A running record of certifications added, banks revised, and platform improvements. Most recent first.
May 2026 (most recent)
CCNA added. Cisco's Certified Network Associate (200-301 v1.1) is now live, bringing the canonical networking-vendor credential to Certmesa for the first time. The bank targets the Cisco 200-301 v1.1 exam topics. Catalog grows from 32 to 33 across 13 vendor families; Cisco joins the vendor list as a new section; a new networking discipline chip is introduced (cybersecurity stays at 17 because CCNA is networking, not cybersecurity).
- Certification added: CCNA, Cisco Certified Network Associate (150 questions, 6 domains). Question allocation matches Cisco's published 200-301 v1.1 weights to the percentage point: Network Fundamentals 20.0% (30 questions, target 20%), Network Access 20.0% (30, target 20%), IP Connectivity 25.3% (38, target 25%), IP Services 10.0% (15, target 10%), Security Fundamentals 14.7% (22, target 15%), Automation and Programmability 10.0% (15, target 10%). Pass threshold set to 82.5% reflecting the widely cited 825/1000 community estimate (Cisco does not publish the exact CCNA cut score officially).
- The bank emphasizes the Cisco IOS specifics that separate CCNA from CompTIA Network+: the canonical 'show ip route' output with route source codes (C connected, L local /32, S static, O OSPF, R RIP, D EIGRP, B BGP) and the trust ranking of administrative distances (connected 0, static 1, EIGRP internal 90, OSPF 110, IS-IS 115, RIP 120, EIGRP external 170, BGP internal 200); the default-route forwarding rule (longest prefix match wins, AD breaks ties, metric within a protocol breaks intra-protocol ties); single-area OSPFv2 with neighbour state progression Down / Init / 2-Way / ExStart / Exchange / Loading / Full, DR and BDR election by OSPF priority then router-id with the router-id selection cascade (explicit 'router-id', highest loopback, highest active interface), the OSPF cost formula (reference bandwidth / interface bandwidth with the legacy 100 Mbps reference and the recommended 'auto-cost reference-bandwidth' bump), OSPF network types (point-to-point skips DR / BDR; broadcast and NBMA elect them), and passive-interface; first-hop redundancy with Cisco-proprietary HSRP (active / standby with virtual MAC patterns 0000.0C07.ACxx for v1 and 0000.0C9F.Fxxx for v2), IETF VRRP (master / backup), and Cisco-proprietary GLBP (load-sharing across multiple Active Virtual Forwarders).
- Coverage of the canonical CCNA network access topics: VLANs in the normal range 1-1005 with VLAN 1 default and 1006-4094 extended range, voice VLAN learned by IP phones via CDP / LLDP-MED while the PC stays on the access VLAN, 802.1Q trunking with the native VLAN concept and best-practice disabling of DTP via 'switchport nonegotiate', CDP as Cisco-proprietary vs LLDP / IEEE 802.1AB as the open-standard equivalent, EtherChannel with LACP (IEEE 802.3ad / 802.1AX, modes active / passive) vs PAgP (Cisco-proprietary, modes desirable / auto), Rapid PVST+ with port roles root / designated / alternate / backup and port states discarding / learning / forwarding (Rapid PVST+ collapsing 802.1D's disabled / blocking / listening into one discarding state), PortFast plus BPDU Guard for access ports, the WLC and CAPWAP tunnel between lightweight APs and the WLC with DTLS-encrypted control plane, AP modes local / FlexConnect / sniffer / monitor / mesh, LAG between WLC and access switches, and the WLC GUI WLAN-creation workflow (SSID, dynamic-interface / VLAN mapping, WPA2 / WPA3 security setting, QoS profile).
- Coverage of the canonical CCNA security and IP-services topics: device access control with 'enable secret' (type 5 MD5 default or modern type 8 / 9), 'login local' against 'username ... secret ...' entries on VTY lines with 'transport input ssh' after 'ip ssh version 2' and an RSA key from 'crypto key generate rsa'; access-list semantics (numbered standard 1-99 / 1300-1999 matching source IP only, numbered extended 100-199 / 2000-2699 matching source / destination / protocol / port, the implicit deny at the end, place standard ACLs near the destination and extended ACLs near the source); Layer-2 security with DHCP snooping (trusted vs untrusted ports building a binding table), Dynamic ARP Inspection / DAI consuming the DHCP snooping table, and port security with violation modes protect / restrict / shutdown; AAA with TACACS+ on TCP 49 and full-payload encryption ideal for per-command authorisation vs RADIUS on UDP 1812 / 1813 with password-only encryption; WPA / WPA2-CCMP / WPA3-SAE wireless security; NAT with the inside local / inside global / outside local / outside global terminology and PAT (NAT overload); NTP client and master configuration; DHCP DORA with 'ip helper-address' relay and 'ip address dhcp' client mode; SNMP GET / SET / TRAP / INFORM and SNMPv3 vs SNMPv2c; syslog severities 0 Emergency through 7 Debug with 'logging host' and 'logging trap'; QoS PHB classification / marking / queuing / policing (drop or remark) vs shaping (buffer and rate-limit).
- Coverage of the automation and programmability domain increasingly emphasized in v1.1: traditional per-device CLI vs controller-based networking with centralised intent; software-defined architecture (underlay as the physical IP-routed network, overlay as the logical VXLAN-encapsulated topology, fabric as the combined system); generative AI for assistive Q&A and explanation vs predictive ML for anomaly detection and AIOps; REST APIs with the canonical CRUD-to-HTTP-verb mapping (Create = POST, Read = GET, Update = PUT or PATCH, Delete = DELETE), common authentication schemes (Bearer token, OAuth 2.0, API key, Basic auth, mTLS), and JSON / XML / YAML data encoding; configuration management tools (Ansible as agentless push using SSH or WinRM with YAML playbooks and idempotency, Puppet / Chef as agent-based pull, Terraform as declarative infrastructure provisioning with HCL and a state file); JSON syntax fundamentals (objects in curly braces, arrays in square brackets, the supported value types string / number / boolean / null / object / array, no built-in date type). Real exam: ~100 questions in 120 minutes with multiple choice, multiple response, drag-and-drop, fill-in-the-blank, testlet, simlet, and performance-based simulation items. This simulator is multiple-choice only.
- Generation note: distractor length parity, canonical Cisco terminology preserved verbatim (Cisco IOS, CDP and LLDP, IEEE 802.1Q trunking, EtherChannel with LACP and PAgP, Rapid PVST+, OSPFv2 with DR / BDR / LSDB / LSA types, HSRP / VRRP / GLBP, TACACS+ / RADIUS, WPA / WPA2-CCMP / WPA3-SAE, CAPWAP, FlexConnect, Cisco SD-Access fabric, Catalyst Center, REST / CRUD, Ansible / Terraform, JSON), no em-dashes, and balanced answer-position distribution were enforced from first draft. Audit shows 0 leakers across all 150 questions after light post-draft tuning (3 initial flags fixed by minor wording changes; no Strategy-B distractor padding needed). Fullscreen real-exam simulator at /certs/ccna/exam.html with a 100-question / 120-minute real-exam mode plus 25 / 50 / full-bank practice modes, mark-for-review, navigation grid, per-domain results, and post-exam explanations. Hero stats updated 32->33 certs, vendor families 12->13 (Cisco added), new networking discipline chip created (CCNA is the first cert in it).
May 2026 (earlier)
PT0-003 added. CompTIA's PenTest+ (V3) is now live, bringing the authorised penetration tester role to Certmesa. The bank targets the PT0-003 V3 objectives launched by CompTIA on December 17, 2024 (which retired the prior PT0-002 on June 17, 2025). Catalog grows from 31 to 32 across 12 vendor families; cybersecurity discipline reaches 17 cards; CompTIA vendor section grows from 5 to 6 exams (A+ Core 1, A+ Core 2, Network+, Security+, CySA+, PenTest+).
- Certification added: PT0-003, CompTIA PenTest+ V3 (150 questions, 5 domains). Question allocation matches CompTIA's published PT0-003 weights to the percentage point: Engagement Management 13.3% (20 questions, target 13%), Reconnaissance and Enumeration 21.3% (32, target 21%), Vulnerability Discovery and Analysis 17.3% (26, target 17%), Attacks and Exploits 34.7% (52, target 35%), Post-exploitation and Lateral Movement 13.3% (20, target 14%). Pass threshold set to 83% matching CompTIA's published 750/900 scaled cut score (identical anchor to Security+ and CySA+).
- The bank emphasizes the professional pentester role distinctions that separate PT0-003 from Security+ / CySA+: the documents that govern an authorised engagement (MSA as the master framework, SOW for specific scope, ROE for operational details, NDA for confidentiality, and the signed authorisation letter as the 'get-out-of-jail-free' document); legal and ethical compliance (mandatory reporting obligations for child sexual abuse material / CSAM, regulatory frameworks PCI-DSS for cardholder data / HIPAA for US PHI / GLBA for financial / SOC 2 / GDPR for EU personal data / FISMA for US federal); collaboration and communication (peer review of findings, defined escalation paths, communication triggers including domain-admin compromise and discovery of prior compromise, risk articulation in business terms); penetration test reports (executive summary for non-technical leadership, technical findings with reproduction steps and evidence, CVSS v3.1 base / temporal / environmental components with the canonical severity bands None 0.0 / Low 0.1-3.9 / Medium 4.0-6.9 / High 7.0-8.9 / Critical 9.0-10.0, EPSS for exploit-probability complement, remediation prioritisation by business impact, retesting after fixes, and secure delivery and retention of the report).
- Coverage of the canonical reconnaissance and enumeration toolset: passive recon via OSINT (Shodan for internet-exposed devices, theHarvester for emails / subdomains / hosts, Maltego for graph-based visualisation, recon-ng as a modular framework, Amass passive mode and crt.sh for subdomain discovery, the Wayback Machine for historical web content, Google dorks); active recon (Nmap with the canonical flag set -sS / -sT / -sU / -sV / -sC / -A / -O / -p / -p- / -Pn / -T0-T5, NSE script categories including safe / default / discovery / vuln / intrusive / brute, masscan for huge ranges, banner grabbing); DNS enumeration via dig AXFR / dnsrecon / dnsenum / Sublist3r / Subfinder; web recon via gobuster / ffuf / dirb / wfuzz / feroxbuster / whatweb / Wappalyzer plus robots.txt and sitemap.xml; packet analysis with Wireshark display filters and tcpdump BPF; and script modification in Python sockets / Requests / Scapy, PowerShell with AMSI and Constrained Language Mode considerations, Bash for / while loops with curl, and Ruby for Metasploit modules.
- Coverage of the vulnerability-discovery scanner surface area including the analysis paradigms SAST against source / bytecode at rest, DAST against the running app, IAST combining static and runtime with instrumentation, SCA against declared third-party libraries (Snyk, OWASP Dependency-Check, Dependabot), IaC scanning with Checkov / tfsec / KICS for Terraform / CloudFormation, container scanning with Trivy / Grype / Clair / Snyk Container; commercial and open-source discovery tools including Nessus / Tenable.io, OpenVAS / Greenbone, Qualys, Rapid7 InsightVM, Nikto for web servers, Burp Suite Professional scanner, OWASP ZAP, sqlmap, Wapiti, BloodHound for AD attack-path analysis with the SharpHound collector, and searchsploit for offline Exploit-DB lookup; plus the analyst skills of validating findings through safe manual reproduction, identifying false positives, identifying false negatives, prioritising by CVSS base score combined with business impact and exploit availability and EPSS, and distinguishing vulnerabilities from misconfigurations.
- Coverage of the canonical PT0-003 attacks-and-exploits domain (35% of the exam): network attacks including VLAN hopping via switch spoofing or double-tagging with native VLAN abuse, ARP poisoning with Ettercap, on-path / MitM, DNS spoofing, DHCP starvation and rogue DHCP, LLMNR / NBT-NS / mDNS poisoning with Responder for NetNTLMv2 hash capture, SMB relay with Impacket ntlmrelayx, NAC bypass; authentication attacks including online brute force with Hydra / Medusa, offline cracking with Hashcat / John the Ripper, password spraying, credential stuffing, pass-the-hash via Mimikatz / CrackMapExec / NetExec, pass-the-ticket, Kerberoasting against SPN-bearing accounts, AS-REP roasting against accounts without pre-authentication, golden tickets forged with the krbtgt hash and silver tickets forged with service-account hashes; host-based attacks including Linux SUID / sudo -l enumeration / kernel exploits / cron / writable PATH / Linux capabilities (CAP_SETUID, CAP_SYS_ADMIN), Windows unquoted service paths / AlwaysInstallElevated / SeImpersonatePrivilege via Potato attacks (Hot / Rotten / Juicy / RoguePotato / PrintSpoofer / GodPotato) / DLL hijacking, credential dumping with Mimikatz against LSASS / SAM / SYSTEM / ntds.dit, plus LinPEAS and WinPEAS as the canonical privesc-enumeration scripts; web application attacks against the OWASP Top 10 2021 (A01 Broken Access Control elevated from A05, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures including insecure deserialisation, A09 Security Logging and Monitoring Failures, A10 SSRF) plus XSS reflected / stored / DOM, CSRF, XXE, IDOR, command injection, file upload bypass, directory traversal; cloud-based attacks including IMDSv1 metadata service abuse at 169.254.169.254 with the IMDSv2 session-token mitigation, S3 bucket misconfigurations, over-permissive IAM policies with Action: * Resource: *, Docker socket exposure leading to container escape, --privileged container flags, Kubernetes default service account RBAC misuse, SSRF-to-metadata credential exfiltration; AI attacks including direct prompt injection, indirect prompt injection via retrieved documents / RAG sources, model jailbreaks bypassing safety guardrails, and training-data poisoning of fine-tune sets; wireless attacks including WPA2 four-way handshake capture via deauthentication for offline cracking, Evil Twin rogue APs, WPS PIN brute force via Reaver and Pixie Dust, and Karma-style probe-response attacks.
- Coverage of the post-exploitation and lateral movement domain: persistence on Windows via HKCU and HKLM Run / RunOnce registry keys, scheduled tasks via schtasks.exe, WMI event subscriptions for fileless trigger-based persistence, services installed with sc.exe create for SYSTEM-level autostart, DLL search-order hijacking; persistence on Linux via user crontabs and /etc/cron.*, systemd unit files in /etc/systemd/system, SSH authorized_keys, modified shell rc files (.bashrc / .profile); web shells as a persistent backdoor; lateral movement via PsExec over SMB port 445 to ADMIN$, WMIexec over WMI / DCOM port 135, WinRM PowerShell remoting over ports 5985 / 5986, RDP over 3389, SSH-based pivoting with -L / -R / -D for local / remote / dynamic SOCKS forwards, Chisel and ligolo-ng HTTP tunnels, sshuttle, Metasploit autoroute with socks_proxy, Cobalt Strike beacons over named pipes; Active Directory attack-path mapping with BloodHound and the SharpHound collector identifying Kerberoastable users, unconstrained delegation, and ACL abuse (GenericAll / GenericWrite / WriteDACL); cleanup and artefact removal in line with returning the environment to its pre-test state while preserving evidence in the tester's records; and documentation including a chronological attack narrative, timestamped screenshots with command-output transcripts, hash values for evidence integrity, chain of custody for forensic artefacts, and remediation tied to each finding. Real exam: maximum 90 questions in 165 minutes, with multiple-choice plus performance-based items. This simulator is multiple-choice only.
- Generation note: distractor length parity, canonical CompTIA / industry terminology preserved verbatim throughout (Nmap with its full flag set, Metasploit Framework written in Ruby, Burp Suite, OWASP ZAP, Wireshark, Mimikatz, Responder, BloodHound and SharpHound, sqlmap, Hydra and Medusa for online and Hashcat and John the Ripper for offline cracking, Impacket and CrackMapExec / NetExec, Cobalt Strike, Empire, LinPEAS and WinPEAS, Chisel and ligolo-ng for tunnels, the IMDSv1 / IMDSv2 session-token model, the canonical AD attacks Kerberoasting / AS-REP roasting / pass-the-hash / pass-the-ticket / golden ticket / silver ticket, OWASP Top 10 2021 with the elevated A01 Broken Access Control, CVSS v3.1 severity bands, EPSS, MITRE ATT&CK technique references, the seven-step CompTIA penetration-test process), no em-dashes, and balanced answer-position distribution were enforced from first draft. Audit shows 0 leakers across all 150 questions on initial authoring. Fullscreen real-exam simulator at /certs/pt0-003/exam.html with a 90-question / 165-minute real-exam mode plus 25 / 50 / full-bank practice modes, mark-for-review, navigation grid, per-domain results, and post-exam explanations. Hero stats updated 31->32 certs, cybersecurity discipline 16->17, CompTIA vendor 5->6 exams.
May 2026 (earlier)
ITIL4-F added. PeopleCert's ITIL 4 Foundation is now live, bringing the IT service management body of knowledge to Certmesa for the first time. The bank targets the current PeopleCert ITIL 4 Foundation syllabus. Catalog grows from 30 to 31 across 12 vendor families; process improvement discipline grows from 1 to 2 cards. PRINCE2-F has been migrated from its former AXELOS card to the same PeopleCert vendor section (PeopleCert acquired the full AXELOS portfolio in 2021), so ITIL4-F and PRINCE2-F now sit side by side; the AXELOS vendor section is retired and the vendor-family count stays at 12.
- Certification added: ITIL4-F, ITIL 4 Foundation (160 questions, 6 domains). Question allocation matches the PeopleCert syllabus weighting: Service Management Concepts 12% (19 questions), The Four Dimensions of Service Management 5% (8), The ITIL Service Value System 12% (19), The Seven Guiding Principles 12% (19), The Service Value Chain 10% (15), ITIL Practices 50% (80, covering all 15 in-detail practices). Pass threshold set to 65% matching the real PeopleCert ITIL 4 Foundation cut score (26 out of 40).
- The bank emphasizes the canonical ITIL 4 vocabulary that separates Foundation from earlier ITIL versions: the definition of a service as "a means of enabling value co-creation by facilitating outcomes customers want to achieve without the customer having to manage specific costs and risks"; utility (fitness for purpose) vs warranty (fitness for use, covering availability / capacity / continuity / security); the four service relationship roles (sponsor, customer, user, service provider); the Service Value System with its five components (guiding principles, governance, service value chain, practices, continual improvement); opportunity and demand as SVS inputs and value as SVS output; the six interconnected Service Value Chain activities (Plan, Improve, Engage, Design and transition, Obtain/build, Deliver and support); the four dimensions of service management (Organisations and people, Information and technology, Partners and suppliers, Value streams and processes) plus the PESTLE external factors that act on them; and the seven guiding principles (Focus on value, Start where you are, Progress iteratively with feedback, Collaborate and promote visibility, Think and work holistically, Keep it simple and practical, Optimize and automate) applied universally across the SVS.
- Coverage of the 15 in-detail Foundation practices: Continual improvement (with the seven-step model and continual improvement register / CIR); Change enablement (three change types: standard / normal / emergency, change authority concept); Incident management (unplanned interruption, impact + urgency priority, major incident handling); Problem management (the three phases problem identification / problem control / error control with known errors and workarounds); Service request management (pre-defined user-initiated requests); Service desk (multi-channel single point of contact); Service level management (business-based targets, SLA / OLA / underpinning contract, watermelon SLAs); Information security management (CIA triad of confidentiality / integrity / availability, risk-based balance of controls); Relationship management (strategic and tactical stakeholder links); Supplier management (single sourcing vs multi-sourcing vs insourcing vs outsourcing strategies); IT asset management / ITAM (financial and contractual lifecycle of assets); Monitoring and event management (event types informational / warning / exception); Release management (release vs deployment decoupling, dark launches with feature flags, DevOps integration); Service configuration management / SCM (configuration items, CMDB, accuracy challenges); and Deployment management (big-bang / phased / pull / continuous delivery patterns). Real exam: 40 multiple-choice questions in 60 minutes, closed book. This simulator matches the format exactly.
- Generation note: distractor length parity, canonical ITIL 4 terminology preserved verbatim (Service Value System / SVS, Service Value Chain / SVC, the four dimensions, the seven guiding principles, the 34 practices in three categories of general management / service management / technical management, the seven-step continual improvement model, the three change types, the three problem-management phases, configuration items, configuration management database / CMDB, workarounds and known errors, SLA / OLA / underpinning contract, watermelon SLAs, release vs deployment, the CIA triad), no em-dashes throughout, balanced answer-position distribution, and the strict 1.3x / +15-char distractor-length-parity threshold (the same rule applied retroactively to the five most recently-built banks in the May 2026 length-leak remediation) enforced from the first draft. Audit shows 0 leakers across all 160 questions on initial authoring. Fullscreen real-exam simulator at /certs/itil4-f/exam.html with a 40-question / 60-minute real-exam mode plus 25 / 50 / full-bank practice modes, mark-for-review, navigation grid, per-domain results, and post-exam explanations. Hero stats updated 30->31 certs, process improvement discipline 1->2. The AXELOS vendor block was merged into a new PeopleCert vendor block (since PeopleCert has owned both ITIL and PRINCE2 since 2021); vendor-family count stays at 12.
May 2026 (earlier)
SAP-C02 added. The AWS Certified Solutions Architect - Professional bank is now live, completing the AWS architect ladder (CLF-C02 fundamentals -> SAA-C03 associate -> SAP-C02 professional) plus the security specialty (SCS-C03). The bank targets the May 2026 SAP-C02 exam guide. Catalog grows from 29 to 30 across 12 vendor families; cloud discipline reaches 6 cards; AWS vendor section grows from 3 to 4.
- Certification added: SAP-C02, AWS Solutions Architect - Professional (150 questions, 4 content domains). Question allocation matches AWS's published SAP-C02 weights to the percentage point: Design Solutions for Organizational Complexity 26.0% (39 questions, target 26%), Design for New Solutions 29.3% (44, target 29%), Continuous Improvement for Existing Solutions 24.7% (37, target 25%), Accelerate Workload Migration and Modernization 20.0% (30, target 20%). Pass threshold set to 75% matching AWS's published 750/1000 scaled cut score.
- The bank emphasizes the professional-level architect distinctions that separate SAP-C02 from SAA-C03: organizational complexity at scale (AWS Transit Gateway hub-and-spoke with RAM sharing; Direct Connect Resiliency Toolkit tiers from Development to Maximum; transit / public / private VIFs; Route 53 Resolver inbound and outbound endpoints for hybrid DNS; AWS PrivateLink and service / private / gateway VPC endpoints; AWS Organizations with SCPs, OUs, and the Tenant Root Group; AWS Control Tower landing zones with management / Log Archive / Audit accounts and Account Factory; IAM Identity Center with external IdP federation; CloudTrail organization trails; multi-Region KMS keys; AWS Config conformance packs; AWS Security Hub aggregator across accounts; AWS Audit Manager for SOC / PCI / ISO / HIPAA / FedRAMP evidence collection); the four canonical DR patterns (Backup-and-Restore, Pilot Light, Warm Standby, Multi-Site active-active) with RTO / RPO trade-offs; AWS Elastic Disaster Recovery / DRS; and the Well-Architected Framework's six pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability).
- Coverage of the canonical new-solution design topics: CloudFormation StackSets and change sets, AWS CDK, AWS SAM for serverless apps, AWS Systems Manager Session Manager / Patch Manager / Parameter Store / Automation; Route 53 routing policies (simple, weighted, latency, failover, geolocation, geoproximity, multi-value answer) with health checks; the Aurora Global Database / DynamoDB Global Tables / RDS Multi-AZ ladder of HA / DR; Aurora Serverless v2 with 0.5-ACU step elasticity; Amazon S3 storage class catalog (Standard / Standard-IA / One Zone-IA / Intelligent-Tiering / Glacier Instant Retrieval / Glacier Flexible Retrieval / Glacier Deep Archive); Object Lock Compliance vs Governance, Object Ownership Bucket Owner Enforced (default since 2023); EBS volume types gp3 / io2 Block Express with up to 256,000 IOPS; Amazon EFS performance modes plus Lifecycle Management with IA / Archive; Amazon FSx for Lustre / Windows / NetApp ONTAP / OpenZFS; ElastiCache for Redis / Memcached; Amazon SQS FIFO with deduplication and message-group ordering, SNS fan-out with subscription filtering, EventBridge with custom buses / partner buses / archive-replay, Step Functions Standard and Express; AWS Lambda Provisioned Concurrency and SnapStart for cold-start mitigation; API Gateway REST / HTTP / WebSocket with private endpoints; Compute Savings Plans flexibility vs EC2 Instance Savings Plans depth; Spot for fault-tolerant workloads.
- Coverage of the continuous-improvement and migration topics: CloudWatch Synthetics canaries, ServiceLens + X-Ray service maps, AWS Config auto-remediation via SSM Automation documents, CodeDeploy Blue/Green with linear / canary traffic shifting and alarm-based automatic rollback, AWS Backup organization-level policies with Vault Lock for WORM immutability, AWS Compute Optimizer (EC2 / EBS / ASG / Lambda / ECS-Fargate / RDS) and Cost Anomaly Detection ML-based monitoring, IAM Access Analyzer external-access AND unused-access analyzers, Amazon Macie sensitive-data discovery, Amazon Detective entity-relationship graphs, AWS Health Dashboard with EventBridge automation, Amazon VPC Reachability Analyzer, the AWS 7Rs migration framework (Retire, Retain, Relocate, Rehost, Replatform, Repurchase, Refactor) with Migration Hub as portfolio control plane, AWS Application Migration Service / MGN replacing CloudEndure, Application Discovery Service agent / agentless, AWS Database Migration Service / DMS with Schema Conversion Tool / SCT for heterogeneous migrations, AWS DataSync / Snow Family / Transfer Family / S3 Transfer Acceleration data-movement options, AWS App2Container for replatform / refactor; and modernization to serverless (Lambda + API Gateway + DynamoDB + Step Functions + EventBridge), containers (ECS / EKS / Fargate / App Runner), and purpose-built databases (DynamoDB / Aurora / DocumentDB / Neptune / Timestream / Keyspaces / OpenSearch / Redshift / ElastiCache).
- Real exam: 65 scored + 10 unscored items = 75 total in 180 minutes. Question types include multiple choice (one correct + three distractors) and multiple response (two-plus correct out of five-plus options). This simulator is single-answer multiple-choice only; the real-exam single-answer-to-multi-response ratio is historically roughly 4 to 1. Fullscreen real-exam simulator at /certs/sap-c02/exam.html with a 65-question / 180-minute real-exam mode plus 25 / 50 / full-bank practice modes, mark-for-review, navigation grid, per-domain results, and post-exam explanations.
- Generation note: distractor length parity, canonical AWS service names preserved verbatim throughout (Amazon S3, Amazon EC2, Amazon EBS, AWS KMS, AWS IAM, AWS IAM Identity Center, AWS Organizations, AWS Control Tower, AWS Transit Gateway, AWS Direct Connect, AWS Resource Access Manager / RAM, Amazon VPC, AWS PrivateLink, Amazon Route 53 / Route 53 Resolver, AWS Trusted Advisor, AWS Compute Optimizer, AWS Cost Explorer, AWS Budgets, AWS Cost Anomaly Detection, AWS Security Hub, AWS Config, Amazon GuardDuty, Amazon Inspector, Amazon Macie, Amazon Detective, AWS Audit Manager, AWS Backup, AWS Elastic Disaster Recovery / DRS, Aurora Global Database, DynamoDB Global Tables, Amazon ElastiCache, AWS Lambda Provisioned Concurrency / SnapStart, Amazon API Gateway, Amazon SQS / SNS / EventBridge / Step Functions, Amazon ECS / EKS / Fargate, AWS App Runner, AWS Migration Hub, AWS Application Migration Service / MGN, AWS Application Discovery Service, AWS DMS / SCT, AWS DataSync, AWS Snow Family, AWS Transfer Family, AWS Storage Gateway, Amazon FSx for Lustre / Windows / NetApp ONTAP / OpenZFS, AWS Network Firewall, AWS Shield / Shield Advanced, AWS WAF, AWS Firewall Manager, AWS Well-Architected Tool, the 7Rs migration framework), no em-dashes, and balanced answer-position distribution were enforced from first draft. Hero stats updated 29->30 certs, cloud discipline 5->6, AWS vendor 3 exams->4 exams.
May 2026 (earlier)
AI-102 added. Microsoft's Azure AI Engineer Associate is now live, ahead of Microsoft's announced June 30, 2026 retirement of this certification. The bank targets the December 23, 2025 outline reflecting the Microsoft Foundry rebrand (formerly Azure AI Foundry), with all canonical service names preserved (Azure OpenAI in Foundry Models, Azure AI Vision in Foundry Tools, Azure AI Speech in Foundry Tools, Azure Document Intelligence in Foundry Tools, Azure Content Understanding in Foundry Tools). Catalog grows from 28 to 29 across 12 vendor families; cloud discipline reaches 5 cards; Microsoft vendor section grows from 4 to 5 (AZ-900, AZ-104, AI-102, AZ-500, SC-100).
- Certification added: AI-102, Microsoft Azure AI Engineer (150 questions, 6 skill areas). Question allocation matches Microsoft's published 20-25 / 15-20 / 5-10 / 10-15 / 15-20 / 15-20% ranges at the midpoints, scaled to 150 questions: Plan and manage Azure AI solution 23.3% (35 questions, midpoint of 20-25%), Implement generative AI 18.7% (28, midpoint of 15-20%), Implement agentic solution 8.0% (12, midpoint of 5-10%), Implement computer vision 13.3% (20, midpoint of 10-15%), Implement NLP 18.7% (28, midpoint of 15-20%), Implement knowledge mining and info extraction 18.0% (27, midpoint of 15-20%). All six allocations land inside the published ranges. Pass threshold set to 70% matching Microsoft's published 700/1000 scaled cut score.
- The bank emphasizes the service-selection decisions that separate AI-102 from AI-900: matching the right Foundry service to each modality (Azure OpenAI in Foundry Models for generative AI, Azure AI Vision in Foundry Tools for image / OCR, Azure AI Language for sentiment / NER / key phrases / PII / language detection, Azure AI Speech in Foundry Tools for STT / TTS / SSML / speech translation / custom speech / KWS, Azure AI Translator in Foundry Tools for text and document translation, Azure AI Document Intelligence for invoices / receipts / IDs / business cards / W-2 / layout, Azure AI Search for knowledge mining, Azure Content Understanding for multi-modal extraction, Azure AI Video Indexer for video insights, Spatial Analysis for people movement); the Foundry hub vs project distinction; provisioning patterns (single-service vs multi-service Azure AI services account, default endpoint URL .cognitiveservices.azure.com or .openai.azure.com); SDKs (azure-ai-projects, azure-ai-inference, language-specific Speech / Vision / Language); CI / CD via Bicep / ARM; container deployments for Read / Language / Speech / Document Intelligence; monitoring via diagnostic settings and platform metrics (Generated Tokens, Active Tokens); Microsoft Entra ID auth with managed identities as the recommended pattern with local-auth disabled.
- Coverage of the Responsible AI surface area: the six Microsoft Responsible AI principles (Fairness, Reliability and Safety, Privacy and Security, Inclusiveness, Transparency, Accountability); Azure AI Content Safety in detail (text moderation, image moderation, the four harm categories Hate / Sexual / Violence / Self-Harm with the 0 / 2 / 4 / 6 severity scale, blocklists, Prompt Shields for direct user-attempt jailbreaks and indirect prompt injection from retrieved documents, Groundedness Detection for ungrounded RAG outputs, Protected Material Detection); content filters at input and output of Azure OpenAI deployments with configurable severity thresholds per category and direction; Transparency Notes and Impact Assessments under the Responsible AI Standard; and the canonical hallucination mitigations (strong grounding system messages, Groundedness Detection, citations the model must reproduce).
- Coverage of the canonical AI-102 generative AI and agentic topics: Azure OpenAI parameter set (temperature 0-2, top_p nucleus sampling, max_tokens / max_completion_tokens, stop sequences, frequency_penalty, presence_penalty, seed for determinism); the RAG pattern with chunking / embedding / retrieval / grounding using Azure AI Search vector and hybrid queries; built-in Foundry evaluators (Groundedness, Relevance, Coherence, Fluency, Similarity, Retrieval); deployment types (Standard pay-as-you-go, Provisioned Throughput Units / PTUs for reserved capacity, Batch and Global Batch for 24-hour bulk inference); prompt-engineering techniques (system message role assignment, few-shot, chain-of-thought, structured outputs / JSON mode / json_schema, parallel tool calling, function calling); model deployments (GPT-4o multimodal, GPT-4 Vision, gpt-4o-mini for cost routing, gpt-3.5-turbo legacy, text-embedding-3-small / -large / ada-002, DALL-E 3, gpt-image-1, Whisper); fine-tuning workflow (JSONL chat-format training data, SFT, DPO); Microsoft Foundry Agent Service vs Microsoft Agent Framework; the agent lifecycle (instructions + model + tools, threads, runs with status queued / in_progress / requires_action / completed, submit_tool_outputs); built-in agent tools (File Search for RAG, Code Interpreter for sandboxed Python, function calling, browsing); and multi-agent orchestration patterns (sequential / hierarchical / peer-to-peer).
- Coverage of the canonical computer vision, NLP, and knowledge-mining topics: Image Analysis 4.0 visualFeatures (tags, caption, denseCaptions, objects, people, smartCrops, read); Read API OCR for printed and handwritten text; Custom Vision (classification vs object detection, compact domains for edge export, prediction vs training resource separation, mAP / precision / recall metrics); Azure AI Video Indexer's insight track (transcript with diarisation, OCR on frames, scene detection, faces, topics, emotions, brands); Spatial Analysis for people occupancy / queue / dwell; Conversational Language Understanding (CLU) with intents / entities / utterances and named deployments; Custom Question Answering with follow-up prompts for multi-turn, alternate phrasings, chit-chat, multi-language mode; Custom Speech (acoustic / language / pronunciation adaptation, endpoint ID configuration in the Speech SDK); Custom Neural Voice with signed Microsoft commitment for misuse risk; SSML for prosody / voice / breaks / pronunciation; Azure AI Search architecture (index, indexer, data source, skillset, custom skill, Knowledge Store projections file / object / table, semantic ranker on Standard tier+, vector field with HNSW for kNN, hybrid BM25 + vector); Azure Document Intelligence prebuilt models (invoice, receipt, idDocument, businessCard, layout, contract, healthInsuranceCard, tax.us.w2) plus custom template vs custom neural vs composed models. Real exam: ~50 questions in 100 minutes with case studies, drag-and-drop, hot-area, build-list, and active-screen items in addition to single-answer multiple choice. This simulator is multiple-choice only.
- Retirement note: Microsoft has announced that the AI-102 certification, exam, and renewal assessments will retire on June 30, 2026. The bank, cert page, and simulator each carry the retirement note so candidates who want this credential can plan to schedule the exam before that date. After retirement the bank remains useful as a reference and a baseline for the next-generation AI-Engineer-track exam, but the credential cannot be earned.
- Generation note: distractor length parity, canonical Microsoft / Azure terminology preserved verbatim (Microsoft Foundry, Foundry hub vs project, Azure OpenAI in Foundry Models, Azure AI Vision in Foundry Tools, Azure AI Speech in Foundry Tools, Azure Document Intelligence in Foundry Tools, Azure Content Understanding in Foundry Tools, Azure AI Search, Azure AI Video Indexer, Spatial Analysis, Microsoft Foundry Agent Service, Microsoft Agent Framework, Provisioned Throughput Units / PTUs, prompt flow, RAG, Prompt Shields, Groundedness Detection, Responsible AI Standard, GPT-4o multimodal, text-embedding-3-small / -large, DALL-E 3, gpt-image-1, Whisper, SSML, Custom Neural Voice, Conversational Language Understanding / CLU, Custom Question Answering, Knowledge Store projections, HNSW vector indexing, semantic ranker, prebuilt-invoice / prebuilt-receipt / prebuilt-idDocument / prebuilt-layout / prebuilt-tax.us.w2), no em-dashes, and balanced answer-position distribution were enforced from first draft. Fullscreen real-exam simulator at /certs/ai-102/exam.html with a 50-question / 100-minute real-exam mode plus 25 / 50 / full-bank practice modes, mark-for-review, navigation grid, per-domain results, and post-exam explanations. Hero stats updated 28->29 certs, cloud discipline 4->5, Microsoft vendor 4 exams->5 exams.
May 2026 (earlier)
AZ-104 added. Microsoft's Azure Administrator Associate is now live, making Certmesa the first practice site to ship a published-objective-weighted bank against the April 17, 2026 AZ-104 outline. Catalog grows from 27 to 28 across 12 vendor families; cloud discipline reaches 4 cards; Microsoft vendor section grows from 3 to 4 (AZ-900 fundamentals, AZ-104 administrator, AZ-500 security engineer, SC-100 cybersecurity architect expert; AZ-500 retires Aug 31, 2026).
- Certification added: AZ-104, Microsoft Azure Administrator (150 questions, 5 skill areas). Question allocation matches Microsoft's published 20-25 / 15-20 / 20-25 / 15-20 / 10-15% ranges at the midpoints, scaled to 150 questions: Identities & Governance 24.7% (37 questions, midpoint of 20-25%), Storage 18.7% (28, midpoint of 15-20%), Compute 24.7% (37, midpoint of 20-25%), Networking 18.7% (28, midpoint of 15-20%), Monitor & Maintain 13.3% (20, midpoint of 10-15%). All five allocations land inside the published ranges. Pass threshold set to 70% matching Microsoft's published 700/1000 scaled cut score.
- The bank emphasizes the governance-and-RBAC distinctions that separate AZ-104 from AZ-900 and AZ-500: the four critical built-in roles (Owner = Contributor + Microsoft.Authorization/roleAssignments; Contributor = full management minus assign; Reader = */read; User Access Administrator = manage access only); RBAC additivity across inherited scopes (management group -> subscription -> resource group -> resource); custom role definitions with their assignableScopes vs actions / notActions semantics; resource locks (CanNotDelete blocks delete only, ReadOnly blocks write and delete, locks are additive and inherited); tags (50 per resource, 512 / 256 char limits, no automatic inheritance, requires Policy modify effect to enforce); resource / subscription / region moves and Azure Resource Mover; the management group hierarchy (six levels under Tenant Root Group, the canonical place to attach tenant-wide policies); the full Azure Policy effect set (Audit, Deny, Append, Modify, DeployIfNotExists, AuditIfNotExists, Disabled) and the managed-identity requirement for DeployIfNotExists / Modify remediation; initiatives / policy sets as the wrapper for compliance-framework assignments; and Cost Management budgets with action-group integration.
- Coverage of the canonical AZ-104 storage and compute topics: storage account kinds (StorageV2, Premium block-blob / file / page-blob) and the full redundancy ladder (LRS 3 copies same zone, ZRS 3 zones in primary, GRS 6 copies inc secondary RO, RA-GRS adds read access, GZRS / RA-GZRS combine zonal + geo); the SAS hierarchy (account SAS, service SAS, user delegation SAS, stored access policies for revocation); identity-based access for Azure Files via on-prem AD DS or Microsoft Entra Kerberos; storage networking (firewall, service endpoint vs private endpoint with Private DNS zones privatelink.blob.core.windows.net); blob tiers (Hot / Cool / Cold / Archive with the 180-day minimum and Standard vs High rehydration priorities); the lifecycle / versioning / soft delete / object replication feature set; ARM template JSON ($schema, contentVersion, parameters, variables, resources, outputs) and Bicep equivalents with modules / decorators / @secure / @allowed; deployment modes (Incremental default vs Complete which deletes); VM size families (B burstable, D general-purpose, E memory, F compute, M huge memory, N GPU); disk types (Standard HDD, Standard SSD, Premium SSD, Premium SSD v2, Ultra Disk); the three availability patterns (set / zone / VMSS) and their SLA stairsteps (99.9% single VM Premium, 99.95% set, 99.99% zone); encryption at host (covers OS + data + temp disk at host layer) vs Azure Disk Encryption (BitLocker / DM-Crypt inside guest) vs SSE (transparent storage-layer); ACR SKUs (Basic, Standard, Premium with geo-replication and private endpoints); Container Apps with Dapr / KEDA / revisions; ACI for single-container quick tasks; App Service plan tiers (Free F1, Shared D1, Basic B1-B3, Standard S1-S3 first to support slots, Premium v3, Isolated v2); deployment slots and the sticky 'Deployment slot setting' marker.
- Coverage of the canonical AZ-104 networking, monitoring, and recovery topics: VNet basics (5 reserved IPs per subnet first 4 + last 1, /29 smallest); VNet peering non-transitivity by default and the hub-and-spoke setup ('Allow gateway transit' on hub peering plus 'Use remote gateways' on spoke peering for shared VPN / ExpressRoute); public IP SKUs (Basic vs Standard with zone-redundancy, Dynamic vs Static); user-defined routes overriding system routes; NSG priorities (100-4096, lower wins) and the default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500); the subnet-NSG-then-NIC-NSG evaluation order with both having to allow; Application Security Groups (ASGs) for rule maintenance under scale; Azure Bastion (subnet named exactly AzureBastionSubnet, /26 minimum recommended); service endpoint vs private endpoint trade-off; Standard Load Balancer requirements (Standard public IP, zone support, secure-by-default); the Network Watcher tool surface (IP Flow Verify, Next Hop, Effective Routes / Security Rules, Connection Monitor, Connection Troubleshoot, Packet Capture, Topology); the Azure Monitor metrics vs logs distinction with KQL for Log Analytics; alert signal types (metric / log / activity log / smart detection) with action groups and alert processing rules; Azure Monitor Agent (AMA) replacing the legacy Log Analytics agent (MMA); VM Insights / Container Insights / Network Insights; Recovery Services vault (VM / Files / SQL in VM / SAP HANA / on-prem MARS-MABS-DPM) vs Backup vault (Blob / Disks / PostgreSQL flexible server / Kubernetes); the Cross Region Restore feature on GRS vaults; and Azure Site Recovery's test failover / failover / commit / reprotect lifecycle. Real exam: ~50 questions in 100 minutes with case studies, drag-and-drop, hot-area, build-list, and active-screen items in addition to single-answer multiple choice. This simulator is multiple-choice only.
- Generation note: distractor length parity, canonical Microsoft / Azure terminology preserved verbatim (Microsoft Entra ID not 'Azure AD', Microsoft Entra Connect, Conditional Access, Privileged Identity Management, Azure RBAC, ARM templates, Bicep with @secure / @allowed, StorageV2, LRS / ZRS / GRS / RA-GRS / GZRS / RA-GZRS, privatelink DNS zones, AzureBastionSubnet, GatewaySubnet, NSG priority 100-4096, DenyAllInBound 65500, Standard Load Balancer SKU, Azure Monitor Agent / AMA, Log Analytics workspace, KQL, Recovery Services vault vs Backup vault, Azure Site Recovery, Cross Region Restore), no em-dashes, and balanced answer-position distribution were enforced from first draft. Fullscreen real-exam simulator at /certs/az-104/exam.html with a 50-question / 100-minute real-exam mode plus 25 / 50 / full-bank practice modes, mark-for-review, navigation grid, per-domain results, and post-exam explanations. Hero stats updated 27->28 certs, cloud discipline 3->4, Microsoft vendor 3 exams->4 exams.
May 2026 (earlier)
220-1202 added. CompTIA's A+ Core 2 (V15) is now live, completing the A+ pair alongside Core 1 and pushing the CompTIA vendor section to 5 of 5 cards. Catalog grows from 26 to 27 across 12 vendor families; cybersecurity discipline reaches 16. The bank targets the 220-1202 V15 exam objectives launched by CompTIA on March 25, 2025, the software-side companion to Core 1.
- Certification added: 220-1202, CompTIA A+ Core 2 (150 questions, 4 domains). Question allocation matches CompTIA's published 220-1202 weights to the percentage point: Operating Systems 28.0% (target 28%, 42 questions), Security 28.0% (28%, 42), Software Troubleshooting 23.3% (23%, 35), Operational Procedures 20.7% (21%, 31). Pass threshold set to 78% matching CompTIA's published 700/900 scaled cut score (a lower bar than the 750/900 anchor used for Sec+ / CySA+; the same scaled-score concept with a different anchor).
- The bank emphasizes the software-side distinctions that separate A+ Core 2 from Core 1: Windows editions (Home / Pro / Pro for Workstations / Enterprise) and the upgrade matrix; install methods (clean / in-place / PXE / recovery / image); file systems (NTFS, FAT32, exFAT, ext4, APFS, HFS+, ReFS) with their specific limits (FAT32 4 GB file cap, exFAT for cross-platform flash, NTFS for ACLs / EFS / compression); partition schemes GPT vs MBR with the 2 TB MBR ceiling; the Windows tool surface area (Task Manager, Disk Management, MMC snap-ins lusrmgr.msc / secpol.msc / services.msc / eventvwr.msc / gpedit.msc / devmgmt.msc / resmon.exe / perfmon.msc, Registry Editor, MSConfig); the canonical command-line set (ipconfig /flushdns, ping, tracert, nslookup, chkdsk /f, sfc /scannow, gpupdate /force, gpresult /h, robocopy, xcopy, net use, diskpart, format, netstat -ano); PowerShell verb-noun cmdlets; macOS tooling (Time Machine, Spotlight, FileVault, Keychain Access, Gatekeeper, Boot Camp, Force Quit); Linux fundamentals (chmod octal, sudo vs su, apt vs yum vs dnf, top, grep, ls, ip); and remote-access protocols (RDP 3389, SSH 22, VNC 5900).
- Coverage of the canonical A+ security topics tested explicitly: wireless security (WPA2-Personal with AES / CCMP, WPA3-Personal with SAE, 802.1X with EAP-TLS for enterprise, WEP / WPA / TKIP as deprecated); authentication factor categories (know / have / are / do / location) and MFA mechanics; biometrics, smart cards, hard / soft tokens, SMS, authenticator apps; AAA protocols (RADIUS, TACACS+, Kerberos KDC with TGT and service tickets); the full malware taxonomy (virus, worm, Trojan, ransomware, rootkit, spyware, adware, keylogger, fileless, cryptominer, botnet, logic bomb); social engineering (phishing, spear phishing, whaling, vishing, smishing, tailgating, evil twin, watering hole); the seven-step CompTIA malware-removal procedure (investigate -> quarantine -> disable System Restore -> remediate -> schedule scans + updates -> enable System Restore -> educate); physical security (bollards, access control vestibule formerly mantrap, badge readers, biometric locks); workstation and SOHO hardening (change defaults, disable WPS, MAC filtering, disable UPnP, port forwarding vs DMZ host); data destruction (cryptographic erase for SEDs, multipass overwrite, degaussing for magnetic only, shredding / drilling / pulverising for failed drives, certificate of destruction); encryption fundamentals (BitLocker with TPM, EFS, FileVault, hashing, AES, RSA, asymmetric vs symmetric, root CA / intermediate / self-signed); and the difference between TPM (per-host motherboard chip) and HSM (network / PCIe crypto appliance serving many systems).
- Coverage of the operational-procedures objectives that are unique to Core 2: backup strategies (full, incremental, differential, synthetic-full) with the 3-2-1 rule (3 copies, 2 media types, 1 off-site) and the practical implications for restore sequencing; the hot vs warm vs cold site ladder for disaster recovery; power protection (UPS for runtime, surge protector for spikes, line conditioner for clean voltage, generator for hours); fire extinguisher classes (A ordinary combustibles, B flammable liquids, C electrical, D metals, K kitchen fats); ESD precautions (anti-static wrist strap, ESD mat, equipment grounding, antistatic bag); SDS / Safety Data Sheet (formerly MSDS) for chemicals; change management (RFC, change board / CAB, rollback plan, sandbox testing, impact and risk analysis); incident response and chain of custody (preserve evidence, hashing, write blocker, document handovers); and the communication and professionalism objectives (active listening, do not argue, set and meet expectations, use proper language, deal with confidential materials appropriately). Real exam: up to 90 questions in 90 minutes, multiple-choice plus drag-and-drop and PBQs. This simulator is multiple-choice only.
- Generation note: distractor length parity, canonical CompTIA terminology preserved verbatim (Task Manager, Event Viewer, sfc /scannow, DISM /Online /Cleanup-Image /RestoreHealth, bootrec /fixmbr / /fixboot / /rebuildbcd, gpresult /h, robocopy, BitLocker, EFS, FileVault, Kerberos KDC / TGT, WPA3-SAE, 802.1X EAP-TLS, access control vestibule, the 7-step malware-removal procedure, 3-2-1 backup rule, ESD precautions, fire-extinguisher classes), no em-dashes, and balanced answer-position distribution were enforced from first draft. Fullscreen real-exam simulator at /certs/220-1202/exam.html with a 90-question / 90-minute real-exam mode plus 25 / 50 / full-bank practice modes, mark-for-review, navigation grid, per-domain results, and post-exam explanations. Hero stats updated 26->27 certs, cybersecurity discipline 15->16, CompTIA vendor 4 exams->5 exams.
May 2026 (earlier)
220-1201 added. CompTIA's A+ Core 1 (V15) is now live, anchoring the entry-level rung of the CompTIA staircase below Network+ and Security+. Catalog grows from 25 to 26 cards across 12 vendor families; cybersecurity discipline reaches 15. The bank targets the 220-1201 V15 exam objectives launched by CompTIA on March 25, 2025 (replacing the long-lived 220-1101 V14 series).
- Certification added: 220-1201, CompTIA A+ Core 1 (150 questions, 5 domains). Question allocation matches CompTIA's published 220-1201 weights to the percentage point: Mobile Devices 13.3% (target 13%, 20 questions), Networking 23.3% (23%, 35), Hardware 24.7% (25%, 37), Virtualization and Cloud Computing 10.7% (11%, 16), Hardware and Network Troubleshooting 28.0% (28%, 42). Pass threshold set to 75% matching CompTIA's published 675/900 scaled cut score (the A+ cut score is lower than Sec+/CySA+'s 750/900 anchor).
- The bank emphasizes the technician-level distinctions that separate A+ Core 1 from later CompTIA exams: hands-on hardware identification (RAM types DDR4 vs DDR5, ECC vs non-ECC, SODIMM vs DIMM; M.2 form factors including 2280; PCIe x1/x4/x8/x16 lanes; ATX 24-pin and PCIe 6+2 connectors; USB-C with DisplayPort Alt Mode and USB PD); CompTIA's canonical port/protocol table (DNS 53, DHCP 67-68, HTTPS 443, SSH 22, SMB 445, LDAP 389/636, RDP 3389, IMAP 993, POP3 995, SNMP 161); RAID 0/1/5/6/10 fault-tolerance characteristics; the laser-printer imaging process; and the CompTIA 6-step troubleshooting methodology (identify, theorize, test, plan, verify, document) which is the single most frequently tested workflow across the exam.
- Coverage of the canonical A+ topics tested explicitly: wireless standards including 802.11 a/b/g/n/ac/ax (Wi-Fi 6) and be (Wi-Fi 7) with their frequencies (2.4 GHz, 5 GHz, 6 GHz), WPA2/WPA3, RFID and NFC, Bluetooth pairing; RFC 1918 private addressing and APIPA; cable types Cat 5e/6/6a/7/8 with shielding terminology and fibre single-mode vs multi-mode (SC/LC/MTRJ connectors); NIST SP 800-145 cloud service models (IaaS / PaaS / SaaS / FaaS) and deployment models (public / private / hybrid / community); Type 1 vs Type 2 hypervisors (ESXi / Hyper-V / Xen vs VirtualBox / VMware Workstation / Parallels); BIOS vs UEFI and TPM; PSU 80 PLUS efficiency and modular vs non-modular; mobile-device hardware replacement (digitizer, battery safety with lithium-ion swelling cautions); and the canonical troubleshooting toolset (multimeter, PSU tester, cable tester, loopback plug, tone generator and probe, anti-static wrist strap, ESD mat).
- Real exam: up to 90 questions in 90 minutes, multiple-choice plus drag-and-drop and performance-based items (PBQs). This simulator is multiple-choice only; PBQs cannot be reproduced statically. Fullscreen real-exam simulator at /certs/220-1201/exam.html with a 90-question / 90-minute real-exam mode plus 25 / 50 / full-bank practice modes, mark-for-review, navigation grid, per-domain results, and post-exam explanations.
- Generation note: distractor length parity, canonical CompTIA terminology preserved verbatim (USB-C, USB PD, DisplayPort Alt Mode, Wi-Fi 6E, IaaS / PaaS / SaaS, BIOS vs UEFI, RAID 0/1/5/6/10, RFC 1918, APIPA, the 6-step troubleshooting methodology), no em-dashes, and balanced answer-position distribution were enforced from first draft. Hero stats updated 25->26 certs, cybersecurity discipline 14->15, CompTIA vendor 3 exams->4 exams.
May 2026 (earlier)
AIGP added. The first IAPP certification on the platform, opening a new ai_governance discipline (now 7 of 7 disciplines covered) and bringing the catalog to 25 of 25 cards across 12 vendor families. The bank targets the IAPP AIGP Body of Knowledge effective February 2026; the AIGP credential certifies professionals in responsible AI management across the U.S., EU, and other jurisdictions.
- Certification added: AIGP, IAPP Certified AI Governance Professional (150 questions, 4 BoK domains). IAPP does not publish exact per-domain weights for the AIGP exam (the integrated exam blueprint specifies a minimum and maximum number of items per domain). Question allocation is centered on the typical AIGP guidance ranges: Foundations of AI governance 22.0%, Laws/standards/frameworks applicable to AI 29.3% (the largest because Domain II covers existing privacy laws + other existing laws + AI-specific laws + standards/tools), Govern AI development 24.0%, Govern AI deployment and use 24.7%. Pass threshold set to 70% as the conventional anchor; IAPP does not publish a fixed cut score (passing scores are set per administration via psychometric methods). Real exam: 100 multiple-choice items in 3 hours, includes case studies and the occasional multi-select item (the bank uses single-select only since the engine renders one-correct-answer items).
- The bank emphasizes the vocabulary and frameworks the AIGP exam tests directly: trustworthy-AI pillars (fairness, accountability, transparency, explainability, privacy, robustness, safety, human oversight); AI-vs-AGI distinction; ML categories (supervised/unsupervised/reinforcement); foundation models / generative AI / LLMs; bias types (historical, representation, measurement, aggregation, evaluation, deployment); fairness metrics (equal opportunity, demographic parity, calibration, predictive parity); explainability methods (SHAP, LIME, Integrated Gradients, Grad-CAM); AI lifecycle phases; AI governance committees, AI inventory, AI use policy, RACI, risk appetite; the difference between transparency (disclosure of AI use) and explainability (understandability of mechanisms); AI-specific risks (hallucination, prompt injection, jailbreak, adversarial examples, data poisoning, model inversion, membership inference).
- Coverage of the canonical laws, standards, and frameworks tested explicitly: GDPR Article 22 (automated individual decision-making) and Article 35 (DPIA), EU AI Act 4-tier risk classification (unacceptable/prohibited, high-risk, limited-risk/transparency, minimal/no risk), Article 5 prohibitions, Annex III high-risk, GPAI obligations and systemic-risk additions, conformity assessment, and FRIA for certain deployers, plus extraterritorial reach and phased application, NYC Local Law 144 (AEDT bias audit + candidate notice), Colorado AI Act SB 24-205 (effective Feb 1 2026), White House AI Bill of Rights Blueprint (5 principles), US EO 14110 (Biden, Oct 2023, REVOKED by EO 14179 in Jan 2025), Council of Europe AI Treaty (May 2024, first internationally binding AI treaty), G7 Hiroshima AI Process Code of Conduct, Bletchley Declaration (Nov 2023), White House Voluntary Commitments (July 2023), Singapore Model AI Governance Framework, plus existing-law application (FTC Section 5, EEOC/Title VII, COPPA, HIPAA BAAs, ECOA/Reg B for credit).
- Coverage of the canonical standards and tools: NIST AI RMF 1.0 with the four functions GOVERN-MAP-MEASURE-MANAGE plus the NIST AI 600-1 Generative AI Profile, ISO/IEC 42001:2023 (AI management system standard, certifiable), ISO/IEC 23894:2023 (AI risk management), ISO/IEC 22989 (AI concepts and terminology), OECD AI Principles (the five 2019/2024 values), IEEE 7000-series ethics standards, model cards, datasheets for datasets, system cards, AIBOM (AI Bill of Materials), DPIA vs AIIA vs FRIA, privacy-preserving ML (differential privacy, federated learning, secure multi-party computation, homomorphic encryption), and post-deployment monitoring metrics (data drift, data quality, latency, computational, output quality - matching the IAPP example multi-select item).
- Generation note: distractor length parity, canonical IAPP / NIST / ISO / OECD / EU terminology preserved verbatim, and balanced answer-position distribution (38/38/37/37) were enforced from first draft. Two of the IAPP example items from the AIGP study guide are included verbatim in the bank (the explainability definition and the AI impact assessment purpose) since IAPP publishes them as canonical reference. The "uniquely longest correct answer" rate is on the higher side because AIGP correct answers tend to be compound governance-pattern descriptions ("X plus Y plus Z plus oversight") which makes them inherently longer than the simpler distractors; this matches the pattern seen on the CCSP and CySA+ banks. Hero stats updated 24->25 certs, 11->12 vendors (IAPP added), 6->7 disciplines (ai_governance added).
May 2026 (earlier)
CCSP added. ISC2's senior cloud-security credential is now live, completing the ISC2 staircase from CC entry-level to CISSP enterprise-senior to CCSP cloud-architect-senior. Catalog grows from 23 to 24; cybersecurity discipline reaches 14 cards. The bank targets the October 1, 2025 CCSP Exam Outline (the outline candidates take through July 31, 2026); a new outline takes effect August 1, 2026 and will be addressed in a future bank revision.
- Certification added: CCSP, ISC2 Certified Cloud Security Professional (200 questions, 6 domains). Question allocation matches ISC2's published weights EXACTLY: Cloud Concepts/Architecture/Design 17.0% (target 17%), Cloud Data Security 20.0% (20%), Cloud Platform & Infrastructure Security 17.0% (17%), Cloud Application Security 17.0% (17%), Cloud Security Operations 16.0% (16%), Legal/Risk/Compliance 13.0% (13%). Pass threshold set to 70% matching the published 700/1000 cut score; the real exam uses Computerized Adaptive Testing (CAT) with 100-150 items in 3 hours.
- The bank emphasizes the cloud-specific distinctions that separate CCSP from CISSP: NIST SP 800-145 five essential cloud characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service); the five cloud roles (customer, provider, partner, broker, regulator); shared responsibility per cloud category (IaaS/PaaS/SaaS); the CSA Cloud Data Lifecycle (Create -> Store -> Use -> Share -> Archive -> Destroy); cloud-native data protection patterns (tokenization vs encryption, anonymization vs pseudonymization vs masking, format-preserving encryption, homomorphic encryption, differential privacy, confidential computing/TEE); cryptographic erase as the practical sanitization method when physical media access is restricted; tenant partitioning vs hypervisor escape; the cloud management plane as the high-value target; and reversibility/portability as exit-assurance concepts unique to cloud contracting.
- Coverage of the canonical CCSP frameworks tested explicitly: ISO/IEC 27017 (cloud security controls), ISO/IEC 27018 (public-cloud PII processor protection), ISO/IEC 27036 (supplier relationships including supply chain), ISO/IEC 27050 (eDiscovery), FIPS 140-2/140-3 (cryptographic module certification with EAL-style levels), Common Criteria / ISO 15408 (Evaluation Assurance Levels EAL 1-7), SOC 1 / SOC 2 / SOC 3 (Type I vs Type II) with SSAE 18 as the US standard and ISAE 3402 / 3000 as the international counterparts, CSA STAR registry tied to the CCM, threat-modeling families (STRIDE, DREAD, PASTA, ATASM), OWASP Top 10 (2021) with A01 Broken Access Control as the new #1, CWE/SANS Top 25, OWASP ASVS for verification, SAFECode for secure coding, ITIL / ISO 20000-1 processes (change/incident/problem/configuration/SLM/CSI), NERC CIP/HIPAA/HITECH/PCI DSS/SOX/GDPR Article 33 72-hour notification, and the canonical risk-treatment quadrant (avoid/mitigate/transfer/accept).
- Coverage of cloud-specific architecture topics: virtual hardware security (Type 1 vs Type 2 hypervisor, vTPM, microsegmentation, NSGs vs WAFs vs API gateways), confidential computing (Intel SGX/TDX, AMD SEV-SNP, Arm CCA), HSM vs TPM (HSM serves crypto operations to apps, TPM anchors single-host integrity), CASB four pillars (visibility/compliance/data security/threat protection), federated identity (SAML 2.0 / OIDC), JIT privileged access (PIM/PAM with approval/recording), bastion hosts as canonical admin-broker (Azure Bastion, AWS Systems Manager Session Manager), DNSSEC for DNS integrity, the differences between data owner/controller and data custodian/processor under GDPR, and the difference between MSA / SLA / SOW in cloud contracting.
- Generation note: distractor length parity, canonical ISC2/CSA/NIST/ISO terminology (NIST 5 essential characteristics, SaaS/PaaS/IaaS, OWASP Top 10/CWE Top 25, STRIDE/DREAD/PASTA, ISO 27001/27017/27018/27036/27050, FIPS 140-2/3, SSAE 18 / SOC 1/2/3, ISAE 3402, ITIL, GDPR/HIPAA/HITECH/PCI/SOX/NERC CIP), and balanced answer-position distribution (50/50/50/50) were enforced from first draft. The "uniquely longest correct answer" rate is on the higher side because CCSP correct answers heavily favor compound multi-control patterns ("X plus Y plus Z") which makes them inherently longer than the simpler distractors; this matches the pattern seen on the CySA+ and SC-100 banks. Hero stats updated 23->24 certs, cybersecurity discipline 13->14, ISC2 vendor 2 exams->3 exams.
May 2026 (earlier)
CS0-003 added. CompTIA's SOC-analyst-level credential is now live, completing the CompTIA staircase from Network+ baseline to Security+ baseline to CySA+ analyst-level. Catalog grows from 22 to 23; cybersecurity discipline reaches 13 cards. The bank targets the CySA+ V3 (CS0-003) outline launched June 6, 2023; CS0-003 is expected to retire in 2026, but candidates with planned exam dates this year still need practice material aligned to the live exam.
- Certification added: CS0-003, CompTIA Cybersecurity Analyst (CySA+) V3 (150 questions, 4 domains). Question allocation matches CompTIA's published weights to within rounding: Security operations 32.7% (target 33%), Vulnerability management 30.7% (30%), Incident response management 20.0% (20%), Reporting and communication 16.7% (17%). Pass threshold set to 83% matching CompTIA's published 750/900 scaled cut score (the same anchor used for SY0-701; CompTIA uses identical scaled cut scores across most of its certifications).
- The bank emphasizes the analyst-level distinctions that separate CySA+ from Security+: SIEM correlation rules versus single-source alerts; SOAR playbooks versus manual runbooks; threat hunting (hypothesis-driven, IOC-driven, TTP-driven) versus reactive monitoring; CVSS v3.1 vector breakdown (AV/AC/PR/UI/S/C/I/A) versus a single severity number; CVSS v4.0 changes (new Threat metric group plus Supplemental metrics replacing the v3.1 Temporal group); validating findings before remediation versus patching every finding; risk-acceptance documentation; SLO-based remediation cadence; and the analyst's role in stakeholder communication (executive summaries, holding statements, GDPR Article 33 72-hour notification, board-level metrics).
- Coverage of the canonical CySA+ frameworks tested explicitly: Lockheed Martin Cyber Kill Chain (7 phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives), Diamond Model of Intrusion Analysis (Adversary, Capability, Infrastructure, Victim), MITRE ATT&CK (tactics vs techniques, sub-techniques, ATT&CK Navigator for coverage mapping, specific technique IDs like T1550.002 Pass-the-Hash and the TA0001-TA0011 tactic IDs), OSSTMM, OWASP Testing Guide, NIST SP 800-61 incident-response phases (Preparation; Detection & Analysis; Containment, Eradication, and Recovery; Post-Incident Activity), STRIDE and PASTA threat modeling, David Bianco's Pyramid of Pain (TTPs are the most painful indicator to change), the Admiralty Code for source/information confidence, TLP for sharing, STIX/TAXII for machine-readable threat intel, sector ISACs (E-ISAC, FS-ISAC, H-ISAC), and the canonical IR metrics (MTTD, MTTR, dwell time, RTO, RPO).
- Coverage of the most-tested CySA+ tooling and tool-output interpretation: Wireshark display filters (http.request, udp.port == 53), tcpdump capture syntax, SIEM correlation versus aggregation, VirusTotal hash search versus file upload caveat, email header analysis (Received headers in reverse-chronological order, SPF/DKIM/DMARC alignment), Python regex for log parsing, PowerShell -EncodedCommand obfuscation and Get-ADGroupMember enumeration, Nmap -A flag, Nikto for OSS web scanning, Metasploit as multipurpose framework, Prowler for AWS CSPM audits, OWASP ZAP/Burp Suite for DAST, WinDbg/x64dbg for debugging, Volatility for memory forensics, EDR host-isolation APIs, write blockers and order of volatility, chain of custody, and the difference between SAST/DAST/SCA in a CI pipeline.
- Generation note: distractor length parity, canonical CompTIA / vendor terminology (CVSS metric names, ATT&CK technique IDs, NIST 800-61 phases, STRIDE/PASTA, MTTD/MTTR/RTO/RPO, SPF/DKIM/DMARC), and balanced answer-position distribution were enforced from first draft. The "uniquely longest correct answer" rate is on the higher side (130/150) because CySA+ correct answers tend to be technically descriptive (multi-control-set defenses, multi-phase frameworks) while distractors can stay shorter; this matches the pattern seen on the AWS/Microsoft service-name-heavy banks. Hero stats updated 22->23 certs, cybersecurity discipline 12->13, CompTIA vendor 2 exams->3 exams.
May 2026 (earlier)
HCTA-004 added. The first HashiCorp certification on the platform, opening a new automation discipline (now 6 of 6 disciplines covered) and bringing the catalog to 22 of 22 cards across 11 vendor families. The bank targets the Terraform Associate (004) outline, which tests on Terraform 1.12 and explicitly includes HCP Terraform content; older 003 versions of the exam are not in scope.
- Certification added: HCTA-004, HashiCorp Certified: Terraform Associate (004) (150 questions, 8 exam sections). HashiCorp does not publish per-section weights for the Terraform Associate exam, so question allocation is loosely proportional to the sub-objective count of each section, with extra emphasis on the most-tested practical areas: Terraform configuration (30), Core Terraform workflow (22), Terraform state management (20), Terraform fundamentals (18), Terraform modules (18), HCP Terraform (18), Infrastructure as Code (12), Maintain infrastructure (12). Pass threshold set to 70% as the conventional anchor; HashiCorp does not publish a fixed cut score (the passing score is set per administration via psychometric methods).
- The bank explicitly covers all four 004-new topics documented in the certification guide: 4f the depends_on meta-argument and the create_before_destroy / prevent_destroy / ignore_changes / replace_triggered_by lifecycle rules; 4g validation of configuration using custom conditions (variable validation blocks, lifecycle preconditions, lifecycle postconditions); 4h ephemeral values and write-only arguments (and the broader sensitive-data story including HashiCorp Vault as the canonical secrets provider); and 8c how to organize and use HCP Terraform workspaces and projects (the projects layer is a 004-era addition that groups workspaces and lets variable sets and access policies apply at a higher level).
- Coverage of the most-tested Terraform Associate distinctions: declarative vs imperative IaC and what idempotency means in practice; provider plugin architecture and the required_providers source/version syntax (~> 1.0 vs >= 1.0 vs = 1.0); the .terraform.lock.hcl file (commit it) versus terraform.tfstate (do not commit); resource vs data block (CRUD vs read-only); implicit dependencies via attribute references vs explicit depends_on for hidden dependencies; variable precedence (defaults < env < tfvars < -var-file < -var); type system (list vs set vs map vs object vs tuple); for expressions and the splat operator; dynamic blocks for repeating nested config; module sources (local ./, registry <NS>/<NAME>/<PROV>, git::https with ?ref= and //subdir, app.terraform.io for HCP Terraform); module variable scope (no global namespace, parent and child connect only via inputs and outputs); the local backend vs remote backends with native vs DynamoDB locking; partial backend configuration with -backend-config; terraform_remote_state for cross-config sharing; drift detection via terraform plan -refresh-only and persistence via terraform apply -refresh-only; the import block vs the legacy terraform import CLI command and the -generate-config-out flag; terraform state list / show / mv / rm; TF_LOG levels (TRACE/DEBUG/INFO/WARN/ERROR) and TF_LOG_PATH; the cloud {} block in HCL; HCP Terraform workspaces, projects, variable sets, run triggers, Sentinel and OPA policy, agents, run tasks, cost estimation, and notification configurations.
- Bank uses canonical HashiCorp / HCL terminology verbatim throughout: HCP Terraform (the post-2024 name; Terraform Cloud is preserved only where the rebrand is explicitly relevant), HCL, terraform.tfstate, terraform.tfstate.backup, .terraform.lock.hcl, required_providers, required_version, depends_on, lifecycle, validation, precondition, postcondition, ephemeral, terraform_remote_state, Sentinel, OPA, the cloud block. No em-dashes anywhere in the bank.
- New automation discipline added to the catalog filter (chip count 1 with HCTA-004 today, room for the Terraform Authoring & Operations Professional and other infrastructure-automation credentials later). Hero stats updated: 21->22 certs, 10->11 vendors (HashiCorp added), 5->6 disciplines. Generation note: distractor length parity, canonical terminology, and balanced answer-position distribution were enforced from first draft, not from a rewrite pass.
May 2026 (earlier)
SC-100 added. Microsoft's senior cybersecurity credential is now live, completing the Microsoft vendor section (AZ-900 + AZ-500 + SC-100 = 3 of 3) and pushing the catalog from 20 to 21 cards. Cybersecurity discipline reaches 12 cards. The bank targets the April 27, 2026 SC-100 skills outline, the most recent published outline at the time of the bank build, with explicit focus on architect-level design/recommendation/evaluation rather than configuration.
- Certification added: SC-100, Microsoft Certified: Cybersecurity Architect Expert (175 questions, 4 skill areas). Question allocation lands inside each Microsoft published weight range: Design solutions that align with security best practices and priorities 22.9% (range 20-25%), Design security operations, identity, and compliance capabilities 31.4% (range 30-35%), Design security solutions for infrastructure 23.4% (range 20-25%), Design security solutions for applications and data 22.3% (range 20-25%). Pass threshold set to 70% matching the published 700/1000 scaled cut score; 120-minute proctored exam.
- SC-100 sits at the expert level, capping the Microsoft security path. Question style emphasises BEST/MOST-aligned design choices over single-tool configurations: which framework to cite (MCRA vs MCSB vs CAF vs WAF), which Defender plan to recommend, how to layer controls across identity-network-data, and which posture metric to brief leadership with. The bank rejects cartoon distractors in favour of REAL adjacent Microsoft products (other Defender XDR components, other Purview pillars, other Entra capabilities) so wrong answers train the candidate's discrimination between similar tools.
- Bank uses canonical post-2024 Microsoft naming verbatim throughout: Microsoft Entra ID (not Azure AD), Microsoft Defender XDR (not Microsoft 365 Defender), Microsoft Defender for Cloud (not Azure Security Center), Microsoft Sentinel (not Azure Sentinel), Microsoft Purview, Microsoft Priva, Microsoft Intune, Microsoft Entra Internet Access and Microsoft Entra Private Access (the 2024 SSE/ZTNA products that replace Application Proxy and legacy VPN), Microsoft Entra ID Governance, Microsoft Defender External Attack Surface Management (Defender EASM), Microsoft Security Exposure Management, and Microsoft Defender for Cloud Permissions Management (CIEM). Older terms appear only as deliberately-wrong distractors.
- Coverage of the most-tested SC-100 distinctions: MCRA vs MCSB vs CAF Secure vs WAF Security pillar (architecture vs control catalog vs methodology vs design pillar); Zero Trust pillars (Identities, Devices, Apps, Data, Infrastructure, Network) and the three principles (verify explicitly, least privilege, assume breach); Enterprise Access Model tier separation and PAW design; MCRR Rapid Modernization Plan (RaMP) sequencing privileged access first; ransomware resiliency with immutable + isolated-identity backups; Defender CSPM (paid: attack path analysis, agentless scanning, exposure insights) vs foundational CSPM (free); Defender for Servers Plan 2 features (JIT, FIM, agentless scan, MDE auto-deploy); Defender XDR cross-domain correlation across Defender for Identity, Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps; Microsoft Sentinel SIEM patterns (per-region workspaces, cross-workspace queries, MITRE ATT&CK page, UEBA, Fusion, automation rules + Logic Apps SOAR); Conditional Access with continuous access evaluation (CAE) and authentication strength; Microsoft Entra ID Governance lifecycle workflows + access packages + access reviews; Defender for Cloud Permissions Management (CIEM) right-sizing across Azure/AWS/GCP; Microsoft Entra Internet Access vs Microsoft Entra Private Access (SSE/ZTNA replacing VPN and Application Proxy); Microsoft Defender for IoT passive sensors for OT/ICS; Azure Front Door Premium + WAF + Private Link origin pattern; Always Encrypted vs TDE vs Dynamic Data Masking vs Row-Level Security; immutable blob storage vs soft delete; Azure Key Vault Premium / Managed HSM for HSM-backed keys; managed identities and workload identity federation (OIDC) replacing client secrets.
- The bank reflects the April 27, 2026 skills measured update, including specific named additions: Microsoft Cybersecurity Reference Recommendations (MCRR) alongside MCRA, Microsoft Security Exposure Management on top of Defender EASM, Microsoft Entra Internet Access and Microsoft Entra Private Access as named SSE/ZTNA products, Microsoft Priva for privacy/SRR, and the Microsoft Defender for Cloud AI workloads protection plan plus Azure AI Content Safety with Prompt Shields. Generation note: distractor length parity, canonical terminology, and balanced answer-position distribution were enforced from first draft, not from a rewrite pass.
May 2026 (earlier)
SCS-C03 added. The third AWS cert on the platform (alongside CLF-C02 and SAA-C03), and the senior security engineer track. Catalog grows from 19 to 20 cards; cybersecurity discipline reaches 11 cards. The bank targets the current SCS-C03 outline, which replaced SCS-C02 on December 2, 2025, so the candidate practices against what the live exam tests today.
- Certification added: SCS-C03, AWS Certified Security - Specialty (170 questions, 6 content domains). Question allocation matches AWS's published weights exactly: Detection 16.5% (target 16%), Incident Response 14.1% (14%), Infrastructure Security 18.8% (18%), Identity and Access Management 20.6% (20%), Data Protection 18.2% (18%), Security Foundations and Governance 14.7% (14%). Pass threshold set to 75% matching the published 750/1000 scaled cut score.
- SCS-C02 to SCS-C03 transition: AWS retired SCS-C02 on December 1, 2025; SCS-C03 has been in use since December 2, 2025. The bank explicitly covers all SCS-C03 NEW topics that did not exist in SCS-C02: Open Cybersecurity Schema Framework (OCSF) integration with Amazon Security Lake (Skill 3.1.4), GenAI OWASP Top 10 for LLM Applications protections via Amazon Bedrock Guardrails (Skill 3.2.7), inter-resource encryption for Amazon EMR/EKS/SageMaker AI/Nitro (Skill 5.1.3), differences between imported key material and AWS-generated key material in AWS KMS (Skill 5.3.3), Amazon CloudWatch Logs data protection policies and Amazon SNS message data protection (Skill 5.3.4), and AWS Private Certificate Authority across regions (Skill 5.3.5).
