The CCSP exam is changing twice in close succession. Since October 1, 2025, the CCSP has used Computerized Adaptive Testing (CAT) exclusively, replacing the old fixed-form exam. On August 1, 2026, the CCSP transitioned to an entirely new exam outline that adds explicit AI and machine learning security content across multiple domains, including OWASP LLM Top 10 coverage. If you are currently studying for the CCSP, both changes affect you directly. The CAT format is already live and applies to your exam right now. The August 1 content update determines whether your current study materials will match what is actually tested.
This guide explains exactly what changed, what is changing next, and what you should do depending on where you are in your preparation right now.
CCSP Exam Changes: Quick Reference Timeline
| Date | Change | Type |
| August 1, 2022 | Domain content and weights revised | Content update |
| August 1, 2024 | Exam shortened from 4 hours / 150 questions to 3 hours / 125 questions | Structural update |
| October 1, 2025 | Transitioned to Computerized Adaptive Testing (CAT) exclusively | Format update |
| August 1, 2026 | New exam outline with AI/ML security content added | Content update |
Two changes are relevant to candidates testing in 2026. The CAT format is already in effect for every CCSP exam taken since October 1, 2025. The August 1, 2026 outline update is the next change and is the one most candidates do not yet know about.
Change 1: The CCSP Is Now Computerized Adaptive Testing (CAT)
Since October 1, 2025, the CCSP exam is administered exclusively in CAT format. The linear, fixed-form version is no longer offered. This is the same format the CISSP has used since April 2024.
What CAT Means in Practice
| Detail | CAT Format (Current) |
| Question count | Variable — 100 to 150 questions |
| Scored questions | Minimum 100 — the rest are pretest (unscored) items |
| Pretest questions | 25 unscored items, included in the first 100 questions, not identifiable |
| Maximum exam time | 3 hours |
| How it works | Each question is selected based on your performance on previous questions |
| Domains tested | Same six domains — no change to content scope from this update |
| When the exam ends | When the algorithm reaches a confidence threshold for pass or fail, when you run out of questions, or when time expires |
How CAT Actually Works
Each candidate starts with a question calibrated to be answerable by someone at the passing standard. Based on your answer, the algorithm recalculates your estimated ability level and selects the next question to be approximately 50 percent likely for you to answer correctly at that ability level. Answer correctly and the next question gets harder. Answer incorrectly and the next question gets easier. This continues until the algorithm reaches statistical confidence about whether your ability is above or below the passing standard.
What this means for your exam experience:
The exam can end at the minimum 100 questions if the algorithm is confident in a pass or fail result early. It can extend to 150 questions if your performance keeps you near the passing threshold. Two candidates with the same underlying knowledge level can receive a different number of questions and still both pass.
The early-question impact is real. Because the algorithm builds its confidence interval progressively, performance on the early questions matters more than performance on later questions. A poor start makes it mathematically harder to recover within the same exam, even if your answers improve later. This does not mean early questions are worth more points in isolation. It means the algorithm’s early estimate shapes the difficulty trajectory of your entire exam.
The good news: the content has not changed because of CAT. The CAT transition is a delivery format change, not a content change. The same six domains and the same general content scope from the August 2024 update still apply. If you have been studying using current materials, CAT does not require you to study anything different. It changes how questions are delivered, not what is tested.
Change 2: The August 1, 2026 New Exam Outline
This is the change most candidates currently studying do not know about, and it is the one that actually requires action.
Effective August 1, 2026, the CCSP exam will be based on an entirely new exam outline, confirmed directly on ISC2’s official CCSP Certification Exam Outline page. This update follows ISC2’s Job Task Analysis (JTA) process, a periodic structured review where practicing CCSP holders confirm what the credential should test based on what cloud security professionals actually do in their roles today.
What Is Changing
| Aspect | What We Know |
| Domain structure | Remains six domains — no structural overhaul |
| Format | Remains CAT — 100 to 150 questions, 3 hours |
| Domain weights | May shift slightly to reflect current job responsibilities |
| New content focus | Explicit AI and machine learning security topics added across multiple domains |
| Specific additions | AI/ML application risk, OWASP LLM Top 10, AI-aware DDoS and WAF protection for AI endpoints |
| Overall characterization | A content refresh, not a structural overhaul |
The Six CCSP Domains Under the New Outline
| Domain | Focus Area | New AI/ML Content |
| Domain 1: Cloud Concepts, Architecture and Design | Cloud computing concepts, reference architecture, secure design principles, shared responsibility model | New subtopic on AI computing reference architectures |
| Domain 2: Cloud Data Security | Data lifecycle, storage architectures, classification, encryption, key management, DLP | New subtopic on AI/ML data security considerations |
| Domain 3: Cloud Platform and Infrastructure Security | Physical and logical infrastructure, virtualization security, IAM, BCDR | AI-aware infrastructure security controls |
| Domain 4: Cloud Application Security | Secure SDLC, cloud-native app security, API security, IAM for applications | AI/ML application risk and OWASP LLM Top 10 explicitly added |
| Domain 5: Cloud Security Operations | Operations management, logging, monitoring, vulnerability management, incident response | AI-aware monitoring and DDoS/WAF protection for AI endpoints using machine learning detection |
| Domain 6: Legal, Risk and Compliance | Legal frameworks, privacy regulations, audits, risk management, contracts, vendor governance | AI governance and regulatory considerations for AI systems in the cloud |
The OWASP LLM Top 10 addition is the most concrete confirmed change. This is the OWASP Top 10 for Large Language Model Applications — covering risks like prompt injection, training data poisoning, model denial of service, and insecure plugin design. Its explicit inclusion in Domain 4 (Cloud Application Security) signals that ISC2 now expects CCSP holders to understand security risks specific to LLM-based applications deployed in cloud environments — a direct reflection of how rapidly generative AI has been adopted in enterprise cloud architectures since the last major content update in 2022.
AI-aware infrastructure protection is the second concrete addition. The new outline references administration of cloud-based DDoS protection and Web Application Firewalls that leverage machine learning to detect and block sophisticated low-and-slow attacks targeting AI endpoints. This connects Domain 5 operational security content directly to the infrastructure that powers AI workloads.
Should You Take the CCSP Before August 1, 2026?
This is the practical question every current candidate needs answered. Here is the decision framework based on where you are right now.
Decision Table
| Your Situation | Recommendation | Why |
| You are scoring 75%+ on practice exams under current materials | Schedule before August 1, 2026 | You are exam-ready under the current outline — no benefit to waiting |
| You are mid-preparation and can realistically test before August 1 | Push to finish under current outline | The current outline is well-documented with mature prep resources |
| You are early in preparation (less than 50% through current materials) | No need to rush — prepare for the new outline from the start | Trying to rush risks failing, then having to relearn AI/ML content for a retake anyway |
| You work directly with AI/ML workloads in cloud environments | Either timing works, but prioritize learning the AI/ML content regardless | This content reflects real job responsibilities you likely already encounter |
| You have not started studying yet | Wait for August 1, 2026 materials | Avoid studying from outdated outline content that will need revision |
The Honest Reality About “Rushing”
ISC2 has explicitly characterized the August 2026 update as a content refresh rather than a structural overhaul. The six domains remain the same. The CAT format remains the same. This means the overlap between the current outline and the new outline is substantial. Candidates who are well into their preparation under the current materials are not starting over if they wait — they are adding AI/ML-specific content to an otherwise stable foundation.
The candidates who benefit most from rushing before August 1 are those who are already exam-ready and simply have not scheduled yet. For everyone else, the difference between testing in July under the current outline versus testing in September under the new outline is primarily about adding one additional study topic (AI/ML security in cloud contexts) rather than relearning the certification from scratch.
What This Means If You Already Hold CCSP
If you are already CCSP certified, none of these changes affect your existing certification. The CCSP credential does not require retesting when the exam outline updates. Your certification remains valid according to its existing renewal cycle through Continuing Professional Education (CPE) credits, regardless of which exam version you originally passed.
However, CCSP holders working in cloud security roles should treat the AI/ML content additions as a signal of where the broader industry and ISC2’s assessment of practitioner responsibilities are heading. Even without a retest requirement, building familiarity with OWASP LLM Top 10 and AI-aware cloud security controls reflects genuinely current professional practice — not just exam content.
How to Prepare for the New CCSP Outline
Step 1: Confirm Which Outline Applies to Your Exam Date
Before purchasing any study materials, check the ISC2 CCSP Certification Exam Outline page directly. ISC2 publishes both the current and new outline PDFs. If your exam date is on or after August 1, 2026, you are tested on the new outline regardless of when you purchased materials.
Step 2: Build Your Foundation on the Stable Six-Domain Structure
Because the domain structure and overall scope remain consistent, the bulk of CCSP preparation — cloud architecture, data security, infrastructure security, application security, operations, and legal/risk/compliance — remains valid preparation regardless of which outline version applies to your exam.
Step 3: Add Dedicated AI/ML Security Study
Regardless of your exam date, building familiarity with these topics strengthens your CCSP knowledge and your practical cloud security skills:
| Topic | What to Know |
| OWASP LLM Top 10 | Prompt injection, training data poisoning, model denial of service, supply chain vulnerabilities, insecure plugin design, excessive agency, and the remaining items in the list |
| AI/ML application risk in cloud | How traditional cloud application security principles (Domain 4) apply differently to AI/ML applications |
| AI-aware infrastructure protection | How DDoS protection and WAF services use machine learning to detect attacks against AI endpoints specifically |
| AI governance frameworks | Emerging regulatory and compliance considerations for AI systems operating in cloud environments |
Step 4: Practice Under CAT Conditions Regardless of Content Version
The CAT format applies to every CCSP exam right now, independent of the August 2026 content update. Practicing with full-length adaptive-style question sets, rather than fixed 125-question banks, gives the most accurate preparation experience for the actual test-taking experience you will face. For current CCSP exam preparation aligned to the active exam structure, our CCSP exam preparation materials cover all six domains with detailed explanations for every question.
CCSP vs CISSP: How the 2026 Changes Compare
ISC2 is updating two major certifications in close succession during 2026 — and the pattern is informative for understanding ISC2’s overall direction.
| Certification | 2026 Change | Date | Type |
| CCSP | New exam outline with AI/ML security content | August 1, 2026 | Content refresh |
| CC (Certified in Cybersecurity) | New exam outline with AI concepts across all five domains | September 1, 2026 | Content refresh |
| CISSP | No scheduled change | N/A | Stable — last updated April 2024, already includes current AI and zero trust content |
The pattern is clear. ISC2 is systematically integrating AI and machine learning security content across its certification portfolio, starting with the entry-level CC and the cloud-focused CCSP in 2026. The CISSP already underwent this integration in its April 2024 update and has no scheduled change. This means CISSP holders are not facing a similar transition, while CCSP and CC candidates in 2026 are the first cohorts to encounter AI-integrated content in these specific credentials.
For professionals deciding between CISSP and CCSP as their next certification, our CISSP vs CCSP comparison covers the complete picture of how these two credentials differ in scope, career direction, and now, update timing.
FAQS
What is changing with the CCSP exam in 2026?
Two changes affect CCSP candidates in 2026. First, since October 1, 2025, the CCSP exam uses Computerized Adaptive Testing (CAT) exclusively with 100 to 150 variable questions in up to 3 hours. Second, effective August 1, 2026, the CCSP transitions to a new exam outline that adds explicit AI and machine learning security content, including OWASP LLM Top 10 coverage, while keeping the same six-domain structure.
Is the CCSP CAT format already in effect?
Yes. Since October 1, 2025, every CCSP exam is administered in CAT format. The previous fixed-form linear exam (3 hours, 125 questions) is no longer offered. If you are scheduling a CCSP exam now, you are taking the CAT version regardless of the August 2026 content update.
Should I take the CCSP before August 1, 2026?
It depends on your preparation status. If you are scoring 75 percent or above on practice exams under current materials, schedule before August 1 since you are already exam-ready. If you are early in your preparation, there is no benefit to rushing — prepare with the new outline in mind from the start, since the change is a content refresh rather than a structural overhaul and most of your current studying remains valid either way.
What new content is being added to the CCSP in August 2026?
The most concrete confirmed additions are OWASP LLM Top 10 content in Domain 4 (Cloud Application Security), AI/ML application risk considerations, AI-aware infrastructure security including machine learning-based DDoS protection and WAF for AI endpoints, and AI governance considerations in the legal and compliance domain. The six-domain structure and overall weighting remain largely consistent.
Will the CCSP domains change in August 2026?
No. ISC2 has confirmed the CCSP keeps its six-domain structure. The August 2026 update is described as a content refresh that adds AI and machine learning security topics across existing domains rather than restructuring the domains themselves.
Does CAT make the CCSP harder?
ISC2 states CAT is a more precise and efficient evaluation based on the same content outline as the previous linear exam. The content tested is not harder. However, the adaptive nature means early-question performance shapes the difficulty trajectory of your exam, and the variable question count (100 to 150) means some candidates face more questions than others to reach the same confidence threshold.
If I already passed CCSP, do I need to retest under the new outline?
No. Existing CCSP certifications remain valid under their normal renewal cycle through Continuing Professional Education credits. The August 2026 outline change applies only to candidates testing on or after that date — it does not require existing certified professionals to retest.
How does the August 2026 CCSP update compare to the CISSP?
The CISSP has no scheduled 2026 update. Its most recent update was April 2024, which already integrated current AI and zero trust security content and completed its transition to CAT format across all languages. CCSP and CC (Certified in Cybersecurity) are the two ISC2 credentials receiving content refreshes in 2026, with CCSP updating August 1 and CC updating September 1.
What is the OWASP LLM Top 10 and why does it matter for CCSP?
The OWASP LLM Top 10 is a list of the most critical security risks for applications built on large language models, including prompt injection, training data poisoning, model denial of service, and insecure plugin design. Its addition to the CCSP Domain 4 outline reflects how widely LLM-based applications have been adopted in enterprise cloud environments and signals that cloud security professionals are now expected to understand these risks as part of standard application security practice.
Where can I find the official CCSP exam outline?
ISC2 publishes the current and new CCSP Certification Exam Outline as downloadable PDFs directly on isc2.org. The page explicitly states the effective date of August 1, 2026 for the new outline and provides both current and updated versions for candidates to compare.
