View NSK200 Exam Questions

Q: 11

You use Netskope to provide a default Malware Scan profile for use with your malware policies. Also, you want to create a custom malware detection profile. In this scenario, what are two additional requirements to complete this task? (Choose two.)

Options

Discussion

Sanjay S. Feb 19, 2026 7:55 am

Not sure why C isn't right here. Option B and C.

Ivy N. Mar 1, 2026 12:45 am

D imo, but is the focus on 'default' or 'custom' profile requirements? That would totally change which two I pick.

Alex T. Feb 16, 2026 12:50 am

Option B and C. The question asks for additional requirements, so remediation or quarantine profiles sound needed when customizing detection.

Luna C. Feb 26, 2026 5:41 am

I see why a lot of folks think B or C, but I keep coming back to A and D. The profile setup part asks for hash lists, not remediation stuff. I think that's the trick here. Disagree?

QuickConsultant7481 Feb 17, 2026 11:21 am

You've got to add both a custom hash allowlist (A) and a blocklist (D) when making your own malware detection profile in Netskope. It lets you tune false positives and make sure known threats get blocked. Pretty sure remediation and quarantine are handled elsewhere, not as core detection profile steps. Anyone see it different?

Meera U. Feb 26, 2026 12:09 am

A and D here. Custom detection profile setup in Netskope always needs hash lists for allow/deny, not remediation or quarantine profiles, those are separate steps. Pretty sure that's what the question is aiming at, but let me know if you disagree.

Ravi Mar 6, 2026 9:03 pm

A and D tbh, C trips people up but remediation isn’t required to build the profile itself.

MethodicalSec4552 Feb 28, 2026 1:48 pm

Probably A and D here, since creating a custom malware detection profile is all about adding custom hash allowlist and blocklist. Remediation or quarantine steps come afterwards, not at this setup stage. Pretty sure this lines up with Netskope docs but open if anyone disagrees.

Cameron Mar 3, 2026 4:20 pm

Isn’t B a common distractor here? You really just need the hash allowlist and blocklist for custom profiles, not remediation steps.

Parker A. Mar 1, 2026 12:03 am

No doubt here, A and D are the two you need for a custom malware detection profile setup.

Be respectful. No spam.

Correct Answer:

A, D

Explanation

When creating a custom malware detection profile in Netskope, the primary method of customization beyond selecting detection engines is to add organization-specific intelligence. This is accomplished by using custom file hash lists. A blocklist (also known as a blacklist) contains hashes of files known to be malicious, ensuring they are always blocked. An allowlist (or whitelist) contains hashes of known-good files, such as proprietary internal applications, to prevent false positives. Both are distinct and fundamental components that can be added to a malware detection profile to tailor its detection logic, making them key requirements for this task.

Why Incorrect

B. Add a quarantine profile.

A quarantine profile is only required if you choose "Quarantine" as a response action. A custom detection profile can be created to use other actions like "Alert" or "Block," which do not require it.

C. Add a remediation profile.

"Remediation profile" is not a standard, configurable object within the Netskope Threat Protection module. Remediation actions (like block, quarantine, alert) are configured directly within the policy or detection profile.

References

1. Netskope Official Documentation

"Threat Protection": In the Netskope UI and corresponding help documentation

the configuration for a new Malware Detection Profile is located under Policies > Threat Protection > Malware Detection. The creation wizard explicitly provides separate sections to add "Allowlist" and "Blocklist" file hash lists. This demonstrates that both are distinct

expected components for customizing a profile.

2. Netskope Official Documentation

"Create a Malware Detection Profile": The documentation outlines the steps for creating a profile. It specifies that under the "File Hashes" section

an administrator can select pre-configured hash lists for both the Allowlist and Blocklist. This confirms that preparing these lists is a key part of the customization process. The documentation also shows that selecting a "Quarantine Profile" is an optional "On-Detection" action

not a mandatory requirement for creating the profile itself.

Q: 12

You are implementing tenant access security and governance controls for privileged users. You want to start with controls that are natively available within the Netskope Cloud Security Platform and do not require external or third-party integration. Which three access controls would you use in this scenario? (Choose three.)

Options

Discussion

Sofia R. Feb 21, 2026 5:20 pm

A B C

AlexK Feb 19, 2026 3:22 pm

My pick: A B C. D (MFA) looks tempting but it's not native here.

Rowan H. Feb 26, 2026 10:41 am

ABC fits since IP allowlisting, login attempt limits, and RBAC are all built into Netskope without extra integrations. D (MFA) needs a third-party connector, not native. Pretty sure that's what they're after but open to corrections.

SkepticalCandidate7657 Mar 1, 2026 11:42 pm

Option D (MFA) seems like a solid pick too, since it's recommended, but pretty sure Netskope requires external integration for MFA. Trap option there. ABC fits native controls best.

PracticalTester4304 Feb 22, 2026 7:55 pm

C or D, labs and official doc help but I'm stuck on which is truly native here.

Aaron X. Feb 16, 2026 3:58 am

Definitely A, B, C on this one. Those are all native controls in Netskope without pulling in outside integrations for MFA or advanced behavior analytics. Not 100% if E might've tripped me up at first but pretty sure it's not an option here. Disagree?

Ravi P. Feb 23, 2026 1:58 pm

A B C for sure, official docs and exam samples both call these out as native controls.

Avery Feb 15, 2026 2:40 pm

B tbh, official guide and practice labs both highlight only A B C for built-in controls.

DirectEngineer861 Feb 20, 2026 1:39 am

Yeah, looks like A B C to me. Only those are natively built into the platform, the others need extra setup or aren’t available. Pretty sure that's how Netskope expects it, but ok if someone disagrees.

Anita G. Feb 20, 2026 8:11 pm

A B C imo. Only those are natively available in Netskope, since MFA (D) requires external integration. Saw a similar question in some practice tests, and it always points to built-in features first. If I remember right, E isn't a native option either. Correct me if I'm missing anything.

Be respectful. No spam.

Correct Answer:

A, B, C

Explanation

The question requires identifying three native access controls within the Netskope platform for securing privileged user access, without needing third-party integration.

1. IP allowlisting (A) is a native feature allowing administrators to restrict access to the Netskope management UI to a specific set of source IP addresses.

2. Login attempts (B) configuration is part of the native password policy settings, which can lock an administrator's account after a specified number of failed login attempts.

3. Applying roles (C), or Role-Based Access Control (RBAC), is a core, native function that limits an administrator's permissions to only what is necessary for their job, following the principle of least privilege.

These three controls are configured directly within the Netskope tenant's settings.

Why Incorrect

D. Multi-factor authentication to verify a user's authenticity.

This typically requires integration with an external SAML 2.0 Identity Provider (IdP) like Okta or Azure AD, which violates the "no external or third-party integration" constraint.

E. History-based access control based on past security actions.

This is not a standard, named feature within Netskope for controlling administrative access to the tenant UI. Access controls are primarily role-based, not dynamically history-based for administrators.

References

1. Netskope Official Documentation

"Role-Based Access Control (RBAC)": This document details the built-in roles (e.g.

Tenant Admin

Read Only Admin

Policy Admin) and the process for creating custom roles. It states

"Netskope provides role-based access control (RBAC) to the Netskope UI. You can assign roles to admin users that have a set of privileges." This supports option C.

2. Netskope Official Documentation

"Configure Security Settings": This section outlines several native security configurations.

Under the "Password Policy" subsection

it describes the ability to "Lockout admin after [N] failed login attempts

" which directly supports option B.

Under the "Allowed IP Addresses" subsection

it explains how to "Add an IP address

range

or subnet to the allowlist for UI and REST API access

" which directly supports option A.

3. Netskope Official Documentation

"Configure SSO for Admin Login": This guide explains that enabling SSO and MFA for administrators involves configuring a SAML 2.0 integration with an external Identity Provider. This confirms that option D requires an external integration

making it an incorrect choice based on the question's constraints.

Q: 13

You are currently migrating users away from a legacy proxy to the Netskope client in the company’s corporate offices. You have deployed the client to a pilot group; however, when the client attempts to connect to Netskope, it fails to establish a tunnel. In this scenario, what would cause this problem?

Options

Discussion

Leo J. Feb 19, 2026 11:44 pm

Makes sense to pick B, since UDP 443 is needed for the DTLS tunnel with Netskope. If the firewall blocks it, no tunnel forms at all. Pretty sure that's the main reason, unless TCP fallback's in use.

Ava C. Mar 5, 2026 5:26 pm

Option B for this one. UDP 443 is required for the initial DTLS tunnel, and if that’s blocked, the client can’t even negotiate a fallback unless TCP fallback is enabled (which isn’t mentioned here). Pretty sure C would only matter if all access to EPoT was denied, not just DTLS. Open to arguments if anyone sees it differently.

Taylor Feb 26, 2026 9:44 pm

Pretty sure it's B, since UDP 443 needs to be open for the DTLS tunnel and that's usually blocked by firewalls in corporate environments. Nothing else here would fully prevent the client from connecting at this stage. Agree?

Reese T. Mar 2, 2026 10:57 pm

I think it's B. Blocking UDP 443 stops the DTLS tunnel so Netskope can't connect at all.

Maya I. Mar 1, 2026 6:24 pm

B, not C. Saw a similar question in an exam report and blocking UDP 443 breaks the DTLS tunnel every time, no tunnel forms without it.

Nina X. Feb 14, 2026 9:57 am

C/D? If TCP fallback is disabled on the pilot config, C starts to make more sense. Otherwise B.

Ravi L. Mar 3, 2026 9:00 pm

B makes the most sense here. If the firewall is blocking UDP 443, Netskope's DTLS tunnel won't even get off the ground. No mention of TCP fallback, so C isn't it. Pretty sure that's what breaks the pilot group, unless I'm missing something.

Meera Y. Feb 24, 2026 1:11 am

B tbh. Official guides plus lab testing around firewalls and protocol handling helped me spot UDP 443 as the showstopper here.

Casey Feb 27, 2026 9:14 pm

Sounds like B here. Blocking UDP 443 stops DTLS entirely, so the tunnel won't come up if fallback isn't allowed on the client. Pretty sure that's what they're asking for, but I get why some folks think C too depending on config. Agree?

Cameron Feb 19, 2026 10:03 am

C , had something like this in a mock where blocking EPoT caused tunnel fail.

Be respectful. No spam.

Q: 14

Your organization has three main locations with 30.000 hosts in each location. You are planning to deploy Netskope using iPsec tunnels for security. What are two considerations to make a successful connection in this scenario? (Choose two.)

Options

Discussion

Alex Feb 16, 2026 5:38 pm

Definitely has to be C and D here. With 30k hosts per site, you're gonna need to consider tunnel load and redundancy-browser or OS type doesn't really flip the answer unless it was about endpoint support.

Logan H. Feb 24, 2026 12:40 pm

Feels like C and D

Parker V. Feb 19, 2026 6:22 am

These Netskope exam questions always spin in circles, it's C and D.

AdamD Feb 23, 2026 5:12 pm

Had something like this in a mock. Pretty sure C and D are right since you need to plan for enough capacity (host count) and have redundancy with multiple POPs. Don't think browsers or OS come into play for IPsec tunnel sizing. Anyone disagree?

Arjun A. Feb 17, 2026 6:11 pm

B tbh, OS compatibility can mess with IPsec tunnels so I'd pick B and D.

Drew G. Feb 19, 2026 4:42 am

C/D tbh, tunnel capacity and redundant POPs are what you need for big envs like this.

Arjun P. Feb 26, 2026 6:25 pm

C and D tbh. Option B is tempting but it's a trap for tunnel planning on this scale.

Nina Mar 5, 2026 12:33 am

I don’t think B is right here, even though OS can matter. The question is about making the IPsec tunnels work reliably at scale, so C (redundant POPs) and D (number of hosts) are what really count. OS/browser come into play more for client-side app issues. Agree?

Morgan M. Feb 22, 2026 12:28 pm

D imo, you gotta consider number of hosts and redundant POPs for large scale. C and D.

Zoe L. Feb 18, 2026 11:31 am

B and D. OS compatibility can cause headaches in big rollouts especially with IPsec client configs, plus you always have to plan for the number of hosts scaling.

Be respectful. No spam.

Correct Answer:

C, D

Explanation

For a large-scale deployment with 30,000 hosts per location, capacity planning and high availability are critical for success. The number of hosts (D) is a primary factor in determining the required bandwidth for the IPsec tunnel and ensuring the selected Netskope Points of Presence (POPs) can handle the traffic volume. To maintain a resilient and continuous connection, it is a standard best practice to configure tunnels to redundant POPs (C). This involves setting up a primary tunnel to one POP and a secondary (failover) tunnel to another, ensuring service continuity if the primary POP becomes unavailable.

Why Incorrect

A. browsers in use: IPsec operates at the network layer (Layer 3). The tunnel forwards traffic from the network gateway, making the specific browser on an endpoint irrelevant to the tunnel's establishment.

B. operating systems: The IPsec tunnel is configured between a network device (e.g., firewall) and Netskope, not the individual hosts. Therefore, the operating system on the endpoints is not a consideration.

References

1. Netskope Official Documentation

"IPsec Configuration Guide": In the section on "High Availability

" the guide explicitly recommends configuring tunnels to both a primary and a secondary POP for failover and redundancy. This directly supports option C.

2. Netskope Official Documentation

"Netskope NewEdge": The documentation on the NewEdge architecture and deployment planning emphasizes sizing considerations. The section on "Bandwidth and Sizing" states that the number of users (hosts) is a key metric for calculating the required bandwidth and selecting appropriate POPs to ensure performance. This directly supports option D.

3. Netskope Official Documentation

"Secure Web Gateway Deployment Guide": In the chapter covering traffic steering methods

the IPsec section highlights that planning must account for the total number of users and their expected traffic load to prevent performance bottlenecks. This reinforces the importance of considering the number of hosts (D).

Q: 15

Your company asks you to use Netskope to integrate with Endpoint Detection and Response (EDR) vendors such as Crowdstrike. Which two requirements are needed for a successful integration and sharing of threat data? (Choose two.)

Options

Discussion

Nina F. Feb 24, 2026 10:19 pm

A and C. Device classification (B) feels like a decoy since it's not really needed for the EDR integration itself, just for separate device-based controls. You definitely need an API Client ID for Crowdstrike integration and a remediation profile to decide on response actions. Open to other views if I'm missing something though.

Ivy F. Feb 17, 2026 2:31 pm

I don’t think it’s A. B and C make more sense to me since API Client ID handles the connection, and device classification seems important for identifying what endpoints are actually reporting threats. Correct me if I’m off base.

Skyler H. Mar 1, 2026 6:47 am

Not convinced by B, it's easy to mix up device classification with policy stuff, but for threat exchange the actual requirements are A and C.

DirectCandidate5025 Feb 24, 2026 1:04 pm

Its A and C

PracticalNeteng1316 Mar 3, 2026 2:14 am

Option B, Device classification. Thought that was needed to sync devices before threat sharing, but not positive.

Ben F. Feb 19, 2026 4:54 am

B and C

Jason X. Mar 6, 2026 8:45 pm

Pretty sure it's A and C. You need the remediation profile to define what actions to trigger in Crowdstrike, and the API Client ID for the integration itself. B looks like a trap here since device info isn't needed just for threat data sharing. Disagree?

Kevin Y. Feb 25, 2026 5:18 pm

I’d say B and C here. Device classification seems like a step before you can share threat intel, plus you always need the API Client ID. A looks tempting but not sure it's strictly needed.

IvyN Mar 3, 2026 11:58 pm

A and C tbh. You need a remediation profile to define the actions, and API Client ID is standard for connecting to another platform like Crowdstrike. Device classification or custom log parser aren't required for this integration.

Sofia D. Feb 17, 2026 7:15 am

Its A and C for this one, right? I remember something about needing an API Client ID for the data-sharing connection, and remediation profiles sound familiar from a similar question. Not totally sure on the log parser or device classification parts. If anyone has actually set this up let me know if that matches your experience.

Be respectful. No spam.

Correct Answer:

A, C

Explanation

Integrating Netskope with an Endpoint Detection and Response (EDR) solution like Crowdstrike is accomplished through Netskope's Cloud Threat Exchange (CTE). A successful integration for sharing threat data requires two key components:

1. API Credentials: To establish a secure, authenticated connection between the Netskope platform and the EDR vendor's cloud platform, API credentials are required. For Crowdstrike, this specifically involves generating a Client ID and a Client Secret from the Crowdstrike Falcon console.

2. Action/Remediation Configuration: To make the threat sharing functional, you must define what action the EDR should take when it receives threat intelligence from Netskope. This is configured in Netskope as an action or remediation profile, which specifies responses like "Quarantine Host" or "Block Hash."

Why Incorrect

B. Device classification: This feature categorizes endpoints (e.g., managed/unmanaged) for policy enforcement, but it is not a direct technical requirement for establishing the API-based threat-sharing integration itself.

D. Custom log parser: This is used for Netskope's Cloud Log Ingestion (CLS) to parse logs from unsupported applications. EDR integration uses pre-built API connectors via Cloud Threat Exchange, not log parsing.

References

1. Netskope Official Documentation

"Configure CrowdStrike Falcon Plugin for CTE": This guide explicitly lists the prerequisites for the integration. Under the "Prerequisites" section

it states: "To configure the CrowdStrike Falcon plugin

you need the Client ID and Client Secret from your CrowdStrike Falcon account." This directly supports the requirement for an API Client ID (C).

2. Netskope Official Documentation

"Cloud Threat Exchange": This document describes the workflow for CTE. It explains that after configuring a plugin

you must "Create business rules to share threat intelligence... When a rule is triggered

CTE performs the action defined in the rule." The configuration of these actions (e.g.

quarantine host) is functionally a Remediation Profile (A) that dictates the response of the integrated EDR system. The "Configure a Business Rule" section in the Crowdstrike plugin guide shows the step where an "Action" must be selected.

Question 11 of 20 · Page 2 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE