New CCNP Security v1.1 Release Notes

The new minor revision for CCNP Security allows Cisco to keep the exam domains closely aligned with commonly adopted Cisco Security technologies and solutions. Relevant technologies used by enterprise engineers were added, and outdated topics were removed. Across all exams, security product names were updated and several exam blueprints received expanded topics, including hybrid and cloud solutions, network management using APIs/NetConf/RestConf, and expanded endpoint antimalware coverage.

Cisco Certifications

CCNP Security
Blueprint Revisions

Products and technologies are evolving faster than ever before. To keep up with the fast pace, we are
introducing a new agile process that will allow us to align our exams faster with these changes: minor
revisions. Minor revisions will provide us with the agility and speed that are necessary to adjust our
programs to match industry changes and the evolution of technologies. Minor revisions will allow us to
update track details (exam blueprint, equipment list, and software) more frequently while keeping overall
changes to a minimum (up to 20%). These revisions allow us to ensure our content stays relevant, and
they minimize learning curves between revisions.

The main objectives of a minor revision are to:

• Further scope out the exam blueprint by ensuring exam objectives are clear.
• Introduce new blueprint tasks to ensure exams stay relevant.
• Phase out old(er) products and/or technology solutions that are less relevant today.
• Update equipment and/or software.

Visit www.cisco.com/go/certroadmap to review the holistic roadmap across all Cisco Certifications.

The CCNP Security exam portfolio is going through a minor revision. Although the overall domains within
the exam blueprints have not changed, with this minor revision, we added and removed technology
solutions to ensure exam relevancy.

Refer to www.cisco.com/go/CertRoadmap for the list of exam topics covered in the updated CCNP
Security exams portfolio and for more information about the CCNP Security certification program.

Cisco and Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries.
To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks.
Cisco © and/or its affiliates. All rights reserved.
CCNP Security – Executive Summary

The new minor revision for CCNP Security allows us to keep the domain closely aligned with today’s
commonly adopted Cisco Security technologies and solutions. To modernize the blueprint, relevant
technologies that enterprise engineers regularly use in the field were added, and outdated topics were
removed.

Below is a comprehensive summary of the Security exam portfolio.

| Exam Name | Acronym | Exam Number | Review |
| --- | --- | --- | --- |
| Implementing and Operating Cisco Security Core Technologies | SCOR | 350-701 | Updated to v1.1 |
| Securing Networks with Cisco Firewalls | SNCF | 300-710 | Updated to v1.1 |
| Implementing and Configuring Cisco Identity Services Engine | SISE | 300-715 | Updated to v1.1 |
| Securing Email with Cisco Secure Email Gateway | SESA | 300-720 | Updated to v1.1 |
| Securing the Web with Cisco Secure Web Appliance | SWSA | 300-725 | Updated to v1.1 |
| Implementing Secure Solutions with Virtual Private Networks | SVPN | 300-730 | Updated to v1.1 |
| Automating and Programming Cisco Security Solutions | SAUTO | 300-735 | Updated to v1.1 |
| Designing and Implementing Secure Cloud Access for Users and Endpoints | SCAZT | 300-740 | NEW exam v1.0 |

A detailed review of each exam follows below.

Security product names were updated across all exams:


• Cisco Firepower is now Cisco Secure Firewall.
• Cisco Firepower Management Center is now Cisco Secure Firewall Management Center.
• Cisco AMP for Networks is now Cisco Secure Firewall Malware Defense.
• Cisco AMP for Endpoints is now Cisco Secure Endpoint.
• Cisco Email Security Appliance is now Cisco Secure Email Gateway.
• Cisco Web Security Appliance is now Cisco Secure Web Appliance.
• Cisco Security Management Appliance is now Cisco Secure Email and Web Manager.
• Cisco Stealthwatch is now Cisco Secure Network Analytics.
• Cisco Stealthwatch Cloud is now Cisco Secure Cloud Analytics.
• Cisco ThreatGRID is now Cisco Secure Malware Analytics.
• Cognitive Threat Analytics is now Cognitive Intelligence.
• Cisco AnyConnect is now Cisco Secure Client.

Implementing and Operating Cisco Security Core Technologies v1.1
350-701 SCOR
Compared to v1.0, all domains (Security Concepts, Network Security, Securing the Cloud, Content
Security, Endpoint Protection and Detection, and Secure Network Access, Visibility, and Enforcement)
remain identical. Several tasks were expanded to include hybrid and cloud solutions; NetConf, RestConf,
and APIs were added to network management, and endpoint antimalware was expanded.

350-701 Implementing and Operating Cisco Security Core Technologies


| v1.0 | v1.1 |
| --- | --- |
| 1.2 Compare common security vulnerabilities such as software bugs, weak and/or hardcoded passwords, SQL injection, missing encryption, buffer overflow, path traversal, cross-site scripting/forgery | 1.2 Compare common security vulnerabilities such as software bugs, weak and/or hardcoded passwords, OWASP top ten, missing encryption ciphers, buffer overflow, path traversal, cross-site scripting/forgery |
| 1.4 Compare site-to-site and remote access VPN deployment types such as sVTI, IPsec, Cryptomap, DMVPN, FlexVPN, including high availability considerations and AnyConnect | 1.4 Compare site-to-site and remote access VPN deployment types and components such as virtual tunnel interfaces, standards-based IPsec, DMVPN, FlexVPN, and Cisco Secure Client including high availability considerations |
| 2.5 Implement segmentation, access control policies, AVC, URL filtering, malware protection | 2.5 Implement segmentation, access control policies, AVC, URL filtering, malware protection, and intrusion policies |
| 2.6 Implement management options for network security solutions such as intrusion prevention and perimeter security (Single vs. multidevice manager, in-band vs. out-of-band, CDP, DNS, SCP, SFTP, and DHCP security and risks) | 2.6 Implement management options for network security solutions (single vs. multidevice manager, in-band vs. out-of-band, cloud vs. on-premises) |
| 2.8 Configure secure network management of perimeter security and infrastructure devices (secure device management, SNMPv3, views, groups, users, authentication, and encryption, secure logging, and NTP with authentication) | 2.8 Configure secure network management of perimeter security and infrastructure devices such as SNMPv3, NetConf, RestConf, APIs, secure syslog, and NTP with authentication |
| 3.2 Compare the customer vs. provider security responsibility for the different cloud service models | 3.2 Compare security responsibility for the different cloud service models |
| 3.2.a Patch management in the cloud | 3.2.a Patch management in the cloud |
| 3.2.b Security assessment in the cloud | 3.2.b Security assessment in the cloud |
| 3.2.c Cloud-delivered security solutions such as firewall, management, proxy, security intelligence, and CASB | |
| 5.2 Explain anti-malware retrospective security, Indication of Compromise (IOC), antivirus, dynamic file analysis, and endpoint-sourced telemetry | 5.2 Configure endpoint antimalware protection using Cisco Secure Endpoint |

Securing Networks with Cisco Firewalls v1.1
300-710 SNCF
Compared to v1.0, all domains (Deployment, Configuration, Management and Troubleshooting, and
Integration) remain identical. The exam name was modified to reflect Cisco’s renaming of Cisco
Firepower to Cisco Secure Firewall. Cisco Security Analytics and Logging, Snort within Secure Firewall
Threat Defense, on-premises and cloud deployments of virtual appliances, and new device management
tools were added.

300-710 Securing Networks with Cisco Firewalls


| v1.0 | v1.1 |
| --- | --- |
| 1.3 Implement high availability options | 1.3 Implement high availability options |
| 1.3.a Link redundancy | 1.3.a Port channels |
| 1.3.b Active/standby and active/active failover | 1.3.b Failover |
| 1.3.c Multi-instance | 1.3.c Equal-Cost Multi-Path (ECMP) routing |
| | 1.3.d Static route tracking |
| | 1.3.e Clustering |
| 1.4 Describe IRB configurations | 1.4 Describe virtual appliance on-premises and cloud deployment |
| 2.3 Configure these features using Firepower Management Center | 2.3 Configure these features using Secure Firewall Management Center |
| 2.3.a Network discovery | 2.3.a Network discovery |
| 2.3.b Application detectors (Open AppID) | 2.3.b Application detectors |
| 2.3.c Correlation | 2.3.c Correlation |
| 2.3.d Actions | 2.3.d Encrypted visibility engine |
| | 2.6 Describe the use of Snort within Secure Firewall Threat Defense |
| 3.3 Troubleshoot using packet capture procedures | 3.3 Troubleshoot using: |
| | 3.3.a Packet capture procedures |
| | 3.3.b Packet Tracer |
| | 3.5 Describe device management tools |
| | 3.5.a Cisco Defense Orchestrator |
| | 3.5.b Cloud-delivered Firewall Management Center |
| | 3.5.c Secure Firewall Device Manager |
| | 3.5.d Secure Firewall Management Center |
| 4.4 Describe using Cisco Threat Response for security investigations | 4.4 Describe using SecureX for security investigations |
| | 4.7 Describe Cisco Security Analytics and Logging |

Implementing and Configuring Cisco Identity Services Engine v1.1
300-715 SISE
Compared to v1.0, all domains (Architecture and Deployment, Policy Enforcement, Web Auth and Guest
Services, Profiler, BYOD, Endpoint Compliance, and Network Access Device Administration) remain
identical. The technologies added to the blueprint are zero-touch provisioning, SAML IDP, Rest ID, and
IBNS.

300-715 Implementing and Configuring Cisco Identity Services Engine

| v1.0 | v1.1 |
| --- | --- |
| | 1.3 Describe hardware and virtual machine performance specifications |
| | 1.4 Describe zero-touch provisioning |
| 2.2 Describe identity store options | 2.2 Describe identity store options |
| 2.2.a LDAP | 2.2.a LDAP |
| 2.2.b AD | 2.2.b AD |
| 2.2.c PKI | 2.2.c PKI |
| 2.2.d OTP | 2.2.d Multifactor authentication |
| 2.2.e Smart Card | 2.2.e Local |
| 2.2.f Local | 2.2.f SAML IDP |
| | 2.2.g Rest ID |
| 2.3 Configure wired/wireless 802.1X network access | 2.3 Configure wireless network access using 802.1X |
| 2.4 Configure 802.1X phasing deployment | 2.4 Configure wired network access using 802.1X and IBNS 2.0 |

2.5 Configure network access devices

Securing Email with Cisco Secure Email Gateway v1.1
300-720 SESA
Compared to v1.0, all domains (Administration, Spam Control with Talos SenderBase and Antispam,
Content and Message Filters, LDAP and SMTP Sessions, Email Authentication and Encryption, and System
Quarantines and Delivery Methods) remain identical. The exam name was modified to reflect Cisco’s
renaming of Cisco Email Security Appliance to Cisco Secure Email Gateway. Virtual machines, certificate
authorities, and logging were added to the blueprint, along with configuring Secure Email Gateway and
Secure Email Threat Defense.

300-720 Securing Email with Cisco Secure Email Gateway


| v1.0 | v1.1 |
| --- | --- |
| 1.1. Configure Cisco Email Security Appliance features | 1.1. Configure Cisco Secure Email Gateway features |
| 1.1.a Hardware performance specifications | 1.1.a Hardware and virtual machine performance specifications |
| 1.1.b Initial configuration process | 1.1.b Initial configuration process |
| 1.1.c Routing and delivery features | 1.1.c Routing and delivery features |
| 1.1.d GUI | 1.1.d GUI |
| | 1.1.e Manage certificate authorities |
| | 1.1.f Logging |
| | 1.4 Integrate Cisco Secure Email Gateway with SecureX |
| | 1.5 Configure Cisco Secure Email Threat Defense |
| 5.7 Manage certificate authorities | 5.7 Configure Cisco Secure Email |

Securing the Web with Cisco Secure Web Appliance v1.1
300-725 SWSA
Compared to v1.0, all domains (Features, Configuration, Proxy Services, Authentication, Decryption
Policies to Control HTTPS Traffic, Differentiated Traffic Access Policies and Identification Profiles,
Acceptable Use Control, Malware Defense, and Reporting and Tracking Web Transactions) remain
identical. The exam name was modified to reflect Cisco’s renaming of Cisco Web Security Appliance to
Cisco Secure Web Appliance. High availability, transparent proxy, the System Health Dashboard, and REST
API support were added to the blueprint and the dynamic content analysis engine was removed.

300-725 Securing the Web with Cisco Secure Web Appliance


| v1.0 | v1.1 |
| --- | --- |
| 2.2 Configure an Acceptable Use policy | 2.2 Configure an access policy |
| 3.1 Compare proxy terms | 3.1 Describe deployment options |
| 3.1.a Explicit proxy | 3.1.a Explicit proxy |
| 3.1.b Transparent proxy | 3.1.b Transparent proxy |
| 3.1.c Upstream proxy | 3.1.c Upstream proxy |
| 3.1.d Downstream proxy | 3.1.d High availability |
| 3.2 Describe tune caching behavior for safety or performance | 3.2 Describe these features: |
| | 3.2.a Tune caching |
| | 3.2.b IP spoofing |
| | 3.2.c Web proxy ports |
| | 3.2.d Range requests |
| 4.2 Configure traffic redirection to Cisco Web Security Appliance using explicit forward proxy mode | 4.2 Configure traffic redirection to Cisco Secure Web Appliance using transparent proxy with WCCP, PBR, or an L4 switch |
| 7.2 Configure the dynamic content analysis engine | |
| | 9.4 Interpret system health using the System Health Dashboard |
| | 9.5 Describe REST API support |

Implementing Secure Solutions with Virtual Private Networks v1.1
300-730 SVPN
Compared to v1.0, all domains (Site-to-Site Private Networks on Routers and Firewalls, Remote Access
VPNs, Troubleshooting Using ASDM and CLI, and Secure Communications Architectures) remain identical.
Implementing DMVPN and FlexVPN were expanded to include all aspects of those technologies.

300-730 Implementing Secure Solutions with Virtual Private Networks


| v1.0 | v1.1 |
| --- | --- |
| 1.2 Implement DMVPN (hub-and-spoke and spoke-to-spoke on both IPv4 & IPv6) | 1.2 Describe uses of DMVPN |
| 1.3 Implement FlexVPN (hub-and-spoke on both IPv4 & IPv6) using local AAA | 1.3 Describe uses of FlexVPN |

Automating and Programming Cisco Security Solutions v1.1
300-735 SAUTO
Compared to v1.0, all domains (Network Programmability Foundation; Network Security; Advanced
Threat & Endpoint Security; and Cloud, Web, and Email Security) remain identical. To modernize the
blueprint, changes were made to reflect an increased presence of Terraform in security automation.
Puppet was replaced with Terraform and the Cisco XDR solution has been added.

300-735 Automating and Programming Cisco Security Solutions


| v1.0 | v1.1 |
| --- | --- |
| 1.6 Explain the benefits of using network configuration tools such as Ansible and Puppet for automating security platforms | 1.6 Explain the benefits of using network configuration tools such as Ansible and Terraform for automating security platforms |
| 3.1 Describe the capabilities and components of these APIs | 3.1 Describe the capabilities and components of these APIs |
| 3.1.a Umbrella Investigate APIs | 3.1.a Cisco Cloud Security APIs (such as Umbrella APIs, Investigate APIs) |
| 3.1.b AMP for endpoints APIs | 3.1.b Cisco Secure Endpoint (formerly AMP for Endpoints) API |
| 3.1.c ThreatGRID API | 3.1.c Cisco Secure Malware Analytics (formerly ThreatGRID) API |
| | 3.1.d Cisco XDR solution APIs (such as SecureX API and Threat Response API) |
| | 3.5 Construct Cisco XDR solution API calls |
| | 3.6 Describe the orchestration capabilities of Cisco XDR solution |

Designing and Implementing Secure Cloud Access for Users and Endpoints v1.0
300-740 SCAZT

New Exam Launch:


This new concentration is focused on designing and implementing security services for the next
generations of cloud-delivered applications while applying best practices for cloud security architectures,
design, operations, and service orchestration. Enterprises globally increasingly deploy applications and
services in a SaaS, hybrid, and multi-cloud environment. The cloud security engineers at these
organizations must have specialized knowledge and skills related to applications delivered through the
cloud to users on any device anywhere.
