ISACA · CCOA
Validates technical cybersecurity skills across five domains: technology essentials, cybersecurity principles and risk, adversarial tactics and techniques, incident detection and response, and securing assets, combining knowledge-based and hands-on performance-based questions.
Questions
593
Duration
240 minutes
Passing Score
450/800
Difficulty
AssociateLast Updated
Feb 2026
Use this CCOA practice exam to prepare for Certified Cybersecurity Operations Analyst (CCOA) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 593 questions for ISACA CCOA, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified Cybersecurity Operations Analyst (CCOA) is a technical cybersecurity credential introduced by ISACA in early 2025, designed to validate the operational skills required by security analysts working in modern threat environments. It bridges a recognized gap in the certification landscape by combining traditional knowledge-based multiple-choice questions with hands-on, performance-based questions that require candidates to work with real open-source tools such as Security Onion and Kibana. The credential was named Professional Certification Program of the Year in the 2025 Cybersecurity Breakthrough Awards, reflecting rapid industry recognition since its launch.
Spanning five globally validated domains — Technology Essentials, Cybersecurity Principles and Risk, Adversarial Tactics and Techniques, Incident Detection and Response, and Securing Assets — the CCOA assesses both conceptual understanding and practical ability. Candidates must demonstrate proficiency in areas ranging from cloud and network fundamentals to forensic analysis, malware investigation, and vulnerability remediation, making it one of the few associate-level credentials to rigorously test applied, hands-on cybersecurity competency.
The CCOA is targeted at early- to mid-career cybersecurity professionals with approximately two to three years of experience in security operations. It is particularly well-suited for individuals working as or aspiring to become Cybersecurity Analysts, Information Security Analysts, SOC (Security Operations Center) Analysts, Vulnerability Analysts, and Incident Response Analysts.
The exam is open to anyone with an interest in cybersecurity — there are no formal prerequisites — making it accessible to career changers and recent graduates who can demonstrate technical proficiency through self-study or bootcamp training. It is especially valuable for those seeking to distinguish themselves in a competitive SOC hiring market or to formalize practical skills acquired on the job.
ISACA does not impose formal prerequisites to register for the CCOA exam; it is open to all candidates. However, ISACA recommends that candidates have approximately two to three years of hands-on experience in a cybersecurity operations role before attempting the exam, as the performance-based questions require familiarity with real-world tools and workflows.
Candidates should be comfortable with core networking concepts (TCP/IP, protocols, ports), operating systems (Windows and Linux command-line interfaces), cloud infrastructure basics, and scripting fundamentals. Prior exposure to SIEM platforms, log analysis, and basic incident response procedures will be highly beneficial, particularly given that Domain 4 (Incident Detection and Response) accounts for 34% of the exam weight. To earn the full CCOA certification designation, candidates must apply within five years of passing the exam.
The CCOA exam consists of 115 scored multiple-choice questions and 25 performance-based questions, for a total of 140 questions. The performance-based questions present candidates with simulated, hands-on scenarios using open-source cybersecurity tools, assessing practical skills rather than purely theoretical recall. The exam has a time limit of 240 minutes (4 hours).
The exam is computer-based and can be taken either at an authorized PSI testing center globally or via remote proctoring. Registration is continuous — candidates can register at any time and schedule a testing appointment as early as 48 hours after payment. The passing score is 450 out of 800. Exam fees are $399 for ISACA members and $499 for non-members. Eligibility established at registration remains valid for 12 months.
The CCOA addresses a well-documented gap in technical, operations-focused cybersecurity credentials and has gained rapid traction since its 2025 launch — LinkedIn listed nearly 2,000 CCOA-preferred job postings within six months of the credential's release, with demand concentrated at MSSPs and enterprise security teams in the U.S., U.K., Canada, and India. Early salary data indicates the credential can increase compensation offers by 5–10%, with the average advertised salary for a certified SOC Tier II analyst in the United States at approximately $104,000. The U.S. Bureau of Labor Statistics projects 33% employment growth for information security analysts over the coming decade, and ISACA's 2025 research found that 70% of CISOs expect SOC headcount to grow in the near term.
Beyond immediate job market impact, the CCOA provides a structured pathway within ISACA's certification ecosystem. Passing the CCOA exam grants a one-year educational experience waiver toward the Certified Information Security Manager (CISM) exam, enabling analysts to progress toward a governance-level credential without duplicating experience documentation. Compared to alternatives such as CompTIA Security+ (which is broader and less operationally focused) or CompTIA CySA+ (a close competitor), the CCOA differentiates itself through its mandatory hands-on lab component and ISACA's established enterprise credibility.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 593 questions.
Preview — answers shown1. A network security engineer is analyzing flow data to identify potential data exfiltration. They need to choose between NetFlow, sFlow, and IPFIX for a 10 Gbps network environment where statistical sampling is acceptable. Which protocol is MOST appropriate? (Select one!)
Explanation
sFlow is specifically designed for high-speed networks (10 Gbps and above) using statistical packet sampling, making it ideal for this scenario where sampling is acceptable. NetFlow uses flow caching for forensic accuracy but can have performance impacts at very high speeds. IPFIX provides standardized multi-vendor template-based flow collection but is not optimized specifically for high-speed sampling. The three protocols have different design philosophies and performance characteristics, so they are not identical.
2. A security operations analyst is writing a Snort intrusion detection rule to detect HTTP requests containing potential directory traversal attempts. Which rule correctly identifies requests with dot-dot-slash patterns? (Select one!)
Explanation
The correct rule uses TCP protocol for HTTP traffic, monitors traffic directed to the internal network on HTTP ports, includes flow context to_server and established for stateful inspection, uses nocase for case-insensitive matching, and follows proper Snort rule syntax. The UDP rule uses wrong protocol since HTTP uses TCP. The third option monitors traffic in the wrong direction (from internal to external). The IP protocol rule is too broad without transport layer specificity or flow context.
3. During a red team engagement, an attacker successfully obtains local administrator access on a workstation. The attacker wants to escalate to domain-level privileges by exploiting a Windows service configured with an unquoted service path containing spaces. Which MITRE ATT&CK technique does this represent? (Select one!)
Explanation
T1574.009 Path Interception by Unquoted Path is the specific MITRE ATT&CK technique for exploiting unquoted service paths containing spaces. When Windows parses an unquoted path like 'C:\Program Files\Vulnerable Service\service.exe', it tries multiple interpretations, potentially executing attacker-controlled binaries. This is a privilege escalation technique because services often run with elevated privileges. T1574.001 DLL Search Order Hijacking exploits DLL loading order, not service path parsing. T1548.002 UAC Bypass uses different techniques to bypass User Account Control. T1078.002 Domain Accounts refers to using legitimate domain credentials, not exploiting service misconfigurations.
4. A security operations team implements the Diamond Model of Intrusion Analysis during incident investigation. The team identifies command and control infrastructure (C2 domains and IP addresses) used by an APT group. Using the Diamond Model's analytical pivoting capability, which vertex should analysts investigate next to expand their understanding of the threat? (Select one!)
Explanation
The Diamond Model's analytical pivoting strength lies in using one known vertex to discover connected vertices. With infrastructure identified, analysts should pivot to all other vertices: Capability (malware communicating with this infrastructure), Adversary (threat actors operating this infrastructure), and Victim (other organizations targeted by this infrastructure). This comprehensive approach maximizes intelligence gathering. Investigating only the Victim vertex misses capability and attribution insights. Focusing solely on Capability ignores additional victims and attribution. Prioritizing only Adversary attribution misses ongoing victim targeting. The Diamond Model's power is in exploring all relationships simultaneously from the known infrastructure pivot point.
5. A healthcare organization implements the CIS Controls v8 framework. The security team has limited resources and needs to focus on essential cyber hygiene safeguards appropriate for small organizations. Which Implementation Group should the organization prioritize? (Select one!)
Explanation
Implementation Group 1 provides 56 essential cyber hygiene safeguards designed specifically for small organizations with limited resources and security expertise. IG1 represents the minimum security baseline addressing the most common attack vectors. IG2 with 130 safeguards targets mid-sized organizations with more resources and complexity. IG3 with all 153 safeguards is designed for organizations facing sophisticated threats requiring advanced security programs. Implementing all groups equally dilutes resources and prevents completion of foundational controls, reducing overall security effectiveness.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
$17.99
One-time access to this exam