SSCP Certified: My Honest Take on ISC2's Hands-On Cert
I spent the last few months getting the SSCP, ISC2's Systems Security Certified Practitioner certification. Now that I finally have it, the digital badge is sitting on my LinkedIn profile, and the post-exam adrenaline is well and truly gone, I figured it was time to write down what I actually think about it.
A quick FYI before we start: this isn't a "how to pass the SSCP in 30 days" post. There are a thousand of those already. This is a candid look at what the cert is, what it isn't, who I think should bother with it, and a few things about the whole ISC2 ecosystem that I find a little strange.
Who am I?
Some context before I get into it. I'm a security professional with about five years of experience. I started on the help desk, moved into general IT administration, and ended up in security about three years ago, all at the same company. My day-to-day is mostly running a Windows environment with on-prem Active Directory, around 100 servers and 600 clients. So I am hands-on, but I lean more "infrastructure with security responsibilities" than "pure SOC analyst" or "pure pentester". Worth knowing, because where you sit in the security landscape changes how a cert like SSCP feels.
What the SSCP actually is
If you don't know the cert: SSCP is ISC2's hands-on practitioner certification, sitting one rung below the famous CISSP. It covers seven domains, ranging from access controls and cryptography to incident response and network security. The official requirement is one year of work experience in one of those domains or a relevant degree, which counts as the year. If you don't have either, you can pass the exam and become an "Associate of ISC2" while you get the experience.
The exam is in CAT (Computerized Adaptive Testing) format: 100 to 125 questions, two hours. You need a scaled 700 out of 1000 to pass. The format adapts as you go: the better you do, the harder the next questions get, and the system stops once it's confident enough about your level.
One thing worth checking before you commit: the SSCP can only be taken in person at a Pearson VUE testing centre. There is no remote or at-home proctoring option for it. That sounds obvious, but Pearson VUE coverage seems uneven globally. Someone in my training group discovered there wasn't a single test centre in their entire country, which meant a flight and accommodation on top of the cert costs. So if you live somewhere off the beaten path, look up the nearest centre before you book anything.
How I ended up doing it
The short version: my employer sponsored it. The full package: exam voucher, official study materials, and a virtual instructor-led training that ran one full week, 8 hours a day. If I had to pay all of that out of pocket, this blog post would probably have a very different tone, so let me get that disclaimer out of the way upfront.
For some price context: at the time (October 2025) the package of exam plus virtual instructor-led training was around 2.000€. That's a hefty price tag for a cert. Whether it's worth it depends a lot on your financial situation and how much you value structured training over self-study.
The training itself was solid. A live instructor who actually kept the room engaged, asking questions, running quick quizzes, sharing real-world examples, plus Q&A at the end of each day. The slide decks tracked the official ISC2 outline, and we had break-out discussions where people from very different backgrounds (sysadmins, SOC analysts, one guy who already had his CISSP, and one guy who was clearly only there because his employer made him) compared notes on how they'd actually approach things. If we'd just covered access controls, someone would ask "okay, but who's actually responsible for physical access controls in your company?" and suddenly you were learning something the book wouldn't teach you.
After the training I still put in plenty of self-study time. Practice questions, re-reading the weaker domains, the usual routine. The official ISC2 study guide is dense and dry but accurate. I supplemented it with the practice exams from ISC2 and honestly, those are... okay. They mimic the question style and phrasing well, but you should not expect any of those questions to actually appear on the exam. Treat them as a "get used to the format" exercise, not as a content study tool. Don't lean on them too heavily.
Scheduling the exam
One practical decision that mattered more than I expected: I booked my exam for one week after the virtual training finished.
That week I worked my normal day job and used the evenings for review. Two things in particular: more practice exams (yes, the ISC2 ones I just complained about: flawed, but still useful for getting the pacing and format into your bones), and rewatching the recordings of the training calls. The recordings ended up being the bigger surprise. Hearing the instructor walk through a concept for a second time, now with my own slightly improved understanding of the material, made things click that hadn't fully landed the first time around. The Q&A side-conversations from the other students were also genuinely valuable on a second pass. Context that I'd half tuned out the first time often turned out to be exactly what I needed.
If I had to give one piece of scheduling advice, it's this: book your exam close to the end of the training, not weeks later. Everything the instructor said, the discussions, the small "oh, interesting" moments from break-outs, all of that is still fresh in your head if you sit the exam soon afterwards, and it helps immensely on the day. Wait too long and the fade kicks in fast. A week of evening review was enough to consolidate the material; much longer and I'd have been re-learning it from cold instead of just sharpening it.
