CCO-F Exam Domains
6 domains. 180 minutes. Every question is a scenario you will face in production. This is exactly what the exam tests and how to prepare for it.
180
Minutes
6
Domains
100%
Scenario-Based
70%
Passing Score
How the Exam Works
The CCO-F is a 3-hour, scenario-based exam. You will be presented with realistic enterprise scenarios and asked to make architectural decisions, identify security flaws, calculate risk, trace protocol behavior, and design compliance-ready systems. Every question requires applied reasoning. There are no vocabulary flashcard questions, no "which of the following best describes" prompts, and no trick wording. If you can operate at the foundational level, you will pass. If you only memorized definitions, you will not.
Domain Weights
Exam Composition
Detailed Breakdown
Exam Domains
Security Architecture and Zero Trust Design
This is the heaviest domain because architecture is where production security succeeds or fails. You will design security architectures for realistic enterprise scenarios, identify architectural flaws, and demonstrate that you understand why defense-in-depth matters more than any individual control.
Competencies Tested
- ✓ D1.1 Design a Zero Trust architecture for a multi-site enterprise with hybrid cloud infrastructure
- ✓ D1.2 Implement microsegmentation strategies that balance security with operational performance
- ✓ D1.3 Evaluate and select identity providers, MFA implementations, and conditional access policies
- ✓ D1.4 Identify architectural vulnerabilities in existing network diagrams and propose remediations
- ✓ D1.5 Design east-west traffic inspection and lateral movement prevention controls
- ✓ D1.6 Architect defense-in-depth strategies that account for control failure at every layer
- ✓ D1.7 Map security architecture decisions to business risk tolerance and operational requirements
Sample Scenario Type
"A regional bank with 12 branches is migrating from a hub-and-spoke VPN to a Zero Trust model. Their current architecture relies on perimeter firewalls and VLAN segmentation. They have 3 legacy applications that cannot support modern authentication. Design the target architecture, identify the migration risks, and propose a phased transition plan that maintains security during the migration."
Risk Quantification and Threat Analysis
Security decisions without quantified risk are guesses. This domain tests whether you can translate security events and architectural decisions into financial risk metrics that executives and boards can act on. You will use FAIR methodology, build threat models, and calculate annualized loss expectancy for realistic scenarios.
Competencies Tested
- ✓ D2.1 Apply FAIR (Factor Analysis of Information Risk) to quantify loss exposure for specific threat scenarios
- ✓ D2.2 Calculate annualized loss expectancy (ALE) using threat event frequency and loss magnitude
- ✓ D2.3 Build threat models using STRIDE/PASTA for enterprise applications and infrastructure
- ✓ D2.4 Prioritize remediation efforts based on quantified risk reduction per dollar spent
- ✓ D2.5 Translate technical risk findings into board-level risk language with financial impact projections
- ✓ D2.6 Evaluate threat intelligence feeds and map adversary TTPs to organizational attack surface
- ✓ D2.7 Distinguish between qualitative risk theater and quantitative risk analysis in real assessment outputs
Sample Scenario Type
"A healthcare organization processes 2.3 million patient records annually. A vulnerability scan found an unpatched Apache Struts instance exposed to the internet. Using FAIR methodology, quantify the annualized loss exposure for this specific vulnerability. Include threat event frequency estimation, primary and secondary loss magnitude, and a risk-adjusted recommendation for the CISO on remediation priority vs. the $180K budget remaining this quarter."
Cryptographic Operations and Protocol Security
Cryptography is not about memorizing key sizes. It is about understanding how protocols behave in production, diagnosing failures from packet traces, and planning for the post-quantum transition. You will trace real handshakes, identify misconfigurations, and evaluate cryptographic implementation decisions.
Competencies Tested
- ✓ D3.1 Trace a TLS 1.3 handshake from ClientHello to Application Data and identify where failures occur
- ✓ D3.2 Diagnose certificate chain validation failures in production environments
- ✓ D3.3 Evaluate cipher suite configurations and identify weak or deprecated selections
- ✓ D3.4 Assess post-quantum cryptography readiness: NIST PQC standards (ML-KEM, ML-DSA, SLH-DSA) and migration timelines
- ✓ D3.5 Design key management architectures for multi-environment deployments (HSM, KMS, envelope encryption)
- ✓ D3.6 Identify cryptographic implementation anti-patterns (ECB mode, static IVs, key reuse, timing side-channels)
Sample Scenario Type
"You are given a Wireshark capture of a TLS connection that is failing intermittently between two microservices. The ClientHello shows TLS 1.3 with supported_versions, but the connection resets after ServerHello. Identify the root cause from the handshake trace, explain the failure mechanism, and specify the configuration change needed to resolve it."
Cloud-Native Security Architecture
Most enterprise workloads are cloud-native now. This domain tests whether you can secure them. You will review AWS Landing Zones, evaluate IAM policies, design container security strategies, and identify misconfigurations that lead to breaches. No on-premise network diagrams here.
