200-201 (Cisco Systems): Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


CCNA Cybersecurity (Cisco Certified CyberOps Associate, exam 200-201 CBROPS)

The Cisco Certified CyberOps Associate (200‑201) exam validates an analyst’s ability to monitor, detect, analyze, and respond to security events across security, host, and network layers, using industry‑standard tools and procedures.

Exam length: 120 minutes
Exam cost: $330

Who Should Take This

The exam is intended for security-operations analysts who have at least one year of SOC experience and want to formalize their expertise; Cisco sets no formal prerequisite for it. Candidates typically hold roles such as SOC analyst, incident responder, or junior threat hunter and aim to advance toward senior analyst or security engineering positions.

What's Covered

  • All domains in the Cisco Certified CyberOps Associate (200-201) exam: Security Concepts, Security Monitoring, Host-Based Analysis, Network Intrusion Analysis, and Security Policies and Procedures.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

60 learning goals
Domain 1: Security Concepts (4 topics)

Describe the CIA triad and security principles

  • Describe the CIA triad and explain how confidentiality, integrity, and availability objectives guide security control selection, risk assessment, and incident classification in SOC operations.
  • Describe security concepts including defense-in-depth, least privilege, separation of duties, need-to-know, and zero trust and explain how each principle reduces risk in enterprise environments.

Describe common threats and attack techniques

  • Describe the cyber kill chain phases (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives) and explain how defenders can disrupt each phase.
  • Describe the MITRE ATT&CK framework including tactics, techniques, and procedures (TTPs) and explain how SOC analysts use ATT&CK matrices to classify observed adversary behaviors.
  • Identify common malware types including viruses, worms, trojans, ransomware, rootkits, cryptominers, and fileless malware and describe their infection vectors, persistence mechanisms, and impact.
  • Describe common web application attacks including SQL injection, cross-site scripting (XSS), CSRF, directory traversal, and command injection and explain how each exploits application vulnerabilities.
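
Worked example (added here; not part of the course material or Cisco's exam content). The SQL injection bullet above is easiest to understand with the vulnerable query next to its fix: the first login function builds SQL by string concatenation, the second binds parameters, and a third function is a crude triage heuristic an analyst might run over web or proxy logs. The users table, account names and passwords are constructed for the example and live in an in-memory SQLite database.

```python
"""SQL injection: a string-built login query beside its parameterized fix, plus a crude
log-review heuristic. Added example, not course material; the users table is constructed
in an in-memory SQLite database so it runs offline."""
import sqlite3


def make_db():
    """Throwaway database with two constructed accounts (plaintext passwords on purpose:
    the point here is the query, not credential storage)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "S3cret!", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into SQL: a quote in the input changes the query's structure."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def looks_like_sqli(value):
    """Triage heuristic for web/proxy log review, not a defence: a quote plus a
    tautology, comment marker or UNION is worth a second look."""
    v = value.lower()
    return "'" in v and any(tok in v for tok in (" or ", "--", "/*", "union "))


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # password check becomes ... AND password='' OR '1'='1'
    comment = "alice'--"        # comments out the password check (SQLite uses -- comments)
    print(login_vulnerable(db, "alice", tautology))   # every account
    print(login_vulnerable(db, comment, "wrong"))     # alice without her password
    print(login_safe(db, "alice", tautology))         # nothing
    print(looks_like_sqli(tautology), looks_like_sqli("alice"))
```

The tautology payload works because AND binds tighter than OR, so the WHERE clause becomes "(username matches AND password is empty) OR true". The parameterized version returns nothing for the same input because the quote never reaches the SQL parser.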

Describe cryptography and PKI concepts

  • Compare symmetric algorithms (AES, and the now-deprecated 3DES) with asymmetric algorithms (RSA for encryption and signatures, ECDSA for signatures only) by evaluating key management, performance characteristics, and typical use cases in enterprise security.
  • Describe hashing algorithms (MD5, SHA-1, SHA-256, SHA-3) and explain their role in password storage (salted and stretched with a slow key-derivation function, never a bare hash), file integrity verification, and digital signatures, and how the practical collision attacks on MD5 and SHA-1 affect each use.
  • Describe PKI components including certificate authorities, registration authorities, certificate revocation lists, OCSP, and how TLS/SSL certificate chains establish trust for secure communications.

Describe network protocol security concepts

  • Describe TCP/IP protocol stack security implications including protocol vulnerabilities, common exploitation techniques at each layer, and how protocol design affects attack surface.
  • Describe common network services (DHCP, DNS, HTTP, SMTP, FTP) and their security implications including service misconfigurations, protocol weaknesses, and attack opportunities at each service layer.
  • Describe the difference between signature-based, anomaly-based, and behavior-based detection approaches and explain how each method balances detection accuracy with false positive rates.
Domain 2: Security Monitoring (4 topics)

Describe security monitoring data sources

  • Identify security monitoring data sources including network packet captures, NetFlow/IPFIX records, firewall logs, IDS/IPS alerts, proxy logs, DNS logs, and endpoint detection logs.
  • Describe network telemetry technologies including NetFlow, sFlow, and IPFIX and explain how flow data provides visibility into traffic patterns, top talkers, and anomalous communication for security analysis.
  • Describe the role of full packet capture versus flow-based analysis in security monitoring and evaluate when each approach is appropriate for detection, investigation, and evidence collection.
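
Worked example (added here; not part of the course material or Cisco's exam content). The flow-data bullets above list "top talkers" and "anomalous communication" as what NetFlow/IPFIX gives an analyst; this script does both over a constructed set of flow records (RFC 5737 addresses), summing bytes per source and flagging conversations whose inter-flow timing is too regular to be human, which is the shape of a command-and-control beacon. The record layout and the thresholds are assumptions for the example.

```python
"""Flow-record analysis: top talkers and beaconing detection over NetFlow-style records.
Added example, not course material. FLOWS is constructed (RFC 5737 addresses) with the
five fields an analyst gets from NetFlow/IPFIX; thresholds are assumptions to tune."""
from collections import defaultdict
from statistics import mean, pstdev

# (start_epoch, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    # 10.0.0.5 -> 203.0.113.7:443 every ~60 s with small jitter: the shape of a C2 beacon
    *[(1700000000 + 60 * i + i % 3, "10.0.0.5", "203.0.113.7", 443, 412) for i in range(12)],
    # 10.0.0.8 browsing: irregular timing, varied sizes
    (1700000005, "10.0.0.8", "198.51.100.2", 443, 15320),
    (1700000031, "10.0.0.8", "198.51.100.2", 443, 80211),
    (1700000190, "10.0.0.8", "198.51.100.2", 443, 2099),
    (1700000203, "10.0.0.8", "198.51.100.9", 80, 9401),
    (1700000520, "10.0.0.8", "198.51.100.2", 443, 44120),
    (1700000531, "10.0.0.8", "198.51.100.2", 443, 1210),
]


def top_talkers(flows, n=3):
    """Bytes sent per source host, largest first: the first cut an analyst makes on flow data."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def find_beacons(flows, min_flows=8, max_cv=0.1):
    """Flag (src, dst, dport) conversations whose inter-flow gaps are nearly constant.
    The coefficient of variation (stdev / mean) of the gaps is near 0 for scheduled
    callbacks and large for human-driven traffic; jittered beacons raise it, so tune max_cv."""
    stamps_by_conv = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        stamps_by_conv[(src, dst, dport)].append(ts)
    hits = []
    for conv, stamps in stamps_by_conv.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({"conversation": conv, "flows": len(stamps),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    for hit in find_beacons(FLOWS):
        print("beacon candidate:", hit)
```

Note what the two views disagree on: the browsing host moves far more bytes, while the beaconing host is small and quiet. Volume alone would never surface it; timing does. On real flow data, raise min_flows and evaluate per hour so that legitimate pollers (NTP, update checks) can be baselined and excluded.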

Describe SIEM concepts and operation

  • Describe SIEM system architecture including log collection, normalization, indexing, correlation rules, alert generation, and dashboard visualization for centralized security event management.
  • Apply SIEM search and filter operations to investigate security alerts by constructing queries, correlating events across log sources, and identifying patterns indicative of malicious activity.
  • Analyze SIEM correlation rules and alert tuning strategies to differentiate true positive alerts from false positives and determine appropriate analyst response actions based on alert severity.

Describe security event and alert analysis

  • Describe indicators of compromise (IoCs) including malicious IP addresses, domain names, file hashes, URL patterns, and behavioral indicators and explain how they are used in threat detection.
  • Apply threat intelligence feeds and reputation services to enrich security alerts with contextual information about known threat actors, campaigns, and malicious infrastructure.
  • Analyze a security monitoring scenario to classify events as true positive, false positive, true negative, or false negative and recommend appropriate investigation or tuning actions.

Describe security monitoring architecture

  • Describe the network security monitoring (NSM) data types popularized by Security Onion, including full packet capture, session (flow) data, transaction data, statistical data, metadata, and alert data, and how each contributes to comprehensive network security monitoring.
  • Describe network security monitoring deployment architectures including TAP versus SPAN port mirroring, inline versus passive sensor placement, and considerations for encrypted traffic inspection.
Domain 3: Host-Based Analysis (3 topics)

Describe Windows and Linux OS security concepts

  • Describe Windows operating system security components including User Account Control (UAC), Windows Defender, BitLocker, Windows Firewall, and Event Viewer for host-based security monitoring.
  • Describe Linux operating system security components including iptables/nftables, SELinux/AppArmor, auditd, syslog, and user/group permission models for host-based security monitoring.
  • Describe file system structures for Windows (NTFS, MFT, alternate data streams) and Linux (ext4, inode table, file permissions) and explain forensically relevant artifacts in each file system.
  • Describe common persistence mechanisms used by adversaries on Windows (scheduled tasks, services, registry Run keys, startup folders) and Linux (crontab, systemd services, init scripts, LD_PRELOAD) systems.

Analyze endpoint artifacts for security investigation

  • Analyze Windows event logs (Security, System, Application) to identify suspicious authentication events, privilege escalation attempts, service installations, and scheduled task modifications.
  • Analyze Windows registry artifacts including Run/RunOnce keys, services, installed software, USB device history, and user activity to identify persistence mechanisms and system modifications.
  • Analyze Linux log files (/var/log/auth.log, syslog, kern.log, secure) to identify unauthorized login attempts, sudo abuse, cron job modifications, and suspicious process execution.
  • Apply process investigation techniques using Task Manager, Process Explorer, ps, top, and lsof to identify suspicious processes, their network connections, loaded modules, and parent-child relationships.
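
Worked example (added here; not part of the course material or Cisco's exam content). The Linux log bullet above names the things an analyst looks for in /var/log/auth.log: unauthorized login attempts, sudo abuse and cron changes. This script parses constructed Debian-style sshd, sudo and cron lines and applies three checks: a correlation rule (repeated SSH failures from one address followed by a success), sudo straight into a root shell, and a cron job running out of a world-writable directory. The log lines, host names and thresholds are constructed for the example.

```python
"""Linux auth.log/syslog triage: brute force that ends in a login, sudo to a shell, cron from /tmp.
Added example, not course material. SAMPLE_LOG is constructed in Debian sshd/sudo/cron format;
thresholds are assumptions to tune against your own baseline."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 02:14:07 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 02:14:09 web01 sshd[2203]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 02:14:11 web01 sshd[2205]: Failed password for invalid user test from 198.51.100.23 port 51248 ssh2
Mar  3 02:14:14 web01 sshd[2207]: Failed password for deploy from 198.51.100.23 port 51255 ssh2
Mar  3 02:14:17 web01 sshd[2209]: Failed password for deploy from 198.51.100.23 port 51261 ssh2
Mar  3 02:14:22 web01 sshd[2219]: Accepted password for deploy from 198.51.100.23 port 51290 ssh2
Mar  3 02:15:01 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  3 02:15:30 web01 CRON[2250]: (deploy) CMD (/tmp/.x/run.sh)
Mar  3 09:00:01 web01 sshd[3001]: Accepted publickey for alice from 10.0.0.20 port 40100 ssh2
Mar  3 09:00:15 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
CRON = re.compile(r"CRON\[\d+\]: \((\S+)\) CMD \((.*)\)$")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash", "/usr/bin/zsh"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not a line we handle."""
    head = TS.match(line)
    if not head:
        return None
    mon, day, clock, host = head.groups()
    # syslog omits the year; strptime defaults it to 1900, fine for ordering within one file
    ev = {"ts": datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S"), "host": host}
    m = FAILED.search(line)
    if m:
        return {**ev, "kind": "failed", "user": m[1], "src": m[2]}
    m = ACCEPTED.search(line)
    if m:
        return {**ev, "kind": "accepted", "method": m[1], "user": m[2], "src": m[3]}
    m = SUDO.search(line)
    if m:
        return {**ev, "kind": "sudo", "user": m[1], "target": m[2], "command": m[3]}
    m = CRON.search(line)
    if m:
        return {**ev, "kind": "cron", "user": m[1], "command": m[2]}
    return None


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def detect_brute_force(events, threshold=5, window_s=300):
    """Correlation rule: >= threshold failed SSH logins from one IP, then a success within window_s."""
    failures, findings = defaultdict(list), []
    for ev in events:
        if ev["kind"] == "failed":
            failures[ev["src"]].append(ev["ts"])
        elif ev["kind"] == "accepted":
            recent = [t for t in failures[ev["src"]] if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                findings.append({"src": ev["src"], "user": ev["user"], "method": ev["method"],
                                 "failures": len(recent), "at": ev["ts"].strftime("%b %d %H:%M:%S")})
    return findings


def suspicious_privilege_use(events):
    """sudo that drops straight into a root shell, and cron jobs executing from scratch directories."""
    findings = []
    for ev in events:
        if ev["kind"] == "sudo" and (ev["command"].split() or [""])[0] in SHELLS:
            findings.append(("sudo_shell", ev["user"], ev["command"]))
        elif ev["kind"] == "cron" and ev["command"].startswith(SCRATCH_DIRS):
            findings.append(("cron_from_scratch_dir", ev["user"], ev["command"]))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in detect_brute_force(evs) + suspicious_privilege_use(evs):
        print(finding)
```

Read the three findings together and they tell one story: password guessing against several accounts, a successful password login for deploy from the same address, an immediate sudo to a root shell, then a cron job in /tmp, which is a persistence mechanism from the earlier bullet. alice's key-based login and apt run are left alone by every check.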

Describe malware analysis fundamentals

  • Compare static and dynamic malware analysis methods and describe how each approach reveals file properties, embedded strings, behavioral indicators, and network communication patterns.
  • Describe sandbox analysis environments for safe malware execution and explain how automated sandboxes capture file system changes, registry modifications, network callbacks, and process behaviors.
  • Describe common malware evasion techniques including obfuscation, packing, polymorphism, living-off-the-land binaries (LOLBins), and fileless execution and explain how each technique challenges detection.
Domain 4: Network Intrusion Analysis (4 topics)

Analyze network protocol traffic

  • Analyze TCP three-way handshake and connection teardown sequences in packet captures to identify normal versus abnormal connection behavior including SYN floods, RST attacks, and half-open connections.
  • Analyze DNS query and response packets to identify suspicious activity including DNS tunneling, domain generation algorithms (DGA), fast-flux DNS, and queries to known malicious domains.
  • Analyze HTTP/HTTPS traffic patterns in packet captures and proxy logs to identify web-based attacks, command-and-control communication, data exfiltration, and suspicious user-agent strings.
  • Analyze SMTP, POP3, and IMAP email protocol traffic to identify phishing delivery, malicious attachments, header spoofing, and unauthorized email relay activity in packet captures.
  • Analyze ICMP traffic patterns to identify reconnaissance activity including ping sweeps, traceroute mapping, and ICMP tunneling used for covert data exfiltration channels.
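
Worked example (added here; not part of the course material or Cisco's exam content). The DNS bullet above lists tunneling and DGA traffic as things to spot in query logs; the features that separate them from normal resolution are long, high-entropy, never-repeating subdomains under one registered domain, usually as TXT or NULL queries. This script profiles a constructed query log (RFC 2606 names; the tunnel labels are SHA-256 prefixes standing in for encoded payload) per client and registered domain and flags the outlier. The two-label split of the registered domain and the thresholds are assumptions for the example.

```python
"""DNS tunneling heuristics over query logs: long, high-entropy, never-repeating subdomains
to one registered domain, mostly TXT/NULL queries. Added example, not course material;
QUERIES is constructed (RFC 2606 names); the tunnel labels are hashes standing in for encoded data."""
import hashlib
import math
from collections import Counter, defaultdict


def _chunk(i):
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]


QUERIES = (  # (client_ip, qname, qtype), as a resolver log or Zeek dns.log would supply
    [("10.0.0.5", "www.example.com", "A")] * 10
    + [("10.0.0.5", "mail.example.com", "MX")] * 5
    + [("10.0.0.5", "cdn.example.net", "A")] * 3
    + [("10.0.0.9", f"{_chunk(i)}.t.example.org", "TXT") for i in range(30)]
)


def shannon_entropy(s):
    """Bits per character; English labels sit around 2-3, hex/base32 payloads near 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_qname(qname):
    """(subdomain, registered domain) using the last two labels. Assumption for this example:
    real code needs the Public Suffix List, or host.example.co.uk splits wrongly."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_dns(queries):
    """Per (client, registered domain): volume, unique-subdomain ratio, mean subdomain
    length and entropy, and the share of TXT/NULL queries (the types tunnels favour)."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for client, qname, qtype in queries:
        sub, reg = split_qname(qname)
        b = acc[(client, reg)]
        b["n"] += 1
        b["subs"].add(sub)
        b["len"] += len(sub)
        b["ent"] += shannon_entropy(sub.replace(".", ""))
        b["txt"] += qtype in ("TXT", "NULL")
    return {key: {"queries": b["n"], "unique_ratio": len(b["subs"]) / b["n"],
                  "mean_sub_len": b["len"] / b["n"], "mean_entropy": b["ent"] / b["n"],
                  "txt_share": b["txt"] / b["n"]} for key, b in acc.items()}


def flag_tunnels(profiles, min_queries=20, min_len=30, min_unique=0.9, min_entropy=3.0):
    """Thresholds are assumptions: start here, then tune against your own resolver baseline."""
    return [key for key, p in profiles.items()
            if p["queries"] >= min_queries and p["mean_sub_len"] >= min_len
            and p["unique_ratio"] >= min_unique and p["mean_entropy"] >= min_entropy]


if __name__ == "__main__":
    profiles = profile_dns(QUERIES)
    for key in flag_tunnels(profiles):
        print("possible DNS tunnel:", key, profiles[key])
```

The benign client repeats a handful of short names (unique ratio 2/15 for example.com), while the tunnelling client never asks the same name twice and every query is TXT. CDN and cloud services also produce long, unique-looking names, so in production the registered domain's reputation and age are the next enrichment step before escalating.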

Use packet capture and analysis tools

  • Apply Wireshark display filters to isolate specific traffic by protocol, IP address, port number, and conversation to investigate security incidents from pcap files.
  • Apply tcpdump command-line options to capture network traffic with specific BPF filters, save captures to pcap files, and perform basic protocol analysis on Linux-based security monitoring platforms.

Identify common network attack patterns

  • Identify network reconnaissance patterns including port scans (SYN, FIN, XMAS), OS fingerprinting, service enumeration, and vulnerability scanning by analyzing IDS alerts and packet capture data.
  • Identify Layer 2 network attacks including ARP spoofing/poisoning, MAC flooding, VLAN hopping, and DHCP starvation by analyzing switch logs, ARP tables, and packet captures.
  • Analyze a network intrusion scenario to trace the attack progression from initial reconnaissance through exploitation, lateral movement, and data exfiltration using multiple log and packet capture sources.

Describe IDS/IPS concepts and signatures

  • Describe IDS/IPS detection methods including signature-based, anomaly-based, and policy-based detection and explain how Snort/Suricata rules match traffic patterns to generate security alerts.
  • Interpret Snort rule syntax including header fields (action, protocol, source/destination IP and port) and rule options (content, pcre, sid, rev) to understand what traffic patterns trigger IDS alerts.
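
Worked example (added here; not part of the course material and not Snort's own code). The bullet above asks you to read a Snort rule's header and options; the quickest way to learn that is to parse one and run packets through it. This toy interpreter handles the header fields, content (including |hex| sections and the nocase modifier), pcre, and keeps msg/sid/rev for the alert, but it is stateless, so flow: and other stream-dependent options are stored without being evaluated. HOME_NET, the rule and the packets are constructed for the example.

```python
"""Toy Snort-rule interpreter: parse the header and options, then test packets against it.
Added example, not course material and not Snort code; flow: etc. are stored, not evaluated."""
import ipaddress
import re

HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]  # assumed
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def split_options(body):
    """Split the option body on ';' outside double quotes; a backslash escapes the next char."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if not escaped and ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
            continue
        if not escaped and ch == '"':
            quoted = not quoted
        escaped = ch == "\\" and not escaped
        cur += ch
    opts.append(cur.strip())
    return [tuple(o.split(":", 1)) if ":" in o else (o, None) for o in opts if o]

def decode_content(value):
    """content:"GET |0d 0a|" -> b"GET \\r\\n": text outside |..| is literal, inside is hex."""
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1") for i, p in enumerate(parts))

def compile_pcre(value):
    """pcre:"/pattern/flags" -> compiled bytes regex; i, s and m flags are honoured."""
    last = value.rfind("/")
    if not value.startswith("/") or last == 0:
        raise ValueError(f"malformed pcre option: {value}")
    flags = sum({"i": re.I, "s": re.S, "m": re.M}.get(f, 0) for f in value[last + 1:])
    return re.compile(value[1:last].encode("latin-1"), flags)

def addr_match(spec, ip):
    """any, $HOME_NET, $EXTERNAL_NET or a CIDR, with optional leading '!'."""
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    addr = ipaddress.ip_address(ip)
    in_home = any(addr in net for net in HOME_NET)
    if spec == "any":
        hit = True
    elif spec in ("$HOME_NET", "$EXTERNAL_NET"):
        hit = in_home if spec == "$HOME_NET" else not in_home
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_match(spec, port):
    """any, a single port or a lo:hi range (either end open), with optional leading '!'."""
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a unidirectional Snort rule")
    action, proto, src, sport, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": [], "pcre": [], "opts": {}}
    for name, value in split_options(body):
        if value is not None:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
        if name == "content":
            rule["contents"].append({"pattern": decode_content(value), "nocase": False})
        elif name == "nocase":  # modifier: applies to the content option that precedes it
            rule["contents"][-1]["nocase"] = True
        elif name == "pcre":
            rule["pcre"].append(compile_pcre(value))
        else:
            rule["opts"][name] = value  # msg, flow, classtype, sid, rev: kept for the alert
    return rule

def rule_matches(rule, pkt):
    """Stateless check of one packet: header fields, then every content, then every pcre."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])):
        return False
    payload = pkt["payload"]
    for c in rule["contents"]:
        hay, needle = (payload.lower(), c["pattern"].lower()) if c["nocase"] else (payload, c["pattern"])
        if needle not in hay:
            return False
    return all(p.search(payload) for p in rule["pcre"])

# Constructed rule and packets (RFC 5737 addresses); sid 1000001 is in the local-rules range.
RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK cmd.exe access"; '
        r'flow:to_server,established; content:"GET"; content:"cmd.exe"; nocase; '
        r'pcre:"/cmd\.exe\s*\?/i"; classtype:web-application-attack; sid:1000001; rev:2;)')
ATTACK = {"proto": "tcp", "src": "203.0.113.9", "sport": 44321, "dst": "10.0.0.20", "dport": 80,
          "payload": b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.1\r\nHost: x\r\n\r\n"}
BENIGN = {**ATTACK, "payload": b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"}

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for name, pkt in (("attack", ATTACK), ("benign", BENIGN)):
        print(name, rule["opts"]["sid"], rule["opts"]["msg"], "->", rule_matches(rule, pkt))
```

Two things to take from running it: the same attack payload from an inside address does not fire, because $EXTERNAL_NET is evaluated against HOME_NET, which is why a wrong HOME_NET silently blinds a sensor; and the case-sensitive content "GET" must match while "cmd.exe" with nocase catches CMD.EXE, so the modifier's position in the option list matters.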
Domain 5: Security Policies and Procedures (4 topics)

Describe incident response processes

  • Describe the NIST SP 800-61 (Rev. 2) incident response lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
  • Apply incident classification frameworks to categorize security incidents by type (malware, DoS, unauthorized access, data breach), severity level, and business impact for appropriate escalation.
  • Describe SOC operational models including tiered analyst structure (Tier 1/2/3), escalation procedures, shift handoff processes, and the role of playbooks and runbooks in standardized response.
  • Analyze a security incident scenario to determine the appropriate containment strategy, identify evidence sources for collection, and recommend eradication and recovery actions.
  • Describe the role of threat intelligence sharing standards including STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) in automated IOC distribution.

Describe digital forensics and evidence handling

  • Describe the order of volatility for digital evidence collection and explain why volatile data (memory, network connections, processes) must be captured before non-volatile data (disk, logs, backups).
  • Describe chain of custody procedures including evidence identification, secure collection, documentation, hashing for integrity verification, secure storage, and transfer protocols for legal admissibility.

Describe compliance and risk management

  • Describe the NIST Cybersecurity Framework (CSF) core functions (Identify, Protect, Detect, Respond, Recover, plus Govern in CSF 2.0) and explain how organizations use the framework to assess and improve security posture.
  • Identify major compliance requirements including PCI DSS, HIPAA, GDPR, SOX, and FISMA and describe how each framework affects security monitoring, data handling, and incident reporting obligations.
  • Describe vulnerability management processes including scanning schedules, CVSS scoring interpretation, remediation prioritization, patch management coordination, and exception handling procedures.
  • Evaluate a risk assessment scenario by identifying assets, threats, and vulnerabilities to calculate risk ratings and recommend appropriate risk treatment options (accept, mitigate, transfer, avoid).
  • Describe security audit concepts including internal versus external audits, audit scope definition, evidence collection, findings classification, and how audit results drive security improvement initiatives.

Describe post-incident activities

  • Describe post-incident review activities including root cause analysis, timeline reconstruction, lessons learned documentation, control gap identification, and incident response plan updates.
  • Describe metrics and key performance indicators for SOC operations including mean time to detect (MTTD), mean time to respond (MTTR), alert volume, false positive rate, and incident closure rate.

Scope

Included Topics

  • All domains in the Cisco Certified CyberOps Associate (200-201) exam: Security Concepts (20%), Security Monitoring (25%), Host-Based Analysis (20%), Network Intrusion Analysis (20%), and Security Policies and Procedures (15%).
  • Security operations center (SOC) analyst knowledge including threat landscape, attack vectors, cryptography concepts, security monitoring tools, SIEM operation, log analysis, and event correlation.
  • Host-based analysis skills including operating system internals (Windows and Linux), endpoint forensics, malware analysis basics, file system artifacts, registry analysis, and process/service investigation.
  • Network intrusion analysis including packet capture analysis with Wireshark, NetFlow examination, IDS/IPS alert investigation, network protocol analysis, and common network attack pattern recognition.
  • Security policies and procedures including incident response processes, NIST frameworks, compliance requirements, risk assessment, vulnerability management, and digital forensics evidence handling.

Not Covered

  • Advanced penetration testing, exploit development, and red team operations covered in offensive security certifications.
  • Enterprise security architecture design, security product deployment, and security infrastructure engineering beyond SOC analyst scope.
  • Advanced malware reverse engineering using disassemblers, debuggers, and code decompilation tools beyond basic static and dynamic analysis.
  • Cloud security architecture, container security, and DevSecOps pipeline implementation beyond basic awareness.
  • Advanced digital forensics including mobile device forensics, memory forensics tool development, and expert-level chain of custody procedures.

Official Exam Page

Learn more at Cisco Systems



Trademark Notice

Cisco®, CCNA®, CCNP®, CCIE®, and related marks are registered trademarks of Cisco Technology, Inc. Cisco does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.