lime.ko path=/mnt/usb/memory.lime format=lime
B. dd if=/dev/mem of=/mnt/usb/memory.img bs=4096
C. volatility -f /proc/kcore imageinfo
D. cat /proc/kallsyms > /mnt/usb/kallsyms.txt
Explanation: LiME (Linux Memory Extractor) is a loadable kernel module that is loaded with `insmod`. The `path` parameter specifies the output destination (a local file or a TCP socket) and `format=lime` selects the LiME format, which Volatility 3 understands natively. It provides a complete, accurate memory capture, including kernel-mapped regions.
4. What does Cisco Secure Endpoint's 'Device Trajectory' feature provide during an IR investigation?
A. A chronological timeline of file, process, and network events on a specific endpoint
B. A network flow map of all hosts communicating with a compromised endpoint
C. A list of all IoCs matched against Talos threat intelligence feeds
D. A live packet capture session triggered from the management console
Explanation: Device Trajectory in Cisco Secure Endpoint presents a chronological event timeline — combining file create/execute/delete events, process execution chains, and network connections — specific to a single endpoint. Analysts use it to reconstruct the attack sequence and pivot to related indicators during IR.
5. According to NIST SP 800-61r2, which activity occurs during the 'Post-Incident Activity' phase of the IR lifecycle?
A. Identifying the initial attack vector and isolating affected systems
B. Restoring systems to normal operation and confirming eradication
C. Conducting a lessons-learned meeting and updating the IR plan
D. Activating the incident response team and declaring a severity level
Explanation: NIST SP 800-61r2 defines Post-Incident Activity as the final phase where the team conducts a lessons-learned meeting (ideally within two weeks), documents what occurred, updates policies and detection capabilities, and captures metrics such as MTTD and MTTC. This continuous improvement loop is critical to maturing the IR program.
6. A forensic analyst is creating a super-timeline of activity on a compromised Windows host. Which tool is most appropriate for this task?
A. Plaso / log2timeline
B. RegRipper
C. FTK Imager
D. Wireshark
Explanation: Plaso (the engine behind log2timeline) parses dozens of artifact sources — NTFS $MFT, Windows event logs, Prefetch, ShellBags, browser history, recycle bin, and more — to produce a single unified CSV or JSON timeline sorted by timestamp. This super-timeline capability is essential for correlating events during complex IR investigations.
7. Which Windows event ID should an analyst correlate to identify Kerberoasting activity in the Security event log?
A. 4769
B. 4624
C. 4688
D. 4720
Explanation: Event ID 4769 (A Kerberos service ticket was requested) is logged by the domain controller when a Kerberos TGS request occurs. Kerberoasting is detected by filtering 4769 events where the Ticket Encryption Type is 0x17 (RC4-HMAC) and the account requesting the ticket is not a service account, indicating an attacker attempting to crack the hash offline.
8. What is the primary purpose of the chain of custody in digital forensics?
A. To provide a continuous, auditable record of evidence handling from collection to court
B. To document the cryptographic hash of each evidence item
C. To define the order in which volatile data must be collected
D. To authorize the forensic examiner to access privately owned devices
Explanation: Chain of custody is a procedural record that documents who collected an evidence item, when, where, how it was stored, and every person who had access to it. This unbroken documentation is required to demonstrate that evidence was not altered or tampered with, which is essential for admissibility in legal proceedings.
9. An IR team wants to isolate a compromised host from the network immediately while preserving the ability to continue remote investigation. Which Cisco Secure Endpoint capability enables this?
A. Host Isolation
B. File Trajectory
C. Orbital Advanced Search
D. Threat Grid sandbox detonation
Explanation: Cisco Secure Endpoint's Host Isolation feature blocks all network traffic to and from the endpoint except for the management connection back to the Secure Endpoint cloud infrastructure. This lets the IR team contain the threat without physically removing the machine from the network, and they can continue running Orbital queries and observing the endpoint remotely.
10. Which NIST SP 800-86 phase focuses on identifying relevant information within the collected forensic data?
A. Collection
B. Examination
C. Analysis
D. Reporting
Explanation: The Analysis phase of NIST SP 800-86 is where the examiner interprets the data identified during Examination, draws conclusions, and correlates findings to answer investigative questions. The Examination phase merely reduces data volume by identifying potentially relevant data; Analysis assigns meaning to it.
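The explanation for question 6 describes what a super-timeline tool does: it reads artifacts whose timestamps are stored in different formats (NTFS FILETIME ticks, event log ISO 8601 strings with local offsets, Unix epoch seconds) and merges them into one UTC-ordered list. The following Python is an added illustration of that normalisation step written for this page; it is not Plaso or log2timeline code, and the four events (an EID 4688 record, an $MFT creation time, a timestamped bash_history line and a Prefetch last-run time) are constructed sample data.

```python
"""Minimal super-timeline builder (added example, not Plaso code).

Normalises timestamps from several artifact sources into UTC and merges them
into a single chronologically sorted timeline, which is the core idea behind
log2timeline/Plaso output.
"""
import csv
import sys
from datetime import datetime, timedelta, timezone

# Number of 100-nanosecond ticks between the FILETIME epoch (1601-01-01 UTC)
# and the Unix epoch (1970-01-01 UTC).
FILETIME_UNIX_DELTA = 116444736000000000


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a Windows FILETIME ($MFT, Prefetch, registry) to an aware UTC datetime."""
    seconds, ticks = divmod(filetime - FILETIME_UNIX_DELTA, 10**7)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=ticks // 10)


def epoch_to_utc(seconds: int) -> datetime:
    """Convert Unix epoch seconds (e.g. '#1710496790' markers in bash_history) to UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def iso_to_utc(text: str) -> datetime:
    """Parse ISO 8601 with a 'Z' suffix or numeric offset and convert to UTC.

    Event logs exported from a host in local time carry an offset; a timestamp
    with no zone at all cannot be placed on a UTC timeline, so it is rejected
    rather than silently assumed.
    """
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {text}")
    return parsed.astimezone(timezone.utc)


PARSERS = {"filetime": filetime_to_utc, "epoch": epoch_to_utc, "iso8601": iso_to_utc}

# Constructed sample events, each in the native timestamp format of its source.
# The file names, PID-less descriptions and the Prefetch hash are invented for the example.
SAMPLE_EVENTS = [
    {"source": "Security.evtx", "format": "iso8601", "time": "2024-03-15T12:00:05+02:00",
     "description": "EID 4688 process created: cmd.exe (parent: winword.exe)"},
    {"source": "$MFT", "format": "filetime", "time": 133549704000000000,
     "description": "$STANDARD_INFORMATION created: C:\\Users\\Public\\update.exe"},
    {"source": "bash_history", "format": "epoch", "time": 1710496790,
     "description": "crontab -l"},
    {"source": "Prefetch", "format": "filetime", "time": 133549704300000000,
     "description": "UPDATE.EXE-1A2B3C4D.pf last run"},
]


def build_timeline(events):
    """Return the events as rows sorted by their normalised UTC timestamp."""
    rows = []
    for ev in events:
        ts = PARSERS[ev["format"]](ev["time"])
        rows.append({"_ts": ts, "timestamp": ts.isoformat(),
                     "source": ev["source"], "description": ev["description"]})
    rows.sort(key=lambda r: r["_ts"])
    for r in rows:
        del r["_ts"]  # keep only the serialisable columns
    return rows


def write_csv(rows, out=sys.stdout):
    """Emit the timeline as CSV, the format analysts usually filter and pivot on."""
    writer = csv.DictWriter(out, fieldnames=["timestamp", "source", "description"])
    writer.writeheader()
    writer.writerows(rows)


if __name__ == "__main__":
    write_csv(build_timeline(SAMPLE_EVENTS))
```

Run stand-alone it prints a four-row CSV in which the local-time event log entry (12:00:05 at UTC+2) correctly lands after the $MFT creation time (10:00:00 UTC); without the offset conversion the same record would sort two hours late and break the attack sequence.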

About the Cisco CBRFIR (300-215) Exam

Cisco 300-215 CBRFIR (Conducting Forensic Analysis and Incident Response Using Cisco Technologies for Cybersecurity) is the CyberOps Professional forensics and IR concentration exam. It validates skills across disk, memory, and network forensics; NIST SP 800-86 methodology; NIST SP 800-61r2 IR lifecycle; MITRE ATT&CK technique mapping; Cisco Secure Endpoint investigation; Cisco XDR unified response; and IOC/IOA development using STIX/TAXII. Passing this exam earns the Cisco Certified Specialist — CyberOps Forensic Analysis and Incident Response badge and, combined with 350-201 CBRCOR, the full Cisco CyberOps Professional certification.

  • Questions: 100 scored questions
  • Time Limit: 90 minutes
  • Passing Score: Cisco does not publish a fixed passing score (scaled scoring; approximately 825/1000 commonly cited)
  • Exam Fee: $300 USD (Cisco / Pearson VUE)

Cisco CBRFIR (300-215) Exam Content Outline

  • Fundamentals (20%): RFC 3227 order of volatility, volatile vs non-volatile data, Windows NTFS/$MFT/$UsnJrnl/$LogFile/VSS/Prefetch/ShellBags/Amcache/Shimcache, Linux /proc and sysfs, macOS APFS/KnowledgeC.db/LaunchDaemons, MITRE ATT&CK tactics and techniques, evidence preservation, chain of custody, and legal considerations
  • Forensics Techniques (20%): FTK Imager E01/DD, dd conv=noerror,sync, write blockers, LiME/WinPmem acquisition, Volatility 3 plugins (pslist/psscan/netscan/malfind/dlllist/hashdump/mftparser/timeliner), Plaso/log2timeline super-timelines, registry (NTUSER.DAT/Amcache.hve/RegRipper), Windows event IDs (4624/4688/4769), Sysmon EID 1/3/7/11, Wireshark display filters, tcpdump BPF, mobile (adb/iOS GrayKey), and cloud forensics (AWS CloudTrail/GCP Audit Logs)
  • Incident Response Techniques (30%): IR triage and scoping, synchronized containment, Cisco Secure Endpoint Device/File Trajectory and Host Isolation, Cisco Orbital osquery queries, Cisco XDR unified investigation and automation playbooks, Cisco Umbrella Investigate, Stealthwatch behavioral alarms, Cisco Talos IOC enrichment, threat hunting in Splunk SPL, STIX 2.1/TAXII 2.1 IOC sharing, and MITRE ATT&CK-mapped IOC/IOA development
  • Forensics Processes (15%): NIST SP 800-86 four phases (Collection, Examination/reduction, Analysis, Reporting), reproducible technical findings, executive summary structure, MD5/SHA-256 evidence hashing, chain-of-custody form requirements, legal hold and spoliation, and admissibility standards
  • Incident Response Processes (15%): NIST SP 800-61r2 four phases, CSIRT models (centralized/distributed/coordinating), synchronized containment strategy, stakeholder communication plans (Legal/HR/Executive/PR/Regulatory), tabletop exercise design, post-incident lessons-learned reports with action items, and MTTD/MTTC/MTTR SOC metrics

How to Pass the Cisco CBRFIR (300-215) Exam

What You Need to Know

  • Passing score: Cisco does not publish a fixed passing score (scaled scoring; approximately 825/1000 commonly cited)
  • Exam length: 100 questions
  • Time limit: 90 minutes
  • Exam fee: $300 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Cisco CBRFIR (300-215) Study Tips from Top Performers

1. Know the NIST SP 800-86 four phases (Collection, Examination, Analysis, Reporting) and the NIST SP 800-61r2 four phases (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity) — both frameworks are tested directly
2. Memorize key Volatility 3 plugins and their purpose: pslist vs psscan (DKOM detection), netscan (network connections bypassing rootkit hooks), malfind (injection), dlllist (loaded modules), hashdump (credentials), timeliner (memory timeline)
3. Map Windows event IDs to IR scenarios: 4624 (logon), 4625 (failed logon), 4688 (process creation), 4769 (Kerberos TGS — Kerberoasting uses encryption type 0x17), 4720 (account created), 1102 (Security log cleared)
4. Understand Cisco product naming: Secure Endpoint = formerly AMP; Stealthwatch = Secure Network Analytics; Cisco XDR absorbed SecureX threat response and orchestration
5. Learn the difference between an IOC (specific artifact: file hash, IP, domain) and an IOA (behavioral pattern: encoded PowerShell, LSASS access, WMI lateral movement) — IOAs are more resilient to attacker evasion
6. Practice tcpdump BPF syntax (host X and tcp port Y, not port Z) and Wireshark display filters (tls.handshake.type == 1 for ClientHello/SNI, dns.qry.name for DNS hunting)
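Question 7's explanation and study tip 3 both describe the Kerberoasting detection logic: filter Security log EID 4769 down to successful service ticket requests with Ticket Encryption Type 0x17 (RC4-HMAC), discard the krbtgt service and computer accounts, and look at which requesting account is collecting tickets. The Python below is an added worked example of that logic written for this page, not a Cisco, Splunk or Microsoft artifact. The eight events are constructed sample records in the shape of an EVTX export, and the `min_distinct_services` threshold is an assumption chosen to show the per-account fan-out that separates a roasting attempt from a single legacy RC4 service.

```python
"""Kerberoasting detection over EID 4769 records (added example, constructed data).

Logic, as described on the page: keep 4769 events whose TicketEncryptionType is
0x17 (RC4-HMAC), drop the krbtgt service and computer-account SPNs, then group
the remaining requests by the requesting account. One user pulling RC4 tickets
for many distinct services in a short window is the signal worth alerting on.
"""
from collections import defaultdict

RC4_HMAC = "0x17"          # Ticket Encryption Type for RC4-HMAC
KDC_SUCCESS = "0x0"        # 4769 Status field for a ticket that was actually issued

# Constructed sample records; field names follow the 4769 event XML (EventData).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "sql-svc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "http-svc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "backup-svc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25", "Status": "0x0"},
    # AES256 ticket for a computer account: normal host-to-host traffic.
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.25", "Status": "0x0"},
    # Same SPN requested with AES by another user: not RC4, not interesting.
    {"EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "sql-svc",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.40", "Status": "0x0"},
    # RC4 ticket for krbtgt is TGT renewal noise, excluded by the standard filter.
    {"EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.40", "Status": "0x0"},
    # RC4 ticket for a computer account SPN (legacy host), excluded.
    {"EventID": 4769, "TargetUserName": "WS02$@CORP.EXAMPLE", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.51", "Status": "0x0"},
    # 4768 is a TGT request, not a service ticket request; out of scope for this rule.
    {"EventID": 4768, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25", "Status": "0x0"},
]


def is_rc4_service_ticket_request(event) -> bool:
    """True for a successful 4769 RC4 ticket for a non-krbtgt, non-computer service."""
    if event.get("EventID") != 4769 or event.get("Status") != KDC_SUCCESS:
        return False
    if event.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    service = event.get("ServiceName", "")
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    return True


def detect_kerberoasting(events, min_distinct_services=3):
    """Group qualifying requests by requester; flag accounts that hit many distinct SPNs.

    Returns {account: sorted list of service names}, only for accounts at or above
    the threshold. The threshold is an assumption for this example: tune it to the
    number of RC4-only services that legitimately remain in the environment.
    """
    services_by_account = defaultdict(set)
    for ev in events:
        if is_rc4_service_ticket_request(ev):
            account = ev["TargetUserName"].split("@")[0]
            services_by_account[account].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in sorted(services_by_account.items())
            if len(svcs) >= min_distinct_services}


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: RC4 tickets for {', '.join(services)}")
```

Two points the code makes concrete: the RC4 filter alone is noisy wherever legacy service accounts still lack AES keys, so the per-account count of distinct SPNs is what turns a list of 4769 events into an alert; and the 4768 record is deliberately left out, because TGT requests (even RC4 ones) are a different hunt (AS-REP roasting) with its own event and its own filter.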

Frequently Asked Questions

What is the Cisco 300-215 CBRFIR exam?

Cisco 300-215 CBRFIR (Conducting Forensic Analysis and Incident Response Using Cisco Technologies for Cybersecurity) is a CyberOps Professional concentration exam (v1.2). It validates digital forensics, incident response, and threat hunting skills using NIST SP 800-86, NIST SP 800-61r2, MITRE ATT&CK, Volatility 3, and the Cisco Secure portfolio including Secure Endpoint, XDR, Umbrella, Stealthwatch, and Talos.

How many questions are on the Cisco 300-215 exam?

The Cisco 300-215 CBRFIR exam has approximately 55–65 questions delivered in 90 minutes. Question types include multiple choice (single and multiple response), drag-and-drop, and scenario-based items. Cisco does not publish the exact item count per exam form.

What is the passing score for 300-215 CBRFIR?

Cisco does not publish an exact passing percentage for 300-215. Cisco professional exams use scaled scoring on a 300–1000 scale with the practical cut score commonly cited around 825/1000. Cisco adjusts cut scores between exam forms based on item difficulty calibration.

How much does the 300-215 CBRFIR exam cost?

The Cisco 300-215 CBRFIR exam costs $300 USD at Pearson VUE. The exam can be taken at a physical Pearson VUE test center or online via OnVUE proctored delivery. Local pricing and applicable taxes may vary.

What domains are covered on the 300-215 CBRFIR exam?

The five CBRFIR domains are: Fundamentals (20%), Forensics Techniques (20%), Incident Response Techniques (30%), Forensics Processes (15%), and Incident Response Processes (15%). The largest single domain is Incident Response Techniques — focus heavily on Cisco Secure Endpoint, Cisco XDR, threat hunting with MITRE ATT&CK, and IOC/IOA development with STIX/TAXII.

What certification does the 300-215 exam earn?

Passing 300-215 alone earns the Cisco Certified Specialist — CyberOps Forensic Analysis and Incident Response specialist badge. Combined with 350-201 CBRCOR (the CyberOps Professional core exam), it earns the full Cisco CyberOps Professional certification, valid for 3 years with Cisco's continuing education program.

How long should I study for the 300-215 CBRFIR exam?

Plan 80–160 hours of focused study over 2–4 months. Core resources include: official Cisco CBRFIR exam topics, the Cisco CBRFIR course or Cisco U. learning path, NIST SP 800-86 and 800-61r2, MITRE ATT&CK framework, hands-on practice with Volatility 3, FTK Imager, dd, LiME, Wireshark, tcpdump, and the Cisco XDR/Secure Endpoint/Umbrella/Stealthwatch product suite. Target 85%+ on full-length practice exams before scheduling.