Updated on: 25-May-2026

Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)


Topic 1: Exam Pool A

What is the primary benefit of deploying an ESA in hybrid mode?

A. You can fine-tune its settings to provide the optimum balance between security and performance for your environment

B. It provides the lowest total cost of ownership by reducing the need for physical appliances

C. It provides maximum protection and control of outbound messages

D. It provides email security while supporting the transition to the cloud

D.   It provides email security while supporting the transition to the cloud

Explanation:
"Hybrid mode" for an ESA refers to Cisco Hybrid Email Security: an on-premises ESA (physical or virtual) operated together with Cisco Secure Email Cloud under one license. It is designed for organizations that are not ready to move email security entirely to the cloud but want to begin using it.

D) It provides email security while supporting the transition to the cloud is CORRECT.
In the hybrid model the organization keeps an on-premises ESA for the functions it wants to retain direct control over, typically outbound mail, DLP and encryption, while inbound filtering and cloud-delivered services such as file reputation and file analysis (sandboxing) are handled by Cisco's cloud. The organization keeps its existing infrastructure and policy control while gradually taking advantage of the cloud service's scale and always-current protections, which makes the eventual full migration a smaller step.

Why the other options are incorrect:

A) You can fine-tune its settings to provide the optimum balance between security and performance for your environment is INCORRECT.
While fine-tuning is possible on an ESA, this is a capability of the appliance itself in any deployment mode (standalone, centralized, hybrid), not the primary benefit specific to "hybrid mode."

B) It provides the lowest total cost of ownership by reducing the need for physical appliances is INCORRECT.
Hybrid mode still requires a physical (or virtual) on-premises ESA appliance. A "lowest TCO" argument is typically made for a full cloud solution (SaaS), which eliminates the need for on-premises hardware and its associated maintenance.

C) It provides maximum protection and control of outbound messages is INCORRECT.
Control of outbound messages is a function of Data Loss Prevention (DLP) policies, which can be implemented on the ESA regardless of its deployment mode. "Maximum protection" is subjective, but hybrid mode's primary benefit is the blend of on-premises and cloud, not a specific focus on outbound control.

Reference:
Cisco ESA Administration Guide, "Hybrid Services": The official documentation describes the hybrid model as a way to "combine the power of the cloud with the control of an on-premises appliance" and "support your cloud journey."

Which policy represents a shared set of features or parameters that define the aspects of a managed device that are likely to be similar to other managed devices in a deployment?

A. Group Policy

B. Access Control Policy

C. Device Management Policy

D. Platform Service Policy

D.   Platform Service Policy

Explanation
This question is about a policy type in Cisco Firepower Management Center (FMC, now Secure Firewall Management Center) used to manage Firepower Threat Defense (FTD) devices.

What the question calls a Platform Service Policy corresponds to FMC's Platform Settings policy: a shared policy that holds the device-level (operating-system and management-plane) configuration of a managed device, as opposed to the rules that handle traffic. These settings are usually standardized across many devices in a deployment.

Examples of settings configured in a Platform Settings policy for FTD include:

SSH and HTTPS management-access lists (which hosts may administer the device)

SNMP configuration

Syslog settings

DNS and time synchronization (NTP) settings

Login banner and management-session timeouts

External authentication of device administrators (RADIUS/LDAP)

Because these are foundational settings that are typically identical for groups of firewalls (for example, all internal firewalls or all DMZ firewalls), one Platform Settings policy is created and then assigned to multiple managed devices, which is exactly what the question describes. Settings that are genuinely device-specific, such as interface addressing and DHCP server scopes, are configured per device under Device Management instead.

Why the other options are incorrect:

A. Group Policy:
This is a term primarily used in Cisco ASA for Remote Access VPNs. A Group Policy defines connection parameters for groups of remote access users (like IP pools, split-tunneling rules). It is not used for defining device-level platform settings in FMC.

B. Access Control Policy:
This is the core policy that defines the firewall rules—what traffic is allowed, blocked, or trusted. It controls traffic flow and inspection, but it does not define the underlying platform services of the managed device itself.

C. Device Management Policy:
This is not a standard policy type in FMC. While you manage devices, the specific policy for platform-level services is the "Platform Service Policy."

Reference:
The function of the Platform Settings policy is defined in the FMC configuration guide.

The Cisco Secure Firewall Management Center Configuration Guide ("Platform Settings" chapter) describes a platform settings policy as a shared set of features or parameters that define the aspects of a managed device that are likely to be similar to other managed devices in a deployment, and notes that one policy can be assigned to multiple devices. This matches the wording of the question almost verbatim.

An engineer needs behavioral analysis to detect malicious activity on the hosts, and is configuring the organization’s public cloud to send telemetry using the cloud provider’s mechanisms to a security device. Which mechanism should the engineer configure to accomplish this goal?

A. mirror port

B. Flow

C. NetFlow

D. VPC flow logs

D.   VPC flow logs

Explanation for Each Option:

A. mirror port (Incorrect):
A mirror port (e.g., SPAN or port mirroring) is a network switch feature that copies traffic to a monitoring device. It is not a cloud provider mechanism for sending telemetry from a public cloud environment, making it unsuitable for this scenario. (Reference: Cisco Switch SPAN Configuration Guide.)

B. Flow (Incorrect):
"Flow" is a generic term for network traffic data and is not a specific mechanism provided by cloud providers for telemetry. It lacks the context of a standardized cloud telemetry solution, rendering this option incorrect. (Reference: Cisco NetFlow Overview.)

C. NetFlow (Incorrect):
NetFlow is the flow-export format Cisco originated (later standardized as IPFIX) for collecting IP traffic statistics from routers, switches and firewalls. A workload can run a NetFlow exporter, but NetFlow is not the cloud provider's own telemetry mechanism for the virtual network, which is what the question asks for. (Reference: Cisco NetFlow Configuration Guide.)

D. VPC flow logs (Correct):
VPC flow logs are the provider-native record of IP traffic to and from network interfaces in a virtual private cloud; AWS and Google Cloud both use this name, and Azure's equivalent is NSG/VNet flow logs. Each record carries source and destination address and port, protocol, packet and byte counts and the accept/reject decision. Exporting these records to a security analytics platform (for example Cisco Secure Cloud Analytics, formerly Stealthwatch Cloud) gives it the per-host behavioral baseline it needs, without any agent or traffic mirror in the VPC. (Reference: AWS VPC Flow Logs documentation, Cisco Secure Cloud Analytics integration guide.)

Additional Notes:
Configuring cloud telemetry for behavioral analysis is covered in the 350-701 SCOR blueprint under cloud security.
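The behavioral-analysis step the question describes, as an added example that is not part of the original page and not Cisco Secure Cloud Analytics code: a parser for AWS's default (version 2) VPC flow log record format and two host-behavior heuristics run over constructed records. The field order is AWS's; the sample records, the VPC CIDR 10.0.0.0/16, the thresholds and the function names are assumptions made for the illustration.

```python
"""Behavioral analysis over AWS VPC flow log records (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Field order of the AWS default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption for the example: the VPC's own address range, used to tell
# east-west traffic from egress to the Internet.
VPC_CIDR = ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line. NODATA/SKIPDATA rows have '-' in the
    traffic fields and carry no flow, so they are returned as None."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        raise ValueError(f"not a version-2 default-format record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), action=rec["action"],
    )


def parse_flow_log(text: str) -> List[FlowRecord]:
    """Parse a whole log body, skipping rows that carry no flow data."""
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def detect_port_scans(records: List[FlowRecord],
                      min_rejected_ports: int = 5) -> Dict[Tuple[str, str], List[int]]:
    """A host probing many distinct ports on one peer, each attempt rejected by
    the security group or NACL, is the classic flow-log signature of a scan."""
    rejected: Dict[Tuple[str, str], set] = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            rejected[(r.srcaddr, r.dstaddr)].add(r.dstport)
    return {pair: sorted(ports) for pair, ports in rejected.items()
            if len(ports) >= min_rejected_ports}


def detect_large_egress(records: List[FlowRecord],
                        threshold_bytes: int = 1_000_000) -> Dict[str, int]:
    """Sum bytes each VPC host sends to addresses outside the VPC; a host whose
    outbound volume jumps past its baseline is a candidate for exfiltration."""
    egress: Dict[str, int] = defaultdict(int)
    for r in records:
        inside_src = ip_address(r.srcaddr) in VPC_CIDR
        outside_dst = ip_address(r.dstaddr) not in VPC_CIDR
        if inside_src and outside_dst and r.action == "ACCEPT":
            egress[r.srcaddr] += r.bytes
    return {host: total for host, total in egress.items() if total >= threshold_bytes}


# Constructed sample: one host sweeping ports on a peer, one host pushing
# 1.3 MB to an outside address, a little normal traffic, and a NODATA row.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 51001 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 51002 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 51003 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 51004 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 51005 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 51010 443 6 20 20000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.7 203.0.113.10 52000 443 6 800 700000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.7 203.0.113.10 52001 443 6 700 600000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.7 10.0.2.9 52002 443 6 10 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3f - - - - - - - 1700000000 1700000060 - NODATA
"""


def analyse(text: str = SAMPLE_FLOW_LOG):
    """Run both heuristics over a log body; returns (port_scans, large_egress)."""
    records = parse_flow_log(text)
    return detect_port_scans(records), detect_large_egress(records)


if __name__ == "__main__":
    scans, egress = analyse()
    print("port scans:", scans)
    print("large egress:", egress)
```

Thresholds like these need a per-host or per-role baseline to be meaningful; the fixed numbers above only suit the constructed sample. Flow logs also carry no payload, so anything that depends on content (DNS names, HTTP paths) needs a different source, such as resolver query logs.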

What is the role of an endpoint in protecting a user from a phishing attack?

A. Use Cisco Stealthwatch and Cisco ISE Integration

B. Utilize 802.1X network security to ensure unauthorized access to resources

C. Use machine learning models to help identify anomalies and determine expected sending behavior

D. Ensure that antivirus and anti malware software is up to date

D.   Ensure that antivirus and anti malware software is up to date



Summary
The question focuses on the role of the endpoint itself (the user's device) in protecting against phishing. Phishing attacks often trick users into clicking malicious links or opening infected attachments. While network and email security solutions are the first line of defense, the endpoint's local software is the last line of defense, responsible for detecting and neutralizing malicious payloads that reach the device.

Correct Option:

D. Ensure that antivirus and anti malware software is up to date:
This is the primary direct role of the endpoint. Modern endpoint protection software (like Cisco Secure Endpoint) includes signatures and behavioral analysis to detect and block known phishing payloads, such as malware downloaded from a phishing link or contained in an attachment. Keeping this software updated ensures it can recognize the latest threats, providing crucial on-device protection.

Incorrect Option:

A. Use Cisco Stealthwatch and Cisco ISE Integration:
This describes a network-based security control. Stealthwatch (network traffic analysis) and ISE (access control) work together to detect compromised endpoints and restrict their network access. This is an important security function, but it is not a role performed by the endpoint itself.

B. Utilize 802.1X network security to ensure unauthorized access to resources:
This is a network access control mechanism. 802.1X authenticates a user/device before granting network access. It helps prevent unauthorized devices from connecting but does not directly protect a user from the content of a phishing email they receive after being authenticated.

C. Use machine learning models to help identify anomalies and determine expected sending behavior:
This describes the function of a cloud-based email security gateway (like Cisco Secure Email). This technology scans emails before they reach the user's endpoint to identify and quarantine phishing attempts. The endpoint itself does not perform this large-scale, sender-behavior analysis.

Reference
Cisco Secure Endpoint Data Sheet: https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/endpoint-data-sheet.html (This outlines how the endpoint software provides protection by blocking malware, which is the final payload of many phishing attacks, fulfilling its role as the last line of defense).

In which form of attack is alternate encoding, such as hexadecimal representation, most often observed?

A. Smurf

B. distributed denial of service

C. cross-site scripting

D. rootkit exploit

C.   cross-site scripting



Summary
The question asks about an attack type that commonly uses alternate encoding, like hexadecimal, to evade detection. Attackers use encoding to disguise malicious input, making it appear benign to simple security filters. The goal is to obfuscate the payload so that it passes through initial defenses but is still executed correctly by the target application or system.

Correct Option

C. cross-site scripting:
Cross-site scripting (XSS) attacks frequently use alternate encoding to disguise the injected script. Instead of sending a literal <script> tag, an attacker submits it as percent-encoded hexadecimal (%3Cscript%3E), HTML numeric character references (&#x3c;script&#x3e;), JavaScript \x or \u escapes, or base64 inside a data: URI, so that a web application firewall or input filter looking for the literal characters does not match. The server or browser then decodes the input in the context where it lands and executes the script anyway.

Incorrect Option

A. Smurf:
A Smurf attack is an ICMP reflection/amplification denial-of-service attack: the attacker sends echo requests with a spoofed source address (the victim's) to a network's broadcast address, and every host on that network replies to the victim. It relies on IP spoofing and amplification, not on obfuscating payload content through character encoding.

B. distributed denial of service:
While DDoS attacks may use various techniques, they primarily focus on overwhelming a target with a massive volume of traffic or connection requests. The packets themselves are typically valid and do not require content obfuscation through encoding to achieve their goal of consuming bandwidth or resources.

D. rootkit exploit:
A rootkit is a type of malware designed to gain privileged access to a system while hiding its presence. While rootkits may use packing or encryption to evade antivirus detection, the act of exploitation (gaining initial access) does not typically rely on alternate character encoding like hexadecimal within the initial attack vector in the same pervasive way that XSS and SQL injection do.

Reference
Cisco Secure Firewall Management Center Documentation: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v660/Introduction_to_Security_Intelligence.html (Cisco's intrusion-prevention documentation describes how the Snort HTTP inspector decodes and normalizes percent-encoded, Unicode and other alternate-encoded URIs before rule matching, precisely so that encoded XSS and injection payloads cannot slip past signature checks.)
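The encoding-versus-decoding asymmetry the explanation relies on, as an added example that is not from the original page or from Cisco: the same XSS payload rendered in percent (hexadecimal), HTML hex-entity and double-percent form, a filter that pattern-matches the raw input, and a filter that canonicalises first in the spirit of the URI normalization an IPS HTTP inspector performs. The payload, the helper names and the three-round decoding limit are assumptions for the illustration.

```python
"""Alternate-encoded XSS payloads against a naive and a normalizing filter
(added example; payload and helpers are constructed for illustration)."""
import html
import re
from typing import Dict
from urllib.parse import unquote

PAYLOAD = "<script>alert(1)</script>"


def percent_hex(s: str) -> str:
    """Percent-encode every byte as %XX, e.g. '<' -> '%3C'."""
    return "".join(f"%{b:02X}" for b in s.encode())


def html_hex_entities(s: str) -> str:
    """HTML hexadecimal character references, e.g. '<' -> '&#x3c;'."""
    return "".join(f"&#x{ord(c):x};" for c in s)


def double_percent(s: str) -> str:
    """Encode twice: '<' -> '%3C' -> '%25%33%43'. Beats a filter that decodes once."""
    return percent_hex(percent_hex(s))


def encoded_variants(payload: str = PAYLOAD) -> Dict[str, str]:
    """The forms an attacker might try for the same payload."""
    return {
        "plain": payload,
        "percent_hex": percent_hex(payload),
        "html_hex_entities": html_hex_entities(payload),
        "double_percent": double_percent(payload),
    }


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_filter_blocks(value: str) -> bool:
    """Pattern-match the input exactly as received: the weak filter."""
    return bool(SCRIPT_TAG.search(value))


def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonicalise before matching: undo percent- and entity-encoding repeatedly
    until the string stops changing (bounded, so a hostile input cannot loop)."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def normalizing_filter_blocks(value: str) -> bool:
    """Match against the canonical form, as an IPS HTTP normalizer would."""
    return bool(SCRIPT_TAG.search(normalize(value)))


def evaluate(payload: str = PAYLOAD) -> Dict[str, Dict[str, bool]]:
    """For each encoding, does each filter catch it?"""
    return {
        name: {"naive": naive_filter_blocks(v),
               "normalizing": normalizing_filter_blocks(v)}
        for name, v in encoded_variants(payload).items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18} naive={result['naive']!s:5} normalizing={result['normalizing']}")
```

A real normalizer decodes according to where the input will land (URL, HTML body, attribute, script), because the browser applies different decoders in each context; decoding every layer, as above, errs toward more matches, which is the right bias for a detection filter.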

A Cisco ESA network administrator has been tasked to use a newly installed service to help create policy based on the reputation verdict. During testing, it is discovered that the Cisco ESA is not dropping files that have an undetermined verdict. What is causing this issue?

A. The policy was created to send a message to quarantine instead of drop

B. The file has a reputation score that is above the threshold

C. The file has a reputation score that is below the threshold

D. The policy was created to disable file analysis

A.   The policy was created to send a message to quarantine instead of drop



Summary
The Cisco Email Security Appliance (ESA) is not dropping files that received an "undetermined" (unknown) verdict from the newly enabled Advanced Malware Protection (AMP) file reputation service. Such a verdict means the reputation cloud has no disposition yet for that file's hash. What the ESA does with the message in that case is governed entirely by the action configured in the mail policy for that outcome, not by any score.

Correct Option

A. The policy was created to send a message to quarantine instead of drop:
This is the most likely cause. The administrator likely created a policy for files with an "Undetermined" verdict but configured the action as "Quarantine" (which holds the email) rather than "Drop" (which deletes it). The ESA is functioning as configured; the issue is a mismatch between the desired outcome (dropping) and the configured policy action (quarantining).

Incorrect Option

B. The file has a reputation score that is above the threshold:
Reputation scores are used for files that have a reputation. A score above the "clean" threshold would result in the file being allowed, not dropped. An "undetermined" file, by definition, does not have a score to evaluate against a threshold.

C. The file has a reputation score that is below the threshold:
Similar to option B, this is inapplicable. An "undetermined" verdict means no reputation data exists, so there is no score to be above or below a configured threshold. The system cannot make a score-based decision.

D. The policy was created to disable file analysis:
File analysis (sandboxing) and file reputation are separate stages of the ESA's AMP feature. Disabling analysis would not stop the reputation lookup, and the question states that a verdict was returned, which shows the feature is active; the service simply has no data yet for this file.

Reference
Cisco Secure Email Gateway User Guide - File Reputation and Analysis Settings: https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-user-guide-list.html (The user guide documents the per-policy actions for messages with malware attachments, unscannable attachments and attachments whose analysis is pending; each outcome has its own configurable action, so a message is dropped only where an administrator has selected that action.)

Which exfiltration method does an attacker use to hide and encode data inside DNS requests and queries?

A. DNS tunneling

B. DNSCrypt

C. DNS security

D. DNSSEC

A.   DNS tunneling

Explanation:
DNS tunneling is a well-known technique used by attackers to create a covert communication channel for data exfiltration and command-and-control (C2).

A) DNS tunneling is CORRECT.
This method works by encoding stolen data into the subdomains of DNS queries. For example, instead of a normal query for google.com, malware would generate a query for *encoded_data*.attacker-domain.com. The attacker controls the authoritative DNS server for attacker-domain.com, which receives the encoded data. Responses can also be encoded in the DNS reply (e.g., in a TXT record). Because DNS is a fundamental protocol that is rarely blocked, this technique can often bypass traditional security controls.

Why the other options are incorrect:

B) DNSCrypt is INCORRECT.
DNSCrypt is a security protocol designed to encrypt DNS traffic between a client and a resolver to prevent eavesdropping and man-in-the-middle attacks. It is a defensive technology, not an attack method.

C) DNS security is INCORRECT.
This is a general term for a set of practices and technologies (like those listed below) used to protect the DNS infrastructure. It is the opposite of an exfiltration method.

D) DNSSEC is INCORRECT.
DNSSEC (Domain Name System Security Extensions) is a suite of specifications designed to protect the integrity of DNS data by providing origin authentication and data integrity. It is a security control that helps prevent DNS cache poisoning, not a method for exfiltration.

Reference:
SANS Institute & Cybersecurity Advisories: Numerous whitepapers and alerts detail DNS tunneling as a common data exfiltration technique.
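The subdomain-encoding mechanism described above, together with two detections a resolver query log analysis can apply, as an added example that is not part of the original page and not any Cisco product's logic. The domain name attacker-domain.com is taken from the explanation; the chunk size, the pseudo-random stand-in for stolen data, the benign query names and the detection thresholds are assumptions made for the illustration.

```python
"""DNS tunneling: packing data into query names, and detecting it in a query log
(added example; the data blob and thresholds are constructed for illustration)."""
import base64
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ATTACKER_DOMAIN = "attacker-domain.com"  # name used in the explanation above
MAX_LABEL = 63      # RFC 1035 limit per label
MAX_NAME = 253      # RFC 1035 limit per name


def encode_chunks(data: bytes, domain: str = ATTACKER_DOMAIN,
                  chunk_len: int = 30) -> List[str]:
    """Malware side: one query name per chunk, <seq>.<base32 chunk>.<domain>.
    Base32 is used because DNS names are case-insensitive, which makes base64 unsafe."""
    names = []
    for seq, i in enumerate(range(0, len(data), chunk_len)):
        label = base64.b32encode(data[i:i + chunk_len]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{domain}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk too large for a DNS name")
        names.append(name)
    return names


def decode_chunks(names: List[str]) -> bytes:
    """Attacker's authoritative-server side: reassemble in sequence order."""
    parts = {}
    for name in names:
        seq, label, _rest = name.split(".", 2)
        pad = "=" * (-len(label) % 8)
        parts[int(seq)] = base64.b32decode(label.upper() + pad)
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, dictionary words low."""
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Crude: the last two labels. Real tooling uses the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def suspicious_queries(names: List[str], max_label: int = 30,
                       min_entropy: float = 3.0,
                       max_unique: int = 20) -> Tuple[Set[str], Set[str]]:
    """Defender side. Flags (a) names carrying a long, high-entropy label, and
    (b) registered domains that receive an unusual number of distinct subdomains:
    a tunnel must vary the name per chunk, or the resolver cache would answer."""
    hits: Set[str] = set()
    unique: Dict[str, Set[str]] = defaultdict(set)
    for name in names:
        unique[registered_domain(name)].add(name)
        for label in name.rstrip(".").split(".")[:-2]:
            if len(label) > max_label and shannon_entropy(label) >= min_entropy:
                hits.add(name)
    noisy = {d for d, seen in unique.items() if len(seen) > max_unique}
    return hits, noisy


# Constructed stand-in for a 900-byte stolen file (pseudo-random bytes).
SECRET = bytes((i * 73 + 41) % 256 for i in range(900))
BENIGN = ["www.example.com", "mail.example.org", "cdn1.static-assets.example.net"]


def demo() -> Tuple[List[str], Set[str], Set[str]]:
    """Encode the blob, mix the tunnel queries with benign ones, run detection."""
    tunnel = encode_chunks(SECRET)
    hits, noisy = suspicious_queries(BENIGN + tunnel)
    return tunnel, hits, noisy


if __name__ == "__main__":
    tunnel, hits, noisy = demo()
    print(tunnel[0])
    print(f"{len(hits)} of {len(tunnel)} tunnel queries flagged; noisy domains: {noisy}")
```

The per-domain unique-subdomain count is the more robust of the two signals: a tunnel can shorten its labels or pick a low-entropy alphabet, but it cannot reuse names without hitting the resolver cache, so the volume of distinct names under one registered domain stays anomalous.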

A network administrator is configuring a rule in an access control policy to block certain URLs and selects the “Chat and Instant Messaging” category. Which reputation score should be selected to accomplish this goal?

A. 1

B. 3

C. 5

D. 10

C.   5



Summary
This question concerns URL filtering in an access control policy on Cisco Firepower/Secure Firewall (FMC). A URL rule condition has two parts: the URL category ("Chat and Instant Messaging") and a reputation level that narrows the category to sites at or below a given trust level. Firepower uses a five-level scale, with 1 the worst and 5 the best: in the 6.x guides, 1 = High Risk, 2 = Suspicious Sites, 3 = Benign Sites with Security Risks, 4 = Benign Sites, 5 = Well Known; newer releases label the same levels Untrusted, Questionable, Neutral, Favorable and Trusted. The goal here is to block the whole category regardless of any site's individual reputation.

Correct Option

C. 5:
In a Block rule the selected reputation level matches that level and every riskier (numerically lower) level. Selecting 5 (Well Known / Trusted) therefore matches levels 1 through 5, which is every site in "Chat and Instant Messaging". Choosing any lower number would leave the better-reputed sites in the category allowed.

Incorrect Option

A. 1:
Level 1 (High Risk / Untrusted) is the worst reputation. A Block rule at level 1 blocks only the riskiest chat and IM sites and lets everything rated 2 through 5 through, which is the opposite of "block the category".

B. 3:
Level 3 (Benign Sites with Security Risks / Neutral) blocks sites rated 1 through 3 and still allows the chat and IM sites rated 4 or 5. The requirement is the entire category, not only the risky sites in it.

D. 10:
A distractor. The Firepower reputation scale runs from 1 to 5; there is no level 10.

Reference
Cisco Secure Firewall Management Center Configuration Guide, "URL Filtering" chapter: the guide lists the five reputation levels and explains that when a reputation level is chosen in a rule that blocks traffic, the rule applies to that level and all levels with a worse reputation, so selecting the highest (best) level blocks the entire category.

What provides the ability to program and monitor networks from somewhere other than the DNAC GUI?

A. NetFlow

B. desktop client

C. ASDM

D. API

D.   API

Explanation for Each Option:

A. NetFlow (Incorrect):
NetFlow is a flow-export format that network devices use to report traffic statistics; Cisco DNA Center consumes it as one of its Assurance telemetry sources. It is a data feed into the platform, not an interface for programming or operating the network from outside the GUI, so it does not answer the question. (Reference: Cisco NetFlow Configuration Guide.)

B. desktop client (Incorrect):
A desktop client typically refers to a local application (e.g., a management tool installed on a workstation) for network configuration or monitoring. However, it does not inherently provide remote programming or monitoring capabilities outside the DNAC GUI without specific integration, and it is less flexible than API-based solutions, rendering this option unsuitable. (Reference: Cisco Network Management Tools.)

C. ASDM (Incorrect):
Adaptive Security Device Manager (ASDM) is a graphical interface for managing Cisco ASA devices. It is a GUI-based tool that requires local or remote access to the device, not a method for programming or monitoring networks outside the DNAC GUI. It lacks the programmatic flexibility needed, making this option incorrect. (Reference: Cisco ASDM User Guide.)

D. API (Correct):
The Cisco DNA Center (DNAC) API provides a programmatic interface to automate, program, and monitor network operations remotely, independent of the DNAC GUI. Using RESTful APIs, administrators can integrate DNAC with external tools or scripts, enabling management from any location with network access, fulfilling the requirement effectively. (Reference: Cisco DNA Center API Documentation.)

Additional Notes:
API usage with DNA Center (now Cisco Catalyst Center) is covered in the 350-701 SCOR blueprint under automation (Section 4.0). The Intent API is REST-based: a client first posts its credentials to obtain a token and then presents that token in the X-Auth-Token header on every subsequent call. For details, refer to the Cisco DNA Center API Guide (developer.cisco.com).

Which two capabilities does TAXII support? (Choose two)

A. Exchange

B. Pull messaging

C. Binding

D. Correlation

E. Mitigating

A.   Exchange

B.   Pull messaging



Summary
TAXII (Trusted Automated eXchange of Intelligence Information, originally Indicator Information) is an open application-layer protocol, standardized by OASIS, for the automated exchange of cyber threat intelligence (CTI) over HTTPS, usually carrying STIX content. It defines the services and message exchanges through which CTI is shared. It is a transport mechanism, not an analysis or detection protocol.

Correct Option

A. Exchange:
This is the core capability. TAXII defines services for sharing intelligence: in TAXII 1.x, Discovery, Collection Management, Inbox (the producer pushes content to a consumer) and Poll (the consumer pulls content); in TAXII 2.x, Collections that clients read from and write to. Every one of these is a form of "exchange".

B. Pull messaging:
This is one of the two message-exchange styles TAXII supports. A consumer asks the server for content on its own schedule, via the Poll service in TAXII 1.x or an HTTP GET on a Collection's objects endpoint in TAXII 2.x, typically filtering for objects added since its last request. This is the usual way a client keeps up to date with an intelligence feed.

Incorrect Option

C. Binding:
TAXII 1.x does publish "binding" documents (an HTTPS protocol binding and an XML message binding), but these specify how TAXII messages are carried on the wire; a binding is not a capability the protocol offers for sharing intelligence, which is what the question asks about.

D. Correlation:
Correlation is the function of a Security Information and Event Management (SIEM) system or an analytics engine. TAXII is solely a transport protocol for moving already-processed intelligence; it does not perform analysis or correlation of data.

E. Mitigating:
Mitigation refers to the actions taken to block or contain a threat (e.g., updating a firewall policy). TAXII is responsible for the delivery of the intelligence that might trigger a mitigation action in another system, but it does not perform the mitigation itself.

Reference
OASIS CTI TC Documentation - TAXII Specification: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti (The official TAXII specification from OASIS defines the concepts of "Services," "Collections," and "Poll" (pull) requests, which directly correspond to the capabilities of Exchange and Pull Messaging).
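The pull exchange the answer describes, as an added example that is not part of the original page and not from OASIS or Cisco: an in-memory stand-in for a TAXII 2.1 server's Collection objects endpoint and a client that pages through the envelope with `next` and later resumes with `added_after`. The media type, the envelope fields (`objects`, `more`, `next`) and the `X-TAXII-Date-Added-*` headers are from the TAXII 2.1 specification; the API root `api1`, the collection ID, the page size and the STIX indicator contents are assumed values constructed for the illustration.

```python
"""TAXII 2.1 pull messaging, simulated offline: a client polls a Collection's
objects endpoint and pages through the envelope (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"  # TAXII 2.1 media type
API_ROOT = "api1"                                         # assumed API root name


def indicator(i: int, ts: str) -> Dict:
    """Minimal STIX 2.1 Indicator; the ID suffix and pattern are constructed."""
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--00000000-0000-4000-8000-{i:012d}",
        "created": ts, "modified": ts, "valid_from": ts,
        "pattern_type": "stix",
        "pattern": f"[domain-name:value = 'bad{i}.example']",
    }


@dataclass
class TaxiiServer:
    """In-memory stand-in for one API root holding one collection."""
    collection_id: str
    page_size: int = 2
    records: List[Tuple[str, Dict]] = field(default_factory=list)  # (date_added, obj)

    def add(self, date_added: str, obj: Dict) -> None:
        self.records.append((date_added, obj))

    def get_objects(self, request: Dict) -> Dict:
        """GET /{api_root}/collections/{id}/objects/ with optional added_after
        (exclusive) and next (an opaque cursor; here simply an offset)."""
        assert request["method"] == "GET"
        assert request["headers"].get("Accept") == TAXII_MEDIA_TYPE
        assert request["path"] == f"/{API_ROOT}/collections/{self.collection_id}/objects/"
        query = request.get("query", {})
        after = query.get("added_after")
        rows = [(d, o) for d, o in self.records if after is None or d > after]
        start = int(query.get("next", "0"))
        page = rows[start:start + self.page_size]
        more = start + self.page_size < len(rows)
        envelope: Dict = {"objects": [o for _, o in page], "more": more}
        if more:
            envelope["next"] = str(start + self.page_size)
        headers = {"Content-Type": TAXII_MEDIA_TYPE}
        if page:
            headers["X-TAXII-Date-Added-First"] = page[0][0]
            headers["X-TAXII-Date-Added-Last"] = page[-1][0]
        return {"status": 200, "headers": headers, "body": envelope}


def pull_all(server: TaxiiServer,
             added_after: Optional[str] = None) -> Tuple[List[Dict], Optional[str]]:
    """Client side: keep requesting until more is false. Returns the objects and
    the last date-added seen, which the client stores as the next poll's added_after."""
    objects: List[Dict] = []
    cursor, last_added = None, added_after
    while True:
        query: Dict[str, str] = {}
        if added_after:
            query["added_after"] = added_after
        if cursor:
            query["next"] = cursor
        response = server.get_objects({
            "method": "GET",
            "path": f"/{API_ROOT}/collections/{server.collection_id}/objects/",
            "headers": {"Accept": TAXII_MEDIA_TYPE},
            "query": query,
        })
        body = response["body"]
        objects.extend(body["objects"])
        last_added = response["headers"].get("X-TAXII-Date-Added-Last", last_added)
        if not body.get("more"):
            return objects, last_added
        cursor = body["next"]


def demo_server() -> TaxiiServer:
    """Five indicators added on consecutive days, served two per page."""
    server = TaxiiServer(collection_id="91a7b528-80eb-42ed-a74d-c6fbd5a26116")
    for i in range(1, 6):
        ts = f"2025-01-0{i}T00:00:00.000Z"
        server.add(ts, indicator(i, ts))
    return server


if __name__ == "__main__":
    srv = demo_server()
    objs, last = pull_all(srv)
    print(f"initial pull: {len(objs)} objects, last added {last}")
    srv.add("2025-01-06T00:00:00.000Z", indicator(6, "2025-01-06T00:00:00.000Z"))
    objs, last = pull_all(srv, added_after=last)
    print(f"incremental pull: {len(objs)} new object(s), last added {last}")
```

Persisting the X-TAXII-Date-Added-Last value between polls is what makes the pull incremental; a client that keys its next `added_after` off the objects' own `modified` timestamps instead can miss objects the server added late with older STIX timestamps.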
