Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/200-201/page_188_img_2.jpg Refer to the exhibit. An engineer received a ticket to analyze unusual network traffic. What is occurring?

regular network traffic; no suspicious activity

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/200-201/page_46_img_1.jpg What is the potential threat identified in this Stealthwatch dashboard?

There are two active data exfiltration alerts.

A policy violation is active for host 10.10.101.24.

A host on the network is sending a DDoS attack to another inside host.

There are two active data exfiltration alerts.

A policy violation is active for host 10.201.3.149.

View CBROPS 200-201 Exam Questions

Q: 1

What is the difference between the ACK flag and the RST flag in the NetFlow log session?

Options

Discussion

Skyler P. Feb 28, 2026 11:59 am

Option D

Ben M. Feb 24, 2026 7:33 pm

Seen similar questions in Cisco official guides. D is correct here, since ACK acknowledges receipt and RST does abrupt termination. Labs or mock exams show this pattern a lot, pretty sure that's the distinction.

Nathan T. Feb 13, 2026 7:56 am

Aaron Q. Feb 20, 2026 6:36 am

Olivia D. Feb 24, 2026 8:54 pm

C is off here, D is correct since ACK just confirms packet receipt and RST means the connection gets cut immediately. Easy to mix those up, but pretty sure D matches TCP basics. Agree?

Mason N. Feb 15, 2026 5:25 am

C/D? I get why D makes sense but could see C tripping people up on the actual test.

Piya Feb 22, 2026 11:12 pm

Its D here. ACK is for confirming receipt of segments, RST is used when the session needs to be killed off quickly. Pretty sure that's what NetFlow logs will show, open to corrections if I'm missing something.

Nina D. Feb 15, 2026 8:03 am

I think this is same as a common exam questions. on a practice test, I'd go with B here.

Leo N. Feb 19, 2026 1:53 am

Had something like this in a mock, D is the right one.

NoahG Feb 21, 2026 7:10 pm

Nah, it's not B here. D is right because RST means an abrupt end, whereas ACK just confirms receipt of data. B mixes up the order, common trap on exam practice. I think D fits the TCP flag behavior best.

Be respectful. No spam.

Q: 2

Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?

Options

Discussion

Jack S. Feb 14, 2026 1:23 am

C or A. I'm kind of split here, since if you reuse the keystream attackers could spot patterns in the ciphertexts (so C), but I've also seen arguments that forgery (A) is possible if you manipulate outputs. Still, stream cipher key reuse usually points to ciphertext-only attacks. Anyone disagree?

Nathan V. Feb 15, 2026 8:52 pm

Feels like C, since reusing a stream cipher key (like RC4) lets attackers analyze just ciphertexts to recover info about the plaintext. A is tempting but it's more about forging, not just ciphertext analysis. Pretty sure that's the classic weakness for key reuse. Open if anyone has a different take.

SeasonedOps9502 Feb 13, 2026 9:59 am

Its C

SteadySec3469 Feb 13, 2026 11:39 pm

Option C makes sense here. With stream ciphers like RC4, reusing the same key means attackers can analyze only ciphertexts to find patterns due to how XOR works. Pretty sure this is the weakness they test for, but let me know if you disagree.

Zoe A. Feb 22, 2026 2:18 pm

Its C, since attackers can XOR ciphertexts encrypted with the same RC4 key and start figuring out underlying plaintext without needing to see any actual plaintext. That's a textbook ciphertext-only attack scenario. Not 100 percent but that's what most practice exams point to for this type of question. If someone has a real-world counter, open to hear it.

Aisha V. Feb 22, 2026 12:04 am

This is one of those nitpicky cases, since if you reuse an RC4 key on different streams, attackers can perform a ciphertext-only attack by XORing the ciphertexts together. That leaks info about the underlying plaintexts even if they never see any actual plaintext. Option C fits best here, but if plaintexts were ever exposed, other attacks might come into play. Pretty sure C is what they're after.

Ivy S. Feb 17, 2026 10:22 pm

C , A is tricky but reusing RC4 keys mainly enables ciphertext-only attacks. Trap for those picking forgery.

SeasonedEngineer9138 Mar 1, 2026 9:12 am

A, I think. If the same RC4 key is reused, wouldn't that let you forge valid ciphertexts by manipulating the keystream? Not totally confident but that's my pick.

Mia F. Feb 17, 2026 10:54 pm

Nathan Q. Feb 24, 2026 10:44 pm

A is wrong, C. If you reuse a stream cipher key, attackers just need ciphertexts to break it-classic ciphertext-only vulnerability. Pretty sure this matches what I've seen in exam reports.

Be respectful. No spam.

Q: 3

Which step in the incident response process researches an attacking host through logs in a SIEM?

Options

Discussion

Ava A. Feb 15, 2026 3:39 am

Checking SIEM logs to investigate a host happens during detection and analysis. Option A matches what you'd do first after spotting suspicious activity. Saw similar on a practice test, pretty sure it's A.

Mason J. Feb 15, 2026 7:09 pm

Makes sense to pick A here, since checking the SIEM logs is all about detecting and analyzing the threat. You can't really contain until you've figured out what's happening. Pretty sure that's what Cisco wants, but feel free to jump in if you disagree.

Adam L. Feb 18, 2026 10:38 pm

A tbh, researching the logs in SIEM is part of figuring out what happened which falls under detection and analysis. Containment would come after you know enough to act. Pretty sure that's how Cisco breaks it down, but open if someone thinks different.

Olivia Mar 3, 2026 2:50 am

I don't think it's D. Investigating hosts in SIEM logs is classic detection and analysis (A), not containment, which comes after. Trap is thinking you'd go right to action just by reviewing logs-logs are for figuring out what's happening.

Zoe U. Feb 25, 2026 8:18 pm

Why not D here if the logs directly trigger containment actions? Is it always just analysis?

NoahB Feb 21, 2026 6:18 am

A , D is tempting but log research is classic detection and analysis not containment.

Zoe W. Feb 16, 2026 4:27 am

C or D but leaning toward D. I remember from some official practice that containment sometimes needs reviewing SIEM logs to limit the threat. Not 100% though, maybe check the guide if you have it.

Aisha Feb 23, 2026 2:21 pm

A or D... Cisco always flips the IR steps, but researching SIEM logs is classic detection and analysis (A) in their playbook. Never seen log research in containment. Anyone got official doc that says otherwise?

CarefulTester7904 Feb 21, 2026 7:18 pm

That's A for sure.

Emma C. Feb 16, 2026 10:18 am

A not D. Looking at SIEM logs matches detection and analysis, not containment. It's easy to mix those up but containment's when you actually act on the findings.

Be respectful. No spam.

Q: 4

Which security monitoring data type requires the largest storage space?

Options

Discussion

FocusedAuditor2999 Feb 15, 2026 4:44 am

Option D makes sense because full packet capture stores every bit of network traffic, not just metadata or summaries. Compared to session or transaction data, this takes up way more disk space. I think that's what Cisco wants here, unless they've changed something recently. Open to correction if anyone has seen otherwise.

Parker Q. Mar 2, 2026 10:42 am

Option D. saw a similar question in an old exam report and it was full packet capture for max storage every time.

DirectEngineer7304 Mar 2, 2026 4:55 pm

Nah, D. Full packet capture needs way more space since it keeps every bit of network traffic, not just metadata or summaries. Statistical data (B) can grow but it's always aggregated and way smaller than saving raw payloads. Seen similar exam practice stick with D for this one, unless there's some weird scope I missed.

CarefulCandidate8519 Feb 27, 2026 7:16 pm

A is wrong, D. Full packet capture fills up storage way faster than the other options.

Arjun G. Feb 21, 2026 8:39 pm

D , full packet capture takes the most storage by far compared to the rest.

Olivia N. Feb 25, 2026 4:40 am

D imo, similar question popped up in my exam practice and full packet capture always eats storage the fastest.

DirectNeteng1702 Feb 22, 2026 6:18 pm

Session data and transaction data are way lighter than full packet captures. D, not B. Saw this on a practice set and full packet capture always needed the most storage, since it's literally raw network traffic.

Jason K. Feb 27, 2026 6:45 pm

D imo. Full packet capture flips the answer since it stores all packet contents not just metadata or summaries.

Owen Feb 13, 2026 11:58 am

Its D, and you can double-check that in the official Cisco guide or by running some packet capture labs. Pretty sure every practice exam points to full packet capture using way more space than the rest. Disagree?

FriendlyEngineer6036 Feb 23, 2026 9:30 am

Full packet capture (D) eats up way more storage than the others. You're saving every single bit for all packets, not just summaries or metadata. Unless you're doing something weird with retention, D is the clear storage hog here. Pretty sure that's what Cisco aims for on this kind of question-someone correct me if I'm off.

Be respectful. No spam.

Q: 5

Which security technology allows only a set of pre-approved applications to run on a system?

Options

Discussion

Nora B. Feb 16, 2026 7:21 pm

Option C is the one here. Application-level whitelisting only lets pre-approved apps execute, while B (host-based IPS) generally catches known threats but doesn't default-deny by app name. I see why B trips people up, but it's not actually a whitelist. Makes sense?

Neha X. Feb 28, 2026 8:01 am

C’s the best fit. Only application-level whitelisting actually defaults to allowing just approved apps, while HIPS might block bad stuff but doesn’t always default-deny. Pretty sure that matches the question’s wording, unless I missed a trick.

Sara E. Feb 28, 2026 9:14 pm

Nah, I don’t think it’s B. C fits because whitelisting lets only approved apps run, so nothing else starts by default. Blacklisting is the trap answer since it just blocks specific bad apps instead of allowing only the safe ones. Anyone see a reason to pick B?

Luna S. Feb 14, 2026 8:51 am

C vs B-have seen similar questions in practice where some argue host-based IPS can restrict apps, but only C (application-level whitelisting) strictly allows execution of pre-approved software. B can block bad behavior but isn't always default-deny. Pretty sure C is what they want unless they're focusing on device rules, not just app list control. Someone disagree?

Grace I. Feb 22, 2026 1:57 pm

Cisco makes this sound complicated just to test whitelisting basics, C imo

Ishaan E. Feb 19, 2026 10:01 pm

C tbh. Blacklisting (A) lets most things run unless specifically blocked, so it's a trap here. Whitelisting is the one that only allows what you specify. Pretty sure that's what the question wants.

Arjun Z. Feb 28, 2026 5:41 pm

Honestly, Cisco loves their buzzwords but this one's straight up C

Mia C. Feb 28, 2026 5:32 am

Remember seeing a similar scenario from labs, pretty sure it's C. Only application-level whitelisting blocks anything not pre-approved. B monitors for bad behavior, but doesn't default deny every app. Anyone disagree?

Sam K. Feb 17, 2026 2:14 am

C here.

Jack C. Feb 18, 2026 5:55 am

Yeah, C here. Only application-level whitelisting strictly enforces approved apps only. B could block stuff too but not by default.

Be respectful. No spam.

Q: 6

What makes HTTPS traffic difficult to monitor?

Options

Discussion

Avery Feb 26, 2026 6:20 pm

Option D

Jamie I. Feb 13, 2026 1:07 pm

I don't think it's A, since SSL interception is actually used to help monitor HTTPS traffic, not make it harder. The real issue is D, encryption, which scrambles the data and keeps packet inspection from working out of the box. Some folks trip up here because A looks tempting but it's really D. Pretty confident unless there's a weird trick.

Cameron I. Feb 13, 2026 1:35 am

Encryption (D) is what actually prevents easy inspection, since it scrambles payload data so you can't just capture and read it. Stuff like SSL interception (A) is a workaround, not the blocker. I think D is right for what the question asks, but open if anyone sees it differently.

EmmaR Feb 14, 2026 5:08 am

D , A is actually a method to bypass that difficulty not cause it.

Sara Feb 28, 2026 2:02 am

Nah, not A since SSL interception actually helps monitor. D is correct, encryption hides the data and makes monitoring tough.

Nina C. Feb 15, 2026 3:00 pm

B , packet header size seems like a common trap for this kind of question.

CuriousReviewer3547 Mar 3, 2026 12:07 pm

Had something like this in a mock, D fits best. The encryption in HTTPS is what blocks you from seeing the actual content of packets unless you do SSL decryption. Not 100% but that's how I remember it.

Hannah J. Feb 28, 2026 12:59 am

Maybe D. Encountered almost the same question in practice, and it's always encryption that blocks inspection of HTTPS payload. SSL interception (A) is actually used to get around that problem. Not 100% if there’s a trick but pretty sure D.

Aisha Mar 1, 2026 7:38 pm

D gets my pick here. Encryption is what actually hides the content in HTTPS sessions, making packet inspection a pain. SSL interception (A) is more of a monitoring workaround than an obstacle. Pretty sure D’s right but let me know if you see it differently.

CaseyB Feb 26, 2026 8:08 am

D , since encryption is the reason we can't just inspect HTTPS payloads. SSL interception (A) actually helps break that barrier, not create it. That's how Cisco explains it too. Correct me if I'm missing something.

Be respectful. No spam.

Q: 7

Refer to the exhibit.

Which kind of attack method is depicted in this string?

Options

Discussion

Layla O. Feb 13, 2026 10:05 pm

Option A since official study materials and practice exams both flag javascript: in IMG tags as cross-site scripting.

Luke A. Feb 16, 2026 1:35 pm

Not B, A. The string uses an <IMG SRC=javascript:...> tag, which is textbook cross-site scripting (XSS), not SQL injection or MITM. B is a bit of a trap here since the code looks odd at first glance, but it's about browser code execution, not interception or DB queries. Pretty sure A is right, open to more input if I missed something.

Ravi S. Feb 18, 2026 9:02 pm

Seen this style before in some exam reports, went with A.

Aisha U. Feb 27, 2026 11:59 pm

C/A? Saw similar on exam report, went with A since it's classic XSS pattern.

Arjun Feb 23, 2026 10:27 pm

Always get tripped up on these, C or A

Amelia U. Mar 2, 2026 8:54 am

Not sure how anyone gets B or D here, that image string is textbook XSS not SQL injection.

Ava U. Mar 1, 2026 12:15 am

Maya P. Mar 2, 2026 9:26 am

A is right here. Official exam guide and practice tests both emphasize XSS when you see a javascript: in tags. Let me know if someone saw a different pattern, but pretty sure it’s A.

Adam Feb 24, 2026 10:33 pm

Jordan O. Mar 1, 2026 5:36 am

Nah, I don’t think it’s C. That string looks like classic cross-site scripting (so A) since nothing SQL related shows up.

Be respectful. No spam.

Q: 8

Refer to the exhibit.

Refer to the exhibit. An engineer received a ticket to analyze unusual network traffic. What is occurring?

Options

Discussion

Drew Mar 2, 2026 2:05 pm

I don't think it's B, since data exfiltration usually doesn't cause such a big traffic spike. A.

Nathan B. Feb 14, 2026 5:08 am

I think A, since that's what most official practice tests lean toward for traffic spike scenarios. Wouldn't hurt to double check with Cisco's official guide or lab sim if you're unsure though.

Morgan C. Feb 20, 2026 9:11 am

Its A, the traffic spike is classic denial-of-service pattern. Data exfiltration would look different. Pretty sure, but exhibit could always mislead.

Parker O. Feb 26, 2026 5:01 pm

B . That spike can easily be large data exfiltration, not just a DoS trap. I think A is too obvious.

Nora K. Feb 24, 2026 11:50 am

Option B. I think data exfiltration fits since unusual network traffic could be a sign of sensitive data being sent out, especially if direction isn’t clear on the exhibit. Not entirely sure though, A might just be a trap choice here. Anyone see it differently?

Layla Feb 20, 2026 2:10 am

Makes sense to choose A here. The big traffic spike looks a lot more like typical denial-of-service than exfiltration.

Luna M. Mar 4, 2026 6:21 am

Seriously Cisco makes these exhibits way too vague sometimes, but A

Chloe X. Feb 28, 2026 4:08 am

I don’t think B fits here, since data exfiltration usually shows smaller, sustained outbound flows. The traffic spike in the exhibit looks more like a flood, classic for a denial-of-service attack (A). Regular traffic (C) is a trap option. Open to other thoughts if I missed something on the graph.

Sofia Feb 18, 2026 10:55 pm

A is the one here. Big traffic spike like that usually means denial-of-service, not exfiltration, since exfil tends to be quieter or sustained over time. Regular traffic wouldn't cause a sudden surge. Not 100% without seeing more details in the exhibit, but A makes sense for the exam.

Ivy R. Mar 4, 2026 8:17 am

C/D? If they showed more on direction, I'd be more sure, but C doesn't fit with that big spike either.

Be respectful. No spam.

Q: 9

Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

Options

Q: 10

Refer to the exhibit.

Which alert is identified from this packet capture?

Options

Discussion

Neha I. Feb 13, 2026 12:17 am

C tbh, those repeated PASS commands scream brute-force attack.

Jordan Mar 3, 2026 8:52 am

C. not B. ARP poisoning is a common trap here, but the PASS commands signal brute-force for sure.

Sean H. Feb 14, 2026 6:39 pm

B , I get why everyone says C for the brute-force since there are PASS commands, but with ARP in the options and a packet capture, ARP poisoning sometimes looks similar at first glance if you spot weird address changes. Maybe a bit of a trap if you're not careful. Someone confirm if I'm off, but that's my pick here.

Nora V. Mar 1, 2026 12:06 am

Saw this exact scenario in my exam last year, it's C

Riley Z. Feb 22, 2026 12:00 am

Its C. Saw a really similar scenario in my practice questions-multiple PASS commands in POP3 packets usually point to brute-force attempts, not ARP stuff. Little unsure since ARP poisoning is a classic distractor, but pretty sure about brute-force here. Somebody correct me if you read it differently.

Quinn Q. Feb 22, 2026 8:19 pm

B or maybe A. The presence of ARP in the options makes B tempting, especially in a packet capture context. Feels like a possible trap for those focused on higher layers. I think B makes more sense if you're watching for L2 issues.

Noah R. Feb 20, 2026 11:57 am

Sean Feb 25, 2026 9:48 am

Its C, brute-force attack. Seeing all those PASS commands in a row is classic brute-force behavior with POP3. Not really ARP or MITM from the info shown, at least as I read packet captures like this. Pretty sure on C but let me know if I missed something.

Grace Feb 28, 2026 5:30 pm

C seen this a lot in practice dumps, brute-force is the alert flagged with those PASS attempts.

Morgan Mar 2, 2026 5:37 am

C not B. ARP poisoning looks tempting if you're focused on layer 2 stuff in the pcap, but all those PASS commands showing up points way more to brute-force. Seen similar exam questions, pattern matches C best here.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE