The ISACA CCOA certification is ISACA's first credential built specifically for hands-on security operations work, and it is one of the most interesting new entries on the cybersecurity map in 2026. If you work in a security operations centre, want to break into one, or are weighing CCOA against the better-known CompTIA CySA+, this guide breaks down exactly what the exam covers, what it costs, how hard it is, and whether it is worth your time and money this year.
CCOA stands for Certified Cybersecurity Operations Analyst. Unlike most of ISACA's portfolio, which leans towards governance, audit and management (think CISA, CISM and CRISC), CCOA is a technical, practitioner-level certification aimed at the people who actually sit at the SOC console: triaging alerts, hunting threats and running incident response. That makes it a genuinely different proposition from anything else ISACA has offered, and a direct rival to CySA+ for the SOC analyst job market.
What Is the ISACA CCOA Certification?
CCOA validates that you can do the day-to-day work of a security operations analyst, not just describe it. It targets early to mid-career professionals, roughly those with two to three years of experience, who want to prove practical competence in threat detection, incident response and security monitoring.
The defining feature is that the exam is hands-on. Rather than only asking you to recognise the right answer, CCOA puts you in front of real open-source tools and asks you to use them. Candidates are expected to be comfortable with utilities such as Wireshark and Security Onion, and to analyse alerts the way an analyst would on shift.
Exam Tip: CCOA is one of the few analyst-level certifications where you are tested on tool proficiency directly. Reading about Wireshark is not enough. You need to have actually captured and filtered packets before exam day.
This is ISACA aiming squarely at the practical skills gap that purely theoretical entry certifications leave behind. Security+ proves you understand the concepts. CCOA is designed to prove you can apply them inside a live SOC workflow.
CCOA Exam Domains
The CCOA exam is built on five job practice domains. Each one maps to a real cluster of SOC responsibilities rather than abstract theory.
- Domain 1: Technology Essentials. The networking, operating system and infrastructure foundations an analyst needs to interpret what they are seeing on the wire and on the host.
- Domain 2: Cybersecurity Principles and Risk. Core security concepts, the threat landscape, and how risk shapes monitoring and response priorities.
- Domain 3: Adversarial Tactics, Techniques and Procedures. How attackers actually operate, mapped to the behaviours you will detect and investigate.
- Domain 4: Incident Detection and Response. Detecting threats using SIEM platforms, triaging alerts, and responding to incidents following established playbooks.
- Domain 5: Securing Assets. Hardening and protecting the systems, data and identities the SOC defends.
The weighting leans towards detection, response and adversary behaviour, which is exactly where a working analyst spends most of their time. If you want to know what the day job feels like, Domains 3 and 4 are the heart of it.
CCOA Exam Format and Passing Score
CCOA uses a hybrid format that blends traditional multiple-choice questions with performance-based questions (PBQs) that require you to work inside real tools.
| Detail | CCOA specification |
|---|---|
| Total questions | 140 (115 multiple choice, 25 performance based) |
| Exam duration | 4 hours |
| Scoring scale | 200 to 800 (scaled) |
| Passing score | 450 or higher |
| Prerequisites | None |
| Question style | Multiple choice plus hands-on PBQs using open-source tools |
The 25 performance-based questions are what set this exam apart, and they are also what catches people out. A PBQ might drop you into a packet capture and ask you to identify the malicious flow, or hand you a set of SIEM alerts and ask you to determine the scope of an incident. You cannot bluff these. You either know how to drive the tool or you do not.
Exam Tip: ISACA converts your raw result to a scaled score from 200 to 800, and you need 450 or higher to pass. Because the scale is fixed, do not waste exam time trying to calculate how many questions you can afford to miss. Treat every PBQ as if it counts heavily, because they do.
There are no formal prerequisites, so the exam is open to anyone, but do not read that as "beginner friendly". The hands-on questions assume real comfort with analyst tooling.
How Much Does CCOA Cost in 2026?
CCOA pricing in 2026 depends on whether you hold ISACA membership.
| Item | ISACA member | Non-member |
|---|---|---|
| Exam registration | $399 | $499 |
| Exam extension (6 months) | $75 | $75 |
ISACA membership carries its own annual fee, so the "member" price only saves you money overall if you are already a member or plan to use other ISACA benefits. For a one-off CCOA attempt, most candidates simply pay the non-member rate.
Compared with lab-heavy certifications that run well over a thousand dollars, CCOA is a relatively affordable way to get a hands-on, performance-based credential. That cost-effectiveness is one of its strongest selling points for individuals and for employers trying to set a consistent skills baseline across a SOC team.
Ongoing CPE and Renewal Costs
CCOA is not a one-and-done certification. To keep it active you must earn and report Continuing Professional Education (CPE) hours:
- A minimum of 20 CPE hours every year, and
- A total of 120 CPE hours over each three-year reporting period.
