The CCSP Is Changing in August 2026 — Here's What You Need to Know
The Big Picture
ISC2 is releasing an updated CCSP exam outline effective August 1, 2026. If you're studying for the CCSP right now or planning to sit in the next few months, this affects your timeline and your study plan. Let's cut through the noise and talk about what's actually changing, what isn't, and what it means for your prep.
The short version: this is the first major CCSP update to weave AI security across all six domains. It's not a different exam. It's the same exam with a modern lens. Cloud security doesn't exist in a vacuum anymore, and the exam outline is catching up to what cloud security professionals are actually dealing with in 2026.
What's Staying the Same
Before anyone panics, let's start with the stuff that hasn't moved. The exam structure is identical. You're still looking at six domains, 100 to 150 questions in a Computerized Adaptive Testing format, a three-hour time limit, and a passing score of 700 out of 1000. None of that changed.
The experience requirements are the same too. You still need five years of cumulative paid work experience in IT, with three of those years in information security and at least one year in one or more of the six CCSP domains. An associate path is still available if you don't meet the experience requirement yet.
And the fundamental focus of the exam hasn't shifted. This is still a cloud security certification. The six domains still cover cloud concepts, architecture, design, data security, platform and infrastructure security, application security, operations, and legal and compliance. If you've been studying cloud security fundamentals, that knowledge is still the backbone of the exam.
What's New: AI Security Across Every Domain
Here's where it gets interesting. ISC2 didn't bolt on a seventh domain about AI. Instead, they integrated AI and machine learning security considerations into each of the existing six domains. This is a smarter approach than creating a standalone section because in practice, AI security isn't a separate discipline — it's a set of considerations that touches everything from infrastructure to compliance.
Here's what that looks like domain by domain.
Domain 1: Cloud Concepts, Architecture, and Design
The new outline adds evaluation criteria for cloud service providers that host AI workloads. You'll need to understand what high-performance compute enclaves look like for AI model training — how GPU clusters are provisioned, isolated, and secured in a multi-tenant cloud environment. This isn't about knowing how to train a model. It's about knowing what questions to ask when your organization wants to run AI training jobs on a CSP's infrastructure.
Domain 2: Cloud Data Security
Data security picks up new ground around protecting data lakes and training datasets. If an organization is building machine learning models, those training sets are high-value targets — poison the training data and you poison the model. The new outline also covers homomorphic encryption and differential privacy as protection mechanisms during inference, which is when a deployed model is processing real data and generating predictions. These aren't theoretical concepts anymore. They're showing up in cloud provider offerings and in vendor security assessments.
Domain 3: Cloud Platform and Infrastructure Security
This domain now includes securing virtualization and containerization specifically for ML model deployment. If you've worked with Kubernetes in a cloud environment, the concepts are familiar — but the attack surface is different when you're running model serving infrastructure. Micro-segmentation for AI compute clusters is explicitly called out, meaning you need to understand how to isolate AI workloads from the rest of the environment at the network level.
Domain 4: Cloud Application Security
Domain 4 is where the most visibly "AI-specific" content lives. The new outline covers inference attacks at the application layer — adversarial inputs designed to make models produce incorrect outputs. It also addresses securing AI-augmented applications, which is the reality for most organizations now: you're not building standalone AI systems, you're embedding AI capabilities into existing applications. And yes, prompt injection defense is in there. If your organization deploys anything with a language model behind it, prompt injection is a real attack vector, and the exam now expects you to understand how to mitigate it.
Domain 5: Cloud Security Operations
Operations picks up AI and ML as tools for threat hunting — using machine learning to identify anomalous patterns in cloud telemetry. But the more interesting addition is model drift detection as a security incident. When a deployed model's behavior changes over time without an intentional update, that could be degradation or it could be a sign of data poisoning or model tampering. Treating drift as a security event rather than just a performance issue is a significant conceptual shift, and the new exam expects you to understand why it matters.
Domain 6: Legal, Risk, and Compliance
The compliance domain now includes regulatory requirements for automated data processing, which means you need to understand what GDPR says about automated decision-making, what the EU AI Act requires for high-risk AI systems, and how explainability requirements affect cloud-deployed models. This is the domain where AI security meets governance, and it's where a lot of organizations are struggling right now. The exam is reflecting that reality.
What This Means for Your Study Plan
The practical question everyone is asking: what do I study?
If you're sitting for the exam before August 1, 2026, study the current outline. Full stop. The current exam is the current exam. Don't try to study both outlines. Focus on what you'll actually be tested on.
If you're sitting for the exam on or after August 1, 2026, study the new outline. The AI security topics are woven into each domain, so they'll show up throughout the exam rather than being concentrated in one section. That means you can't skip them and hope to make up points elsewhere.
Here's the thing that should calm some nerves: the core cloud security knowledge is the same across both versions. The new outline is an overlay, not a replacement. If you understand cloud architecture, data protection, infrastructure security, application security, operations, and compliance — you have the foundation. The AI content is a new dimension applied to that existing foundation. You're not starting over. You're extending what you already know.
Don't Rush to Avoid It
I'm already seeing people in study groups talking about rushing to sit before August 1 to avoid the AI topics. I'd push back on that for a couple of reasons.
First, if rushing means you sit before you're ready, you're trading a topic you don't want to study for a failing score. That's not a good trade. The exam doesn't care why you sat early. It only cares whether you demonstrated competency.
Second, AI security knowledge is increasingly required in cloud security roles regardless of what's on a certification exam. If you're a CCSP holder, your employers and clients expect you to have an informed opinion on how AI workloads should be secured in cloud environments. The new exam reflects what the market already expects. Avoiding the topic on the exam doesn't mean you get to avoid it at work.
Third, the new exam better reflects what employers actually need. When a hiring manager sees CCSP on your resume after August 2026, they'll know you were tested on AI security. That's a differentiator, not a burden. It makes the certification more valuable, not less.
We're Ready. You Should Be Too.
TheCertCoach's CCSP track is already built for the August 2026 outline. Our study modules, practice questions, and exam simulations cover every domain including the new AI security integration. If you're planning to sit after August 1, you're studying the right material from day one.
The CCSP is one of the most respected cloud security certifications in the industry, and this update makes it more relevant, not less. Whether you're starting fresh or adding CCSP to an existing certification portfolio, the path is the same: understand the domains, practice the reasoning, and sit when you're ready.