CISSP AI Learning Hub

WEEKS TOTAL

DOMAINS

3000+

PRACTICE Q's

1st

ATTEMPT TARGET

📍 6-Week AI-Powered Roadmap

⚡ How to Use This Roadmap with Claude:
Each day → Ask Claude the exact prompt shown. Claude = your personal CISSP tutor. No PDF needed. Click any week to see the daily plan + what to ask Claude that day.

WEEK 1 — PHASE 1: FOUNDATION ▼ Click to expand

D1: Security & Risk Management (16% — Most Important)

Risk formulas · BCP/DRP · Legal frameworks · Ethics · Governance

HARDEST MINDSET 16% WEIGHT MANAGER THINKING

DAY 1

Risk Management Fundamentals — ALE, SLE, ARO formulas. Threat vs Vulnerability vs Risk

Ask: "Teach me CISSP D1 risk formulas with solved examples"

DAY 2

Governance & Frameworks — NIST RMF, ISO 27001, COBIT. Policy vs Standard vs Guideline

Ask: "Quiz me on CISSP governance frameworks D1"

DAY 3

Legal & Regulations — GDPR, HIPAA, SOX, PCI-DSS, CCPA differences

Ask: "Comparison table GDPR vs HIPAA vs SOX for CISSP"

DAY 4

BCP / DRP — RTO, RPO, MTD, BIA process, recovery strategies

Ask: "Teach CISSP BCP vs DRP with scenario questions"

DAY 5

Ethics + Personnel Security — (ISC)² Code of Ethics, NDA, separation of duties

Ask: "CISSP ethics scenario drill — 10 questions"

DAY 6-7

D1 Full Review + 50 Practice Questions — Focus on manager mindset answers

Ask: "Give me 20 CISSP D1 scenario-based exam questions"

WEEK 2 — PHASE 1: ASSETS ▼ Click to expand

D2: Asset Security (10%) + D8: Software Development Security (10%)

Data classification · Ownership roles · SDLC · STRIDE · Threat modeling

QUICK WINS 20% COMBINED

DAY 1-2

D2 Asset Security — Data classification (Gov/Corporate), Owner vs Custodian vs User roles, NIST 800-88 destruction

Ask: "Teach D2 asset security roles and data classification for CISSP"

DAY 3-4

D8 Software Security — SDLC phases, STRIDE threat model, Static vs Dynamic analysis, OWASP Top 10

Ask: "CISSP D8 SDLC and threat modeling — teach and quiz me"

DAY 5-7

Review + 60 Questions — Mixed D2+D8 practice, review wrong answers with Claude

Ask: "30 mixed CISSP D2 and D8 exam questions with explanations"

WEEK 3 — PHASE 2: HARDEST DOMAIN ▼ Click to expand

D3: Security Architecture & Engineering (13%) — GIVE THIS EXTRA TIME

Security models · Cryptography · Cloud security · Common Criteria

HARDEST DOMAIN CRYPTO HEAVY 13% WEIGHT

DAY 1

Security Models — Bell-LaPadula (confidentiality), Biba (integrity), Clark-Wilson, Brewer-Nash. Know which model = which property

Ask: "Teach CISSP D3 security models with comparison table and quiz"

DAY 2

Cryptography Part 1 — Symmetric (AES, DES, 3DES), Asymmetric (RSA, ECC), Key lengths, use cases

Ask: "CISSP crypto symmetric vs asymmetric — teach then 15 questions"

DAY 3

Cryptography Part 2 — PKI, digital signatures, hashing (MD5/SHA), certificates, CA hierarchy

Ask: "CISSP PKI and digital signatures deep dive with scenarios"

DAY 4

Common Criteria + Evaluation — EAL levels 1–7, TOE, PP, ST, TCSEC, ITSEC

Ask: "Explain CISSP Common Criteria EAL levels simply with examples"

DAY 5-7

Full D3 Review + 70 Questions — Focus on crypto questions (most tricky)

Ask: "40 CISSP D3 exam questions, heavy on cryptography"

WEEK 4 — PHASE 2: YOUR STRENGTHS ▼ Click to expand

D4: Network Security (13%) + D5: IAM (13%) — Use your 13yr advantage

OSI attacks · Firewall types · VPN · SSO · SAML · Kerberos · Zero Trust

YOUR STRENGTH 26% COMBINED BEWARE TRAPS

DAY 1-2

D4 Network Security — Focus on CISSP-style questions (not config). OSI attack mapping, VPN types, wireless EAP variants, firewall placement