Factor this in before you commit. The renewal admin is modest, but it is real, and it is the same model ISACA uses across its other certifications.
Is the CCOA Certification Worth It in 2026?
Here is the honest verdict. CCOA is worth it if you want or already hold a SOC analyst role and you want a credential that proves you can actually operate, not just recite. It is less compelling if you are chasing broad name recognition or a governance and management career path, where CISM, CISA or CISSP still carry more weight.
The case in favour is strong:
- It proves practical skill. Employers increasingly distrust paper certifications. A credential with 25 hands-on PBQs is hard to fake, which makes it a credible signal for hiring managers.
- The salary band is healthy. A cybersecurity operations analyst earns around $99,400 on average, with the broader range running from roughly $43,000 to $150,000 depending on seniority and location (source: web salary data). CCOA can support a five to ten per cent uplift for early-career analysts.
- It is affordable for what it tests. A performance-based exam for a few hundred dollars is good value next to lab certifications costing several times more.
- Government recognition is coming. While CySA+ currently has the edge on DoD 8140 mapping, CCOA's approval is anticipated during 2026, which would widen its appeal for public-sector and contractor roles.
The case against is mostly about maturity. CCOA is new, so it does not yet have the years of brand recognition that CySA+ and Security+ enjoy. Some hiring managers will not know it on sight in 2026. That gap will close, but if you need a certification that every recruiter recognises today, that is a genuine consideration.
Exam Tip: If you are early in your career, the best move is often to lead with a widely recognised cert and add CCOA to prove depth. A hiring manager who sees Security+ or CySA+ plus CCOA reads it as "understands the theory and can do the work".
CCOA vs CySA+: Which SOC Analyst Cert Should You Choose?
This is the comparison most people researching CCOA are really trying to settle. Both certifications target the SOC analyst role and both are hands-on, but they are not identical.
| Factor | ISACA CCOA | CompTIA CySA+ |
|---|---|---|
| Vendor | ISACA | CompTIA |
| Focus | Hands-on SOC operations with open-source tools | Applied security analytics, vulnerability and incident response |
| Format | 140 questions (115 MCQ + 25 PBQ), 4 hours | Multiple choice plus PBQs |
| Passing score | 450 of 800 scaled | 750 of 900 scaled |
| Market recognition | Newer, growing | Established and widely recognised |
| DoD 8140 mapping | Anticipated 2026 | Already mapped |
| Exam cost | $399 member / $499 non-member | Comparable, around the same range |
CySA+ remains the more established and more widely recognised choice for pure SOC analyst work, and CompTIA's CySA+ V4 update (launching around 23 June 2026) refreshes its coverage of security operations, cloud and hybrid environments, and AI concepts. If you can only take one in 2026 and recognition matters most, CySA+ is the safer pick.
CCOA earns its place when you want to differentiate on demonstrable, tool-level skill, when you value ISACA's growing reputation in technical certifications, or when you want both. Taking CySA+ for recognition and CCOA for hands-on credibility is a defensible one-two punch for an analyst building a serious SOC career.
If you want to dig deeper into the CompTIA side, see our guides on how hard CySA+ CS0-004 really is and whether to take CySA+ or Security+ next.
How to Prepare for the CCOA Exam
CCOA rewards practical preparation over passive reading. A focused plan looks like this:
- Shore up the fundamentals first. Make sure your networking, operating system and log-analysis basics are solid. Domain 1 (Technology Essentials) underpins everything else.
- Get hands-on with the tools early. Install and actually use Wireshark and Security Onion. Capture traffic, build SIEM queries, and walk an alert from detection to containment. The PBQs assume muscle memory, not familiarity.
- Drill adversary behaviour. Study common attacker tactics and techniques, then practise spotting them in real telemetry. Domains 3 and 4 carry the practical weight of the exam.
- Practise under time pressure. Four hours sounds generous until you hit a packet-analysis PBQ. Rehearse working quickly and methodically so the hands-on questions do not drain your clock.
- Test yourself with realistic questions. Use practice questions that mirror the multiple-choice style and the scenario-driven thinking the exam demands, then review every miss until you understand the why.
Because CCOA blends theory with performance tasks, the candidates who pass comfortably are the ones who studied the concepts and put their hands on the keyboard. If your prep is all reading and no doing, the PBQs will expose it.
Ready to Start Practising?
CCOA is a smart, affordable way to prove you can do real SOC work, and the candidates who pass are the ones who practise the way the exam tests. The fastest route to exam-ready confidence is repetition: realistic questions, honest feedback, and a clear view of your weak domains.
CertCrush helps you get there. Create a free CertCrush account to practise scenario-driven cybersecurity questions, track your progress across the domains, and walk into exam day knowing you have already done the work. Browse our full range of cybersecurity certification courses to map out your path from analyst to specialist, and when you are ready to commit, check our pricing to unlock the full question bank.
Prove you can do the job, not just describe it. Start practising today.