CCSP - Failed TWICE. I'm done.
Hey peeps.
Failed the CCSP yesterday on my second attempt with a 681 (700 required to pass).
My first attempt scored a ~618.
I took the exam the first time after completing my Master's Degree in Information Assurance with a focus on cloud security and using the ISC2 Official CCSP Study Guide by Ben Malisow. The official study guide is worse than useless. If I had completely memorized every single page of the study guide, I would only know about 20% of the material presented on the test.
After the first failure, I began a hardcore study program that included the following:
- CCSP All-in-One Exam Guide by Daniel Carter w/ 300 Study Questions (AWESOME BOOK! Best study guide period).
- Cloud Security Alliance Guide (https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf)
- Secloud Guru Practice Exams (https://www.secloud.guru)
- ISC Study App for iPhone
Maybe 5% of the test questions I used appeared on the actual exam in some form. So, the practice questions will create a very false sense of confidence.
THE EXAM:
As others have noted, it is a poor quality test. Many questions are constructed with poor grammar (obviously from someone for whom English is not a first language). There are probably 10 questions or so written specifically to confuse or deceive you with the wording. There were MANY questions on REST and SOAP APIs that were more detailed than ANY of the information about REST and SOAP in the study materials. You will either need to be an application developer and intimately know how to use these APIs or use a separate programming resource to study how they work and why. There are matchy-match questions about which security standards/laws go with which country (easy if you memorize - but be sure to memorize ALL of them). There were two sets of questions (about 4-5 each) based on a detailed real-world scenario and how to accomplish a specific goal in the MOST secure manner. I have no idea how I did on these because either every option seemed right or none of them did. The study material spends a LOT of time on which storage types go with which platform, but the questions on the test on these topics are all asked in ways the material doesn't prepare you for (i.e. don't expect to be able to match volume and object storage with IaaS). If you are a security professional active in the field, I would say you are at the greatest disadvantage for this exam - because you may know a right way to do something but the test question is looking for the answer based on the CCSP CBK, not the "real world."
I have $1500 in test and materials now and I will NOT be attempting it a third time. There would be no satisfaction for me to pass the test on a third attempt, and if I failed it a third time I would probably drive into oncoming traffic.
I have a number of colleagues who have passed the exam after taking the ISC week-long bootcamp class with the exam at the end. I assume the ISC instructor basically gives you the info for the test questions they know will be on the test since it's their exam. If your goal is to get the cert to check a box or get the credential, I would recommend doing the bootcamp. These forums are full of stories of very competent security pros who didn't pass this exam the first time around, so you're likely looking at $1200 to take it twice anyway. Might as well go all the way on the bootcamp cost and feed the ISC money machine.
Comments
In regards to the bootcamp, I'll be curious which one they took, because the official ISC2 one that 6 of my coworkers took was a rehash of the training guide provided in the class, and the instructor provided zero inside knowledge that would be of benefit for passing.
https://www.youtube.com/watch?v=5fsm-QbN9r8
Almost as if (ISC)2 envies EC-Council's poor products and processes and decided to go down to the same level of quality or should I say inferiority with their most recent and hyped offering.
It also throws me off from putting enough efforts into preparations. If I don't respect the exam I tend not to perform well and vice versa, even for particularly hard exams I prepare very thoroughly and pass them with high scores if I respect them a lot. Not the case with CCSP because of that.
And why would I respect it, if (ISC)2 doesn't seem to respect it enough to proofread and offers us a half-baked product?
Nah - certainly not verbatim. In the case of the CISSP, the sample questions on practice exams much more closely resemble the form and complexity of the actual test questions. I found the sample questions in the study books and on the websites to be nothing like the actual test.
Do you have suggestions for prepping for the SOAP and REST content? Or did you already have this knowledge from experience as a developer?
I'm cool with that - I just need to know WHAT material to study.
and yes the test is ****.
CompTIA Linux+ | Bachelor's Degree
Security Operations-Below Proficiency
Communications & Network Security-Below Proficiency
Asset Security-Near Proficiency
Security Engineering-Near Proficiency
Identity and Access Management-Near Proficiency
Security Assessment and Testing-Near Proficiency
Security and Risk Management- Above Proficiency
Software Development Security-Above Proficiency.
This book comes with some practice questions and practice exams that I also utilized. Much like your experience, the questions on the exam were nothing like the questions on the practice tests.
It was a very challenging exam and I wasn't sure if I had passed it until I read the printout. You may want to consider getting the book I referenced and giving it another shot.
Congrats, can you share more details about your material (probably in another thread) ?
If you have not, suggest you pass CISSP first as CCSP builds on it. There is a different mindset to cloud security. In typical on prem environments, a CISSP has control over almost everything. In a cloud environment, a lot of on prem security controls are not applicable, new controls are needed, you share resources with others, forensics is difficult and cross border jurisdictions come into play.
FWIW, my primary study guide was CCSP AIO, with CBK and ENISA guides as reference. But I do have experience deploying to AWS and used to develop and manage web sites for large customers.
Failed CCNA 2x "combination exam", then decided to split the exam in two then passed. So it took me 4 attempts to pass CCNA!!!!!
Failed LFCS 3x and passed on the 4th
Failed CCIE DC written 1x. I was not even ready and moved to a security role, so I did not pursue it any further. I only took it to see where I was at.
Failed CISSP 3x , passed on the 4th.
Failed eCPPT Pentester Exam 2x and passed on 3rd attempt
Taking OSCP Oct 2nd, and I would not be shocked if I failed it. But I have plans on taking it every month until I pass, and I don't care if it takes another 4-6 months of retaking it.
You need to learn how to use your failures in life in order to get ahead and move forward. Stop seeing everyone's achievements, start seeing their journey.
Good luck!
2023 Cert Goals: SC-100, eCPTX
B.S. Geography - Business Minor
MicroMasters - CyberSecurity
Professional Certificate - IT Project Management
Extracted from the official ISC2 Forum:
For the CCSP and HCISPP:
- If you don’t pass the exam the first time, you can retest after 90 days.
- If you don’t pass a second time, you can retest after an additional 90 days.
- If you don’t pass a third time, you can retest after 180 days from your most recent exam attempt
I am sure that this applies for the 4th as well. I am really hoping to schedule my exam near the end of the month, judging by how I get through the practice questions. I've pretty much read through all the guides above, but it's only a matter of understanding/synthesizing the info that I've read over the last while. It is definitely a tough one; just trying to clear this exam before the end of the year. Last score I got was about 685 or so.
Cheers,
D
Achieved (27): Certified Associate in Python Programming, Microsoft Certified: Azure Fundamentals, PenTest+, Project+, CySA+, Flutter Certified Application Developer, OCP Java EE 7 Application Developer, CCSP, OCP Java SE 11 Developer, CISSP, Linux+/LPIC-1, CCSKv4, OCE Java EE 6 JPA Developer, CSSLP, Server+, Cloud+, Arcitura Certified Cloud Professional, CASP+, Mobility+, Storage+, Android Certified Application Developer, OCP Java SE 8 Programmer, Security+, OCM Java SE 6 Developer, B.S. and M.S. in Computer Science
After all the fumbling around during the sign-in process, I finally sat down and got to my first question. The very first question was a question not in the study material. I thought, maybe this is the first of the 25 non-testable questions, but the 2nd came, 3rd, 4th, and more and more, and I realized this test was going to have other aspects, like actual dev experience. However, there is a gap there. I can be an InfoSec Officer and not necessarily know all the aspects of developing an app for a cloud environment. This test almost expects you to know more about apps than InfoSec, cloud infrastructures, and regulations. There were waaaay more questions about dev than they explain to you in the training material. I didn't even get asked about STRIDE, ISO 20017, 18, CSA, NIST and other cloud-specific areas one would expect in a cloud cert test. Maybe one here and there. About 50% of my questions were app related. Not sure how it works, if I just got a shuffle of the test with more app/dev related questions, but it felt very off. I felt like I had studied for the wrong test.
Now, I am not saying they cheated me on this. But I studied official materials pretty thoroughly. The questions were poorly written. When you study and use support guides like Sybex and Cybrary, they emphasize how the questions mean something specific, or not at all, depending on the wording. But some of the wording was so vague it felt like more than one were answers, and even choosing the BEST answer became rather difficult, especially in areas not in the study material.
I utilized all my time, down to the very last seconds, to cross-check answers, and in the end, I did not pass.
Now again, I don't necessarily feel cheated, I did learn a lot, but I feel a bit misdirected by the study material vs what the test actually is.
One side of me is telling me " I need to study harder and dive into other aspects" but another is bugging me about the misdirect. I almost feel like they wanted me to fail on my first time so I can have a "moment of clarity" about what else I need to know, and so I can cough up $600 for a retake. I can't help but feel that way.
Am I going to give up? Hell naw. I owe this to myself. While the CCSK is a lot easier and cheaper to get, ISC2 CCSP is always mentioned as the top cloud cert. Plus we're moving more and more into a cloud space in InfoSec. So I am not quitting; I got this far. But the way the test was structured was pretty disheartening.
CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
You were just 19 points away on the 2nd attempt. I know you can do it!!!
Goals: CCNP Enterprise(ENCOR + ENARSI), AWS CSA - Associate, Azure AZ-104, Become better at python, learn docker and kubernetes
Degree: A.S. Network Administration
Pursuing: B.S. in I.T. Web and Mobile Development Concentration
CCSK is nowhere near comparable if you ask me. The open book format, as well as the fact that a lot of answers can be easily found, made it an easy (and not so valuable) exam.
The CCSP on the other hand forces you to apply concepts in scenarios and really tests your semi-technical and management knowledge.