Cisco Certified Network Associate CCNA Cybersecurity Quick Facts (2025)

Exam Domain Breakdown

Domain 1: Security Concepts (20% of the exam)

1.1 Describe the CIA triad

1.1 summary: This section introduces the foundation of information security through the concepts of confidentiality, integrity, and availability. You will explore how each component forms a key pillar in securing digital systems and how maintaining a balance between them leads to resilient and trustworthy networks.

The exam highlights practical applications of the CIA triad across varied environments. By connecting these abstract principles to real-world examples, you will learn how encryption, access management, and redundancy strategies help achieve optimal security posture.

1.2 Compare security deployments

1.2 summary: This section covers common network, endpoint, and application protection methods in diverse deployment models. You will examine agentless and agent-based systems, traditional versus next-generation antivirus, and how SIEM, SOAR, and log management contribute to unified defense.

Through comprehensive comparison, you will gain insight into containerized, virtual, and cloud security environments. Understanding how each deployment approach aligns with operational goals enables you to recommend the best solutions for enterprise needs.

1.3 Describe security terms

1.3 summary: This area focuses on the vocabulary and frameworks that cybersecurity professionals use to identify and mitigate threats. It includes key ideas such as malware analysis, threat intelligence, and threat modeling, along with advanced techniques like threat hunting and reverse engineering.

Emphasis is placed on understanding how terms like risk, actor, and anomaly detection translate into daily security operations. By blending these concepts, you will develop the analytical mindset needed for DevSecOps and run book automation environments.

1.4 Compare security concepts

1.4 summary: This section distinguishes essential terms including risk, threat, vulnerability, and exploit. It provides a clear sense of how these components interact in risk assessment and reduction strategies.

You will explore how accurate identification and prioritization of vulnerabilities directly affects mitigation plans. This understanding helps enhance proactive defense through precise evaluation of emerging threats.

1.5 Describe the principles of the defense-in-depth strategy

1.5 summary: Here, you will learn how layered defense strategies work to provide complete protection. The principle emphasizes overlapping controls to detect, delay, and deter adversarial actions across system boundaries.

You will see how combining firewalls, intrusion prevention, access control, and encryption creates multiple security barriers. Mastering these tactics ensures you can build solutions that maintain posture even when individual components are challenged.

1.6 Compare access control models

1.6 summary: This part explains key methods for managing identity and permissions, including discretionary, mandatory, role-based, and attribute-based access control. The focus is understanding which model is most appropriate in specific use cases.

As you progress, you will connect these models to concepts like authentication, authorization, accounting, and rule or time-based access control. This knowledge supports secure user management and policy enforcement across systems.

1.7 Describe terms as defined in CVSS

1.7 summary: The section provides insight into the Common Vulnerability Scoring System and how to interpret elements such as attack vector, complexity, privileges, and user interaction. This structured approach helps assess vulnerabilities effectively.

Through practical interpretation, you will evaluate environmental and temporal metrics to understand risk levels. This builds confidence in making data-driven decisions for prioritizing remediation.

1.8 Identify the challenges of data visibility (network, host, and cloud) in detection

1.8 summary: You will study the varying challenges of maintaining data visibility across networks, hosts, and cloud environments. Understanding where data originates and how it is processed enhances detection accuracy.

The exam expects you to identify solutions for bridging visibility gaps. You will learn to use analytic tools and data flow strategies to maintain awareness across all operational layers.

1.9 Identify potential data loss from traffic profiles

1.9 summary: This task explores how network traffic analysis helps identify potential data exfiltration. You will distinguish between normal and suspicious traffic signatures that may indicate leakage.

Developing this skill allows you to proactively prevent data loss. By recognizing subtle changes in traffic profiles, you strengthen organizational data protection policies.

1.10 Interpret the 5-tuple approach to isolate a compromised host in a grouped set of logs

1.10 summary: This section demonstrates how to use source and destination addresses, ports, and protocols to pinpoint abnormal communication patterns. The 5-tuple method provides a structured way to trace threats.

Applying this approach helps analysts efficiently isolate compromised hosts and respond effectively. Understanding these components enables swift containment and reduced incident impact.

1.11 Compare rule-based detection vs. behavioral and statistical detection

1.11 summary: The focus here is to appreciate the strengths of signature versus behavioral detection methods. You will learn when rule-based systems excel and when anomaly detection adds greater flexibility.

