• Updated on: 25-May-2026

Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)


Topic 1: Exam Pool A

Which capability is exclusive to a Cisco AMP public cloud instance as compared to a private cloud instance?

A. RBAC

B. ETHOS detection engine

C. SPERO detection engine

D. TETRA detection engine

B.   ETHOS detection engine


Which Cisco Advanced Malware Protection for Endpoints deployment architecture is designed to keep data within a network perimeter?

A. cloud web services

B. network AMP

C. private cloud

D. public cloud

C.   private cloud

Explanation for Each Option:

A. cloud web services (Incorrect):
Cloud web services in Cisco AMP for Endpoints refer to the use of cloud-based threat intelligence and analysis (e.g., via Cisco Threat Grid) to enhance endpoint protection. This deployment involves sending data to the public cloud, which does not keep data within the network perimeter, making this option unsuitable. (Reference: Cisco AMP Cloud Web Services Overview.)

B. network AMP (Incorrect):
Network AMP focuses on securing network traffic using appliances or virtual sensors (e.g., Firepower devices) to detect and block malware. While it operates within the network, it is not a specific deployment architecture for endpoints and does not inherently keep endpoint data within the perimeter, as it relies on cloud correlation, rendering this option incorrect. (Reference: Cisco AMP for Networks Datasheet.)

C. private cloud (Correct):
The private cloud deployment architecture for Cisco AMP for Endpoints allows organizations to host the AMP infrastructure within their own data center or private cloud environment. This keeps all endpoint data, including file analysis and threat intelligence, within the network perimeter, ensuring compliance and security for sensitive environments, meeting the requirement. (Reference: Cisco AMP Private Cloud Deployment Guide.)

D. public cloud (Incorrect):
Public cloud deployment of Cisco AMP for Endpoints relies on Cisco’s cloud infrastructure to process and store data, such as file submissions and threat verdicts. This approach sends data outside the network perimeter to the public cloud, which contradicts the goal of keeping data within the network, making this option incorrect. (Reference: Cisco AMP Public Cloud Overview.)

Additional Notes:
AMP deployment architectures are a key topic in the 350-701 SCOR exam under endpoint security. As of 11:50 AM PKT, October 02, 2025, private cloud options are critical for perimeter security. For details, refer to the Cisco AMP for Endpoints Deployment Guide (cisco.com) and the 350-701 Exam Blueprint (Section 2.0 Endpoint Security).

Which two preventive measures are used to control cross-site scripting? (Choose two)

A. Enable client-side scripts on a per-domain basis.

B. Incorporate contextual output encoding/escaping.

C. Disable cookie inspection in the HTML inspection engine.

D. Run untrusted HTML input through an HTML sanitization engine.

E. Same Site cookie attribute should not be used.

B.   Incorporate contextual output encoding/escaping.
D.   Run untrusted HTML input through an HTML sanitization engine.

Explanation for Each Option:

A. Enable client-side scripts on a per-domain basis (Incorrect):
Enabling client-side scripts on a per-domain basis (e.g., via Content Security Policy) can help mitigate some XSS risks by restricting script sources, but it is not a preventive measure on its own. It is a control mechanism, not a direct prevention technique, making this option less effective and incorrect as a primary measure. (Reference: OWASP XSS Prevention Cheat Sheet, CSP Usage.)

B. Incorporate contextual output encoding/escaping (Correct):
Contextual output encoding/escaping converts untrusted input into a safe format (e.g., HTML entities, such as < to &lt;) based on the context (HTML, JavaScript, etc.) to prevent execution of malicious scripts. This is a fundamental preventive measure against cross-site scripting (XSS), making it a correct choice. (Reference: OWASP XSS Prevention, Output Encoding.)

C. Disable cookie inspection in the HTML inspection engine (Incorrect):
Disabling cookie inspection in an HTML inspection engine would reduce security, as cookies can be exploited in XSS attacks (e.g., session hijacking). This is a counterproductive action, not a preventive measure, rendering this option incorrect. (Reference: Cisco Secure Web Appliance Cookie Security.)

D. Run untrusted HTML input through an HTML sanitization engine (Correct):
HTML sanitization removes or neutralizes malicious code (e.g., <script> tags) from untrusted input before it is processed or rendered. This is a proactive preventive measure against XSS by ensuring only safe content is executed, making it a correct choice. (Reference: OWASP HTML Sanitization Guide.)

E. Same Site cookie attribute should not be used (Incorrect):
The "SameSite" cookie attribute (e.g., Lax or Strict) mitigates XSS by preventing cookies from being sent in cross-site requests, reducing session hijacking risks. Suggesting it should not be used is the opposite of a preventive measure, making this option incorrect. (Reference: OWASP Secure Cookie Attributes.)

Additional Notes:
Preventing XSS is a key topic in the 350-701 SCOR exam under content security. As of 11:45 AM PKT, October 03, 2025, encoding and sanitization are critical defenses.
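
The two correct measures above, contextual output encoding (B) and allow-list HTML sanitization (D), shown side by side as an added example; it is not from the original page or from OWASP. The function names, the allow-list and the sample input are assumptions made for illustration, and the small sanitizer stands in for a maintained sanitization library.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed untrusted input for illustration (not from the original page).
UNTRUSTED = '</script><script>alert("x")</script>'

def encode_html_text(value):
    """HTML element content or quoted attribute value."""
    return html.escape(value, quote=True)

def encode_url_param(value):
    """Query-string value: percent-encode everything outside unreserved chars."""
    return quote(value, safe="")

def encode_js_string(value):
    """JS string literal inside an inline <script> block."""
    # json.dumps produces a quoted, escaped literal; escaping <, > and & as
    # \uXXXX keeps "</script>" or "<!--" from ending the script element early.
    literal = json.dumps(value)
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal

def render(value):
    """Same value, three output contexts, three different encoders."""
    return (
        f"<p>{encode_html_text(value)}</p>\n"
        f'<a href="/search?q={encode_url_param(value)}">again</a>\n'
        f"<script>var q = {encode_js_string(value)};</script>"
    )

# Assumption: a minimal allow-list of formatting tags, chosen for this example.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}

class AllowListSanitizer(HTMLParser):
    """Keeps allow-listed tags (attributes stripped), drops all other markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"<{tag}>")  # onclick=, style=, href= never copied

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # text is re-encoded on output

def sanitize_html(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print(render(UNTRUSTED))
    print(sanitize_html('<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script>'))
```

Encoding is the right tool when the value is meant to be displayed as text; sanitization is for the case where a limited subset of user-supplied markup has to survive as markup.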

Which technology reduces data loss by identifying sensitive information stored in public computing environments?

A. Cisco SDA

B. Cisco Firepower

C. Cisco HyperFlex

D. Cisco Cloudlock

D.   Cisco Cloudlock


A company is experiencing exfiltration of credit card numbers that are not being stored on-premise. The company needs to be able to protect sensitive data throughout the full environment. Which tool should be used to accomplish this goal?

A. Security Manager

B. Cloudlock

C. Web Security Appliance

D. Cisco ISE

B.   Cloudlock

Explanation
The key phrases in the question are:

"exfiltration of credit card numbers"

"not being stored on-premise"

"protect sensitive data throughout the full environment"

This indicates the data is likely in cloud applications (like Salesforce, Microsoft 365, or Google Workspace) or being transmitted to cloud services, and the company needs to discover, monitor, and protect it wherever it resides.

B. Cloudlock:
This is the correct answer. Cisco Cloudlock is a Cloud Access Security Broker (CASB). Its primary functions are perfectly suited for this scenario:

Data Loss Prevention (DLP): It can scan cloud applications to discover and classify sensitive data like credit card numbers, even if they aren't supposed to be there.

Cloud DLP: It can monitor user activity in real-time and block or alert on attempts to exfiltrate this data (e.g., downloading a file containing credit cards to a personal device, or sharing it externally).

Full Environment Coverage: As a cloud-native, API-based solution, it protects data across multiple cloud services, providing visibility and control "throughout the full [cloud] environment."

Why the other options are incorrect:

A. Security Manager:
This is a network device management tool used primarily for configuring firewalls (ASA, FTD), routers, and switches. It is not a data-centric security tool and cannot discover or protect sensitive data within cloud applications.

C. Web Security Appliance (WSA):
The WSA is a web proxy that filters and secures internet traffic. While it has DLP capabilities, they are primarily focused on outbound web traffic (HTTP/HTTPS). It is not designed to scan and protect data at rest within cloud application platforms like Salesforce or Box, which is implied by "not being stored on-premise."

D. Cisco ISE (Identity Services Engine):
ISE is a network access control and policy enforcement tool. It controls who can get on the network and what they can access, but it does not have the capability to discover, classify, or prevent the exfiltration of specific data types like credit card numbers from within cloud applications.

Reference:
This aligns with the specific capabilities of the Cisco Cloudlock product within the security portfolio.

Cisco Cloudlock Data Sheet: Highlights its capabilities for cloud data security, including data discovery, classification, and DLP for cloud applications to prevent data exfiltration and comply with regulations like PCI DSS (which governs credit card data).

In summary, Cisco Cloudlock is the purpose-built tool for discovering and protecting sensitive data across cloud environments to prevent exactly the type of cloud-based exfiltration described.

What are two reasons for implementing a multifactor authentication solution such as Duo Security in an organization? (Choose two)

A. flexibility of different methods of 2FA such as phone callbacks, SMS passcodes, and push notifications

B. single sign-on access to on-premises and cloud applications

C. integration with 802.1x security using native Microsoft Windows supplicant

D. secure access to on-premises and cloud applications

E. identification and correction of application vulnerabilities before allowing access to resources

A.   flexibility of different methods of 2FA such as phone callbacks, SMS passcodes, and push notifications
D.   secure access to on-premises and cloud applications

Explanation:
Cisco Duo Security is a cloud-based access security platform built around multi-factor authentication (MFA). Its primary purposes are to verify user identities with high assurance and to provide secure access to applications.

Let's break down why A and D are correct and why the others are not:

A) flexibility of different methods of 2FA such as phone callbacks, SMS passcodes, and push notifications is CORRECT.
A key reason to adopt a modern MFA solution like Duo is to move beyond a single, rigid form of authentication. Duo provides a wide range of user-friendly verification methods (Duo Push, phone call, SMS, hardware tokens, biometrics) that cater to different user preferences and security requirements, making it easier to deploy and enforce MFA across the organization.

D) secure access to on-premises and cloud applications is CORRECT.
This is the fundamental business outcome of implementing Duo. By adding a second factor of authentication, Duo secures the login process for a vast ecosystem of applications, whether they are hosted in a corporate data center (on-premises) or in the cloud (like Office 365, Salesforce, AWS). It ensures that even if a password is compromised, an attacker cannot gain access without also possessing the user's second factor.

Why the other options are incorrect:

B) single sign-on access to on-premises and cloud applications is INCORRECT.
While Duo integrates with and can add MFA to Single Sign-On (SSO) solutions (like Duo Beyond, which includes SSO), the core Duo MFA service itself is not an SSO provider. SSO is a separate functionality that allows a user to log in once and access multiple applications without re-entering credentials. The base function of Duo is to add a layer of security on top of the login process, whether it's a single application or an SSO portal.

C) integration with 802.1x security using native Microsoft Windows supplicant is INCORRECT.
This describes a specific use case for network access control. While Duo can be integrated with Cisco ISE for 802.1X authentication, this is a specialized deployment and not one of the two primary, general reasons an organization would implement a solution like Duo. The core reasons are broader, focusing on application access and flexible MFA methods.

E) identification and correction of application vulnerabilities before allowing access to resources is INCORRECT.
This describes the function of a completely different class of security tools, such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) scanners, or perhaps a web application firewall (WAF). Duo's role is to ensure the user is trustworthy, not to scan the application for vulnerabilities.

Reference:

Cisco Duo Data Sheets and Solution Overviews:
These documents consistently lead with value propositions like "Secure access to all your applications, anywhere" and "A flexible multi-factor authentication experience," directly aligning with options D and A.

Cisco SCOR 350-701 Exam Objectives:
The objectives cover secure network access and identity management, emphasizing MFA as a critical control for securing application access in hybrid (on-prem/cloud) environments.

Refer to the exhibit.

A network administrator configures command authorization for the admin5 user. What is the admin5 user able to do on HQ_Router after this configuration?

A. set the IP address of an interface

B. complete no configurations

C. complete all configurations

D. add subinterfaces

B.   complete no configurations


The user “admin5” was configured with privilege level 5. To allow configuration (entering global configuration mode), we must type this command:

(config)#privilege exec level 5 configure terminal

Without this command, this user cannot do any configuration.

Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels used by default are privilege level 1 (user EXEC) and privilege level 15 (privileged EXEC).

Which statement about the configuration of Cisco ASA NetFlow v9 Secure Event Logging is true?

A. To view bandwidth usage for NetFlow records, the QoS feature must be enabled.

B. A sysopt command can be used to enable NSEL on a specific interface.

C. NSEL can be used without a collector configured.

D. A flow-export event type must be defined under a policy.

D.   A flow-export event type must be defined under a policy.

Explanation
Cisco ASA NetFlow Secure Event Logging (NSEL) is a stateful, high-performance logging mechanism that uses NetFlow v9 to export security events. Its configuration is policy-based.

The core of NSEL configuration involves creating a class-map to identify the traffic you want to monitor and then applying a policy-map that specifies which NetFlow events (e.g., flow create, flow deny, flow teardown) should be exported for that traffic class. Finally, this policy is applied to an interface with a service-policy command.

Therefore, the statement "A flow-export event type must be defined under a policy" is accurate, as the event types (like flow-create, flow-denied) are configured within the class-map and policy-map structure.

Why the other options are incorrect:

A. To view bandwidth usage for NetFlow records, the QoS feature must be enabled.
This is incorrect. NSEL exports event-based data (session starts, stops, denies), not continuous traffic flow data for bandwidth monitoring. Enabling QoS is not a requirement for NSEL to function.

B. A sysopt command can be used to enable NSEL on a specific interface.
This is incorrect. The sysopt command is used for other ASA behaviors (like allowing VPN traffic to bypass access lists). NSEL is enabled and applied to interfaces using the flow-export and service-policy commands, not a sysopt command.

C. NSEL can be used without a collector configured.
This is incorrect. The entire purpose of NSEL is to export flow event records to an external collector. If no collector is configured with the flow-export destination command, the ASA has nowhere to send the NSEL data, rendering the feature non-functional.

Reference:

The configuration steps for NSEL are outlined in the Cisco ASA configuration guide.

As per the Cisco ASA Series CLI Configuration Guide, the steps to configure NSEL include:

(Optional) Create a class-map to identify traffic.

Create a policy-map to define the action and event types.

Within the policy-map, specify the flow-export event-type for the traffic class.

Apply the policy-map globally or to an interface.

This confirms that the flow-export event type is indeed defined within a policy structure.

Which technology must be used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity?

A. DMVPN

B. FlexVPN

C. IPsec DVTI

D. GET VPN

D.   GET VPN

Explanation for Each Option:

A. DMVPN (Incorrect):
Dynamic Multipoint VPN (DMVPN) uses a hub-and-spoke or partial mesh topology with IPsec to provide scalable VPN connectivity over public or private networks. While it supports any-to-any connectivity with spoke-to-spoke tunnels, it relies on a hub for initial routing and is less optimized for a private IP cloud requiring full mesh scalability without centralized control, making it less suitable. (Reference: Cisco DMVPN Configuration Guide.)

B. FlexVPN (Incorrect):
FlexVPN is a flexible, standards-based IPsec VPN solution that supports various topologies, including hub-and-spoke and full mesh, using IKEv2. However, it is designed for general-purpose VPNs and does not inherently optimize for a private IP cloud with any-to-any connectivity, requiring additional configuration for scalability, rendering it less ideal than a dedicated solution. (Reference: Cisco FlexVPN Deployment Guide.)

C. IPsec DVTI (Incorrect):
IPsec Dynamic Virtual Tunnel Interface (DVTI) provides a per-tunnel interface for IPsec VPNs, offering flexibility for point-to-point or hub-and-spoke designs. It is not optimized for any-to-any scalable connectivity in a private IP cloud, as it lacks the group-based encryption and mesh capabilities needed for efficient branch interconnectivity, making this option incorrect. (Reference: Cisco IPsec DVTI Overview.)

D. GET VPN (Correct):
Group Encrypted Transport VPN (GET VPN) is designed for secure VPN connectivity over a private IP cloud, using group-based encryption to enable any-to-any scalable connectivity among branch sites. It eliminates the need for point-to-point tunnels by leveraging a group key management system, making it ideal for large-scale, mesh-like networks with consistent security policies. (Reference: Cisco GET VPN Configuration Guide.)

Additional Notes:
Implementing GET VPN for branch connectivity is a key topic in the 350-701 SCOR exam under VPN technologies. As of 11:35 AM PKT, October 03, 2025, it excels in private IP cloud deployments.

Which functions of an SDN architecture require southbound APIs to enable communication?

A. SDN controller and the network elements

B. management console and the SDN controller

C. management console and the cloud

D. SDN controller and the cloud

A.   SDN controller and the network elements

Explanation:
In an SDN architecture, APIs are categorized based on the direction of communication relative to the central SDN controller.

A) SDN controller and the network elements is CORRECT.
The southbound API is the interface that the SDN controller uses to communicate down to the underlying network elements (switches, routers, access points). This API is used to push configuration, routing decisions, and policies to the devices. Examples of southbound APIs include OpenFlow, OpFlex, and NETCONF/YANG. This is the definitive role of the southbound API.

Why the other options are incorrect:

B) management console and the SDN controller is INCORRECT.
This communication path uses the northbound API. The northbound API is how applications and management tools (the "brains" or business logic) talk up to the SDN controller to request network services or pull network state information.

C) management console and the cloud and D) SDN controller and the cloud are INCORRECT.
These are general cloud management or east-west communications and are not specifically defined as "southbound" in the standard SDN model. Communication with the cloud would typically use standard REST APIs or other cloud interfaces, not the southbound API meant for controlling physical/virtual network devices.

SDN API Summary:

Southbound API: Controller → Network Devices (e.g., OpenFlow)

Northbound API: Applications/Management → Controller (e.g., REST API)

East-West API: Communication between multiple controllers (for scalability/redundancy).

Reference:

Cisco Digital Network Architecture (DNA) Center Concepts Guide: Explains the controller's role and how it uses southbound interfaces like NETCONF/YANG and CLI to communicate with network devices.

Open Networking Foundation (ONF) SDN Architecture: The foundational document that defines the SDN layers and the roles of northbound and southbound APIs.
