Live Online Training

Cisco Certified CyberOps Associate Crash Course

200-201 CBROPS

Topic: Security
Ron Taylor

The Cisco Certified CyberOps Associate Crash Course serves as comprehensive 2-day training for anyone interested in taking and passing the 200-201 CBROPS exam. Ron Taylor, Cisco Press author and trainer, has created this fast-paced live training course to help you learn about every objective in the new CyberOps Associate exam. This training will also help network professionals interested in learning the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.

We’ll start with an introduction to the new Cisco Certified CyberOps Associate certification. You will then quickly dive into the core objectives and cybersecurity foundation topics that you need to study to pass the exam. The CBROPS exam tests a candidate’s knowledge and skills related to security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures. This live and interactive training is designed to help you prepare for the CBROPS exam.

What you'll learn, and how you can apply it

  • Security Concepts
  • Security Monitoring
  • Host-Based Analysis
  • Network Intrusion Analysis
  • Security Policies and Procedures

This training course is for you because...

  • You are interested in cybersecurity and Cisco security technologies
  • You are preparing for the CBROPS Exam
  • You want to learn the different topics needed to prepare for the CBROPS Exam


  • Course participants should have a basic understanding of computing and networking.

Course Set-up

Recommended Preparation

Recommended Follow-up

About your instructor

  • Ron Taylor has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance. In 2012, he moved into a position with the Security Research & Operations group, where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. He then spent some time as an Incident Manager for the Cisco Product Security Incident Response Team (PSIRT). His current role is a Security Architect specializing in Cisco’s security product line. He has held a number of industry certifications including GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP, and MCSE. Ron has also authored books and video courses, is Cofounder and President of the Raleigh BSides Security Conference, and a founding member of the Red Team Village at Defcon.


The timeframes are only estimates and may vary according to how the class is progressing.


Security Concepts (1hr)

  • Describe the CIA triad
  • Compare security deployments
  • Describe security terms
  • Compare security concepts
  • Describe the principles of the defense-in-depth strategy
  • Compare access control models
  • Describe terms as defined in CVSS
  • Identify the challenges of data visibility (network, host, and cloud) in detection
  • Identify potential data loss from provided traffic profiles
  • Interpret the 5-tuple approach to isolate a compromised host in a grouped set of logs
  • Compare rule-based detection vs. behavioral and statistical detection

Security Monitoring (1.5 hr)

  • Identify the types of data provided by security monitoring technologies
  • Describe the impact of these technologies on data visibility
  • Describe the uses of these data types in security monitoring
  • Describe network attacks, such as protocol-based, denial of service, distributed denial of service, and man-in-the-middle
  • Describe web application attacks, such as SQL injection, command injections, and cross-site scripting
  • Describe social engineering attacks
  • Describe endpoint-based attacks, such as buffer overflows, command and control (C2), malware, and ransomware
  • Describe evasion and obfuscation techniques, such as tunneling, encryption, and proxies
  • Describe the impact of certificates on security (includes PKI, public/private crossing the network, asymmetric/symmetric)
  • Identify the certificate components in a given scenario

Host-Based Analysis (1.5 hr)

  • Describe the functionality of these endpoint technologies in regard to security monitoring
  • Identify components of an operating system (such as Windows and Linux) in a given scenario
  • Describe the role of attribution in an investigation
  • Identify type of evidence used based on provided logs
  • Compare tampered and untampered disk image
  • Interpret operating system, application, or command line logs to identify an event
  • Interpret the output report of a malware analysis tool (such as a detonation chamber or sandbox)


Network Intrusion Analysis (2 hr)

  • Map the provided events to source technologies
  • Compare impact and no impact for specified items
  • Compare deep packet inspection with packet filtering and stateful firewall operation
  • Compare inline traffic interrogation and taps or traffic monitoring
  • Compare the characteristics of data obtained from taps or traffic monitoring and transactional data (NetFlow) in the analysis of network traffic
  • Extract files from a TCP stream when given a PCAP file and Wireshark
  • Identify key elements in an intrusion from a given PCAP file
  • Interpret the fields in protocol headers as related to intrusion analysis
  • Interpret common artifact elements from an event to identify an alert
  • Interpret basic regular expressions

Security Policies and Procedures (2 hr)

  • Describe management concepts
  • Describe the elements in an incident response plan as stated in NIST.SP800-61
  • Apply the incident handling process (such as NIST.SP800-61) to an event
  • Map elements to steps of analysis based on the NIST.SP800-61
  • Map the organization stakeholders against the NIST IR categories (CMMC, NIST.SP800-61)
  • Describe concepts as documented in NIST.SP800-86
  • Identify elements used for network profiling
  • Identify elements used for server profiling
  • Identify protected data in a network
  • Classify intrusion events into categories as defined by security models, such as Cyber Kill Chain Model and Diamond Model of Intrusion
  • Describe the relationship of SOC metrics to scope analysis (time to detect, time to contain, time to respond, time to control)