ISC2 CC pass rate: what ISC2 publishes and what to use instead
By the RoleMath Editorial Team · Last updated 2026-07-05. Every figure traces to a cited source; we sell none of the options discussed. Draft pending human review.
The honest ISC2 CC pass-rate answer is not a percentage. ISC2 publishes useful Certified in Cybersecurity facts: the official exam outline, current effective date, an upcoming September 1, 2026 outline change, CAT format, 2-hour length, 100-125 items, item type, passing grade, domain weights, Pearson VUE delivery, entry-level positioning, no-work-experience-required access, and AI-security concepts inside the outline. ISC2 does not publish a public CC candidate pass-rate percentage in the reviewed source text. For planning, the better evidence is the official exam outline, role task context, employer-language samples, AI-aware security workflow context, and a readiness plan that tests security vocabulary and basic triage rather than a rumored pass-rate number.
Key takeaways
- ISC2 publishes CC exam-outline facts and a 700-out-of-1000 passing grade, not a public candidate pass-rate percentage.
- The current outline is effective October 1, 2025, and ISC2 says a new CC exam outline takes effect September 1, 2026.
- The source-backed planning facts are CAT delivery, 2 hours, 100-125 items, multiple-choice and advanced item types, Pearson VUE testing, 199 USD exam-fee context, and no work experience required.
- The study map is Security Principles 26%, BC/DR/Incident Response Concepts 10%, Access Controls Concepts 22%, Network Security 24%, and Security Operations 18%.
- Employer-language samples can guide labs and vocabulary, but they are not representative demand, market share, salary, placement, or certification ROI evidence.
- AI is now part of CC study context, but AI usage data is descriptive workflow context, not proof that CC changes employment demand or guarantees opportunity.
The short answer: ISC2 gives a passing grade, not a pass rate
Do not plan CC from a pass-rate percentage unless the source shows a transparent dataset with candidate population, denominator, exam version, attempt type, and date range. RoleMath does not have that evidence. The official evidence says something narrower: ISC2 publishes a passing grade of 700 out of 1000 points, plus exam format and domain facts. That is not the same thing as the share of candidates who pass.
This distinction matters because CC is entry-level. Public pages can make the number sound high because the credential is beginner-friendly, or low because the page is selling prep. Neither framing is useful unless the number has a real denominator and a primary source.
Official-source status
The official ISC2 CC outline was live checked on 2026-07-05. It lists an effective date of October 1, 2025 and includes a notice that the CC exam will be based on a new outline effective September 1, 2026. That makes timing important: if you are scheduling near that change, confirm which outline applies before you buy training or schedule the exam.
The same official outline supports the exam facts this page uses: CAT delivery, 2-hour length, 100-125 items, multiple-choice and advanced item types, passing grade of 700 out of 1000 points, language availability, Pearson VUE testing center, and five domain weights. The pass-rate ledger records what the outline does not publish: a public candidate pass-rate percentage.
What ISC2 publishes for CC
| CC fact | Current RoleMath treatment | Planning use |
|---|---|---|
| Credential | CC - Certified in Cybersecurity | Confirms the entry cybersecurity credential. |
| Experience posture | No work experience required | Access context, not a readiness guarantee. |
| Exam code | CC | Confirms the exam identity used in RoleMath seed rows. |
| Exam format | CAT, 100-125 items, multiple choice and advanced item types | Practice pacing and format context, not pass-rate evidence. |
| Length | 2 hours | Time-management context. |
| Passing grade | 700 out of 1000 points | A passing-grade rule, not the share of candidates who pass. |
| Domain weights | Five weighted domains | Study coverage map. |
| Cost | 199 USD exam-fee row | Budget context, not ROI. Confirm before purchase. |
| Outline change | New outline effective September 1, 2026 | Prep materials should match your exam date. |
That is enough to build a useful readiness plan. It is not enough to publish a candidate pass-rate percentage, salary claim, ROI claim, placement claim, or job guarantee.
Use the domain weights as the study map
The official domain weights are more useful than a pass-rate rumor because they show where the exam spends attention. Security Principles is 26 percent, Network Security is 24 percent, Access Controls Concepts is 22 percent, Security Operations is 18 percent, and Business Continuity, Disaster Recovery and Incident Response Concepts is 10 percent.
That map says CC is broad. It is not a deep SOC analyst lab exam, but it is also not only vocabulary. You need the security triad, risk and controls, identity and access concepts, networking basics, common threats, security infrastructure, incident response ideas, data handling, hardening, monitoring, and policy awareness. If your study plan ignores networking or access control, the domain weights show the gap.
Why CC pass-rate folklore is weak evidence
A usable CC pass-rate source would identify the data owner, exam version, candidate population, time window, attempt type, retake handling, and denominator. It would also distinguish an official passing grade from a population statistic. Without that, a single percentage can be more misleading than helpful.
CC is especially vulnerable to weak numbers because it is beginner-friendly and popular with career changers. A page can claim most people pass because the exam is entry-level. Another page can claim many fail because the reader is supposed to buy prep. RoleMath is not quoting those numbers here because unsupported repetition makes weak evidence look stronger.
What CC is actually trying to signal
CC is a foundational cybersecurity signal. ISC2 positions it for newcomers, career changers, students, recent graduates, and people entering cybersecurity without direct IT experience. The official page says no work experience is required, which makes the credential accessible. That does not mean the exam is automatic or that the credential creates a job outcome.
The strongest CC use case is specific: you need a structured way to prove that core cybersecurity concepts are no longer abstract. You can explain security principles, access controls, network-security basics, incident response and continuity concepts, security operations, and the security implications of AI systems. That is a credible starting point. It is weaker if you expect it to replace hands-on troubleshooting, networking practice, scripting, ticket work, or SOC tool exposure.
Use role evidence instead of pass-rate folklore
For cybersecurity role context, RoleMath maps Cybersecurity Analyst and SOC Analyst to Information Security Analysts. O*NET task context includes planning security measures, monitoring virus reports, using encryption and firewalls, performing risk assessments, modifying access status, reviewing security-procedure violations, documenting security procedures, regulating access, and promoting security awareness.
For entry movement, support and networking still matter. Help Desk Technician and IT Support Specialist map to Computer User Support Specialists, where ONET tasks include diagnosing problems, answering user questions, setting up equipment, installing or repairing hardware or software, and maintaining support records. Network Administrator maps to Network and Computer Systems Administrators, where ONET tasks include maintaining networks, backups and recovery, diagnosing network problems, monitoring systems, and implementing network security.
Those task families give CC a practical role bridge. The credential can organize basic security concepts, but the evidence a reader should build is still concrete: ticket notes, access-control examples, incident-response summaries, network diagrams, vulnerability notes, monitoring screenshots, and documented remediation practice.
BLS context: useful, but not a CC outcome
The BLS data is occupation context, not certification-outcome evidence. RoleMath's current packets use May 2025 national OEWS data: Information Security Analysts at 190,650 employment and a 129,180 USD median annual wage, Computer User Support Specialists at 717,190 employment and a 61,860 USD median annual wage, and Network and Computer Systems Administrators at 314,340 employment and a 99,130 USD median annual wage.
The outlook context is also occupation-level. RoleMath's current packets show Information Security Analysts at 28.5 percent projected employment change for 2024-2034 with 16 thousand annual openings, Computer User Support Specialists at -3.7 percent with 40.8 thousand annual openings, and Network and Computer Systems Administrators at -4.2 percent with 14.3 thousand annual openings.
None of those numbers means CC pays those salaries or creates those openings. They help readers understand the role families around the credential and decide whether CC is a starting point, a support-to-security bridge, or too introductory for their target.
Employer-language evidence: what postings emphasize
RoleMath's employer-language pilot is qualitative and not representative demand. Current summaries show Cybersecurity Analyst with 59 matched postings and recurring terms such as cybersecurity, NIST, CISSP, SIEM, incident response, threat intelligence, FedRAMP, Python, AWS, Azure, vulnerability management, Splunk, EDR, and CrowdStrike. SOC Analyst has 77 matched postings with cybersecurity, SIEM, incident response, EDR, threat intelligence, threat hunting, Splunk, Python, AWS, Azure, CrowdStrike, PowerShell, Linux, and problem solving.
The adjacent routes are just as useful for beginners. Help Desk Technician has 74 matched postings with troubleshooting, Windows, ServiceNow, Active Directory, macOS, VPN, Jira, DNS, cybersecurity, customer support, TCP/IP, and Cisco. Network Administrator has 94 matched postings with BGP, Cisco, troubleshooting, OSPF, network security, DNS, TCP/IP, Python, firewall, Azure, VPN, AWS, and Ansible.
Use those samples as vocabulary and lab direction. Do not use posting counts as market size, demand share, salary, placement, or ROI. The useful signal is that CC vocabulary needs to connect to SIEM, incident response, access control, networking, identity, troubleshooting, and documentation evidence.
How AI changes CC study and entry security work
AI belongs in the CC discussion for two reasons. First, ISC2's own outline now integrates AI security concepts across all five domains. The outline describes themes such as protecting AI assets, recognizing automated threats, governance and risk for AI systems, model poisoning and data integrity, automated detection, AI service-account access, AI-powered monitoring, segmentation for AI environments, SIEM alert fatigue, and data leakage from public AI tools.
Second, AI changes how beginners study and work. It can explain a control, turn an incident scenario into a checklist, draft a security-awareness note, summarize a network threat, or quiz you on access-control terms. It can also hallucinate policy, recommend unsafe remediation, misread logs, or normalize copying sensitive data into public tools.
RoleMath's current AI usage seed cites Anthropic's 2026 Economic Index. For May 2026, Information Security Analysts show 23.90 percent augmentation-labeled and 76.10 percent automation-labeled Claude conversations. Computer User Support Specialists show 34.38 percent augmentation and 65.62 percent automation. Network and Computer Systems Administrators show 31.90 percent augmentation and 68.10 percent automation. That is descriptive usage data, not a job-loss forecast, demand measure, or CC value claim.
A readiness plan that beats pass-rate guessing
Use a readiness plan tied to the official outline and role evidence. Step 1: confirm whether your exam date uses the October 1, 2025 outline or the September 1, 2026 outline. Step 2: copy the five domain weights into a checklist and give extra attention to Security Principles, Network Security, and Access Controls. Step 3: build short notes for CIA, risk, controls, authentication, MFA, least privilege, business continuity, incident response, network threats, segmentation, logging, monitoring, data handling, hardening, and security awareness. Step 4: create small artifacts: an access-control example, an incident triage checklist, a network-threat summary, a password-policy critique, and a data-leakage warning for public AI tools. Step 5: use AI to quiz you and generate scenarios, but verify definitions, policies, and technical recommendations against primary sources. Step 6: compare your artifacts against SOC, cybersecurity analyst, support, and network administrator employer language before scheduling.
That sequence gives you a better decision than a pass-rate number. It turns CC into a readiness and role-fit question instead of a bet on an unsupported statistic.
Bottom line: CC is a foundation decision, not a pass-rate bet
The bottom line is simple: ISC2 publishes CC exam-outline facts and a passing grade, not a public candidate pass-rate percentage. Do not choose or avoid CC because a page gives you an unsupported percentage.
Choose CC when you want a structured, entry-friendly cybersecurity foundation and can pair it with evidence: security vocabulary, network basics, access-control examples, incident-response notes, monitoring concepts, and AI-risk awareness. Do not treat it as a cybersecurity job guarantee, salary claim, ROI claim, or substitute for hands-on troubleshooting and security practice. RoleMath keeps this page draft/noindex until human source review clears the claim framing and presentation for launch.
Frequently asked questions
Does ISC2 publish a CC pass rate?
RoleMath does not have a sourceable public ISC2 CC candidate pass-rate percentage. ISC2 publishes exam outline, format, domain weights, and passing-grade facts, not the share of candidates who pass.
Is the CC passing grade the same thing as a pass rate?
No. A passing grade is the score standard a candidate must meet. A pass rate is the share of candidates who pass. ISC2 publishing 700 out of 1000 points does not tell you what percentage of candidates pass.
