Cisco

CCIE Security

Cisco Certified Internetwork Expert Security

Expert | 350-701 SCOR (written qualifier) + CCIE Security Lab | Content Available

The ultimate expert-level security certification — prove real-world mastery in an 8-hour lab.

Exam Code: 350-701 SCOR (written qualifier) + CCIE Security Lab
Duration: 120 min (written) / 8 hours (lab)
Questions: 90–110 (written) / Practical scenarios (lab)
Passing Score: 825 / 1000 (written) / Variable cut score (lab)
Validity: 3 years
Exam Cost: $400 USD (written) + $1,600 USD (lab)

About CCIE Security

The Cisco CCIE Security certification is the most respected expert-level security credential in the networking industry. It validates deep, hands-on skills across the entire Cisco security portfolio, from advanced firewall configuration and complex VPN topologies to identity management, threat protection, and security automation. Candidates must pass the 350-701 SCOR written exam and then sit the 8-hour CCIE Security lab exam, which presents complex, real-world security scenarios requiring configuration, troubleshooting, and optimisation under time pressure. The lab tests advanced ASA/FTD firewall skills, FlexVPN and DMVPN phase 1-3, Cisco ISE posture/profiling/guest, infrastructure hardening, Cisco Secure Endpoint, Stealthwatch, and Python/Ansible security automation — making it one of the most technically demanding certifications available.

Prerequisites
  • CCNP Security or equivalent deep security experience
  • Expert-level knowledge of Cisco ASA, FTD, and Firepower Management Center
  • Deep experience with Cisco ISE, RADIUS/TACACS+, and 802.1X deployments
  • Strong understanding of IPsec, IKEv2, DMVPN, and FlexVPN
  • Typically 5–7 years of security engineering experience recommended

What you need to know

6 domains, 70 objectives.

Perimeter Security & Intrusion Prevention (20%)
Advanced ASA/FTD, Snort IPS rules, intrusion policy tuning, and firewall clustering/HA.
  • Configure and verify advanced Cisco ASA features (transparent mode, multi-context mode, failover)
  • Configure and verify ASA active/standby and active/active failover with stateful replication
  • Configure and verify Cisco FTD inline, passive, and tap deployment modes
  • Configure and verify FTD access control policies with URL, application, and file inspection
  • Configure and verify FTD intrusion policies using Snort 3 rule sets and variable sets
  • Write and tune custom Snort rules (rule header, options, content matches, PCRE)
  • Configure and verify FTD SSL/TLS decryption policies (known-key, re-signed certificate)
  • Configure and verify FTD NAT (manual NAT, auto NAT, identity NAT, twice NAT)
  • Configure and verify Cisco FMC device management, high availability, and domain separation
  • Implement FTD clustering for scalability (Spanned EtherChannel, individual interface mode)
  • Troubleshoot complex ASA/FTD connectivity issues (captures, packet tracer, syslogs, dashboards)
  • Configure and verify FTD QoS policies for traffic prioritisation at the perimeter

Secure Connectivity & Segmentation (20%)
Advanced IPsec/IKEv2, DMVPN phases 1–3, FlexVPN, GET VPN, MACsec, and TrustSec.
  • Configure and verify IKEv2 site-to-site VPN between Cisco routers and ASA/FTD
  • Configure and verify DMVPN Phase 1 (hub-and-spoke), Phase 2 (direct spoke-to-spoke), and Phase 3 (hierarchical NHRP)
  • Configure and verify DMVPN with IPsec using profiles and dynamic crypto maps
  • Configure and verify DMVPN routing integration (EIGRP, OSPF, BGP over tunnel interfaces)
  • Configure and verify Cisco FlexVPN (IKEv2 smart defaults, VTI, AAA-based spoke authorisation)
  • Configure and verify GET VPN (GDOI, key server, group member) for private WAN encryption
  • Configure and verify remote access VPN using AnyConnect with IKEv2 and SSL
  • Configure and verify AnyConnect posture assessment, split tunnelling, and always-on VPN
  • Configure and verify MACsec (IEEE 802.1AE) on switch-to-switch and switch-to-host links
  • Configure and verify TrustSec (SGT tagging, SGACL enforcement, SXP protocol)
  • Troubleshoot complex IPsec/IKEv2 issues (phase 1 mismatches, phase 2 policy, dead peer detection)
  • Implement network micro-segmentation strategies using VRF, VLAN, and TrustSec

Infrastructure Security (15%)
Control Plane Policing (CoPP), uRPF, BGP security (RPKI), and management plane hardening.
  • Configure and verify comprehensive Control Plane Policing (CoPP) policies with per-protocol rate limiting
  • Configure and verify uRPF (Unicast Reverse Path Forwarding) strict and loose modes
  • Describe RPKI (Resource Public Key Infrastructure) for BGP route origin validation
  • Configure and verify BGP security features (prefix filtering, AS-path filtering, max-prefix limits)
  • Configure and verify management plane hardening (SSH, SNMPv3, HTTPS, AAA, role-based access)
  • Configure and verify TACACS+ for device administration with command-level authorisation
  • Configure and verify RADIUS for network access authentication
  • Implement logging best practices (centralised syslog, SNMP trap correlation, NTP authentication)
  • Configure and verify IPv6 security features (RA guard, DHCPv6 guard, IPv6 ND inspection)
  • Describe and implement 802.1Q VLAN security (pruning, native VLAN hardening, double-tagging prevention)
  • Configure and verify DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard
  • Implement lawful intercept and span-based network monitoring in compliance scenarios

Identity Management, Information Exchange & Access Control (20%)
Advanced Cisco ISE (posture, profiling, guest, BYOD), RADIUS/TACACS+, 802.1X EAP methods, pxGrid, and TrustSec.
  • Configure and verify Cisco ISE node deployment (PAN, MnT, PSN) and high availability (secondary PAN, PSN groups)
  • Configure and verify RADIUS authentication and authorisation policies in ISE for network access
  • Configure and verify TACACS+ device administration policies in ISE (command sets, shell profiles)
  • Configure and verify 802.1X wired with EAP-TLS (certificate-based), PEAP-MSCHAPv2, and EAP-FAST
  • Configure and verify ISE posture assessment (AnyConnect agent, compliance conditions, remediation)
  • Configure and verify ISE profiling with multiple probes (RADIUS, DHCP, DNS, NetFlow, SNMP, HTTP)
  • Configure and verify ISE guest portal (sponsored guest, self-registration, social login)
  • Configure and verify ISE BYOD onboarding (MDM integration, certificate provisioning)
  • Configure and verify pxGrid for sharing identity context with FMC, Stealthwatch, and third-party tools
  • Configure and verify Change of Authorization (CoA) for dynamic policy re-evaluation
  • Describe ISE PassiveID for agentless user identity tracking (AD agent, WMI, syslog probes)
  • Troubleshoot complex ISE authentication issues (failed authentications, missing attributes, policy mismatch)

Advanced Threat Protection (15%)
Cisco Secure Endpoint (AMP), Threat Grid sandboxing, Stealthwatch analytics, and encrypted traffic analysis.
  • Describe and configure Cisco Secure Endpoint deployment (connector, policy, group structure)
  • Explain AMP file disposition (clean, malicious, unknown) and the retrospective detection mechanism
  • Configure and verify AMP device trajectory and file trajectory for threat investigation
  • Describe Cisco Threat Grid sandboxing (dynamic analysis, behavioural indicators, threat score)
  • Describe Cisco Secure Network Analytics (Stealthwatch) architecture (SMC, Flow Collectors)
  • Configure and verify Stealthwatch flow collection and host group policies
  • Describe Encrypted Traffic Analytics (ETA) and the use of JA3/JA3S fingerprinting
  • Describe Cisco Talos threat intelligence feeds and their integration into security products
  • Explain the concept of indicators of compromise (IoC) and threat hunting methodologies
  • Describe the Cisco SecureX platform for unified threat investigation and response workflows
  • Configure and verify threat intelligence sharing using STIX/TAXII standards
  • Describe the MITRE ATT&CK framework and its application to threat detection and response

Automation (10%)
Security automation with Python, Cisco ISE APIs, Cisco FMC REST APIs, and Ansible security modules.
  • Write Python scripts to interact with the Cisco ISE ERS API (create endpoints, policies, guests)
  • Write Python scripts to interact with the Cisco FMC REST API (access control policy management)
  • Describe the Cisco FMC API structure (domains, objects, policies, deployment)
  • Write and execute Ansible playbooks using Cisco ASA modules (cisco.asa collection)
  • Write and execute Ansible playbooks using Cisco IOS security modules
  • Describe the Cisco SecureX API for threat investigation and incident automation
  • Describe SOAR concepts and integration with Cisco security products for automated response
  • Interpret JSON and YAML data returned from security product REST APIs
  • Describe the use of Python for parsing Syslog and NetFlow data for automated threat detection
  • Write a Python script to pull threat intelligence from Cisco Umbrella Investigate API

Study & Practice