Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/200-201/page_188_img_2.jpg Refer to the exhibit. An engineer received a ticket to analyze unusual network traffic. What is occurring?

regular network traffic; no suspicious activity

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/200-201/page_46_img_1.jpg What is the potential threat identified in this Stealthwatch dashboard?

A policy violation is active for host 10.10.101.24.

A host on the network is sending a DDoS attack to another inside host.

A policy violation is active for host 10.201.3.149.

View CBROPS 200-201 Exam Questions

Filter by Domain

View Mode

Question 1

Q: 1

What is the difference between the ACK flag and the RST flag in the NetFlow log session?

Options

Discussion

CuriousAnalyst8871 Jan 9, 2026 12:57 am

D imo, ACK is always about confirming data receipt but RST is that abrupt drop/close. C trips people up because RST isn't just for confirmation, it's to quickly end sessions. Seen similar Qs in practice.

Jamie X. Jan 9, 2026 5:32 pm

I picked C because I thought RST confirmed a segment actually arrived, since it seems like a forced response. But isn't ACK the one for segment confirmation, and RST is more for dropping the session? Not 100% sure on this, open to correction.

Be respectful. No spam.

Correct Answer:

Explanation

In NetFlow log sessions within TCP connections; ACK flag is used for acknowledging that data has

been successfully received while RST flag is used when there’s an error or when closing a connection

spontaneously without following standard procedures. Reference := Cisco Cybersecurity source

documents or study guide

Question 2

Q: 2

Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?

Options

Discussion

SteadySec3469 Dec 30, 2025 7:39 pm

Option C makes sense here. With stream ciphers like RC4, reusing the same key means attackers can analyze only ciphertexts to find patterns due to how XOR works. Pretty sure this is the weakness they test for, but let me know if you disagree.

Layla F. Jan 7, 2026 8:26 pm

C vs B-if the attacker somehow gets even a tiny known plaintext, doesn't this open up B as well? But with just ciphertext repeated key streams, C seems correct.

Meera R. Jan 16, 2026 5:15 pm

C tbh

Priya X. Dec 31, 2025 3:28 am

C If you reuse the same key with a stream cipher like RC4, attackers just need ciphertexts to start spotting XOR patterns, so even without plaintext they can recover info. Seen this called out in a few practice sets.

Be respectful. No spam.

Correct Answer:

Explanation

When a stream cipher like RC4 is used twice with the same key, it becomes vulnerable to a

ciphertext-only attack. In this type of attack, the attacker has access to several ciphertexts that are

encrypted with the same key but does not know anything about the plaintexts. By analyzing these

ciphertexts, an attacker can gain insights into the plaintext or even recover parts or all of

it. Reference := Cisco Cybersecurity source documents or study guide (I need to search for specific

References

as I don’t have direct access to Cisco’s proprietary content)

Question 3

Q: 3

Which step in the incident response process researches an attacking host through logs in a SIEM?

Options

Discussion

Ava A. Dec 31, 2025 11:39 pm

Checking SIEM logs to investigate a host happens during detection and analysis. Option A matches what you'd do first after spotting suspicious activity. Saw similar on a practice test, pretty sure it's A.

Layla L. Jan 7, 2026 10:52 pm

A tbh. Containment is tempting but the actual log research in SIEM falls under detection and analysis step not D.

Be respectful. No spam.

Correct Answer:

Explanation

In the incident response process, detection and analysis involve researching an attacking host

through logs in a Security Information and Event Management (SIEM) system. This step helps in

identifying, validating, and managing potential security incidents. Reference := Cisco CyberOps

Associate - Module 3: Security Monitoring

Question 4

Q: 4

Which security monitoring data type requires the largest storage space?

Options

Discussion

FocusedAuditor2999 Jan 1, 2026 12:45 am

Option D makes sense because full packet capture stores every bit of network traffic, not just metadata or summaries. Compared to session or transaction data, this takes up way more disk space. I think that's what Cisco wants here, unless they've changed something recently. Open to correction if anyone has seen otherwise.

Olivia N. Jan 11, 2026 12:40 am

D imo, similar question popped up in my exam practice and full packet capture always eats storage the fastest.

Neha W. Jan 6, 2026 3:28 pm

Ugh, Cisco loves asking this. It's D, full packet capture needs huge storage compared to stats or sessions. Pretty sure that's what they're looking for here.

Ivy L. Jan 15, 2026 9:31 am

D tbh, full packet capture always takes up more space than the others.

Sean Q. Jan 13, 2026 3:44 am

Its D, full packet capture. Official guide and labs both hammer this point home.

Be respectful. No spam.

Correct Answer:

Explanation

Full packet capture data involves storing the entire content of packets that traverse a network. This

type of data is comprehensive and allows for detailed analysis but requires a significant amount of

storage space compared to other data types like transaction, statistical, or session

data. Reference := Cisco Cybersecurity Operations Fundamentals - Module 3: Network Data and

Event Analysis

Question 5

Q: 5

Which security technology allows only a set of pre-approved applications to run on a system?

Options

Discussion

CuriousMentor9093 Jan 10, 2026 5:40 am

C imo. Whitelisting only lets approved apps run, so this matches the question exactly. Anyone go with something else?

Jack U. Jan 15, 2026 11:42 pm

Probably C here. Application-level whitelisting only lets authorized applications run, blocking everything else automatically. It's more restrictive than blacklisting since it denies by default unless something is explicitly allowed. I remember this from the official guide and some labs. Pretty sure that's what they're asking for, but happy to hear if anyone disagrees.

Be respectful. No spam.

Correct Answer:

Explanation

Application-level whitelisting is a security technology that allows only a set of pre-approved

applications to run on a system, and blocks any other unauthorized or malicious programs. This can

prevent malware, ransomware, zero-day exploits, and other threats from compromising the system.

Application-level whitelisting is also known as application control or application

allowlisting. Reference := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

v1.0, Module 3: Host-Based Analysis, Lesson 3.2: Endpoint Security Technologies, Topic 3.2.3:

Application Whitelisting, page 3-20.

Question 6

Q: 6

What makes HTTPS traffic difficult to monitor?

Options

Discussion

Skyler I. Jan 2, 2026 6:43 am

Hmm, I'd go with A here. SSL interception actually makes it harder to monitor because it complicates the analysis process and can even break things if not set up correctly. Maybe I'm missing something but this seems right to me, unless others see it different.

Ajay C. Dec 31, 2025 4:38 pm

Its D, encryption is the main thing that makes HTTPS traffic so tough to inspect. Without breaking SSL/TLS, you can't really see inside the payload. Pretty sure that's what Cisco wants here. If someone disagrees let me know.

Piya Jan 10, 2026 2:23 pm

Be respectful. No spam.

Correct Answer:

Explanation

HTTPS uses SSL/TLS encryption to secure data transmission over the internet. This encryption makes

it difficult to monitor HTTPS traffic because the data packets are encrypted making them unreadable

to anyone trying to intercept or monitor the data without proper decryption keys. Reference := Cisco

CyberOps Associate

Question 7

Q: 7

Refer to the exhibit.

Which kind of attack method is depicted in this string?

Options

Discussion

Olivia J. Jan 8, 2026 9:00 pm

Saw something exactly like this in a practice exam, it's A.

Nina Jan 8, 2026 4:32 pm

Option C for me. That string looks like it's trying to send something to the backend, almost like it's manipulating a database if you mess with it. Maybe I'm off, but this feels more SQL injection than anything else.

Parker G. Dec 31, 2025 6:52 pm

Be respectful. No spam.

Correct Answer:

Explanation

The image shows a piece of code within a bordered rectangular area.

It is a string of HTML code that appears to be an example of an attack, specifically “<IMG

SRC=j%41vascript:alert(‘attack’)>”.

The code suggests an attempt to execute JavaScript within an image source attribute, indicative of a

cross-site scripting attack.

Question 8

Q: 8

Refer to the exhibit.

Refer to the exhibit. An engineer received a ticket to analyze unusual network traffic. What is occurring?

Options

Discussion

QuietEngineer7607 Jan 2, 2026 5:46 am

B tbh

Be respectful. No spam.

Correct Answer:

Explanation

Question 9

Q: 9

Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

Options

Discussion

Amelia C. Jan 1, 2026 5:59 pm

C for sure. Official Cisco guides and lab walkthroughs both point to data exfiltration showing up strong in these Stealthwatch questions.

Zoe M. Jan 5, 2026 3:19 am

I don’t think it’s D, it’s actually C. The Stealthwatch dashboard clearly lists two active data exfiltration alerts, which stands out more than just a policy violation. Trap is picking the host-specific violations, but exfil alert is the bigger risk.

Jason R. Jan 6, 2026 10:31 pm

Its C, saw a similar question show two active data exfiltration alerts in the dashboard. Pretty common on Stealthwatch reports.

Be respectful. No spam.

Correct Answer:

Explanation

The exhibit shows a Stealthwatch dashboard displaying information on alarming hosts, alarms by

type, and today’s alarms. On the left side under “Top Alarming Hosts,” there are five host IP

addresses listed with their respective categories indicating different types of alerts including ‘Data

Hoarding’ and ‘Exfiltration.’ In “Alarms by Type” section at center top part of image shows bar graphs

representing various alarm types including ‘Crypto Violation’ with their respective counts. On right

side under “Today’s Alarms,” there’s a table showing the details of each alarm such as the host IP, the

alarm type, the severity, and the time. The potential threat identified in this dashboard is that there

are two active data exfiltration alerts, one for host 10.201.3.149 and another for host 10.10.101.24.

Data exfiltration is the unauthorized transfer of data from a compromised system to an external

destination, such as a command and control server or a malicious actor. This can result in data loss,

breach of confidentiality, and damage to the organization’s reputation and assets. Reference := Cisco

Cybersecurity Operations Fundamentals - Module 7: Network and Host Forensics

Question 10

Q: 10

Refer to the exhibit.

Which alert is identified from this packet capture?

Options

Discussion

Aisha T. Jan 15, 2026 5:50 pm

C or D but guessing C here. Packets show a bunch of password attempts, looks like brute-forcing to me. Not 100% though.

Be respectful. No spam.

Correct Answer:

Explanation

The screenshot shows multiple POP requests with the command PASS, which is typically used for

password entry. The rapid succession and variation of these requests suggest an attempt to guess the

password, characteristic of a brute-force attack. Remember, always verify with additional data or

context when possible, as packet captures can contain vast amounts of information and may require

thorough analysis for accurate interpretation.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE