View 350-201 Exam Questions

Q: 1

A company’s web server availability was breached by a DDoS attack and was offline for 3 hours because it was not deemed a critical asset in the incident response playbook. Leadership has requested a risk assessment of the asset. An analyst conducted the risk assessment using the threat sources, events, and vulnerabilities. Which additional element is needed to calculate the risk?

Options

Q: 2

What is needed to assess risk mitigation effectiveness in an organization?

Options

Discussion

Ajay I. Mar 13, 2026 10:43 am

Option C makes sense because just following standards or tracking KPIs doesn't directly tell you if controls are actually reducing risk cost-effectively. For risk mitigation, the effectiveness of controls vs their expense is what matters. I've seen similar questions in practice tests, and they focus on actual control outcomes not just inventory or compliance numbers. Pretty sure C is right here, unless I'm missing something.

Parker U. Mar 19, 2026 4:17 pm

D tbh, because an updated list of vulnerable systems (D) helps you spot ongoing exposure and new risks. C looks tempting but feels more like a cost review step than actual effectiveness monitoring. Not 100% sure, anyone see it differently?

Alex Q. Feb 28, 2026 8:38 pm

C , D is tempting but just knowing vulnerabilities doesn't show if controls actually mitigate risk. Anyone disagree?

Karan G. Mar 4, 2026 1:46 am

I think C, had something like this in a mock exam and C was the best match there too.

SkylerU Mar 2, 2026 1:04 am

Don't think it's C. D fits if you're talking about keeping track of what systems are still at risk.

Meera Mar 19, 2026 1:38 am

Anyone else think option B could apply if the focus is on regulatory requirements, not just risk reduction?

Luna H. Mar 2, 2026 11:30 am

C, seen this on other practice exams too. D is a trap since just listing assets doesn't measure if controls actually work.

SkepticalOps8158 Mar 18, 2026 7:46 pm

Pretty sure it should be C. To see if risk mitigation is really working, you have to look at whether the controls are actually cost-effective and reducing risk, not just if systems are documented (D is more about asset inventory). Seen similar questions in practice material. Anyone see an argument for B here?

Leo Feb 28, 2026 3:59 pm

Not sure D fits, since effectiveness means checking if controls actually make a difference. C is what Cisco pushes here.

Be respectful. No spam.

Q: 3

The physical security department received a report that an unauthorized person followed an authorized individual to enter a secured premise. The incident was documented and given to a security specialist to analyze. Which step should be taken at this stage?

Options

Discussion

SanjayT Mar 19, 2026 4:10 pm

D . The specialist needs to map the attacker's route before figuring out assets touched or changing controls. That's standard investigation flow. Pretty sure that's what they're looking for here, but could see how B might confuse some folks.

Ravi H. Mar 3, 2026 8:39 pm

D . Specialist needs to trace the intruder's movement before jumping to controls or asset inventory. B is tempting but you can't ID handled assets until you know where they went, right? Open to disagreement though.

FriendlyArchitect3009 Mar 16, 2026 4:56 am

Why not B here? Seen something similar in exam reports but wasn't 100% on D over B.

Morgan N. Mar 8, 2026 5:46 pm

Makes sense to focus on tracking movement in this context. D

Vikram O. Mar 17, 2026 8:11 pm

Don't think it's A or B since those are more about asset identification, not tracking intrusion. C is a control change, which is done after analysis. I'd definitely choose D here, as the first thing for a security specialist is tracing the attacker's movement to see what areas or systems could be impacted. Pretty standard IR process, but correct me if I'm missing something.

Maya S. Mar 16, 2026 1:36 am

A is wrong, D. First step for the specialist is tracing where the unauthorized person moved inside, not listing assets yet.

Arjun O. Mar 17, 2026 3:07 am

Its D. You want to figure out where the unauthorized person went inside, track their movement first. That way you can assess risk and any potential exposure. Pretty sure that's the right IR step here.

Be respectful. No spam.

Q: 4

What is the purpose of hardening systems?

Options

Q: 5

Refer to the exhibit.

An engineer received multiple reports from employees unable to log into systems with the error: The Group Policy Client service failed to logon – Access is denied. Through further analysis, the engineer discovered several unexpected modifications to system settings. Which type of breach is occurring?

Options

Discussion

TaylorW Mar 17, 2026 6:56 am

C. not D. The login failure alone looks like denial-of-service, but those unexpected system setting changes are classic signs of a privilege escalation attempt. This kind of scenario pops up on practice tests a lot. Anyone else think D is a red herring here?

Karan O. Mar 9, 2026 3:58 pm

Option C classic privilege escalation scenario. Really clear question, similar to ones I’ve seen in other practice sets.

Luna N. Mar 12, 2026 8:57 pm

C . If the question just mentioned login issues without the settings changes, I'd say D, but that twist about unexpected modifications usually means someone got elevated rights. Similar questions on some practice sets flip between those two, so it really depends on how much emphasis you put on the system config part.

Olivia Z. Mar 16, 2026 6:09 am

D . Users can't log in, which looks like a denial-of-service to me. The setting changes throw me off a bit, but if no rights were actually escalated, DoS fits the symptoms here. Could be missing something though, open to pushback.

Aisha I. Mar 1, 2026 3:07 pm

Its C. D is tricky but system setting changes usually mean someone got more rights, not just blocking users from logging in. Saw a similar question on practice, pretty sure it's C.

Alex O. Mar 1, 2026 11:32 am

C , the changes to system settings are a giveaway for privilege escalation. D looks tempting because of the login error, but those setting modifications are classic escalation signs from similar exam questions.

Parker L. Mar 19, 2026 10:48 am

D is what I'd pick, since users are actually being denied login access. System modifications could support privilege escalation, but the immediate impact feels like a denial-of-service. Not 100 percent sure though-open to other views.

Zoe F. Mar 14, 2026 2:24 am

Pretty sure it's C. Privilege escalation fits because of the system setting changes, that's a key sign from similar practice exams. You see DoS errors, but with those mods it's usually more than just denial-of-service. Disagree?

Reese Mar 4, 2026 9:33 am

C , those unexpected system setting changes point to someone gaining extra rights they shouldn't have (priv escalation). Denial-of-service is more about just blocking users, but this looks like access abuse. Open to other takes!

FocusedAuditor2168 Mar 11, 2026 4:24 pm

Be respectful. No spam.

Q: 6

An engineer is investigating several cases of increased incoming spam emails and suspicious emails from the HR and service departments. While checking the event sources, the website monitoring tool showed several web scraping alerts overnight. Which type of compromise is indicated?

Options

Q: 7

Refer to the exhibit.

An engineer is analyzing this Vlan0386-int12-117.pcap file in Wireshark after detecting a suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a google chrome extension on a WebSocket protocol. The engineer checked message payloads to determine what information was being sent off-site but the payloads are obfuscated and unreadable. What does this STIX indicate?

Options

Discussion

Reese Mar 5, 2026 9:47 pm

C. not D. Malware is tempting but the clue is about obfuscated payloads that aren’t UTF-8, which can mean data leak via odd encoding. Similar exam questions tend to push toward C here.

Jack W. Mar 13, 2026 5:34 am

C tbh. I remember similar scenarios mentioned in the official guide and practice tests where if payloads are obfuscated instead of readable UTF-8, it's a classic sign of data leakage, not confirmed malware. WebSockets by themselves aren't enough to call out malware activity unless you have more context. Pretty sure C is what they're after here but open to other ideas.

ThoughtfulAuditor9968 Mar 14, 2026 1:38 am

D , seen similar on some practice labs and official study guide questions where unreadable WebSocket payloads hinted at malware traffic.

Karan Mar 3, 2026 4:21 pm

Option C looks most likely to me. Payloads that aren't readable UTF-8 and appear obfuscated suggest possible data exfil, not just normal extension behavior. Not 100% sure, could be some rare legit case but that's my read.

Piya Mar 15, 2026 3:50 am

Option C makes more sense here. The question just says the payloads are obfuscated, not that there’s confirmed malware or C2 activity-just a potential data leak. Not 100% though, could see why people pick D.

Maya Y. Mar 17, 2026 9:46 pm

D , unreadable payloads over WebSockets from a browser extension screams C2 comms and malware trap option.

Mia Mar 9, 2026 6:56 am

D imo. If the payloads are unreadable and using WebSockets directly from a Chrome extension, that feels like malware C2 comms to me. C could be right, but exam questions often use D when encrypted exfil is clear. Anyone see it differently?

Ajay P. Mar 18, 2026 8:49 pm

Its C here. D's a classic trap, but STIX often points to data leak if the encoding isn't UTF-8-seen something similar on other exam reports. Open if anyone thinks different.

PracticalNeteng2471 Mar 4, 2026 12:12 pm

D doesn’t fit, C . Official guides and Wireshark labs both mention encoded payloads as red flags for exfil.

Alex D. Mar 2, 2026 10:22 am

I think D. If the payloads are obfuscated and using non-standard encoding over WebSockets, could be malware talking to C2. I know C is possible but encrypted channels are classic for exfil. Not totally sure though, open to other ideas.

Be respectful. No spam.

Q: 8

What do 2xx HTTP response codes indicate for REST APIs?

Options

Discussion

ReeseW Mar 20, 2026 3:36 am

Hard to say, C. 2xx responses handle protocol-level info, like 201 for resource created or 204 for no content. Not totally sure though, maybe I'm missing something simple here.

Piya Y. Mar 4, 2026 11:54 pm

D imo, had something like this in a mock and it was successful request for REST APIs.

Riley H. Mar 16, 2026 2:52 pm

Yeah, D tbh. 2xx status codes show success for HTTP requests, so with REST APIs it means the operation worked as expected. Haven't seen any real exceptions to this. Let me know if there's a catch I'm missing.

Emma C. Mar 3, 2026 6:46 am

I kind of see why C might seem right since HTTP status codes are part of the protocol, but for REST APIs, 2xx usually signals the request was handled successfully. Not totally convinced though-depends how strict they want to be with wording here. Agree?

Taylor Mar 12, 2026 8:17 am

Option D that's what the official Cisco study guide and REST API docs both say. Check practice exams for similar questions.

RaviI Mar 19, 2026 6:29 am

D tbh, 2xx always means a successful request was received and processed. That’s how REST APIs signal things went fine, no extra steps needed from the client. Only caveat is if async or batch, but not mentioned here.

Rowan Mar 7, 2026 3:18 am

D official guide and API docs say 2xx is success. Anyone else got a different resource?

Chris N. Mar 6, 2026 10:14 pm

D imo, 2xx HTTP codes always mean the client’s request was successful. Seen this in API docs a lot, so pretty confident here.

Be respectful. No spam.

Q: 9

An engineer returned to work and realized that payments that were received over the weekend were sent to the wrong recipient. The engineer discovered that the SaaS tool that processes these payments was down over the weekend. Which step should the engineer take first?

Options

Discussion

Nina Mar 3, 2026 12:59 am

If payments were intentionally tampered with, B might be first since that's a confirmed incident. Otherwise A.

Karan T. Mar 9, 2026 7:55 am

Definitely start with A here. Need to confirm what happened with the SaaS tool before moving forward, since not every issue is a security breach. Pretty sure that's the safest first move, at least from other exam threads I've read.

Ravi K. Mar 18, 2026 11:14 pm

D imo makes sense if the focus was on fixing payments quickly, but since it's asking what to do first, A fits better because you need to figure out what happened before jumping to manual fixes. Is there a specific company policy that prioritizes incident escalation over initial investigation?

DirectTester1186 Feb 28, 2026 9:17 pm

Shouldn't we clarify exactly what caused the payment misdirection before alerting IR? If the SaaS tool was down and it's not confirmed as a breach, jumping straight to B seems premature. Anyone else think gathering info from the SaaS team (A) makes more sense as a first step?

QuietDev705 Mar 13, 2026 7:12 am

A is right here, not B. You need to get info from the SaaS team before escalating this as a breach.

Aaron Mar 12, 2026 4:05 am

B is wrong, A. You'd want to gather info from the SaaS tool team before escalating anything as a breach. Need details first to see if it's actually a security issue. Pretty sure that's how you'd handle it in real life, right?

NoraY Mar 1, 2026 3:55 pm

B not A

Chloe I. Mar 16, 2026 7:33 pm

Maybe A, but what if the SaaS logs are incomplete or payments show tampering? Feels like in rare edge cases B could apply.

Robin Mar 15, 2026 6:23 pm

Shouldn't we check with the SaaS tool team first to figure out what went wrong before escalating? Jumping to B seems like an easy trap here, since you don’t know the scope or if it’s a breach yet.

Sanjay Mar 9, 2026 6:47 am

I don't think it's B, since jumping straight to incident response might be a trap here. A is better because you need facts first before escalating. Saw similar logic in other exam threads. A.

Be respectful. No spam.

Q: 10

The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis. What is the next step in the malware analysis process?

Options

Discussion

Sam X. Mar 6, 2026 6:17 am

B tbh makes sense, since after behavioral analysis you'd typically want to unpack the specimen and dig into memory forensics to see any code or artifacts loaded in RAM. You get more insight before moving on to code-level static or dynamic analysis (A). That's the standard progression from what I've seen in Cisco-style guides. Pretty sure B is right, but open to comments if I missed something.

Skyler O. Mar 9, 2026 11:21 am

I think B since unpacking and memory forensics usually come right after initial behavioral analysis. You want to get a clean look at the sample and see what's in memory before diving into static analysis or cleanup. Seen this order in some Cisco practice sets, but open to corrections.

SteadyMentor8234 Mar 13, 2026 2:20 pm

Option B fits Cisco's expected steps. Unpacking and memory forensics come right after behavioral analysis so you can get at artifacts that static/dynamic don’t catch up front. I think that's what they're aiming for here.

Alex A. Mar 3, 2026 12:13 pm

Its B here. After behavioral analysis in a sandbox, unpacking and memory forensics is next to dig deeper into what the malware is doing in memory. Pretty sure that's the Cisco workflow for this stuff, agree?

Sofia M. Mar 10, 2026 1:31 am

I see what you mean, but it's still B. Unpacking and memory forensics usually follow lab behavioral analysis in malware workflows.

Chloe J. Mar 10, 2026 8:40 am

Its B since unpacking and memory forensics follow up right after sandboxing in most analysis flows. Static or dynamic code review (A) usually comes after unpacking. Could be tripped up if you forget the order, but B fits Cisco's style.

Noah Mar 17, 2026 7:56 am

Why wouldn’t unpacking and memory forensics (B) come before code analysis here? Analyzing packed or obfuscated malware statically (A) seems premature unless the specimen’s already been fully extracted. Seen Cisco stress this order in exam reports. Anyone see it asked another way?

Morgan T. Mar 5, 2026 7:10 am

Not another step-order trap, Cisco. B, since you need to unpack and grab memory artifacts before going deep with static or dynamic analysis. Seen similar on other Cisco practice tests, but happy to hear if anyone's seen it go differently.

Amelia Mar 2, 2026 3:37 am

B (A seems tempting but static analysis usually comes after unpacking and memory forensics).

Liam P. Mar 14, 2026 6:21 am

B, not A. Unpack and memory forensics fits after behavioral stuff from what I remember.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE