CiscoProfessional Level2026 Updated

Cisco Certified Network Professional – Security

Updated May 1, 202612 min readWritten by Certsqill experts

Quick facts — CCNP Security

Exam cost

$400 USD (core) + $300 USD (concentration)

Questions

90–110 items (core)

Time limit

120 minutes (core)

Passing score

Variable by concentration

Valid for

3 years

Testing

Pearson VUE

Who this exam is for

The Cisco Certified Network Professional – Security certification is designed for professionals who work with or want to work with Cisco technologies in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The CCNP Security exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

Domain

Weight

Focus areas

Security Concepts

25%

Common security principles, cryptography concepts, public key infrastructure, VPN types, network security models, and software-defined security concepts.

Network Security

20%

Cisco IOS security hardening, Cisco Firepower NGFW deployment and policy configuration, IPS signatures and tuning, and network segmentation with VLANs and ACLs.

Securing the Cloud

17%

Cloud security posture, Cisco Umbrella DNS-layer security, cloud access security broker (CASB) concepts, and securing workloads in cloud environments.

Content Security

17%

Cisco Secure Email configuration, web proxy security with Cisco Secure Web Appliance, URL filtering, anti-spam, and email authentication (DMARC/DKIM/SPF).

Endpoint Protection & Detection

13%

Cisco Secure Endpoint (formerly AMP for Endpoints) deployment, EDR capabilities, malware detection techniques, and endpoint telemetry.

Secure Network Access, Identity & NAC

Cisco ISE architecture and deployment, 802.1X authentication, RADIUS/TACACS+ policies, TrustSec policy enforcement, and network access control.

Note the domain with the highest weight — many candidates under-invest here because it feels conceptual. In practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Cisco Firepower Policy Configuration

An administrator needs to block all outbound traffic to known malicious IP addresses using Cisco Firepower. Which policy component should be configured?

Know Cisco Firepower policy hierarchy: Access Control Policy → Security Intelligence (IP/URL/DNS blocking) → Intrusion Policy → File Policy. Security Intelligence blocks known bad IPs/URLs before ACP evaluation.

Cisco ISE Policy Sets

A company wants to enforce different network access policies for employees using corporate laptops vs. personal devices. Which Cisco ISE feature enables this differentiation?

Cisco ISE uses Policy Sets: each set contains Authentication Policy and Authorization Policy rules. Profiling identifies device type; posture assessment checks compliance state; authorization policies assign SGTs or dACLs.

TrustSec vs MACsec Distinction

Which Cisco technology provides hop-by-hop encryption of traffic between network devices within the campus network?

MACsec (IEEE 802.1AE) provides Layer 2 hop-by-hop encryption. TrustSec provides SGT-based policy enforcement (tagging + filtering) but does NOT encrypt traffic by itself. This distinction is a frequent exam trap.

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

Week 1: Security Concepts & Network Security

Review cryptographic fundamentals at a network engineer level: PKI, certificate types, VPN protocols (IKEv2, SSL)
Study Cisco Firepower NGFW: appliance models, deployment modes (routed, transparent, inline), and policy types
Practice Cisco IOS security hardening: control-plane policing, DHCP snooping, Dynamic ARP Inspection, and IP Source Guard
Complete 80 practice questions on Domains 1 & 2

Week 2: Cloud Security & Content Security

Study Cisco Umbrella: DNS-layer security, intelligent proxy, and roaming client deployment
Cover Cisco Secure Email: inbound/outbound mail policies, anti-spam engines, DMARC enforcement, and email encryption
Study Cisco Secure Web Appliance: HTTPS inspection, URL categories, application visibility, and proxy modes
Complete 80 practice questions on cloud and content security domains

Week 3: Endpoint Security & Cisco ISE

Study Cisco Secure Endpoint: connector deployment, exclusion policies, outbreak control, and retrospective security
Master Cisco ISE: policy sets, authentication policies (802.1X, MAB, WebAuth), and authorization profiles
Study TrustSec: SGT assignment, SGACL policy, MACsec vs TrustSec distinction, and SXP protocol
Complete 100 practice questions on Domains 5 & 6

Week 4: Concentration Exam & Final Review

Select and study your concentration exam: SVPN (VPN), SNCF (Firepower), SISE (ISE), or SESA (Email Security)
Complete 2 full mock exams for the SCOR core exam under timed conditions
Review all Cisco product naming changes: AMP → Secure Endpoint, Stealthwatch → Secure Network Analytics
Focus on Cisco-specific terminology — exam answers often hinge on correct Cisco product feature names

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Confusing TrustSec with MACsec

TrustSec is a Cisco framework for SGT-based policy enforcement — it tags traffic but does not encrypt it natively. MACsec is IEEE 802.1AE and provides actual Layer 2 hop-by-hop encryption. These are used together but are distinct technologies.

Mixing up Cisco Umbrella and Cisco Secure Email capabilities

Umbrella operates at the DNS and web layer to block threats before connection. Secure Email protects the email channel specifically. Some candidates confuse URL filtering between the two products — Umbrella filters all web traffic, Secure Email filters email-borne URLs.

Weak on Cisco ISE policy sets and authorization profiles

Cisco ISE is deeply tested on CCNP Security. Know the difference between Authentication Policy (who are you?), Authorization Policy (what can you access?), and the role of profiling, posture, and SGT assignment in policy outcomes.

Not studying the chosen concentration exam

CCNP Security requires one core exam (SCOR) plus one concentration. Many candidates over-prepare for core and underprepare for their chosen concentration. Budget equal time for both — the concentration can be harder than the core.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.

Ready to start practicing?

720 CCNP Security questions. AI tutor. 5 mock exams. 7-day free trial.