100+ Free Cisco CyberOps Professional Practice Questions

Pass your Cisco Certified CyberOps Professional — 350-201 CBRCOR exam on the first try — instant access, no signup required.


Key Facts: Cisco CyberOps Professional Exam

  • Exam Questions: ~90-110 (Cisco 350-201 CBRCOR)
  • Exam Duration: 120 min (Cisco)
  • Approximate Cut Score: ~825/1000 (Cisco scaled scoring, not officially published)
  • Exam Fee: $400 (Cisco / Pearson VUE)
  • Certification Level: Professional (Cisco CyberOps Professional track)
  • Certification Validity: 3 years (Cisco recertification cycle)

Cisco 350-201 CBRCOR is the core exam for Cisco CyberOps Professional. It runs 120 minutes with ~90-110 questions and costs $400 at Pearson VUE. Paired with one concentration exam (300-215 CBRFIR or 300-220 CBRTHD), it earns the CyberOps Professional credential valid for 3 years. Domains: Fundamentals (20%), Techniques (30%), Processes (30%), Automation (20%).

Sample Cisco CyberOps Professional Practice Questions

Try these sample questions to test your Cisco CyberOps Professional exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. A SOC analyst calculates that a database server has a Single Loss Expectancy (SLE) of $50,000 and an Annualized Rate of Occurrence (ARO) of 0.4. What is the Annualized Loss Expectancy (ALE)?
A. $20,000
B. $125,000
C. $50,400
D. $200,000
Explanation: ALE = SLE × ARO = $50,000 × 0.4 = $20,000. ALE represents the expected annual monetary loss from a specific risk. SLE is the cost of a single occurrence and ARO is how often it is expected per year.

2. Which MITRE ATT&CK tactic describes the adversary's goal of trying to steal account credentials and hashes after gaining initial access?
A. Initial Access (TA0001)
B. Execution (TA0002)
C. Credential Access (TA0006)
D. Defense Evasion (TA0005)
Explanation: Credential Access (TA0006) covers adversary techniques aimed at stealing account names and passwords or hashes, such as OS Credential Dumping (T1003), Brute Force (T1110), and Unsecured Credentials (T1552). This is distinct from Initial Access, which covers how adversaries get into the environment.

3. In the Lockheed Martin Cyber Kill Chain, at which phase does an adversary typically use spear-phishing to deliver a malicious attachment?
A. Reconnaissance
B. Weaponization
C. Exploitation
D. Delivery
Explanation: Delivery is the phase where the adversary transmits the weaponized bundle to the target — via spear-phishing email, malicious USB, or watering-hole attack. The email with the malicious attachment is the delivery mechanism. Weaponization precedes delivery and involves creating the exploit payload.

4. The Diamond Model of intrusion analysis identifies four core features of every intrusion event. Which option correctly lists all four?
A. Adversary, Capability, Infrastructure, Victim
B. Threat, Vulnerability, Asset, Impact
C. Reconnaissance, Delivery, Exploitation, Actions on Objectives
D. Tactic, Technique, Procedure, Mitigation
Explanation: The Diamond Model (Caltagirone, Pendergast, Betz 2013) frames every intrusion as a relationship among four vertices: Adversary (the threat actor), Capability (the tools/malware/exploits used), Infrastructure (C2 servers, domains, IP space), and Victim (the target). Analysts plot these relationships to track campaigns and attribute attacks.

5. Which security control type is BEST represented by a security guard posted at a data center entrance who deters unauthorized access through visible presence alone?
A. Preventive
B. Compensating
C. Corrective
D. Deterrent
Explanation: A deterrent control discourages adversaries from attempting an attack through visible consequences or presence — such as a security guard, warning signs, or CCTV cameras in plain view. Unlike preventive controls, deterrents do not technically block entry; they rely on threat of consequence to reduce the likelihood of an attempt.

6. A Tier 2 SOC analyst is reviewing an alert generated by Cisco Secure Network Analytics (formerly Stealthwatch). Which core technology enables Secure Network Analytics to detect threats in encrypted traffic without decrypting it?
A. Encrypted Traffic Analytics (ETA)
B. Deep Packet Inspection (DPI)
C. NetFlow export via SNMP
D. SSL/TLS certificate pinning
Explanation: Cisco Encrypted Traffic Analytics (ETA) uses machine learning on flow telemetry metadata — such as packet length, timing, and TLS handshake characteristics — to classify encrypted traffic as malicious or benign without decrypting it. This preserves privacy while maintaining threat visibility in TLS-encrypted flows.

7. During a threat hunt, an analyst forms a hypothesis based on intelligence that a nation-state group uses PowerShell with AMSI bypass techniques. Which threat hunting methodology does this BEST represent?
A. TTP-based hunting
B. Anomaly-based hunting
C. IoC-based hunting
D. Baseline-deviation hunting
Explanation: TTP-based (Tactics, Techniques, and Procedures) hunting starts from known adversary behaviors — in this case PowerShell with AMSI bypass — rather than specific indicators like file hashes or IP addresses. It uses threat intelligence about how an actor operates to form a hypothesis, then looks for evidence of those behaviors in telemetry. This approach is the most resilient because TTPs are harder for adversaries to change than IoCs.

8. A security engineer is hardening a containerized application. Which combination of container security practices aligns with CIS Docker Benchmark recommendations?
A. Run containers as root; use Alpine base images; enable host networking
B. Use privileged mode for all production containers; disable AppArmor profiles
C. Run containers as non-root; use distroless or minimal base images; mount the filesystem read-only where possible
D. Use the latest tag for base images; enable host PID namespace for observability
Explanation: CIS Docker Benchmark and container security best practices require running containers as non-root users to limit blast radius, using distroless or minimal base images to reduce attack surface, and mounting filesystems read-only wherever the application does not need write access. These three controls together significantly harden the container runtime posture.

9. An analyst is reviewing MISP threat intelligence for a new campaign. They notice an indicator tagged TLP:RED. What does this Traffic Light Protocol designation mean?
A. The indicator can be shared freely with any partner organization
B. The indicator can be shared within the analyst's sector/community
C. The indicator is restricted to the named recipients only — not for further distribution
D. The indicator can be shared within the analyst's organization only
Explanation: TLP:RED (Traffic Light Protocol version 2.0) restricts information to named recipients only. Recipients may not share TLP:RED data beyond those specified. This is the most restrictive TLP designation, used for sensitive intelligence that could harm the source or ongoing operations if shared more broadly.

10. Which Kubernetes resource should be applied to enforce network segmentation between pods so that a compromised front-end pod cannot directly reach the database pod on port 5432?
A. ClusterRole
B. PodSecurityPolicy
C. ResourceQuota
D. NetworkPolicy
Explanation: Kubernetes NetworkPolicy objects define pod-to-pod and pod-to-external traffic rules. By creating a NetworkPolicy that restricts ingress to the database pod to only pods with a specific label (e.g., the API tier), the database port 5432 becomes unreachable from all other pods including a compromised front-end. NetworkPolicy implements microsegmentation at the Kubernetes layer.
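As an added illustration that is not part of the original question set, here is a NetworkPolicy of the kind the explanation above describes: it selects the database pod by label and admits ingress on TCP 5432 only from pods carrying the API-tier label. The namespace and the label keys/values (app=postgres, tier=api) are assumptions.

```yaml
# Added example (not from the page): restrict ingress to the database
# pod so only the API tier can reach it on 5432. Namespace and label
# names are assumed values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-api-only
  namespace: prod            # assumed namespace
spec:
  # The policy applies to pods carrying this label (the database pod).
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    # Only pods labelled tier=api in the same namespace may connect,
    # and only on TCP 5432. A front-end pod (for example tier=web) does
    # not match this rule, so its connections to 5432 are dropped even
    # if that pod is compromised.
    - from:
        - podSelector:
            matchLabels:
              tier: api
      ports:
        - protocol: TCP
          port: 5432
```

Once any NetworkPolicy selects the database pod, ingress not matched by a rule is denied, so no separate deny rule is needed; note that enforcement depends on the cluster's CNI plugin implementing NetworkPolicy, and the object is accepted but has no effect on a network plugin that ignores it.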

About the Cisco CyberOps Professional Exam

The Cisco CyberOps Professional (350-201 CBRCOR) validates senior SOC analyst skills across four domains: cybersecurity fundamentals, detection and hunting techniques, forensics and IR processes, and SOC automation with Cisco XDR, REST APIs, and DevSecOps tooling.

  • Assessment: ~90-110 multiple-choice, drag-and-drop, and scenario items in 120 minutes; Fundamentals (20%), Techniques (30%), Processes (30%), Automation (20%)
  • Time Limit: 120 minutes
  • Passing Score: Variable scaled score (Cisco does not publish; commonly cited ~825/1000)
  • Exam Fee: $400 (Cisco / Pearson VUE)

Cisco CyberOps Professional Exam Content Outline

  • Fundamentals (20%): CIA triad, risk formulas (ALE/SLE/ARO), SOC roles and tools (SIEM/EDR/NDR/TIP), incident classification, MITRE ATT&CK, Cyber Kill Chain, Diamond Model, NIST CSF, and security control types
  • Techniques (30%): Threat hunting (hypothesis-driven, IoA-based, TTP-based), CIS Benchmark hardening, container and Kubernetes security, SIEM/EDR/NDR operations, microsegmentation (Cisco Secure Workload), threat intelligence platforms (MISP, Anomali), AI-powered analytics, and cloud-native security (CSPM/CWPP/CIEM/CASB)
  • Processes (30%): STRIDE and PASTA threat modeling, static malware analysis (PE/ELF, strings, entropy), dynamic malware analysis (sandbox, Cisco Secure Malware Analytics), digital forensics (Volatility, FTK/EnCase, RFC 3227 order of volatility), CVSS v3.1 and EPSS triage, NIST 800-61 IR lifecycle, chain of custody
  • Automation (20%): SOAR playbook design with human-on-the-loop guardrails, Cisco XDR orchestration, REST API integration (OAuth 2.0, Python/requests), STIX 2.1/TAXII 2.1, DevSecOps pipeline integration (SAST/DAST/SCA/IAST), Sigma detection-as-code, IaC scanning, secrets management

How to Pass the Cisco CyberOps Professional Exam

What You Need to Know

  • Passing score: Variable scaled score (Cisco does not publish; commonly cited ~825/1000)
  • Assessment: ~90-110 multiple-choice, drag-and-drop, and scenario items in 120 minutes; Fundamentals (20%), Techniques (30%), Processes (30%), Automation (20%)
  • Time limit: 120 minutes
  • Exam fee: $400

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Cisco CyberOps Professional Study Tips from Top Performers

1. Techniques (30%) and Processes (30%) together equal 60% of the exam — dedicate the most study time to these two domains
2. Drill the NIST 800-61 IR lifecycle in order: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity — know that Containment/Eradication/Recovery are grouped as one phase
3. Know Cisco product renames: Stealthwatch → Secure Network Analytics, AMP → Secure Endpoint, ThreatGrid → Secure Malware Analytics, Tetration → Secure Workload, SecureX → Cisco XDR (2024)
4. Differentiate IoC (Indicator of Compromise — artifact after breach: hash, IP, domain) from IoA (Indicator of Attack — behavioral signal: lateral movement, credential access) for threat hunting questions
5. For SOAR automation: enrich and alert fully automated; destructive actions (host isolation, account disable, mass password reset) require human approval — this design principle appears in multiple question types
6. Combine CVSS v3.1 (Base/Temporal/Environmental) with EPSS (daily exploit probability score) for risk-based patch prioritization — CVSS alone is insufficient per the exam blueprint

Frequently Asked Questions

What is the Cisco CyberOps Professional 350-201 CBRCOR exam?

Cisco 350-201 CBRCOR (Performing CyberOps Using Cisco Security Technologies) is the core exam for the Cisco CyberOps Professional certification. It validates SOC operator skills in four domains: Fundamentals (20%), Techniques (30%), Processes (30%), and Automation (20%), anchored in MITRE ATT&CK, NIST 800-61, CVSS/EPSS, and the Cisco Secure portfolio including Cisco XDR.

What certification does passing 350-201 earn?

Passing 350-201 alone earns the Cisco Certified Specialist – CyberOps Core badge. Combined with one concentration exam — 300-215 CBRFIR (forensics/IR) or 300-220 CBRTHD (threat hunting) — it earns the full Cisco CyberOps Professional certification, valid for 3 years.

How many questions and how long is the 350-201 CBRCOR exam?

The exam typically contains ~90-110 questions in a 120-minute window. Question types include single- and multiple-response multiple choice, drag-and-drop, and scenario-based items. Cisco does not publish an exact item count per exam form.

What is the passing score for the 350-201 exam?

Cisco does not publish an exact passing percentage for 350-201. Professional exams are scored on a 300-1000 scale, and the practical cut score is commonly reported around 825/1000. Cisco may adjust cut scores between forms based on item difficulty.

How long should I study for Cisco 350-201 CBRCOR?

Most candidates with 2-3 years of SOC experience need 120-200 hours of focused study over 3-5 months. Prioritize Techniques (30%) and Processes (30%) — together they are 60% of the exam. Master MITRE ATT&CK, NIST 800-61, CVSS/EPSS, and Cisco XDR hands-on.

How much does the Cisco 350-201 exam cost?

The Cisco 350-201 CBRCOR exam costs $400 USD at Pearson VUE. Local taxes and pricing variations may apply. If you fail, you must wait 5 calendar days before retaking; each attempt requires the full fee.