Acing the World's Hardest Cyber Security Exam with 3 Days of Study
I passed the world's hardest cybersecurity exam with only 3 days of study.
What exam was it?
CISSP (Certified Information Systems Security Professional)
Why is it so hard?
- The exam covers 8 domains.
The CISSP is described as mile-wide, inch-deep. You need to know a lot of things, but not specifics.
- The exam is a maximum of 150 questions and 3 hours
The exam is very, very long. You could spend 3 hours on the exam.
You can either finish at 100 if you answered perfectly, or finish at 150.
- It uses an evil AI
The exam has an evil AI that learns what topics you suck at, and asks questions about those topics.
This means that every single question has been optimally chosen to make you fail.
If the AI cannot best you, you pass at 100.
In the worst case, you have 150 questions to try and best the AI and make it believe you are proficient in all 8 domains.
- It has some weird topics
Despite being a cyber security exam, you have to learn a lot of things. For example:
- Aspirating vs ionising smoke alarms
- Bollards or fences for physical security?
- The difference between RADIUS and IPsec
- How GDPR laws interact with the data laws in the rest of the world
- Bastions vs zero trust
etc etc
- 25 questions on the CISSP are there to trick you.
These questions do not add to your score.
They are designed to jeer at you and psychologically torture you.
These are "beta" questions, and you can tell they're beta because they are painful.
How long did it take for you to pass?
It took me around 50ish minutes (maybe 50 mins to an hour, I have no idea. I had no way to keep track of the time. I didn't see any clocks anywhere).
I started the exam at 12:30, and at 13:30 I had retrieved my items from my locker and left the building, and had turned my phone on to celebrate with my friends.
Wow! What's your background?
Instead of telling you, you can find out 😄
- GitHub: https://github.com/bee-san
- LinkedIn: https://www.linkedin.com/in/autumnskerritt/
How many hours did you study for?
68 hours (so under 3 days of study)
I tracked every single hour I studied. I do this with Japanese learning, so I decided to do it for CISSP.
I used Toggl to track my hours.
What! That's so little
It's not "68 hours spent watching Netflix with a CISSP book in front of me"
It's 68 hours of dedicated study. I didn't do anything lazy.
I started studying in May, so this is like almost 45 minutes a day.
What did you do to study?
I studied CISSP the same way I study Japanese.
In Japanese, you learn the language by:

Read a book -> Make flashcards of things you don't know -> Study flashcards -> Read a book... (repeat)
Generically you can turn this into:
Test yourself -> Make flashcards of things you don't know -> Study flashcards -> Test yourself...

I did this exactly for CISSP.
I spent 50 hours in Anki (my flashcard app of choice), and 18 hours testing myself or making flashcards.
How did you test yourself?
I used https://quantumexams.com/
They have many CISSP-like mock tests.
But Quantum Exams is not enough.
It teaches you the mindset and lets you test yourself, but it doesn't teach you the material.
What study materials did you use?
My goal is not to become a CISSP.
My goal is to become the best security engineer out there.
I did not study with any CISSP specific resources.
No OSG book. No YouTube videos.
If I came across something like STRIDE and wanted to learn more, I would look at general threat modelling blogs / documentation.
This blog post is excellent:

How many flashcards did you make?
I made 2231 flashcards.
I had studied 1971 to maturity by my test.
Maturity means Anki is sure I know that flashcard.
I have 88 flashcards I am still learning (mostly around data processing roles)

What were you scoring on Quantum Exams?
Some people use Quantum Exam scores to gauge if they are ready for the test or not; this is for you.
I sat 9 Quantum Exam tests.
- 5 practice at 100 questions
- 3 CAT (CAT is the evil AI)
My first ever mock practice test I scored 45% on.
My last practice mocks (around 3 weeks before my test) I scored 65% on.
My first CAT exam I scored 960/1000 within 1 hour.
2 days later, I scored 1000/1000 within 1 hour.
My last CAT (2 days before my exam) I scored 995/1000 within 1 hour.
In terms of points on CAT I was averaging 71%.
I also took most CAT tests while doing laundry / eating / watching Pokemon, so the fact that I scored so highly despite that was a good indication I will pass the real test.

So you memorised everything in CISSP?
Kinda.
Bloom's taxonomy states the first step to learning is to memorise.
Anyone that learns Japanese can tell you, you do not learn the words in Anki. You merely prime your brain to learn them from immersion.
Same for CISSP.
I did not learn things in Anki, I just memorised facts and had to synthesise applications of these factoids on the tests.
For what it's worth, my friend is studying CISSP the same way as me and he is scoring greatly on QE under 45 minutes.
We both firmly believe that everyone should use Anki for CISSP, and you should learn to apply this knowledge in QE.
Was the exam hard?
Yes, very very hard.
The first 50 questions went by so so so fast.
I think this is because of how much I had memorised.
They would ask me a question and the answer came to me instantly without even looking at the options presented to me.
If it required me to think, often my thought process was:
Well, it can't be X because of [fact I memorised in Anki]
At around question 70 it started to get very hard.
I went from almost instantly answering to being stuck and having to think long and hard.
Question 90 and above made me so anxious. I wanted to puke. I wanted to cry. I had to look around the room just to distract myself from my lack of knowledge and preparation.
I felt so entirely positive I was going to fail.
When I passed and it asked me to complete a survey I couldn't believe it. I felt like the survey was going to be like "so.... what did you use to study? Cause no one has ever failed as hard as you :/"
Even now as I write this I cannot believe I passed.
Did you use any books etc?
No, my only sources were Quantum Exams and random blog posts about topics.
I have a learning disability. I cannot for the life of me sit through a whole textbook or 6 hour YouTube video.
It simply doesn't sink in.
For example, I have read Genki 1 and Tae Kim's grammar guide (Japanese stuff) maybe 10 times now.
I can't tell you what either of them contain. This is not how I learn. I learn by doing (testing myself) and correcting my mistakes.
Do you have any tips for the exam?
Yeah, here is how I answered the exam questions.
Please note I have a learning disability. I cannot read long texts very well.
- Pick out keywords
Straight up I ignored the whole question and scanned it for keywords. Quantum Exams is good here to teach you what the keywords generally are.
- Read the question again
This time I reread the question in full knowing the keywords to see if I missed any.
- Repeat all keywords in my head
- Pattern match. Usually this is where Anki kicks in and I instantly know the answer. This is basically a flashcard for me now.
- If I do not have the answer, I pick out the keywords in the potential answers
Yes, I don't even bother reading the answers until I know I have to. I know, I know. I really should have. But if I did that my disability would mean I would get SO tired and not be able to complete the exam.
Sometimes I did read the answers in full if there were slight variations between them.
What did your flashcards look like?
So simple.

The line represents the back of the card.
So the front is:
What is a KRI meant to measure?
And the back is:
Future risk
Please read this on how to make great flashcards:

What do you think of LearnZapp / Destination / blah
In my opinion LearnZapp violates the flashcard law of "make your own flashcards", so I never even checked it out.
No idea on Destination either. I didn't even look at them.
In my opinion you don't need anything other than Quantum Exams and Anki.
I am only writing this because people asked me 🤷‍♀️
What's next?
Now that CISSP is over I can spend more time learning Japanese :D
I also plan to go back to content creation, for cyber security content. I took a bit of a break as I moved to Tokyo 🥳