What I actually think of it
What I liked
The live training was genuinely the best part
I had not done a virtual instructor-led course in years, and I had forgotten how much better it is than a self-paced video grind. Eight hours a day for a full week is really intense, but having someone you could interrupt with a stupid question, who would then turn it into a discussion the whole room benefited from, was worth every euro. If you have the budget, or if you can get your employer to sponsor it, I would highly recommend going the instructor-led route over self-study. The official materials are perfectly fine, but they cannot answer "but what does that look like in a real Windows environment?" The instructor can.
The breadth forces you out of your corner
SSCP covers a lot of ground: cryptography fundamentals, network protocols, IAM concepts, incident response basics, risk frameworks, physical security, BCP/DR, application security, the lot. Even if you work across several domains like I do, there are always areas you've quietly been ignoring. For me, the cryptography domain was a useful refresher: I work with TLS and AD-related crypto every day, but I had never really sat down and properly understood the theory behind block cipher modes or the failure conditions of common protocols. The risk management and BCP/DR sections were similar: things I had touched on or knew the procedures for, but had never thought about systematically. Going through this kind of structured curriculum forces you to actually fill the gaps you have been pretending don't exist.
Concepts beat product depth
This is something the cert reinforced for me, and I think it's worth saying out loud: in security, knowing concepts in depth matters far more than knowing one specific technology super deeply. Vendors come and go, products get rebranded or killed off, and today's hot tool will be legacy in five years. But the underlying concepts, how authentication actually works, why a key exchange protocol is or isn't secure, what segmentation is really protecting you from, those don't change. The SSCP leans hard into a vendor-neutral, concept-first approach, and after going through the curriculum I'm fully sold on it. Knowing Entra ID IAM inside out is useful; understanding the principles of identity and access management in a way that survives switching to GCP, Azure, or whatever comes next is more useful. Same for crypto: knowing how to drive OpenSSL is a skill, knowing why a particular cipher mode is appropriate for your threat model is a way of thinking. The cert pushed me much more firmly toward the second.
The exam questions are mostly fair
Some are tricky, sure, but I never felt I was being tested on trivia. There were no gotcha questions about a vendor product nobody uses, no obscure CVEs from 2003. Most questions are scenario-based: here is a situation, here are four reasonable-looking options, what is the best response. And "best" is doing some heavy lifting there; more on that in a second. The CAT format itself was less stressful than I expected. I'd assumed an adaptive exam would feel punishing, but in practice you just answer the question in front of you and move on. You don't even know exactly when it will end, which is oddly relaxing once you accept it.
You come out with a mental map
This is the hardest one to articulate, but it might be the most valuable. Before the SSCP I knew lots of things about security, but as a bunch of disconnected islands. After it, I had an actual structure to hang those islands on. When I read about a new attack technique now, I can usually slot it into the right domain in my head and reason about which controls would or wouldn't help. That kind of mental scaffolding is exactly what a generalist cert should give you, and SSCP delivers it.
What I didn't like
It claims to be hands-on, but you have to think like a manager
The SSCP is marketed as the practitioner cert, the one for people actually doing the day-to-day work. In practice, the exam wants you to abstract one level up almost constantly. A lot of questions reward you for stepping back and looking at the bigger picture, even when the "obvious" technical fix is right there in front of you. This isn't necessarily wrong, good security people should think strategically, but it does feel a bit dishonestly marketed if you go in expecting a deep technical exam. If you're more of a "let me get in there and fix it" person, you will need to consciously suppress that instinct.
You will need to develop the "ISC2 mindset"
This is closely related to the previous point, but specific to how the exam scores you. There's a recurring pattern: you get a scenario, then four answers. One is clearly wrong. Two are technically correct. One is almost correct but has a minor flaw. Now you have to pick the "best" of the two correct ones, and ISC2 has a definite preference about what "best" means.
For example, you might get a question where the choices include something like "implement a SIEM, set up alerts, create the relevant playbooks, and train your team to use it" versus "perform a risk assessment, identify your critical assets, and implement controls based on the results". Both are valid answers. ISC2 wants the second one almost every time. Risk-first, then controls. Strategy before tooling. Once you internalise that pattern, your practice scores jump noticeably, which is itself a slightly weird thing to admit about a "knowledge" exam.
