article · Certification difficulty & pass rates

ISC2 CC Pass Rate: What ISC2 Publishes

ISC2 publishes CC exam outline and passing-grade facts, not a candidate pass rate. Use official facts, role evidence, AI context, and readiness checks.

Build my personalized career plan

Researched by RoleMath Research. Every figure on this page traces to the official source shown next to it.

ISC2 CC pass rate: what ISC2 publishes and what to use instead

By the RoleMath Editorial Team · Last updated 2026-07-05. Every figure traces to a cited source; we sell none of the options discussed. Draft pending human review.

The honest ISC2 CC pass-rate answer is not a percentage. ISC2 publishes useful Certified in Cybersecurity facts: the official exam outline, current effective date, an upcoming September 1, 2026 outline change, CAT format, 2-hour length, 100-125 items, item type, passing grade, domain weights, Pearson VUE delivery, entry-level positioning, no-work-experience-required access, and AI-security concepts inside the outline. ISC2 does not publish a public CC candidate pass-rate percentage in the reviewed source text. For planning, the better evidence is the official exam outline, role task context, employer-language samples, AI-aware security workflow context, and a readiness plan that tests security vocabulary and basic triage rather than a rumored pass-rate number.

Key takeaways

  • ISC2 publishes CC exam-outline facts and a 700-out-of-1000 passing grade, not a public candidate pass-rate percentage.
  • The current outline is effective October 1, 2025, and ISC2 says a new CC exam outline takes effect September 1, 2026.
  • The source-backed planning facts are CAT delivery, 2 hours, 100-125 items, multiple-choice and advanced item types, Pearson VUE testing, 199 USD exam-fee context, and no work experience required.
  • The study map is Security Principles 26%, BC/DR/Incident Response Concepts 10%, Access Controls Concepts 22%, Network Security 24%, and Security Operations 18%.
  • Employer-language samples can guide labs and vocabulary, but they are not representative demand, market share, salary, placement, or certification ROI evidence.
  • AI is now part of CC study context, but AI usage data is descriptive workflow context, not proof that CC changes employment demand or guarantees opportunity.

The short answer: ISC2 gives a passing grade, not a pass rate

Do not plan CC from a pass-rate percentage unless the source shows a transparent dataset with candidate population, denominator, exam version, attempt type, and date range. RoleMath does not have that evidence. The official evidence says something narrower: ISC2 publishes a passing grade of 700 out of 1000 points, plus exam format and domain facts. That is not the same thing as the share of candidates who pass.

This distinction matters because CC is entry-level. Public pages can make the number sound high because the credential is beginner-friendly, or low because the page is selling prep. Neither framing is useful unless the number has a real denominator and a primary source.

Official-source status

The official ISC2 CC outline was live checked on 2026-07-05. It lists an effective date of October 1, 2025 and includes a notice that the CC exam will be based on a new outline effective September 1, 2026. That makes timing important: if you are scheduling near that change, confirm which outline applies before you buy training or schedule the exam.

The same official outline supports the exam facts this page uses: CAT delivery, 2-hour length, 100-125 items, multiple-choice and advanced item types, passing grade of 700 out of 1000 points, language availability, Pearson VUE testing center, and five domain weights. The pass-rate ledger records what the outline does not publish: a public candidate pass-rate percentage.

What ISC2 publishes for CC

CC factCurrent RoleMath treatmentPlanning use
CredentialCC - Certified in CybersecurityConfirms the entry cybersecurity credential.
Experience postureNo work experience requiredAccess context, not a readiness guarantee.
Exam codeCCConfirms the exam identity used in RoleMath seed rows.
Exam formatCAT, 100-125 items, multiple choice and advanced item typesPractice pacing and format context, not pass-rate evidence.
Length2 hoursTime-management context.
Passing grade700 out of 1000 pointsA passing-grade rule, not the share of candidates who pass.
Domain weightsFive weighted domainsStudy coverage map.
Cost199 USD exam-fee rowBudget context, not ROI. Confirm before purchase.
Outline changeNew outline effective September 1, 2026Prep materials should match your exam date.

That is enough to build a useful readiness plan. It is not enough to publish a candidate pass-rate percentage, salary claim, ROI claim, placement claim, or job guarantee.

Use the domain weights as the study map

The official domain weights are more useful than a pass-rate rumor because they show where the exam spends attention. Security Principles is 26 percent, Network Security is 24 percent, Access Controls Concepts is 22 percent, Security Operations is 18 percent, and Business Continuity, Disaster Recovery and Incident Response Concepts is 10 percent.

That map says CC is broad. It is not a deep SOC analyst lab exam, but it is also not only vocabulary. You need the security triad, risk and controls, identity and access concepts, networking basics, common threats, security infrastructure, incident response ideas, data handling, hardening, monitoring, and policy awareness. If your study plan ignores networking or access control, the domain weights show the gap.

Why CC pass-rate folklore is weak evidence

A usable CC pass-rate source would identify the data owner, exam version, candidate population, time window, attempt type, retake handling, and denominator. It would also distinguish an official passing grade from a population statistic. Without that, a single percentage can be more misleading than helpful.

CC is especially vulnerable to weak numbers because it is beginner-friendly and popular with career changers. A page can claim most people pass because the exam is entry-level. Another page can claim many fail because the reader is supposed to buy prep. RoleMath is not quoting those numbers here because unsupported repetition makes weak evidence look stronger.

What CC is actually trying to signal

CC is a foundational cybersecurity signal. ISC2 positions it for newcomers, career changers, students, recent graduates, and people entering cybersecurity without direct IT experience. The official page says no work experience is required, which makes the credential accessible. That does not mean the exam is automatic or that the credential creates a job outcome.

The strongest CC use case is specific: you need a structured way to prove that core cybersecurity concepts are no longer abstract. You can explain security principles, access controls, network-security basics, incident response and continuity concepts, security operations, and the security implications of AI systems. That is a credible starting point. It is weaker if you expect it to replace hands-on troubleshooting, networking practice, scripting, ticket work, or SOC tool exposure.

Use role evidence instead of pass-rate folklore

For cybersecurity role context, RoleMath maps Cybersecurity Analyst and SOC Analyst to Information Security Analysts. O*NET task context includes planning security measures, monitoring virus reports, using encryption and firewalls, performing risk assessments, modifying access status, reviewing security-procedure violations, documenting security procedures, regulating access, and promoting security awareness.

For entry movement, support and networking still matter. Help Desk Technician and IT Support Specialist map to Computer User Support Specialists, where ONET tasks include diagnosing problems, answering user questions, setting up equipment, installing or repairing hardware or software, and maintaining support records. Network Administrator maps to Network and Computer Systems Administrators, where ONET tasks include maintaining networks, backups and recovery, diagnosing network problems, monitoring systems, and implementing network security.

Those task families give CC a practical role bridge. The credential can organize basic security concepts, but the evidence a reader should build is still concrete: ticket notes, access-control examples, incident-response summaries, network diagrams, vulnerability notes, monitoring screenshots, and documented remediation practice.

BLS context: useful, but not a CC outcome

The BLS data is occupation context, not certification-outcome evidence. RoleMath's current packets use May 2025 national OEWS data: Information Security Analysts at 190,650 employment and a 129,180 USD median annual wage, Computer User Support Specialists at 717,190 employment and a 61,860 USD median annual wage, and Network and Computer Systems Administrators at 314,340 employment and a 99,130 USD median annual wage.

The outlook context is also occupation-level. RoleMath's current packets show Information Security Analysts at 28.5 percent projected employment change for 2024-2034 with 16 thousand annual openings, Computer User Support Specialists at -3.7 percent with 40.8 thousand annual openings, and Network and Computer Systems Administrators at -4.2 percent with 14.3 thousand annual openings.

None of those numbers means CC pays those salaries or creates those openings. They help readers understand the role families around the credential and decide whether CC is a starting point, a support-to-security bridge, or too introductory for their target.

Employer-language evidence: what postings emphasize

RoleMath's employer-language pilot is qualitative and not representative demand. Current summaries show Cybersecurity Analyst with 59 matched postings and recurring terms such as cybersecurity, NIST, CISSP, SIEM, incident response, threat intelligence, FedRAMP, Python, AWS, Azure, vulnerability management, Splunk, EDR, and CrowdStrike. SOC Analyst has 77 matched postings with cybersecurity, SIEM, incident response, EDR, threat intelligence, threat hunting, Splunk, Python, AWS, Azure, CrowdStrike, PowerShell, Linux, and problem solving.

The adjacent routes are just as useful for beginners. Help Desk Technician has 74 matched postings with troubleshooting, Windows, ServiceNow, Active Directory, macOS, VPN, Jira, DNS, cybersecurity, customer support, TCP/IP, and Cisco. Network Administrator has 94 matched postings with BGP, Cisco, troubleshooting, OSPF, network security, DNS, TCP/IP, Python, firewall, Azure, VPN, AWS, and Ansible.

Use those samples as vocabulary and lab direction. Do not use posting counts as market size, demand share, salary, placement, or ROI. The useful signal is that CC vocabulary needs to connect to SIEM, incident response, access control, networking, identity, troubleshooting, and documentation evidence.

How AI changes CC study and entry security work

AI belongs in the CC discussion for two reasons. First, ISC2's own outline now integrates AI security concepts across all five domains. The outline describes themes such as protecting AI assets, recognizing automated threats, governance and risk for AI systems, model poisoning and data integrity, automated detection, AI service-account access, AI-powered monitoring, segmentation for AI environments, SIEM alert fatigue, and data leakage from public AI tools.

Second, AI changes how beginners study and work. It can explain a control, turn an incident scenario into a checklist, draft a security-awareness note, summarize a network threat, or quiz you on access-control terms. It can also hallucinate policy, recommend unsafe remediation, misread logs, or normalize copying sensitive data into public tools.

RoleMath's current AI usage seed cites Anthropic's 2026 Economic Index. For May 2026, Information Security Analysts show 23.90 percent augmentation-labeled and 76.10 percent automation-labeled Claude conversations. Computer User Support Specialists show 34.38 percent augmentation and 65.62 percent automation. Network and Computer Systems Administrators show 31.90 percent augmentation and 68.10 percent automation. That is descriptive usage data, not a job-loss forecast, demand measure, or CC value claim.

A readiness plan that beats pass-rate guessing

Use a readiness plan tied to the official outline and role evidence. Step 1: confirm whether your exam date uses the October 1, 2025 outline or the September 1, 2026 outline. Step 2: copy the five domain weights into a checklist and give extra attention to Security Principles, Network Security, and Access Controls. Step 3: build short notes for CIA, risk, controls, authentication, MFA, least privilege, business continuity, incident response, network threats, segmentation, logging, monitoring, data handling, hardening, and security awareness. Step 4: create small artifacts: an access-control example, an incident triage checklist, a network-threat summary, a password-policy critique, and a data-leakage warning for public AI tools. Step 5: use AI to quiz you and generate scenarios, but verify definitions, policies, and technical recommendations against primary sources. Step 6: compare your artifacts against SOC, cybersecurity analyst, support, and network administrator employer language before scheduling.

That sequence gives you a better decision than a pass-rate number. It turns CC into a readiness and role-fit question instead of a bet on an unsupported statistic.

Bottom line: CC is a foundation decision, not a pass-rate bet

The bottom line is simple: ISC2 publishes CC exam-outline facts and a passing grade, not a public candidate pass-rate percentage. Do not choose or avoid CC because a page gives you an unsupported percentage.

Choose CC when you want a structured, entry-friendly cybersecurity foundation and can pair it with evidence: security vocabulary, network basics, access-control examples, incident-response notes, monitoring concepts, and AI-risk awareness. Do not treat it as a cybersecurity job guarantee, salary claim, ROI claim, or substitute for hands-on troubleshooting and security practice. RoleMath keeps this page draft/noindex until human source review clears the claim framing and presentation for launch.

Frequently asked questions

Does ISC2 publish a CC pass rate?

RoleMath does not have a sourceable public ISC2 CC candidate pass-rate percentage. ISC2 publishes exam outline, format, domain weights, and passing-grade facts, not the share of candidates who pass.

Is the CC passing grade the same thing as a pass rate?

No. A passing grade is the score standard a candidate must meet. A pass rate is the share of candidates who pass. ISC2 publishing 700 out of 1000 points does not tell you what percentage of candidates pass.

What CC facts are source-backed here?

The current sources support entry-level positioning, no work experience required, CAT delivery, 2-hour length, 100-125 items, multiple-choice and advanced item types, 700 out of 1000 passing grade, Pearson VUE testing, five domain weights, a September 1, 2026 outline change, and a 199 USD exam-fee row.

Is ISC2 CC hard?

CC is foundational, but not automatic. The best evidence is the official outline: security principles, incident response and continuity concepts, access control, network security, security operations, and AI-security themes. Difficulty depends on your background and preparation, not a public pass-rate rumor.

Does CC guarantee a cybersecurity job or salary?

No. BLS wage and outlook figures are occupation-level context for mapped role families, not CC salary, ROI, placement, or job-guarantee evidence.

How should I use AI while preparing for CC?

Use AI to quiz you, generate security scenarios, and review your notes, but verify definitions, policies, commands, and remediation advice against official sources. Do not paste sensitive data into public AI tools.

Related, with the cited detail

Sources

Figures in this article are cited to the sources named in the Citation Ledger below and on each linked cited page. This page stays draft_noindex pending human citation review.

Citation Ledger

IDSupportsEvidenceSource
CIT-01ISC2 publishes CC exam-outline facts and a passing grade, not a public candidate pass-rate percentage.The CC exam outline was live checked on 2026-07-05. It lists the October 1, 2025 effective date, an upcoming September 1, 2026 outline change, CAT delivery, 2-hour length, 100-125 items, multiple-choice and advanced item types, passing grade of 700 out of 1000, Pearson VUE testing center, and domain weights; no candidate pass-rate percentage was found in reviewed page text.https://www.isc2.org/certifications/cc/cc-certification-exam-outline
CIT-02The official CC page positions CC as entry-level and no-work-experience-required, but that is not a job guarantee.The official ISC2 CC page says CC is entry-level cybersecurity, proves foundational knowledge for an entry or junior-level role, and requires no work experience. RoleMath treats this as access and positioning context, not salary, placement, or demand evidence.https://www.isc2.org/certifications/cc
CIT-03CC domain weights should guide study planning more than pass-rate folklore.The official CC outline lists Security Principles 26%, Business Continuity, Disaster Recovery and Incident Response Concepts 10%, Access Controls Concepts 22%, Network Security 24%, and Security Operations 18%.https://www.isc2.org/certifications/cc/cc-certification-exam-outline
CIT-04The CC outline now includes AI security concepts, so AI impact belongs in the study discussion.The official CC outline says foundational AI concepts are integrated across all five domains and describes AI-security themes such as AI assets, automated threats, governance, data integrity/model poisoning, AI-assisted detection, AI service-account access, AI-powered monitoring, segmentation, SIEM alert fatigue, and data leakage from public AI tools.https://www.isc2.org/certifications/cc/cc-certification-exam-outline
CIT-05CC cost should be treated as cited exam-fee context, not ROI or salary evidence.RoleMath's CC cost seed records 199 USD for the CC exam from the official ISC2 exam-pricing page, retrieved 2026-07-01. Training, retakes, annual maintenance fees, membership or candidate fees, taxes, vouchers, reschedule, and cancellation fees are not included in that single exam-fee row.https://www.isc2.org/register-for-exam/isc2-exam-pricing
CIT-06Cybersecurity analyst role evidence should be occupation context, not CC outcome evidence.O*NET's Information Security Analysts profile supports task context such as planning security measures, monitoring virus reports, using encryption and firewalls, performing risk assessments, modifying access status, reviewing security-procedure violations, documenting security procedures, regulating access, and promoting security awareness.https://www.onetonline.org/link/summary/15-1212.00
CIT-07Support work can be a feeder route into cybersecurity, but CC does not guarantee support employment.O*NET's Computer User Support Specialists profile supports task context such as overseeing computer systems, setting up equipment, reading technical manuals, diagnosing problems, answering user questions, installing or repairing equipment, entering commands, and maintaining support records.https://www.onetonline.org/link/summary/15-1232.00
CIT-08Network-administration context is relevant to CC because Network Security is a large official domain.O*NET's Network and Computer Systems Administrators profile supports task context around maintaining networks, backups and recovery, diagnosing hardware/software/network problems, monitoring systems, network security, and network performance.https://www.onetonline.org/link/summary/15-1244.00
CIT-09RoleMath uses O*NET database downloads as the official task, skill, and technology source family for role evidence.The O*NET database is the public dataset behind RoleMath's occupation task and tool extraction. RoleMath cites profile pages for reader verification and the database for bulk evidence.https://www.onetcenter.org/database.html
CIT-10Occupation pay context for CC-adjacent roles must not be treated as a CC salary outcome.RoleMath's current role packets use BLS OEWS May 2025 national context: Information Security Analysts with 190,650 employment and 129,180 USD median annual wage; Computer User Support Specialists with 717,190 employment and 61,860 USD median annual wage; and Network and Computer Systems Administrators with 314,340 employment and 99,130 USD median annual wage.https://www.bls.gov/oes/special-requests/oesm25nat.zip
CIT-11Occupation outlook context is not live posting demand and not a CC outcome.BLS Employment Projections in RoleMath's current packets show 2024-2034 projected employment change and annual openings for mapped occupation families: Information Security Analysts at 28.5% and 16 thousand annual openings, Computer User Support Specialists at -3.7% and 40.8 thousand annual openings, and Network and Computer Systems Administrators at -4.2% and 14.3 thousand annual openings.https://www.bls.gov/emp/ind-occ-matrix/occupation.xlsx
CIT-12Employer-language samples can guide cybersecurity practice without becoming representative demand evidence.RoleMath's public ATS employer-language pilot is qualitative and not representative demand. Current summaries show Cybersecurity Analyst with 59 matched postings, SOC Analyst with 77, IT Security Operations Specialist with 108, Help Desk Technician with 74, IT Support Specialist with 36, and Network Administrator with 94. Recurring terms include cybersecurity, SIEM, incident response, threat intelligence, NIST, IAM, vulnerability management, EDR, Splunk, Linux, DNS, TCP/IP, troubleshooting, and network security.https://developers.greenhouse.io/job-board; https://developers.ashbyhq.com/docs/public-job-posting-api; https://hire.lever.co/developer/documentation#postings; https://www.workday.com/
CIT-13AI usage data for mapped security/support work is descriptive workflow context, not a job-loss or demand forecast.RoleMath's AI usage seed cites Anthropic's 2026 Economic Index. For May 2026, Information Security Analysts show 23.90% augmentation-labeled and 76.10% automation-labeled Claude conversations; Computer User Support Specialists show 34.38% augmentation and 65.62% automation; Network and Computer Systems Administrators show 31.90% augmentation and 68.10% automation.https://www.anthropic.com/research/economic-index-june-2026-report
CIT-14The Anthropic Economic Index dataset requires attribution and does not prove employment demand.The Anthropic Economic Index dataset is published on Hugging Face under CC-BY. RoleMath uses it as one AI-usage signal, not as proof of labor demand, job loss, personal fit, or certification value.https://huggingface.co/datasets/Anthropic/EconomicIndex
CIT-15General AI-exposure research should be framed as task-overlap context, not a personal employment forecast.Eloundou et al. estimate broad task exposure to large language model capabilities, but exposure is task overlap and not a direct prediction that a specific learner will lose or get a job.https://www.science.org/doi/10.1126/science.adj0998

Evidence behind this article

RoleMath turns this article into a small decision report: official credential facts, occupation context, sampled employer wording, and AI workflow evidence. Sampled postings are language evidence, not market share, salary, placement, or a hiring forecast.

Mapped roles: Cybersecurity Analyst, SOC Analyst, Help Desk Technician, IT Support Specialist

Current employer language

  • In RoleMath's public ATS sample captured 2026-06-20, Cybersecurity Analyst matched 64 heuristic postings, including 35 title/public-ready postings. Common sampled language included Cybersecurity, NIST, CISSP, SIEM, Incident response; certification mentions included Security+, CySA+, CCNA; AI-language mentions included no reviewed AI-specific terms cleared the current panel. This is qualitative employer language, not representative market demand.
  • In RoleMath's public ATS sample captured 2026-06-20, SOC Analyst matched 77 heuristic postings, including 20 title/public-ready postings. Common sampled language included Cybersecurity, SIEM, Incident response, EDR, threat intelligence; certification mentions included CySA+, Security+, CCNA; AI-language mentions included no reviewed AI-specific terms cleared the current panel. This is qualitative employer language, not representative market demand.
  • In RoleMath's public ATS sample captured 2026-06-20, Help Desk Technician matched 80 heuristic postings, including 55 title/public-ready postings. Common sampled language included Troubleshooting, Windows, ServiceNow, Active Directory, macOS; certification mentions included Security+, CompTIA A+, Network+; AI-language mentions included no reviewed AI-specific terms cleared the current panel. This is qualitative employer language, not representative market demand.

Previous-year demand: blocked until comparable repeat snapshots exist. Prediction: review-only; no public forecast is approved from this sample. Sources: Ashby Job Postings API, Greenhouse Job Board API, Lever Postings API, Teamtailor Jobs JSON Feed, Workday CXS Jobs API

AI impact context

  • Cybersecurity Analyst: 23.90% augmentation-labeled and 76.10% automation-labeled Claude usage context. Sampled AI-language terms include Anthropic, machine learning. Descriptive Claude usage data, not employment demand, not job loss, and not a personal forecast; CC-BY attribution required.
  • SOC Analyst: 23.90% augmentation-labeled and 76.10% automation-labeled Claude usage context. Sampled AI-language terms include Anthropic, LLM, machine learning, prompt engineering. Descriptive Claude usage data, not employment demand, not job loss, and not a personal forecast; CC-BY attribution required.
  • Help Desk Technician: 34.38% augmentation-labeled and 65.62% automation-labeled Claude usage context. Descriptive Claude usage data, not employment demand, not job loss, and not a personal forecast; CC-BY attribution required.

Sources: Anthropic Economic Index report: Cadences (release 2026-06-26), Canaries in the Coal Mine - recent employment effects of AI (working paper), Felten Raj and Seamans - AI Occupational Exposure (AIOE) index, GPTs are GPTs: An early look at the labor market impact potential of LLMs (Science 2024), OECD Employment Outlook 2023 - Artificial Intelligence and the Labour Market

Credential claim guardrails

Credential matches in this packet: ISC2 CC - Certified in Cybersecurity.

  • Use as evidence that ISC2 publishes passing-grade and exam-outline facts, not a public CC candidate pass-rate percentage.

No certification shown here is treated as salary, job, ROI, or pass-rate proof. Sources: ISC2 official credential page, Certified in Cybersecurity Certification Exam Outline

Ready to see how this fits your background?

RoleMath planner