ISC2 CC Certification Guide 2026: Exam Domains, Cost, and What It’s Worth

Jeff Porch Training Camp

When I designed our first Security+ program back in the early 2000s, the question students asked most often wasn’t about CISSP or CCNA. It was simpler than that. They wanted to know which cert would prove to a hiring manager that they understood cybersecurity well enough to be trusted with a real job. For most of the last fifteen years, the honest answer was Security+. That’s still true for a lot of candidates. But in 2026, there’s another option that gets brought up in almost every advising call I sit in on, and that’s the ISC2 Certified in Cybersecurity, usually shortened to CC.

The CC is interesting to me as an instructional designer because of what it represents. ISC2, the same organization behind CISSP, built an entry-level cert from scratch and then gave away over a million free exam vouchers to grow the cybersecurity workforce. That program is wrapping up in May 2026, which changes the math for new candidates. The cert itself isn’t going anywhere though. If anything, the way it’s positioned in the hiring funnel is becoming more important, not less. This article walks through what’s actually on the CC exam, how it differs from what most students assume going in, and how to study for it the right way the first time.

The CC exam isn’t a watered-down CISSP. It’s a different kind of test for a different kind of candidate, and treating it like a mini CISSP is the fastest way to fail it.


What Is the ISC2 Certified in Cybersecurity (CC) Certification?

The ISC2 Certified in Cybersecurity (CC) is an entry-level certification that proves a candidate understands the foundational concepts a junior security professional uses on the job. It was created by ISC2 in 2022 to address a specific problem in the hiring pipeline. There were millions of people interested in cybersecurity careers but no widely accepted credential they could earn before having industry experience. CC fills that slot. No prior work experience is required. The minimum age is 16. The exam is the same regardless of whether you came from IT, finance, retail, or a career change after years in another field.

What makes the CC unusual is its origin. ISC2 launched it with a program called One Million Certified in Cybersecurity, offering free training and free exam vouchers to one million people worldwide. That program exceeded its goal. ISC2 reports that over 65,000 people earned the CC through the free pathway, and 65 percent of CC holders surveyed are currently working in cybersecurity roles with another 22 percent in IT positions. The free public enrollment period closes on May 20, 2026, though existing voucher holders have until December 31, 2026 to sit the exam.

After the free program closes, the CC continues as a paid exam in the standard ISC2 catalog. The exam fee is $199 in major markets, plus a $50 annual maintenance fee once you’re certified. ISC2 has signaled that the CC is the foundational cert in its long-term portfolio, sitting below SSCP, CCSP, CGRC, and CISSP. That position matters when you’re thinking about long-term career paths. The CC creates a clean track upward into more advanced ISC2 credentials, and ISC2 members report 35 percent higher salaries than non-members across the industry.


What Are the Five ISC2 CC Exam Domains?

The CC exam covers five domains drawn directly from junior-level cybersecurity job tasks. The current exam outline took effect October 1, 2025, and ISC2 has announced a refreshed outline effective September 1, 2026. The domain structure below reflects the current outline. If you’re testing after September 1, 2026, pull the updated outline from the ISC2 site before you start studying.

📋 ISC2 CC Domain Breakdown
SECURITY PRINCIPLES (26%)

The largest domain. Covers confidentiality, integrity, availability, authentication, non-repudiation, privacy, basic risk management, the ISC2 Code of Ethics, governance documents like policies and standards, and the relationship between regulations and security controls. The vocabulary here shows up in every other domain.

NETWORK SECURITY (24%)

The second largest domain. Covers OSI and TCP/IP basics, common ports and protocols, network attacks, threat actors and their motivations, common defenses like firewalls and IDS/IPS, segmentation, VLANs, VPNs, and cloud network security concepts. Beginners with no networking background struggle here most.

ACCESS CONTROLS (22%)

Physical and logical access controls. Discretionary, mandatory, role-based, and rule-based access control models. Identification, authentication, authorization, and accounting (the AAA model). Privileged access, least privilege, segregation of duties. Heavy on terminology.

SECURITY OPERATIONS (18%)

Day-to-day SOC work. Data handling, logging and monitoring, encryption at rest and in transit, configuration management, patching, security awareness training, and the basics of how a security operations center runs. This domain maps closest to what a Tier 1 SOC analyst actually does.

BC, DR & IR (10%)

The smallest domain by weight. Business continuity, disaster recovery, and incident response concepts. Recovery objectives (RPO, RTO), the phases of an incident response process, playbooks, lessons learned, and resilience planning. Short on weight, but easy points if you study the terminology.

If you’ve taught this material as long as I have, one thing jumps out. The weights tell you where to spend your study time, but they also tell you what ISC2 thinks an entry-level practitioner actually needs to know. Half the exam is Security Principles and Network Security combined. That ratio is intentional. The other domains test important concepts, but they sit on top of the foundation those two domains build.


How Does the ISC2 CC Exam Format Work?

The CC uses Computerized Adaptive Testing, often called CAT. You get 100 to 125 questions over a 2 hour window. Passing requires a scaled score of 700 out of 1000. The adaptive engine adjusts question difficulty based on your performance, so two candidates sitting the same exam won’t see the same questions. Once you’ve answered a question, you cannot go back to it. That last detail catches new candidates off guard more than anything else in the test format.

From a curriculum design standpoint, CAT scoring rewards consistent answering more than perfect answering. The test isn’t trying to count how many you got right against a fixed answer key. It’s trying to find your knowledge ceiling. If you’re guessing badly on early questions, you’ll see easier questions and the system will conclude you’re at the lower end of the scale. If you answer the early questions with confidence, the system will probe higher, and your score climbs with each correct answer at the harder tier. The implication for study is that nailing the fundamentals matters more than memorizing edge cases.

A note about exam length. CAT exams end either when the system has enough data to confidently score you or when you hit the question maximum. Some candidates pass at 100 questions and the test ends. Others get the full 125. Neither outcome tells you whether you passed. ISC2 doesn’t release your scaled score immediately for a pass result. You’ll know within minutes whether you passed, but the actual numeric score is confidential.


What Will the ISC2 CC Cost After the Free Program Ends?

The CC exam fee is $199 in standard ISC2 regions after the free program closes. That’s lower than Security+ at $404 and well below most paid entry-level security certifications on the market. Add the $50 annual maintenance fee once you certify, and the first-year all-in cost is around $249 if you self-study. Most candidates also pick up an official ISC2 textbook ($40 to $60) or practice exam access from a third party provider ($30 to $80). A solo, self-paced candidate can realistically certify for under $350 total.

Boot camps and structured training programs run higher because they include instructor-led delivery, lab time, and exam preparation built around the current outline. A boot camp makes sense for candidates who need accountability or who don’t have a strong self-study background. For students transitioning from non-technical careers, having an instructor walk through Network Security concepts is often the difference between passing on the first attempt and burning through retakes. Retakes cost the full exam fee each time, so the calculus on training tends to favor structured delivery for newer candidates.

One financial detail worth knowing. ISC2 caps exam attempts at four per twelve-month period. After a failed attempt, there’s a thirty day wait before you can retest the first time, sixty days after a second failure, and ninety days after a third. Plan your study window with the assumption you’ll pass on the first attempt, but build a small budget buffer for one retake just in case.


Who Should Actually Pursue the ISC2 CC?

In my advising calls, three groups consistently get the most value from the CC. The first is career changers coming from non-technical fields. Healthcare professionals, finance staff, teachers, retail managers. People with strong work histories who need a credible cybersecurity credential on a resume that otherwise wouldn’t get past an applicant tracking system. The CC tells a hiring manager this person took the field seriously enough to pass an exam from the same body that issues CISSP. That signal carries weight even when the candidate has zero direct security experience.

Then there’s the college student bucket, particularly seniors finishing IT, computer science, or cybersecurity programs. CC alongside a degree creates a clean entry point into SOC analyst, security analyst, and junior compliance roles. Sitting the CC before graduation puts a candidate ahead of classmates who graduate with the degree alone. Recruiters at the entry level read certs as proof of self-direction, and CC reads as the right kind of proof. For more on what those entry roles actually look like day-to-day, our piece on what a SOC analyst does all day walks through the work in detail.

The last group worth singling out is IT professionals making a sideways move into security. Help desk staff, junior sysadmins, network engineers without a security focus. These candidates already have the technical foundation. The CC formalizes what they’ve absorbed on the job and gives them a credential that hiring managers in security teams recognize. For this group, the CC is usually a fast win, somewhere in the 30 to 60 hour range because the network and operations material isn’t new.

Who should skip it? If you’re already holding CompTIA Security+ or above, the CC probably doesn’t gain you much. The CC sits below Security+ in technical depth, and if your resume already shows a higher cert from the same career stage, adding CC reads as backwards. Same goes for candidates targeting penetration testing or red team roles. Those tracks need PenTest+ or technical hands-on credentials, and the CC is too theoretical for what hiring managers in offensive security are looking for. Our getting started in cybersecurity guide covers how the entry-level certs map to different career tracks if you’re still picking your direction.


How Should You Study for the ISC2 CC Exam?

Most candidates need 40 to 80 hours of study time. Career changers with no IT background should plan closer to 80, sometimes 100 hours. Candidates with networking or IT experience can often pass in 30 to 40. The number that matters more than total hours is consistency. Two hours a day for six weeks beats twenty hours one weekend and then nothing for a month. ISC2’s adaptive course is built around spaced repetition, and that approach works better in short daily sessions.

I’ve watched a lot of students prep for ISC2 exams, and the ones who pass on the first attempt usually follow a similar pattern. They start with the official ISC2 exam outline, not a third party study guide. The outline tells you exactly what’s testable. Anything outside it isn’t on the exam. Then they read through the official ISC2 textbook or course material once, slowly, taking notes by hand. Hand-written notes force you to summarize in your own words, which builds the kind of understanding that survives test-day pressure.

Practice questions come after a content pass, not during it. Doing practice questions before you’ve learned the material teaches you to recognize correct answers without understanding why they’re correct. That doesn’t work on the actual exam because CAT will push you into harder questions where the wrong answers look almost identical to right ones. Practice should be diagnostic, identifying which domains are weak so you can go back and re-read those sections.

One concept that trips up almost every CC candidate is the ISC2 way of thinking. ISC2 exam questions test the ISC2 perspective on security, not how a specific organization happens to handle things. A question about access control will have an answer that aligns with ISC2 doctrine, which may not match how your current employer does things. When you’re choosing between two answers that both seem reasonable, pick the one that matches the textbook. This mental shift takes practice. It’s one of the main reasons strong technical candidates sometimes fail the CC on their first attempt.

A studying habit that works: Build a one-page summary sheet for each domain as you finish it. Just key terms, definitions in your own words, and a few example scenarios. Five domains, five summary sheets. The week before the exam, your entire review is reading those five sheets each morning. Anything you can’t explain from the sheet alone gets a flag and goes back into deeper study.


ISC2 CC vs CompTIA Security+: Which Should You Get First?

This is the most common question I get from career changers. Both certs target entry-level cybersecurity, but they’re built for different purposes. The CC leans heavily on conceptual knowledge in vendor-neutral terms, with most of the test asking whether you can think through a security problem the way ISC2 wants you to think through it. Security+ goes further into hands-on territory. It includes performance-based questions where you configure or troubleshoot something in a simulated environment, and it carries DoD 8140 baseline status for federal and military security roles. If your career goal includes any government contracting or military-adjacent work, Security+ is required and CC is optional.

For pure private-sector entry-level work, both certs are recognized. Security+ has broader name recognition with hiring managers because it’s been around longer and has been the de facto entry cert for over a decade. CC is newer but rising fast, especially at organizations already invested in ISC2 credentials at the senior level. Hiring managers who came up through CISSP tend to recognize the CC instantly. The ones who came up through CompTIA may need a sentence or two of explanation on the resume.

My honest take after years of advising candidates. Pick the cert that aligns with your target employer. Look at job postings in your area and see which one shows up in the requirements list. That’s your answer. When neither shows up consistently, default to Security+ because of the DoD recognition and broader employer familiarity. Candidates who can do both should sit CC first. It costs less and builds the conceptual foundation that makes Security+ study easier. For a deeper look at the value of CompTIA’s option specifically, see our Security+ in 2026 analysis.


What Jobs Can You Get With the ISC2 CC?

The CC opens doors to entry-level positions that pay between $55,000 and $80,000 annually in the US based on 2025 LinkedIn and Glassdoor data. Common job titles include SOC Analyst (Tier 1), IT Security Analyst, Cybersecurity Analyst (junior level), Compliance Analyst, GRC Analyst, IT Auditor (associate), and Help Desk with security responsibilities. The CC by itself won’t land senior or specialty roles. Those require Security+, SSCP, or higher credentials plus experience.

The CC is particularly strong for GRC (governance, risk, and compliance) roles. The exam content emphasizes policies, controls, regulations, and risk management, which maps directly to compliance analyst job descriptions. Financial services, healthcare, and government contractors hire heavily into GRC, and the CC reads well on a resume for those positions. If your interest leans toward audit and compliance rather than hands-on technical security, the CC is arguably a better foundation than Security+ for that track specifically.

The other career angle worth mentioning is that the CC keeps your ISC2 path open. Down the road, when you’ve built three to five years of relevant experience, you become eligible for SSCP, CGRC, or CISSP. ISC2 lets CPE credits and study work compound across credentials, and starting with CC creates a clean record with the certifying body. For long-term cybersecurity professionals, that membership history has real value at the senior career stage.

🎯 Where the ISC2 CC Fits in Your Career

The CC is a legitimate, well-designed entry credential from a respected body. It validates foundational knowledge for junior security and GRC roles and starts an ISC2 membership history that compounds value as you progress toward SSCP and CISSP later in your career. The CC isn’t a shortcut to high-paying security work, and it doesn’t replace Security+ for DoD-aligned careers. For candidates entering cybersecurity from non-technical backgrounds, students about to graduate, and IT professionals making a sideways move into security, the CC earns its place on the resume. Treat the exam the way you’d treat any ISC2 test. Study the outline. Learn the ISC2 way of thinking. Don’t go in expecting CISSP-style scenarios, and don’t dismiss the CC as a watered-down version of something harder. It’s its own thing, and it does what it’s built to do.


Frequently Asked Questions About the ISC2 CC

Is the ISC2 CC still free in 2026?

New enrollments in the free One Million Certified in Cybersecurity program close on May 20, 2026. Candidates who already received a free exam voucher before that date have until December 31, 2026 to sit the exam. After the program closes, the CC exam costs $199 plus a $50 annual maintenance fee. The cert itself continues as part of the standard ISC2 catalog.

What is the passing score for the ISC2 CC exam?

The passing score is 700 out of 1000 on a scaled scoring system. The exam uses Computerized Adaptive Testing, so two candidates won’t see the same questions. ISC2 doesn’t release the numeric score for a passing result to candidates, but you’ll know within minutes of finishing whether you passed.

Do I need work experience to take the ISC2 CC?

No. The CC has no work experience requirement, which is what makes it useful for career changers and students. The only requirements are being at least 16 years old and agreeing to the ISC2 Code of Ethics. This is one of the few cybersecurity certifications you can earn before you have any industry experience.

How long should I study for the ISC2 CC?

Most candidates need 40 to 80 hours of study time spread over 4 to 8 weeks. Career changers from non-technical backgrounds should plan closer to 80 hours. Candidates with existing IT experience often pass with 30 to 40 hours. Consistency matters more than total hours, with daily short sessions outperforming weekend cram sessions.

Is the ISC2 CC better than CompTIA Security+?

Neither is strictly better. The CC is conceptual and vendor-neutral with a focus on security principles and GRC content. Security+ includes performance-based questions and is required for DoD 8140 baseline roles in government and military work. If you’re targeting federal positions, Security+ is mandatory. For private sector entry roles, both work, and the right choice depends on which one your target employers list in job postings.

How long is the ISC2 CC certification valid?

The CC is valid for three years from the date of certification. To maintain it, you’ll need to earn 45 Continuing Professional Education (CPE) credits during the three-year cycle and pay the $50 annual maintenance fee. CPEs can come from training, conferences, articles, webinars, and volunteer work with ISC2 chapters.

What jobs can I get with just the ISC2 CC?

The CC qualifies you for entry-level roles like SOC Analyst Tier 1, IT Security Analyst, Compliance Analyst, GRC Analyst, and Help Desk with security responsibilities. US salaries for these positions typically range from $55,000 to $80,000 at the entry level. The CC by itself won’t land senior or specialty roles, which require Security+, SSCP, or higher credentials plus experience.

Jeff Porch

VP of Educational Services | Training Camp

Jeff Porch is the VP of Educational Services and Operations at Training Camp, where he leads the company's educational initiatives with a focus on accelerated learning and student success. Beyond overseeing curriculum development, Jeff serves as the lead course designer for Training Camp's CompTIA Security+ program, one of their most popular offerings. He is deeply involved in the instructional side of the business — developing certification courses, training instructors, and ensuring that complex IT concepts are delivered in ways that maximize retention and minimize time-to-certification.