- Updated on: 25-May-2026
- Performing CyberOps Using Core Security Technologies (CBRCOR)
Free Cisco 350-201 Practice Questions 2026 | Performing CyberOps Using Core Security Technologies (CBRCOR)
An engineer receives a report that indicates a possible incident of a malicious insider sending company information to outside parties. What is the first action the engineer must take to determine whether an incident has occurred?
A. Analyze environmental threats and causes
B. Inform the product security incident response team to investigate further
C. Analyze the precursors and indicators
D. Inform the computer security incident response team to investigate further
An engineer received an alert of a zero-day vulnerability affecting desktop phones through which an attacker sends a crafted packet to a device, resets the credentials, makes the device unavailable, and allows a default administrator account login. Which step should an engineer take after receiving this alert?
A. Initiate a triage meeting to acknowledge the vulnerability and its potential impact
B. Determine company usage of the affected products
C. Search for a patch to install from the vendor
D. Implement restrictions within the VoIP VLANS
A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?
A. Create a follow-up report based on the incident documentation.
B. Perform a vulnerability assessment to find existing vulnerabilities.
C. Eradicate malicious software from the infected machines.
D. Collect evidence and maintain a chain-of-custody during further analysis.
A security incident affected an organization’s critical business services, and the customer-side web API became unresponsive and crashed. An investigation revealed a spike of API call requests and a high number of inactive sessions during the incident. Which two recommendations should the engineers make to prevent similar incidents in the future? (Choose two.)
A. Configure shorter timeout periods.
B. Determine API rate-limiting requirements.
C. Implement API key maintenance.
D. Automate server-side error reporting for customers.
E. Decrease simultaneous API responses.
B. Determine API rate-limiting requirements.
A cloud engineer needs a solution to deploy applications on a cloud without being able to manage and control the server OS. Which type of cloud environment should be used?
A. IaaS
B. PaaS
C. DaaS
D. SaaS
A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled “Invoice RE: 0004489”. The hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web. What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?
A. Run and analyze the DLP Incident Summary Report from the Email Security Appliance
B. Ask the company to execute the payload for real-time analysis
C. Investigate further in open source repositories using YARA to find matches
D. Obtain a copy of the file for detonation in a sandbox
An engineer is developing an application that requires frequent updates to close feedback loops and enable teams to quickly apply patches. The team wants their code updates to get to market as often as possible. Which software development approach should be used to accomplish these goals?
A. continuous delivery
B. continuous integration
C. continuous deployment
D. continuous monitoring
The network operations center has identified malware, created a ticket within their ticketing system, and assigned the case to the SOC with high-level information. A SOC analyst was able to stop the malware from spreading and identified the attacking host. What is the next step in the incident response workflow?
A. eradication and recovery
B. post-incident activity
C. containment
D. detection and analysis
Engineers are working to document, list, and discover all used applications within an organization. During the regular assessment of applications from the HR backup server, an engineer discovered an unknown application. The analysis showed that the application is communicating with external addresses on a non-secure, unencrypted channel. Information gathering revealed that the unknown application does not have an owner and is not being used by a business unit. What are the next two steps the engineers should take in this investigation? (Choose two.)
A. Determine the type of data stored on the affected asset, document the access logs, and engage the incident response team.
B. Identify who installed the application by reviewing the logs and gather a user access log from the HR department.
C. Verify user credentials on the affected asset, modify passwords, and confirm available patches and updates are installed.
D. Initiate a triage meeting with department leads to determine if the application is owned internally or used by any business unit and document the asset owner.
B. Identify who installed the application by reviewing the logs and gather a user access log from the HR department.
A SOC team is investigating a recent, targeted social engineering attack on multiple employees. Cross-correlated log analysis revealed that two hours before the attack, multiple assets received requests on TCP port 79. Which action should be taken by the SOC team to mitigate this attack?
A. Disable BIND forwarding from the DNS server to avoid reconnaissance.
B. Disable affected assets and isolate them for further investigation.
C. Configure affected devices to disable NETRJS protocol.
D. Configure affected devices to disable the Finger service.