Choosing a Cisco CyberOps Professional Concentration Exam: CBRFIR vs CBRTHD

The Cisco CyberOps Professional certification requires two exams: the core exam and one of two concentration exams. Of course you'll have to take the core exam (CBRCOR) of course. But choosing which CyberOps Professional concentration exam will require some research on your part.

Either the CBRFIR or the CBRTHD will cover your concentration requirements. But therein lies the rub: which of the two should you take? The following tips can help you choose a concentration exam depending on your experience and your interest levels in each.

First let’s go over the CyberOps Professional certification itself.

What is the Cisco CyberOps Professional?

The CyberOps Professional is an advanced-level IT security certification provided by Cisco. People who earn this cert generally fall within the following job roles: cybersecurity engineer, cybersecurity investigator, incident manager, incident responder, and SOC analyst. The cert is valid for three years.

Earning CyberOps Professional certification consists of the CBRCOR exam and one of two concentration exams. Candidates can take either the CBRFIR or the CBRTHD. 

RELATED: How to Earn Cisco CyberOps Professional Status

The Difference Between the CBRFIR and CBRTHD

The CBRFIR focuses on the knowledge required to identify and respond to cybersecurity threats, vulnerabilities, and incidents. The CBRTHD gauges your ability to assess and apply threat modeling techniques. In plain language, the difference between the CBRFIR and the CBRTHD are as follows:

• CBRFIR — Focus on forensic analysis and incident response

• CBRTHD — Focus on threat hunting and defense

Let’s go over a couple tips to decide which one is right for you.

Tip 1: Determine Which Exam Best Speaks to Your Experience

If you are earning CyberOps Professional certification, then you presumably have a fair amount of IT security experience under your belt. Either exam will already be challenging enough without having to navigate even more uncharted waters than required.

Take a good look at the 300-215 CBRFIR and 300-220 CBRTHD exams and determine which of the two you are most likely to pass. Most IT professionals taking this exam will have at least five years of experience to draw from — these are not exams a novice should attempt. 

While this may seem obvious, often people gravitate toward which exam seems more prestigious or interesting. We will stop short of saying neither of these matters. But considering the time you’ll put into studying and the cost, choosing the exam you are most likely to pass is a smarter bet. 

Tip 2: Study Both Exam Blueprints 

There is no harm and reviewing the exam blueprints and study guides for both exams before making a decision. As with the previous tip, play to your strengths. The more you learn about each exam, the more confident you will be about which of the two to take. I recommend studying each one for about a week. Then regroup and decide which of the two is ultimately right for you. Choose whichever of the two gives you the most confidence.

Both the CBRFIR and the CBRTHD have some overlap, so it won’t be a waste of time to look over both of them. 

Tip 3: Break Down Each Domain of the Exams

A third tip to help you decide is to take an analytic approach to the decision. The following is a list of the domains for the CBRFIR:

• Fundamentals (20%)

• Forensic Techniques (20%)

• Incident Response Techniques (30%)

• Forensics Processes (15%)

• Incident Response Processes (15%)

Next, these are the domains for the CBRTHD:

• Threat Hunting Fundamentals (20%)

• Threat Modeling Techniques (10%)

• Threat Actor Attribution Techniques (20%)

• Threat Hunting Techniques (20%)

• Threat Hunting Processes (20%)

• Threat Hunting Outcomes (10%)

Review each bullet point line by line. Put a number between 1 and 5 to the right of each domain (with 5 being the most confident). Add up the number and divide it by the number of domains to get an average confidence level for each one. This will help you decide overall which exam to take.

Here’s a simple example. If you put a 5 by each domain in the CBRTHD, you would have an average score of 5. If you put a 5 for each domain in the CBRFIR, except one in which you rated your confidence at a 4, then the average is 4.8. Therefore, according to the confidence vote, you should take the CBRTHD. 

Before putting it to a confidence vote, however, I recommend studying each domain. This will give you a more knowledgeable representation of your confidence level.

Final Thoughts

One thing to take into consideration is that the CBRTHD has slightly more domains, which means you may need a broader skillset. However, with the CBRFIR, you need a slightly deeper skillset of each domain since there are only five.

Think about each exam heuristically, decide which of the two you are most likely to pass and go with that one. Good luck!