01. In a threat model, what does an asset represent?
a) A specific attacker technique only
b) Something of value that requires protection (system, data, service)
c) A CVSS vector string
d) An incident ticket status
02. During vulnerability triage, a team needs to combine technical severity with business context. Which two inputs most directly support risk analysis and next-step prioritization?
(Choose two.)
a) CVSS score and exploit availability/active exploitation evidence
b) Asset criticality and exposure (internet-facing vs internal)
c) Number of employees in the IT department
d) The brand of the endpoint antivirus product
03. Which two steps typically occur early in a malware analysis process?
(Choose two.)
a) Acquire and preserve the sample safely (hashing, controlled storage)
b) Disable endpoint protections to speed execution
c) Immediately deploy to production for behavior testing
d) Perform basic static analysis (strings, imports, metadata)
04. A case involves possible cloud data loss via misconfigured storage permissions. Which two investigative steps are most appropriate?
(Choose two.)
a) Review access logs and permission changes for the storage resource
b) Check endpoint screen brightness settings
c) Identify exposed objects and correlate access to identities/IPs
d) Replace the cloud provider immediately
05. Given a hardening scenario for a Linux web server image, which two actions best reduce attack surface?
(Choose two.)
a) Increase ICMP rate limits only
b) Enforce least privilege for service accounts
c) Remove/disable unused services and packages
d) Disable time synchronization (NTP)
06. What does HTTP status code 401 most commonly indicate for a REST API call?
a) Request accepted for asynchronous processing
b) Too many requests
c) Unauthorized (authentication missing/invalid)
d) Service unavailable
07. You observe the following PCAP summary from an internal host:
Repeated DNS queries to update-check[.]net every 60 seconds
Short TLS sessions to a single external IP with fixed packet sizes
What is the most likely next action to confirm suspected beaconing?
a) Validate domain reputation and correlate DNS + endpoint process telemetry
b) Disable all TLS across the enterprise
c) Delete the PCAP because it may contain sensitive data
d) Change the SIEM dashboard theme
08. Match each cloud service model to the SOC consideration focus that best describes it.
Items:
1. IaaS
2. PaaS
3. SaaS
Targets:
A. Provider manages application stack; customer focuses on identity, access, and data governance
B. Customer manages guest OS and workloads; provider manages physical infrastructure
C. Provider manages runtime/platform; customer focuses on app configuration and data
a) 1→A, 2→B, 3→C
b) 1→A, 2→C, 3→B
c) 1→C, 2→B, 3→A
d) 1→B, 2→C, 3→A
09. A SOAR playbook calls a REST API and receives HTTP 429. What is the best next action to keep automation reliable?
a) Retry immediately in a tight loop until it succeeds
b) Implement exponential backoff and respect rate-limit headers
c) Switch the request method from GET to TRACE
d) Disable API authentication to reduce overhead
10. Which mitigation recommendation most directly addresses a discovered control gap (missing MFA for privileged access)?
a) Implement MFA and privileged access policies for admin roles
b) Increase packet capture retention
c) Disable all privileged accounts permanently
d) Replace all endpoints with thin clients