Cisco CCNP Security SCOR 350-701

Every later SCOR topic (VPN, firewall TLS inspection, ISE EAP-TLS, AMP signing) builds on the same cryptographic primitives. Get the names + key sizes + use cases right cold.

• Symmetric ciphers: same key encrypts + decrypts. Fast. AES with 128 / 192 / 256-bit keys is the modern default. 3DES and DES are deprecated — flag on the exam if you see them in "modern" answers.
• Asymmetric (public-key) ciphers: two-key pair. Public encrypts / verifies; private decrypts / signs. RSA (2048-bit minimum, 4096 preferred for long-lived) and ECC (256-bit ECC ≈ 3072-bit RSA strength, much faster).
• Hybrid encryption: use asymmetric to exchange a symmetric session key, then symmetric for bulk data. TLS, IPsec IKE, and Cisco AnyConnect all use this — asymmetric is too slow for the payload.
• Hashes: one-way fixed-length digests. SHA-256 / SHA-384 / SHA-3 are modern. MD5 and SHA-1 are broken — never in a security answer.
• HMAC: hash + secret key. Provides BOTH integrity AND authenticity (vs plain hash which provides only integrity). Used in IKE Phase 1 + IPsec AH / ESP authentication.
• Quantum-safe outlook: NIST post-quantum standards (ML-KEM, ML-DSA) emerging. Not on current SCOR but worth knowing context — RSA / ECC are vulnerable to quantum.

Site-to-site IPsec tunnel: IKEv2 negotiates a shared symmetric key using ECDH key exchange (asymmetric). Phase 2 then encrypts user payload with AES-256-GCM (symmetric), authenticated with HMAC-SHA-384 built into GCM. Identity authenticated via RSA-2048 digital signatures bound to X.509 certificates. Modern, exam-safe configuration.

PKI is the trust substrate. SCOR tests every component by name + the trust flow between them.

• Certificate Authority (CA): root-of-trust that signs certificates. Root CA at the top of the chain; intermediate CAs sign end-entity certs to keep the root offline + safe.
• Registration Authority (RA): validates identities before the CA issues. Often the enterprise IdP (Active Directory). Separation of duties: RA verifies, CA signs.
• Certificate Revocation List (CRL): signed list of revoked cert serial numbers, distributed periodically. Devices fetch + cache. Old design — CRL can be megabytes.
• OCSP (Online Certificate Status Protocol): real-time revocation check per certificate. Faster, scales better than CRL. Modern default.
• OCSP Stapling: server fetches its own OCSP response from CA and "staples" it to the TLS handshake — client doesn't query OCSP independently. Reduces CA load + latency.
• SCEP (Simple Certificate Enrollment Protocol): enrolls devices for certificates over HTTP. Used by Cisco ASA + AnyConnect + IOS routers to obtain certificates from a CA without manual cert export.

Enterprise PKI: offline Root CA (powered down, in a safe). Two intermediate CAs (one for VPN / one for 802.1X) issue end-entity certs. RA integrated with Active Directory validates user identity before any cert request. OCSP responder answers live revocation queries; the ASA's AnyConnect VPN does OCSP Stapling for client efficiency. Cisco routers + ASAs auto-enrol via SCEP to the intermediate VPN CA at install time.

Cisco devices validate chains every time they accept a cert. PCKE knows the chain walk, common-name vs SAN, key usage, and what makes a chain valid.

• Certificate chain: end-entity cert → intermediate CA cert(s) → root CA cert (which must be pre-installed in the validator's trust store).
• Subject Alternative Name (SAN): modern X.509 extension that lists valid hostnames / IPs / email addresses. CN (Common Name) is legacy — browsers ignore CN if SAN present.
• Key Usage + Extended Key Usage: declares what the cert can do — Digital Signature, Key Encipherment, Server Auth, Client Auth, IP Security End System. Mismatched usage = chain fail.
• Validity window: not-before + not-after timestamps. Both must include the current moment. Frequent SCOR scenario: clock drift causes cert validation failure.
• Cert pinning: hardcoded expected cert / public key in the client. Prevents MITM even if a CA is compromised. Common on mobile banking apps.
• Trust store: the set of trusted root CA certs preinstalled on a device. Linux + Windows + Cisco IOS all have their own. Custom trust store needed for private PKI.

AnyConnect client validating ASA's server cert: ASA presents its cert + intermediate CA cert. Client walks chain: end-entity → intermediate → root (must be in client's trust store). Checks: signature on each link, not-after > now > not-before, intended-host (SAN includes the VPN hostname), Key Usage includes Server Auth, OCSP response confirms not-revoked. Any fail = handshake rejected. ASA itself does the mirror validation on client cert during EAP-TLS auth.

IPsec is the foundation. SCOR asks the IKEv1 vs IKEv2 distinction, the Phase 1/Phase 2 flow, and the transport vs tunnel mode choice — all in nearly every VPN scenario.

• IKEv1 (legacy): Phase 1 (Main mode = 6 messages or Aggressive mode = 3) sets up the IKE SA. Phase 2 (Quick mode) sets up IPsec SAs. Doesn't natively support NAT-T or EAP — kludges added later.
• IKEv2 (modern): single 4-message exchange establishes both IKE SA + first IPsec SA. Built-in NAT-T, EAP support, MOBIKE for mobility, dead-peer detection. The default for new designs.
• Phase 1 SA parameters: encryption (AES), hash (SHA-256), DH group (14+ for production, 19/20/21 for ECC), authentication method (PSK or RSA-Sig), lifetime.
• Phase 2 SA parameters: encryption + integrity (AES-GCM combines both — preferred), PFS DH group, lifetime, proxy IDs (which traffic the SA protects).
• Transport vs Tunnel mode: Transport encrypts only the payload (preserves original IP header) — used for host-to-host. Tunnel encrypts the entire packet + adds new IP header — used for gateway-to-gateway. SCOR scenarios almost always tunnel.
• NAT-T (NAT Traversal): wraps IPsec ESP in UDP (port 4500) when NAT detected. Automatic in IKEv2; opt-in IKEv1.

Site-to-site VPN, HQ ↔ branch over NAT'd internet: IKEv2 with Phase 1: AES-256, SHA-384, DH group 19 (ECP-256), RSA-Sig auth. Phase 2: AES-256-GCM (encryption + integrity combined), PFS group 19. Tunnel mode. NAT-T automatically negotiated to UDP/4500. Dead-peer detection at 30s. The exam-canonical modern configuration.

Manual site-to-site VPN doesn't scale past ~10 sites. Cisco's answer is DMVPN — dynamic mesh via NHRP + mGRE — and FlexVPN, the IKEv2-based modern equivalent.

• DMVPN Phase 1: hub-and-spoke only. All spoke traffic goes hub → spoke. Multipoint GRE (mGRE) on hub, point-to-point GRE on spokes. NHRP registers spokes with hub.
• DMVPN Phase 2: spoke-to-spoke direct tunnels. NHRP resolves spoke's underlying IP; spokes build on-demand tunnels. Hub still routes initial packets.
• DMVPN Phase 3: hub sends NHRP redirect to spokes — spokes install short-cut routes and bypass hub for subsequent flows. The exam-favoured modern phase.
• FlexVPN: IKEv2-based unified VPN framework. Replaces DMVPN + GETVPN + remote-access VPN with one configuration model. Newer Cisco IOS XE default.
• GETVPN: Group Encrypted Transport VPN — key server distributes encryption keys to all group members. Used over MPLS where the underlying transport is already private. No tunnel overhead.
• EIGRP / OSPF over DMVPN: dynamic routing over the multipoint tunnel. Tune timers (EIGRP hello 5s / hold 15s) for sub-30s failover.

100-branch enterprise: DMVPN Phase 3 over the internet for redundant connectivity (active connection is MPLS). Hub at HQ has mGRE tunnel interface. Spokes registered via NHRP. EIGRP runs over the tunnel for dynamic routing. When branch A calls branch B: initial packet via hub, hub sends NHRP redirect, A + B establish direct spoke-to-spoke tunnel. All branch tunnels use IPsec profiles (IKEv2 + AES-256-GCM). For 5-year roadmap, plan migration to FlexVPN — unifies with remote-access AnyConnect.

AnyConnect is the Cisco remote-access VPN client. SCOR tests authentication chains, split tunnelling, and ISE-driven posture assessment.

• Protocols: SSL/TLS for client-to-headend over TCP/443 (HTTPS-friendly through corporate firewalls). DTLS for performance (UDP). IKEv2 option exists but SSL is the default.
• Authentication methods: AAA (RADIUS/TACACS+), certificate-only, two-factor (cert + password), SAML, EAP-TLS. SCOR favours cert-based + SAML for modern designs.
• Split tunnelling: only corporate-destined traffic flows through the VPN; internet stays direct. Saves bandwidth + improves user latency. Exclude private subnets only.
• Always-On VPN: client enforces VPN connection before user can access ANY network. Combined with Trusted Network Detection (TND), auto-connects outside corporate Wi-Fi.
• Posture assessment via ISE: AnyConnect sends posture data (OS version, AV running, patch state) to ISE. ISE returns authorisation decision (allow / quarantine VLAN / deny).
• HostScan / Secure Firewall Posture: the client-side agent that collects posture data. Customisable rules per OS.

Corporate AnyConnect deployment: SSL VPN to ASA headend. Auth: SAML federation to Okta (MFA at Okta). Certificate required additionally — only corporate-issued laptops have the cert (Workload Identity-style ARP for endpoint trust). Always-On VPN with TND — turns off automatically on corporate Wi-Fi. Split tunnel exclude corporate subnets; internet stays direct. ISE posture: laptops must have CrowdStrike running + Windows Update within 30 days, else quarantine VLAN.

Cisco ASA is the legacy stateful firewall. SCOR tests access-list configuration, Modular Policy Framework, and the operational patterns that scale.

• Stateful inspection: ASA tracks connection state in a state table. Return traffic for established flows is permitted automatically — no need for reverse ACL entries.
• Security levels: 0-100 per interface. Higher level → lower allowed by default. Same-level + access between interfaces requires same-security-traffic permit.
• ACLs: applied to interface in a direction (in/out). Implicit deny at end. Order matters — first match wins. Modern ASA uses extended ACLs almost exclusively.
• Object-groups: named groups of networks / services / protocols / icmp-types. Reference in ACL entries — one ACE for "any web service to any prod web server" instead of N×M lines.
• Modular Policy Framework (MPF): class-map (identify traffic) + policy-map (apply actions) + service-policy (bind to interface). Used for inspection, QoS, application detection, threat detection.
• Inspection: protocol-aware inspection for FTP/H.323/SIP/SMTP/etc. — fixes embedded IP addresses, opens secondary connections. Enable selectively to balance security + CPU.

ASA between DMZ + internal LAN: outside security-level 0, dmz 50, inside 100. Object-groups: WEB_SERVERS (10.1.1.10-12), WEB_SERVICES (tcp/80, tcp/443). ACL inbound on outside: permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES. MPF: class-map matches outbound HTTP from inside; policy-map applies HTTP inspection; service-policy applied to inside interface. Modern: prefer migrating to FTD for L7 awareness.

High-availability is a SCOR favourite. Two failover modes with very different ops models.

• Active/Standby: two ASAs share a failover IP. Active forwards traffic + replicates state to standby. Standby idle until active fails. Simpler; preferred for typical deployments.
• Active/Active (multi-context only): ASA in multi-context mode hosts multiple virtual firewalls (contexts). Half active on ASA1, half on ASA2. Each context fails over independently. Used when you need to share hardware across security zones.
• Failover link: dedicated interface between the two units for heartbeat + state replication. Encrypted with shared key. Loss of heartbeat = active assumes standby dead → split brain risk.
• Stateful failover: state table replicated synchronously. On failover, existing connections continue — no client reconnect needed.
• Stateless failover: only configuration replicated, not state. On failover, all existing connections drop + reconnect. Faster bring-up but disruptive.
• Failover triggers: heartbeat loss, interface link down, monitor configured + monitored interface fails. Threshold tunable.

Production HA: two ASA 5545-X in active/standby mode. Dedicated failover link on GigabitEthernet0/3 with shared encryption key. Stateful failover ON — state table replicated. Monitoring outside + inside interfaces. Hello interval 1s, hold time 3s (sub-5-second failover). Failover IP / standby IP pair on every data interface. Tested via deliberate fail standby command quarterly — flows continue uninterrupted.

Firepower Threat Defense is Cisco's modern NGFW. SCOR tests FTD architecture, FMC management, intrusion policies, and SSL decryption.

• FTD architecture: unified OS combining ASA stateful firewall + Snort-based IPS + URL filtering + AMP for Networks. Replaces separate ASA + Firepower module of the old days.
• Firepower Management Center (FMC): central manager for multiple FTDs. Policies authored once + pushed to many devices. Required for serious deployments — local FDM for single-device only.
• Access Control Policy (ACP): the central policy. Ordered rules: source / destination / app / URL category / user → action (allow / block / trust / monitor). Replaces ASA's separate ACLs + class-maps.
• Intrusion Policy: set of Snort rules for IPS. Base policies (Connectivity → Balanced → Security → Maximum Detection) — pick balanced + tune. Auto-updates via Talos rule sets.
• URL filtering: categorise + block by URL category (gambling, social media, malware). Combined with custom allow/block lists.
• SSL decryption: FTD terminates TLS, inspects payload, re-encrypts to destination. Requires CA cert trusted by clients + privacy / compliance review (employee browsing privacy).
• AMP for Networks: file reputation + sandboxing (Threat Grid). Integrated with FTD — files traversing the firewall checked against AMP cloud.

Enterprise NGFW: FTD pair in active/standby HA managed by FMC. Access Control Policy ordered: trust-internal-mgmt → allow corporate-apps with intrusion-policy-balanced → block-by-URL-category (Gambling, Malware) → block-uncategorised-internet from finance VLAN → default-allow. SSL decryption enabled for outbound HTTPS with corporate CA cert pushed to all endpoints. AMP for Networks scans every download. Talos rule auto-update daily.

Cisco ISE is the policy server for network access. SCOR tests the persona model — which node does what — relentlessly.

• PAN (Policy Administration Node): the management plane. Configures policies + sync to PSN. Usually 2 PANs (primary + secondary) for HA. Active/standby — only one writes at a time.
• PSN (Policy Service Node): handles live RADIUS / TACACS / posture requests. Deploy multiple PSNs near the access infrastructure for low latency. Load-balance via the access switches' RADIUS server group.
• MnT (Monitoring + Troubleshooting): collects logs from all PSNs. Two MnTs (primary + secondary) for HA. Holds Live Logs UI + reports.
• pxGrid: publish-subscribe bus. Integrates ISE with Firepower / Stealthwatch / SecureX. Shares context (user, device, SGT) across the security ecosystem.
• Standalone vs Distributed: standalone = all personas on one box (lab / small). Distributed = personas spread across multiple boxes (production). Up to 50 PSNs in distributed deployment.
• Pull replication: PSN pulls policy from PAN. If PAN unavailable, PSN runs on cached policy. New devices/users may fail auth until PAN recovers.

Mid-size enterprise: 2 PANs (primary in DC-A, secondary in DC-B). 2 MnTs (same DC layout). 4 PSNs distributed across data centres + regional offices (one per major site for latency). pxGrid node shares context with Firepower for identity-aware firewall rules. Total: 9 ISE nodes. Switches in each region have local PSN as primary RADIUS, remote PSN as secondary.

802.1X authenticates devices at the port. SCOR tests EAP method selection, MAB fallback, and the auth-fail VLAN pattern.

• 802.1X actors: supplicant (device) → authenticator (switch) → authentication server (ISE). EAP messages tunnel inside RADIUS Access-Request.
• EAP-TLS: mutual cert-based authentication. Both sides have certs. Strongest method; no password. Requires PKI deployment. Preferred for corporate-managed devices.
• PEAP-MSCHAPv2: server cert + username/password. TLS tunnel created from server cert; user credentials sent inside. Common for BYOD where deploying client certs is hard.
• EAP-FAST: Cisco's protected EAP variant using PAC files instead of server cert. Mostly legacy now; PEAP is preferred.
• MAC Authentication Bypass (MAB): fallback when supplicant absent (printer / camera / IP phone). Switch sends device's MAC address as username. ISE checks endpoint identity group + decides.
• Auth-fail / guest VLAN: port placed in restricted VLAN on auth failure or unknown MAC. Provides limited internet / captive portal access without full network access.

Enterprise port-security: switch port configured with 802.1X as primary auth method, MAB as fallback. EAP-TLS for corporate laptops (cert via SCEP from internal CA). PEAP for BYOD phones. MAB profiles for printers + cameras (manually added to ISE endpoint identity group, allowed only on management VLAN). Auth-fail VLAN provides captive-portal guest internet. ISE policy: corporate-cert → VLAN 100 (full access); BYOD → VLAN 200 (internet only); printers → VLAN 300 (mgmt); unknowns → guest VLAN.

TrustSec replaces VLAN + ACL-based segmentation with tag-based ACL — Security Group Tags. SCOR tests the tag propagation model + SGACL enforcement.

• Security Group Tag (SGT): 16-bit value applied to traffic based on identity (user / device / role). E.g., SGT 10 = Finance, SGT 20 = HR.
• SGACL: ACL based on source-SGT + destination-SGT pair. Centrally defined in ISE; pushed to enforcement devices. Replaces N×M IP-based ACLs with a single SGT × SGT matrix.
• Inline tagging: SGT carried in Cisco Meta-Data (CMD) field added to Ethernet frame. Only Cisco TrustSec-capable hardware processes it. Devices in path that don't support TrustSec just forward the frame normally.
• SXP (SGT Exchange Protocol): peer-to-peer protocol for sharing IP-to-SGT bindings to non-TrustSec-capable devices (legacy switches, ASA, firewalls). TCP-based.
• Classification methods: tag assigned at ingress — static (binding on access port), dynamic (RADIUS during 802.1X), VLAN-to-SGT mapping, IP-to-SGT via SXP.
• Enforcement: SGACL applied at egress on TrustSec-capable enforcement point. Cisco Catalyst, Nexus, Firepower, ISR/ASR can all enforce.

Replace VLAN-based segmentation with TrustSec. SGTs: Employee (10), Contractor (20), IoT (30), Guest (40). SGACL matrix in ISE: Employee→AnyServer (allow), Contractor→ProductionDB (deny), IoT→Internet (allow), IoT→Internal (deny), Guest→Internet only. Classification: RADIUS during 802.1X auth assigns SGT based on user role. SXP peers from access switches to a Firepower at the data centre — Firepower enforces SGACL even though intermediate switches lack TrustSec.

Umbrella is Cisco's cloud-delivered security platform. SCOR tests DNS-layer enforcement + the broader Secure Internet Gateway (SIG) bundle.

• Umbrella DNS: point endpoint DNS at Umbrella's anycast resolvers (208.67.222.222 / 208.67.220.220). Umbrella blocks malicious / categorised domains at lookup time. Works regardless of where the user is.
• Roaming Client: agent on laptops that forces DNS through Umbrella even off corporate network. Combined with AnyConnect for unified protection.
• Identity: tie DNS lookups to user identity via AD integration → policy + reporting per user, not just per IP.
• Umbrella SIG: bundles DNS-layer + Secure Web Gateway (full proxy) + Cloud Firewall (L3-L7) + CASB (Cloudlock) + IPS. The cloud-side SASE building block.
• Tunneling to SIG: sites connect via IPsec / GRE / DX (no per-user agent). Full-tunnel option vs DNS-only.
• Investigate: threat intelligence research console — query a domain / IP / file hash for threat verdict + WHOIS + connected indicators. Used by incident responders.

Enterprise deploys Umbrella DNS on every endpoint via the Roaming Client. Policy: identity-based via AD — Finance group blocked from social media; Engineering allowed; everyone blocked from gambling, malware, phishing categories. SIG full-tunnel for branch offices over IPsec — replaces hairpin-to-HQ for internet egress with direct-to-cloud security. Investigate queried on every flagged domain during incident response.

Email is the #1 attack vector. Cisco's Secure Email Gateway (ESA) + the email-authentication trio is canonical SCOR content.

• ESA pipeline: connection filtering (RBL) → antispam → antivirus → outbreak filters → content filters → DLP. Each stage's verdict feeds the next.
• SPF (Sender Policy Framework): DNS TXT record listing IP addresses permitted to send mail for your domain. Receiver checks sender's IP against the SPF record. Hard fail = reject.
• DKIM (DomainKeys Identified Mail): sender signs message with private key; receiver verifies via public key in DNS. Detects in-flight tampering + spoofing.
• DMARC: policy that says what to do when SPF + DKIM fail. p=quarantine or p=reject. Receiver also reports aggregated data back via rua= address.
• Forged Email Detection (FED): ESA looks at display name vs From address mismatch ("CEO Name" <attacker@gmail.com>). Common phishing pattern.
• Outbreak Filters: Talos-driven — when a new phish campaign starts, Talos pushes rules that quarantine matching messages cluster-wide.

Inbound email pipeline: ESA receives → checks RBL (blocked sender) → antispam → antivirus → SPF hard fail check on sender → DKIM signature verification → DMARC p=reject for failures → FED rules for display-name-spoofing of execs → outbreak filters quarantine zero-hour phishing → content filters for DLP-banned terms. Outbound: ESA signs every message with DKIM private key + DMARC reports collected at dmarc-reports@company.com.

WSA is the on-prem secure web gateway; AMP is the file-reputation + sandbox add-on. SCOR tests proxy modes + the retrospective-detection feature.

• WSA proxy modes: explicit proxy (client configured to send through WSA) vs transparent proxy (WCCP redirects traffic to WSA). Transparent invisible to clients; explicit requires PAC file / GPO.
• SSL decryption: WSA intermediates TLS — client trusts WSA cert; WSA terminates + inspects + re-encrypts to destination. Requires CA cert pushed to all endpoints.
• URL filtering categories: Talos-maintained, ~85 categories (Adult, Gambling, Streaming, etc.). Apply per identity / group via policy.
• AMP file reputation: SHA-256 hash of each downloaded file checked against AMP cloud. Returns clean / malicious / unknown verdict. Real-time blocking on malicious.
• Threat Grid sandbox: unknown files submitted for dynamic analysis in cloud sandbox. Behavioural verdict in ~5 minutes.
• Retrospection: AMP cloud re-evaluates files seen in the past as new intelligence arrives. A file that was clean yesterday can be flagged as malicious today — endpoints with Secure Endpoint receive an alert + isolation trigger.

Corporate web proxy: WSA in transparent mode via WCCP from upstream router. SSL decryption ON for outbound HTTPS (corporate CA pushed to all endpoints; bypass list for banking + healthcare URLs for privacy). URL filtering: blocks Gambling / Malware / P2P-File-Sharing for all; Social-Media + Streaming blocked for Finance group, allowed for Marketing. AMP file reputation on every download — malicious blocks immediately. Unknown files → Threat Grid sandbox. Two days later, retrospection alerts that yesterday's downloaded file from a marketing site was reclassified as malicious → endpoints isolated, files deleted via Secure Endpoint.

Cloud security shifts the line between provider and customer responsibility. CASB protects SaaS data. SCOR tests both at the design-question level.

• Shared responsibility by service tier: IaaS — you own OS + above. PaaS — you own apps + data. SaaS — you own data + access control. Cisco-stack tools fit at different layers.
• CASB (Cloud Access Security Broker): sits between users + SaaS apps to enforce policy. Two modes: API-based (CASB queries SaaS APIs to see what's happening) and inline (proxy-based, traffic flows through CASB).
• Cloudlock: Cisco's API-based CASB. Connects to Office 365 / Salesforce / Google Workspace / Slack / Dropbox via their APIs. Discovers risky third-party apps, DLP-classifies data, flags compromised accounts.
• Use cases: "we use Office 365 — who's sharing PII externally?" (Cloudlock scans + alerts). "Shadow IT — what SaaS are people using?" (CASB discovery from logs).
• Posture management: CASB also assesses SaaS configuration drift — "Salesforce admins should not have 'View All Data' permission". Continuous evaluation.
• Pair with SIG: CASB for SaaS-data protection + SIG for traffic protection + Umbrella DNS for everywhere-on = the SASE building blocks.

A company uses Office 365 + Salesforce + Slack. Cloudlock connected via API to all three. Policies: alert when SharePoint document tagged "PII" shared externally; alert when Salesforce admin role granted; auto-quarantine if Cloudlock detects compromised account (impossible travel pattern in OAuth tokens). Combined with Umbrella SIG tunnel from corporate sites + Roaming Client on laptops — three Cisco services compose into a SASE architecture.

Secure Workload (formerly Tetration) provides microsegmentation by deploying agents on every workload + analysing flow telemetry to generate policy. SCOR tests its deployment model + comparison to TrustSec.

• Software agents: on every workload (Windows / Linux / Solaris / containers). Captures all flows + process info. Reports to Secure Workload cluster.
• Application Dependency Mapping (ADM): ML analyses captured flows + clusters workloads by communication patterns. Generates suggested policy: "web tier talks to app tier on 8080 — allow".
• Microsegmentation enforcement: the agent applies host firewall rules (iptables / Windows Firewall). No network changes — pure host-based segmentation.
• Policy lifecycle: Discover (analyse flows) → Define (generate policies) → Verify (run in alert mode to find missed flows) → Enforce. Iterate until clean.
• vs TrustSec: TrustSec = SGT in network packet, enforced by network devices. Secure Workload = host firewall, enforced by host. Both complement; pick by where you can deploy.
• Multi-cloud: Secure Workload agents run in AWS / Azure / GCP / on-prem. Single policy across hybrid — replaces per-cloud security-group sprawl.

Lift-and-shift hybrid datacentre with 5000 workloads across on-prem + AWS. Deploy Secure Workload agents on every workload. Run ADM for 4 weeks to discover natural application clusters. Define microsegmentation policies per cluster — e.g., billing app's web tier talks to app tier on 8080 + 9000 only; app tier talks to DB on 5432. Run in alert mode for 2 weeks to catch missed flows; tune. Enforce mode locks down — zero-trust east-west even between VMs on the same VLAN.

Containers + APIs are the modern attack surface. SCOR added container security + OWASP API Top 10 awareness to the syllabus.

• Image scanning: static analysis of container images for known CVEs + secrets + misconfigurations. Run at build time + registry time + admission time.
• Image signing: sign images at build (e.g., cosign / Notary) — registry stores signature. Admission controller refuses unsigned images.
• Kubernetes RBAC: Role + RoleBinding for namespace scope; ClusterRole + ClusterRoleBinding for cluster scope. Least-privilege Service Account per workload.
• Network Policies: Kubernetes-native pod-to-pod traffic rules. Default deny + explicit allow per namespace / pod label.
• DevSecOps shift-left: security checks in CI pipeline — SAST (static), SCA (dependencies), secret scanning, image scanning. Fail build on critical findings; fix before merge.
• OWASP API Security Top 10: Broken Object-Level Auth (BOLA), Broken Auth, Excessive Data Exposure, Lack of Rate Limiting, Mass Assignment, Security Misconfiguration, Injection, Improper Asset Mgmt, Insufficient Logging, SSRF. API-specific risk model — separate from web Top 10.

A microservices app on Kubernetes: CI runs image scan (Trivy + Snyk) on every build; fails if critical CVEs. Images signed via cosign using Sigstore-backed key. Cluster admission controller (Connaisseur / Sigstore Policy Controller) refuses unsigned images. RBAC per service account — only required verbs on required resources. Network Policies default-deny per namespace; explicit allow rules per service. APIs documented + tested for OWASP API Top 10 — rate-limited by API Gateway, JWT auth, BOLA tested via authZ test suite.

Secure Endpoint is Cisco's EDR. SCOR tests the trajectory + retrospection features that distinguish EDR from traditional AV.

• Connector: lightweight agent on Windows / Mac / Linux / Android / iOS. Reports process executions, file hashes, network connections, registry changes to the AMP cloud.
• File trajectory: graph view of every host that has touched a specific file hash + when. Used to scope a malware incident — "this file landed on 47 hosts via 3 attack vectors".
• Device trajectory: per-host timeline of process / file / network activity. Used to reconstruct what an attacker did on a specific machine.
• Retrospective detection: AMP cloud re-evaluates seen files when new intel arrives. A file clean yesterday → flagged today → automatic alert + isolation across all endpoints.
• Threat Grid integration: unknown files submitted to Threat Grid sandbox; behavioural verdict feeds back to Secure Endpoint. Verdict shared across the customer's entire fleet.
• Endpoint isolation: SecureX or admin-driven action — connector cuts all network except to the AMP cloud. Used to contain a compromised host while preserving forensic visibility.

A phish lands on 1 user. SOC investigates via Secure Endpoint device trajectory: sees the user clicked a link, browser downloaded an .exe, .exe spawned PowerShell, PowerShell beaconed to external IP. File trajectory on the .exe hash: also touched 4 other endpoints. SOC isolates all 5 from SecureX. Threat Grid sandbox analyses the .exe — confirms credential stealer. Retrospective detection fires the next day on a different file from the same campaign — auto-isolates another 3 hosts.

Stealthwatch (renamed Secure Network Analytics) ingests NetFlow + IPFIX from switches / routers / firewalls to baseline + detect anomalies. ETA detects malware in encrypted traffic without decryption.

• NetFlow: Cisco's flow-export protocol — sample-based summary of every L4 flow seen by a device. IPFIX is the IETF-standard successor. Both feed Stealthwatch.
• Flow Collector + Flow Sensor: Collectors receive flow records from network devices. Sensors are appliances that generate flow from SPAN ports on devices that can't export natively.
• Behavioral analytics: Stealthwatch baselines normal flow patterns + alerts on deviations — exfiltration (large outbound), beacon (regular C2), recon (port scan).
• Encrypted Traffic Analytics (ETA): uses TLS handshake metadata + flow timing patterns to classify encrypted flows as benign or malicious WITHOUT decryption. Privacy-preserving.
• ETA enrolment: ETA-capable switches (Catalyst 9000 family) extract the SPLT + IDP + cipher metadata from each TLS handshake; export via NetFlow v9 + IPFIX templates. Stealthwatch correlates with Talos threat intel.
• Integration: Stealthwatch alerts → SecureX incidents → Secure Endpoint isolation. Closes the loop from network visibility to host containment.

Stealthwatch Flow Collector ingests NetFlow from every Catalyst switch + ASA + FTD. Baselines: normal user uploads ~10 MB/day. Anomaly fires — user X uploads 5 GB to an external SFTP. ETA on Catalyst 9000s flags TLS flow to that endpoint as suspicious (cipher + SPLT pattern matches Talos malware family). Combined alert → SecureX incident → Secure Endpoint isolation of user X's laptop. SOC investigates via device trajectory.

SecureX is Cisco's XDR + SOAR platform. Aggregates signals from Cisco + third-party + drives orchestrated response.

• Ribbon: persistent UI element across all Cisco security products. Click any indicator (IP / file hash / domain) → SecureX pivots to investigate across all integrated tools.
• Orchestration workflows: drag-and-drop or YAML-defined automation. Triggers (incident received, IOC observed) → actions (isolate endpoint, block IP at Umbrella, post to Slack). The SOAR layer.
• Integrations: Cisco-native (Secure Endpoint, Secure Email, Firepower, Stealthwatch, Umbrella, ISE, Threat Grid) + non-Cisco (Splunk, ServiceNow, Microsoft Defender, CrowdStrike, etc.) via APIs.
• Threat hunting: proactive queries against historical telemetry. "Has anyone connected to this newly-classified malicious domain in the last 30 days?" — SecureX queries all integrated tools simultaneously.
• Incident timeline: aggregates events from all sources into one chronological view. Replaces tab-switching between consoles during investigation.
• Threat response casebook: save findings during investigation; shareable workspace for SOC team.

Daily SOC workflow: incidents flow into SecureX from Secure Email (phish), Secure Endpoint (malware), Stealthwatch (anomaly), Firepower (IPS). Analyst opens an incident — SecureX timeline shows email → click → endpoint detonation → C2 beacon (Stealthwatch) → blocked at Firepower. Ribbon pivots to investigate the C2 domain across all tools simultaneously. Orchestration workflow auto-isolates the endpoint + blocks the domain at Umbrella + creates ServiceNow ticket. Threat hunt: query "did anyone else connect to that domain in last 30 days" — finds 2 more compromised hosts.