CCNA Cybersecurity Operations (200-201 CBROPS)
Validates knowledge and skills for security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures. Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CCNACBR) v1.2.
What the CCNA Cybersecurity Operations (200-201 CBROPS) exam covers
Domains and their approximate weight on the exam.
Security Concepts
20%CIA triad. Security deployments: network, endpoint, application systems; agent-based and agentless protections; legacy antivirus and antimalware; SIEM, SOAR, log management. Security terms: threat intelligence, threat hunting, malware analysis, threat actor, run book automation, reverse engineering, sliding window anomaly detection, principle of least privilege, zero trust, threat intelligence platform. Access control models: discretionary, mandatory, nondiscretionary, role-based, rule-based, time-based; AAA. CVSS terms: attack vector, attack complexity, privileges required, user interaction, scope. Risk (scoring, weighting, reduction, assessment), threat, vulnerability, exploit. Defense-in-depth strategy. Data visibility challenges (network, host, cloud). Data loss from traffic profiles. 5-tuple approach to isolate compromised host. Rule-based vs behavioral and statistical detection.
Security Monitoring
25%Attack surface vs vulnerability. Data types from TCP dump, NetFlow, next-gen firewall, traditional stateful firewall, application visibility and control, web content filtering, email content filtering. Impact on visibility: ACLs, NAT/PAT, tunneling, TOR, encryption, P2P, encapsulation, load balancing. Uses of full packet capture, session data, transaction data, statistical data, metadata, alert data. Network attacks: protocol-based, DoS, DDoS, man-in-the-middle. Endpoint-based attacks: buffer overflow, C2, malware, ransomware. Web application attacks: SQL injection, command injection, XSS. Social engineering. Evasion and obfuscation: tunneling, encryption, proxies. Certificate components: cipher-suite, X.509, key exchange, protocol version, PKCS. Impact of certificates on security: PKI, public/private keys, asymmetric/symmetric.
Host-Based Analysis
20%Endpoint technologies: host-based intrusion detection, antimalware and antivirus, host-based firewall, application-level allow listing/block listing, systems-based sandboxing (Chrome, Java, Adobe Reader). OS components (Windows, Linux). Attribution: assets, threat actor, IOCs, IOAs, chain of custody. Evidence types: best, corroborative, indirect. Tampered vs untampered disk image. Interpreting OS, application, command line logs. Malware analysis tool output: hashes, URLs, systems/events/networking.
Network Intrusion Analysis
20%Mapping events to source technologies: IDS/IPS, firewall, network application control, proxy logs, antivirus, NetFlow. Impact: false positive, false negative, true positive, true negative, benign. Deep packet inspection vs packet filtering vs stateful firewall. Inline traffic interrogation vs taps/traffic monitoring. Taps/transactional data vs NetFlow. Extracting files from TCP stream (PCAP, Wireshark). Key elements in PCAP: source/destination address, ports, protocols, payloads. Protocol headers: Ethernet, IPv4, IPv6, TCP, UDP, ICMP, DNS, SMTP/POP3/IMAP, HTTP/HTTPS/HTTP2, ARP. Artifact elements: IP, ports, process, system API calls, hashes, URI/URL. Basic regular expressions.
Security Policies and Procedures
15%Management concepts: asset, configuration, mobile device, patch, vulnerability management. Incident response plan (NIST SP800-61): preparation, detection and analysis, containment/eradication/recovery, post-incident analysis. Incident handling process. Stakeholders (NIST IR, CMMC). Evidence concepts (NIST SP800-86): collection order, data integrity, preservation, volatile data. Network profiling: throughput, session duration, ports, critical asset address space. Server profiling: listening ports, logged-in users, processes, tasks, applications. Protected data: PII, PSI, PHI, intellectual property. Intrusion models: Cyber Kill Chain, Diamond Model. SOC metrics: time to detect, contain, respond, control.
How CertSim helps you pass
Realistic questions
Scenario-based questions aligned to the official CCNA Cybersecurity Operations (200-201 CBROPS) objectives.
AI explanations
Understand why each answer is right or wrong, with deep-dive explanations.
Readiness analytics
Track your score by domain and know when you are ready for exam day.
Start preparing for CCNA Cybersecurity Operations (200-201 CBROPS) today
Free to start. Practice realistic questions and track your readiness.
Start free