What CC facts are source-backed here?
The current sources support entry-level positioning, no work experience required, CAT delivery, 2-hour length, 100-125 items, multiple-choice and advanced item types, 700 out of 1000 passing grade, Pearson VUE testing, five domain weights, a September 1, 2026 outline change, and a 199 USD exam-fee row.
Is ISC2 CC hard?
CC is foundational, but not automatic. The best evidence is the official outline: security principles, incident response and continuity concepts, access control, network security, security operations, and AI-security themes. Difficulty depends on your background and preparation, not a public pass-rate rumor.
Does CC guarantee a cybersecurity job or salary?
No. BLS wage and outlook figures are occupation-level context for mapped role families, not CC salary, ROI, placement, or job-guarantee evidence.
How should I use AI while preparing for CC?
Use AI to quiz you, generate security scenarios, and review your notes, but verify definitions, policies, commands, and remediation advice against official sources. Do not paste sensitive data into public AI tools.
Related, with the cited detail
- ISC2 CC certification overview
- Free ways to study for ISC2 CC
- ISC2 CC total cost
- Is ISC2 CC hard?
- Is ISC2 CC worth it?
- Are certification pass rates real?
- Which cybersecurity certification first?
- Help desk to cybersecurity
- Cybersecurity Analyst role
- SOC Analyst role
- What employers ask for
- RoleMath planner
Sources
Figures in this article are cited to the sources named in the Citation Ledger below and on each linked cited page. This page stays draft_noindex pending human citation review.
Citation Ledger
| ID | Supports | Evidence | Source |
|---|---|---|---|
| CIT-01 | ISC2 publishes CC exam-outline facts and a passing grade, not a public candidate pass-rate percentage. | The CC exam outline was live checked on 2026-07-05. It lists the October 1, 2025 effective date, an upcoming September 1, 2026 outline change, CAT delivery, 2-hour length, 100-125 items, multiple-choice and advanced item types, passing grade of 700 out of 1000, Pearson VUE testing center, and domain weights; no candidate pass-rate percentage was found in reviewed page text. | https://www.isc2.org/certifications/cc/cc-certification-exam-outline |
| CIT-02 | The official CC page positions CC as entry-level and no-work-experience-required, but that is not a job guarantee. | The official ISC2 CC page says CC is entry-level cybersecurity, proves foundational knowledge for an entry or junior-level role, and requires no work experience. RoleMath treats this as access and positioning context, not salary, placement, or demand evidence. | https://www.isc2.org/certifications/cc |
| CIT-03 | CC domain weights should guide study planning more than pass-rate folklore. | The official CC outline lists Security Principles 26%, Business Continuity, Disaster Recovery and Incident Response Concepts 10%, Access Controls Concepts 22%, Network Security 24%, and Security Operations 18%. | https://www.isc2.org/certifications/cc/cc-certification-exam-outline |
| CIT-04 | The CC outline now includes AI security concepts, so AI impact belongs in the study discussion. | The official CC outline says foundational AI concepts are integrated across all five domains and describes AI-security themes such as AI assets, automated threats, governance, data integrity/model poisoning, AI-assisted detection, AI service-account access, AI-powered monitoring, segmentation, SIEM alert fatigue, and data leakage from public AI tools. | https://www.isc2.org/certifications/cc/cc-certification-exam-outline |
| CIT-05 | CC cost should be treated as cited exam-fee context, not ROI or salary evidence. | RoleMath's CC cost seed records 199 USD for the CC exam from the official ISC2 exam-pricing page, retrieved 2026-07-01. Training, retakes, annual maintenance fees, membership or candidate fees, taxes, vouchers, reschedule, and cancellation fees are not included in that single exam-fee row. | https://www.isc2.org/register-for-exam/isc2-exam-pricing |
| CIT-06 | Cybersecurity analyst role evidence should be occupation context, not CC outcome evidence. | O*NET's Information Security Analysts profile supports task context such as planning security measures, monitoring virus reports, using encryption and firewalls, performing risk assessments, modifying access status, reviewing security-procedure violations, documenting security procedures, regulating access, and promoting security awareness. | https://www.onetonline.org/link/summary/15-1212.00 |
| CIT-07 | Support work can be a feeder route into cybersecurity, but CC does not guarantee support employment. | O*NET's Computer User Support Specialists profile supports task context such as overseeing computer systems, setting up equipment, reading technical manuals, diagnosing problems, answering user questions, installing or repairing equipment, entering commands, and maintaining support records. | https://www.onetonline.org/link/summary/15-1232.00 |
| CIT-08 | Network-administration context is relevant to CC because Network Security is a large official domain. | O*NET's Network and Computer Systems Administrators profile supports task context around maintaining networks, backups and recovery, diagnosing hardware/software/network problems, monitoring systems, network security, and network performance. | https://www.onetonline.org/link/summary/15-1244.00 |
| CIT-09 | RoleMath uses O*NET database downloads as the official task, skill, and technology source family for role evidence. | The O*NET database is the public dataset behind RoleMath's occupation task and tool extraction. RoleMath cites profile pages for reader verification and the database for bulk evidence. | https://www.onetcenter.org/database.html |
| CIT-10 | Occupation pay context for CC-adjacent roles must not be treated as a CC salary outcome. | RoleMath's current role packets use BLS OEWS May 2025 national context: Information Security Analysts with 190,650 employment and 129,180 USD median annual wage; Computer User Support Specialists with 717,190 employment and 61,860 USD median annual wage; and Network and Computer Systems Administrators with 314,340 employment and 99,130 USD median annual wage. | https://www.bls.gov/oes/special-requests/oesm25nat.zip |
| CIT-11 | Occupation outlook context is not live posting demand and not a CC outcome. | BLS Employment Projections in RoleMath's current packets show 2024-2034 projected employment change and annual openings for mapped occupation families: Information Security Analysts at 28.5% and 16 thousand annual openings, Computer User Support Specialists at -3.7% and 40.8 thousand annual openings, and Network and Computer Systems Administrators at -4.2% and 14.3 thousand annual openings. | https://www.bls.gov/emp/ind-occ-matrix/occupation.xlsx |
| CIT-12 | Employer-language samples can guide cybersecurity practice without becoming representative demand evidence. | RoleMath's public ATS employer-language pilot is qualitative and not representative demand. Current summaries show Cybersecurity Analyst with 59 matched postings, SOC Analyst with 77, IT Security Operations Specialist with 108, Help Desk Technician with 74, IT Support Specialist with 36, and Network Administrator with 94. Recurring terms include cybersecurity, SIEM, incident response, threat intelligence, NIST, IAM, vulnerability management, EDR, Splunk, Linux, DNS, TCP/IP, troubleshooting, and network security. | https://developers.greenhouse.io/job-board; https://developers.ashbyhq.com/docs/public-job-posting-api; https://hire.lever.co/developer/documentation#postings; https://www.workday.com/ |
| CIT-13 | AI usage data for mapped security/support work is descriptive workflow context, not a job-loss or demand forecast. | RoleMath's AI usage seed cites Anthropic's 2026 Economic Index. For May 2026, Information Security Analysts show 23.90% augmentation-labeled and 76.10% automation-labeled Claude conversations; Computer User Support Specialists show 34.38% augmentation and 65.62% automation; Network and Computer Systems Administrators show 31.90% augmentation and 68.10% automation. | https://www.anthropic.com/research/economic-index-june-2026-report |
| CIT-14 | The Anthropic Economic Index dataset requires attribution and does not prove employment demand. | The Anthropic Economic Index dataset is published on Hugging Face under CC-BY. RoleMath uses it as one AI-usage signal, not as proof of labor demand, job loss, personal fit, or certification value. | https://huggingface.co/datasets/Anthropic/EconomicIndex |
| CIT-15 | General AI-exposure research should be framed as task-overlap context, not a personal employment forecast. | Eloundou et al. estimate broad task exposure to large language model capabilities, but exposure is task overlap and not a direct prediction that a specific learner will lose or get a job. | https://www.science.org/doi/10.1126/science.adj0998 |