- Updated on: 25-May-2026
Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Topic 1: Exam Pool A
A mall provides security services to customers with a shared appliance. The mall wants separation of management on the shared appliance. Which ASA deployment mode meets these needs?
A. routed mode
B. transparent mode
C. multiple context mode
D. multiple zone mode
Explanation for Each Option:
A. Routed mode (Incorrect):
Routed mode configures the Cisco ASA as a Layer 3 device, performing routing and NAT functions while inspecting traffic between interfaces. It does not provide separation of management on a shared appliance, as all configurations are managed in a single context without virtualization. This mode is suitable for standard firewall deployments but fails to meet the requirement for isolated customer management. (Reference: Cisco ASA Configuration Guide, Routed Mode Overview, cisco.com.)
B. Transparent mode (Incorrect):
Transparent mode operates the ASA as a Layer 2 bridge, allowing traffic to pass without changing IP addresses, ideal for insertion without network reconfiguration. However, it does not support separation of management on a shared appliance, as it maintains a single configuration context. This mode focuses on stealthy deployment but cannot isolate management for multiple customers, making it unsuitable. (Reference: Cisco ASA Transparent Mode Guide, cisco.com.)
C. Multiple context mode (Correct):
Multiple context mode virtualizes a single Cisco ASA into multiple independent firewalls, each with its own security policies, configurations, and management interfaces. This enables the mall to provide isolated security services to customers on a shared appliance while maintaining separation of management, ensuring compliance and security isolation. It meets the need for multi-tenancy on one device. (Reference: Cisco ASA Multiple Context Mode Configuration Guide, cisco.com.)
D. Multiple zone mode (Incorrect):
Multiple zone mode is not a recognized deployment mode for Cisco ASA. ASA supports routed, transparent, and multiple context modes, but no "multiple zone mode" exists in official documentation. This option may be confused with zone-based firewall policies in other Cisco products, but it does not apply to ASA for separating management on a shared appliance, rendering it invalid. (Reference: Cisco ASA Deployment Modes Overview, cisco.com.)
Additional Notes:
Multiple context mode is a key feature in the 350-701 SCOR exam under network security, enabling multi-tenancy for service providers like malls. As of October 02, 2025, this mode supports up to a model-dependent number of contexts (e.g., up to 250 on high-end ASAs).
An organization is using Cisco Firepower and Cisco Meraki MX for network security and needs to centrally manage cloud policies across these platforms. Which software should be used to accomplish this goal?
A. Cisco Defense Orchestrator
B. Cisco Secureworks
C. Cisco DNA Center
D. Cisco Configuration Professional
Cisco Defense Orchestrator
Drag and drop the threats from the left onto examples of that threat on the right.
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. When your credentials have been compromised, it means someone other than you may be in possession of your account information, such as your username and/or password.
What is a difference between DMVPN and sVTI?
A. DMVPN supports tunnel encryption, whereas sVTI does not.
B. DMVPN supports dynamic tunnel establishment, whereas sVTI does not.
C. DMVPN supports static tunnel establishment, whereas sVTI does not.
D. DMVPN provides interoperability with other vendors, whereas sVTI does not.
DMVPN supports dynamic tunnel establishment, whereas sVTI does not.
What is the function of the Context Directory Agent?
A. maintains users' group memberships
B. relays user authentication requests from Web Security Appliance to Active Directory
C. reads the Active Directory logs to map IP addresses to usernames
D. accepts user authentication requests on behalf of Web Security Appliance for user identification
reads the Active Directory logs to map IP addresses to usernames
https://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_oveviw.html
Why would a user choose an on-premises ESA versus the CES solution?
A. Sensitive data must remain onsite.
B. Demand is unpredictable.
C. The server team wants to outsource this service.
D. ESA is deployed inline.
Sensitive data must remain onsite.
What are two list types within AMP for Endpoints Outbreak Control? (Choose two)
A. blocked ports
B. simple custom detections
C. command and control
D. allowed applications
E. URL
D. allowed applications
Explanation
Cisco AMP for Endpoints' Outbreak Control feature is a proactive security mechanism that allows administrators to quickly enforce containment policies across their fleet in response to a new, high-severity global threat (an "outbreak"). It provides a set of pre-configured, draconian controls that can be activated with a single click.
Within Outbreak Control, you can create and manage specific lists to customize the lockdown behavior. The two list types are:
B. Simple Custom Detections:
This list allows you to define specific file hashes (SHA-256) that you want to either always block or always allow, regardless of the outbreak control state. This is useful for ensuring critical business applications are not blocked by a broad outbreak policy or for proactively blocking a malicious file specific to your environment.
D. Allowed Applications:
This is a crucial "safety net" list. When Outbreak Control is activated, it can be configured to block all unknown or unapproved applications. The Allowed Applications list is where you specify the trusted applications (by their file path, signer, or hash) that are exempt from this block policy. This prevents a company-wide outage by ensuring essential software like your corporate VPN client, accounting software, or other line-of-business applications continue to run.
Detailed Breakdown of Incorrect Options:
A. blocked ports:
Why it is incorrect:
Outbreak Control is focused on endpoint application and file execution control. It does not function as a host-based firewall that manages network traffic based on port numbers. Blocking ports is a separate function handled by the Windows Firewall or other network security products.
C. command and control:
Why it is incorrect:
While preventing command and control (C2) communication is a critical goal of endpoint security, it is not a specific list type within the Outbreak Control menu. C2 communication is typically blocked by the network-level security features of AMP (via the AMP cloud) or by the IPS/network sandboxing features integrated into the broader solution, not by a user-defined list in Outbreak Control.
E. URL:
Why it is incorrect:
URL filtering is a function of web security gateways (like Cisco Secure Web Appliance) or DNS security layers (like Cisco Umbrella). AMP for Endpoints is a file-centric solution that focuses on what is executing on the endpoint, not on filtering web traffic based on URLs. While it can detect malicious files downloaded from URLs, you cannot create a list of blocked/allowed URLs within the Outbreak Control feature itself.
Reference and Key Context:
Cisco AMP for Endpoints Console:
Navigating to the Outbreak Control section of the AMP console will directly show the "Allowed Applications" and "Simple Custom Detections" as the primary configurable list types.
Cisco Documentation:
The official administration guide for AMP for Endpoints details these list types under the Outbreak Control configuration steps, explaining their purpose for creating exceptions and custom blocks during a security lockdown.
Summary:
Outbreak Control is a "break-glass" containment feature. Its associated lists are designed to manage exceptions and custom rules for application execution ("Allowed Applications") and specific files ("Simple Custom Detections") to balance security and operational continuity during a crisis.
What are two Trojan malware attacks? (Choose two)
A. Frontdoor
B. Rootkit
C. Smurf
D. Backdoor
E. Sync
D. Backdoor
Explanation for Each Option:
A. Frontdoor (Incorrect):
Frontdoor is not a widely recognized Trojan malware attack. It may refer to an outdated file transfer tool or a misnomer, but it is not classified as a specific Trojan variant. Trojans are defined by their stealthy delivery of malicious payloads, and Frontdoor does not fit this category, making this option incorrect. (Reference: Malware Taxonomy, Cisco Security Encyclopedia.)
B. Rootkit (Correct):
A rootkit is a type of Trojan malware that provides unauthorized access to a system by concealing its presence and granting attackers administrative (root) privileges. It is delivered covertly, often as a legitimate-looking file, aligning with Trojan characteristics, making it a valid example. (Reference: Cisco Secure Endpoint Rootkit Detection Guide.)
C. Smurf (Incorrect):
A Smurf attack is a type of Denial-of-Service (DoS) attack that floods a network with ICMP echo requests using spoofed IP addresses. It is not a Trojan, as it does not involve delivering a malicious payload disguised as legitimate software, rendering this option incorrect. (Reference: Cisco DoS Mitigation Guide, Smurf Attacks.)
D. Backdoor (Correct):
A backdoor is a Trojan malware attack that creates a hidden entry point into a system, allowing attackers to bypass normal authentication and gain unauthorized access. It is typically disguised as legitimate software, fitting the Trojan definition, making it a valid example. (Reference: Cisco Malware Protection, Backdoor Threats.)
E. Sync (Incorrect):
"Sync" is not a recognized Trojan malware attack. It might be a typo or confusion with a SYN flood (a DoS attack type), which overwhelms a target with TCP SYN packets. As it does not represent a Trojan payload, this option is incorrect. (Reference: Cisco Security Threat Intelligence, SYN Floods.)
Additional Notes:
Identifying Trojan malware types is a key topic in the 350-701 SCOR exam under endpoint security. As of 02:09 PM PKT, October 02, 2025, rootkits and backdoors remain prevalent threats. For details, refer to the Cisco Secure Endpoint documentation (cisco.com) and the 350-701 Exam Blueprint (Section 2.0 Endpoint Security).
An organization has two systems in their DMZ that have an unencrypted link between them for communication. The organization does not have a defined password policy and uses several default accounts on the systems. The applications used on those systems have also not gone through stringent code reviews. Which vulnerability would help an attacker brute force their way into the systems?
A. weak passwords
B. lack of input validation
C. missing encryption
D. lack of file permission
Explanation
The question is very specific: it asks which vulnerability would help an attacker brute force their way into the systems.
Brute Force Attack:
This is a specific type of attack where an attacker systematically tries many password combinations until they find the correct one.
Weak Passwords:
This vulnerability directly enables successful brute force attacks. If passwords are short, common, predictable, or use default credentials (as mentioned in the scenario: "no defined password policy and uses several default accounts"), the number of guesses an attacker needs to make is dramatically reduced. This makes a brute-force attack practical and likely to succeed.
The unencrypted link (missing encryption) is a serious vulnerability, but it enables a different, more efficient type of attack.
Detailed Breakdown of Incorrect Options
B. lack of input validation:
Why it is incorrect:
Lack of input validation leads to vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), or buffer overflows. These are attacks that exploit logic flaws in the application code. An attacker using these methods is not "brute forcing their way in" by guessing passwords; they are exploiting a programming error to bypass authentication or execute commands directly.
C. missing encryption:
Why it is incorrect:
Missing encryption (the unencrypted link) enables eavesdropping or credential sniffing. An attacker on the network path could capture the authentication traffic and simply read the username and password as they are transmitted in clear text. If an attacker can sniff the credentials, they don't need to brute-force them. This is a more efficient attack that bypasses the need for brute-forcing entirely. Therefore, while a critical flaw, it does not "help" a brute-force attack; it provides a superior alternative.
D. lack of file permission:
Why it is incorrect:
Improper file permissions could allow an attacker who already has some access to a system to read sensitive files (like password hashes). However, this is typically a post-exploitation step or a separate attack vector. It does not directly facilitate a brute-force attack against a live login service.
Key Takeaway:
The question is very specific: "Which vulnerability would help an attacker brute force their way in?"
Brute Force is guessing passwords. Weak passwords make guessing easy and practical.
Sniffing (enabled by missing encryption) is stealing passwords, which is a different and often superior attack method.
An administrator is trying to determine which applications are being used in the network but does not want the network devices to send metadata to Cisco Firepower. Which feature should be used to accomplish this?
A. NetFlow
B. Packet Tracer
C. Network Discovery
D. Access Control
Explanation
The key requirement in the question is that the administrator wants to identify applications on the network without having the network devices send metadata to Cisco Firepower. This excludes features that rely on Firepower's own deep packet inspection or metadata collection.
A. NetFlow:
This is the correct answer. NetFlow (and its variants like IPFIX and Flexible NetFlow) is a standard protocol for network traffic monitoring and statistics collection. Network devices (routers, switches) can be configured to export NetFlow records to a collector. These records contain information about traffic flows, including source/destination IPs, ports, and protocols. A NetFlow analysis tool can then interpret this data to infer and report on the applications in use, all without sending any proprietary metadata to the Firepower Management Center. It is a separate, standards-based data source.
Why the other options are incorrect:
B. Packet Tracer:
This is a troubleshooting tool within Firepower and ASA devices used to simulate how a packet would be processed by the configuration (ACLs, NAT, etc.). It does not provide a network-wide view of application usage.
C. Network Discovery:
This is a specific feature within Cisco Firepower that relies on metadata sent to it. Firepower uses various methods, including its own deep packet inspection and the analysis of metadata from sensors, to build a map of hosts, services, and applications on the network. This is explicitly what the administrator is trying to avoid.
D. Access Control:
This is the core policy enforcement feature of Firepower. While Access Control policies can be used to see traffic that they block or allow, the visibility they provide is a byproduct of the Firepower platform inspecting the traffic itself. It requires the network device (Firepower Threat Defense appliance, etc.) to send data to the Firepower Management Center, which is against the stated requirement.
Reference:
This distinction is covered in the architecture of network visibility tools. The fundamental difference is:
Firepower Network Discovery & Application Detectors: These are proprietary, deep-packet inspection based technologies that require the sensor to process and send data to the FMC.
NetFlow: An industry-standard flow export protocol. The data is collected and analyzed independently of the Firepower application identification engine.
In summary, if the goal is to identify applications without using Firepower's native metadata-based discovery, the administrator must use an external source of traffic data, and NetFlow is the standard method for achieving this.
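As an added illustration of the NetFlow path described above (example code written for this page, not from Cisco or the original question bank), the following Python decodes a constructed NetFlow v5 export datagram and aggregates bytes per application inferred from the server-side port, the way a stand-alone collector reports application usage without any Firepower metadata. The port-to-application table, the addresses and the three flows are all assumptions.

```python
import socket
import struct
from collections import Counter

HEADER_FMT = "!HHIIIIBBH"                # NetFlow v5 header (24 bytes)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # NetFlow v5 flow record (48 bytes)
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
# Port-to-application table (assumption; a real collector carries a far larger one)
PORT_APPS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

def build_record(src, dst, sport, dport, proto, octets):
    """Encode one constructed v5 record; fields the example ignores are zero."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0\0\0\0", 1, 2, 1, octets, 0, 0, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)

def parse_datagram(data):
    """Decode a v5 export datagram (header + records) into flow dicts."""
    version, count = struct.unpack(HEADER_FMT, data[:HEADER_LEN])[:2]
    if version != 5 or len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("not a complete NetFlow v5 datagram")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def classify(flow):
    """Infer the application from the server-side (lower, well-known) port."""
    if flow["proto"] not in (6, 17):      # 6 = TCP, 17 = UDP
        return "non-tcp-udp"
    return PORT_APPS.get(min(flow["sport"], flow["dport"]), "unknown")

def app_bytes(data):
    """Aggregate bytes per inferred application, as a collector report would."""
    totals = Counter()
    for flow in parse_datagram(data):
        totals[classify(flow)] += flow["octets"]
    return dict(totals)

# Constructed sample export of three flows (not a real capture); header fields
# other than version and record count are left at zero.
RECORDS = [build_record("10.0.0.5", "203.0.113.10", 51234, 443, 6, 4200),
           build_record("10.0.0.6", "203.0.113.10", 51235, 443, 6, 1800),
           build_record("10.0.0.5", "10.0.0.53", 40001, 53, 17, 120)]
SAMPLE = struct.pack(HEADER_FMT, 5, len(RECORDS), 0, 0, 0, 0, 0, 0, 0) + b"".join(RECORDS)
```

Pointing `parse_datagram` at the payload of a UDP datagram received from an exporter gives the same per-application totals for live traffic.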