The new Cisco CCIE Security exam content has improved the logical structure of the topics and is more aligned with Cisco’s security solutions portfolio and security job roles in the market. The new written and lab exams v5.0 will be available for testing from January 31, 2017.

Cisco updated CCIE Security written and lab exams to version 5.0, aligning the topics with its current security solutions portfolio. The new version also utilizes the new modular and unified exam topics format, including the assessment of evolving technologies, which was introduced with the CCIE Data Center certification version 2.0.

The new CCIE Security exam curriculum comprises six domains:

  1. Perimeter Security and Intrusion Prevention
  2. Advanced Threat Protection and Content Security
  3. Secure Connectivity and Segmentation
  4. Identity Management , Information Exchange and Access
  5. Infrastructure Security, Virtualization, and Automation
  6. Evolving Technologies (written exam only)

The new segmentation into these six domains was done to improve the logical structure of the topics and to align them with Cisco’s security solutions portfolio.

The last day to take the written exam 350-018 using its corresponding v4.0 exam topics is July 24, 2016. As of July 25, 2016, the written exam 350-018 using the v4.1 exam topics that includes Evolving Technologies domain will be available. The last day to test using lab exam v4.0 is January 30, 2017.

What's new in CCIE Security version 5.0?

The v5.0 exam introduces the latest technologies and solutions, such as NGIPS, AMP, APIC-EM, and information exchange, to keep the new unified exam topics relevant to the cutting-edge customer-based production deployment.

Compared with v4.0, the study domains were also renamed, reshuffled, and combined to focus more on technologies than on hardware and to create a logical structure that reflects the actual security solutions deployment.

CCIE Security Exam Changes

Topics removed in v4.0

Topics added in v5.0

  • Legacy IPS Appliance
  • Easy VPN


  • Advanced Threat Protection
  • Virtualization
  • Automation
  • Information Exchange
  • Evolving Technologies


Hardware and software changes between v4.0 and v5.0.

v4.0 Hardware and Software

v5.0 Hardware and Software


  • Routers
    • ISR 3825: 15.1(3)T3
    • ISR 1841: 15-2.T1
    • ISR 2951-G2: 15.1(3)T3
  • Catalyst Switches
    • 3560-E: 122-55.SE5
    • 3750-X: 150-1.SE2
  • ASAs
    • 5512-X: 8.6(1)
    • 5510: 8.4(3),8.2(5)
  • IPS
    • 4240: 7.0(7)E4
  • WSA
    • S170: 7.1.3-021
  • WLC
    • 2504:
  • AP
    • 1242G: 124-25e

Virtual Machines

  • ISE: 1.1.1
  • ACS: 5.3
  • Test PC: Windows 7
  • AD: Windows Server 2008


Virtual Machines

  • Security Appliances
    • Cisco Identity Services Engine (ISE): 2.1.0
    • Cisco Secure Access Control System (ACS):
    • Cisco Web Security Appliance (WSA): 9.2.0
    • Cisco Email Security Appliance (ESA): 9.7.1
    • Cisco Wireless Controller (WLC): 8.0.133
    • Cisco Firepower Management Center Virtual Appliance: 6.0.1 and/or 6.1
    • Cisco Firepower NGIPSv: 6.0.1
    • Cisco Firepower Threat Defense: 6.0.1
  • Core Devices
    • IOSv L2: 15.2
    • IOSv L3: 15.5(2)T
    • Cisco CSR 1000V Series Cloud Services Router: 3.16.02.S
    • Cisco Adaptive Security Virtual Appliance (ASAv): 9.6.1
  • Others
    • Test PC: Microsoft Windows 7
    • Active Directory: Microsoft Windows Server 2008
    • Cisco Application Policy Infrastructure Controller Enterprise Module : 1.2
    • Cisco Unified Communications Manager: 8.6.(1)
    • FireAMP Private Cloud
    • AnyConnect 4.2

Physical Devices

  • Cisco Catalyst Switch: C3850-12S 16.2.1
  • Cisco Adaptive Security Appliance: 5512-X: 9.6.1
  • Cisco 2504 Wireless Controller: 2504:
  • Cisco Aironet: 1602E: 15.3.3-JC
  • Cisco Unified IP Phone: 7965: 9.2(3)


About the new CCIE Security v5.0 Exam

The CCIE Security version 5.0 exam unifies written and lab exam topics into a unique curriculum, while explicitly disclosing which domains pertain to which exam, and the relative weight of each domain.

CCIE Security Written Exam

The Cisco CCIE Security Written Exam (400-251) version 5.0 is a two-hour test with 90–110 questions that validate professionals who have the expertise to describe, design, implement, operate, and troubleshoot complex security technologies and solutions. Candidates must understand the requirements of network security, how different components interoperate, and translate it into the device configurations. The exam is closed book and no outside reference materials are allowed.

In comparison with the previous version, the v5.0 exam will include a new educational approach ensuring that Expert-level candidates demonstrate knowledge and skills with evolving technologies such as network programmability, cloud, and the Internet of Things. The intent is to ensure that certified experts are well equipped to participate in meaningful discussions with business leaders about these new technical areas that greatly influence businesses globally.

CCIE Security Lab Exam

The Cisco CCIE Security Lab Exam version 5.0 is an eight-hour, hands-on exam that requires a candidate to plan, design, implement, operate, and troubleshoot complex security scenarios for a given specification. Knowledge of troubleshooting is an important skill and candidates are expected to diagnose and solve issues as part of the CCIE lab exam.

The web-based delivery infrastructure supporting the v5.0 lab exam is very similar to v4.0. The format of the lab exam itself, however, has changed significantly. The v5.0 lab exam now comprises three modules:

  1. Troubleshooting Module: The Troubleshooting module delivers incidents that are independent of each other, meaning that the resolution of one incident does not depend on the resolution of another. The topology that is used in the Troubleshooting module is different from the topology that is used in the Configuration module.
  2. Diagnostic Module: The new Diagnostic module is one hour long, and its main objective is to assess the skills required to properly diagnose network issues without having device access.
  3. Configuration Module: The Configuration module provides a setup very similar to an actual production network. It includes security components providing various layers of security at various points in the network. Though the major part of the module is based on virtual instances of Cisco security appliances, the candidate may be asked to work with the physical devices as well.

The modules in the lab exam are delivered in a fixed sequence: the Troubleshooting module, followed by the Diagnostic module, and lastly, the Configuration module. 

More information

For more information about the new CCIE Security exam, visit the official Cisco CCIE Security website or contact our team.

‹ back