Cisco 350-701 Implementing and Operating Cisco Security Core Technologies Exam Dumps and Practice Test Questions Set8 Q141-160


Question 141:

Which Cisco technology enables behavioral analytics to detect internal threats and abnormal traffic flows by analyzing NetFlow and telemetry data from the entire network?

A Cisco Threat Grid
B Cisco Stealthwatch
C Cisco AMP for Endpoints
D Cisco ISE

Answer: B

Explanation:

Cisco Stealthwatch, now branded as Cisco Secure Network Analytics, is a comprehensive network-visibility and behavior-analytics platform that leverages flow telemetry—including NetFlow, IPFIX, and Encrypted Traffic Analytics (ETA)—to detect anomalous activity indicative of insider threats, data exfiltration, or compromised devices. Unlike signature-based systems, Stealthwatch establishes baselines of normal network behavior and applies machine learning and behavioral analytics to identify deviations that may signal malicious activity.

Stealthwatch passively collects flow records from routers, switches, firewalls, and cloud workloads, then correlates this telemetry with identity data from Cisco ISE. This integration provides contextual visibility of “who is doing what, when, and where,” enabling security teams to prioritize alerts based on host and user behavior. The Security Analytics Engine scores threats automatically, and integration with SecureX allows for rapid incident response and automated workflows.

Option A, Cisco Threat Grid, focuses on dynamic malware analysis and sandboxing rather than network-flow analytics. Option C, AMP for Endpoints, detects file- and process-level threats on hosts but does not provide network-wide behavioral visibility. Option D, Cisco ISE, enforces identity-based access policies but does not analyze traffic flows.

Stealthwatch identifies unusual traffic patterns, such as unexpected external connections, sudden spikes in data transfer, or anomalous lateral movement, which may evade traditional perimeter defenses. It supports hybrid and cloud environments, integrates with Cisco Telemetry Broker, and strengthens Zero Trust visibility across the enterprise.

Therefore, B is correct because Cisco Stealthwatch provides network-wide behavioral analytics using telemetry to detect internal and external threats while maintaining full enterprise visibility.

Question 142:

Which Cisco solution integrates with Cisco Secure Firewall and Cisco SecureX to automatically detonate suspicious files in a sandboxed environment and generate detailed behavioral analysis reports?

A Cisco Threat Grid
B Cisco AMP for Endpoints
C Cisco Umbrella
D Cisco Secure Network Analytics

Answer: A

Explanation:

Cisco Threat Grid is Cisco’s advanced malware analysis and sandboxing platform designed to detect, analyze, and respond to suspicious files in a secure and controlled environment. When a file is submitted to Threat Grid, it is executed within an isolated sandbox that mimics real operating systems, allowing the system to safely observe its behavior without risking production networks. This dynamic analysis focuses on runtime actions such as process creation, file modifications, registry edits, DLL injection, and outbound network connections. By monitoring these behaviors, Threat Grid generates a comprehensive behavioral profile and assigns a threat score that reflects the likelihood of malicious intent.

One of the platform’s key strengths is its ability to generate actionable indicators of compromise (IOCs) from this analysis. These IOCs—such as malicious URLs, file hashes, registry changes, and network endpoints—can then be shared across Cisco’s ecosystem through SecureX, enabling coordinated threat response. For example, unknown files detected on endpoints via AMP for Endpoints or forwarded by Cisco Secure Firewall can automatically be submitted to Threat Grid for detonation. Once the sandbox verdict is known, AMP or Firepower can take automated actions, such as quarantining the file, blocking the related network activity, or applying retrospective remediation to already infected endpoints.

Option B, AMP for Endpoints, provides endpoint protection using file reputation, behavioral monitoring, and retrospective detection but relies on Threat Grid for in-depth sandboxing of unknown files. Option C, Cisco Umbrella, provides DNS-layer protection and web security but does not perform file detonation or behavior analysis. Option D, Cisco Secure Network Analytics (Stealthwatch), focuses on monitoring network traffic and detecting anomalies but does not provide file-level inspection or dynamic malware analysis.

Threat Grid enhances malware detection by correlating local behavioral data with Cisco Talos global threat intelligence. This allows it to detect zero-day threats, polymorphic malware, and sophisticated attacks that traditional signature-based solutions might miss. APIs and integrations enable automation, allowing security teams to submit files, retrieve analysis reports, and trigger playbook-driven responses without manual intervention.

Question 143:

In a Cisco Secure Firewall deployment, what is the main function of Application Visibility and Control (AVC)?

A Encrypts application data for confidentiality
B Identifies and classifies traffic by application, user, and risk level to enforce policies
C Provides malware sandboxing and detonation
D Performs endpoint posture assessment

Answer: B

Explanation:

Cisco’s Application Visibility and Control (AVC) enhances firewall capabilities by providing deep packet inspection and contextual awareness, allowing administrators to see which applications are running on the network, who is using them, and their associated risk levels. Unlike traditional port- or IP-based filtering, AVC leverages the NBAR2 engine and Layer 7 application signatures to identify thousands of applications—even those that use dynamic ports, encryption, or tunneling. This granular visibility enables security teams to enforce precise policies based on application type rather than just network parameters.

With AVC, organizations can prioritize mission-critical applications while limiting or throttling bandwidth-heavy recreational traffic, such as streaming or peer-to-peer file sharing. It also helps identify and block high-risk or unauthorized applications, reducing attack surfaces and improving compliance posture. The telemetry collected by AVC can feed into Cisco SecureX and analytics platforms, providing detailed reporting and actionable insights for incident response or capacity planning.

Option A is incorrect because AVC does not encrypt traffic; it analyzes it. Option C, Threat Grid, performs sandbox-based malware analysis rather than application visibility. Option D, Cisco ISE posture checks, focuses on device compliance and identity-based access control, not application identification.

AVC integrates with Quality of Service (QoS) mechanisms to enforce traffic shaping and bandwidth allocation, ensuring that network performance aligns with business priorities. It also complements Cisco Firepower features, including intrusion prevention and URL filtering, by providing context-aware enforcement at the application layer.

Therefore, B is correct because Cisco AVC delivers comprehensive application-layer identification and enforcement, a core capability of next-generation firewalls. It aligns with SCOR’s Network Security domain by enabling policy-driven control, visibility, and risk management for network applications, ensuring secure and optimized use of enterprise resources.

Question 144:

Which protocol does Cisco Identity Services Engine (ISE) primarily use for device authentication in 802.1X network access control?

A RADIUS
B TACACS+
C LDAP
D SNMP

Answer: A

Explanation:

RADIUS (Remote Authentication Dial-In User Service) is the core protocol that Cisco Identity Services Engine (ISE) uses to implement network access authentication, authorization, and accounting (AAA), particularly in 802.1X environments. When a user or device attempts to connect to a wired or wireless network, the network access device—such as a switch or wireless controller—acts as the authenticator. It forwards the credentials securely to ISE over UDP ports 1812 (authentication) and 1813 (accounting) using the RADIUS protocol. This process ensures that only authorized users and devices can gain network access, forming the foundation of identity-based security.

ISE validates credentials against external identity stores such as Active Directory, LDAP, or internal ISE databases. It can also leverage certificate authorities for certificate-based authentication. RADIUS supports multiple Extensible Authentication Protocol (EAP) methods, including EAP-TLS, PEAP, and EAP-FAST, providing flexible and secure mutual authentication between endpoints and the network. Once authentication succeeds, ISE enforces dynamic policies, which can include assigning VLANs, applying downloadable access control lists (dACLs), or marking endpoints with Security Group Tags (SGTs) for TrustSec-based segmentation.

Option B, TACACS+, is primarily used for administrative access to network devices rather than enforcing network access for users or endpoints. Option C, LDAP, is an identity directory protocol that provides lookup services but does not handle the transport or AAA functions of 802.1X. Option D, SNMP, is designed for network monitoring and management rather than authentication or authorization.

RADIUS also integrates tightly with posture assessment modules in ISE. These modules evaluate device health, such as antivirus status, patch levels, and encryption compliance, before granting access. Non-compliant devices can be quarantined or redirected to remediation portals. By combining RADIUS-based authentication with adaptive access policies, ISE enables a Zero Trust Network Access (ZTNA) model, ensuring that access is continuously verified based on identity, device compliance, and context such as location and time of day.

Therefore, A is correct because RADIUS is the underlying protocol that allows Cisco ISE to provide secure, identity-driven network access control. It enables robust 802.1X authentication, dynamic authorization, and detailed accounting, all of which are critical for enforcing enterprise-wide Zero Trust security principles while maintaining flexibility for diverse network environments.

Question 145:

Which Cisco cloud-based service provides DNS-layer protection by blocking access to malicious domains before connections are established?

A Cisco Umbrella
B Cisco Stealthwatch
C Cisco AMP for Endpoints
D Cisco Secure Firewall

Answer: A

Explanation:

Cisco Umbrella provides cloud-delivered DNS-layer security, serving as a first line of defense against threats before they reach the network or endpoints. When a device makes a DNS request, Umbrella evaluates the domain against Cisco Talos’ global threat intelligence. Any requests to malicious or suspicious domains are blocked immediately, preventing access to phishing sites, malware distribution points, and command-and-control servers. This proactive approach stops threats early in the attack chain, reducing exposure without requiring on-premises appliances or heavy inspection.

Umbrella functions as a secure recursive DNS resolver, providing protection for all devices, including roaming users, via AnyConnect or SD-WAN integration. It also supports policy enforcement for acceptable use and generates visibility into all outbound DNS traffic, enabling organizations to detect anomalous behavior and shadow IT usage.

Option B, Cisco Stealthwatch, focuses on behavioral traffic analysis but does not block DNS requests. Option C, AMP for Endpoints (Cisco Secure Endpoint), protects at the device level after a threat has already reached the endpoint. Option D, Cisco Secure Firewall (Firepower), inspects packets and traffic flows but does not inherently provide DNS-layer threat prevention.

By operating at the DNS layer, Umbrella embodies the preventive security principles of Cisco’s Secure Access Service Edge (SASE) model, combining DNS, web filtering, and global threat intelligence in a lightweight, cloud-native solution. This approach scales easily across distributed and remote environments while maintaining low latency and high availability.

Therefore, A is correct because Cisco Umbrella proactively blocks malicious destinations at the DNS layer, offering scalable, cloud-based protection that prevents threats before they reach the network or endpoints. This early-stage intervention reduces risk, complements downstream security solutions, and provides organizations with improved visibility and policy enforcement across all users and devices.

Question 146:

A security analyst notices several hosts connecting periodically to the same rare external IP. Which Cisco solution best detects this threat using network-flow telemetry?

A Cisco AMP for Endpoints
B Cisco Stealthwatch
C Cisco Umbrella
D Cisco ISE

Answer: B

Explanation:

Cisco Stealthwatch, now part of Cisco Secure Network Analytics, provides advanced network behavior analysis by monitoring flow telemetry such as NetFlow, IPFIX, and Encrypted Traffic Analytics (ETA). Instead of relying on signatures, Stealthwatch establishes baselines of normal network behavior for devices and users, then uses machine learning to detect anomalies like unusual data transfers, beaconing, lateral movement, or suspicious internal connections that could indicate compromised hosts or insider threats.

Option A, AMP for Endpoints, focuses on detecting malware and file-based threats on individual devices. Option C, Umbrella, provides DNS-layer protection and blocks malicious domains before a connection occurs. Option D, Cisco ISE, enforces identity-based access policies but does not analyze network flows for anomalies. None of these solutions perform the comprehensive behavioral analysis of traffic patterns that Stealthwatch offers.

Stealthwatch assigns risk scores to hosts based on abnormal activity, helping security teams prioritize investigations. Its dashboards provide detailed visualization of traffic flows, highlighting suspicious communications between internal systems or with external endpoints. By integrating with Cisco ISE and SecureX, Stealthwatch can automate responses—such as quarantining devices, blocking traffic, or triggering alerts—reducing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

This capability makes Stealthwatch an essential component in detecting stealthy threats that bypass traditional signature-based security tools. It enables organizations to gain continuous network visibility, maintain situational awareness, and enforce proactive threat detection across on-premises, hybrid, and cloud environments.

Therefore, B is correct because Cisco Stealthwatch delivers behavioral analytics for network traffic, exposing hidden threats and anomalies invisible to traditional signature-based security measures, while providing context-rich insights and automated response capabilities.
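The scenario above (several hosts contacting the same rarely seen external IP on a fixed cadence) is the classic beaconing pattern that flow analytics surfaces. The following is an added example, not Cisco code, showing the core of such a detector over NetFlow-style records: destinations absent from a baseline of known external peers are checked per host for a near-constant inter-connection interval (low coefficient of variation), and hits are grouped by destination so that multiple hosts beaconing to one IP appear as a single finding. The flow records, baseline set, IP ranges and thresholds are all constructed for illustration.

```python
"""Beacon detection over NetFlow-style records: internal hosts that contact the
same rarely seen external IP on a near-constant interval.  All data constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# RFC 1918 space is treated as "inside"; everything else is an external peer.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, seconds since epoch
    src: str      # source IP (the internal host)
    dst: str      # destination IP
    dport: int
    octets: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev/mean) of successive flows.
    A CV near 0 means the connections fire on a clock; human traffic is bursty."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu > 0 else float("inf"))


def detect_beacons(flows, baseline_dsts, *, min_events=6, max_cv=0.2):
    """Return {external_dst: [(host, period_s, cv), ...]} for destinations that
    are not in the baseline of known peers and are contacted on a regular cadence
    by at least one internal host (min_events flows, CV <= max_cv)."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.dst not in baseline_dsts:
            by_pair[(f.src, f.dst)].append(f.ts)

    findings = defaultdict(list)
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        period, cv = interval_stats(stamps)
        if cv <= max_cv:
            findings[dst].append((src, round(period, 1), round(cv, 3)))
    return dict(findings)


# ---- constructed sample telemetry -------------------------------------------
JITTER = [0, 3, -2, 4, -1, 2, 0, -3, 1, -2]   # seconds of timing noise per event


def _beacon(src, dst, start, period, n=10):
    """Regular check-ins every `period` seconds with small jitter."""
    return [Flow(start + i * period + JITTER[i], src, dst, 443, 612) for i in range(n)]


def _irregular(src, dst, start, gaps):
    """Bursty, human-like access pattern."""
    out, t = [], start
    for g in [0] + gaps:
        t += g
        out.append(Flow(t, src, dst, 443, 4096))
    return out


SAMPLE_FLOWS = (
    _beacon("10.0.1.5", "203.0.113.77", 1_700_000_000, 300)      # three hosts, same
    + _beacon("10.0.1.9", "203.0.113.77", 1_700_000_042, 300)    # rare IP, 5-minute
    + _beacon("10.0.2.20", "203.0.113.77", 1_700_000_117, 300)   # cadence
    + _irregular("10.0.3.3", "192.0.2.50", 1_700_000_000,
                 [20, 900, 45, 3000, 120, 600, 10])              # new IP, but bursty
    + _beacon("10.0.1.5", "198.51.100.10", 1_700_000_000, 600)   # regular, but a known peer
)
BASELINE_DSTS = {"198.51.100.10"}   # destinations learned during the baseline period

if __name__ == "__main__":
    for dst, hosts in detect_beacons(SAMPLE_FLOWS, BASELINE_DSTS).items():
        print(f"possible beaconing to rare destination {dst}:")
        for host, period, cv in hosts:
            print(f"  {host}: every ~{period}s (CV {cv})")
```

In production the baseline would be learned from weeks of flow history and the findings enriched with identity context, which is what the platform's integration with ISE adds on top of the raw flow math.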

Question 147:

What is the main advantage of using certificate-based authentication instead of pre-shared keys (PSKs) in IPsec VPNs?

A Certificates are shorter keys
B PSKs cannot use AES encryption
C Certificates enable scalable key management and non-repudiation
D PSK requires external hardware

Answer: C

Explanation:

Certificate-based authentication for IPsec VPNs leverages a Public Key Infrastructure (PKI) to authenticate peers, providing stronger and more scalable security than pre-shared keys (PSKs). In this approach, each device presents a digital certificate issued by a trusted Certificate Authority (CA). The certificate contains the device’s public key and identity information, allowing the peer to verify authenticity without manually exchanging secret keys. This mechanism also supports revocation, renewal, and automatic trust establishment through the CA hierarchy.

PSKs, while simpler, become cumbersome in large networks because every peer must share the same secret key, or unique keys must be distributed manually. This increases administrative overhead and the risk of compromise. In contrast, certificate-based authentication scales efficiently, as new devices can be issued certificates and revoked centrally without touching existing tunnels. Certificates also provide non-repudiation, ensuring that the identity of the authenticated peer is cryptographically verifiable.

Both PSK and certificate-based IPsec VPNs can use strong encryption algorithms such as AES; the key difference lies in identity validation and scalability. Certificates enable automated, policy-driven authentication aligned with enterprise security best practices and SCOR exam objectives on cryptography and VPN deployment.

Therefore, C is correct because certificate-based IPsec authentication delivers stronger, centrally managed, and scalable security compared with PSKs, supporting automated trust, revocation, and non-repudiation in complex VPN deployments.

Question 148:

To ensure only compliant corporate laptops access Wi-Fi, which Cisco technology should be implemented?

A Site-to-Site VPN
B 802.1X with RADIUS and posture assessment via ISE
C SSL VPN via browser
D IPsec Remote-Access VPN with PSK

Answer: B

Explanation:

The combination of 802.1X authentication and Cisco Identity Services Engine (ISE) posture assessment provides a comprehensive, policy-driven approach to network access control, ensuring that only authorized and compliant devices can connect to enterprise networks. When a device attempts to access a network—whether via wired LAN or wireless WLAN—the 802.1X protocol functions as the authentication mechanism. The network access device, such as a switch or wireless controller, acts as an authenticator and forwards the user or device credentials to ISE over the RADIUS protocol. ISE then validates these credentials against internal user stores, Active Directory, or certificate authorities, enforcing authentication policies and ensuring that only legitimate users or devices are granted access.

Beyond authentication, ISE’s posture assessment evaluates the health and compliance of the endpoint. It examines multiple parameters, including antivirus status, operating system version, patch level, disk encryption, firewall settings, and other security controls. Devices that fail to meet organizational security policies can be quarantined into remediation VLANs or restricted access groups. This allows administrators to enforce security dynamically while providing a controlled environment for remediation, ensuring that non-compliant devices do not introduce vulnerabilities into the network.

This integration is central to Cisco’s Zero Trust Network Access (ZTNA) model, which assumes that devices and users should not be inherently trusted, even if they are inside the corporate perimeter. By continuously validating identity and device posture before and during network access, 802.1X combined with ISE helps organizations implement the principle of least privilege, mitigating risks from compromised endpoints or unauthorized users.

Unlike Site-to-Site VPNs or SSL VPNs, which primarily provide secure remote access, 802.1X with ISE directly governs local network access, applying security policies at the point of connection. The solution supports scalable policy enforcement across large enterprise environments, integrating with Cisco TrustSec to assign Security Group Tags (SGTs) for granular, identity-based access segmentation.

Therefore, 802.1X authentication paired with Cisco ISE posture assessment is the preferred solution for dynamic, context-aware network admission. It ensures that only authorized users and devices that meet compliance requirements are allowed access, providing a secure, continuously monitored, and policy-driven approach to modern network security. This makes it a critical component in achieving Zero Trust and reducing organizational risk.

Question 149:

In the cloud-security shared-responsibility model, which task remains the customer’s duty under Infrastructure as a Service (IaaS)?

A Physical data-center security
B Hypervisor patching
C Virtual-machine operating-system security
D Core network fabric maintenance

Answer: C

Explanation:

Under the Infrastructure as a Service (IaaS) model, the responsibility for security is shared between the cloud provider and the customer, following the shared responsibility model. The provider manages and secures the underlying physical infrastructure, including data centers, networking, servers, storage, and the virtualization layer that enables multitenancy. This ensures that the foundation on which services run is hardened against physical and network-based threats.

However, the customer retains full responsibility for securing everything that runs on top of that infrastructure. This includes the guest operating systems, applications, middleware, and data. Customers must implement OS hardening, patch management, and antivirus protections within their virtual machines. They are also responsible for application security, configuring firewalls, managing identity and access controls (IAM), encrypting sensitive data, and monitoring for suspicious activity within their workloads. Failure to secure these layers can expose the organization to vulnerabilities, even if the underlying infrastructure is fully managed and hardened by the provider.

Options A, B, and D, which relate to physical security, hypervisor management, and network infrastructure protection, fall under the cloud provider’s responsibility in the IaaS model. This distinction is critical because it clarifies where the provider’s duties end and where the customer’s duties begin, preventing gaps in security coverage.

For SCOR candidates, understanding this division is essential under the Cloud Security domain. It highlights the importance of actively managing OS and application security, even when leveraging cloud infrastructure, and reinforces the need for policies, monitoring, and compliance checks at the customer-controlled layers.

Therefore, C is correct because in an IaaS environment, customers retain responsibility for securing the operating systems, applications, and data they deploy, while the provider secures the foundational physical and virtualization infrastructure. This shared model ensures clarity in accountability and strengthens overall cloud security posture.

Question 150:

Which OWASP Top 10 category refers to flaws where untrusted input is sent to an interpreter, leading to unintended command execution?

A. Broken Access Control
B. Injection
C. Insecure Design
D. Security Misconfiguration

Answer: B

Explanation:

Injection vulnerabilities—like SQL, OS, or LDAP injection—arise when an application directly incorporates user input into commands or queries without proper validation or sanitization. This allows attackers to manipulate the underlying interpreter to execute unintended actions, such as retrieving sensitive data, modifying records, or escalating privileges within the system. For example, an unsanitized SQL query could allow an attacker to bypass authentication or extract confidential database contents, while a poorly handled OS command input could let them execute arbitrary shell commands.

Effective defenses focus on eliminating the unsafe handling of user input. Input validation ensures only expected characters or formats are accepted, while parameterized queries or prepared statements prevent user input from being interpreted as executable code. Additionally, applying the principle of least privilege for database or system accounts limits the potential impact even if an injection attempt succeeds.

In the context of Cisco SCOR, understanding injection vulnerabilities aligns with the domains of threat mitigation, secure application development, and endpoint protection. Recognizing the risk vectors and mitigation strategies helps security professionals design more resilient systems and evaluate threat exposure in enterprise environments.

Therefore, B is correct because injection flaws occur due to improper input handling, enabling attackers to execute malicious commands or queries that compromise application or system security.
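To make the defence concrete, here is an added example (not from the page or any Cisco product) that places an injectable login query beside the two fixes the explanation names: a parameterized query, so the database driver treats input as data rather than as part of the statement, and an allow-list validation step. The SQLite table and its single constructed row are illustrative only.

```python
"""Injection flaw and its fix, using an in-memory SQLite database (constructed data)."""
import re
import sqlite3

# Allow-list for the username field: letters, digits, and a few safe separators.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, credential TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'stored-credential-for-alice')")
    return con


def validate_username(username: str) -> bool:
    """Input validation: reject anything outside the expected character set."""
    return USERNAME_RE.fullmatch(username) is not None


def login_vulnerable(con, username: str, credential: str) -> bool:
    # Untrusted input is spliced into the SQL text, so the interpreter parses
    # whatever the user typed as part of the statement.  Shown only as the
    # "before" picture; never use this pattern.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND credential = '{credential}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, username: str, credential: str) -> bool:
    # Validation first, then a parameterized query: the `?` placeholders are
    # bound by the driver, so quotes or comment markers in the input can never
    # change the shape of the statement.
    if not validate_username(username):
        return False
    sql = "SELECT username FROM users WHERE username = ? AND credential = ?"
    return con.execute(sql, (username, credential)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "alice' --"          # a quote plus an SQL comment marker
    print("legit, vulnerable:", login_vulnerable(db, "alice", "stored-credential-for-alice"))
    print("legit, safe:      ", login_safe(db, "alice", "stored-credential-for-alice"))
    print("crafted, vulnerable:", login_vulnerable(db, crafted, "anything"))  # True: bypass
    print("crafted, safe:      ", login_safe(db, crafted, "anything"))        # False
```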

Question 151:

In a Cisco SDN architecture, which type of API provides communication from the controller to network devices to push configuration and collect state information?

A Northbound API
B Southbound API
C Eastbound API
D Westbound API

Answer: B

Explanation:

In a Software-Defined Networking (SDN) architecture, the Southbound API is the interface responsible for communication between the SDN controller and the underlying network devices such as routers, switches, and access points. This API enables the controller to push configurations, gather operational data, and enforce centralized policy decisions dynamically. Protocols like OpenFlow, NETCONF, RESTCONF, and gRPC are common southbound interfaces used in Cisco SDN solutions.

Option A, Northbound API, connects the controller to applications and orchestration layers that consume network services through automation scripts or dashboards. Options C and D, Eastbound and Westbound APIs, handle controller-to-controller communication in distributed or federated SDN architectures.

For example, in Cisco DNA Center, southbound communication to network devices is typically achieved through NETCONF or CLI over SSH to apply configurations programmatically. Similarly, Cisco ACI (Application Centric Infrastructure) uses southbound APIs to communicate with Nexus switches through the APIC controller.

The significance of southbound APIs lies in their ability to decouple the control plane from the data plane. This separation allows centralized policy enforcement, reduced operational complexity, and consistent configuration management—core principles of SDN. Within the Cisco 350-701 SCOR exam, understanding SDN APIs is essential for the Security Automation and Programmability domain, which focuses on modern infrastructure management through automation.

Therefore, B is correct, because Southbound APIs provide the communication channel that allows SDN controllers to configure, monitor, and manage network devices dynamically, enabling centralized, software-driven control across the infrastructure.

Question 152:

Which Cisco product provides DNS-layer protection by identifying malicious domains and blocking user access before the connection is established?

A Cisco Secure Email Gateway
B Cisco Umbrella
C Cisco Secure Endpoint
D Cisco Secure Firewall

Answer: B

Explanation:

Cisco Umbrella delivers DNS-layer security by blocking malicious, phishing, and command-and-control (C2) domains before a user’s device connects to them. Acting as a recursive DNS resolver, Umbrella intercepts DNS requests from users and compares them to threat intelligence data from Cisco Talos, which maintains one of the world’s largest databases of malicious domains and IPs. If a domain is flagged as dangerous, Umbrella prevents resolution, effectively stopping the threat at the earliest possible stage.

This “first line of defense” approach provides protection without installing software or requiring SSL interception. For remote and roaming users, AnyConnect or the Umbrella roaming client ensures protection even outside the corporate perimeter. Umbrella integrates seamlessly with Cisco SecureX, providing a unified security view across DNS, web, and firewall telemetry.

Option A, Cisco Secure Email Gateway, focuses on email scanning and phishing defense. Option C, Cisco Secure Endpoint (formerly AMP for Endpoints), protects endpoints from malware but does not provide DNS-based prevention. Option D, Cisco Secure Firewall, performs application-level packet inspection but not DNS filtering by default.

Within the SCOR exam, Cisco Umbrella represents Cisco’s vision for cloud-native security and the Secure Access Service Edge (SASE) model, combining DNS, secure web gateway, and CASB capabilities for comprehensive protection.

Therefore, B is correct, because Cisco Umbrella uses DNS-layer enforcement and Talos intelligence to block malicious destinations before a connection is made, protecting users on and off the network.

Question 153:

A company’s endpoint security platform isolates a laptop after detecting suspicious process behavior and network connections. This action aligns with which Cisco 350-701 SCOR exam domain?

A. Network Security
B. Endpoint Protection and Detection
C. Secure Network Access, Visibility, and Enforcement
D. Content Security

Answer: B

Explanation:

This scenario represents the Endpoint Protection and Detection domain of the Cisco 350-701 SCOR exam, which focuses on securing hosts through advanced endpoint defense mechanisms such as Cisco Secure Endpoint (AMP for Endpoints). Endpoint detection and response (EDR) solutions like Secure Endpoint continuously monitor system processes, file behaviors, and registry changes to detect and contain threats that bypass traditional antivirus measures.

When suspicious activity is detected—such as privilege escalation, process injection, or beaconing to malicious IPs—the system can automatically isolate the endpoint from the network. This isolation prevents lateral movement and data exfiltration while allowing forensic analysis. Integration with Cisco SecureX and Cisco Orbital enables automation, centralized threat hunting, and endpoint telemetry correlation.

Option A focuses on perimeter defense; Option C relates to NAC solutions like Cisco ISE; and Option D handles web/email inspection, not endpoint behavior.

In Cisco’s layered security architecture, endpoint protection forms the final line of defense in a Zero Trust model, ensuring continuous monitoring and rapid containment of compromised assets. This domain’s key topics include malware protection, retrospective detection, sandboxing integration (with Threat Grid), and behavioral analytics.

Therefore, B is correct, because endpoint isolation and behavioral-based threat detection fall squarely within the Endpoint Protection and Detection objectives of the SCOR exam.

Question 154:

Which statement best describes the Zero Trust security model as implemented in Cisco architectures?

A. All internal users are trusted by default, external users are denied
B. Every user and device must be authenticated and authorized before gaining access, regardless of network location
C. Firewalls alone provide adequate perimeter defense
D. VPNs automatically ensure Zero Trust compliance

Answer: B

Explanation:

The Zero Trust security model is based on the principle of “never trust, always verify.” It assumes no implicit trust for any device, user, or application—whether inside or outside the corporate perimeter. Every access attempt must be authenticated, authorized, and continuously validated based on identity, device posture, and contextual data.

Cisco implements Zero Trust through technologies like Cisco ISE (for network access control), Cisco Duo (for multi-factor authentication), Cisco Secure Firewall, and SecureX (for integrated visibility and automation). Together, these solutions enforce consistent identity verification, least-privilege access, and adaptive policy enforcement.

Option A contradicts Zero Trust philosophy by allowing implicit internal trust. Options C and D are partial security mechanisms but do not encompass Zero Trust’s continuous verification and segmentation requirements.

Zero Trust also includes microsegmentation using Cisco SD-Access and analytics from Stealthwatch to detect anomalous lateral movement. This model aligns with SCOR domains such as Secure Network Access and Security Concepts.

Therefore, B is correct, because the Zero Trust model enforces continuous verification and least privilege, ensuring that access is granted only after identity and context are validated, regardless of network location.

Question 155:

What is the benefit of sharing Indicators of Compromise (IOCs) among multiple Cisco security platforms through SecureX?

A. Reduces network performance by increasing log volume
B. Allows consistent, automated threat detection and coordinated response across devices
C. Eliminates the need for firewalls
D. Prevents the use of encryption on endpoints

Answer: B

Explanation:

In modern cybersecurity ecosystems, timely and accurate threat detection is critical for reducing organizational risk and preventing widespread compromise. One of the most effective tools for achieving this is the use of Indicators of Compromise (IOCs). IOCs are pieces of forensic data that indicate a potential or confirmed intrusion. They can include malicious IP addresses, domains, URLs, file hashes, registry keys, or any other artifacts associated with suspicious activity. By identifying and monitoring these indicators, security teams can detect early signs of compromise, investigate incidents more efficiently, and implement proactive defenses before an attacker achieves significant impact.

Cisco leverages IOCs extensively across its security portfolio, integrating them into a unified platform through Cisco SecureX. SecureX serves as the connective layer among Cisco security solutions—such as Cisco Secure Endpoint, Umbrella, Firepower, Stealthwatch (Secure Network Analytics), and Identity Services Engine (ISE)—allowing threat intelligence to be shared automatically and in real-time. This integration ensures that when one product detects a malicious indicator, all relevant security controls can react immediately. For example, if Secure Endpoint identifies a file hash associated with ransomware, that IOC can be pushed to Umbrella to block connections to command-and-control servers, to Firepower to filter network traffic, and to Stealthwatch to monitor for related anomalous activity across the network.

The key benefit of this approach is automation. IOC sharing through SecureX enables Security Orchestration, Automation, and Response (SOAR) capabilities. Playbooks can be configured to automatically enforce defensive actions without requiring manual intervention. This reduces human error, shortens response times, and ensures consistent application of security policies across multiple vectors. For instance, an IOC can trigger automated quarantining of infected endpoints, updating of firewall or access control policies in ISE, and blacklisting of malicious domains in Umbrella—all executed in parallel and in real-time. This coordinated response is especially critical in large, complex enterprises, where threats can propagate quickly if left unmitigated.

Importantly, IOC sharing complements existing security measures rather than replacing them. Traditional defenses such as endpoint antivirus, intrusion prevention systems, firewalls, and DNS filtering still operate as first-line protections. IOC propagation ensures that when a new threat is detected in any part of the ecosystem, all components are immediately informed and can act in concert. This reduces dwell time, prevents lateral movement, and limits the overall attack surface.

Furthermore, SecureX provides centralized visibility into threat intelligence and response actions. Security analysts can monitor which IOCs are active, what automated responses have been executed, and assess ongoing risk across the enterprise. Integration with Cisco Talos threat intelligence enhances IOC accuracy and relevance, allowing organizations to benefit from global threat insights while applying them locally to protect critical assets.

Within the SCOR framework, IOC sharing aligns with the Threat Detection and Response domain. It embodies the principles of proactive threat management, automation, and cross-platform integration, which are essential for effective enterprise cybersecurity operations.

Therefore, B is correct because IOC sharing through Cisco SecureX enables coordinated, automated, and real-time defenses across the Cisco Secure ecosystem. By disseminating threat intelligence, enforcing policies instantly, and integrating detection with response, organizations can improve overall security posture, reduce response times, and maintain consistent protective measures across endpoints, networks, and cloud environments, ensuring a robust and unified approach to threat management.

Question 156:

In an IPsec site-to-site VPN configuration, why is NAT Traversal (NAT-T) required when passing through devices performing Network Address Translation?

A. NAT devices corrupt IPsec ESP headers, requiring UDP encapsulation for traversal
B. NAT devices improve encryption efficiency
C. NAT-T replaces ISAKMP negotiation
D. NAT-T allows IPv6 connectivity

Answer: A

Explanation:

NAT Traversal (NAT-T) is a crucial mechanism that enables IPsec VPN traffic to traverse devices performing Network Address Translation (NAT) without breaking the VPN tunnel. Standard IPsec VPN traffic uses the ESP (Encapsulating Security Payload) protocol for data encryption and integrity. However, ESP does not include TCP or UDP port numbers in its headers. NAT devices, which modify IP addresses and sometimes ports to map multiple internal hosts to a single public IP, can disrupt ESP traffic because the cryptographic integrity check in ESP includes the original IP addresses. Any modification by a NAT device will cause the ESP packet to fail authentication, preventing the VPN tunnel from functioning correctly.

NAT-T solves this problem by encapsulating ESP packets inside UDP packets, specifically using UDP port 4500. By wrapping ESP in UDP, NAT-T allows NAT devices to handle and forward the traffic without modifying the ESP payload. This encapsulation preserves the integrity and encryption of the original IPsec traffic while maintaining compatibility with NAT routers that would otherwise break the tunnel. Both ends of the VPN must support NAT-T, and the mechanism is typically negotiated automatically during IKE Phase 1 or Phase 2.

Option B is incorrect because NAT-T does not enhance encryption strength or efficiency; its purpose is purely to ensure connectivity through NAT devices. Option C is false because NAT-T does not replace IKE (Internet Key Exchange); IKE is still required for negotiating keys and establishing the VPN tunnel. Option D is irrelevant in this context because NAT-T specifically addresses IPv4 environments where NAT is present, and it is not about general IPv6 tunneling.

NAT-T is particularly important for remote workers, branch offices, or any scenario where VPN endpoints are behind routers that perform address translation. Without NAT-T, IPsec VPNs would often fail in these environments because ESP packets cannot survive the address modifications. The feature aligns directly with the VPN and Cryptography domain in the SCOR exam, emphasizing secure, reliable connectivity in diverse network topologies.

Therefore, A is correct because NAT Traversal encapsulates IPsec ESP packets in UDP, allowing VPN traffic to traverse NAT devices without compromising authentication or encryption integrity, ensuring secure and seamless remote connectivity.
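The UDP encapsulation described above, as an added example that is not Cisco's code or part of the original question set: it builds and classifies RFC 3948 NAT-T datagrams (ESP with SPI and sequence number, IKE behind the zero non-ESP marker, one-byte keepalive) and shows the single field a port-translating NAT rewrites. SPI, sequence and payload values are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500                     # RFC 3948: UDP port used for NAT-T
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # marks IKE inside UDP 4500; a real ESP SPI is never 0
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that keeps the NAT binding alive

@dataclass
class NatTPacket:
    kind: str                 # "esp", "ike" or "keepalive"
    src_port: int
    dst_port: int
    spi: Optional[int] = None
    seq: Optional[int] = None

def encap_esp(spi: int, seq: int, esp_body: bytes, src_port: int = NAT_T_PORT) -> bytes:
    """Wrap an ESP packet (SPI + sequence + encrypted body) in a UDP datagram.
    RFC 3948 allows a zero UDP checksum, so none is computed here."""
    esp = struct.pack("!II", spi, seq) + esp_body
    return struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(esp), 0) + esp

def encap_ike(ike_msg: bytes, src_port: int = NAT_T_PORT) -> bytes:
    """Wrap an IKE message in UDP 4500; the zero marker tells the peer it is IKE, not ESP."""
    body = NON_ESP_MARKER + ike_msg
    return struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(body), 0) + body

def parse_nat_t(datagram: bytes) -> NatTPacket:
    """Classify a UDP datagram the way a NAT-T aware peer does on port 4500."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if NAT_T_PORT not in (src, dst):
        raise ValueError(f"not NAT-T traffic: UDP {src}->{dst}")
    payload = datagram[8:length]
    if payload == NAT_KEEPALIVE:
        return NatTPacket("keepalive", src, dst)
    if payload[:4] == NON_ESP_MARKER:
        return NatTPacket("ike", src, dst)
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTPacket("esp", src, dst, spi, seq)

def napt_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """What a port-translating NAT does to the datagram: rewrite the UDP source port.
    Everything after the UDP header (the ESP packet) is untouched, so the receiver's
    ESP integrity check still passes. Plain ESP (IP protocol 50) has no port field,
    which is why hosts behind one NAT cannot be multiplexed without NAT-T."""
    _src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst, length, csum) + datagram[8:]
```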

Question 157:

Which type of attack involves sending excessive TCP SYN packets to a server, exhausting its resources and preventing legitimate access?

A. Cross-site scripting (XSS)
B. SQL Injection
C. SYN Flood
D. Phishing

Answer: C

Explanation:

A SYN Flood is a Denial-of-Service (DoS) attack that exploits the TCP handshake process. The attacker sends a large number of TCP SYN packets with spoofed or nonexistent source IP addresses. The server allocates resources for each half-open connection and waits for the final ACK packet, which never arrives. Eventually, the server’s backlog queue fills, preventing new legitimate connections.

Option A, XSS, injects malicious scripts into web pages; B, SQL Injection, targets databases; D, Phishing, deceives users into revealing credentials. Only C matches the resource exhaustion behavior of a SYN flood.

Cisco mitigates SYN floods through rate limiting, TCP intercept, firewall SYN cookies, and Cisco Secure Firewall threat defense policies. Detection can also be enhanced using Stealthwatch telemetry to observe traffic anomalies.

Therefore, C is correct, because a SYN Flood attack overwhelms a server’s connection queue by sending numerous incomplete TCP handshakes, leading to service denial.
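On the detection side, as an added example that is not part of the original page and not Stealthwatch's own logic: constructed NetFlow-style records are run through a half-open-ratio check per destination and time window, the kind of handshake anomaly a flow collector surfaces. Addresses, timestamps and thresholds are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed NetFlow-style records (not real Stealthwatch output):
# timestamp  source-ip  destination:port  TCP flags seen over the flow's lifetime
SAMPLE_FLOWS = """\
2024-05-01T09:00:00 198.51.100.7 192.0.2.10:443 SA
2024-05-01T09:00:01 198.51.100.8 192.0.2.10:443 SA
2024-05-01T09:00:02 203.0.113.11 192.0.2.10:443 S
2024-05-01T09:00:02 203.0.113.12 192.0.2.10:443 S
2024-05-01T09:00:03 203.0.113.13 192.0.2.10:443 S
2024-05-01T09:00:03 203.0.113.14 192.0.2.10:443 S
2024-05-01T09:00:04 203.0.113.15 192.0.2.10:443 S
2024-05-01T09:00:04 203.0.113.16 192.0.2.10:443 S
2024-05-01T09:00:05 198.51.100.9 192.0.2.20:22 SA
2024-05-01T09:00:06 198.51.100.9 192.0.2.20:22 S
"""

@dataclass
class Alert:
    dst: str
    window_start: int   # epoch seconds, start of the tumbling window
    half_open: int      # flows with SYN but no ACK: handshakes never completed
    completed: int
    sources: int        # distinct sources behind the half-open flows (spoofing hint)

def parse_flows(text: str):
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, flags = line.split()
            epoch = int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())
            yield epoch, src, dst, flags

def detect_syn_flood(text: str, window: int = 10, min_half_open: int = 5,
                     min_ratio: float = 0.75) -> list:
    """Flag destinations where half-open flows dominate a window: many SYNs,
    few ACKs, and a scattered set of sources is the SYN-flood signature."""
    buckets = defaultdict(lambda: {"half": 0, "done": 0, "srcs": set()})
    for ts, src, dst, flags in parse_flows(text):
        b = buckets[(dst, ts - ts % window)]
        if "S" in flags and "A" not in flags:
            b["half"] += 1
            b["srcs"].add(src)
        else:
            b["done"] += 1
    alerts = []
    for (dst, start), b in sorted(buckets.items()):
        total = b["half"] + b["done"]
        if b["half"] >= min_half_open and b["half"] / total >= min_ratio:
            alerts.append(Alert(dst, start, b["half"], b["done"], len(b["srcs"])))
    return alerts
```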

Question 158:

In a containerized cloud environment, which security control ensures that only verified, approved container images are deployed to production?

A. Image signing and registry policy enforcement
B. Disabling container logs
C. 802.1X authentication for containers
D. Host-based firewalls

Answer: A

Explanation:

Image signing and registry policy enforcement ensure the integrity and authenticity of container images before deployment. Each image is cryptographically signed, and the container runtime validates the signature against a trusted registry or certificate authority. This process guarantees that only verified and unaltered images are used in production.

Option B is insecure—logs should be retained for auditing. C is not applicable to containers, and D provides host-level security, not image validation.

Cisco solutions like Secure Workload (formerly Tetration) and Secure Cloud Analytics support container workload visibility, policy enforcement, and runtime protection. Image signing complements these by preventing tampered or malicious images from entering the CI/CD pipeline.

Therefore, A is correct, because image signing and registry enforcement protect against tampering and unauthorized deployment, ensuring workload integrity in cloud-native environments.

Question 159:

Which Cisco platform provides centralized security orchestration and automation across multiple Cisco and third-party products?

A. Cisco SecureX
B. Cisco Stealthwatch
C. Cisco Umbrella
D. Cisco Secure Client

Answer: A

Explanation:

Cisco SecureX is Cisco’s Security Orchestration, Automation, and Response (SOAR) platform that unifies visibility, automates workflows, and integrates telemetry from multiple Cisco and third-party tools. It acts as a central security dashboard that connects Cisco products such as Secure Firewall, Umbrella, Secure Endpoint, ISE, and Stealthwatch.

Through SecureX Orchestration, analysts can automate complex workflows like blocking malicious domains, quarantining infected hosts, or sharing IOCs across systems without manual intervention. It accelerates incident response and reduces mean time to detect (MTTD) and respond (MTTR).

Option B provides network analytics, C focuses on DNS-layer protection, and D is an endpoint VPN client.

SecureX exemplifies Cisco’s move toward integrated, API-driven security ecosystems and is a key topic in SCOR’s Security Automation and Visibility domain.

Therefore, A is correct, because SecureX enables centralized orchestration, visibility, and automation across Cisco’s security portfolio, streamlining detection and response.

Question 160:

What is the primary benefit of network segmentation in enforcing the principle of least privilege?

A. Reduces number of firewall rules
B. Allows all users unrestricted access
C. Limits lateral movement by isolating resources and users based on need
D. Eliminates endpoint security requirements

Answer: C

Explanation:

Network segmentation divides the network into smaller, isolated segments or zones based on function, sensitivity, or user role. By restricting communication between these zones, organizations enforce the principle of least privilege, ensuring users and systems can only access resources necessary for their role.

This approach reduces the attack surface and limits lateral movement of threats—if one segment is compromised, the attacker cannot easily move to others. Segmentation can be implemented using VLANs, VRFs, or microsegmentation in Cisco SD-Access and Secure Workload platforms.

Option A is false—segmentation may increase rule granularity. B and D contradict least-privilege goals.

Segmentation supports Zero Trust principles by enforcing policy at every boundary. Cisco ISE, Stealthwatch, and Firepower collaborate to implement dynamic, identity-based segmentation with continuous monitoring.

Therefore, C is correct, because segmentation limits access to only necessary resources, containing threats and upholding least-privilege principles—core to secure network architecture in the Cisco 350-701 SCOR exam.