Competencies Tested
- ✓ D4.1 Audit and remediate AWS/Azure/GCP Landing Zone configurations for security gaps
- ✓ D4.2 Design least-privilege IAM policies and identify overly permissive role assumptions
- ✓ D4.3 Secure container orchestration (Kubernetes RBAC, Pod Security Standards, network policies)
- ✓ D4.4 Evaluate serverless function security: execution role scope, event injection, cold start attack surface
- ✓ D4.5 Design cross-account and multi-cloud security boundaries with service control policies
- ✓ D4.6 Implement cloud-native logging, monitoring, and detection strategies (CloudTrail, GuardDuty, CSPM)
Sample Scenario Type
"An e-commerce company runs 14 microservices on EKS across 3 AWS accounts. Their landing zone uses a shared VPC model. A recent penetration test found that a compromised pod in the payment service namespace could reach the database pods in the inventory namespace. Review the provided Kubernetes network policies and AWS security group configurations. Identify the misconfiguration, explain the attack path, and design the corrected network policy."
AI and Agent Security Foundations
No other certification covers this. Enterprises are deploying AI agents that access sensitive data, make autonomous decisions, and interact with customers and internal systems. This domain tests whether you understand the new attack surface these systems create and how to secure them at the architecture level.
Competencies Tested
- ✓ D5.1 Identify attack surfaces in LLM-based agent systems: prompt injection, tool misuse, data exfiltration via agent actions
- ✓ D5.2 Design guardrails and sandboxing for autonomous AI agents with tool access
- ✓ D5.3 Evaluate multi-agent orchestration security: inter-agent trust, privilege escalation across agent boundaries
- ✓ D5.4 Assess AI-powered attack vectors: polymorphic malware generation, deepfake social engineering, automated vuln discovery
- ✓ D5.5 Design human-in-the-loop controls for high-risk agent decisions
- ✓ D5.6 Apply OWASP Top 10 for LLMs and map mitigations to production agent architectures
Sample Scenario Type
"A financial services firm deploys a multi-agent system where Agent A handles customer queries, Agent B retrieves account data, and Agent C executes transactions. Agent A accepts natural language input from customers. Identify the attack paths that could allow a customer to escalate Agent A's prompt into unauthorized data retrieval via Agent B or unauthorized transactions via Agent C. Design the security controls needed at each agent boundary."
Compliance Architecture and Regulatory Operations
Compliance is not a checkbox exercise. It is an architecture problem. This domain tests whether you can design systems that satisfy regulatory requirements by default, not as an afterthought. You will map regulations to technical controls and design audit-ready evidence pipelines.
Competencies Tested
- ✓ D6.1 Map EU AI Act risk tiers to enterprise AI deployments and determine compliance obligations
- ✓ D6.2 Apply SR 11-7 model risk management principles to LLM-based agent systems in banking
- ✓ D6.3 Design compliance-as-code architectures that generate audit evidence automatically
- ✓ D6.4 Navigate overlapping regulatory requirements (NIS2, DORA, GDPR, industry-specific mandates)
- ✓ D6.5 Design data governance architectures that satisfy cross-border transfer and residency requirements
Sample Scenario Type
"A European bank uses an LLM-based agent for credit decisioning support. The system is deployed on AWS eu-west-1. Under EU AI Act Article 6, this qualifies as a high-risk AI system. Simultaneously, the bank's model risk team requires SR 11-7 compliance for all models influencing credit decisions. Map the technical controls needed to satisfy both regulatory frameworks concurrently. Identify where the requirements overlap and where they create conflicting obligations."
Preparation
Study Guide Mapping
The CCO-F aligns with The Agentic AI Professional Series. The books teach the concepts. The exam tests whether you can apply them under realistic conditions.
| Domain | Weight | Primary Study Material | Supplementary |
|---|---|---|---|
| D1: Security Architecture | 25% | Vol I: Foundations (Architecture, PEAS) | Vol II: Production-Grade Agents |
| D2: Risk Quantification | 20% | Vol I: Foundations (Consulting Playbooks) | Vol II: Failure Analysis |
| D3: Cryptographic Ops | 15% | Vol I: Foundations (Protocol Security) | NIST SP 800-208, FIPS 203/204/205 |
| D4: Cloud-Native Security | 15% | Vol II: Production-Grade Agents | AWS/Azure/GCP security docs |
| D5: AI/Agent Security | 15% | Vol III: Multi-Agent Systems | Vol V: Orchestration Handbook, OWASP LLM Top 10 |
| D6: Compliance Arch | 10% | Vol VII: 2026 Regulatory Wave | EU AI Act text, SR 11-7 guidance |
Individual volumes: $49 each. Complete bundle: $249.
How to Prepare
Read the study material, but do not just read it.
After each chapter, close the book and try to apply what you learned to a real system you have worked on. If you cannot, you have not learned it yet. The exam tests application, not recall.
Practice with real scenarios, not flashcards.
Set up a lab. Deploy a misconfigured Kubernetes cluster and secure it. Capture a TLS handshake and trace it. Build a threat model for an application you use at work. Run a FAIR analysis on a real vulnerability.
Spend extra time on Domain 1 and Domain 2.
Together they account for 45% of the exam. If you can architect secure systems and quantify risk with FAIR, you are halfway to passing before you touch the other four domains.
Know the 2026 landscape. Not the 2020 landscape.
Post-quantum cryptography (ML-KEM, ML-DSA), EU AI Act enforcement timelines, OWASP LLM Top 10, multi-agent attack surfaces. If your study material is older than 2024, supplement it.
Ready to Prove You Can Operate?
Apply for the beta cohort and be among the first 50 professionals to earn the CCO-F credential. Free exam voucher.