You Can Pass This Exam For Free
Exam Overview
Format
58 questions, 60 minutes of actual exam time (90-minute appointment includes NDA, survey, and feedback). Multiple choice and scenario-based questions from a business user perspective. Note: the exam is currently in beta with general availability expected in July 2026.
Scoring
Scaled score 100-1000. Passing: 700. No penalty for wrong answers — always answer every question.
Domains & Weights
- Understand Cybersecurity Concepts: 27%
- Understand Cybersecurity Risks and Threats: 33%
- Apply Basic Security Practices to Protect the Organization: 28%
- Report and Respond to Security Incidents: 12%
Registration
$99 USD. Available at Pearson VUE testing centers or online proctored from home.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Understand Cybersecurity Concepts
This domain covers foundational cybersecurity knowledge that every business professional should have. You need to understand the shared responsibility model, key security terms and definitions, the benefits of MFA and password managers, and emerging threats like deepfakes. It also tests your understanding of organizational security policies and data-handling standards.
Key Topics
Must-Know Concepts
- Cybersecurity shared responsibility model: security is not just IT's job — every employee shares responsibility for protecting organizational data and systems
- Employee security awareness activities: recognizing phishing, reporting suspicious activity, completing security training, following policies, and practicing good password hygiene
- Accountability practices: understanding your role in protecting data, following policies, and accepting responsibility for security-related actions in your daily work
- Security and privacy policies applicable to your work tasks, including acceptable use policies, data handling procedures, and privacy expectations
- Types of data that should NEVER be shared with public AI tools: confidential business data, customer PII, financial records, trade secrets, and internal strategic documents
- Benefits of password managers: generate strong unique passwords, eliminate password reuse, securely store credentials, and auto-fill login forms
- MFA benefits: adds a second verification layer so stolen passwords alone cannot compromise accounts. Know the three factor types: knowledge, possession, biometric
- Business processes that may be targeted by threat actors: financial transactions, vendor payments, executive communications, customer data access, and HR processes
- Risks of remote work: unsecured home networks, shoulder surfing in public spaces, shared devices, physical document exposure, and distraction-based social engineering
- Why software updates and security patches are critical: they fix known vulnerabilities that attackers actively exploit. Delaying updates increases risk
- Impact of security events like ransomware: business disruption, data loss, financial costs, reputational damage, regulatory penalties, and customer trust erosion
- Key definitions: vulnerability (weakness), threat (potential danger), risk (likelihood and impact), encryption (data protection through encoding), exploit (method to leverage a vulnerability)
Common Exam Traps
Understand Cybersecurity Risks and Threats
The heaviest domain at 30-35% of the exam. Covers identifying common cybersecurity risks, detecting indicators of malicious activity, evaluating digital communications for legitimacy, and understanding access controls. This domain is scenario-heavy: expect questions presenting workplace situations where you must identify the threat or choose the correct response.
Key Topics
Must-Know Concepts
- Public Wi-Fi risks: eavesdropping, man-in-the-middle attacks, rogue hotspots, session hijacking. Use VPN when possible and avoid accessing sensitive data on public networks
- Social engineering techniques: phishing (deceptive messages), pretexting (fabricated scenarios), baiting (enticing offers/items), tailgating (following authorized personnel into secure areas)
- Malware indicators: unexpected system slowdowns, unusual pop-ups, programs launching without user action, unexplained file changes, disabled security software, unexpected network activity
- Insider threat indicators: accessing data outside normal job duties, downloading large amounts of data, working unusual hours without justification, expressing dissatisfaction and having access to sensitive systems
- Abnormal system behavior or infection symptoms: computer running unusually slow, browser redirects, new toolbars or programs appearing, disabled antivirus, files becoming encrypted
- How to identify suspicious emails: mismatched sender addresses, urgency or fear tactics, unexpected attachments, generic greetings, grammatical errors, requests for credentials or payment
- How to identify malicious links: hovering to check actual URL, looking for misspelled domains, checking for HTTP vs HTTPS, being wary of shortened URLs
- Verifying legitimacy of requests: always verify requests for access, payments, or sensitive data through a separate known channel. Never trust the contact information in the suspicious message itself
- Identifying privacy and security risks in communications: requests for personal information, pressure to bypass normal procedures, unusual urgency, requests to keep actions secret
- Access controls: limiting access to systems and data based on job role and need-to-know. Principle of least privilege — only grant the minimum access needed to perform a task
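The link-inspection habits listed above (compare the visible text with the real target you see when hovering, look for misspelled domains, prefer HTTPS, be wary of shortened URLs) can be written down as simple checks. The script below is an added example for this guide, not exam material or any vendor's tool; the known-domain list, the shortener list and the sample links are constructed for the demonstration, and a real deployment would use the organization's own allow-list.

```python
"""Phishing-link heuristics from a reader's point of view (added example, constructed data)."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed allow-list: sites the reader knows to be genuine (assumption for the demo).
KNOWN_DOMAINS = {"example.com", "contoso.com"}
# Constructed list of URL shorteners whose real destination cannot be seen by hovering.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

DOMAIN_IN_TEXT = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'login.example.com' -> 'example.com'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion.
    Catches typo-squats such as 'examp1e.com' or 'exampe.com' for 'example.com'."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    i = j = 0
    while i < len(longer) and j < len(shorter):
        if longer[i] == shorter[j]:
            j += 1
        i += 1  # on a mismatch, skip one character of the longer string
    return j == len(shorter)


def inspect_link(display_text: str, href: str) -> list[str]:
    """Return the indicators found for one link. An empty list means none of these
    heuristics fired, which is not proof that the link is legitimate."""
    findings: list[str] = []
    url = urlparse(href if "://" in href else "http://" + href)
    host = (url.hostname or "").lower()
    domain = registrable_domain(host)

    if url.scheme == "http":
        findings.append("uses plain HTTP, not HTTPS")
    if domain in SHORTENERS:
        findings.append(f"shortened URL ({domain}) hides the real destination")

    # The visible text names one site but the real target (what hovering shows) is another.
    shown = DOMAIN_IN_TEXT.search(display_text.lower())
    if shown and registrable_domain(shown.group(0)) != domain:
        findings.append(f"text shows {registrable_domain(shown.group(0))} but link goes to {domain}")

    if domain not in KNOWN_DOMAINS:
        prefix = host[: -len(domain)] if host.endswith(domain) and domain else host
        for known in sorted(KNOWN_DOMAINS):
            if within_one_edit(domain, known):
                findings.append(f"{domain} is a lookalike of {known}")
            if known in prefix:
                findings.append(f"{known} appears as a subdomain of unrelated domain {domain}")
    return findings


def triage(links: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each link target to its list of indicators."""
    return {href: inspect_link(text, href) for text, href in links}


# Constructed sample links as (visible text, actual target) pairs, as a reader would see
# them in a message and on hovering.
SAMPLE_LINKS = [
    ("https://example.com/reset", "https://example.com/reset"),
    ("https://example.com/reset", "http://examp1e.com/reset"),
    ("View invoice", "https://bit.ly/3abcXYZ"),
    ("Sign in", "https://example.com.secure-login.net/auth"),
]

if __name__ == "__main__":
    for href, findings in triage(SAMPLE_LINKS).items():
        print(href, "->", findings or "no indicators")
```

The second sample trips three checks at once (plain HTTP, visible text that disagrees with the target, and a one-character lookalike domain), which is the pattern the exam scenarios describe: several small signs together, each of which a reader can verify without clicking.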
Common Exam Traps
Apply Basic Security Practices to Protect the Organization
This domain tests your ability to apply practical security measures in daily work. Covers device and account security, sensitive data protection through classification and labeling, safe internet and data-handling practices, and backup and recovery fundamentals. Questions focus on what you should DO, not what technology does behind the scenes.
Key Topics
Must-Know Concepts
- Securing remote and mobile devices: use strong passwords or biometrics, enable MFA, lock screens when stepping away, keep software updated, use VPN on public networks, encrypt device storage
- Securing workspaces: clean desk policy, locking computer when unattended, securing physical documents, being aware of shoulder surfing, not leaving devices unattended in public
- Recognizing and classifying sensitive data: understand what makes data sensitive (PII, financial records, health data, trade secrets) and how to identify it in daily work
- Sensitivity labeling types and when to apply each: Public (approved for external sharing), Internal (for employees only), Confidential (restricted to specific teams), Highly Confidential (strictest controls, need-to-know only)
- Rights management: controls that restrict copying, printing, forwarding, or editing of protected documents. Understand when and why these restrictions are applied
- Proper data-handling techniques: collecting only necessary data, using secure transfer methods, storing data in approved locations, following retention schedules, properly destroying data when no longer needed
- Data lifecycle management: collect, use, transfer, store, retain, and destroy. Know appropriate practices for each phase
- Ensuring data is backed up: understand why regular backups matter, that backups should be stored separately from primary data, and that backup procedures support incident recovery
- Basic recovery measures: know what to do when data is lost or a system fails — contact IT, avoid attempting fixes that could worsen the situation, follow organizational recovery procedures
Common Exam Traps
Report and Respond to Security Incidents
The smallest domain but critical for the exam. Tests your ability to recognize when to report, what information to include, which channels to use, and what immediate actions to take during a data breach. This domain is highly scenario-based: expect questions presenting incidents where you must choose the correct response sequence.
Key Topics
Must-Know Concepts
- Situations that require reporting: phishing attempts (even if not clicked), lost or stolen devices, unauthorized access to systems or data, suspicious emails or messages, observed policy violations
- Information to include in a report: date and time of the incident, type of incident (phishing, lost device, unauthorized access), what data or systems were affected, actions already taken, and any evidence preserved
- Appropriate reporting channels: IT help desk, dedicated incident reporting form, security team email, or phone — use the channel designated by your organization, not personal email or social media
- Immediate steps when a breach occurs: stop sharing the affected data, disconnect compromised devices from the network, notify IT or the security team immediately, preserve evidence, do not attempt to investigate or fix on your own
- When escalation is required: sensitive data exposure (PII, financial, health data), ransomware incidents, suspected compromise of executive accounts, any incident that may affect customers or regulatory compliance
- What NOT to do during an incident: do not try to track down the attacker, do not pay a ransom without authorization, do not delete evidence, do not continue using a compromised system, do not delay reporting
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.