Back to blog
Certification Deep Dives9 min read

KCSA Explained: Domains, Cost and Is It Worth It in 2026?

A full breakdown of the Kubernetes and Cloud Native Security Associate (KCSA): the six exam domains, cost, format, passing score and an honest verdict on whether KCSA is worth it in 2026.

Nadia Rahman

Nadia Rahman · Cloud & AI Certifications Editor

13 July 2026

If you want to break into cloud native security but do not yet have the hands-on Kubernetes experience for the harder exams, the KCSA is built for you. The Kubernetes and Cloud Native Security Associate (KCSA) is the entry-level security credential from the Cloud Native Computing Foundation (CNCF) and the Linux Foundation, and in 2026 it has become the natural first rung on the Kubernetes security ladder. This guide explains the KCSA exam domains, the cost, the format and, most importantly, whether KCSA is worth it in 2026.

The short answer: if you are a developer, platform engineer, SOC analyst or aspiring DevSecOps engineer who wants a recognised, affordable, vendor-neutral security credential without needing to pass a live terminal exam first, the KCSA is worth it. It proves you understand how Kubernetes is attacked and defended, and it sets you up cleanly for the hands-on CKS later.

What Is the KCSA Certification?

The KCSA is a multiple-choice, pre-professional certification that validates your conceptual knowledge of Kubernetes security and the wider cloud native ecosystem. It sits in the CNCF certification family alongside the Kubernetes and Cloud Native Associate (KCNA), which is the general foundational exam, and the three hands-on credentials: the Certified Kubernetes Administrator (CKA), the Certified Kubernetes Application Developer (CKAD) and the Certified Kubernetes Security Specialist (CKS).

The key thing to understand is that KCSA tests what you know, not what you can type. Unlike the CKS, which is a live, performance-based exam where you fix real clusters in a terminal, the KCSA is a knowledge exam. That makes it far more accessible to people who are early in their cloud native journey.

Exam Tip: KCSA is conceptual and multiple-choice. CKS is hands-on and performance-based. Passing KCSA first gives you the security vocabulary and threat model you will need before attempting the much harder CKS.

The certification is also part of the Kubestronaut programme, the CNCF recognition awarded to people who hold all five Kubernetes certifications (KCNA, KCSA, CKA, CKAD and CKS). For many people, KCSA is one of the easiest of the five to knock out early.

KCSA Exam Domains and Weightings

The KCSA exam is built around six domains. Knowing the weightings tells you exactly where to spend your study time, because nearly half the exam sits in the first two domains.

DomainWeightingWhat it covers
Kubernetes Cluster Component Security22%Securing the control plane, worker nodes, etcd, kubelet, network policies
Kubernetes Security Fundamentals22%Authentication, RBAC authorisation, Pod Security Standards, secrets management
Kubernetes Threat Model16%Attack vectors, container escape, man-in-the-middle, trust boundaries
Platform Security16%Supply chain security, image scanning, admission control, observability
Overview of Cloud Native Security14%The 4C's model (Cloud, Cluster, Container, Code), core security principles
Compliance and Security Frameworks10%CIS Benchmarks, threat modelling frameworks, runtime security, logging

The Two Domains That Decide Your Result

Kubernetes Cluster Component Security (22%) and Kubernetes Security Fundamentals (22%) together make up 44% of the exam. If you master these two, you are most of the way to a pass.

Cluster Component Security is about protecting the machinery of the cluster itself. You need to understand how the API server, the scheduler, the controller manager, etcd and the kubelet are secured, and why an exposed etcd database or an unauthenticated kubelet is such a serious risk. Network policies also live here.

Security Fundamentals is where the day-to-day security controls sit. Expect questions on how authentication works, how role-based access control (RBAC) limits what a user or service account can do, how Pod Security Standards replaced Pod Security Policies, and how secrets are stored and mounted.

The Mid and Lower Weight Domains

The Kubernetes Threat Model (16%) asks you to think like an attacker. You should be able to reason about container escapes, privilege escalation, lateral movement and the trust boundaries between a pod, a node and the control plane.

Platform Security (16%) broadens the lens to the software supply chain: image signing and scanning, admission controllers such as those built on the Open Policy Agent, and the tooling that enforces policy before a workload ever runs.

The Overview of Cloud Native Security (14%) domain is high-level and very learnable. The 4C's of Cloud Native Security (Cloud, Cluster, Container, Code) is a near-certain topic, so learn that model cold. Finally, Compliance and Security Frameworks (10%) covers CIS Benchmarks, runtime security, monitoring and logging.

KCSA Exam Format, Cost and Requirements

Here are the current 2026 exam facts at a glance.

DetailKCSA specification
FormatOnline, remotely proctored, multiple-choice and multi-select
Number of questions60
Duration90 minutes
Passing score75%
Cost250 USD (includes one free retake)
PrerequisitesNone
Validity2 years
DeliveryKnowledge-based (no live cluster)

The KCSA exam has 60 multiple-choice questions and you have 90 minutes to complete it. The passing score is 75%, which is higher than many entry-level exams, so it is not a certification you can walk in and pass on general knowledge alone.

The exam costs 250 US dollars and, helpfully, includes one free retake. There are no prerequisites, so anyone can register, although a basic grasp of Kubernetes concepts and general networking will make your study far easier. The certification is valid for two years, after which you renew to keep it current.

Exam Tip: At 75% to pass across 60 questions, you can afford to miss 15. Practise under a 90-minute timer so you learn to move quickly and flag the harder scenario questions for a second pass.

Is KCSA Hard? What to Expect

The KCSA is moderate in difficulty. It is harder than a pure fundamentals exam like KCNA because the questions probe real security reasoning, not just definitions, but it is far more approachable than the hands-on CKS.

Most people report that scenario questions are the trickiest part. Rather than asking "what is RBAC?", the exam will describe a misconfigured cluster and ask which control would have prevented an attack. That means rote memorisation is not enough; you need to understand why each control exists and what it defends against.

The good news is that the syllabus is finite and well documented, and there is no live environment to trip you up under time pressure. A prepared candidate with some Kubernetes exposure can typically get ready in four to eight weeks of focused study.

KCSA vs CKS: Which Kubernetes Security Cert First?

This is the question most people searching for KCSA really want answered. KCSA and CKS both cover Kubernetes security, but they are pitched at very different levels.

FactorKCSACKS
LevelAssociate (entry)Specialist (advanced)
FormatMultiple-choice, knowledgePerformance-based, hands-on
PrerequisiteNoneMust hold a current CKA
FocusUnderstanding threats and controlsImplementing and fixing controls live
Cost250 USDHigher, and requires CKA first
Best forGetting started in cloud native securityProving you can secure clusters in production

Take the KCSA first if you are newer to Kubernetes, if you want a security credential without needing to pass the CKA beforehand, or if you want to build the threat model and vocabulary that the CKS assumes you already have. Go straight to the CKS only if you already hold a current CKA and you work with clusters hands-on every day.

For most people, the sensible path is KCSA to build understanding, then CKA to prove administrative skill, then CKS to prove you can secure a cluster under exam conditions. If you are working towards the full Kubestronaut set, KCSA is one of the friendliest exams to clear early.

If you want to plan the whole journey, our Kubernetes certification study plans map out each exam in order, and our CKS study plan picks up exactly where KCSA leaves off.

Is KCSA Worth It in 2026?

Yes, for the right person the KCSA is worth it in 2026. Here is the honest breakdown.

Where KCSA delivers value

  • Career entry into cloud native security. Cloud native security roles such as Cloud Security Analyst, Junior DevSecOps Engineer and Platform Engineer are in strong demand, and KCSA is a credible signal that you understand how Kubernetes is secured.
  • Low barrier, low cost. At 250 US dollars with no prerequisites and a free retake, it is one of the more affordable security certifications, and it does not gate you behind a harder exam first.
  • A stepping stone, not a dead end. It maps directly onto the CKS syllabus, so the study you do is not wasted; it is the foundation for the advanced credential.
  • Vendor-neutral credibility. Because it comes from the CNCF and the Linux Foundation, it is recognised across the whole cloud native ecosystem rather than tied to one cloud provider.

Where KCSA falls short

  • It is not hands-on. Employers hiring senior Kubernetes security engineers will still want the CKS or demonstrable production experience. KCSA proves knowledge, not that you can fix a live cluster.
  • It is an associate credential. On its own it will not land you a senior role. Treat it as the start of a path, not the destination.

The verdict: if you are early in your cloud native or security career, KCSA is one of the best value entry points available, and it positions you perfectly for the CKS. If you are already a seasoned Kubernetes engineer, you may prefer to skip straight to the CKA and CKS.

How to Prepare for the KCSA

A focused four to eight week plan works well for most candidates.

  1. Weeks 1 to 2: Learn the 4C's model and the cluster components. Get comfortable with what the API server, etcd, kubelet and controller manager do and how each is secured.
  2. Weeks 3 to 4: Drill the fundamentals. Authentication, RBAC, Pod Security Standards and secrets management make up a huge share of the exam.
  3. Weeks 5 to 6: Work through the threat model and platform security. Understand container escapes, supply chain risks, admission control and image scanning.
  4. Weeks 7 to 8: Cover compliance frameworks and CIS Benchmarks, then move fully into timed practice questions until you are consistently scoring above 85%.

Practice questions are the single highest-value study tool for a multiple-choice exam like KCSA, because they train you to read scenario questions quickly and spot the control being tested. Our certification practice tests let you rehearse under real exam conditions before the day itself.

Ready to Start Practising?

The KCSA rewards structured study and plenty of scenario practice, and that is exactly what CertCrush is built for. Work through realistic KCSA-style questions, track your weak domains and walk into the exam knowing you are ready.

Create your free CertCrush account to start practising today, browse our full range of Kubernetes and cloud security courses, and turn KCSA into the first certification on your cloud native security path.

KCSAKubernetes securitycloud native securityCNCF certificationsLinux FoundationCKS
Nadia Rahman

Written by

Nadia Rahman · Cloud & AI Certifications Editor

Nadia came up through platform engineering — building and breaking cloud infrastructure — and now tracks the fastest-moving corner of the certification world: cloud, AI and DevOps. She reads every new exam blueprint the week it drops, so her study plans are aligned to what the exam tests now, not what it tested two years ago.

All articles by Nadia

Want a KCSA practice course?

We don’t cover this exam yet — we build the most-requested courses first. One click tells us you want it.

Ready to crush this exam?

Set your exam date, follow a daily plan, and watch your readiness score climb — realistic practice with an explanation for every answer.