View CBROPS 200-201 Exam Questions

Filter by Domain

View Mode

Question 11

Q: 11

What ate two categories of DDoS attacks? (Choose two.)

Options

Discussion

Jordan K. Feb 27, 2026 5:41 pm

D or E. I remember "reflected" and "direct" from my studies, but scanning sounds almost right for attacks in general. Not totally sure since some practice questions mention scanning too.

Ajay Q. Feb 15, 2026 12:10 am

Option B but D also makes sense. Anyone else pick B for scanning?

Jason W. Feb 24, 2026 8:24 pm

Its D and E, kinda confused but think that's what my notes say. Can someone confirm?

Be respectful. No spam.

Correct Answer:

D, E

Explanation

DDoS attacks are divided into two categories: reflected and direct. Reflected attacks use a third-party

system to amplify the attack traffic and send it to the target. For example, an attacker can send a

spoofed request to a DNS server, which will reply with a large amount of data to the target’s IP

address. Direct attacks send the attack traffic directly from the attacker’s system or a botnet to the

target. For example, an attacker can send a large number of SYN packets to the target’s port,

exhausting its resources. Reference := Cisco Cybersecurity Operations Fundamentals, Module 1:

Security Concepts, Lesson 1.3: Common Network Application Operations and Attacks, Topic 1.3.4:

Denial-of-Service Attacks

Question 12

Q: 12

An automotive company provides new types of engines and special brakes for rally sports cars. The company has a database of inventions and patents for their engines and technical information Customers can access the database through the company's website after they register and identify themselves. Which type of protected data is accessed by customers?

Options

Discussion

Cameron D. Mar 2, 2026 7:48 am

Option A

Liam Q. Mar 2, 2026 8:30 am

Yeah, it's A here since patents and inventions are classic intellectual property. None of the other options really fit that context. Pretty confident about this, but let me know if you see it differently.

Alex Mar 1, 2026 2:43 am

Not totally sure but pretty sure it's A. Anyone else think so?

Be respectful. No spam.

Correct Answer:

Explanation

IP data stands for Intellectual Property data, which is any data that represents the creations of the

mind, such as inventions, patents, designs, or artistic works. IP data is protected by law and has

commercial value for its owners. In this case, the automotive company has a database of IP data for

their engines and technical information, which customers can access after they register and identify

themselves. Reference := Cisco Cybersecurity Operations Fundamentals, Module 1: Security

Concepts, Lesson 1.2: Data Protection, Topic 1.2.1: Data Types

Question 13

Q: 13

How is attacking a vulnerability categorized?

Options

Discussion

Ethan Feb 15, 2026 11:09 pm

Option C makes sense since exploitation is literally when the attacker takes advantage of a vulnerability. The other phases are about delivery, persistence or objectives, not the actual attack step. I think that's spot on but I'm open if anyone disagrees.

Owen C. Feb 19, 2026 8:07 pm

C here since exploitation is when someone actually attacks a weakness. Delivery and installation are different steps, not about hitting the vuln directly. Pretty confident but willing to hear counterpoints.

Ishaan M. Mar 1, 2026 3:00 am

Pretty sure C here since exploitation is all about using vulnerabilities. The other phases come before or after this step in the attack lifecycle. Makes sense with what I've seen on Cisco practice too, but open to other takes.

Logan Q. Feb 17, 2026 12:30 am

B not A. Exploitation (C) is when attackers actually use a vuln, saw something similar in exam reports.

Reese C. Feb 13, 2026 1:46 pm

C matches the exploitation phase. No doubt on this one.

Parker Mar 3, 2026 5:43 am

C That's the exploitation phase in the attack lifecycle. Pretty sure that's what Cisco expects here.

Be respectful. No spam.

Correct Answer:

Explanation

Attacking a vulnerability is categorized as exploitation, which is the third phase of the cyberattack

lifecycle. Exploitation is the process of taking advantage of a vulnerability in a system, application, or

network to gain access, escalate privileges, or execute commands. Action on objectives, delivery, and

installation are other phases of the cyberattack lifecycle, but they do not involve attacking a

vulnerability. Action on objectives is the final phase, where the attacker achieves their goal, such as

stealing data, disrupting services, or destroying assets. Delivery is the second phase, where the

attacker delivers the malicious payload, such as malware, phishing email, or malicious link, to the

target. Installation is the fourth phase, where the attacker installs the malicious payload on the

compromised system or network to maintain persistence or spread laterally. Reference: What is a

Cyberattack? | IBM, Recognizing the seven stages of a cyber-attack - DNV

Question 14

Q: 14

Which attack method intercepts traffic on a switched network?

Options

Discussion

Luna A. Feb 24, 2026 4:51 pm

Probably B. ARP cache poisoning lets an attacker reroute or sniff packets on a switched network by tricking the switch’s ARP tables. Other options don’t really intercept traffic at layer 2 like this. Pretty sure that’s what they’re asking, but open to other takes.

MiaB Feb 28, 2026 8:49 pm

Its C, seen something like this in some practice tests and think official guide touches on it too.

Riley Mar 4, 2026 12:36 am

Is this covered in the official cert guide or better shown in labs? I've seen similar questions in practice exams lately.

Ryan P. Feb 13, 2026 9:13 am

Nah, not C. Pretty sure it's B since DHCP snooping is more a defense, ARP poisoning is the traffic interceptor.

FocusedNeteng4631 Mar 2, 2026 1:32 am

B tbh

Ravi Feb 27, 2026 7:54 am

C I've seen a similar question in exam reports.

Be respectful. No spam.

Correct Answer:

Explanation

ARP cache poisoning is a type of attack that intercepts traffic on a switched network by sending

spoofed ARP messages to associate the attacker’s MAC address with the IP address of a legitimate

host or gateway. This way, the attacker can redirect the traffic intended for the legitimate host or

gateway to his own device and perform a man-in-the-middle attack. Reference := Cisco Cybersecurity

Operations Fundamentals

Question 15

Q: 15

According to CVSS, what is a description of the attack vector score?

Options

Discussion

Riley P. Feb 20, 2026 10:11 am

Option C fits what I've seen in the official guide. Attack vector in CVSS gives a higher score if the exploit can be done remotely, making it more severe. If you want more examples, check labs or practice questions.

Mason E. Feb 28, 2026 3:10 pm

Call it D, had something like this in a mock and D seemed right there.

Parker E. Feb 19, 2026 12:54 am

So tired of CVSS wording tricks, but C tbh

Noah U. Feb 23, 2026 9:44 pm

Why is D tempting here? Isn't the attacker's distance already covered under the "remote" criteria CVSS uses for attack vector?

Taylor A. Feb 17, 2026 2:06 am

CVSS makes the attack vector score higher when a vulnerability can be exploited remotely. So C fits with what I remember from similar exam questions, but if I'm off let me know.

Luna N. Feb 27, 2026 7:07 pm

C tbh. D trips up a lot of folks, but CVSS scores do spike for remote attacks, not just physical proximity.

Be respectful. No spam.

Correct Answer:

Explanation

The attack vector score in the Common Vulnerability Scoring System (CVSS) reflects how a

vulnerability can be exploited. A higher score is given when the attack can be conducted remotely,

making it easier for an attacker to exploit the vulnerability without physical access to the vulnerable

component3. Reference: The CVSS specification document provides a detailed explanation of how

the attack vector score is determined, emphasizing the impact of the ease of exploitation on the

score

Question 16

Q: 16

What is data encapsulation?

Options

Discussion

Riley R. Feb 27, 2026 7:23 am

B , this is basic from the official guide and also in Cisco's exam practice.

Mia Feb 24, 2026 11:57 pm

C tbh

Anita M. Mar 4, 2026 3:46 am

D imo, unless the keyword is specifically about OSI or protocol headers, then B could be right.

Be respectful. No spam.

Correct Answer:

Explanation

Data encapsulation is a process in networking where the protocol stack of the sending host adds

headers (and sometimes trailers) to the data.

Each layer of the OSI or TCP/IP model adds its own header to the data as it passes down the layers,

preparing it for transmission over the network.

For example, in the TCP/IP model, data starts at the application layer and is encapsulated at each

subsequent layer (Transport, Internet, and Network Access) before being transmitted.

This encapsulation ensures that the data is correctly formatted and routed to its destination, where

the headers are stripped off in reverse order by the receiving host.