- Coverage of the most-tested SCS-C03 distinctions: Amazon GuardDuty plans (Foundational, Runtime Monitoring, Malware Protection for EBS) and EventBridge automation; AWS Security Hub control-based scoring across standards (FSBP, CIS, PCI DSS, NIST 800-53); Amazon Macie sensitive data discovery; CloudTrail organization trails and CloudTrail Lake; VPC Flow Logs vs Transit Gateway flow logs vs Route 53 Resolver query logs; AWS WAF managed rule groups vs Shield Advanced (DRT, cost protection, DDoS); Network Firewall vs security groups vs NACLs (stateful/stateless); Systems Manager Session Manager vs EC2 Instance Connect vs Bastion (no inbound ports); AWS IAM Identity Center permission sets and SAML/SCIM federation with external IdPs; SCPs vs RCPs vs declarative policies and AI service opt-out; the confused deputy problem and External ID; KMS multi-region keys, Bucket Keys, External Key Stores (XKS), and the imported-vs-AWS-generated key trade-off; S3 Object Lock GOVERNANCE vs COMPLIANCE mode; AWS Backup Vault Lock; AWS Audit Manager evidence collection; AWS Control Tower landing zones with the canonical management/log-archive/audit account split.
- The bank uses canonical post-2024 AWS service names verbatim throughout: AWS IAM Identity Center (not AWS SSO), Amazon SageMaker AI (not just SageMaker per the 2024 rename), AWS Private Certificate Authority (not ACM PCA), Amazon Q Developer (formerly CodeWhisperer). Older terms appear only as deliberately-wrong distractors or in explanatory context noting the rename. This matches what the live exam tests against and avoids confusing candidates with retired naming.
May 2026 (earlier)
AZ-500 added. Second Microsoft cert on the platform (alongside AZ-900), and the cybersecurity discipline grows to 10 cards. Catalog grows from 18 to 19. Important retirement notice: Microsoft has announced that AZ-500, the related certification, and its renewal assessments retire on August 31, 2026, at 11:59 PM Central Standard Time. Candidates who pass before that date receive the credential under normal renewal terms; the bank is published despite the upcoming retirement so candidates with planned exam dates this summer have practice material aligned to the current January 22, 2026 skills outline.
- Certification added: AZ-500, Microsoft Certified: Azure Security Engineer Associate (174 questions, 4 skill areas). Question allocation lands inside the centre of each Microsoft published weight range: Secure identity and access 18.4% (range 15-20%), Secure networking 23.6% (range 20-25%), Secure compute/storage/databases 23.6% (range 20-25%), Secure Azure with Microsoft Defender for Cloud and Microsoft Sentinel 35.1% (range 30-35%). Pass threshold set to 70% matching the published 700/1000 scaled cut score. 100-minute proctored exam.
- Bank uses canonical post-2023 Microsoft naming verbatim throughout: Microsoft Entra ID (not Azure AD), Microsoft Defender for Cloud (not Azure Security Center), Microsoft Sentinel (not Azure Sentinel). Older terms appear only as deliberately-wrong distractors. This matches what the live exam tests against and avoids confusing candidates with retired terminology.
- Coverage of the most-tested AZ-500 distinctions: Azure RBAC vs Microsoft Entra roles (different control planes); JIT VM access and Azure Bastion vs direct public IP exposure; Service Endpoints vs Private Endpoints (and Private Link service for the producer side); NSGs vs ASGs vs Azure Firewall rule types (NAT, Network, Application); Disk encryption layering (Azure Disk Encryption with BitLocker/dm-crypt, encryption at host, confidential disk encryption); Storage protection layering (soft delete + versioning + immutable + BYOK + double encryption); SQL data protection layering (TDE at rest, TLS in transit, Always Encrypted in use, Dynamic Data Masking at presentation); Conditional Access policy structure (assignments, conditions, grant/session controls); MFA and phishing-resistant FIDO2; managed identities vs service principals; Microsoft Defender plans (Servers Plan 1/2, SQL, Storage, Containers, Resource Manager, APIs, DevOps, Key Vault); Defender CSPM (paid) vs foundational CSPM (free); attack path analysis and governance; Microsoft Sentinel data connectors, analytics rules, hunting queries, watchlists, UEBA, automation rules, and SOAR playbooks via Logic Apps.
- The bank reflects the January 22, 2026 skills measured update, including the Microsoft Cloud Security Benchmark (MCSB) which replaced the older Azure Security Benchmark v3, and Microsoft Defender External Attack Surface Management (EASM). The change log between the previous skills outline and the current one shows only minor changes (Manage Microsoft Entra application access & managed identities, Plan and implement advanced security for compute, and Configure and manage threat protection by using Microsoft Defender for Cloud); the bank targets the current outline.
May 2026 (earlier)
CSSGB added. The first ASQ certification on the platform, and the first process-improvement-discipline cert. With CSSGB live, every catalog card is now AVAILABLE: the platform reaches 18 of 18 certs across 11 vendor families and 5 disciplines. Bank built against the published ASQ Body of Knowledge (2022 BoK, currently in effect).
- Certification added: CSSGB, ASQ Certified Six Sigma Green Belt (166 questions, 6 BoK sections). Question allocation scales the official ASQ BoK weighting exactly: Overview (11→18), Define (20→33), Measure (20→33), Analyze (18→30), Improve (16→26), Control (15→25). The real exam scores 100 questions over 4h18min; the bank's 1.66x scaling preserves relative emphasis while giving substantial practice depth per section.
- Pass threshold set to 70%. ASQ does not publish a fixed cut score for CSSGB; it is scored using a criterion-referenced (Angoff) method per administration with the implied threshold widely estimated at 70-75%. 70% is a defensible practice anchor.
- The bank is built around the cognitive levels specified in the BoK (Bloom's-Revised: Remember, Understand, Apply, Analyze, Evaluate, Create). Lower-cognition topics get definition/recognition questions; higher-cognition topics get scenario, calculation, and judgment questions. This mirrors the real exam's testing depth per topic.
- Coverage of canonical Six Sigma terminology and tools that the BoK calls out by name: DMAIC and DfSS (DMADV, IDOV); FMEA with RPN = S x O x D and the inverse Detection scale; SIPOC; QFD; CTQ tree; Kano model categories (Must-be, Performance, Excitement, Indifferent); Pareto charts and the vital few; the 8 wastes (DOWNTIME); 5S (Sort/Set/Shine/Standardize/Sustain); Cp = (USL-LSL)/(6 sigma) and Cpk; Pp/Ppk and the 1.5-sigma shift; six sigma = 3.4 DPMO long-term; the seven control charts (X-bar/R, X-bar/s, ImR, median, p, np, c, u); SMED for changeover; kaizen and kaizen blitz; PDCA (attributed to Shewhart and popularized by Deming); TPM with OEE; Andon and Jidoka; first/second/third-party audits; Tuckman team stages; RACI; NGT and brainstorming.
- Card text updated: "Lean Six Sigma Green Belt" was renamed to "Certified Six Sigma Green Belt" matching ASQ's official naming (the official cert is not "Lean Six Sigma" although Lean tools are heavily covered). Phase count changed from "5 (DMAIC)" to "6" reflecting the BoK's actual 6 sections (Overview + DMAIC).
May 2026 (earlier)
CFA L1 added. The first CFA Institute certification on the platform, and the first finance-discipline cert. The bank uses an authentic 3-answer-choice (A/B/C) format throughout, matching how the real CFA Level I exam is written; this is the first cert on the platform that does not use 4 options.
- Certification added: CFA L1, CFA Institute Chartered Financial Analyst Level I (180 questions, 10 topics). The total exactly matches the real exam length (180 questions across two 135-minute sessions). Topic weighting sits at the centre of each published official range: Ethical and Professional Standards 16.7% (range 15-20%), Quantitative Methods 7.2% (6-9%), Economics 7.2% (6-9%), Financial Statement Analysis 12.2% (11-14%), Corporate Issuers 7.2% (6-9%), Equity Investments 12.2% (11-14%), Fixed Income 12.2% (11-14%), Derivatives 6.7% (5-8%), Alternative Investments 8.3% (7-10%), Portfolio Management 10.0% (8-12%). All weights fall within the official ranges.
- Three answer choices (not four): the engine in assets/quiz.js renders q.o.length options dynamically, so 3-option questions render as A/B/C without engine changes. The shuffle mechanism handles 3-option arrays correctly. The bank's question objects use a:0/1/2 instead of a:0/1/2/3. Answer-index distribution after rebalance: 60 each across {0, 1, 2}. The 3-option format is important for authentic preparation; practising with 4 options would be misleading.
- Pass threshold set to 70%. CFA Institute does not publish a fixed cut score; the Minimum Passing Score (MPS) is set per administration via the modified Angoff method and is widely estimated at 65-70%. 70% is a defensible practice anchor; passing this benchmark gives candidates strong confidence going into the real exam, where pass rates have historically been 35-45% (so the bar is meaningful).
- Question style uses canonical CFA stem phrasings throughout: "most likely", "least likely", "best characterized as", "best described as", and the two formal item formats from the exam guide (sentence completion with three unique choices, and direct questions with three unique choices). FSA questions follow IFRS unless explicitly stated as US GAAP, matching the real exam's convention. Coverage of common L1 testing patterns: ethics scenarios mapped to specific Standards (I-VII); time value of money including perpetuities and NPV; CAPM with beta and Sharpe/Treynor/IR ratios; bond pricing including duration and convexity; futures vs forwards distinctions; put-call parity; LBO structure; commodity roll yield; and the IPS as the foundation of the portfolio management process.
May 2026 (earlier)
PSM I added. The first Scrum.org certification on the platform, and the project-management discipline now has 4 of 4 cards available (PMP, CAPM, PRINCE2-F, and PSM I). Bank targets the Scrum Guide November 2020 edition, which is what Scrum.org tests against; the older 2017 Guide is not in scope.
- Certification added: PSM I, Scrum.org Professional Scrum Master I (180 questions, 4 domains: Theory/Values/Framework 17%, Scrum Team 28%, Scrum Events 28%, Artifacts and Done 28%). Pass threshold set to 85% matching the real PSM I cut score (68 of 80 questions, 60-minute timebox), the highest threshold of any cert on the platform.
- The bank reflects the November 2020 Scrum Guide changes that PSM I tests directly: the Scrum Team is now ONE team with no separate "Development Team" sub-team; "self-organizing" was replaced by "self-managing"; the Product Goal was introduced as the commitment for the Product Backlog (commitments now exist for all three artifacts: Product Goal, Sprint Goal, Definition of Done); Sprint Planning has three topics (Why/What/How); the Daily Scrum's three classic questions are no longer prescribed; and the Scrum Master is described as "a true leader who serves" rather than "servant leader". Older 2017 Guide phrasing is intentionally absent.
- Coverage of the most-tested PSM I distinctions: the three pillars (transparency, inspection, adaptation) vs the five values (commitment, focus, openness, respect, courage); accountability boundaries (Product Owner orders the Product Backlog and is the only role that can cancel a Sprint; Scrum Master is accountable for team effectiveness and Scrum being understood; Developers own the Sprint Backlog and are accountable for the Done Increment); the Sprint as a container event for all other events; multiple Increments may be created within a Sprint; only Done work (meeting the Definition of Done) is part of the Increment; the Sprint Goal is a commitment that does not change but the work to achieve it can be renegotiated; Definition of Done can become more stringent over time but not less.
- Question style emphasises common Scrum misconceptions tested at PSM I: the Daily Scrum is for the Developers (not a status meeting for the PO/SM/management); the Scrum Master does not assign tasks (Developers self-manage); the Product Owner cannot override the Developers' technical "How"; the Sprint Backlog is owned by the Developers and updated throughout the Sprint; stakeholders attend Sprint Review (not Sprint Retrospective); Scrum is purposefully incomplete and immutable; Scrum is founded on empiricism AND lean thinking (both, not just one).
May 2026 (earlier)
PRINCE2 Foundation (V7) added. The first AXELOS/PeopleCert certification on the platform, and the first methodology cert that is delivery-approach-agnostic (it tailors to predictive, hybrid, or agile). Bank built against PRINCE2 7 (the 2023 release), not the older v6 syllabus.
- Certification added: PRINCE2-F, PRINCE2 Foundation Version 7 (175 questions, 4 domains: Principles/People/Tailoring 23%, Practices 40%, Processes 29%, Project Performance 9%). Pass threshold set to 60% matching the real PRINCE2 7 Foundation cut score (36 of 60 questions on the live exam), unlike the 70% used for most other certs.
- PRINCE2 7 (released 2023) introduced three changes the bank reflects throughout: Themes were renamed to Practices (the seven practices are now Business Case, Organizing, Plans, Quality, Risk, Issues, Progress; note that the "Change" theme has been merged into the Issues practice); Sustainability is the seventh project performance target alongside time, cost, quality, scope, benefits, and risk; and the People aspect is explicit, covering leadership, team development, and communication. Older v6 terminology (themes, six performance targets) does not appear in the bank.
- Coverage of canonical PRINCE2 7 terminology: 7 principles (continued business justification, learn from experience, defined roles/responsibilities/relationships, manage by stages, manage by exception, focus on products, tailor to suit), 7 practices, 7 processes (Starting up a Project, Directing a Project, Initiating a Project, Controlling a Stage, Managing Product Delivery, Managing a Stage Boundary, Closing a Project), management products (Project Brief, PID, Stage Plan, Team Plan, Exception Plan, Highlight Report, Checkpoint Report, Exception Report, End Stage Report, End Project Report, Lessons Report, Risk Register, Issue Register, Quality Register, Daily Log, Lessons Log, Configuration Item Records), and the four management approaches created during IP (Risk, Quality, Communication, Change Control).
- Question allocation drills into specific Foundation-exam-tested distinctions: time-driven vs event-driven controls (Highlight Report vs Exception Report; Checkpoint Report vs End Stage Assessment), tolerance hierarchy (corporate -> Board -> PM -> Team Manager), threat responses (avoid/reduce/transfer/accept/escalate) vs opportunity responses (exploit/enhance/share/accept/escalate), the three issue types (request for change, off-specification, problem/concern), product-based planning's four steps, the project board interest split (business/user/supplier), and tailoring rules (principles never tailored; processes always applied but scope/formality tailored).
May 2026 (earlier)
CAPM added. The PMI vendor section is now complete (PMP + CAPM both available). CAPM gives a much wider scope than PMP: business analysis is the second-largest domain, agile and predictive get equal billing, and PM fundamentals dominate the weighting.
- Certification added: CAPM, PMI Certified Associate in Project Management (150 questions, 4 domains). Question distribution matches the CAPM ECO 2023 weighting (Project Management Fundamentals and Core Concepts 36%, Predictive Plan-Based Methodologies 17%, Agile Frameworks/Methodologies 20%, Business Analysis Frameworks 27%). Pass threshold set to 70% as the conventional anchor for practice tests; the real exam uses scaled scoring without a published cut score.
- Business analysis weighting (27%) is unusually heavy for a PMI exam and reflects the JTA-driven 2023 ECO redesign. The bank takes BA seriously rather than treating it as an afterthought: stakeholder roles (process owner vs process manager vs product owner vs product manager), elicitation techniques (workshops, interviews, surveys, prototyping), the requirements traceability matrix, the product roadmap, and acceptance criteria are all covered head-on.
- Coverage of canonical PMI/PMBOK 7 terminology: 12 PMBOK 7 principles, 8 performance domains, 5 conflict resolution techniques (Withdraw/Avoid, Smooth/Accommodate, Compromise/Reconcile, Force/Direct, Collaborate/Problem Solve with Collaborate generally preferred), threat responses (Avoid/Transfer/Mitigate/Accept), opportunity responses (Exploit/Enhance/Share/Accept), Earned Value formulas (CV = EV − AC, SV = EV − PV, CPI = EV/AC, SPI = EV/PV), Scrum events and roles, and the four agile families that the ECO calls out by name (Scrum, Kanban, Extreme Programming, Scaled Agile Framework).
- Generation note: bank written with distractor length parity, canonical terminology, and balanced answer-position distribution enforced from first draft, not from a rewrite pass. Distractors are real adjacent PM/agile/BA concepts (other PMBOK performance domains, other agile ceremonies, other elicitation techniques) rather than cartoon-bad alternatives.
May 2026 (earlier)
PMP added. The first project management certification on the platform, opening up a new discipline beyond IT certs. The PMI vendor section now has 1 of 2 cards available (CAPM is still listed as coming soon).
- Certification added: PMP, PMI Project Management Professional (200 questions, 3 domains). Question distribution exactly matches the PMI January 2021 outline weighting (People 42%, Process 50%, Business Environment 8%). Pass threshold set to 70% as the conventional anchor for practice tests; the real exam uses scaled scoring with categorical ratings (Above Target / Target / Below Target / Needs Improvement) per domain.
- Predictive/Agile balance: per the 2021 PMP exam update, about half the real exam covers predictive/waterfall approaches and the other half covers agile/hybrid. The bank reflects this 50/50 split throughout all three domains rather than treating agile as a footnote.
- Question style is scenario-based "BEST first action" reflecting PMP's manager's mindset. The right answer is typically PM-led, collaborative, root-cause-seeking, and value-focused. Wrong answers are typically avoidant, blame-shifting, escalating prematurely, or technical-fix-first when the issue is people.
- Coverage emphasises directly-tested concepts: Tuckman team development stages (Forming → Storming → Norming → Performing → Adjourning); the five PMBOK conflict resolution techniques (Withdraw/Avoid, Smooth/Accommodate, Compromise/Reconcile, Force/Direct, Collaborate/Problem Solve, with Collaborate generally preferred); Earned Value Management formulas (CV=EV−AC, SV=EV−PV, CPI=EV/AC, SPI=EV/PV, EAC=BAC/CPI); risk strategies (Avoid/Transfer/Mitigate/Accept for threats; Exploit/Enhance/Share/Accept for opportunities); communication channels formula n(n−1)/2; Scrum events and roles (sprint planning, daily Scrum, sprint review, retrospective; product owner, Scrum Master, team); servant leadership.
May 2026 (earlier)
AZ-900 added. Microsoft's Azure Fundamentals is now live, expanding cloud coverage beyond AWS and adding the first Microsoft cert.
- Certification added: AZ-900, Microsoft Azure Fundamentals (150 questions, 3 skill areas). Question distribution matches the January 14, 2026 outline weighting (Cloud Concepts 28%, Azure Architecture and Services 37%, Azure Management and Governance 35%). Pass threshold set to 70% to match the 700/1000 cut score.
- Naming reflects current Microsoft branding: Microsoft Entra ID (formerly Azure AD), Microsoft Entra Domain Services (formerly Azure AD DS), Microsoft Defender for Cloud (formerly Azure Security Center + Azure Defender), Microsoft Purview (formerly Azure Purview). One question explicitly tests rebrand recognition since this is a known exam pattern.
- Coverage emphasises distinctions the exam tests directly: Azure Policy vs RBAC vs resource locks (different governance layers), Region vs Availability Zone vs Region Pair, Cost Management vs Pricing Calculator vs TCO Calculator, Azure Arc vs Azure Stack (project-into-Azure vs run-Azure-on-prem), IaaS/PaaS/SaaS responsibility boundaries.
May 2026 (earlier)
CISSP added. The senior cybersecurity credential is now live. ISC2's vendor section is complete (CC + CISSP both available), and the cybersecurity vendor section now has 9 of 9 cards available.
- Certification added: CISSP, ISC2 Certified Information Systems Security Professional (200 questions, 8 domains). Question distribution exactly matches the ISC2 CISSP Exam Outline weighting (Risk Management 16%, Asset Security 10%, Architecture 13%, Network Security 13%, IAM 13%, Assessment 12%, Operations 13%, Software Security 10%). Pass threshold set to 70% to match the 700/1000 scaled cut score.
- Question style mixes the famous "BEST answer" / manager's-mindset pattern (where two or more options are technically correct but only one is most appropriate given scenario constraints) with direct factual questions for security models, cryptanalytic attacks, and AAA terminology. Both styles appear on the real CISSP CAT exam.
- AI security integration: per the current CISSP outline, AI security concepts are distributed across all 8 domains (data poisoning under Asset Security, prompt injection and Explainable AI under Architecture, AI in NDR under Network Security, behavioural biometrics under IAM, AI red teaming under Assessment, model drift under Operations, AI-assisted coding risks under Software Security).
- Per-session default raised to 25 (vs 20 for other certs) reflecting CISSP's longer exam length (100-150 items, 3 hours, computer adaptive). The session-length selector still allows 10/20/50/Full bank.
May 2026 (earlier)
ISC2 Certified in Cybersecurity (CC) added. The first ISC2 cert and first vendor-neutral entry-level credential on the platform.
- Certification added: CC, ISC2 Certified in Cybersecurity (150 questions, 5 domains). Question distribution exactly matches the ISC2 CC Exam Outline weighting (Security Principles 26%, BC/DR/IR 10%, Access Controls 22%, Network Security 24%, Security Operations 18%). Pass threshold set to 70% to match the 700/1000 cut score.
- Question depth matches CC's actual entry-level character rather than being artificially harder. CC is designed for newcomers without prior IT experience; questions test foundational vocabulary and concept recognition (CIA triad, MFA factors, access control models, port basics, ISC2 Code of Ethics canon order) rather than scenario-deep judgement.
- Note: ISC2 announced a new CC Exam Outline effective September 1, 2026 that integrates AI security concepts (model poisoning, model drift, AI access controls, LLM data leakage). This bank targets the current outline (effective Oct 1, 2025); a refresh will be needed when the new outline takes effect.
May 2026 (earlier)
Network+ added. CompTIA's networking baseline is now live, completing the Net+/Sec+ pair that many candidates take together.
- Certification added: N10-009, CompTIA Network+ V9 (150 questions, 5 domains). Question distribution exactly matches the CompTIA exam objectives weighting (Networking Concepts 23%, Network Implementation 20%, Network Operations 19%, Network Security 14%, Network Troubleshooting 24%). Pass threshold set to 80% to match the 720/900 scaled cut score.
- Question style mixes scenario-based judgement (troubleshooting, design choices) with direct recall where the exam tests it (port numbers, OSI layer placement, subnet math). Several questions test the canonical 7-step troubleshooting methodology in order, which appears repeatedly on the real exam.
- Stats grid spacing fix: cells now have horizontal padding so the numbers and labels are not flush against the frame border or vertical dividers.
May 2026 (continued)
Security+ added; session-length selector live. CompTIA Security+ is the first vendor-neutral cert on the platform.
- Certification added: SY0-701, CompTIA Security+ (150 questions, 5 domains). Question distribution exactly matches the CompTIA exam objectives weighting (General Concepts 12%, Threats & Vulnerabilities 22%, Architecture 18%, Operations 28%, Program Management 20%). Pass threshold set to 83% to match the 750/900 scaled cut score, the highest in the catalog. Questions test scenario-based judgement on access control models, Zero Trust components, social engineering techniques, vulnerability indicators, incident response phases, risk metrics (SLE/ALE/ARO), and the dense acronym vocabulary the real exam emphasises.
- Note on PBQs: the real SY0-701 exam includes Performance-Based Questions (drag-and-drop network diagrams, log analysis, configuration screens). The Certmesa engine is multiple-choice only, so PBQ-style scenarios are written as text-based questions that test the same underlying knowledge. The cert page discloses this.
- Platform: session-length selector added to all cert pages. Users can pick 10 / 20 / 50 / Full bank for any cert, replacing the fixed-length sessions. Defaults stay at the per-cert recommended value (10 for CrowdStrike, 20 for AWS and Security+) and reset on each visit.
May 2026 (earlier)
AWS coverage. Both AWS certifications are now live with scenario-based banks.
- Certification added: SAA-C03, AWS Certified Solutions Architect - Associate (200 questions, 4 domains). Question distribution exactly matches the exam guide weighting (Secure 30%, Resilient 26%, High-Performing 24%, Cost-Optimized 20%). Pass threshold set to 72% to match the official 720/1000 cut score. Questions are scenario-driven, requiring the candidate to weigh constraints (RPO/RTO, cost, operational overhead) and choose the best-fit AWS design.
- Bank revised: CLF-C02 rebuilt from softball identification questions to 211 scenario-based questions matching real exam difficulty. Domain weighting brought into line with the exam guide (Cloud Concepts 23%, Security 32%, Tech 34%, Billing 11%). Distractors are now closely-related services rather than obvious wrong answers.
- Practice session length set to 20 questions for both AWS certs to better match real exam pacing.
May 2026
Launch. First release of Certmesa, focused on the CrowdStrike Falcon analyst path.
- Certification added: CCFA, Certified Falcon Administrator (100 questions, 8 domains).
- Certification added: CCFR, Certified Falcon Responder (100 questions, 6 domains).
- Certification added: CCFH, Certified Falcon Hunter (100 questions, 7 domains).
- Certification added: CCIS, Certified Identity Specialist (100 questions, 12 domains).
- Certification added: CCCS, Certified Cloud Specialist (100 questions, 7 domains).
- Aggregate counter dashboard published on the stats page, showing test starts, completions and average scores per certification. No personal data collected.
- Privacy notice published. Imprint published in compliance with French LCEN article 6-III.
- Thirteen further certifications across CompTIA, ISC², AWS, Microsoft, PMI, AXELOS, Scrum.org, CFA Institute and ASQ pre-staged for upcoming addition.