By linking detection techniques to response strategies, you can design a balanced monitoring approach. The result is adaptable, intelligent threat identification in evolving environments.

Domain 2: Security Monitoring (25% of the exam)

2.1 Compare attack surface and vulnerability

2.1 summary: This area introduces how the attack surface of a system relates to potential weaknesses that can be exploited. Identifying dependencies and exposure points is critical for prioritizing defenses.

You will explore techniques to minimize vulnerabilities by reducing attack surfaces through segmentation, patching, and proactive monitoring. These insights help reinforce resilience across networked infrastructures.

2.2 Identify the types of data provided by these technologies

2.2 summary: This section explains how tools such as TCP dump, NetFlow, firewalls, and content filters produce diverse data critical for analysis. Recognizing the unique insights from each data source sharpens your analytical perspective.

By evaluating how each technology contributes to situational awareness, you can create rich detection environments. Understanding data sources supports effective investigation and correlation.

2.3 Describe the impact of these technologies on data visibility

2.3 summary: This portion examines how access control mechanisms, network address translation, tunneling, and encryption affect visibility. Grasping these interactions is essential to sustaining robust monitoring.

Your exam preparation will center on mapping which techniques obscure or enhance data flow visibility. This understanding helps align inspection strategies with privacy and performance goals.

2.4 Describe the uses of these data types in security monitoring

2.4 summary: You will evaluate forms of data—full packet captures, session records, transactions, and statistical sets—and their analytical value. Each offers a distinct layer of perspective in detection workflows.

The emphasis is recognizing when to apply each data type for efficient threat identification. Mastery of this information enriches forensic visibility and security accuracy.

2.5 Describe network attacks, such as protocol-based, denial of service, distributed denial of service, and man-in-the-middle

2.5 summary: In this area, you will analyze common network-level attacks and their operational characteristics. Recognizing attack signatures allows response teams to act swiftly.

By correlating these attacks to mitigation tactics, you learn effective incident containment. This applied understanding supports network stability and trust across critical links.

2.6 Describe web application attacks, such as SQL injection, command injections, and crosssite scripting

2.6 summary: This topic explores how application vulnerabilities can be exploited through malicious input. Understanding injection and scripting attacks enhances your defense strategies.

Real-world analysis of such threats helps identify indicators within logs and traffic. You will learn preventive coding and filtering principles to reduce attack success rates.

2.7 Describe social engineering attacks (manual and generative AI)

2.7 summary: This section addresses manipulation techniques that target human behavior, now including generative AI-driven campaigns. Recognizing cues and tactics strengthens awareness and readiness.

You will study preventive communication and verification procedures. Building user training and layered defenses ensures diminished social engineering success opportunities.

2.8 Describe endpoint-based attacks, such as buffer overflows, command and control (C2), malware, and ransomware

2.8 summary: This part dives into attacks originating at the endpoint level, detailing infection mechanisms and persistence methods. Understanding these patterns enables early containment.

Analyzing malware flows and C2 communications deepens your forensic investigation skills. Applying detection at the host level ensures comprehensive system integrity.

2.9 Describe evasion and obfuscation techniques, such as tunneling, encryption, and proxies

2.9 summary: The focus here is understanding how attackers conceal activity through tunneled traffic, encrypted payloads, or proxies. You will assess visibility strategies for each method.

Being able to differentiate normal from obfuscated traffic allows timely detection of hidden threats. This skill boosts the precision of your monitoring approach.

2.10 Describe the impact of certificates on security (includes PKI, public/private crossing the network, asymmetric/symmetric)

2.10 summary: You will understand how encryption certificates establish trust and authentication. The exam highlights PKI operation and cryptographic key relationships.

Applying certificate management practices secures network exchanges. Recognizing their impacts ensures consistent protection and communication integrity.

2.11 Identify the certificate components in a given scenario

2.11 summary: This section breaks down components like cipher suites, key exchange protocols, and PKCS standards. These building blocks form the foundation of secure communication.

You will connect these elements to practical scenarios in which proper configuration maintains confidentiality. This proficiency supports trusted infrastructure deployments.

Domain 3: Host-Based Analysis (20% of the exam)

3.1 Describe the functionality of these endpoint technologies in regard to security monitoring utilizing rules, signatures, and predictive AI

3.1 summary: Here, you will analyze host-based detection tools and how rules and AI enhance their potency. Understanding intrusion detection and antimalware functionality is key.

Learning predictive analysis ensures real-time defense improvements. You will grasp how machine learning refines signature-based protection for adaptable endpoint security.

3.2 Identify components of an operating system (such as Windows and Linux) in a given scenario

3.2 summary: This section reinforces operating system fundamentals critical for security analysis. You will trace how processes, users, and services interconnect.

Evaluating OS-level logs strengthens event correlation. Recognizing system components enhances troubleshooting and detection processes.

3.3 Describe the role of attribution in an investigation

3.3 summary: Attribution links threats to actors and motives. Understanding indicators of compromise and attack guides analytical reasoning.

You will explore evidence categorization under threat intelligence frameworks. This structure refines your investigative accuracy during forensic analysis.

3.4 Identify type of evidence used based on provided logs

3.4 summary: You will learn to classify logs as best, corroborative, or indirect evidence during investigations. Differentiation strengthens collection strategy.

This knowledge builds sound case documentation skills. Evaluating diverse log sources ensures you capture the most decisive artifacts.

3.5 Interpret operating system, SIEM, SOAR platform, application, or command line logs to identify an event

3.5 summary: Students will practice identifying key indicators within varied log sources. Recognizing event patterns provides strong detection capability.

Linking SIEM and SOAR output to actionable insights turns raw data into timely security action. The ability to interpret events quickly enables efficient resolution.

3.6 Interpret the output report of malware analysis tools such as a detonation chamber or sandbox

3.6 summary: This area introduces sandbox workflows and dynamic analysis. Understanding output elements ensures accurate report interpretation.

You will practice connecting observed behavior to broader infection patterns. These insights enhance assurance in mitigation recommendations.

3.7

3.7 summary: This section examines artifacts including hashes, URLs, and network event identifiers. Recognizing patterns across system and log data builds correlation skills.

You will learn to link artifacts to threat behaviors effectively. Mastery of this assessment process improves detection accuracy and incident response synchronization.

Domain 4: Network Intrusion Analysis (20% of the exam)

4.1 Map the provided events to source technologies

4.1 summary: This section focuses on mapping observed network events back to IDS, IPS, and logging systems. You will understand how technologies support evidence association.

Developing this cross-technology correlation strengthens analytical efficiency. Recognizing source relationships clarifies context during network incident review.

4.2 Compare impact and no impact for these items

4.2 summary: You will study detection validity using categories such as false positives and true negatives. This evaluation enhances accuracy in alert management.

Applying impact analysis ensures resources are prioritized wisely. Understanding result implications reduces unnecessary investigation time.

4.3 Compare deep packet inspection with packet filtering and stateful firewall operation

4.3 summary: This topic explains how deep packet inspection examines payload content compared with traditional filtering. You will see how these approaches complement each other.

The focus is balancing depth and performance when configuring monitoring environments. Knowledge of inspection layers informs efficient policy creation.

4.4 Compare inline traffic interrogation and taps or traffic monitoring

4.4 summary: Understanding inline and passive monitoring structures enables optimal detection deployment. Inline interrogation can enforce controls, whereas taps capture unaltered data.

You will analyze how these setups impact latency, fidelity, and visibility. Selecting the appropriate approach supports continuous network monitoring.

4.5 Compare the characteristics of data obtained from taps or traffic monitoring and transactional data (NetFlow) in the analysis of network traffic

4.5 summary: This part highlights differences between raw, captured packets and flow-based summaries. Both have roles in identifying anomalies and performance issues.

Using them together allows efficient data correlation. You will learn which metric suits speed or depth depending on investigative needs.

4.6 Extract files from a TCP stream when given a PCAP file and Wireshark

4.6 summary: You will gain exposure to file extraction from packet captures using analysis tools. This exercise connects theory with digital forensics practice.

Recognizing data sequences in a stream helps rebuild incident evidence. This ability is practical for malware identification and validation.

4.7 Identify key elements in an intrusion from a given PCAP file

4.7 summary: The focus is isolating elements such as addresses and ports that reveal attack details. You will strengthen interpretation of PCAP-based data.

Applying protocol analysis improves accuracy in event classification. Detecting abnormal values aids in rapid compromise detection.

4.8 Interpret the fields in protocol headers as related to intrusion analysis

4.8 summary: This section covers the format and content of Ethernet, IP, and transport-layer headers. Grasping these fundamentals improves your reading of packet data.

You will apply this understanding to identify inconsistencies or exploit patterns. Strong header analysis improves investigative intuition.

4.9 Interpret common artifact elements from an event to identify an alert

4.9 summary: Here you will assess how events reveal unique identifiers like IPs, hashes, or URIs. Connecting these components helps recognize repeated behaviors.

Organizing artifacts draws meaningful relationships between attacks. You cultivate proficiency that enhances triage workflows.

4.10 Interpret basic regular expressions

4.10 summary: This topic introduces expression syntax for matching patterns in logs and data streams. Proficiency increases efficiency in sifting large datasets.

By mastering regular expressions, you rapidly extract relevant information. This deeper visibility accelerates accurate filtering during analysis.

Domain 5: Security Policies and Procedures (15% of the exam)

5.1 Describe management concepts

5.1 summary: This section explores policy frameworks such as asset and configuration management. It highlights how ongoing maintenance preserves operational integrity.

Understanding how patch and vulnerability management tie to compliance ensures continual protection. This knowledge supports sustainable governance.

5.2 Describe the elements in an incident response plan as stated in NIST.SP800-61

5.2 summary: You will study critical elements of incident response plans, focusing on preparation and communication. These principles standardize recovery operations.

Applying structured guidelines ensures consistent and repeatable action. This preparedness fosters coordinated team response.

5.3 Apply the incident handling process such as NIST.SP800-61 to an event

5.3 summary: This part puts procedure into practice through real-world scenarios. Mapping incidents to process phases achieves measurable outcomes.

Engaging with the NIST framework enhances process maturity. It demonstrates mastery of structured security operations.

5.4 Map elements to these steps of analysis based on the NIST.SP800-61

5.4 summary: Understanding step alignment clarifies how each incident stage links to actionable outputs. Reviewing containment, eradication, and recovery promotes continuous improvement.

You will connect high-level strategy to day-to-day tasks, ensuring alignment between procedures and execution outcomes.

5.5 Map the organization stakeholders against the NIST IR categories (CMMC, NIST.SP800-61)

5.5 summary: This topic identifies how key organizational roles fit within incident response processes. Clear stakeholder mapping supports collaboration.

You will analyze integration across security and business teams to maintain compliance. This interaction enhances transparency throughout incident reporting.

5.6 Describe concepts as documented in NIST.SP800-86

5.6 summary: The focus is on forensic best practices for data collection and preservation. You will understand evidence integrity and volatile data handling.

Studying these concepts ensures evidence remains admissible and reliable. Proper preservation safeguards investigation quality.

5.7 Identify these elements used for network profiling

5.7 summary: Here you will learn why throughput, session duration, and port usage determine baseline behavior. Profiling assists in anomaly detection.

Connecting these indicators provides network awareness essential for defense. This proficiency allows efficient monitoring configuration.

5.8 Identify these elements used for server profiling

5.8 summary: This portion highlights analysis of running tasks, logged-in users, and applications. Tracking these metrics supports performance safety.

Profiling results improve security posture by detecting unapproved changes. Consistent review protects server integrity.

5.9 Identify protected data in a network

5.9 summary: Understanding personal and proprietary data types such as PII, PSI, and PHI helps with classification. These categories drive correct protection strategies.

Proper handling upholds privacy obligations. Building awareness of data sensitivity strengthens compliance frameworks.

5.10 Classify intrusion events into categories as defined by security models, such as Cyber Kill Chain Model and Diamond Model of Intrusion

5.10 summary: The topic details analytical models for intrusion tracking. These frameworks help analysts visualize attacker movements.

Comparing models builds structured reasoning applicable to investigations. This approach enhances systematic detection design.

5.11 Describe the relationship of SOC metrics to scope analysis (time to detect, time to contain, time to respond, time to control)

5.11 summary: This final section focuses on measuring SOC efficiency through response timing metrics. Quantitative evaluation supports capability improvement.

You will explore how tracking performance leads to optimized operations. Applying metrics fosters continual progress and team success.