The annual maintenance fee
Once you pass, congratulations! You now owe ISC2 $135 per year, every year, to keep your shiny badge valid. On top of that, you have to log Continuing Professional Education credits (60 over a three-year cycle for SSCP) by attending webinars, reading approved content, contributing to the security community, that sort of thing. I get why this exists. Security knowledge ages like milk, not wine, and a stale credential helps no one. But it does have the faint flavour of a subscription model. Knowledge as a Service.
The endorsement process... honestly: why?
This one I want to rant about a bit, because it baffled me. Passing the exam is not enough. You passed? Great, but you do not actually receive your certification until an existing ISC2 member formally endorses you, vouching that you are a real human being with real experience and reasonable ethics.
If you are the first person in your network to get ISC2 certified, things get fun. You then have to apply directly to ISC2, who will essentially run a job-application-grade background check on you. You will have to send them one of the following: an employment contract, multiple paystubs (three for each year you claim experience), every contract extension, tax forms for each working year plus one extra, yearly performance evaluations. I am not making any of that up.
I get the intent: protect the brand, make sure the cert means something. But the execution is bizarre. I just paid hundreds of euros to take a strictly proctored exam, sat in a controlled environment with biometric checks, and passed. ISC2 already knows I am a real person, they already have my work history from the application, and they already verified my identity at the testing centre. The endorsement step on top of all of that feels less like quality control and more like a guild ceremony from a different century. The single most useful piece of advice I can give anyone starting this journey: line up your endorser before you start studying. Do not be the person who passes the exam and then has to start mailing scanned tax forms across the Atlantic.
The recognition gap
Most non-security people in IT have heard of CISSP. A lot of HR systems list it as a desired credential, and recruiters know it as shorthand for "this person has been around the block". SSCP? Hit and miss. Some recruiters know exactly what it is. Others squint at it like you've put down a Pokémon card. In US federal and DoD contexts the SSCP has more visible weight (it sits on the 8570/8140 approved lists), but in the European market, and especially the German-speaking one I work in, it has a lot less name recognition. This is a shame, because it really is a solid mid-level cert. But practically speaking, "I am SSCP certified" is a line you might find yourself explaining at interviews, instead of one that opens doors on its own.
Who should bother?
After all that, here's who I'd genuinely recommend the SSCP to:
- Junior to mid-level security folks: If you already have some security experience and want to solidify your knowledge across the board, this is the right cert. It will probably overlap with what you do day-to-day, but it will also give you fresh framing, fill in gaps you didn't realise you had, and look respectable on a CV.
- IT generalists looking to break properly into security: If you're coming from a sysadmin or network background and you want to make the pivot, the SSCP is a reasonable target. Just be ready to put in serious work, especially if you don't quite have the experience requirement yet. The materials and the exam are not friendly to people trying to learn the basics from scratch.
Who I would not recommend it to:
- Senior security engineers and architects: If you're already a senior, large parts of this cert will be revision. Your time and money are probably better invested in CISSP, a vendor-specific deep dive, or a specialised cert in your area.
- People who already came up through the CompTIA path: I'm guessing here, but the content overlap between SSCP and Security+/CySA+ looks substantial. Unless you specifically want into the ISC2 ecosystem, I'd think twice.
- Anyone hoping a cert alone will land them a job: No cert is a magic ticket, and SSCP is no exception. It will support your case, but it won't make it. And honestly, if your only motivation is getting hired, you probably won't make it through the material anyway.
Final thoughts
Would I do it again? Honestly... I'm not sure. I'm glad I have it, I learned a lot from the process, and the training week was genuinely fun. It forced me to close knowledge gaps I'd been quietly avoiding and gave me a much better feel for the bigger picture, especially around process, setup and strategy. Was it transformative? Not really. Did it teach me everything I need to know about security? Not even close. But it did give me a structured, recognised baseline, and it pushed me to think more strategically than I usually have to in my day job.
If your employer is willing to sponsor it, take the offer. The training alone is worth the price tag, and the cert is a perfectly nice addition to your CV. If you're paying out of pocket, ask yourself honestly whether this is the right rung on the ladder for you, or whether something cheaper (Security+) or longer-term (saving for CISSP) fits your trajectory better. The cert is good. It's just not magic.
And don't be too scared of the certification process itself. The exam is challenging, but it's not designed to be a gatekeeper. It's designed to validate that you have a solid understanding of the material. If you know your stuff, you will pass. If you don't, you will learn a lot trying. Either way, it's a worthwhile journey if you are the right fit for it.