Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Updated on: 25-May-2026

Topic 3: Exam Pool C

What is an advantage of the Cisco Umbrella roaming client?

A. the ability to see all traffic without requiring TLS decryption

B. visibility into IP-based threats by tunneling suspicious IP connections

C. the ability to dynamically categorize traffic to previously uncategorized sites

D. visibility into traffic that is destined to sites within the office environment

B.   visibility into IP-based threats by tunneling suspicious IP connections

Explanation:
The Cisco Umbrella roaming client is a lightweight agent installed on endpoints (laptops, mobile devices) that provides security policy enforcement anywhere the device roams, not just on the corporate network.

Let's break down why B is the correct answer and the role of the other options:

B) visibility into IP-based threats by tunneling suspicious IP connections is CORRECT.
This is a key feature called Intelligent Proxy. When the roaming client identifies a connection to a suspicious or high-risk domain (based on Umbrella's threat intelligence), it can automatically route that specific connection through an Umbrella secure web gateway for full inspection and filtering. This provides deep visibility and protection for risky traffic even when the user is at a coffee shop or home, without tunneling all of their traffic.

Why the other options are incorrect:

A) the ability to see all traffic without requiring TLS decryption is INCORRECT.
No security solution can "see all traffic" without TLS decryption. Encrypted HTTPS traffic remains encrypted. The Umbrella roaming client provides security at the DNS layer for all traffic and can use the Intelligent Proxy for deeper inspection of some HTTP traffic, but it cannot see inside encrypted TLS sessions without a decryption certificate deployed to the endpoint.

C) the ability to dynamically categorize traffic to previously uncategorized sites is INCORRECT.
While Umbrella does dynamically categorize some new sites, this is a function of the Umbrella cloud service and its global intelligence, not a unique advantage of the roaming client. The client enforces the policies based on these categorizations.

D) visibility into traffic that is destined to sites within the office environment is INCORRECT.
This is the opposite of its purpose. The roaming client is designed for off-network protection. For traffic inside the office environment, you would typically use the organization's on-premises security appliances or direct traffic through the Umbrella SIG. The client often has a setting to bypass tunneling for local/internal domains.

Reference:

Cisco Umbrella Roaming Client Datasheet: The official documentation highlights the client's ability to "enforce security anywhere" and specifically describes the "Intelligent Proxy" feature that "automatically redirects risky DNS requests to a proxy for full transaction inspection."

Cisco Umbrella Deployment Guides: These guides explain that the roaming client provides layered security: DNS-layer security for all requests, with the added layer of the Intelligent Proxy for risky domains to block more threats.

Which telemetry data captures variations seen within the flow, such as the packet's TTL, IP/TCP flags, and payload length?

A. interpacket variation

B. software package variation

C. flow insight variation

D. process details variation

A.   interpacket variation

https://www.cisco.com/c/dam/global/en_uk/products/switches/cisco_nexus_9300_ex_platform_switches_white_paper_uki.pdf

A network engineer must configure a Cisco ESA to prompt users to enter two forms of information before gaining access. The Cisco ESA must also join a cluster machine using preshared keys. What must be configured to meet these requirements?

A. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA CLI.

B. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA GUI.

C. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA GUI.

D. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA CLI.

A.   Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA CLI.

Explanation
This question combines two distinct configuration tasks on the Cisco Email Security Appliance (ESA): administrative access and cluster management.

Requirement 1:
"Prompt users to enter two forms of information before gaining access."
This refers to Two-Factor Authentication (2FA) for administrators logging into the ESA (either via GUI or CLI).
The Cisco ESA does not have a built-in, native 2FA system. To achieve this, it must integrate with an external authentication server.
The ESA supports RADIUS as the external authentication protocol for this purpose. By configuring the ESA to use a RADIUS server (which can in turn be linked to a 2FA provider such as Duo Security, now Cisco Duo), it can enforce the requirement for a password (first factor) and a time-based token or push notification (second factor).

Requirement 2:
"Join a cluster machine using preshared keys."
This refers to forming an AsyncOS cluster with other ESAs for centralized management and reporting.
The process of joining a cluster, including the initial configuration and the input of the preshared key (PSK), is performed through the Command Line Interface (CLI) of the ESA. The GUI is not used for this specific cluster-joining operation.


Therefore, the correct procedure is to first set up the 2FA via RADIUS in the GUI or CLI, and then use the specific CLI commands to join the cluster with the PSK.

Detailed Breakdown of Incorrect Options:

B. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA GUI

Why it is incorrect:
While the first part (2FA via RADIUS) is correct, the second part is not. You cannot join an ESA to a cluster using the GUI. This is a CLI-only operation. The GUI is used for managing the cluster after it has been formed.

C. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA GUI

Why it is incorrect:
This option is wrong on both counts.
The Cisco ESA uses RADIUS, not TACACS+, for its external administrative authentication that can support 2FA.
As explained above, joining a cluster is done via the CLI, not the GUI.

D. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA CLI

Why it is incorrect:
This option correctly identifies using the CLI to join the cluster but incorrectly specifies TACACS+ as the protocol for 2FA. The ESA's external authentication for administrators is designed for RADIUS integration. TACACS+ is not a supported protocol for this function on the ESA.

Reference and Key Context:

Cisco ESA Administration Guide - Administrative Access:
The documentation for configuring external authentication explicitly covers RADIUS integration for administrative logins.

Cisco ESA Administration Guide - Clustering:
The procedure for "Joining a Cluster" is clearly outlined as a series of CLI commands (clusterconfig, joincluster, entering the PSK, etc.). The guide states that you must use the CLI for this task.

Key Takeaway:
For the exam, remember these two key facts about Cisco ESA:
2FA for Admin Access: Implemented by integrating with an external RADIUS server.
Cluster Formation: The act of joining a cluster with a preshared key is performed exclusively through the CLI.

An engineer integrates Cisco FMC and Cisco ISE using pxGrid. Which role is assigned to Cisco FMC?

A. client

B. server

C. controller

D. publisher

A.   client

Explanation
This question tests the understanding of the roles within the Cisco Platform Exchange Grid (pxGrid) framework. pxGrid is a publish-subscribe communication bus where different systems share information.

The roles are defined as follows:

pxGrid Client:
A system that consumes (subscribes to) information from the pxGrid framework. It can also publish its own data for others to use.

pxGrid Server/Controller:
This is the central broker that manages the entire pxGrid ecosystem. Cisco ISE always acts as the pxGrid server/controller. It facilitates the connection and data exchange between all the clients.

In the integration between Cisco FMC and Cisco ISE:
Cisco ISE is the pxGrid Server. It holds the authoritative data on user and endpoint identity.

Cisco FMC acts as a pxGrid Client. It connects to the ISE pxGrid server to subscribe to and consume context information (like user-to-IP mappings, endpoint profiles, and security group tags). FMC uses this information to create more dynamic and identity-aware firewall policies.

Why the other options are incorrect:

B. server:
This role is exclusively filled by Cisco ISE (or in some cases, a dedicated pxGrid node in the ISE network). FMC cannot be the pxGrid server.

C. controller:
This is another term for the pxGrid server, which is ISE.

D. publisher:
While a pxGrid client can publish data, this is not its primary role in this specific integration. In the FMC-ISE integration, FMC's primary function is to be a subscriber (a type of client) to the identity data that ISE publishes. The term "client" encompasses this subscriber role.

Reference:
The roles in a pxGrid integration are defined in the Cisco ISE and FMC configuration guides.

As per the Cisco Firepower Management Center Configuration Guide for ISE Integration:

"The Firepower System acts as a pxGrid client... The pxGrid server (ISE) provides the Firepower System with... context information."

Which compliance status is shown when a configured posture policy requirement is not met?

A. compliant

B. unknown

C. authorized

D. noncompliant

D.   noncompliant

https://www.cisco.com/c/en/us/td/docs/security/ise/13/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html

What is the difference between a vulnerability and an exploit?

A. A vulnerability is a hypothetical event for an attacker to exploit

B. A vulnerability is a weakness that can be exploited by an attacker

C. An exploit is a weakness that can cause a vulnerability in the network

D. An exploit is a hypothetical event that causes a vulnerability in the network

B.   A vulnerability is a weakness that can be exploited by an attacker

Explanation:
This question tests your understanding of fundamental cybersecurity terminology. The terms "vulnerability" and "exploit" are often used together but have distinct and specific meanings.

Let's break down the correct definitions and why the other options are incorrect:

Why Option B is Correct:
This option provides the precise and standard definition of the relationship.

Vulnerability:
This is a weakness, flaw, or bug in a system, software, process, or human factor that could potentially be used to compromise security. Examples include a software bug that allows for a buffer overflow, a misconfigured firewall rule, or a lack of employee security training.

Exploit:
This is the specific tool, technique, or code that an attacker uses to take advantage of a vulnerability. It is the method of attack. For example, a piece of malware written specifically to trigger that buffer overflow bug is the exploit.

In simple terms:
The vulnerability is the unlocked door. The exploit is the act of turning the handle and walking through it.

Why the Other Options are Incorrect:

Why Option A is Incorrect:
This statement is backwards. A vulnerability is a real, existing weakness, not a "hypothetical event." The exploit is the action taken based on that real weakness.

Why Option C is Incorrect:
This reverses the cause-and-effect relationship. An exploit does not cause a vulnerability. An exploit leverages or takes advantage of a vulnerability that already exists.

Why Option D is Incorrect:
This is also incorrect because it gets the definitions backwards and misrepresents the nature of an exploit. An exploit is a real attack method, not a "hypothetical event," and it targets a vulnerability; it does not create one.

Reference:
This is a core concept within the Security Concepts domain. Understanding the distinction between a vulnerability (the weakness), a threat (the potential for someone to cause harm), and an exploit (the method used) is foundational to all security risk management and is critical for the 350-701 SCOR exam.

An engineer adds a custom detection policy to a Cisco AMP deployment and encounters issues with the configuration. The simple detection mechanism is configured, but the dashboard indicates that the hash is not 64 characters and is non-zero. What is the issue?

A. The engineer is attempting to upload a hash created using MD5 instead of SHA-256

B. The file being uploaded is incompatible with simple detections and must use advanced detections

C. The hash being uploaded is part of a set in an incorrect format

D. The engineer is attempting to upload a file instead of a hash

A.   The engineer is attempting to upload a hash created using MD5 instead of SHA-256

Explanation for Each Option:

A. The engineer is attempting to upload a hash created using MD5 instead of SHA-256 (Correct):
Cisco AMP’s simple detection mechanism requires hashes in SHA-256 format, which produces a 64-character hexadecimal string. MD5 produces a 32-character hash, so the dashboard sees a value that is non-zero in length but not 64 characters, which is exactly the error described. This points to an incompatible hash type, matching the issue. (Reference: Cisco AMP Custom Detection Guide, Hash Requirements.)

B. The file being uploaded is incompatible with simple detections and must use advanced detections (Incorrect):
Simple detection in Cisco AMP supports uploading hashes (e.g., SHA-256) for file identification, not entire files. The error specifies a hash length issue, not file incompatibility, and advanced detection is for more complex rules, not a requirement here, making this option incorrect. (Reference: Cisco AMP Simple vs. Advanced Detection.)

C. The hash being uploaded is part of a set in an incorrect format (Incorrect):
The error mentions a single hash not being 64 characters, not a set of hashes. While a set could have format issues, the problem is specific to the hash length, suggesting an MD5 hash rather than a formatting error, rendering this option incorrect. (Reference: Cisco AMP Bulk Hash Upload Guide.)

D. The engineer is attempting to upload a file instead of a hash (Incorrect):
The dashboard indicates a hash length issue (not 64 characters), implying a hash was uploaded, not a file. AMP’s simple detection expects a hash, and the error suggests a length mismatch (e.g., MD5), not a file upload, making this option incorrect. (Reference: Cisco AMP Detection Policy Configuration.)

Additional Notes:
Configuring custom detection policies in Cisco AMP is a key topic in the 350-701 SCOR exam under endpoint security. As of 4:19 PM PKT, October 03, 2025, SHA-256 is the required hash standard.
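The length check the dashboard performs can be reproduced locally before anything is pasted into the console. The following is an added example written for this page; it is not Cisco AMP code and does not call any AMP API. It assumes only what the explanation above states: simple custom detections accept a bare SHA-256 hex digest of exactly 64 characters, and the common wrong inputs are an MD5 digest (32 characters), a SHA-1 digest (40 characters), a prefixed value such as `sha256:...`, or raw file content. The helper names (`classify_hash`, `check_simple_detection_hash`, `audit_hash_list`) and the sample file bytes are constructed for the demonstration.

```python
import hashlib
import re
from typing import Tuple

# Hex-digest lengths (in characters) of the algorithms an engineer is most
# likely to paste by mistake. AMP simple custom detections accept only the
# SHA-256 form, i.e. exactly 64 hex characters (constructed table, based on
# the digest sizes of the algorithms, not on any AMP data structure).
DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
REQUIRED_ALGO = "SHA-256"
REQUIRED_LEN = 64
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value: str) -> str:
    """Guess the algorithm behind a hex digest from its length alone.

    Returns 'unknown' for empty, non-hex, or unrecognised-length input.
    """
    v = value.strip()
    if not v or not HEX_RE.match(v):
        return "unknown"
    return DIGEST_LENGTHS.get(len(v), "unknown")


def check_simple_detection_hash(value: str) -> Tuple[bool, str]:
    """Pre-flight check mirroring the dashboard condition in the question:
    the value must be a hex string of exactly 64 characters (SHA-256).

    Returns (ok, reason); the reason names the likely mistake so the
    engineer can correct the input rather than guess.
    """
    v = value.strip()
    if not v:
        return False, "empty value: nothing was entered"
    if not HEX_RE.match(v):
        # Raw file contents, base64, or a 'sha256:'-prefixed value all land
        # here: simple detections want the bare hex digest only.
        return False, "not a hex string: looks like file data or a prefixed value, not a bare hash"
    if len(v) == REQUIRED_LEN:
        return True, f"{REQUIRED_ALGO} ({REQUIRED_LEN} hex characters)"
    algo = DIGEST_LENGTHS.get(len(v))
    if algo is not None:
        return False, f"{len(v)} characters: looks like {algo}; recompute the digest with {REQUIRED_ALGO}"
    return False, f"{len(v)} characters: not 64 and not a recognised digest length; {REQUIRED_ALGO} required"


def sha256_hex(data: bytes) -> str:
    """Compute the SHA-256 digest AMP expects for a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    """MD5 of the same bytes, used only to show the 32-character mismatch."""
    return hashlib.md5(data).hexdigest()


def audit_hash_list(values) -> dict:
    """Run the check over a whole pasted list and bucket accepted/rejected entries."""
    report = {"accepted": [], "rejected": []}
    for v in values:
        ok, reason = check_simple_detection_hash(v)
        report["accepted" if ok else "rejected"].append((v.strip(), reason))
    return report


# Constructed sample: bytes of a hypothetical suspicious file. The digests are
# computed here rather than hard-coded, so they are digests of this made-up
# content only, not indicators taken from any real case.
SAMPLE_FILE = b"constructed sample file content for a custom detection demo\n"
SAMPLE_SHA256 = sha256_hex(SAMPLE_FILE)
SAMPLE_MD5 = md5_hex(SAMPLE_FILE)


if __name__ == "__main__":
    # Four entries an engineer might paste: the right one, an MD5 digest,
    # a prefixed digest, and the file contents instead of a hash.
    candidates = [SAMPLE_SHA256, SAMPLE_MD5, "sha256:" + SAMPLE_SHA256, SAMPLE_FILE.decode()]
    report = audit_hash_list(candidates)
    for entry, reason in report["accepted"]:
        print(f"OK       {entry[:16]}...  {reason}")
    for entry, reason in report["rejected"]:
        print(f"REJECTED {entry[:16]}...  {reason}")
```

The length-based classification is a heuristic: a 64-character hex string could in principle be something other than SHA-256, so the check only confirms that the input has the shape AMP expects, which is all the dashboard error is reporting too.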

Which two characteristics of messenger protocols make data exfiltration difficult to detect and prevent? (Choose two)

A. Outgoing traffic is allowed so users can communicate with outside organizations.

B. Malware infects the messenger application on the user endpoint to send company data.

C. Traffic is encrypted, which prevents visibility on firewalls and IPS systems.

D. An exposed API for the messaging platform is used to send large amounts of data.

E. Messenger applications cannot be segmented with standard network controls

C.   Traffic is encrypted, which prevents visibility on firewalls and IPS systems.
E.   Messenger applications cannot be segmented with standard network controls

Explanation
Messenger protocols (like Slack, Microsoft Teams, WhatsApp, Telegram) are designed for modern communication, which inherently creates security challenges for data exfiltration.

C. Traffic is encrypted, which prevents visibility on firewalls and IPS systems:
This is a primary characteristic. These applications use strong encryption (TLS) to protect user privacy. While this is a security benefit, it also means that traditional network security devices cannot inspect the contents of the packets. They cannot see if a user is sending a harmless message or pasting a stolen database, making it extremely difficult to detect data exfiltration based on content.

E. Messenger applications cannot be segmented with standard network controls:
These applications are typically cloud-based and communicate with a wide range of IP addresses and domains that frequently change. They also often require a range of ports to function correctly. This makes it very difficult to create effective firewall rules or network segmentation policies to block them without also breaking legitimate business communication. An attacker can use the same whitelisted domains and ports that the business needs, allowing data to be smuggled out.

Why the other options are incorrect:

A. Outgoing traffic is allowed so users can communicate with outside organizations:
While true, this is a general characteristic of any outbound internet access and is not specific to the inherent properties of messenger protocols that make exfiltration hard to detect.

B. Malware infects the messenger application on the user endpoint to send company data:
This describes a specific attack vector (malware), but it is not a fundamental characteristic of the messenger protocol itself. The protocol's characteristics (encryption, hard-to-block network patterns) are what enable this malware to be effective, but the malware infection is not the characteristic.

D. An exposed API for the messaging platform is used to send large amounts of data:
While a misconfigured API is a risk, it is not a common characteristic of how these protocols are typically used for exfiltration. Most data exfiltration would occur through the standard client application that users have installed, not through a separate, exposed API.

Reference:
These challenges are discussed in the context of Data Loss Prevention (DLP) and Cloud Access Security Brokers (CASBs), which are solutions designed to address the visibility and control gaps created by encrypted, cloud-based applications like messengers.

Refer to the exhibit.

An engineer is implementing a certificate-based VPN. What is the result of the existing configuration?

A. The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization policy.

B. Only an IKEv2 peer that has an OU certificate attribute set to MANGLER establishes an IKEv2 SA successfully.

C. The OU of the IKEv2 peer certificate is encrypted when the OU is set to MANGLER.

D. The OU of the IKEv2 peer certificate is set to MANGLER.

A.   The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization policy.


Which feature is leveraged by advanced antimalware capabilities to be an effective endpoint protection platform?

A. big data

B. storm centers

C. sandboxing

D. blocklisting

C.   sandboxing

Explanation
Modern advanced antimalware capabilities, such as those in Cisco Advanced Malware Protection (AMP) for Endpoints, rely heavily on sandboxing to be an effective Endpoint Protection Platform (EPP).

A sandbox is a secure, isolated virtual environment where suspicious files can be executed and their behavior can be analyzed without risking the host system. This is crucial for detecting sophisticated, evasive malware that signature-based detection and simple blocklists would miss.

Here's how it works as part of an advanced EPP:
A file with an unknown reputation arrives on the endpoint.

The EPP sends the file to a cloud-based sandbox (like Cisco Threat Grid).

The sandbox detonates (executes) the file and observes its actions (e.g., modifying registry keys, making network connections, dropping other files).

Based on the malicious behavior observed, a verdict (malicious/clean) is generated and shared globally.

The EPP on the endpoint can then block, quarantine, or remediate the file.

This dynamic analysis is a cornerstone of "advanced" antimalware protection.

Why the other options are incorrect:

A. big data:
While big data analytics are used in the backend to correlate threats and identify patterns across the entire customer base, it is not the primary feature leveraged on the endpoint itself for analysis. Sandboxing is the direct, actionable technology for file analysis.

B. storm centers:
This is not a standard term in cybersecurity for endpoint protection.

D. blocklisting:
Blocklisting (or denylisting) is a fundamental, reactive security control that blocks known-bad hashes, URLs, or IPs. It is a component of an EPP but is not considered an "advanced" capability. Advanced protection is defined by its ability to detect unknown and zero-day threats, which is the function of sandboxing.

Reference:
The integration of sandboxing is a key differentiator for advanced endpoint security solutions.

The Cisco AMP for Endpoints data sheet highlights its integration with Cisco Secure Malware Analytics (Threat Grid), stating it "leverages sandboxing to detonate and analyze files... to uncover hidden, evasive threats." This confirms sandboxing as the critical advanced feature.
