How I Failed My First Cybersecurity Certification

I used to think the ISC2 CC was just a “lightweight” theory-based certification. Three days of revision should have been enough.
While struggling with some CTF challenges, I started to feel a bit burned out. I scrolled through LinkedIn and saw people constantly sharing about certifications in the industry—prestigious ones like OSCP, CISSP, or more entry-level options such as CCNA or eJPT (often considered a lighter version of OSCP).
I really wanted to challenge myself with those certifications, but I was afraid of failing and wasting money.
So the question was: is there any certification with similar pressure but zero cost?
After some research, I came across a very reputable certification from ISC2. Just hearing the name ISC2 already signals credibility—it’s the organization behind legendary certifications like CISSP and SSCP, and is considered one of the world’s leading non-profit associations for information security professionals.
And the certification I’m talking about is Certified in Cybersecurity, abbreviated as CC.
1. What Is the ISC2 CC Certification?
If you search Google with questions like “What certifications should I get for entry-level cybersecurity?” or “How do I get into cybersecurity?”, chances are this certification will show up.
The ISC2 CC is designed for beginners entering the cybersecurity field. At first, I thought it mainly covered basic theory. Honestly, I felt it was not that different from taking a driving license test—just memorize the theory, understand some basic concepts, and you’d be fine.
That was… until I failed 😇.
ISC2 CC doesn’t ask you to hack a server. Instead, it tests whether you understand how security operates within an organization.
Anyone can study for and take this exam for free through the “One Million Certified in Cybersecurity” program on the ISC2 website. The registration process is straightforward: just book a suitable exam date and show up.
Exam Domains Overview
To prepare for this certification, you need to master the following five domains:
Domain 1: Security Principles
Covers fundamental principles such as the CIA triad, ethical codes, and core security concepts.
Domain 2: Incident Response, Business Continuity, and Disaster Recovery Concepts
Focuses on planning and responding to security incidents, ensuring organizations can recover and continue operating normally.
Domain 3: Access Control Concepts
Covers access control models like MAC, DAC, LAC, and RBAC.
In my opinion, this is both one of the easiest and most annoying domains—easy to confuse, hard to classify, and it appears very frequently in exam questions.
Domain 4: Network Security
Includes cloud service models such as SaaS and PaaS, network architectures, and common ports and services like HTTP, SNMP, FTP, etc.
Domain 5: Security Operations
Introduces basic cryptography (hashing, symmetric and asymmetric encryption), password policies, logging, monitoring, and more.
This is only a high-level summary. There’s a lot more content that I haven’t listed here.
In my opinion, knowledge accounts for only about 60% of passing this exam. The remaining 40% is all about mindset. This certification leans much more toward management and governance rather than pure technical skills—and that’s exactly why I failed.
2. How I Failed the ISC2 CC Exam
To be honest, I only had a little over three days to prepare for this exam. I assumed that since it was theory-based, studying the materials and doing a few practice tests would be enough.
It wasn’t.
Here’s my exam result:

To pass, you need at least 70/100. Although ISC2 doesn’t provide an exact score, based on the score report, I estimate I got around 600–650, just a few dozen points short of passing 😭.
Study Materials I Used
Before the exam, I:
Studied the official theory materials on the ISC2 website
Completed the mock tests provided there
Watched a YouTube series solving 200 practice questions
I also found several excellent resources that I didn’t have time to go through:
The exam experience itself was quite smooth—no technical issues at all. For those in Ho Chi Minh City, the exam is conducted at VNPro Informatics Center.
3. Lessons Learned & Exam Tips
After sitting in the exam room for two hours, I realized that the questions were very tricky in wording. Often, a single question would have two or three options that all seemed correct. If you don’t study carefully and fully grasp the ISC2 mindset, you’ll feel like every answer is right.
To do well, you must truly understand the context of each question. When you choose an answer, you should challenge yourself:
Why is this option correct?
What are its pros and cons?
Is it really the best choice?
Most questions are framed as “best in this case”, which means it’s not about choosing a correct answer—it’s about choosing the most correct one.
To achieve that, you need to put yourself in the shoes of a manager, not a hacker. And for someone who comes from a pure CTF background like me, that’s not easy at all.
If I were to prepare again, this would be my plan:
Week 1: Study the theory thoroughly
Next 2 weeks: Do mock tests from multiple sources
For every wrong question, revisit the theory
Make sure you never make the same mistake again
Once you can consistently score 80+/100 on practice exams that closely resemble the real one, you’re probably ready.
As for me, I don’t think I’ll spend another $50 to retake the exam.
That’s my entire preparation journey, along with the lessons I learned from my very first certification exam. It was a free exam, but it gave me a real taste of what an international certification feels like.
If you’re a beginner—why not give it a try?
If you’ve taken the ISC2 CC or any other cybersecurity certification, I’d love to hear about your experience in the comments.
Wishing everyone who plans to take this exam the best of luck—and hopefully you won’t repeat the same mistakes I did.
Best wishes!