Introducing the new CCNP Security certification
New exams go live on February 24, 2020
To earn CCNP Security, you pass two exams: the core exam and one concentration exam.
REQUIRED EXAMS
Core exam:
350-701 SCOR Implementing and Operating Cisco Security Core Technologies (SCOR)
Concentration exams (choose one):
300-710 SNCF Securing Networks with Cisco Firepower Next Generation Firewall (SSNGFW) / Securing Networks with Cisco Firepower Next-Generation IPS (SSFIPS)
300-715 SISE Implementing and Configuring Cisco Identity Services Engine (SISE)
300-720 SESA Securing Email with Cisco Email Security Appliance (SESA)
300-725 SWSA Securing the Web with Cisco Web Security Appliance (SWSA)
300-730 SVPN Implementing Secure Solutions with Virtual Private Networks (SVPN)
300-735 SAUTO Implementing Automation for Cisco Security Solutions (SAUI)
Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Associated Certifications:
Exam overview
This exam tests your knowledge of implementing and operating core security technologies, including:
Course Content
1.0 Security Concepts 25%
Explain common threats against on-premises and cloud environments
Compare common security vulnerabilities such as software bugs, weak and/or hardcoded passwords, SQL injection, missing encryption, buffer overflow, path traversal, cross-site scripting/forgery
Describe functions of the cryptography components such as hashing, encryption, PKI, SSL, IPsec, NAT-T IPv4 for IPsec, pre-shared key and certificate-based authorization
Compare site-to-site VPN and remote access VPN deployment types such as sVTI, IPsec, Cryptomap, DMVPN, FLEXVPN including high availability considerations, and AnyConnect
Describe security intelligence authoring, sharing, and consumption
Explain the role of the endpoint in protecting humans from phishing and social engineering attacks
Explain North Bound and South Bound APIs in the SDN architecture
Explain DNAC APIs for network provisioning, optimization, monitoring, and troubleshooting
Interpret basic Python scripts used to call Cisco Security appliances APIs
2.0 Network Security 20%
Compare network security solutions that provide intrusion prevention and firewall capabilities
Describe deployment models of network security solutions and architectures that provide intrusion prevention and firewall capabilities
Describe the components, capabilities, and benefits of NetFlow and Flexible NetFlow records
Configure and verify network infrastructure security methods (router, switch, wireless)
Implement segmentation, access control policies, AVC, URL filtering, and malware protection
Implement management options for network security solutions such as intrusion prevention and perimeter security
Configure AAA for device and network access
Configure secure network management of perimeter security and infrastructure devices
Configure and verify site-to-site VPN and remote access VPN
3.0 Securing the Cloud 15%
Identify security solutions for cloud environments
Compare the customer vs. provider security responsibility for the different cloud service models
Describe the concept of DevSecOps (CI/CD pipeline, container orchestration, and security)
Implement application and data security in cloud environments
Identify security capabilities, deployment models, and policy management to secure the cloud
Configure cloud logging and monitoring methodologies
Describe application and workload security concepts
4.0 Content Security 15%
Implement traffic redirection and capture methods
Describe web proxy identity and authentication including transparent user identification
Compare the components, capabilities, and benefits of local and cloud-based email and web solutions (ESA, CES, WSA)
Configure and verify web and email security deployment methods to protect on-premises and remote users (inbound and outbound controls and policy management)
Configure and verify email security features such as spam filtering, antimalware filtering, DLP, blacklisting, and email encryption
Configure and verify secure internet gateway and web security features such as blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS decryption
Describe the components, capabilities, and benefits of Cisco Umbrella
Configure and verify web security controls on Cisco Umbrella (identities, URL content settings, destination lists, and reporting)
5.0 Endpoint Protection and Detection 10%
Compare Endpoint Protection Platforms (EPP) and Endpoint Detection & Response (EDR) solutions
Explain antimalware, retrospective security, Indication of Compromise (IOC), antivirus, dynamic file analysis, and endpoint-sourced telemetry
Configure and verify outbreak control and quarantines to limit infection
Describe justifications for endpoint-based security
Describe the value of endpoint device management and asset inventory such as MDM
Describe the uses and importance of a multifactor authentication (MFA) strategy
Describe endpoint posture assessment solutions to ensure endpoint security
Explain the importance of an endpoint patching strategy
6.0 Secure Network Access, Visibility, and Enforcement 15%
Describe identity management and secure network access concepts such as guest services, profiling, posture assessment and BYOD
Configure and verify network access device functionality such as 802.1X, MAB, WebAuth
Describe network access with CoA
Describe the benefits of device compliance and application control
Explain exfiltration techniques (DNS tunneling, HTTPS, email, FTP/SSH/SCP/SFTP, ICMP, Messenger, IRC, NTP)
Describe the benefits of network telemetry
Describe the components, capabilities, and benefits of these security products and solutions
Securing Networks with Cisco Firepower (SNCF 300-710)
Associated Certifications:
Exam Description
This exam tests a candidate's knowledge of Cisco Firepower® Threat Defense and Firepower®, including policy configurations, integrations, deployments, management and troubleshooting.
The courses Securing Networks with Cisco Firepower and Securing Networks with Cisco Firepower Next-Generation Intrusion Prevention System help candidates prepare for this exam.
The following topics are general guidelines for the content likely to be included on the exam.
Course Content
1.0 Deployment 30%
1.1 Implement NGFW modes
1.2 Implement NGIPS modes
1.3 Implement high availability options
1.4 Describe IRB configurations
2.0 Configuration 30%
2.1 Configure system settings in Cisco Firepower Management Center
2.2 Configure these policies in Cisco Firepower Management Center
2.3 Configure these features using Cisco Firepower Management Center
2.4 Configure objects using Firepower Management Center
2.5 Configure devices using Firepower Management Center
3.0 Management and Troubleshooting 25%
3.1 Troubleshoot with FMC CLI and GUI
3.2 Configure dashboards and reporting in FMC
3.3 Troubleshoot using packet capture procedures
3.4 Analyze risk and standard reports
4.0 Integration 15%
4.1 Configure Cisco AMP for Networks in Firepower Management Center
4.2 Configure Cisco AMP for Endpoints in Firepower Management Center
4.3 Implement Threat Intelligence Director for third-party security intelligence feeds
4.4 Describe using Cisco Threat Response for security investigations
4.5 Describe Cisco FMC pxGrid integration with Cisco Identity Services Engine (ISE)
4.6 Describe Rapid Threat Containment (RTC) functionality within Firepower Management Center
Implementing and Configuring Cisco Identity Services Engine (SISE 300-715)
Associated Certifications:
Exam Description
This exam tests a candidate's knowledge of Cisco Identity Services Engine,
1.0 Architecture and Deployment 10%
2.0 Policy Enforcement 25%
2.1 Configure native AD and LDAP
2.2 Describe identity store options
2.3 Configure wired/wireless 802.1X network access
2.4 Configure 802.1X phasing deployment
2.5 Configure network access devices
2.6 Implement MAB
2.7 Configure Cisco TrustSec
2.8 Configure policies including authentication and authorization profiles
3.0 Web Auth and Guest Services 15%
3.1 Configure web authentication
3.2 Configure guest access services
3.3 Configure sponsor and guest portals
4.0 Profiler 15%
5.0 BYOD 15%
5.1 Describe Cisco BYOD functionality
5.2 Configure BYOD device on-boarding using internal CA with Cisco switches and Cisco wireless LAN controllers
5.3 Configure certificates for BYOD
5.4 Configure blacklist/whitelist
6.0 Endpoint Compliance 10%
6.1 Describe endpoint compliance, posture services, and client provisioning
6.2 Configure posture conditions and policy, and client provisioning
6.3 Configure the compliance module
6.4 Configure Cisco ISE posture agents and operational modes
6.5 Describe supplicant, supplicant options, authenticator, and server
7.0 Network Access Device Administration 10%
7.1 Compare AAA protocols
7.2 Configure TACACS+ device administration and command authorization
Securing Email with Cisco Email Security Appliance (SESA 300-720)
Associated Certifications:
Exam Description
This exam tests a candidate's knowledge of Cisco Email Security Appliance, including
Course Content
1.0 Cisco Email Security Appliance Administration 15%
1.1 Configure Cisco Email Security Appliance features
1.2 Describe centralized services on a Cisco Content SMA
1.3 Configure mail policies
2.0 Spam Control with Talos SenderBase and Antispam 15%
2.1 Control spam with Talos SenderBase and Antispam
2.2 Describe the graymail management solution
2.3 Configure file reputation filtering and file analysis features
2.4 Implement protection against malicious or undesirable URLs
2.5 Describe the bounce verification feature
3.0 Content and Message filters 20%
3.1 Describe the functions and capabilities of content filters
3.2 Create text resources such as content dictionaries, disclaimers, and templates
3.3 Configure message filter components, rules, processing order, and attachment scanning
3.4 Configure scan behavior
3.5 Configure the Cisco ESA to scan for viruses using Sophos and McAfee scanning engines
3.6 Configure outbreak filters
3.7 Configure Data Loss Prevention (DLP)
4.0 LDAP and SMTP Sessions 15%
4.1 Configure and verify LDAP servers and queries (Queries and Directory Harvest Attack)
4.2 Understand spam quarantine functions
4.3 Understand SMTP functionality
5.0 Email Authentication and Encryption 20%
5.1 Configure Domain Keys and DKIM signing
5.2 Configure SPF and SIDF
5.3 Configure DMARC verification
5.4 Configure forged email detection
5.5 Configure email encryption
5.6 Describe S/MIME security services and communication encryption with other MTAs
5.7 Manage certificate authorities
6.0 System Quarantines and Delivery Methods 15%
6.1 Configure quarantine (spam, policy, virus, and outbreak)
6.2 Utilize safelists and blocklists to control email delivery
6.3 Manage messages in local or external spam quarantines
6.4 Configure virtual gateways
Securing the Web with Cisco Web Security Appliance (SWSA 300-725)
Associated Certifications:
Exam Description
This exam tests a candidate's knowledge of Cisco Web Security Appliance, including
Course Content
1.0 Cisco WSA Features 10%
1.1 Describe Cisco WSA features and functionality
1.2 Describe WSA solutions
1.3 Integrate Cisco WSA with Splunk
1.4 Integrate Cisco WSA with Cisco ISE
1.5 Troubleshoot data security and external data loss using log files
2.0 Configuration 20%
2.1 Perform initial configuration tasks on Cisco WSA
2.2 Configure an Acceptable Use Policy
2.3 Configure and verify web proxy features
2.4 Configure a referrer header to filter web categories
3.0 Proxy Services 10%
3.1 Compare proxy terms
3.2 Describe tuning caching behavior for safety or performance
3.3 Describe the functions of a Proxy Auto-Configuration (PAC) file
3.4 Describe the SOCKS protocol and the SOCKS proxy services
4.0 Authentication 10%
4.1 Describe authentication features
4.2 Configure traffic redirection to Cisco WSA using explicit forward proxy mode
4.3 Describe FTP proxy authentication
4.4 Troubleshoot authentication issues
5.0 Decryption Policies to Control HTTPS Traffic 10%
5.1 Describe SSL and TLS inspection
5.2 Configure HTTPS capabilities
5.3 Configure self-signed and intermediate certificates within SSL/TLS transactions
6.0 Differentiated Traffic Access Policies and Identification Profiles 10%
6.1 Describe access policies
6.2 Describe identification profiles and authentication
6.3 Troubleshoot using access logs
7.0 Acceptable Use Control 10%
7.1 Configure URL filtering
7.2 Configure the dynamic content analysis engine
7.3 Configure time-based & traffic volume acceptable use policies and end user notifications
7.4 Configure web application visibility and control (Office 365, third-party feeds)
7.5 Create a corporate global acceptable use policy
7.6 Use the policy trace tool to verify the corporate global acceptable use policy
7.7 Configure WSA to inspect archive file types
8.0 Malware Defense 10%
8.1 Describe anti-malware scanning
8.2 Configure file reputation filtering and file analysis
8.3 Describe Advanced Malware Protection (AMP)
8.4 Describe integration with Cognitive Threat Analytics
9.0 Reporting and Tracking Web Transactions 10%
9.1 Configure and analyze web tracking reports
9.2 Configure Cisco Advanced Web Security Reporting (AWSR)
9.3 Troubleshoot connectivity issues
Implementing Secure Solutions with Virtual Private Networks (SVPN 300-730)
Associated Certifications:
Exam Description
This exam tests a candidate's knowledge of implementing secure remote communications with Virtual Private Network (VPN) solutions including
Course Content
1.0 Site-to-site Virtual Private Networks on Routers and Firewalls 15%
1.1 Describe GETVPN
1.2 Implement DMVPN (hub-and-spoke and spoke-to-spoke on both IPv4 & IPv6)
1.3 Implement FlexVPN (hub-and-spoke on both IPv4 & IPv6) using local AAA
2.0 Remote access VPNs 20%
2.1 Implement AnyConnect IKEv2 VPNs on ASA and routers
2.2 Implement AnyConnect SSLVPN on ASA and routers
2.3 Implement Clientless SSLVPN on ASA and routers
2.4 Implement Flex VPN on routers
3.0 Troubleshooting using ASDM and CLI 35%
3.1 Troubleshoot IPsec
3.2 Troubleshoot DMVPN
3.3 Troubleshoot FlexVPN
3.4 Troubleshoot AnyConnect IKEv2 and SSL VPNs on ASA and routers
3.5 Troubleshoot Clientless SSLVPN on ASA and routers
4.0 Secure Communications Architectures 30%
4.1 Identify functional components of GETVPN, FlexVPN, DMVPN, and IPsec for site-to-site VPN solutions
4.2 Identify functional components of FlexVPN, IPsec, and Clientless SSL for remote access VPN solutions
4.3 Identify VPN technology based on configuration output for site-to-site VPN solutions
4.4 Identify VPN technology based on configuration output for remote access VPN solutions
4.5 Identify split tunneling requirements for remote access VPN solutions
4.6 Design site-to-site VPN solutions
4.7 Design remote access VPN solutions
4.8 Identify Elliptic Curve Cryptography (ECC) algorithms
Automating and Programming Cisco Security Solutions (SAUTO 300-735)
Associated Certifications
Exam Description
This exam tests a candidate's knowledge of implementing automated security solutions, including programming concepts
Course Content
1.0 Network Programmability Foundation 10%
1.1 Utilize common version control operations with git (add, clone, push, commit, diff, branching, and merge conflicts)
1.2 Describe characteristics of API styles (REST and RPC)
1.3 Describe the challenges encountered and patterns used when consuming APIs synchronously and asynchronously
1.4 Interpret Python scripts containing data types, functions, classes, conditions, and looping
1.5 Describe the benefits of Python virtual environments
1.6 Explain the benefits of using network configuration tools such as Ansible and Puppet for automating security platforms
2.0 Network Security 35%
2.1 Describe the event streaming capabilities of Firepower Management Center eStreamer API
2.2 Describe the capabilities and components of these APIs
2.3 Implement firewall objects, rules, intrusion policies, and access policies using Firepower Management Center API
2.4 Implement firewall objects, rules, intrusion policies, and access policies using Firepower Threat Defense API (also known as Firepower Device Manager API)
2.5 Construct a Python script for pxGrid to retrieve information such as endpoint device type, network policy, and security telemetry
2.6 Construct API requests using Stealthwatch API
3.0 Advanced Threat & Endpoint Security 30%
3.1 Describe the capabilities and components of these APIs
3.2 Construct an Umbrella Investigate API request
3.3 Construct AMP for Endpoints API requests for events, computers, and policies
3.4 Construct Threat Grid API requests for search, sample feeds, IoC feeds, and threat disposition
4.0 Cloud, Web, and Email Security 25%
4.1 Describe the capabilities and components of these APIs
4.2 Construct Stealthwatch Cloud API requests for reporting
4.3 Construct an Umbrella Reporting and Enforcement API request
4.4 Construct a report using Cisco Security Management Appliance API request (email and web)