CAT Pacing and 100-125 Item Strategy
Key Takeaways
- The current ISC2 Certified in Cybersecurity (CC) exam uses computer adaptive testing (CAT) with 100 to 125 items in a 120-minute appointment.
- The passing grade is 700 out of 1000 on a scaled score, which should not be converted into a simple percentage.
- CAT delivery does not reward overspending on one item, so protect time for every question and keep momentum.
- Answer the exact question asked, eliminate distractors, and choose the best response for the scenario rather than the most advanced tool.
- No public pass-rate claim is needed or appropriate for exam readiness planning.
CAT Pacing and Item Strategy
Your final review must mirror the real delivery format. The current ISC2 Certified in Cybersecurity (CC) exam outline took effect October 1, 2025, and a new outline becomes effective September 1, 2026. The exam now uses computer adaptive testing (CAT), allows 120 minutes, delivers 100 to 125 items, and applies a scaled 700 out of 1000 passing grade. The registration fee is US$199. The five domain weights are Security Principles 26%, Business Continuity/Disaster Recovery/Incident Response 10%, Access Control Concepts 22%, Network Security 24%, and Security Operations 18%.
Do not rely on forum pass-rate claims, and never convert 700/1000 into a flat percentage.
How CAT Differs From a Linear Exam
CAT picks each next item based on your running ability estimate. A correct answer tends to raise difficulty; a miss tends to lower it. Two consequences matter for strategy: items often feel hard even when you are passing (the engine is probing your ceiling), and you generally cannot skip and return. Treat each item as a one-way decision unless the interface explicitly offers review.
Pacing Reality
120 minutes across 100 items averages about 72 seconds each; across 125 items about 58 seconds each. That is an average, not a quota. A crisp definition item may take 20 seconds; a multi-clause scenario may take 90.
| Situation | Practical response |
|---|---|
| You recognize the concept immediately | Answer carefully, confirm the verb, move on |
| Two answers look possible | Re-read the final sentence; pick the one that answers it directly |
| A scenario has extra detail | Identify asset, threat, impact, and the requested action |
| You are tempted by the most advanced tool | Check whether a simpler policy or process control fits |
| You do not know a term | Eliminate clearly wrong options, choose the best remaining |
The stem verb is decisive. "First," "best," "most likely," and "most appropriate" each demand a different answer from the same fact set. "First action during active malware spread" is containment, even if eradication is technically superior, because eradication is not first.
A Four-Step Reading Script
Use a fixed internal script so anxiety does not rewrite the question for you.
| Step | Question to ask |
|---|---|
| 1 | What is the single main problem? |
| 2 | Which of the five domains is being tested? |
| 3 | Is it asking to identify, prevent, respond, or recover? |
| 4 | Which option fixes the stated issue without adding new risk? |
Worked example. "A user connected to VPN can reach an internal server by IP address but not by hostname." The networking backdrop tempts a firewall upgrade, but the symptom ("IP works, name fails") is name resolution, so the answer is internal Domain Name System (DNS) configuration.
Worked example. "An attacker silently alters invoice routing numbers." The harm is to integrity, not availability, so the control protects integrity (hashing, change detection).
Worked example. "A contractor still has system access after the project closed." The issue is account lifecycle management and least privilege, fixed by deprovisioning, not by stronger authentication.
Timing Discipline Checkpoints
Because you cannot see the item total in advance, plan for the worst case of 125.
- By item 25: at least 90 minutes should remain.
- By item 60: roughly half your clock should remain.
- If stuck: make one deliberate elimination pass, choose the best survivor, and continue. Rereading a stem five times burns time without adding information.
State the decision silently to yourself: "Verb is first; threat is active; therefore contain." Then commit. Do not try to reverse-engineer whether the adaptive engine "thinks" you are passing; that guess is noise and wastes seconds.
Common Traps
- Choosing the longest or most technical option by reflex.
- Treating availability incidents (Distributed Denial of Service) and integrity incidents (data tampering) as interchangeable.
- Answering the scenario you imagined instead of the final sentence actually asked.
- Spending two minutes on a low-confidence item early, then rushing the last ten.
The goal of the final review is steady accuracy under a clock. Practice with mixed question sets, not single-domain drills, because the live exam can jump from access control to network threats to business continuity between consecutive items.
Marking the Decision, Not the Doubt
When two options survive elimination, do not flip back and forth hoping for certainty that will not arrive. Instead, name the discriminator in one short phrase and let it decide.
For an access-control item, the discriminator is often "does the stem describe proving who someone is, or deciding what they may do?" For an incident item, it is "is the threat still active, or already over?" For a network item, it is "is the symptom about reachability, about name resolution, or about a flood of traffic?" Naming the discriminator turns a vague feeling into a testable rule, and a rule produces a faster, more defensible choice than re-reading the same four options a sixth time.
A final note on confidence: the adaptive engine is designed so that a passing candidate still misses a meaningful share of items, because it keeps probing your limit. Expecting to feel sure on every question is the wrong target. The right target is to apply the same disciplined method on every item regardless of how the previous one felt, so that one shaky question never spills its anxiety into the next three. Steady method beats streaky confidence on a CAT exam.
What is the current ISC2 CC exam length and item range?
How should a candidate describe the CC passing standard?
A long scenario ends by asking for the FIRST action during active malware spread. What guides the answer?