Reference

Networking Fundamentals by Cisco

OSI Model and Data Encapsulation Process

Understanding TCP/IP Encapsulation

Question 17

Q: 17

What is a benefit of agent-based protection when compared to agentless protection?

Options

Discussion

Sean T. Feb 16, 2026 11:19 am

C makes sense here. Agent-based runs locally so it can see all device traffic, pretty sure that’s the key point.

Sofia Q. Feb 23, 2026 9:19 am

C tbh, clear question and good focus on endpoint local detection advantage.

Be respectful. No spam.

Correct Answer:

Explanation

Agent-based protection is a type of endpoint security that uses software agents installed on the

devices to monitor and protect them. Agent-based protection can collect and detect all traffic locally,

which means it can operate without relying on a network connection or a centralized server. Agent-

based protection can also provide more granular and comprehensive visibility and control over the

devices. Reference: https://learningnetworkstore.cisco.com/on-demand-e-learning/understandingcisco-cybersecurity-operations-fundamentals-cbrops-v1.0/CSCU-LP-CBROPS-V1-028093.html

(Module 2: Security Concepts, Lesson 2.3: Endpoint Security)

Question 18

Q: 18

An engineer must configure network systems to detect command-and-control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology must be used to accomplish this task?

Options

Discussion

Neha H. Mar 5, 2026 7:01 am

C tbh. Digital certificates let devices decrypt and inspect SSL/TLS traffic for threats, which is what the question wants. Not totally confident, but that's usually how C2 detection works at the perimeter.

SaraV Feb 18, 2026 8:32 pm

Not B, C. Saw a similar question on a practice test and certificates are what let perimeter devices decrypt traffic for inspection.

PriyaY Feb 16, 2026 8:09 pm

Jordan H. Feb 27, 2026 8:43 pm

Had something like this in a mock before, it's C. Digital certificates are needed for decryption on perimeter devices so they can scan the traffic. Pretty straightforward if you're familiar with SSL/TLS inspection. Let me know if anyone picked differently.

Maya O. Feb 13, 2026 10:22 am

C

Official Cisco guides cover how digital certificates enable decryption for inspecting encrypted traffic. Practice labs are helpful to see how this lets network security devices catch command-and-control stuff. Pretty sure C is right, but open for discussion.

Be respectful. No spam.

Correct Answer:

Explanation

Digital certificates are essential for decrypting ingress and egress perimeter traffic, as they provide

the necessary encryption keys for secure communications. By using digital certificates, network

security devices can inspect the decrypted traffic to detect any malicious outbound communications

that may indicate command-and-control activity.

Question 19

Q: 19

What is the difference between a threat and a risk?

Options

Discussion

SteadyLead2853 Feb 23, 2026 9:14 pm

I don't think D is right, that's more about exposure. A matches what Cisco highlights as a threat definition in the docs.

Logan N. Mar 2, 2026 10:49 am

A or D? Saw a similar question in exam reports, pretty sure it's A.

Avery P. Mar 2, 2026 7:07 pm

It’s A here. Had something like this in a mock and they focus on threats being the potential danger that could exploit a vulnerability, not the actual exposure or impact (risk covers that). Cisco always splits these two definitions up on their blueprints. Pretty confident but open to other takes if anyone interprets it differently.

Be respectful. No spam.

Correct Answer:

Explanation

A threat represents a potential danger that could exploit a weakness in a system while risk is

associated with the potential impact or loss that could occur if a threat exploits a vulnerability in the

system. So, option A which states “Threat represents a potential danger that could take advantage of

a weakness in a system” is correct. Reference := Cisco Certified CyberOps Associate Overview

Question 20

Q: 20

Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?

Options

Discussion

Mason Z. Feb 28, 2026 5:32 pm

D imo, since eavesdropping between endpoints fits man-in-the-middle. Anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

A man-in-the-middle attack occurs when a third party intercepts and potentially alters the

communication between two parties (in this case, two IP phones) without them knowing. This type

of attack can lead to eavesdropping, where the attacker can gain unauthorized access to sensitive

data being communicated between the two parties. Reference := Cisco Cybersecurity Operations

Fundamentals - Module 5: Endpoint Threat Analysis and Computer Forensics

Question 11 of 20 · Page 2 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE