50 Cisco Certified Network Professional Security Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Cisco Certified Network Professional Security certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
49 practice questions for Cisco Certified Network Professional Security
A security analyst needs to explain the purpose of "defense in depth" to a new IT team. Which description best matches the concept?
A network engineer is reviewing a set of firewall policies and wants to apply a best-practice rule evaluation order. Which policy approach is recommended to reduce risk while keeping operations manageable?
An organization wants to enforce secure remote access for employees using a VPN. Which feature most directly improves authentication security beyond passwords alone?
A SOC analyst is reviewing an alert that an endpoint attempted to connect to a known command-and-control domain. Which control is primarily responsible for detecting and blocking malicious domains at the DNS layer?
A company is migrating several internal web applications to a public cloud. Security requires that only corporate users on managed devices can access the apps, and authentication must be centralized. Which design best meets the requirement?
Users report intermittent drops on an IPsec site-to-site VPN. The logs show Phase 1 succeeds, but Phase 2 frequently renegotiates and fails after key lifetimes expire. Which misconfiguration is the most likely cause?
An enterprise wants to reduce lateral movement within the campus network. The design must scale across many access switches and should not require large numbers of VLANs. Which approach best fits?
A security engineer is validating that endpoint telemetry is sufficient for incident response. Which data source provides the most direct visibility into process execution and parent/child relationships on endpoints?
A company is building a security architecture for a hybrid environment. Requirement: enforce consistent access policy to SaaS applications, detect risky sign-ins, and automatically restrict access based on user risk and device compliance. Which solution combination best meets the requirement?
A SOC receives multiple alerts indicating encrypted outbound traffic to rare external destinations from a user VLAN. The firewall is configured to allow outbound HTTPS, and the SOC wants to identify malware beaconing without decrypting all traffic. Which approach is most appropriate?
An organization wants to reduce the attack surface by blocking outbound connections to newly registered domains and known malware distribution sites, while still allowing business-critical web access. Which Cisco solution best fits this requirement?
A security engineer needs to ensure that a VPN user connecting with Cisco AnyConnect is allowed access only if the endpoint has disk encryption enabled and an approved antivirus running. Which feature is designed to enforce this requirement?
Which statement best describes the primary purpose of micro-segmentation in a zero trust architecture?
Users report intermittent access to a SaaS application. Packet captures show DNS queries returning different IPs across sites, and some sites connect to an IP that is blocked by the company. The SaaS uses multiple CDNs and rapidly changing endpoints. What is the BEST control approach?
A company uses Cisco Secure Endpoint. The SOC wants to quickly contain a suspected compromised laptop that is currently off-network and not connected to VPN. Which action is most effective once the endpoint checks in?
A network uses Cisco ISE for 802.1X. Some printers cannot perform 802.1X and must be placed in a restricted VLAN with access only to print servers. Which ISE approach is BEST practice for these devices?
A Cisco Firepower Threat Defense deployment uses multiple security zones. The engineer notices that a malware file was detected by AMP but the connection was still allowed because the file was not blocked. Which configuration change most directly ensures the file is blocked on future downloads?
The SOC wants to correlate user identity with network flows to investigate data exfiltration and to enforce policy based on user/group. Which combination provides the MOST direct visibility and enforcement capability in a Cisco enterprise environment?
A company is designing a hybrid-cloud security architecture. Workloads in the cloud must be able to use the same security policies as on-prem, and east-west traffic between cloud subnets requires inspection without hairpinning back to the data center. Which design best meets the requirement?
A financial organization must implement segmentation so that only specific application tiers can communicate, and policy must follow workloads even if IP addresses change. They want scalable enforcement across both physical and virtual infrastructure. Which approach best satisfies these constraints?
A security engineer wants to reduce the risk of credential replay from a phishing campaign against VPN users. The solution must validate user identity beyond passwords and adapt to user risk (location, device posture). Which approach best meets the requirement?
A SOC analyst is tuning telemetry in Cisco Secure Network Analytics (Stealthwatch). They need to identify internal hosts beaconing periodically to rare external destinations over long periods. Which detection method is most appropriate?
A company is deploying a new branch site and wants to prevent lateral movement between user VLANs and a point-of-sale (POS) VLAN while keeping routing simple. Which control is the most appropriate first step?
An organization uses Cisco Secure Client (AnyConnect) for remote access. Users authenticate successfully and internet access through the tunnel works, but they cannot reach internal resources. Split tunneling is disabled by policy. What is the most likely cause?
A cloud security architect wants to enforce that only managed corporate devices can access a SaaS application, and they also want to apply DLP controls to prevent uploads of sensitive data. Which combination best meets the requirements?
A malware incident response team suspects a compromised workstation is using DNS tunneling for data exfiltration. Which indicator would most strongly support DNS tunneling when reviewing logs?
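The DNS tunneling question above asks which log indicators matter. The following is an added example, not part of the original question bank, showing the indicators most analysts look for computed over a small constructed DNS query log: many distinct, long, high-entropy subdomain labels under one registered domain (data encoded in the query name), and a high share of payload-carrying record types such as TXT and NULL. The log lines, the client addresses and the domain exfil-test.net are constructed placeholders, not real indicators, and the "last two labels" rule for the registered domain is a simplification noted in the code.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not captured traffic): "<time> <client> <qtype> <qname>".
# exfil-test.net and the 10.1.20.x clients are placeholders, not real indicators.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.1.20.15 A www.example.com
2025-01-10T09:00:02Z 10.1.20.15 A cdn.example.com
2025-01-10T09:00:03Z 10.1.20.15 AAAA mail.example.com
2025-01-10T09:00:04Z 10.1.20.37 TXT 3q7x9k2m4p8v1z6b0c5d.t.exfil-test.net
2025-01-10T09:00:05Z 10.1.20.37 TXT 9f2h6j1l4n7q0s3u8w5y.t.exfil-test.net
2025-01-10T09:00:06Z 10.1.20.37 TXT a1b2c3d4e5f6g7h8i9j0.t.exfil-test.net
2025-01-10T09:00:07Z 10.1.20.37 NULL k0l9m8n7o6p5q4r3s2t1.t.exfil-test.net
2025-01-10T09:00:08Z 10.1.20.37 TXT u9v8w7x6y5z4a3b2c1d0.t.exfil-test.net
2025-01-10T09:00:09Z 10.1.20.15 A www.example.com
"""

# Record types that clients rarely query in volume but tunnels use to carry downstream
# payloads. Tunnels that ride on A/AAAA are caught by the name-based signals instead.
PAYLOAD_QTYPES = {"TXT", "NULL"}

def parse_log(text):
    """Return (client, qtype, qname) tuples; qname lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _, client, qtype, qname = parts
        records.append((client, qtype.upper(), qname.lower().rstrip(".")))
    return records

def registered_domain(qname):
    """Simplification: the last two labels are the registered domain.
    Production code should use a public-suffix list (co.uk, com.au, ...)."""
    labels = qname.split(".")
    return qname if len(labels) < 2 else ".".join(labels[-2:])

def shannon_entropy(s):
    """Bits per character; encoded/compressed data scores far above real hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_domains(records):
    """Per registered domain: query count, distinct subdomain strings, mean subdomain
    length, mean subdomain entropy and the share of payload-type record queries."""
    buckets = defaultdict(list)
    for _client, qtype, qname in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".") if qname != dom else ""
        buckets[dom].append((qtype, sub))
    metrics = {}
    for dom, items in buckets.items():
        subs = [s for _, s in items]
        metrics[dom] = {
            "queries": len(items),
            "unique_subdomains": len(set(subs)),
            "avg_sub_len": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
            "payload_qtype_ratio": sum(q in PAYLOAD_QTYPES for q, _ in items) / len(items),
        }
    return metrics

def flag_tunneling(metrics, min_unique=4, min_avg_len=15.0, min_entropy=3.5, min_payload_ratio=0.5):
    """Flag a domain that receives many distinct, long, high-entropy subdomains (data in
    the query name) or a high share of payload-type queries. Thresholds are illustrative."""
    flagged = []
    for dom, m in metrics.items():
        if m["unique_subdomains"] < min_unique:
            continue  # too few distinct names to be carrying a data stream
        encoded_names = m["avg_sub_len"] >= min_avg_len and m["mean_entropy"] >= min_entropy
        payload_types = m["payload_qtype_ratio"] >= min_payload_ratio
        if encoded_names or payload_types:
            flagged.append(dom)
    return sorted(flagged)

if __name__ == "__main__":
    scores = score_domains(parse_log(SAMPLE_LOG))
    for dom in flag_tunneling(scores):
        print(dom, scores[dom])
```

A single long query name proves little on its own; the signal is the combination of volume, distinct names and entropy under one registered domain over time, which is also why the thresholds should be tuned against a baseline of the environment's own DNS traffic (CDNs and some telemetry services legitimately produce long, hash-like labels).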
A company is using Cisco ISE for network access control. They want to ensure that corporate Windows devices receive full access only if they are joined to the domain and have a valid certificate, while BYOD devices should be placed in a restricted posture-assessment network. Which design best achieves this?
An enterprise deploys a next-generation firewall with SSL decryption. After enabling decryption, users report intermittent failures accessing several banking sites and some applications that use certificate pinning. The business requires maintaining access while still decrypting as much traffic as possible. What is the best practice remediation?
A network uses VRF segmentation for multiple business units. A new requirement states that only specific shared services (DNS, NTP, patch servers) must be reachable across VRFs, and all other inter-VRF traffic must be denied by default. Which architecture pattern best meets this requirement while keeping controls auditable?
A security team is designing endpoint detection coverage for a mixed environment (Windows, macOS, Linux). They need to detect fileless attacks and lateral movement techniques with high fidelity and be able to isolate hosts quickly. Which capability is the most critical to prioritize?
A security engineer must ensure that only security analysts can access Cisco SecureX orchestration workflows that trigger response actions (for example, isolating an endpoint). Which approach best enforces least privilege?
A firewall engineer is troubleshooting why inbound HTTPS traffic to a published web server is not reaching the DMZ host. The NAT and ACL appear correct, but packet captures show the TCP handshake completes and then the connection is immediately reset by the firewall. Which feature is the most likely cause?
A company is deploying Duo for administrative access to network devices. They want to minimize changes on each device while still enforcing MFA for all admin logins. Which design is the best fit?
An organization wants to reduce the risk of compromised credentials being used to access a cloud application from unmanaged devices. Which control most directly addresses this requirement?
A SOC uses Cisco Secure Network Analytics (Stealthwatch) and sees a host making a small number of connections to many external IPs on the same destination port over a short period. Which behavior does this most likely indicate?
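Two of the flow-analytics questions above (periodic beaconing to a rare external destination, and one host touching many external addresses on one port in a short window) rest on the same kind of computation over flow records. The example below is added here and is not part of the original question bank or any Cisco product; it runs both detections over a constructed set of NetFlow-style records. The addresses, timestamps and thresholds are constructed assumptions, and "rare destination" is measured only against the hosts in the sample.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records (not captured traffic):
# (start time in epoch seconds, src IP, dst IP, dst port, bytes). All values are made up.
T0 = 1736499600  # 2025-01-10T09:00:00Z

def _beacon_flows():
    # One internal host calling one external IP every ~300 s with a few seconds of jitter.
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1]
    return [(T0 + 300 * i + j, "10.1.30.12", "203.0.113.10", 443, 512) for i, j in enumerate(jitter)]

SAMPLE_FLOWS = (
    _beacon_flows()
    # Ordinary browsing by the same host: irregular timing, destination shared with others.
    + [(T0 + t, "10.1.30.12", "93.184.216.34", 443, 20000) for t in (5, 17, 140, 900, 905, 2400)]
    + [(T0 + 50, "10.1.30.44", "93.184.216.34", 443, 18000)]
    # A second host probing eight addresses on TCP/445 within 14 seconds.
    + [(T0 + 1000 + 2 * i, "10.1.30.44", f"198.51.100.{i + 1}", 445, 60) for i in range(8)]
)

def destination_fan_in(flows):
    """How many distinct internal sources talk to each destination; 1 means 'rare' here."""
    sources = defaultdict(set)
    for _ts, src, dst, _dport, _b in flows:
        sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}

def find_beacons(flows, min_flows=6, max_cv=0.10, max_fan_in=1):
    """Periodicity test: for each (src, dst, port) with enough flows, the coefficient of
    variation of the inter-arrival gaps is low (regular timer) and the destination is
    contacted by almost no one else."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _b in flows:
        by_tuple[(src, dst, dport)].append(ts)
    fan_in = destination_fan_in(flows)
    beacons = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps, nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv and fan_in[dst] <= max_fan_in:
            beacons.append({"src": src, "dst": dst, "dport": dport, "flows": len(times),
                            "period_s": round(mean_gap), "cv": round(cv, 3),
                            "span_s": times[-1] - times[0]})
    return beacons

def find_fan_out(flows, min_targets=8, window_s=60):
    """Scan/sweep test: sliding window over one source's flows to a single destination
    port, counting distinct destination IPs inside the window."""
    by_src_port = defaultdict(list)
    for ts, src, dst, dport, _b in flows:
        by_src_port[(src, dport)].append((ts, dst))
    hits = []
    for (src, dport), events in by_src_port.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            best = max(best, len({d for _t, d in events[start:end + 1]}))
        if best >= min_targets:
            hits.append({"src": src, "dport": dport, "targets_in_window": best})
    return hits

if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE_FLOWS))
    print("fan-out:", find_fan_out(SAMPLE_FLOWS))
```

The two detections look at opposite shapes: a beacon is one source, one destination, many flows spread evenly over a long span; a sweep is one source, many destinations, few flows compressed into a short window. Real implementations add byte-size consistency for beacons and exclude known scanners and vulnerability-management hosts from the fan-out check.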
An engineer is designing segmentation with Cisco ISE and TrustSec. The requirement is to assign access policy based on user identity and endpoint type, and to propagate that policy across the network without relying on IP subnet boundaries. Which mechanism best meets this goal?
A security team wants to detect and block malware that uses HTTPS to reach a command-and-control server. They need visibility into the URL and file transfers while maintaining user privacy and limiting decryption to a defined set of categories. Which solution approach best satisfies the requirement?
During an endpoint incident response, the SOC wants to quickly contain a suspected compromised laptop while preserving forensic evidence and keeping the user’s system powered on. Which action is most appropriate?
A company uses a cloud access security broker (CASB) for SaaS control. They need to prevent sensitive data uploads to personal cloud storage while allowing uploads to approved corporate storage, even when both services use HTTPS. Which CASB deployment mode best fits this requirement for real-time enforcement?
A security engineer wants to quickly reduce the risk of lateral movement inside the campus network without redesigning IP addressing. Which approach best aligns with this goal?
A remote-access VPN user authenticates successfully but cannot reach internal resources. The VPN headend shows the user is connected and has an IP address from the VPN pool. Which issue is the MOST likely cause?
A company is adopting a CASB to control SaaS usage. They want to discover unsanctioned cloud applications and assess risk using existing web proxy logs, without forcing endpoint changes. Which CASB deployment mode fits BEST?
In a zero trust design, which statement BEST describes the recommended approach to access decisions?
An organization wants to ensure that a compromised endpoint cannot authenticate to other systems using harvested credentials stored in memory. Which control MOST directly addresses this risk on modern endpoints?
A security team is tuning intrusion policies and wants to reduce false positives for a critical business application while still blocking known exploits. Which approach is BEST practice?
A company uses 802.1X with MAB fallback on access switches. They observe that IP phones authenticate successfully, but the attached PCs behind the phones are intermittently placed into the voice VLAN. Which configuration is MOST likely missing or incorrect?
An engineer is designing a secure workload architecture in a public cloud where instances must not have public IP addresses, but administrators still need secure management access. Which design choice BEST meets this requirement?
A SOC wants to enforce a policy that blocks encrypted traffic to newly registered domains while still allowing business-critical TLS connections. They also need visibility into the requested domain name without decrypting all traffic. Which capability BEST supports this requirement?
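The question above turns on where the requested domain name is visible without decrypting the session: in the Server Name Indication (SNI) extension of the TLS ClientHello, which is sent in cleartext in both TLS 1.2 and TLS 1.3 (unless Encrypted ClientHello is in use). The following is an added example, not part of the original question bank or of any Cisco product, that builds a minimal ClientHello record, parses the SNI back out of it, and applies a constructed "newly registered" block list to the result. The hostnames and the block list are placeholders; the helper names are the author's own.

```python
import struct

TLS_HANDSHAKE = 0x16     # TLS record content type
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # extension type for SNI (RFC 6066)

def build_client_hello(hostname=None, random_bytes=b"\x11" * 32):
    """Minimal ClientHello record for test input; hostname=None omits the SNI extension.
    Constructed data only: the random, cipher list and versions are fixed placeholders."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        sni_list = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    sv = b"\x02\x03\x04"                                           # supported_versions: TLS 1.3
    exts += struct.pack("!HH", 0x002B, len(sv)) + sv               # unrelated ext the parser must skip
    body = (
        b"\x03\x03" + random_bytes                                 # legacy_version + random
        + b"\x00"                                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"                       # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                              # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    hs = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if it is not a complete
    ClientHello or carries no SNI. Every length field is bounds-checked via the except."""
    try:
        ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
        if ctype != TLS_HANDSHAKE or len(record) < 5 + rlen:
            return None                                            # not a handshake, or truncated
        hs = record[5:5 + rlen]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                               # skip version + random
        pos += 1 + body[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + body[pos]                                       # compression_methods
        if pos + 2 > len(body):
            return None                                            # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            lp = 2
            while lp + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", edata[lp:lp + 3])
                lp += 3
                if ntype == 0:
                    return edata[lp:lp + nlen].decode("ascii")
                lp += nlen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None

def decide(record, newly_registered):
    """Policy sketch: block by SNI against a (constructed) newly-registered-domain set,
    allow otherwise, and surface the no-SNI case for a separate decision."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "block" if sni.lower() in newly_registered else "allow"

if __name__ == "__main__":
    blocklist = {"update.example.net"}                             # constructed, not a real feed
    print(decide(build_client_hello("update.example.net"), blocklist))
    print(decide(build_client_hello("www.example.com"), blocklist))
```

Two caveats a practitioner should keep in mind: SNI is client-asserted, so a client can lie about it (which is why products also check the certificate presented by the server where they can see it), and Encrypted ClientHello removes the cleartext name entirely, so the "no-sni" path needs a deliberate policy rather than a default allow.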
A financial institution requires that network segmentation policy follows a user’s role across wired, wireless, and VPN access methods, and must be enforced consistently at multiple enforcement points. Which architecture BEST satisfies this requirement?
Cisco Certified Network Professional Security 50 Practice Questions FAQs
CCNP Security is a professional-level certification from Cisco that validates expertise in enterprise security technologies and concepts. Earning it requires passing the core exam, 350-701 SCOR (Implementing and Operating Cisco Security Core Technologies), plus one security concentration exam.
Our 50 CCNP Security practice questions are a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes a detailed explanation to help you learn.
A 50-question set is a good starting point for CCNP Security preparation. For more comprehensive coverage, we recommend moving on to our 100- and 200-question banks as you progress.
The 50 CCNP Security questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.