16% of the August 2026 CCSP exam โ approximately 16 scored questions (CAT format)
| Detail | Info |
|---|---|
| Certification | CCSP โ Certified Cloud Security Professional (ISC2) |
| New Outline Effective | August 1, 2026 |
| Exam Format | Computerized Adaptive Testing (CAT) โ since October 2025 |
| Questions | 100โ150 (~25 unscored pretest items) |
| Duration | 3 hours |
| Passing Score | 700 out of 1000 |
| Testing Provider | Pearson VUE |
| Domains | 6 domains |
| Domain | Topic | Weight | ~Questions |
|---|---|---|---|
| 1 | Cloud Concepts, Architecture & Design | 17% | ~17 |
| 2 | Cloud Data Security | 20% | ~20 |
| 3 | Cloud Platform & Infrastructure Security | 17% | ~17 |
| ★ 4 | Cloud Application Security <this page> | 16% | ~16 |
| 5 | Cloud Security Operations | 17% | ~17 |
| 6 | Legal, Risk & Compliance | 13% | ~13 |
Note: Domain 4 weight decreased from 17% โ 16% in the August 2026 outline. Total = 100%.
The majority of successful breaches target application-layer weaknesses โ injection flaws, broken authentication, and misconfigured APIs. The CCSP exam tests whether candidates can identify and mitigate these in cloud-native architectures.
With LLM applications proliferating across cloud platforms, ISC2 explicitly added the OWASP LLM Top-10 to Domain 4. Candidates must understand prompt injection, training data poisoning, and excessive agency risks.
Security testing is now embedded in CI/CD pipelines. CCSP candidates must know SAST, DAST, IAST, and SCA and when each applies in the development lifecycle โ a core exam theme.
Federated identity, SSO, CASB, and MFA are foundational to cloud security. Domain 4.7 tests practical knowledge of how these controls are designed and enforced in multi-cloud environments.
Deep-dive across all 7 subdomains of Domain 4 (August 2026 outline)
LLM01 Prompt Injection is the highest-priority risk: attackers manipulate LLM inputs to override system instructions or exfiltrate data. LLM08 Excessive Agency occurs when an LLM can take actions beyond what is necessary, amplifying any compromise.
| Methodology | Cadence | Security Integration |
|---|---|---|
| Waterfall | Sequential, single release | Security testing at end (penetration test gate) |
| Agile | Iterative sprints (2โ4 weeks) | Security requirements in each sprint; threat model per feature |
| DevSecOps | Continuous delivery | SAST/DAST/SCA automated in CI/CD; security as code |
| Method | Knowledge | When Used | Finds |
|---|---|---|---|
| Blackbox | No internal knowledge | External pen test, user acceptance | Externally visible vulnerabilities |
| Whitebox | Full source code access | Internal code review, audit | Logic flaws, hidden back doors |
| SAST | Source code (static) | CI/CD pipeline โ before build | Code-level flaws without running app |
| DAST | Running app (dynamic) | CI/CD pipeline โ staging/test | Runtime issues, auth failures, injection |
| IAST | Agent inside running app | QA environment | Hybrid of SAST + DAST; real-time |
| SCA | Dependency manifest | CI/CD โ on every build | Vulnerable open-source components (CVEs) |
| Component | Purpose | Key Capability |
|---|---|---|
| WAF | Web Application Firewall | Filters HTTP/HTTPS traffic; blocks OWASP Top-10 attacks at Layer 7 |
| DAM | Database Activity Monitoring | Monitors SQL queries; detects unauthorized access and SQL injection |
| XML Firewall | XML/SOAP Message Validation | Validates XML schema; protects SOAP web services from malformed messages |
| API Gateway | Centralized API Management | Auth enforcement, rate limiting, logging, transformation, routing |
| Load Balancer | Traffic Distribution | DDoS mitigation, SSL termination, health checks, horizontal scaling |
| Concept | Description | Protocol/Tool |
|---|---|---|
| Federated Identity | Trust relationship between IdP and service provider; users authenticate once to the IdP | SAML 2.0, OIDC |
| Identity Provider (IdP) | Central authority that authenticates users and issues tokens/assertions | Okta, Azure AD, Auth0 |
| SSO | Single Sign-On: one authentication grants access to multiple applications | SAML 2.0, OIDC/OAuth 2.0 |
| MFA | Multi-Factor Authentication: something you know + have + are | TOTP, FIDO2/WebAuthn |
| CASB | Cloud Access Security Broker: enforces security policies between users and CSPs | Microsoft Defender for Cloud Apps, Netskope |
Six mnemonics to lock in Domain 4 concepts before exam day
Spoofing โ impersonating another user or system
Tampering โ modifying data or code without authorization
Repudiation โ denying an action occurred (no audit trail)
Information Disclosure โ unauthorized data exposure
Denial of Service โ making a resource unavailable
Elevation of Privilege โ gaining unauthorized higher-level access
SAST (Static) โ reads the source code without running it; catches issues early in CI/CD
DAST (Dynamic) โ runs the application and attacks it like an outsider; finds runtime issues
IAST (Interactive) โ rides along inside the running app via instrumentation agents; hybrid approach
SCA (Software Composition Analysis) scans dependency manifests for known CVEs โ use it on every build.
The highest-priority LLM risks: Prompt Injection (LLM01), Insecure Output Handling (LLM02), training data Errors/Poisoning (LLM03), and Model DoS (LLM04).
LLM01 Prompt Injection is the #1 risk: attacker injects instructions into the prompt to override system behavior. LLM08 Excessive Agency means the model is given too much autonomy โ it can take damaging actions if compromised.
A CASB (Cloud Access Security Broker) sits between users and cloud applications โ just like TSA sits between travelers and the aircraft. It inspects traffic, enforces policy, discovers shadow IT (unauthorized apps employees use), and prevents data leakage.
CASB deployment modes: API-based (out-of-band, discovers shadow IT post-facto) and inline/proxy (real-time enforcement, can block).
WAF (Web Application Firewall) is a Layer 7 firewall that inspects HTTP/HTTPS traffic and blocks common attacks (OWASP Top-10). It's the wall around the application.
API Gateway manages API routing, authentication enforcement, rate limiting, and logging. It's the intelligent door that decides who gets in and what they're allowed to request.
PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling framework in 7 stages:
1. Define business objectives → 2. Define technical scope → 3. Decompose application → 4. Analyze threats → 5. Identify vulnerabilities → 6. Enumerate attack scenarios → 7. Risk & impact analysis
Unlike STRIDE (which categorizes threats per component), PASTA links threats back to business risk impact โ making it more executive-friendly.
10 vignette-style scenario questions โ Domain 4: Cloud Application Security
Review the concepts above and try again.
Click any card to flip it โ 8 key Domain 4 concepts
Spoofing • Tampering • Repudiation • Information Disclosure • Denial of Service • Elevation of Privilege
Mnemonic: "Students Taking Rides In Dark Elevators"
Used during design phase to identify threats per component/trust boundary.
SAST: Static โ analyzes source code without running it; finds issues before build; "shift-left."
DAST: Dynamic โ tests the running application externally; finds runtime issues, auth failures, injection.
IAST: agents inside running app โ hybrid of both; real-time instrumentation.
Attacker crafts input that overrides or manipulates the LLM's system prompt, causing it to ignore safety instructions, leak data, or take unauthorized actions.
Direct: user prompt overrides system prompt.
Indirect: malicious content in retrieved documents hijacks the model.
Mitigation: input sanitization, privilege separation, output validation.
Cloud Access Security Broker
Sits between users and cloud services. Enforces security policy in real-time.
Key functions: Shadow IT discovery, DLP enforcement, malware detection, compliance monitoring, access control.
Modes: API-connected (discovery) or inline/proxy (enforcement).
Scans dependency manifests to identify open-source components with known CVEs.
Tools: OWASP Dependency-Check, Snyk, Black Duck.
Output feeds the SBOM (Software Bill of Materials) โ inventory of all software components enabling rapid CVE response.
Run on every CI/CD build โ blocks vulnerable libraries from entering production.
API1 in OWASP API Security Top-10
Also called IDOR (Insecure Direct Object Reference).
API returns data for any object ID without verifying the requester owns or is authorized to access it.
Fix: enforce authorization checks server-side for every API endpoint โ never trust client-supplied IDs alone.
Layer 7 (application-layer) firewall that inspects and filters HTTP/HTTPS traffic.
Blocks OWASP Top-10 attacks: SQL injection, XSS, SSRF, broken access control attempts.
Deployed inline (reverse proxy) or as a cloud-native service (AWS WAF, Azure WAF).
WAF โ API Gateway: WAF blocks bad traffic; API Gateway routes and authenticates API calls.
Trust relationship between an Identity Provider (IdP) and Service Providers (SPs).
SAML 2.0: XML-based assertions; enterprise SSO; IdP issues signed assertion to SP.
OIDC: identity layer on OAuth 2.0; JWT ID tokens; used in mobile/web apps.
Enables SSO across multiple cloud applications without re-authentication.
Track your readiness across the 5 key Domain 4 topic areas
Know all four threat modeling frameworks (STRIDE, DREAD, PASTA, ATASM) and when each applies. PASTA is risk-centric and business-aligned; STRIDE categorizes by threat type; DREAD gives numeric priority scores. Understand the difference between Waterfall, Agile, and DevSecOps security integration patterns.
The exam loves distinguishing these four testing methods. Master the "when in the pipeline" aspect: SAST and SCA run before build; DAST runs against a deployed test instance; IAST instruments a running app in QA. Abuse case testing is the deliberate-misuse counterpart to use case testing.
BOLA (Broken Object Level Authorization) is the #1 API risk โ understand it deeply. Know OAuth 2.0 vs. SAML 2.0 vs. OIDC for API auth. SBOMs, code signing, and dependency scanning are the supply chain controls. Rate limiting prevents API4 (resource consumption) attacks.
Know the distinction between WAF (Layer 7 traffic filter) and API Gateway (routing + auth management). CASB modes: API-connected discovery vs. inline enforcement. For containers, understand Kubernetes namespaces + network policies for isolation, and image signing for supply chain. CASB is the primary control for shadow IT.
This is the newest testable content in the August 2026 outline. Focus on LLM01 (Prompt Injection โ most critical), LLM03 (Training Data Poisoning), LLM08 (Excessive Agency), and LLM04 (Model DoS). For API security, BOLA (API1) is the top risk. Know these by number for the exam.
Authoritative links for CCSP Domain 4 exam preparation
| Detail | Info |
|---|---|
| Domain Weight | 16% (~16 scored questions) |
| Subdomain Count | 7 subdomains (4.1โ4.7) |
| Key NEW Topics (2026) | OWASP LLM Top-10, OWASP API Security Top-10 |
| High-Frequency Topics | STRIDE, SAST/DAST/IAST, CASB, BOLA, Federated Identity, DevSecOps |
| Passing Score | 700 / 1000 |
| Exam Format | CAT โ 100โ150 questions, 3 hours, Pearson VUE |
| New Outline Effective | August 1, 2026 |
| Official URL | isc2.org/certifications/ccsp |
FlashGenius offers interactive study guides, scenario-based quiz questions, and memory-optimized flashcards for all 6 CCSP domains. Build a consistent daily practice and arrive at the exam confident.
Start Free at FlashGenius