NDG Online Courses and Labs
Partner Logo

CCNA Cybersecurity Operations

Gain the skills needed to monitor, detect and respond to cybersecurity threats with hands-on labs.

  •    39.95 USD
  •   Six Month Access

Lab Details

The CCNA Cyber Ops curriculum prepares you for opportunities in security operation centers as an analyst or incident responder. The hands-on labs focus on the skills needed to monitor, detect and respond to cybersecurity threats. Topics include cryptography, host-based security analysis, security monitoring, computer forensics, attack methods and incident reporting and handling.

The NDG CCNA Cyber Ops Lab Service was developed by the Network Development Group (NDG) to take advantage of the improved flexibility and course management capabilities in the Cisco Networking Academy® learning environment. These labs are hosted by NDG and are being offered as supplementary learning material for the CCNA Cyber Ops course in the Cisco Networking Academy for Instructor-Led Training (ILT).

How to Enroll

The CCNA Cyber Ops course and labs are available as exclusively from Cisco Networking Academy as an instructor-led course for a fee. Access and enrollment is provided through the Cisco Networking Academy.

Module List

Chapter 2: Windows Operating System Lab - Identify Running Processes

In this lab, you will explore processes. Processes are programs or applications in execution. You will explore the processes using Process Explorer in the Windows Sysinternals Suite. You will also start and observer a new process. Lab - Exploring Processes, Threads, Handles, and Windows Registry

In this lab, you will explore the processes using Process Explorer in the Windows Sysinternals Suite. You will also explore threads and handles. A thread is a unit of execution in a process. A handle is an abstract reference to memory blocks or objects managed by an operating system. You will use Process Explorer in Windows SysInternals Suite to explore the threads and handles. Lastly, you will explore Windows Registry, a hierarchical database that stores most of the operating systems and desktop environment configuration settings. Lab - Create User Accounts

In this lab you will create and modify user accounts in Windows. Lab - Using Windows PowerShell

Powershell is a powerful automation tool. It is both a command console and a scripting language. In this lab, you will use the console to execute some of the commands that are available in both the command prompt and PowerShell. Lab - Windows Task Manager

In this lab you will explore Task Manager and manage processes from within Task Manager. The Task Manager is a system monitor that provides information about the processes and programs running on a computer. It also allows the termination of processes and programs and modification of process priority. Lab - Monitor and Manage System Resources in Windows

In this lab, you will use administrative tools to monitor and manager Windows system resources

Chapter 3: Linux Operating System Lab - Working with Text Files in the CLI

Before you can work with text files in Linux, you must get familiar with text editors. Text editors are one of the oldest categories of applications created for computers, Linux has many different text editors with various features and functions. Lab - Getting Familiar with the Linux Shell

The shell is the term used to refer to the command interpreter in Linux. Also known as the Terminal, Command Line, and Command Prompt, the shell is a very powerful way to interact with a Linux computer. Lab - Linux Servers

Servers are essentially programs written to provide specific information upon request. Clients, which are also programs, reach out to the server, place the request and wait for server response. Many different client-server communication technologies can be used, with the most common being IP networks. This lab focuses on IP network-based servers and clients. Lab - Locating Log Files

Log files are files used by computers to log events. Software programs, background processes, services, or transactions between services, including the operating system itself, may generate such events. Log files are dependent on the application that generates them. Log files are dependent on the application that generates them. It is up to the application developer to conform to log file convention. Software documentation should include information on its log files. Lab - Navigating the Linux Filesystem and Permission Settings

The Linux filesystem is on of its most popular features. While Linux supports many different types of filesystems, this lab focuses on the ext family, one of the most common filesystems found on Linux.

Chapter 4: Network Protocols and Services Lab - Tracing a Route

The traceroute (or tracert) tool is often used for network troubleshooting. By showing a list of routers traversed, it allows the user to identify the path taken to reach a particular destination on the network or across internetworks. Each router represents a point where one network connects to another network and through which the data packet was forwarded. The number of routers is known as the number of "hops" the data traveled from source to destination. Lab - Introduction to Wireshark

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications. Lab - Using Wireshark to Examine Ethernet Frames

When learning about Layer 2 concepts, it is helpful to analyze frame header information. In the first part of this lab, you will review the fields contained in an Ethernet II frame. In Part 2, you will use Wireshark to capture and analyze Ethernet II frame header fields for local and remote traffic. Lab - Using Wireshark to Observe the TCP 3-Way Handshake

In this lab, you will use Wireshark to capture and examine packets generated between the PC browser using the HyperText Transfer Protocol (HTTP) and a web server, such as www.google.com. Lab - Exploring Nmap

Port scanning is usually part of a reconnaissance attack. There are a variety of port scanning methods that can be used. We will explore how to use the Nmap utility. Nmap is a powerful network utility that is used for network discovery and security auditing. Lab - Using Wireshark to Examine a UDP DNS Capture

When you use the Internet, you use the Domain Name System (DNS). DNS is a distributed network of servers that translates user-friendly domain names like www.google.com to an IP address. In this lab, you will communicate with a DNS server by sending a DNS query using the UDP transport protocol. You will use Wireshark to examine the DNS query and response exchanges with the same server. Lab - Using Wireshark to Examine TCP and UDP Captures

Two protocols in the TCP/IP transport layer are TCP and UDP. In Part 1 of this lab, you will use the Wireshark open source tool to capture and analyze TCP protocol header fields for FTP file transfers between the host computer and an anonymous FTP server. In Part 2 of this lab, you will use Wireshark to capture and analyze UDP header fields for TFTP file transfers between two Mininet host computers. Lab - Using Wireshark to Examine HTTP and HTTPS

HyperText Transfer Protocol (HTTP) is an application layer protocol that presents data via a web browser. With HTTP, there is no safeguard for the exchanged data between two communicating devices. With HTTPS, encryption is used via a mathematical algorithm. This algorithm hides the true meaning of the data that is being exchanged. In this lab, you will explore HTTP and HTTPS traffic using Wireshark.

Chapter 7: Network Attacks Lab - What is Going On?

For a hacker to establish a connection to a remote computer, a port must be listening on that device. This may be due to infection by malware, or vulnerability in a legitimate piece of software. A utility, such as TCPView, can be used to detect open ports, monitor them in real-time, and close active ports and processes using them. Lab - Exploring DNS Traffic

Wireshark is an open source packet capture and analysis tool. Wireshark gives a detailed breakdown of the network protocol stack. Wireshark allows you to filter traffic for network troubleshooting, investigate security issues, and analyze network protocols. Because Wireshark allows you to view the packet details, it can be used as a reconnaissance tool for an attacker. In this lab, use Wireshark to filter for DNS packets and view the details of both DNS query and response packets. Lab - Attacking a mySQL Database

SQL injection attacks allow malicious hackers to type SQL statements in a web site and receive a response from the database. This allows attackers to tamper with current data in the database, spoof identities, and other miscellaneous mischief. A PCAP file has been created for you to view a previous attack against a SQL database. In this lab, you will view the SQL database attacks and answer the questions. Lab - Reading Server Logs

Log files are an important tool for troubleshooting and monitoring. Different applications generate different log files; each one containing its own set of fields and information. While the field structure may change between log files, the tools used to read them are mostly the same. In this lab, you will learn about common tools used to read log file and practice using them.

Chapter 9: Cryptography and the Public Key Infrastructure Lab - Creating Codes

There are several encryption algorithms that can be used to encrypt and decrypt messages. Virtual Private Networks (VPNs) are commonly used to automate the encryption and decryption process. Lab - Encrypting and Decrypting Data Using OpenSSL

OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. In this lab, you will use OpenSSL to encrypt and decrypt text messages. Lab - Encrypting and Decrypting Data using a Hacker Tool

In this lab, you will configure a router to accept SSH connectivity and use Wireshark to capture and view Telnet and SSH sessions. This will demonstrate the importance of encryption with SSH. Lab - Examining Telnet and SSH in Wireshark

In this lab, you will configure a router to accept SSH connectivity and use Wireshark to capture and view Telnet and SSH sessions. This will demonstrate the importance of encryption with SSH. Lab - Hashing Things Out

Hash functions are mathematical algorithms designed to take data as input and generate a fixed-size, unique string of characters, also known as the hash. Designed to be fast, hash functions are very hard to reverse; it is very hard to recover the data that created any given hash, based on the hash alone. Another important property of hash functions is that even the smallest change done to the input data yields a completely different hash.

While OpenSSL can be used to generate and compare hashes, other tools are available. Some of these tools are also included in this lab. Lab - Certificate Authority Stores

As the web evolved, so did the need for security. HTTPS (where the ‘S’ stands for security) along with the concept of a Certificate Authority was introduced by Netscape back in 1994 and is still used today. In this lab, you will list all the certificates trusted by your browser and use hashes to detect possible man-in-the-middle attacks.

Chapter 12: Intrusion Data Analysis Lab - Snort and Firewall Rules

In a secure production network, network alerts are generated by various types of devices such as security appliances, firewalls, IPS devices, routers, switches, servers, and more. The problem is that not all alerts are created equally. For example, alerts generated by a server and alerts generated by a firewall will be different and vary in content and format. Lab - Convert Data into a Universal Format

Log entries are generated by network devices, operating systems, applications, and various types of programmable devices. A file containing a time-sequenced stream of log entries is called a log file. The terminology used in the log entries often varies from source to source. It is often desirable to have a consistent and uniform terminology in logs generated by different sources.

The term normalization refers to the process of converting parts of a message, in this case a log entry, to a common format. In this lab, you will use command line tools to manually normalize log entries. In Part 2, the timestamp field will be normalized. In Part 3, Security Onion logs will be prepared. Lab - Regular Expression Tutorial

A regular expression (regex) is a pattern of symbols that describes data to be matched in a query or other operation. Regular expressions are constructed similarly to arithmetic expressions, by using various operators to combine smaller expressions. There are two major standards of regular expression, POSIX and Perl. In this lab, you will use an online tutorial to explore regular expressions. You will also describe the information that matches given regular expressions. Lab - Extract an Executable from a PCAP

Looking at logs is very important but it is also important to understand how network transactions happen at the packet level. In this lab, you will analyze the traffic in a previously captured pcap file and extract an executable from the file. Lab - Interpret HTTP and DNS Data to Isolate Threat Actor

MySQL is a popular database used by numerous web applications. Unfortunately, SQL injection is a common web hacking technique. It is a code injection technique where an attacker executes malicious SQL statements to control a web application's database server. Domain name servers (DNS) are directories of domain names, and they translate the domain names into IP addresses. This service can be used to exfiltrate data.

In this lab, you will perform an SQL injection to access the SQL database on the server. You will also use the DNS service to facilitate data exfiltration. Lab - Isolated Compromised Host Using 5-Tuple

The 5-tuple is used by IT administrators to identify requirements for creating an operational and secure network environment. The components of the 5-tuple include a source IP address and port number, destination IP address and port number, and the protocol in use.

In this lab, you will exploit a vulnerable server using known exploits. You will also review the logs to determine the compromised hosts and file.


Today's organizations are challenged with rapidly detecting cybersecurity breaches and effectively responding to security incidents. Teams of people in Security Operations Centers (SOCs) keep a vigilant eye on security systems, protecting their organizations by detecting and responding to cybersecurity threats. CCNA Cyber Ops prepares candidates to begin a career working with associate-level cybersecurity analysts within SOCs.

In addition, the United States Department of Defense (DoD) has approved Cisco CCNA Cyber Ops Certification for inclusion in the DoD 8570.01-M for the CCSP Analyst and CCSP Incident Responder categories.

CCNA Cyber Ops Certification

Instructor Information

CCNA Cyber Ops course is available exclusively through Cisco Networking Academy as an instructor-led course. The optional NDG Lab Service can be enabled via the Cisco Networking Academy LMS. Once enabled, learners will see additional lab activities in the CCNA Cyber Ops course table of contents. Clicking on lab activities will launch the NDG Lab Service directly from the Cisco LMS. When a learner launches a lab for the first time, they will be presented with payment options and create and NDG account for lab support.
Demo Content

Join the Cisco Networking Academy

Learn more about CCNA Cybersecurity Operations

FAQ - Creating courses and adding learners

The CCNA Cyber Ops Labs are also available with NETLAB+.

Teaching Options