The Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) exam is a 120-minute assessment that is associated with the Cisco Certified CyberOps Associate certification. The CBROPS exam tests a candidate’s knowledge and skills related to security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures. The course, Understanding Cisco Cybersecurity Operations Fundamentals, helps candidates to prepare for this exam.

This exam tests your knowledge and skills related to:

  • Security concepts
  • Security monitoring
  • Host-based analysis
  • Network intrusion analysis
  • Security policies and procedures

Who should take this exam?
  • Anyone who wishes to gain a practical skillset in mitigating the risk from malware, Trojans, hackers, trackers, cybercriminals and other online threats.
  • For anyone studying for the Cisco CyberOps Associate CBROPS 200-201 certification exam.
Learning Path

Cisco offers a number of certifications in various fields. Cisco certifications are offered at several levels: entry, associate, specialist, professional, expert, and architect. Each level incorporates a number of certifications.

To schedule your exam

  • Log into your account at Pearson VUE.
  • Select Proctored Exams and enter the exam number, 200-201.
  • Follow the prompts to register.

CyberOps Associate (200-201 CBROPS) Course Outline

Cisco has divided the syllabus into several domains, and each domain of the CyberOps Associate (200-201 CBROPS) exam lists its objectives and sub-topics. The detailed course outline is given below:

Domain 1: Security concepts

1.1 Describe the CIA triad

1.2 Compare security deployments

1.3 Describe security terms

1.4 Compare security concepts

1.5 Describe the principles of the defense-in-depth strategy (Cisco Reference: Security Principles)

1.6 Compare access control models

1.7 Describe terms as defined in CVSS (Cisco Reference: Common Vulnerability Scoring System)

  • Attack vector
  • Attack complexity
  • Privileges required
  • User interaction
  • Scope

1.8 Identify the challenges of data visibility (network, host, and cloud) in detection

1.9 Identify potential data loss from provided traffic profiles

1.10 Interpret the 5-tuple approach to isolate a compromised host in a grouped set of logs

1.11 Compare rule-based detection vs. behavioral and statistical detection

Domain 2: Security monitoring

2.1 Compare attack surface and vulnerability

2.2 Identify the types of data provided by these technologies

2.3 Describe the impact of these technologies on data visibility

2.4 Describe the uses of these data types in security monitoring

  • Full packet capture
  • Session data
  • Transaction data
  • Statistical data
  • Metadata
  • Alert data

2.5 Describe network attacks, such as protocol-based, denial of service, distributed denial of service, and man-in-the-middle (Cisco Reference: Basic Network Attacks, DDoS Attack)

2.6 Describe web application attacks, such as SQL injection, command injections, and cross-site scripting (Cisco Reference: Understanding SQL Injection, Understanding Cross-Site Scripting (XSS) Threat Vectors)

2.7 Describe social engineering attacks

2.8 Describe endpoint-based attacks, such as buffer overflows, command and control (C2), malware, and ransomware (Cisco Reference: Endpoint Security, Cisco Ransomware Defense)

2.9 Describe evasion and obfuscation techniques, such as tunneling, encryption, and proxies (Cisco Reference: Network IPS Evasion Techniques)

2.10 Describe the impact of certificates on security (includes PKI, public/private crossing the network, asymmetric/symmetric)

2.11 Identify the certificate components in a given scenario

Domain 3: Host-based analysis

3.1 Describe the functionality of these endpoint technologies in regard to security monitoring

3.2 Identify components of an operating system (such as Windows and Linux) in a given scenario

3.3 Describe the role of attribution in an investigation

3.4 Identify type of evidence used based on provided logs

  • Best evidence
  • Corroborative evidence
  • Indirect evidence

3.5 Compare tampered and untampered disk image

3.6 Interpret operating system, application, or command line logs to identify an event (Cisco Reference: Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events)

3.7 Interpret the output report of a malware analysis tool (such as a detonation chamber or sandbox) (Cisco Reference: Advanced Malware Protection (AMP))

  • Hashes
  • URLs
  • Systems, events, and networking

Domain 4: Network intrusion analysis

4.1 Map the provided events to source technologies

4.2 Compare impact and no impact for these items

4.3 Compare deep packet inspection with packet filtering and stateful firewall operation (Cisco Reference: Deep Packet Inspection in the Data Center, Stateful Firewall Overview, Cisco Application Visibility and Control (AVC))

4.4 Compare inline traffic interrogation and taps or traffic monitoring

4.5 Compare the characteristics of data obtained from taps or traffic monitoring and transactional data (NetFlow) in the analysis of network traffic (Cisco Reference: Cisco Network Analysis Module)

4.6 Extract files from a TCP stream when given a PCAP file and Wireshark (Cisco Reference: Configuring TCP, Configuring Packet Capture)

4.7 Identify key elements in an intrusion from a given PCAP file (Cisco Reference: Intrusion Detection: Cisco IDS Overview)

4.8 Interpret the fields in protocol headers as related to intrusion analysis (Cisco Reference: Working with Intrusion Events)

  • Ethernet frame
  • IPv4, IPv6

4.9 Interpret common artifact elements from an event to identify an alert

  • IP address (source / destination)
  • Client and server port identity
  • Process (file or registry)
  • System (API calls)
  • Hashes
  • URI / URL

4.10 Interpret basic regular expressions (Cisco Reference: Regular Expression Reference)

Domain 5: Security policies and procedures

5.1 Describe management concepts

5.2 Describe the elements in an incident response plan as stated in NIST.SP800-61

5.3 Apply the incident handling process (such as NIST.SP800-61) to an event

5.4 Map elements to these steps of analysis based on the NIST.SP800-61

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident analysis (lessons learned)

5.5 Map the organization stakeholders against the NIST IR categories (CMMC, NIST.SP800-61) (Cisco Reference: Cisco and the NIST Cybersecurity Framework)

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident analysis (lessons learned)

5.6 Describe concepts as documented in NIST.SP800-86

5.7 Identify these elements used for network profiling

  • Total throughput
  • Session duration
  • Ports used
  • Critical asset address space

5.8 Identify these elements used for server profiling

5.9 Identify protected data in a network

  • PII
  • PSI
  • PHI
  • Intellectual property

5.10 Classify intrusion events into categories as defined by security models, such as Cyber Kill Chain Model and Diamond Model of Intrusion (Cisco Reference: Working with Intrusion Events, Diamond Model of Intrusion Analysis)

5.11 Describe the relationship of SOC metrics to scope analysis (time to detect, time to contain, time to respond, time to control)

Exam Policies

The candidate should visit the official Cisco website to understand Cisco's exam terms and policies. These cover important information such as age requirements and policies concerning minors, candidate identification and authentication, rights and responsibilities, confidentiality and agreements, and so on.
