Cisco Intermediate

200-201

CCNA CyberOps (Understanding Cisco Cybersecurity Operations Fundamentals)

The Cisco Certified CyberOps Associate (200-201 CBROPS) validates knowledge and skills needed to work with a Security Operations Center (SOC) team. This certification is designed for cybersecurity analysts and threat hunters who monitor, detect, analyze, and respond to security incidents.

The exam covers fundamental security concepts, security monitoring techniques, host-based analysis, network intrusion analysis, and security policies and procedures. Candidates must understand security event monitoring, security data analysis, intrusion event categories, common attack techniques, network and host telemetry, packet capture tools (Wireshark, tcpdump), endpoint security technologies, incident response processes, security information and event management (SIEM) systems, and security orchestration, automation, and response (SOAR) platforms.

This certification is ideal for SOC analysts, security analysts, incident responders, cybersecurity specialists, and network security engineers who need to understand the fundamentals of cybersecurity operations. It provides foundational knowledge for those pursuing advanced security certifications and careers in cybersecurity operations.

Updated Feb 2024 Cybersecurity

95

Въпроси

6

Пробни тестове

83%

Минимален резултат

50

Прегледи

0

Общо опити

0%

Ср. резултат

0%

Процент на успеваемост

0

Дискусии

Пробни тестове Флаш карти Теми на изпита Пищов

€5.00

CCNA CyberOps Practice Exam 1

Comprehensive 50-question practice exam for the Cisco 200-201 CCNA CyberOps certification.

50 Q 90 минути 70%

Пробно караме

€5.00

CCNA CyberOps Practice Exam 2

Comprehensive 50-question practice exam for the Cisco 200-201 CCNA CyberOps certification.

50 Q 90 минути 70%

Пробно караме

€5.00

CCNA CyberOps Practice Exam 3

Comprehensive 50-question practice exam for the Cisco 200-201 CCNA CyberOps certification.

50 Q 90 минути 70%

Пробно караме

€5.00

CCNA CyberOps Practice Exam 4

Comprehensive 50-question practice exam for the Cisco 200-201 CCNA CyberOps certification.

50 Q 90 минути 70%

Пробно караме

€5.00

CCNA CyberOps Practice Exam 5

Comprehensive 50-question practice exam for the Cisco 200-201 CCNA CyberOps certification.

50 Q 90 минути 70%

Пробно караме

€5.00

CCNA CyberOps Practice Exam 6

Comprehensive 50-question practice exam for the Cisco 200-201 CCNA CyberOps certification.

50 Q 90 минути 70%

Пробно караме

Отключете цялото съдържание за 200-201

6 Пробен/и тест/ове + Флаш карти — 3 месеца достъп

€39.99 €26.99 Спестете 30%

или включено в месечен абонамент / пакет съдържание

200-201 Cheat Sheet

Кратък справочник - 6 раздели

Безплатен достъп

200-201 CBROPS Exam Details

Detail	Value
Exam Code	200-201 CBROPS
Full Name	Understanding Cisco Cybersecurity Operations Fundamentals
Duration	120 minutes
Number of Questions	95 – 105 questions
Passing Score	750 – 850 / 1000 (variable)
Question Format	Multiple choice, multiple response, drag-and-drop
Exam Fee	$330 USD
Certification	Cisco Certified CyberOps Associate

Domain Weight Breakdown

Domain	Weight
1.0 Security Concepts	20%
2.0 Security Monitoring	25%
3.0 Host-Based Analysis	20%
4.0 Network Intrusion Analysis	20%
5.0 Security Policies and Procedures	15%

Certification Path & Exam Strategy

The 200-201 CBROPS is the single exam required for the Cisco Certified CyberOps Associate certification. It validates a candidate's ability to work as a junior-level cybersecurity analyst within a Security Operations Center (SOC). The certification covers security event monitoring, alert triage, incident response procedures, and the analysis of host-based and network-based intrusions.

After earning CyberOps Associate, candidates can pursue the CyberOps Professional certification (300-215 CBRFIR + 300-220 CBRTHD). There is no prerequisite for this exam, but Cisco recommends familiarity with networking fundamentals (CCNA-level knowledge), basic Linux/Windows administration, and an understanding of TCP/IP protocols.

Tip: Focus heavily on Security Monitoring (25%) and understand how to read packet captures, syslog output, and SIEM alerts. Be comfortable with the TCP/IP model, common ports, and the difference between various attack types.

CIA Triad

Principle	Definition	Threats	Controls
Confidentiality	Only authorized users can access data	Data breach, sniffing, social engineering	Encryption (AES, TLS), ACLs, classification
Integrity	Data has not been altered by unauthorized parties	MITM, malware modification, injection	Hashing (SHA-256, MD5), digital signatures, HMAC
Availability	Systems and data are accessible when needed	DDoS, hardware failure, ransomware	Redundancy, load balancing, backups, DR plans

SOC Roles & Responsibilities

Tier	Role	Responsibilities
Tier 1	Alert Analyst	Monitor SIEM dashboards, triage alerts, create tickets, escalate confirmed incidents
Tier 2	Incident Responder	Deep-dive analysis, correlate events, determine scope, contain threats, perform forensics
Tier 3	Threat Hunter / Expert	Proactive threat hunting, malware reverse engineering, develop detection rules, threat intel
SOC Manager	Management	Budgeting, staffing, metrics, reporting to CISO, policy enforcement

Threat Actors

Actor Type	Motivation	Sophistication	Examples
Script Kiddie	Curiosity, bragging rights	Low	Uses pre-built tools without understanding
Hacktivist	Political / social cause	Low to Medium	Anonymous, website defacement, DDoS
Cybercriminal	Financial gain	Medium to High	Ransomware groups, phishing campaigns, data theft
Insider Threat	Revenge, financial, accidental	Varies	Disgruntled employee, negligent user
Nation-State (APT)	Espionage, disruption, warfare	Very High	APT28, APT29, Lazarus Group, zero-day exploits

Security Frameworks & Standards

Framework	Purpose	Key Details
NIST CSF	Cybersecurity risk management	5 functions: Identify, Protect, Detect, Respond, Recover
NIST SP 800-61	Incident response guide	Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident
ISO 27001	Information security management (ISMS)	International standard, certifiable, risk-based approach
Cyber Kill Chain	Attack lifecycle model (Lockheed Martin)	Recon, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives
Diamond Model	Intrusion analysis	4 vertices: Adversary, Capability, Infrastructure, Victim

Cryptography Fundamentals

Type	Algorithms	Key Feature	Use Case
Symmetric	AES, 3DES, RC4, ChaCha20	Same key for encrypt/decrypt, fast	Bulk data encryption, VPN tunnels
Asymmetric	RSA, ECC, Diffie-Hellman, DSA	Public/private key pair, slower	Key exchange, digital signatures, TLS handshake
Hashing	MD5, SHA-1, SHA-256, SHA-512	One-way, fixed-length output	Integrity verification, password storage
HMAC	HMAC-SHA256, HMAC-MD5	Hash + secret key	Message authentication, integrity + authenticity

PKI (Public Key Infrastructure)

Certificate Authority (CA): Issues and signs digital certificates. Root CA is the trust anchor; subordinate/intermediate CAs sign end-entity certificates.
Digital Certificate (X.509): Contains subject name, public key, issuer (CA), validity period, serial number, and CA signature. Used in TLS/SSL to verify server identity.
Certificate Revocation: CRL (Certificate Revocation List) is a periodic list of revoked certs. OCSP (Online Certificate Status Protocol) provides real-time status checks.
TLS Handshake: Client Hello → Server Hello + Certificate → Key Exchange (asymmetric) → Session Keys (symmetric) → Encrypted Communication.

Tip: Know the difference between symmetric (fast, shared key) and asymmetric (slow, key pair) encryption. TLS uses asymmetric for key exchange, then switches to symmetric for the session.

Common Attack Types

Attack	Description	CIA Impact
Phishing / Spear Phishing	Deceptive emails tricking users into revealing credentials or clicking malicious links	Confidentiality
SQL Injection	Injecting SQL commands through user input to manipulate databases	Confidentiality, Integrity
Cross-Site Scripting (XSS)	Injecting malicious scripts into web pages viewed by others	Confidentiality, Integrity
DDoS	Overwhelming a target with traffic to deny service	Availability
Man-in-the-Middle (MITM)	Intercepting communication between two parties (ARP spoofing, DNS poisoning)	Confidentiality, Integrity
Buffer Overflow	Writing data beyond buffer boundary to execute arbitrary code	All three
DNS Tunneling	Encoding data within DNS queries to exfiltrate data or bypass firewalls	Confidentiality

TCP/IP Model vs OSI Model

TCP/IP Layer	OSI Layers	PDU	Key Protocols
Application	7 Application, 6 Presentation, 5 Session	Data	HTTP, HTTPS, DNS, DHCP, FTP, SMTP, SSH, SNMP, Syslog
Transport	4 Transport	Segment	TCP (reliable, 3-way handshake), UDP (unreliable, fast)
Internet	3 Network	Packet	IPv4, IPv6, ICMP, ARP, IGMP
Network Access	2 Data Link, 1 Physical	Frame / Bits	Ethernet (802.3), Wi-Fi (802.11), ARP, PPP

Common Protocols & Ports

Port	Protocol	Transport	Description
20/21	FTP	TCP	File Transfer (20=data, 21=control)
22	SSH / SCP / SFTP	TCP	Encrypted remote access & file transfer
23	Telnet	TCP	Unencrypted remote access (insecure)
25	SMTP	TCP	Email sending
53	DNS	TCP/UDP	Domain name resolution
67/68	DHCP	UDP	Dynamic IP assignment (67=server, 68=client)
80	HTTP	TCP	Web traffic (unencrypted)
110	POP3	TCP	Email retrieval (downloads to client)
143	IMAP	TCP	Email retrieval (server-side sync)
161/162	SNMP	UDP	Network monitoring (161=agent, 162=traps)
443	HTTPS	TCP	Encrypted web traffic (TLS/SSL)
514	Syslog	UDP	Centralized logging
3389	RDP	TCP	Remote Desktop Protocol (Windows)

Tip: Memorize all ports above. The exam frequently tests your ability to identify protocols by port numbers, especially in packet captures and log analysis questions.

TCP Three-Way Handshake & Flags

Step	Direction	Flags	Description
1	Client → Server	SYN	Client initiates connection (SEQ=x)
2	Server → Client	SYN-ACK	Server acknowledges and syncs (SEQ=y, ACK=x+1)
3	Client → Server	ACK	Client confirms (ACK=y+1), connection established

TCP Flags: SYN (synchronize), ACK (acknowledge), FIN (finish/close), RST (reset/abort), PSH (push data immediately), URG (urgent pointer). SYN Flood Attack: Attacker sends many SYN packets without completing the handshake, exhausting server connection table resources.

Syslog Severity Levels

Level	Keyword	Description
0	Emergency	System is unusable
1	Alert	Immediate action needed
2	Critical	Critical conditions
3	Error	Error conditions
4	Warning	Warning conditions
5	Notification	Normal but significant
6	Informational	Informational messages
7	Debugging	Debug-level messages

Mnemonic: "Every Awesome Cisco Engineer Will Need Ice-cream Daily". Syslog format: <priority>timestamp hostname: %facility-severity-mnemonic: message. Priority = (facility × 8) + severity.

SNMP (Simple Network Management Protocol)

Version	Authentication	Encryption	Security
SNMPv1	Community string (plaintext)	None	Insecure
SNMPv2c	Community string (plaintext)	None	Insecure (improved bulk ops)
SNMPv3	Username + HMAC (MD5/SHA)	DES/AES	Secure (recommended)

Components: Manager (NMS) polls agents. Agents reside on managed devices. MIB (Management Information Base) defines the data structure. GET retrieves data, SET modifies config, TRAP sends unsolicited alerts (UDP 162).

SIEM & Log Analysis

SIEM (Security Information and Event Management): Aggregates logs from multiple sources (firewalls, IDS/IPS, servers, endpoints), normalizes data, correlates events, generates alerts, and provides dashboards for SOC analysts. Examples: Splunk, Cisco SecureX, IBM QRadar, Elastic SIEM, LogRhythm.

Log Source	What It Reveals	Key Fields
Firewall Logs	Allowed/denied traffic, policy violations	src/dst IP, port, action, rule ID
Proxy / Web Logs	URL requests, user-agent strings, HTTP status	URL, method, status code, bytes
Windows Event Logs	Logon/logoff, process creation, policy changes	Event ID, source, user, timestamp
DNS Logs	Domain lookups (detect C2, tunneling, DGA)	Query name, type, response, client IP
IDS/IPS Alerts	Signature matches, anomalies	Signature ID, severity, src/dst, payload

Packet Analysis & Wireshark

Wireshark is the primary tool for deep packet inspection. SOC analysts use it to analyze captured PCAP files, identify anomalous traffic patterns, extract artifacts, and validate SIEM alerts.

Wireshark Filter	Purpose
ip.addr == 10.0.0.1	Show all traffic to/from 10.0.0.1
tcp.port == 443	Show HTTPS traffic
tcp.flags.syn == 1 && tcp.flags.ack == 0	Show SYN packets only (detect SYN scan/flood)
dns.qry.name contains "evil"	Filter DNS queries containing a keyword
http.request.method == "POST"	Show HTTP POST requests (data exfil, logins)
tcp.analysis.retransmission	Show retransmitted packets (network issues)

Tip: Wireshark display filters use a dot notation (e.g., tcp.port) while capture filters use BPF syntax (e.g., port 80). Know the difference for the exam.

NetFlow / IPFIX

NetFlow: Cisco protocol that collects IP traffic statistics as flows. A flow is defined by 5-tuple: source IP, destination IP, source port, destination port, protocol. Does not capture full packet content (unlike PCAP) but provides metadata about traffic patterns, volumes, and conversations.

Use cases: Bandwidth monitoring, anomaly detection, identifying top talkers, detecting data exfiltration, baseline traffic analysis
IPFIX: IETF standard based on NetFlow v9, vendor-neutral alternative
sFlow: Sampling-based alternative (samples 1 in N packets), lower overhead
Key difference: NetFlow provides flow metadata (who talked to whom), PCAP provides full payload content. Use NetFlow for broad visibility, PCAP for deep investigation.

Regex for Log Parsing (Common Patterns)

Pattern	Regex	Matches
IPv4 Address	\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}	192.168.1.1
Email Address	[\w.-]+@[\w.-]+\.\w+	[email protected]
MAC Address	([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}	aa:bb:cc:dd:ee:ff
URL	https?://[\w./-]+	https://example.com/path
Failed Login	Failed password for .* from \d+\.\d+\.\d+\.\d+	SSH brute force in auth.log

Key metacharacters: . (any char), * (0+ repeats), + (1+ repeats), ? (0 or 1), \d (digit), \w (word char), ^ (start), $ (end), [ ] (character class), | (alternation).

IDS vs IPS

Feature	IDS (Intrusion Detection)	IPS (Intrusion Prevention)
Placement	Out-of-band (passive, copy of traffic)	Inline (active, traffic flows through)
Action	Detects and alerts only	Detects, alerts, AND blocks
Latency Impact	None (passive monitoring)	Adds latency (inline inspection)
Failure Mode	Fail-open (traffic continues)	Fail-open or fail-close (configurable)

Detection Method	How It Works	Strengths / Weaknesses
Signature-Based	Matches traffic against known attack patterns	Fast, low false positives; cannot detect unknown/zero-day attacks
Anomaly-Based	Compares traffic to a learned baseline of normal behavior	Can detect zero-day; higher false positive rate, needs training period
Policy-Based	Triggers on violations of administrator-defined rules	Precise; requires manual rule definition and maintenance

HIDS vs NIDS: Host-based IDS monitors a single host (file integrity, process activity, logs). Network-based IDS monitors network segments (packet inspection). Examples: Snort (NIDS/NIPS), Suricata (NIDS), OSSEC (HIDS), Cisco Secure IPS (NIPS).

Malware Types & Analysis

Malware Type	Behavior	Key Indicators
Virus	Attaches to files, requires user action to spread	Modified file hashes, altered executables
Worm	Self-replicating, no host file needed, spreads via network	High network traffic, rapid spread across hosts
Trojan	Disguised as legitimate software, opens backdoor	Unexpected outbound connections, new services
Ransomware	Encrypts files, demands ransom for decryption key	Mass file encryption, ransom notes, .encrypted extensions
Rootkit	Hides deep in OS (kernel/boot level), persistent access	Hidden processes, modified system binaries, stealth behavior
RAT (Remote Access Trojan)	Provides remote control to attacker	Outbound C2 beacons, reverse shell connections
Fileless Malware	Executes in memory, no files on disk	PowerShell abuse, WMI events, registry persistence

Analysis methods: Static analysis – examine without execution (strings, hashes, PE headers, disassembly). Dynamic analysis – run in sandbox and observe behavior (network calls, file changes, registry mods). Sandboxing tools: Cuckoo Sandbox, Cisco Threat Grid, Any.run, Joe Sandbox.

Indicators of Compromise (IoCs)

IoC Type	Examples	Where to Look
Network-Based	Unusual outbound traffic, beaconing patterns, connections to known-bad IPs/domains, DNS anomalies (DGA domains), large data transfers at odd hours	NetFlow, firewall logs, DNS logs, proxy logs
Host-Based	Unknown processes, modified system files, new scheduled tasks, registry changes, unexpected services, file hash mismatches	Process list, file system, registry, event logs
Email-Based	Suspicious attachments, phishing URLs, spoofed sender addresses, header anomalies	Email gateway logs, header analysis
Behavioral	Multiple failed logins, privilege escalation attempts, lateral movement, access at unusual times	SIEM correlation rules, authentication logs

MITRE ATT&CK Framework

MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. It provides a common language for describing attacks and helps defenders map detection coverage.

Tactic (What)	Example Techniques (How)
Reconnaissance	Active scanning, search open websites, gather victim info
Initial Access	Phishing (T1566), exploit public-facing app, drive-by compromise
Execution	PowerShell (T1059.001), command-line, scripting, user execution
Persistence	Registry run keys, scheduled tasks, boot/logon autostart, web shell
Privilege Escalation	Exploitation for privilege escalation, access token manipulation
Defense Evasion	Obfuscation, disabling security tools, masquerading, rootkits
Credential Access	Brute force, credential dumping (Mimikatz), keylogging
Lateral Movement	Remote services (RDP, SSH, SMB), pass-the-hash, WMI
Collection	Data from local system, email collection, screen capture
Command & Control	DNS tunneling, HTTPS C2, encrypted channels, domain fronting
Exfiltration	Exfil over C2 channel, over web, to cloud storage, DNS
Impact	Data encryption (ransomware), data destruction, service stop

Tip: The exam expects you to map observed behavior to tactics and techniques. Understand the difference between a tactic (the goal) and a technique (how the goal is achieved).

Windows Forensic Artifacts

Artifact	Location / Tool	What It Reveals
Event Logs	Event Viewer, %SystemRoot%\System32\winevt\Logs\	Security (4624 logon, 4625 failed, 4688 process creation), System, Application
Registry	HKLM, HKCU, regedit	Autorun entries (Run/RunOnce), installed software, USB history, user activity
Prefetch	C:\Windows\Prefetch\*.pf	Programs executed, run count, last execution timestamp
Processes	Task Manager, tasklist, Process Explorer	Running processes, parent-child relationships, loaded DLLs
Network Connections	netstat -anob	Active connections, listening ports, associated processes

Linux Forensic Artifacts

Artifact	Location / Command	What It Reveals
Auth Logs	/var/log/auth.log (Debian) or /var/log/secure (RHEL)	Login attempts (success/fail), sudo usage, SSH access
Syslog	/var/log/syslog or /var/log/messages	System events, kernel messages, service status
Processes	ps aux, top, /proc/[pid]/	Running processes, command-line arguments, memory maps
Network	ss -tulnp, netstat -tulnp	Listening ports, established connections, associated PIDs
Cron Jobs	/etc/crontab, /var/spool/cron/, crontab -l	Scheduled tasks (persistence mechanism)
Bash History	~/.bash_history	Commands executed by user (may be cleared by attacker)
File Permissions	ls -la, find / -perm -4000 (SUID)	Unusual SUID/SGID files can indicate privilege escalation

Incident Response Process (NIST SP 800-61)

Phase	Activities	Key Outputs
1. Preparation	Develop IR plan, build IR team, deploy tools (SIEM, forensics), training, playbooks	IR policy, communication plan, tool readiness
2. Detection & Analysis	Monitor alerts, triage events, determine scope/severity, collect evidence, identify IoCs	Confirmed incident, severity classification, evidence preservation
3. Containment, Eradication & Recovery	Short-term containment (isolate), long-term containment (patch), eradicate root cause, restore systems, verify	Contained threat, clean systems, validated recovery
4. Post-Incident Activity	Lessons learned meeting, update procedures, improve detection, document timeline, retain evidence	Post-mortem report, updated playbooks, metrics

Tip: The exam loves asking about the correct order of IR phases and what happens in each. Remember: you must DETECT before you CONTAIN, and always do a LESSONS LEARNED session afterward.

Evidence Handling & Chain of Custody

Order of Volatility: Collect most volatile evidence first: 1) CPU registers/cache, 2) RAM/memory, 3) Network state/connections, 4) Running processes, 5) Disk (file system), 6) Remote logs, 7) Physical media/backups
Chain of Custody: Document who collected the evidence, when, how, where it was stored, and who had access. Any break in the chain can invalidate evidence in legal proceedings.
Forensic Imaging: Create bit-for-bit copy (dd, FTK Imager). Always work on the copy, never the original. Verify with hash (MD5/SHA-256) to prove integrity.
Write Blocker: Hardware or software device that prevents modification of the original evidence during acquisition.

Vulnerability Management Lifecycle

Step	Activity	Tools / Methods
1. Discover	Inventory all assets (hardware, software, services)	Nmap, asset management, CMDB
2. Scan	Run vulnerability scans against all assets	Nessus, Qualys, OpenVAS, Rapid7
3. Assess	Prioritize findings by risk (CVSS, asset value, exploitability)	CVSS scoring, threat intelligence
4. Remediate	Patch, reconfigure, or mitigate vulnerabilities	Patch management, WAF, compensating controls
5. Verify	Re-scan to confirm remediation effectiveness	Follow-up scan, penetration testing
6. Report	Document findings, track metrics, report to management	Dashboards, compliance reports

CVSS (Common Vulnerability Scoring System)

Score Range	Severity	Example
0.0	None	Informational finding
0.1 – 3.9	Low	Information disclosure with limited impact
4.0 – 6.9	Medium	XSS requiring user interaction
7.0 – 8.9	High	Remote code execution with authentication required
9.0 – 10.0	Critical	Unauthenticated remote code execution (e.g., Log4Shell 10.0)

CVSS Metric Groups: Base (attack vector, complexity, privileges, user interaction, scope, CIA impact), Temporal (exploit maturity, remediation level, report confidence), Environmental (modified base + asset importance). CVE = unique vulnerability identifier (e.g., CVE-2021-44228). CWE = weakness category (e.g., CWE-79 XSS).

Access Control Models

Model	Description	Example
DAC (Discretionary)	Owner decides who gets access (most flexible, least secure)	Linux file permissions (rwx), Windows NTFS ACLs
MAC (Mandatory)	System enforces access based on labels/clearances (most restrictive)	SELinux, military classification (Top Secret, Secret)
RBAC (Role-Based)	Access based on assigned roles, not individual identity	Active Directory groups, cloud IAM roles
ABAC (Attribute-Based)	Access based on attributes (user, resource, environment, action)	Allow access if department=HR AND time=business_hours

Compliance & Regulatory Frameworks

Standard	Scope	Key Requirement
PCI DSS	Payment card data	Protect cardholder data, 12 requirements, quarterly scans
HIPAA	Healthcare (US)	Protect PHI (Protected Health Information), breach notification
GDPR	EU personal data	Right to erasure, data minimization, 72-hour breach notification
SOX	Financial reporting (US)	Internal controls for financial data, audit trails

Security Tools Comparison

Tool	Category	Purpose	Key Detail
Wireshark	Packet Analysis	Deep packet inspection, protocol analysis	GUI, reads PCAP files, display/capture filters
tcpdump	Packet Capture	Command-line packet capture	BPF syntax, lightweight, saves to PCAP
Snort	NIDS/NIPS	Signature-based intrusion detection/prevention	Open-source, rule-based, inline or passive mode
Suricata	NIDS/NIPS	Multi-threaded IDS/IPS	Snort-compatible rules, multi-threaded, built-in protocol parsing
Nmap	Network Scanner	Port scanning, host discovery, service detection	SYN scan (-sS), OS detection (-O), NSE scripts
Nessus	Vulnerability Scanner	Identify known vulnerabilities in systems	Plugin-based, CVSS scoring, compliance audits
Splunk	SIEM	Log aggregation, search, correlation, dashboards	SPL query language, real-time alerts, apps
OSSEC	HIDS	Host-based intrusion detection, file integrity monitoring	Open-source, agent-based, log analysis, rootkit detection
Cisco Secure IPS	NIPS	Cisco's network IPS solution	Integrated with Firepower, Talos intelligence feeds
Cisco SecureX	XDR / Platform	Unified visibility across Cisco security portfolio	Threat response, orchestration, built-in integrations

Firewall Types Comparison

Type	Inspection Level	Capabilities
Packet Filtering	Layer 3-4 (IP, port)	Stateless, fast, basic ACL rules, no session tracking
Stateful Inspection	Layer 3-4 (with state)	Tracks connection state (SYN/ACK), allows return traffic
Application Proxy	Layer 7	Full protocol analysis, breaks and rebuilds connections
NGFW (Next-Gen)	Layer 3-7	Deep packet inspection, app awareness, IPS, URL filtering, threat intelligence, TLS inspection

Encryption Protocol Comparisons

Protocol	Layer	Encryption	Use Case
TLS 1.2/1.3	Transport (Layer 5-6)	AES-GCM, ChaCha20	HTTPS, secure email, API security
IPsec	Network (Layer 3)	AES, 3DES + HMAC	Site-to-site VPN, remote access VPN
SSH	Application (Layer 7)	AES, ChaCha20	Secure remote access, SFTP, SCP
WPA2/WPA3	Data Link (Layer 2)	AES-CCMP / AES-GCMP	Wireless network security

Alert Classification

Classification	Definition	SOC Impact
True Positive (TP)	Alert fired, real attack occurred	Correct detection – investigate and respond
False Positive (FP)	Alert fired, but no real attack	Wastes analyst time – tune detection rules
True Negative (TN)	No alert, no attack	Normal operation – working as expected
False Negative (FN)	No alert, but real attack occurred	Missed detection – most dangerous, improve signatures

Tip: False Negatives are the most dangerous because a real attack goes undetected. False Positives cause alert fatigue but are less harmful. Tuning rules aims to minimize both.

Network Defense in Depth

Layer	Security Controls
Perimeter	NGFW, IPS, DDoS mitigation, DMZ, proxy servers
Network	Network segmentation, VLANs, ACLs, NAC (802.1X), VPN
Endpoint	EDR/AV, host firewall, patch management, disk encryption
Application	WAF, input validation, secure coding, code review
Data	Encryption at rest/transit, DLP, classification, access controls
User	MFA, security awareness training, least privilege, strong passwords

Cisco Security Product Portfolio

Product	Function	Key Feature
Cisco Secure Firewall (Firepower)	NGFW + IPS	Application visibility, Snort-based IPS, URL filtering, Talos feeds
Cisco Secure Endpoint (AMP)	EDR	Endpoint detection & response, file trajectory, retrospective security
Cisco Umbrella	DNS Security / CASB	DNS-layer protection, blocks malicious domains before connection
Cisco Secure Email	Email Gateway	Anti-phishing, anti-spam, malware scanning, DLP
Cisco ISE	NAC / AAA	802.1X, posture assessment, guest access, TrustSec SGT
Cisco Stealthwatch	NTA (Network Traffic Analysis)	NetFlow-based anomaly detection, encrypted traffic analytics
Cisco Talos	Threat Intelligence	Largest commercial threat intel team, feeds all Cisco security products
Cisco SecureX	XDR Platform	Unified visibility, threat response orchestration, built-in integrations

Key Acronyms Quick Reference

Acronym	Full Name
SOC	Security Operations Center
SIEM	Security Information and Event Management
IDS / IPS	Intrusion Detection System / Intrusion Prevention System
NGFW	Next-Generation Firewall
EDR	Endpoint Detection and Response
XDR	Extended Detection and Response
NAC	Network Access Control
DLP	Data Loss Prevention
APT	Advanced Persistent Threat
IoC	Indicator of Compromise
TTP	Tactics, Techniques, and Procedures
CVSS	Common Vulnerability Scoring System
CVE	Common Vulnerabilities and Exposures
PCAP	Packet Capture
NTA	Network Traffic Analysis