Updated on: 25-May-2026

Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)


Topic 3: Exam Pool C

Why should organizations migrate to an MFA strategy for authentication?

A. Single methods of authentication can be compromised more easily than MFA.

B. Biometrics authentication leads to the need for MFA due to its ability to be hacked easily.

C. MFA methods of authentication are never compromised.

D. MFA does not require any piece of evidence for an authentication mechanism

A.   Single methods of authentication can be compromised more easily than MFA.

Explanation for Each Option:

A. Single methods of authentication can be compromised more easily than MFA (Correct):
Organizations should migrate to Multi-Factor Authentication (MFA) because relying on a single authentication method (e.g., password) is more vulnerable to attacks like phishing or brute force. MFA combines two or more factors (e.g., something you know, have, or are), significantly increasing security by requiring multiple compromise points, justifying the migration. (Reference: Cisco Secure Identity Services, MFA Benefits.)

B. Biometrics authentication leads to the need for MFA due to its ability to be hacked easily (Incorrect):
Biometrics (e.g., fingerprints, facial recognition) is one factor in MFA, often considered secure, but it can be spoofed (e.g., with fake fingerprints). The need for MFA arises from the vulnerability of any single factor, not specifically biometrics being easily hacked, making this option a misrepresentation of the rationale. (Reference: Cisco Duo Biometric Security Guide.)

C. MFA methods of authentication are never compromised (Incorrect):
No authentication method, including MFA, is entirely immune to compromise (e.g., through sophisticated attacks like SIM swapping or man-in-the-middle). MFA reduces risk but does not eliminate it, so claiming it is never compromised is inaccurate and does not justify migration based on an unrealistic expectation. (Reference: NIST SP 800-63B, MFA Guidelines.)

D. MFA does not require any piece of evidence for an authentication mechanism (Incorrect):
MFA requires at least two pieces of evidence from different categories (e.g., password and a mobile device), which is the opposite of the statement. This misunderstanding of MFA’s definition makes it an incorrect reason for migration, as it contradicts the core concept of multiple factors. (Reference: Cisco Identity Services Engine MFA Overview.)

Additional Notes:
Migrating to MFA is a key topic in the 350-701 SCOR exam under endpoint security. As of 11:35 AM PKT, October 02, 2025, it is a recommended best practice to enhance security. For details, refer to the Cisco Secure Access documentation (cisco.com) and the 350-701 Exam Blueprint (Section 2.0 Endpoint Security).

Refer to the exhibit.

What does the API do when connected to a Cisco security appliance?

A. get the process and PID information from the computers in the network

B. create an SNMP pull mechanism for managing AMP

C. gather network telemetry information from AMP for endpoints

D. gather the network interface information about the computers AMP sees

D.   gather the network interface information about the computers AMP sees

Explanation:
The script is using the API for Cisco Advanced Malware Protection (AMP) for Endpoints. Breaking down the code shows its exact function.

API Target: 'https://api.amp.cisco.com/v1/computers'

This endpoint is used to get a list of all computers (endpoints) that are managed by the AMP for Endpoints cloud.

Data Extraction:
The script loops through each computer in the response (for computer in response.json['data']).

For each computer, it accesses the 'network_addresses' dictionary.

It then loops through each network interface in that dictionary and extracts three specific pieces of information:

mac (MAC address)

ip (IPv4 address)

ipv6 (IPv6 address)

Conclusion:
The script's sole purpose is to query the AMP cloud and print out the MAC, IP, and IPv6 addresses for every network interface on every computer that AMP for Endpoints is aware of. This is the definition of gathering network interface information.

Why the other options are incorrect:

A) get the process and PID information from the computers in the network is INCORRECT.
The script is querying the /v1/computers endpoint, which returns general computer inventory data. To get process and PID information, you would need to query a different endpoint, such as one related to event trajectories or specific process events.

B) create an SNMP pull mechanism for managing AMP is INCORRECT.
The script uses a REST API with HTTP GET requests and authentication via Client ID and API Key. This has nothing to do with the SNMP protocol.

C) gather network telemetry information from AMP for endpoints is too vague and therefore INCORRECT.
While the network interface data is a form of telemetry, the term "network telemetry" in the context of AMP typically refers to detailed traffic and connection data that can be gathered from the network (e.g., from ISE or Stealthwatch), not the static interface inventory of an endpoint. The script is performing a very specific, limited query for interface addresses, not gathering broad telemetry.

Reference:
Cisco AMP for Endpoints API Reference Guide: The documentation for the /v1/computers endpoint confirms that it returns a list of computers and their properties, including the network_addresses field which contains the mac, ip, and ipv6 addresses for each interface.
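The exhibit's script is not reproduced on this page. The following is an added Python example, not the exhibit's code, that reconstructs the logic the explanation describes and runs it against a constructed sample of a /v1/computers response. The sample data, `extract_interface_addresses` and `basic_auth_header` are assumptions made for this example; AMP's REST API uses HTTP Basic authentication with the client ID as user name and the API key as password, and no network call is made here.

```python
import base64
import json

# Constructed sample of a /v1/computers response (not a real capture): two
# computers, each carrying a list of network interfaces. The second interface
# deliberately omits the ipv6 field to show how the parser copes with it.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {
            "hostname": "WKS-01",
            "network_addresses": [
                {"mac": "00:11:22:33:44:55", "ip": "10.0.0.10", "ipv6": "fe80::1"},
                {"mac": "66:77:88:99:aa:bb", "ip": "192.168.1.10"},
            ],
        },
        {"hostname": "SRV-02", "network_addresses": []},
    ]
})


def basic_auth_header(client_id, api_key):
    """Build the Authorization header the script sends: HTTP Basic auth with
    client_id:api_key, i.e. a REST credential, nothing to do with SNMP."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return "Basic " + token


def extract_interface_addresses(raw_json):
    """Return one (hostname, mac, ip, ipv6) tuple per network interface.

    Mirrors the loop the explanation describes: iterate over 'data', then over
    each computer's 'network_addresses', and pull mac, ip and ipv6. A missing
    field is reported as None instead of raising KeyError, and a computer with
    no interfaces simply contributes no rows.
    """
    payload = json.loads(raw_json)
    rows = []
    for computer in payload.get("data", []):
        host = computer.get("hostname")
        for iface in computer.get("network_addresses") or []:
            rows.append((host, iface.get("mac"), iface.get("ip"), iface.get("ipv6")))
    return rows


if __name__ == "__main__":
    # Hypothetical credentials; in a real run they come from the AMP console.
    print(basic_auth_header("example-client-id", "example-api-key"))
    for host, mac, ip, ipv6 in extract_interface_addresses(SAMPLE_RESPONSE):
        print(f"{host}: mac={mac} ip={ip} ipv6={ipv6}")
```

Note that nothing in the output is a process or PID: the inventory endpoint yields only per-interface addresses, which is why option D and not option A matches the script.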

Which endpoint protection and detection feature performs correlation of telemetry, files, and intrusion events that are flagged as possible active breaches?

A. retrospective detection

B. indication of compromise

C. file trajectory

D. elastic search

A.   retrospective detection

Explanation
This question is asking about a specific capability within Cisco Advanced Malware Protection (AMP) for Endpoints that allows security teams to investigate potential security incidents after initial detection.

A. retrospective detection:
This is the correct answer. Retrospective Security is a powerful feature of Cisco AMP that continuously analyzes and correlates all activity on an endpoint—including telemetry, file executions, network connections, and intrusion events—after they have occurred. If a file, IP address, or domain is later determined to be malicious (e.g., through new threat intelligence), AMP can retroactively search through its historical data to find every endpoint that was affected. This allows an analyst to see the full scope of a potential breach, answering the critical questions: "Where did this start?" and "How far did it spread?"

Why the other options are incorrect:

B. indication of compromise (IoC):
This is incorrect. An IoC is a piece of evidence (e.g., a file hash, a malicious IP) that suggests a network intrusion has occurred. It is the data point that you search for, not the feature that performs the correlation and searching itself.

C. file trajectory:
This is incorrect. File Trajectory is a different, though related, feature within Cisco AMP. It shows the complete history of a specific file across the entire organization—which endpoints it has been on, what it did, and where it came from. While incredibly useful, it focuses on a single file's path. Retrospective detection is the broader capability that uses this kind of data, along with other telemetry, to correlate events and identify active breaches.

D. elastic search:
This is incorrect. Elasticsearch is a general-purpose, open-source search and analytics database engine. While Cisco AMP for Endpoints may use a similar technology internally to power its backend, "Elasticsearch" is not the name of a user-facing feature or a marketed capability of the product. The term described in the question is "retrospective detection."

Reference:
This is a core feature highlighted in the Cisco AMP for Endpoints documentation and data sheets.

Cisco AMP for Endpoints Data Sheet: It explicitly describes "Retrospective Security" as the feature that "continuously tracks and analyzes file and threat activity, giving you the power to go back in time to determine the origin and scope of an attack."

In summary, the feature that performs ongoing correlation of telemetry and events to identify possible active breaches, even after the initial activity occurred, is retrospective detection.

How does Cisco AMP for Endpoints provide next-generation protection?

A. It encrypts data on user endpoints to protect against ransomware.

B. It leverages an endpoint protection platform and endpoint detection and response

C. It utilizes Cisco pxGrid, which allows Cisco AMP to pull threat feeds from threat intelligence centers.

D. It integrates with Cisco FTD devices.

B.   It leverages an endpoint protection platform and endpoint detection and response

Explanation for Each Option:

A. It encrypts data on user endpoints to protect against ransomware (Incorrect):
While data encryption can help mitigate ransomware effects, Cisco AMP for Endpoints does not primarily focus on encrypting data. Its next-generation protection relies on prevention, detection, and response, not encryption as a core feature, making this option incorrect. (Reference: Cisco AMP for Endpoints Ransomware Protection.)

B. It leverages an endpoint protection platform and endpoint detection and response (Correct):
Cisco AMP for Endpoints combines an Endpoint Protection Platform (EPP) for real-time threat prevention (e.g., antivirus, exploit prevention) with Endpoint Detection and Response (EDR) for detecting and responding to advanced threats post-infection. This dual approach provides next-generation protection, aligning with this option. (Reference: Cisco AMP for Endpoints Datasheet, EPP/EDR Integration.)

C. It utilizes Cisco pxGrid, which allows Cisco AMP to pull threat feeds from threat intelligence centers (Incorrect):
Cisco pxGrid enables secure data sharing between security products, including threat intelligence, but it is an integration framework, not the primary mechanism for AMP’s next-generation protection. The EPP/EDR combination is the core, making this option secondary and incorrect. (Reference: Cisco pxGrid Overview.)

D. It integrates with Cisco FTD devices (Incorrect):
Integration with Cisco Firepower Threat Defense (FTD) devices enhances network-level security but is not the basis for AMP’s next-generation endpoint protection. AMP’s strength lies in endpoint-specific EPP and EDR capabilities, not network device integration, rendering this option incorrect. (Reference: Cisco FTD and AMP Integration Guide.)

Additional Notes:
Understanding AMP’s next-generation protection is a key topic in the 350-701 SCOR exam under endpoint security. As of 4:05 PM PKT, October 03, 2025, its EPP/EDR approach is cutting-edge.

Drag and drop the features of Cisco ASA with Firepower from the left onto the benefits on the right.


Which technology provides a combination of endpoint protection, endpoint detection, and response?

A. Cisco AMP

B. Cisco Talos

C. Cisco Threat Grid

D. Cisco Umbrella

A.   Cisco AMP

Explanation:
This question is about identifying the Cisco product that integrates the core functionalities of modern endpoint security.

Let's analyze each option:

Why Option A is Correct:
Cisco AMP (Advanced Malware Protection) for Endpoints is the product that directly provides this combination. It has evolved from a traditional antivirus into a full Endpoint Detection and Response (EDR) solution, which is now marketed as Cisco Secure Endpoint.

Endpoint Protection: It provides prevention capabilities like signature-based antivirus and behavioral monitoring to stop known and unknown threats.
Endpoint Detection: It continuously monitors all file and process activity on the endpoint, recording this information in a cloud timeline.
Response: If a threat is detected, it allows security analysts to investigate the entire attack scope using the timeline, contain the endpoint, and remediate the threat.

Why the Other Options are Incorrect:

Why Option B is Incorrect:
Cisco Talos is Cisco's threat intelligence and research group. It is the "brains" behind many Cisco security products. Talos analyzes global threat data to create the signatures, rules, and intelligence that power products like Cisco AMP, Firepower, and Umbrella. Talos is not a standalone product you deploy to endpoints; it is the intelligence service that feeds them.

Why Option C is Incorrect:
Cisco Threat Grid is a powerful malware analysis sandboxing technology. It executes suspicious files in a safe, virtual environment to analyze their behavior and produce a detailed report. While it integrates closely with Cisco AMP (AMP can automatically submit samples to Threat Grid), Threat Grid itself is not the endpoint agent. It is a supporting service for deep malware analysis.

Why Option D is Incorrect:
Cisco Umbrella is a cloud-delivered security service that acts as a secure internet gateway. It provides protection by blocking requests to malicious domains, IPs, and URLs before a connection is even established. This is a form of network-level security, not endpoint-based security. While it offers a roaming client for off-network endpoints, its primary function is DNS-layer security, not the deep endpoint detection and response provided by AMP.

Reference:
This is a fundamental product knowledge question within the Endpoint Protection and Detection domain. Understanding the distinct roles of Cisco's core security technologies—where AMP (Secure Endpoint) is the dedicated EDR platform—is essential for the 350-701 exam.

Which solution is made from a collection of secure development practices and guidelines that developers must follow to build secure applications?

A. AFL

B. Fuzzing Framework

C. Radamsa

D. OWASP

D.   OWASP

Explanation for Each Option:

A. AFL (Incorrect):
AFL (American Fuzzy Lop) is a security testing tool that uses fuzzing to identify vulnerabilities in software by providing invalid or unexpected inputs. While useful for secure development, it is a specific tool, not a collection of practices or guidelines that developers must follow to build secure applications, making this option incorrect. (Reference: AFL Fuzzing Documentation.)

B. Fuzzing Framework (Incorrect):
A fuzzing framework is a set of tools or libraries (e.g., Peach or Sulley) used to perform fuzz testing to uncover software vulnerabilities. It is a testing methodology, not a comprehensive set of development practices or guidelines for building secure applications, rendering this option unsuitable for the described solution. (Reference: Fuzzing Frameworks Overview.)

C. Radamsa (Incorrect):
Radamsa is an open-source fuzzing tool designed to generate test cases and detect software bugs or vulnerabilities. Like other fuzzing tools, it is a specific testing instrument, not a collection of secure development practices or guidelines that developers follow, making this option incorrect for the requirement. (Reference: Radamsa Project Documentation.)

D. OWASP (Correct):
The Open Web Application Security Project (OWASP) provides a collection of secure development practices, guidelines, and tools (e.g., OWASP Top Ten, Secure Coding Practices) that developers must follow to build secure applications. It offers a framework for identifying, preventing, and mitigating security risks throughout the development lifecycle, aligning with the described solution. (Reference: OWASP Secure Coding Practices.)

Additional Notes:
OWASP’s guidelines are a key topic in the 350-701 SCOR exam under secure development. As of 10:32 AM PKT, October 02, 2025, it remains a leading resource for application security. For details, refer to the OWASP website (owasp.org) and the 350-701 Exam Blueprint (Section 4.0 Automation and Development Security).

An engineer is configuring IPsec VPN and needs an authentication protocol that is reliable and supports ACK and sequence. Which protocol accomplishes this goal?

A. AES-192

B. IKEv1

C. AES-256

D. ESP

D.   ESP



An organization is selecting a cloud architecture and does not want to be responsible for patch management of the operating systems. Why should the organization select either Platform as a Service or Infrastructure as a Service for this environment?

A. Platform as a Service because the customer manages the operating system

B. Infrastructure as a Service because the customer manages the operating system

C. Platform as a Service because the service provider manages the operating system

D. Infrastructure as a Service because the service provider manages the operating system

C.   Platform as a Service because the service provider manages the operating system



What is a benefit of using GET VPN over FlexVPN within a VPN deployment?

A. GET VPN supports Remote Access VPNs

B. GET VPN natively supports MPLS and private IP networks

C. GET VPN uses multiple security associations for connections

D. GET VPN interoperates with non-Cisco devices

B.   GET VPN natively supports MPLS and private IP networks

Explanation:
Group Encrypted Transport VPN (GET VPN) is designed for a specific use case: securing multicast and unicast traffic over a trusted, private WAN core, such as MPLS or private IP networks.

B) GET VPN natively supports MPLS and private IP networks is CORRECT.
This is the core benefit and design goal of GET VPN. In a traditional IPsec VPN, tunnels are built between the edges of the network, which can break the native routing and multicast capabilities of the underlying WAN. GET VPN operates differently:

It encrypts the payload but leaves the original IP headers intact.

This allows the traffic to be routed natively across the MPLS or private IP cloud.

It preserves multicast functionality because the original multicast group addresses are still visible to the network core.

Why the other options are incorrect:

A) GET VPN supports Remote Access VPNs is INCORRECT.
GET VPN is strictly a site-to-site technology. FlexVPN, on the other hand, is a unified VPN solution that supports both site-to-site and remote access (client-based) VPNs.

C) GET VPN uses multiple security associations for connections is INCORRECT.
This is a characteristic of many VPNs and is not a unique benefit of GET VPN. In fact, a key feature of GET VPN is its use of a Group Security Association (GSA), which is a single, shared security association for the entire group, simplifying key management.

D) GET VPN interoperates with non-Cisco devices is INCORRECT.
GET VPN is a Cisco-proprietary technology. FlexVPN, which is based on IKEv2, has much better interoperability with non-Cisco devices that support standard IKEv2.

Reference:
Cisco GET VPN Design and Implementation Guides: These guides consistently highlight the technology's purpose of providing "end-to-end data confidentiality in a native mode" for "enterprise WANs built on a private IP or MPLS infrastructure."
