Security engineers who attempt CCNP Security expecting a deeper version of CCNA security are surprised. CCNP Security covers network security architecture at enterprise scale — firewall policy, VPN design, identity services, threat intelligence integration — not just the access control lists and port security from the associate tier.
Understanding what each component actually tests lets you study correctly rather than discovering gaps on exam day.
The CCNP Security Structure
Like CCNP Enterprise, CCNP Security requires two exams:
- SCOR (350-701): Implementing and Operating Cisco Security Core Technologies — mandatory
- Concentration — one of six options
| Concentration | Code | Focus |
|---|---|---|
| SVPN | 300-730 | Implementing Secure Solutions with VPNs |
| SISE | 300-715 | Implementing and Configuring Cisco Identity Services Engine |
| SNCF | 300-720 | Securing Email with Cisco Email Security |
| SWSA | 300-725 | Securing the Web with Cisco Web Security |
| SSFIPS | 300-710 | Securing Networks with Cisco Firepower |
| SASE | 300-740 | Cisco SASE |
The two most commonly chosen concentrations are SISE (Identity Services Engine, or ISE) and SSFIPS (Firepower, Cisco's NGFW platform). Both appear regularly in enterprise environments.
SCOR (350-701): What It Actually Tests
| Domain | Weight |
|---|---|
| Security Concepts | 25% |
| Network Security | 20% |
| Cloud Security | 15% |
| Content Security | 10% |
| Endpoint Protection and Detection | 15% |
| Secure Network Access, Visibility, and Enforcement | 15% |
Security Concepts at 25% is the largest domain and the one that catches candidates who approach CCNP Security as a "configure the firewall" exam.
Cryptography and PKI
The exam tests cryptography at a depth that requires conceptual understanding, not just knowing which algorithms exist:
Symmetric vs asymmetric encryption:
- Symmetric (AES, 3DES): fast, uses same key to encrypt and decrypt. Problem: how do you securely exchange the key?
- Asymmetric (RSA, ECDH): uses public/private key pair. Slow but solves key distribution. Used to exchange a symmetric session key securely.
TLS handshake process: the exam tests what happens during TLS negotiation — cipher suite negotiation, certificate verification, key exchange. This is directly relevant to understanding where security controls intercept traffic.
PKI components:
- Certificate Authority (CA): issues and signs certificates
- Registration Authority (RA): handles enrollment requests
- OCSP: Online Certificate Status Protocol — real-time certificate revocation check
- CRL: Certificate Revocation List — periodic list of revoked certificates
Cisco Umbrella and DNS-Layer Security
Cisco Umbrella (acquired from OpenDNS) provides DNS-layer security — blocking malicious domains before connections are established.
The exam tests:
- How Umbrella works (recursive DNS resolver that checks domains against threat intelligence)
- Deployment models (DNS forwarding, roaming client)
- Integration with Cisco Secure Internet Gateway
"SCOR's coverage of Cisco Umbrella trips candidates who haven't used it. The conceptual question isn't 'what does DNS-layer security mean' — that's obvious. The exam asks about Umbrella's architecture, deployment models, and how it integrates with ISE for identity-based policy. That requires specific product knowledge." — Mike Garza, CCIE Security, CBT Nuggets instructor
Network Security (20%)
This domain covers Cisco's firewall and IPS/IDS technologies.
Cisco ASA vs Cisco Firepower NGFW
SCOR tests both legacy ASA and modern Firepower (NGFW) — understanding when and why organizations use each.
| Feature | Cisco ASA | Cisco Firepower NGFW |
|---|---|---|
| Firewall | Yes (stateful) | Yes (stateful) |
| IPS/IDS | With FirePOWER module | Native |
| Application visibility | Limited | Full (NGFW) |
| URL filtering | Limited | Full |
| Management | ASDM or CLI | Firepower Management Center (FMC) |
| AVC (App Visibility Control) | No | Yes |
NGFW capabilities tested:
- Application layer inspection (identify Netflix vs HTTP traffic)
- SSL inspection (decrypt, inspect, re-encrypt HTTPS traffic)
- File policy (block malware by file type and AMP hash reputation)
- URL category filtering
VPN on SCOR
VPN appears throughout SCOR — both in the Security Concepts domain and Network Security domain:
Site-to-Site VPN: IPsec tunnel between two endpoints. IKEv1 vs IKEv2 differences. Phase 1 (ISAKMP SA — authentication and key exchange) and Phase 2 (IPsec SA — actual data encryption).
Remote Access VPN: AnyConnect SSL VPN (most common in enterprise), DTLS for performance, split tunneling (route only corporate traffic through VPN, not all internet traffic).
FlexVPN: IKEv2-based VPN framework that supports site-to-site and remote access using a unified configuration model.
Cisco ISE Concentration (SISE 300-715)
ISE is the most enterprise-relevant concentration for security engineers who work in environments with 802.1X authentication, NAC, and identity-based access policies.
What ISE does: centralized policy engine for network access control. When a device connects to the network, ISE authenticates it (user identity + device compliance) and authorizes what it can access (VLAN assignment, ACL push, SGT tagging).
Key ISE concepts tested on SISE:
Authentication protocols:
- 802.1X (EAP): supplicant (client) → authenticator (switch/WLC) → authentication server (ISE). Uses RADIUS.
- MAB (MAC Authentication Bypass): for devices that don't support 802.1X (printers, IoT). ISE authenticates the MAC address.
- Web Authentication: for guest users — redirect to captive portal, authenticate via web form.
Authorization policies: after authentication, ISE applies authorization based on the identity. Examples:
- Employee device → assign to corporate VLAN, full access
- Contractor device → assign to contractor VLAN, limited access
- Non-compliant device (missing updates) → redirect to remediation portal
BYOD (Bring Your Own Device): ISE manages device onboarding for personal devices — certificate provisioning, device registration, policy application.
Security Group Tags (SGT): TrustSec architecture tags traffic based on source identity. Policies reference SGTs (permit SGT 10 to SGT 20) rather than IP addresses. Simplifies policy across dynamic environments where IP addresses change.
SSFIPS Concentration: Cisco Firepower
Candidates who work with Cisco Firepower NGFW find SSFIPS directly applicable to their daily work.
Firepower architecture:
- Firepower Management Center (FMC): centralized management for multiple Firepower devices. Policy creation, reporting, threat intelligence correlation.
- Firepower Threat Defense (FTD): the unified image running on hardware (Firepower 2100/4100/9300 series) or virtually. Combines ASA stateful firewall + Firepower IPS + NGFW capabilities.
SSFIPS exam content:
- Access Control Policies: ordered rules with actions (allow, trust, block, interactive block)
- Intrusion policies: Snort rule sets, preprocessors
- File policies: AMP (Advanced Malware Protection) for network file scanning
- SSL policies: traffic decryption configuration
- NAT in FTD: network address translation on the Firepower platform
Preparation Strategy for CCNP Security
CCNA Security knowledge is the minimum baseline. Candidates without ACL, VPN, and basic firewall knowledge from the associate level will struggle with SCOR depth.
Resource selection:
- Kevin Redmon's SCOR course (CBT Nuggets or INE): comprehensive video coverage
- Cisco's official SCOR exam preparation guide: covers required content with configuration examples
- Cisco DevNet Learning Labs: free labs for ISE and FMC concepts
- Boson ExSim-Max: SCOR practice questions
Concentration lab access: ISE and Firepower NGFW are enterprise products that aren't feasible to run on personal hardware. Options:
- Cisco DevNet sandbox (free, time-limited virtual ISE and FMC instances)
- INE subscription (includes preconfigured lab environments)
- Cisco VIRL/CML (subscription-based, runs virtual Cisco images)
Study time: SCOR typically requires 14-18 weeks for candidates with CCNA Security background. Concentration exams add 8-12 weeks. The ISE concentration (SISE) is knowledge-heavy; the Firepower concentration (SSFIPS) is more configuration-focused.
SCOR Domain Breakdown: What Each Percentage Means in Practice
Understanding the domain weights helps allocate study time. The table shows weights alongside representative topics — not just what the domain is called, but what question types actually appear.
| Domain | Weight | Representative Question Topics |
|---|---|---|
| Security Concepts | 25% | Cryptography (AES, RSA, ECDH), PKI, TLS handshake, attack types (MITM, replay, SQL injection), common vulnerabilities |
| Network Security | 20% | ASA vs FTD comparison, NGFWs, IPS/IDS, site-to-site IPsec, AnyConnect VPN, TrustSec SGTs |
| Cloud Security | 15% | Cloud deployment models, shared responsibility model, cloud access security brokers (CASB), Cisco Umbrella |
| Content Security | 10% | Cisco ESA (email security), Cisco WSA (web security), spam filtering, URL filtering policies |
| Endpoint Protection and Detection | 15% | Cisco AMP for Endpoints (now Secure Endpoint), EDR capabilities, malware analysis sandboxing |
| Secure Network Access, Visibility, Enforcement | 15% | ISE architecture, 802.1X, Cisco StealthWatch (now Secure Network Analytics), NetFlow analysis |
The Network Security Domain (20%): What NGFWs and IPS Actually Test
The network security domain emphasizes the architectural difference between traditional stateful firewalls and next-generation firewalls. SCOR candidates need to articulate this difference at a product level, not just conceptually.
Traditional firewall (ASA stateful):
- Tracks connection state (TCP SYN, SYN-ACK, ACK)
- Rules based on IP address, port, and protocol
- No application awareness — HTTP on port 8080 is the same as HTTP on port 80
Next-generation firewall (FTD/Firepower):
- All stateful firewall capabilities, plus:
- Application identification regardless of port (Netflix over port 443 is identified as Netflix, not HTTPS)
- User identity integration via ISE or Active Directory
- Intrusion prevention with Snort rule engine
- File inspection with AMP for malware detection
Cisco TrustSec and SGT architecture accounts for a meaningful portion of network security questions. TrustSec assigns Security Group Tags (SGT) to traffic based on the identity of the source. Policies are then written in terms of SGT-to-SGT relationships instead of IP-to-IP ACLs.
The advantage: in environments where IP addresses change (VMs, wireless clients, VPN users), SGT policies remain stable. A contractor SGT can be denied access to a finance server SGT regardless of which IP address the contractor received from DHCP.
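The stability claim above can be seen in a small model. This is an added example, not part of the original article and not Cisco code: it walks one user through two DHCP leases and compares an IP ACL with an SGT matrix. The tag numbers, addresses, role names and the default-deny choice are all assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed tag numbers and addresses; 0 is used here for "no binding known".
SGT_UNKNOWN, SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_FINANCE = 0, 10, 20, 30
FINANCE_SERVER = "10.9.0.5"

# Role assigned at authentication -> SGT (stands in for the authorization result).
ROLE_TO_SGT = {"employee": SGT_EMPLOYEE, "contractor": SGT_CONTRACTOR}

# SGT policy matrix: (source SGT, destination SGT) -> action.
SGT_POLICY = {
    (SGT_EMPLOYEE, SGT_FINANCE): "permit",
    (SGT_CONTRACTOR, SGT_FINANCE): "deny",
}

# IP ACL written when contractors only ever sat in 10.1.20.0/24 (first match wins).
IP_ACL = [
    ("deny", ip_network("10.1.20.0/24"), ip_network("10.9.0.5/32")),
    ("permit", ip_network("10.1.0.0/16"), ip_network("10.9.0.5/32")),
]


class Bindings:
    """IP-to-SGT table, refreshed every time an endpoint authenticates."""

    def __init__(self):
        self.ip_to_sgt = {FINANCE_SERVER: SGT_FINANCE}  # static server mapping

    def authenticate(self, role, leased_ip, previous_ip=None):
        self.ip_to_sgt.pop(previous_ip, None)  # old lease no longer carries the tag
        self.ip_to_sgt[leased_ip] = ROLE_TO_SGT[role]


def sgt_decision(bindings, src_ip, dst_ip, default="deny"):
    """Look up both tags, then the matrix; unknown pairs get the default action."""
    src = bindings.ip_to_sgt.get(src_ip, SGT_UNKNOWN)
    dst = bindings.ip_to_sgt.get(dst_ip, SGT_UNKNOWN)
    return SGT_POLICY.get((src, dst), default)


def acl_decision(src_ip, dst_ip, default="deny"):
    """Classic first-match evaluation on source and destination address."""
    for action, src_net, dst_net in IP_ACL:
        if ip_address(src_ip) in src_net and ip_address(dst_ip) in dst_net:
            return action
    return default


def compare(role, ips):
    """Walk one user through successive DHCP leases; return (ip, acl, sgt) per lease."""
    bindings, previous, results = Bindings(), None, []
    for ip in ips:
        bindings.authenticate(role, ip, previous)
        results.append((ip, acl_decision(ip, FINANCE_SERVER),
                        sgt_decision(bindings, ip, FINANCE_SERVER)))
        previous = ip
    return results
```

Calling `compare("contractor", ["10.1.20.15", "10.1.40.77"])` shows the IP ACL flipping to permit on the second lease while the SGT decision stays deny, because the tag follows the authenticated identity rather than the address.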
Cisco StealthWatch (Secure Network Analytics) appears consistently in SCOR questions. StealthWatch collects NetFlow data from routers, switches, and firewalls to build behavioral baselines. When traffic patterns deviate — a workstation suddenly transferring 10GB externally at 2am — StealthWatch generates a security event. Key concepts tested:
- Flow Sensor: captures flow data from network devices
- Flow Collector: aggregates flow data centrally
- Management Console: analysis and alerting interface
- Integration with ISE for identity enrichment of flow data
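To make the baselining idea concrete, here is an added example (not from the original article, and not the algorithm Secure Network Analytics uses): it aggregates constructed flow records the way a collector would, learns each host's normal hourly upload volume, and flags the 2am transfer described above. The mean-plus-k-standard-deviations threshold, the 100 MB floor and the 10.0.0.0/8 internal range are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

MB, GB = 2**20, 2**30
INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's internal address space


def hourly_uploads(flows):
    """Sum bytes sent from internal hosts to external addresses per (host, day, hour)."""
    totals = defaultdict(int)
    for day, hour, src, dst, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            totals[(src, day, hour)] += nbytes
    return totals


def build_baseline(flows):
    """Per-host (mean, stdev) of hourly external upload volume over the history."""
    samples = defaultdict(list)
    for (src, _day, _hour), total in hourly_uploads(flows).items():
        samples[src].append(total)
    return {host: (mean(v), pstdev(v)) for host, v in samples.items()}


def detect(baseline, flows, k=3.0, floor=100 * MB):
    """Flag hours where a host uploads more than max(mean + k*stdev, floor).

    Hosts with no history fall back to the floor alone.
    """
    events = []
    for (src, day, hour), total in sorted(hourly_uploads(flows).items()):
        mu, sigma = baseline.get(src, (0, 0.0))
        threshold = max(mu + k * sigma, floor)
        if total > threshold:
            events.append({"host": src, "day": day, "hour": hour,
                           "bytes": total, "threshold": int(threshold)})
    return events


# Constructed flow records: (day, hour, src, dst, bytes). External addresses
# come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
HISTORY = [(d, h, "10.1.5.23", "203.0.113.10", mb * MB)
           for d, mb in enumerate([40, 50, 60, 50, 50], start=1)
           for h in (10, 14)]
TODAY = [
    (6, 10, "10.1.5.23", "203.0.113.10", 60 * MB),  # normal working-hours upload
    (6, 2, "10.1.5.23", "10.2.0.9", 20 * GB),       # internal transfer, not external
] + [(6, 2, "10.1.5.23", "198.51.100.7", 5 * GB // 2)] * 4  # 10 GB out at 02:00

if __name__ == "__main__":
    for event in detect(build_baseline(HISTORY), TODAY):
        print(event)
```

Only the 02:00 external transfer is reported; the larger internal copy in the same hour is ignored because the detection counts traffic leaving the internal range only.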
Concentration Exam Comparison: SVPN vs SISE vs SSFIPS
Choosing the right concentration is a career decision as much as a certification decision. The three most popular concentrations map to different job roles.
| Concentration | Code | Primary Audience | Hands-on Depth |
|---|---|---|---|
| SVPN | 300-730 | Network engineers managing VPN infrastructure | High — IPsec, DMVPN, FlexVPN configuration |
| SISE | 300-715 | Security engineers deploying NAC/identity | High — ISE policy configuration, AD integration |
| SSFIPS | 300-710 | Security engineers managing Firepower | High — FMC policy creation, IPS tuning |
| SNCF | 300-720 | Email security administrators | Moderate — ESA/cloud email configuration |
| SWSA | 300-725 | Web security administrators | Moderate — WSA policy, Cisco Umbrella |
| SASE | 300-740 | Cloud security architects | Conceptual + configuration mix |
SVPN (300-730) goes deep into VPN protocols that SCOR covers only at an overview level:
- DMVPN (Dynamic Multipoint VPN): hub-and-spoke topology where spokes can communicate directly. Phase 1 (through hub), Phase 2 (direct spoke-to-spoke)
- FlexVPN: IKEv2-based framework unifying site-to-site and remote access into one configuration model
- GET VPN (Group Encrypted Transport): group key management for MPLS networks where IP addresses shouldn't change
- AnyConnect features beyond basic SSL: DART (diagnostic tool), HOSTSCAN (posture assessment), DART bundle submission
SISE (300-715) is the most knowledge-intensive concentration because ISE policies integrate multiple systems:
- Active Directory integration for user identity lookups
- PKI integration for certificate-based authentication
- MDM/EMM integration for device compliance posture
- TrustSec SGT assignment and propagation
- Guest lifecycle management (portals, sponsor workflow)
- Profiling policies for device identification (IP phone vs laptop vs IoT sensor)
"SISE is the hardest concentration to study without access to an ISE instance. The configuration is non-obvious — the policy model of authentication rules feeding authorization profiles feeding authorization policies takes real hands-on time to internalize. DevNet sandboxes help, but budgeting for a 30-day INE subscription with ISE lab access is money well spent." — Jason Gooley, CCIE Security, author of Practical Cisco Identity Services Engine
SSFIPS (300-710) is the most configuration-focused:
- FMC access control policy structure (default action, security intelligence, SSL policy, identity policy, access control rules — in that order of evaluation)
- Snort 3.0 rule structure and custom rule creation
- FTD deployment modes: routed, transparent, inline, passive
- High availability: FTD HA with FMC management, Active/Standby failover
Cisco Security Products Tested Across SCOR and Concentrations
Candidates benefit from knowing which specific Cisco products appear and what each product does at a system level.
Products appearing on SCOR (core exam):
- Cisco Firepower Threat Defense (FTD): unified firewall/IPS image for Firepower hardware and ASA 5500-X hardware
- Firepower Management Center (FMC): centralized management appliance for FTD. On-premises or virtual.
- Cisco Identity Services Engine (ISE): NAC and policy engine — handles 802.1X, MAB, BYOD, SGT assignment
- Cisco Umbrella: DNS-layer security and CASB for cloud access
- Cisco Secure Endpoint (formerly AMP for Endpoints): EDR/EPP for malware detection on hosts
- Cisco Secure Network Analytics (formerly StealthWatch): NetFlow-based behavioral analytics
- Cisco SecureX: unified security operations platform integrating Cisco security products with shared telemetry
Products primarily tested on concentrations:
- Cisco Email Security Appliance (ESA): SNCF concentration — anti-spam, anti-malware, DLP for email
- Cisco Web Security Appliance (WSA): SWSA concentration — web proxy, URL filtering, malware scanning
- Cisco AnyConnect Secure Mobility Client: appears across SCOR and SVPN — VPN client software
- Cisco Duo: MFA platform, appears in SCOR and SISE contexts for multi-factor authentication
Preparation Resources Specific to CCNP Security
For SCOR (350-701):
- Omar Santos' CCNP Security SCOR 350-701 Official Cert Guide (Cisco Press, 2021) — covers all six domains with configuration examples
- CBT Nuggets SCOR course (Kevin Redmon): 30+ hours of video covering concepts and configuration
- Cisco DevNet Sandbox: free ISE, FMC, and Umbrella sandboxes at developer.cisco.com/site/sandbox
For SISE (300-715):
- Jason Gooley's Practical Cisco Identity Services Engine — product-level reference beyond exam scope but builds real understanding
- Cisco ISE Administration Guide (free on Cisco.com) — the authoritative reference for configuration details
- INE SISE course — one of the few resources with structured ISE lab exercises
For SSFIPS (300-710):
- Cisco FMC Configuration Guide (free on Cisco.com) — required reading for policy configuration details
- David Hucaby's Firepower content on CBT Nuggets
- DevNet FTD sandbox: allows FMC access for policy practice without hardware
Study time allocation:
- SCOR: 14-18 weeks from CCNA Security background, 18-24 weeks from general CCNA
- Any concentration: 8-12 weeks with relevant job experience, 12-16 weeks without
See also: CCNP Enterprise: how to prepare for the core and concentration exams, Cisco CyberOps Associate: entry-level security certification for SOC roles
References
- Cisco. CCNP Security — Certification Overview and Exam Topics. Cisco, 2024. https://learningnetwork.cisco.com/s/ccnp-security
- Cisco. Cisco Firepower Management Center Configuration Guide. Cisco Documentation, 2024. https://www.cisco.com/c/en/us/support/security/firepower-management-center/products-installation-and-configuration-guides-list.html
- Cisco. Cisco Identity Services Engine Administrator Guide. Cisco Documentation, 2024. https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-and-configuration-guides-list.html
- Redmon, Kevin. Cisco SCOR 350-701 — Implementing and Operating Cisco Security Core Technologies. CBT Nuggets, 2024. (Comprehensive SCOR video course)
- Boson Software. ExSim-Max for Cisco SCOR 350-701 Practice Exams. Boson, 2024. https://www.boson.com
- Santos, Omar. CCNP Security SCOR 350-701 Official Cert Guide. Cisco Press, 2021. ISBN: 978-0136634775. (Official Cisco Press exam reference for SCOR)
Frequently Asked Questions
Which CCNP Security concentration is most valuable for enterprise security engineers?
SISE (Cisco ISE) and SSFIPS (Cisco Firepower) are most applicable in enterprise environments. ISE is present in almost every enterprise doing 802.1X network access control. Firepower NGFW is Cisco's primary enterprise firewall. Both concentrations directly validate skills used in real enterprise security operations.
What does SCOR 350-701 cover that CCNA Security doesn't?
SCOR goes significantly deeper on cryptography (TLS handshake, PKI), Cisco-specific security products (Umbrella, ISE, Firepower, AMP), cloud security concepts, and endpoint protection. It also covers security architecture and design principles that CCNA Security doesn't address.
Do I need real Cisco ISE equipment to study for SISE?
No. Cisco DevNet provides free sandbox access to virtual ISE instances. INE and other training providers include pre-configured ISE lab environments in their subscriptions. The Cisco DevNet sandbox is free but time-limited — book specific lab sessions when you need them.
What is the difference between ASA and Firepower NGFW on SCOR?
ASA provides stateful firewall functionality. Firepower NGFW adds application visibility and control, intrusion prevention, SSL inspection, URL filtering, and file policy with malware detection. SCOR tests when each is appropriate and the architectural differences between them.
How long does CCNP Security preparation take?
SCOR requires 14-18 weeks for candidates with CCNA Security background. Each concentration adds 8-12 weeks. SSFIPS (Firepower) tends to take longer due to the configuration depth required. SISE requires significant time with actual ISE sandbox labs to develop the product-specific knowledge tested.