Ask: "CISSP D4 tricky scenario questions on network security — I'm a network engineer so test my conceptual gaps"

DAY 3-5

D5 IAM Deep Dive — Authentication factors, SSO, SAML 2.0 flow, OAuth 2.0 vs OIDC, Kerberos (AS→TGS→TGT), PAM, provisioning lifecycle

Ask: "Teach CISSP D5 IAM — federation protocols SAML vs OAuth vs OIDC with diagrams and 20 questions"

DAY 6-7

D4+D5 Mixed Questions — 80 questions total, flag all wrong, review with Claude

Ask: "Explain why my answer was wrong: [paste wrong question + your answer]"

WEEK 5 — PHASE 3: OPERATIONS ▼ Click to expand

D6: Security Assessment (12%) + D7: Security Operations (13%)

Pen test phases · IR lifecycle · Forensics · Change management · BCP/DRP operations

VAPT ADVANTAGE 25% COMBINED

DAY 1-2

D6 Assessment & Testing — Pen test phases CISSP-style, VA vs PT vs Red Team, audit types, CVSS scoring

Ask: "CISSP D6 — test me on assessment types, my background is VAPT so challenge me conceptually"

DAY 3-5

D7 Security Operations — IR lifecycle (6 phases), forensics chain of custody, change management, patch management, DR operations

Ask: "CISSP D7 incident response and forensics — 25 scenario questions"

DAY 6-7

Full ops review — 80 mixed questions D6+D7. Focus on: what to do FIRST in incident scenarios

Ask: "Give me 30 CISSP D7 'what do you do FIRST' scenario questions"

WEEK 6 — PHASE 4: FINAL SPRINT 🚀 ▼ Click to expand

Full Mock Exams + Weak Domain Blitz + Exam Day Strategy

3 full mock exams · Wrong answer review · Mental preparation · Exam day checklist

FINAL SPRINT EXAM READY

DAY 1-2

Full Mock Exam 1 — 150 questions, timed (3 hours). Score yourself. List all wrong answers by domain

Ask: "Give me 50 CISSP mixed-domain exam questions with manager mindset"

DAY 3

Weak Domain Blitz — Revisit your 2 lowest scoring domains with Claude deep-dive

Ask: "I'm weak on [domain] — give me a 30-min crash review and 20 questions"

DAY 4-5

Full Mock Exam 2+3 — Focus on question elimination strategy. Must score 75%+ to be ready

Ask: "CISSP exam strategy — teach me elimination technique for tricky questions"

DAY 6

Light Review Only — Key formulas, ethics, models. NO new topics. Mental rest

Ask: "Give me a 1-page CISSP cheat sheet — formulas, models, acronyms only"

DAY 7

EXAM DAY — Sleep well, eat, arrive 30min early. Think MANAGER not engineer. Trust first instinct

You've got this. 13 years prepared you. 🎯

🧠 All 8 Domains — Quick Reference

DOMAIN 01

Security & Risk Management

EXAM WEIGHT: 16%

Key Topics: Risk formulas (ALE/SLE/ARO), BCP/DRP, GDPR/HIPAA/SOX, (ISC)² Ethics, Governance frameworks, Threat modeling

⚠ MINDSET SHIFT REQUIRED

DOMAIN 02

Asset Security

EXAM WEIGHT: 10%

Key Topics: Data classification, Owner/Custodian/User roles, NIST 800-88, Data lifecycle, Scoping & tailoring

✓ QUICK WIN

DOMAIN 03

Security Architecture & Engineering

EXAM WEIGHT: 13%

Key Topics: Bell-LaPadula, Biba, Clark-Wilson, Cryptography (PKI/AES/RSA), Common Criteria EAL, Cloud security models

🔴 HARDEST — EXTRA TIME

DOMAIN 04

Communication & Network Security

EXAM WEIGHT: 13%

Key Topics: OSI attack mapping, Firewall types, IPSec/VPN, Wireless EAP variants, Network segmentation, Protocols

✓ YOUR STRENGTH

DOMAIN 05

Identity & Access Management

EXAM WEIGHT: 13%

Key Topics: MFA, SAML/OAuth/OIDC, Kerberos flow, Provisioning lifecycle, PAM, Zero Trust, SSO

✓ CISSP FOCUS: FEDERATION

DOMAIN 06

Security Assessment & Testing

EXAM WEIGHT: 12%

Key Topics: Pen test phases, VA vs PT vs Red Team, Audit types, CVSS, Code review, Security metrics

✓ VAPT BACKGROUND HELPS

DOMAIN 07

Security Operations

EXAM WEIGHT: 13%

Key Topics: IR lifecycle (6 phases), Forensics & chain of custody, Change management, Patch mgmt, BCP/DRP operations, SIEM

⚠ BEWARE: PROCESS QUESTIONS

DOMAIN 08

Software Development Security

EXAM WEIGHT: 10%

Key Topics: SDLC phases, STRIDE/DREAD/PASTA, Static vs Dynamic analysis, OWASP Top 10, DevSecOps, Secure coding

⚠ FOCUS: SDLC CONCEPTS

🤖 This is your AI Learning System: Copy any prompt below and paste it to Claude. These are optimized prompts that replace 1800+ pages of PDF study. Click any prompt to copy it.

🎓 Core Learning Prompts

PURPOSE	COPY THIS PROMPT
Teach any domain	Teach me CISSP Domain [X] like I'm a 13-year network security engineer. Skip basics. Use tables, give real-world analogies, highlight what the exam specifically tests. End with 10 scenario questions.📋 copy
Concept clarification	I'm confused about [concept] in CISSP. Explain it simply with an analogy, show me where it appears in the exam, and give me 3 example questions where this concept is tested.📋 copy
Practice drill	Give me 20 CISSP Domain [X] scenario questions. After I answer each, tell me if I'm right/wrong and explain WHY the correct answer is correct and why the others are wrong. Manager mindset questions only.📋 copy
Wrong answer analysis	I answered this CISSP question wrong: [PASTE QUESTION]. I chose [X] but correct was [Y]. Explain why my engineer thinking led me wrong and how a CISO would think about this.📋 copy
Quick comparison	Create a comparison table for CISSP: [Topic A] vs [Topic B] vs [Topic C]. Columns: Definition, Key property, When used, Exam trick. Keep it concise.📋 copy
Daily revision	I have 30 minutes. Quiz me on CISSP weak areas: [domain]. Give 15 rapid-fire questions. After each answer, give instant feedback. Track my score at the end.📋 copy

⚡ Domain-Specific Power Prompts

DOMAIN	POWER PROMPT
D1 — Risk	Teach CISSP risk quantitative formulas: ALE, SLE, ARO, AV, EF. Give me 5 solved math problems like the real exam. Then give 10 scenario questions where I choose the best risk response (Accept/Mitigate/Transfer/Avoid).📋 copy
D3 — Crypto	I struggle with CISSP cryptography. Teach me: symmetric vs asymmetric, PKI chain of trust, digital signatures vs encryption, hashing algorithms. Use the 'post office' analogy. Then 15 questions.📋 copy
D3 — Models	Create a cheat sheet for CISSP security models: Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, Graham-Denning. Table format: Model name \| Property protected \| Simple rule \| Exam trick📋 copy
D5 — IAM	Teach me CISSP IAM federation: SAML 2.0 flow, OAuth 2.0 vs OIDC, Kerberos TGT/TGS process. Draw text-based flow diagrams. Then give 15 questions that test understanding not memorization.📋 copy
D7 — IR	Give me 20 CISSP incident response scenario questions. Each one should ask 'What do you do FIRST?' I'm prone to jumping to technical action — challenge me to think process-first.📋 copy
Full Mock	Generate a 50-question CISSP mock exam. Mix all 8 domains proportionally by weight. All scenario-based. After I finish, give me domain-wise score analysis and top 3 weak areas to focus on.📋 copy

⚠️ Critical Mistakes — Before & During Exam

🔴 BEFORE EXAM — Fatal Mistakes

❌

Studying only from PDF/textbook — missing conceptual understanding. With AI, you can get instant clarification instead of re-reading 50 pages.

❌

Skipping D1 because "it seems theory." It's 16% — single biggest domain. Most exam failures happen here.

❌

Doing fewer than 2,000 practice questions. Knowledge without question practice = guaranteed failure on CAT exam.

❌

Thinking your technical background is enough. CISSP rewards management thinking, not engineering depth.

❌

Not reviewing WRONG answers. Most people skip this. Your mistakes are where the real learning happens.

❌

Studying D3 crypto too lightly. It's the hardest domain and needs 2x the time of other domains.

✅ FIXES — What First-Timers Do Right

✅

Use AI for every concept gap — 30-second clarification instead of searching PDF for 20 minutes.

✅

Practice "what do you do FIRST?" questions daily. Train your brain to think process before action.

✅

Do domain-specific sessions then cross-domain mixed. Builds both depth and exam stamina.

✅

Bookmark every wrong answer — paste into Claude: "Why was my answer wrong?" Do this after every session.

✅

Score 75%+ on 3 consecutive mock exams before booking the real exam. Non-negotiable threshold.

✅

The night before: STOP studying. Light review only. Rest is more valuable than last-minute cramming.

🔴 DURING EXAM — Thinking Traps

⚠️

"I'd actually do X in real life" — The exam doesn't care what you'd do. It asks what you SHOULD do per best practice.

⚠️

Jumping to technical action — 70% of the time, the answer involves assessing, reporting, or following a process BEFORE technical action.

⚠️

Ignoring answer options — CISSP has 2 "close" answers per question. Read all 4 before deciding. The difference is subtle.

⚠️

Panicking at question count (CAT) — CAT stops when it's confident. If you get 100 questions, that's good. If you get 150, stay calm.

⚠️

Over-flagging — Max flag 10 questions. Flagging 50+ eats your time and confidence on review.

✅ EXAM DAY STRATEGY

🎯

The CISO Test: Before answering, ask "What would a CISO recommend to the board?" Not "what would I configure?"

🎯

Eliminate 2 first: Usually 2 options are clearly wrong. Focus on the 2 remaining. Look for "most comprehensive" or "first step."

🎯

Time: 1.7 min/question: With 150 questions = 255 min (4hr 15min). Keep a mental pace check every 30 questions.

🎯

First instinct is usually right: Studies show changing answers reduces scores. Only change if you find a clear logical error in your reasoning.

🎯

At 50 questions, take a 2-min mental break. Breathe. Reset. The exam is a marathon not a sprint.

🎯 Mindset Drill — Manager vs Engineer Thinking

⚡ The #1 reason experienced engineers fail CISSP: They answer as engineers. You must answer as a CISO recommending to the board. Practice this mental switch below. Click the options to see if you're thinking right.

SCENARIO QUESTION 01

A developer reports that a critical vulnerability exists in production code. The system handles customer PII. What should you do FIRST?

Immediately patch the vulnerability and push to production

Disable the system until the vulnerability is fixed

Assess the risk, determine impact, and follow change management process

✅ CISSP answer: Always assess first. Change management protects against unintended consequences. Manager thinks risk and process.

Notify affected customers about the vulnerability

SCENARIO QUESTION 02

Your organization needs to implement access control for a new financial system. Which access control model is MOST appropriate?

DAC — Users control access to resources they own

MAC — Access determined by classification labels, not user discretion

✅ Financial systems need strict control. MAC removes user discretion, preventing unauthorized data access. Labels enforce separation of duties.

RBAC — Access based on job function

ABAC — Access based on user and resource attributes

SCENARIO QUESTION 03

During a security audit, you discover employees are sharing passwords. Management is aware but says changing this would disrupt operations. What do you do?

Immediately enforce password policy and lock shared accounts

Accept the risk since management is aware and approved it

Report the issue to regulatory authorities

Document the risk formally, present business impact to management, and get formal risk acceptance in writing

✅ CISSP answer: Document and escalate properly. Risk acceptance must be formal and in writing. The security professional advises — management decides. CYA principle.

SCENARIO QUESTION 04

You receive an alert that a server may be compromised. What is the FIRST action?

Immediately shut down the server to prevent data loss

Run antivirus to remove the malware

Contain the system (isolate from network) while preserving evidence for forensics

✅ Containment first — stop the spread. But don't shut down (destroys volatile evidence). Forensics preservation is key. This is IR Phase 3: Containment.

Notify all affected users and customers immediately

📊 Study Progress Tracker

OVERALL PROGRESS

Click each domain to cycle status: Not Started → In Progress → Completed ✓

Risk Mgmt

16%

Not Started

Asset Sec

10%

Not Started

Architecture

13%

Not Started

Network

13%

Not Started

IAM

13%

Not Started

Assessment

12%

Not Started

Operations

13%

Not Started

Software

10%

Not Started

📝 Daily Study Log