Cisco SCOR 350-701 Practice Test

Try 12 Cisco SCOR 350-701 sample questions and practice-test preview prompts for the CCNP Security core exam on security architecture, network security, cloud security, secure access, endpoint protection, and automation.

Cisco SCOR 350-701 is the core exam used for CCNP Security and related Cisco security paths. It tests security architecture, network security, cloud security, content security, endpoint protection, secure access, visibility, enforcement, and automation judgment.

This page includes 12 original sample questions for initial review. Full IT Mastery practice for Cisco SCOR is not live yet; use the preview to test fit and use the Notify me form if this is your target route.

What this route should test

  • selecting security controls for network, cloud, endpoint, identity, and application scenarios
  • reasoning through visibility, segmentation, policy enforcement, threat detection, and response workflow
  • interpreting secure access, VPN, zero-trust, email/web security, and endpoint-protection choices
  • recognizing where automation improves consistency, evidence collection, and response

Sample Exam Questions

These questions are original IT Mastery preview items. They are written for SCOR-style security architecture and operations judgment, not as official Cisco exam questions.

Question 1

Topic: segmentation

A company wants to limit lateral movement between user workstations, development servers, and payment systems. Which design choice best supports this goal?

  • A. One unrestricted VLAN for all systems
  • B. Segmentation with policy enforcement between zones
  • C. Shared local administrator passwords
  • D. No logging on internal traffic

Best answer: B

Explanation: Segmentation reduces lateral movement by separating systems into zones and controlling allowed flows. It should be paired with logging, identity, and policy enforcement.


Question 2

Topic: secure access

Remote users need access to private applications, but the organization wants decisions based on user identity, device posture, and application risk. Which concept best fits?

  • A. Anonymous public access
  • B. A shared VPN account for all users
  • C. Static routes only
  • D. Zero-trust or identity-aware access controls

Best answer: D

Explanation: Secure access designs increasingly evaluate identity, device posture, context, and application risk instead of trusting a user only because they reached the network.


Question 3

Topic: cloud security

A workload in a public cloud allows inbound management access from the internet. What should be reviewed first?

  • A. Exposure of management ports, source restrictions, identity controls, logging, and bastion or private-access options
  • B. The virtual machine naming convention only
  • C. The billing currency
  • D. Whether dashboards are blue

Best answer: A

Explanation: Exposed management access is high risk. Review network rules, identity, MFA, logs, private access patterns, bastions, and least privilege before focusing on cosmetic items.


Question 4

Topic: endpoint protection

An endpoint tool detects a suspicious process creating persistence and connecting to an unfamiliar domain. What should happen next?

  • A. Ignore the alert because outbound traffic is normal
  • B. Delete all logs
  • C. Triage endpoint evidence, network indicators, scope, and containment actions
  • D. Give the endpoint broader privileges

Best answer: C

Explanation: Endpoint alerts should be correlated with process, persistence, network, user, and threat-intelligence evidence. Containment depends on severity and scope.


Question 5

Topic: email security

Users receive messages that spoof a trusted domain and include a credential-harvesting link. Which controls are relevant?

  • A. Email authentication, URL analysis, user reporting, filtering, and incident response workflow
  • B. Disabling all inbound email permanently
  • C. Ignoring user reports
  • D. Sharing credentials through email

Best answer: A

Explanation: Phishing defense combines technical controls and process. Authentication, filtering, URL analysis, user reporting, removal, and response all contribute.


Question 6

Topic: visibility

A security team cannot determine whether blocked traffic is a scan, a misconfiguration, or a compromised host. What capability is most useful?

  • A. Removing all event context
  • B. Disabling firewall logging
  • C. Accepting every alert as critical
  • D. Correlated logs, flow data, endpoint context, and baseline behavior

Best answer: D

Explanation: Security visibility requires context. Correlation across network, endpoint, identity, and baseline data helps separate malicious behavior from misconfiguration or noise.


Question 7

Topic: VPN

A site-to-site VPN is established, but only one subnet can communicate. What should be checked?

  • A. Encryption domains, routing, ACLs, NAT exemption, and matching tunnel selectors or policies
  • B. The wallpaper on the firewall console
  • C. Whether DNS names are uppercase
  • D. The user’s browser cache only

Best answer: A

Explanation: VPN connectivity depends on matching traffic selectors or proxy IDs, routing, ACLs, NAT behavior, and policy. One working subnet suggests the tunnel exists but policy/path matching may be incomplete.


Question 8

Topic: automation

A team wants to quarantine hosts automatically after high-confidence malware alerts while preserving evidence. What design concern is most important?

  • A. No approval or audit record for any action
  • B. Deleting evidence immediately
  • C. Safe playbook logic, confidence thresholds, rollback, audit logging, and evidence preservation
  • D. Randomizing quarantine behavior

Best answer: C

Explanation: Security automation should be controlled and observable. Quarantine actions need reliable triggers, audit logs, evidence preservation, exception handling, and rollback procedures.


Question 9

Topic: identity

An administrator account is used from two countries within ten minutes. What should the security team do?

  • A. Treat impossible travel as an identity-risk signal and investigate authentication context
  • B. Ignore it because admins travel often
  • C. Disable all identity logging
  • D. Publish the account password

Best answer: A

Explanation: Impossible-travel patterns can signal credential compromise. Investigation should review MFA, source IPs, device context, session activity, and privileged actions.


Question 10

Topic: secure network design

A guest wireless network should provide internet access without reaching corporate internal applications. What is the best design direction?

  • A. Bridge guests directly into the employee VLAN
  • B. Give guests shared employee credentials
  • C. Disable all firewall policy
  • D. Isolate guest traffic with separate segmentation, policy, and internet-only egress

Best answer: D

Explanation: Guest access should be isolated from corporate resources. Segmentation, policy controls, authentication or captive portal behavior, and monitoring help enforce intended access.


Question 11

Topic: web security

A user clicks a malicious link that attempts to download a payload from a newly registered domain. Which control can help reduce this risk?

  • A. DNS or web security filtering with reputation, category, and malware controls
  • B. Public administrator passwords
  • C. No URL inspection
  • D. Unrestricted browser execution

Best answer: A

Explanation: DNS and web security controls can block access to known or suspicious malicious destinations, enforce policy, and provide investigation logs.


Question 12

Topic: policy enforcement

A firewall rule was added for a temporary vendor test and never removed. What process would reduce this risk?

  • A. No rule review
  • B. Permanent temporary rules
  • C. Change records with owners, expiration, review, and recertification
  • D. Allow-any rules for convenience

Best answer: C

Explanation: Firewall policy should have ownership, business justification, expiration for temporary access, review cycles, and recertification to reduce accumulated risk.

SCOR readiness checklist

Area | What to check
Architecture | Can you place controls across network, cloud, endpoint, identity, and application layers?
Detection | Can you interpret logs, flows, endpoint evidence, and correlated alerts?
Enforcement | Can you choose segmentation, firewall, VPN, secure access, and content-security controls?
Automation | Can you explain safe response automation, audit logging, and evidence preservation?

Revised on Monday, May 18, 2026