A running record of certifications added, banks revised, and platform improvements. Most recent first.
May 2026 (most recent)
AIGP added. The first IAPP certification on the platform, opening a new ai_governance discipline (now 7 of 7 disciplines covered) and bringing the catalog to 25 of 25 cards across 12 vendor families. The bank targets the IAPP AIGP Body of Knowledge effective February 2026; the AIGP credential certifies professionals in responsible AI management across the U.S., EU, and other jurisdictions.
- Certification added: AIGP, IAPP Certified AI Governance Professional (150 questions, 4 BoK domains). IAPP does not publish exact per-domain weights for the AIGP exam (the integrated exam blueprint specifies a min/max items per domain). Question allocation is centered on the typical AIGP guidance ranges: Foundations of AI governance 22.0%, Laws/standards/frameworks applicable to AI 29.3% (the largest because Domain II covers existing privacy laws + other existing laws + AI-specific laws + standards/tools), Govern AI development 24.0%, Govern AI deployment and use 24.7%. Pass threshold set to 70% as the conventional anchor; IAPP does not publish a fixed cut score (passing scores are set per administration via psychometric methods). Real exam: 100 multiple-choice items in 3 hours, includes case studies and the occasional multi-select item (the bank uses single-select only since the engine renders one-correct-answer items).
- The bank emphasizes the vocabulary and frameworks the AIGP exam tests directly: trustworthy-AI pillars (fairness, accountability, transparency, explainability, privacy, robustness, safety, human oversight); AI-vs-AGI distinction; ML categories (supervised/unsupervised/reinforcement); foundation models / generative AI / LLMs; bias types (historical, representation, measurement, aggregation, evaluation, deployment); fairness metrics (equal opportunity, demographic parity, calibration, predictive parity); explainability methods (SHAP, LIME, Integrated Gradients, Grad-CAM); AI lifecycle phases; AI governance committees, AI inventory, AI use policy, RACI, risk appetite; the difference between transparency (disclosure of AI use) and explainability (understandability of mechanisms); AI-specific risks (hallucination, prompt injection, jailbreak, adversarial examples, data poisoning, model inversion, membership inference).
- Coverage of the canonical laws, standards, and frameworks tested explicitly: GDPR Article 22 (automated individual decision-making) and Article 35 (DPIA); EU AI Act 4-tier risk classification (unacceptable/prohibited, high-risk, limited-risk/transparency, minimal/no risk), Article 5 prohibitions, Annex III high-risk, GPAI obligations and systemic-risk additions, conformity assessment, and FRIA for certain deployers, plus extraterritorial reach and phased application; NYC Local Law 144 (AEDT bias audit + candidate notice); Colorado AI Act SB 24-205 (effective Feb 1 2026); White House AI Bill of Rights Blueprint (5 principles); US EO 14110 (Biden, Oct 2023, REVOKED by EO 14179 in Jan 2025); Council of Europe AI Treaty (May 2024, first internationally binding AI treaty); G7 Hiroshima AI Process Code of Conduct; Bletchley Declaration (Nov 2023); White House Voluntary Commitments (July 2023); Singapore Model AI Governance Framework; plus existing-law application (FTC Section 5, EEOC/Title VII, COPPA, HIPAA BAAs, ECOA/Reg B for credit).
- Coverage of the canonical standards and tools: NIST AI RMF 1.0 with the four functions GOVERN-MAP-MEASURE-MANAGE plus the NIST AI 600-1 Generative AI Profile, ISO/IEC 42001:2023 (AI management system standard, certifiable), ISO/IEC 23894:2023 (AI risk management), ISO/IEC 22989 (AI concepts and terminology), OECD AI Principles (the five 2019/2024 values), IEEE 7000-series ethics standards, model cards, datasheets for datasets, system cards, AIBOM (AI Bill of Materials), DPIA vs AIIA vs FRIA, privacy-preserving ML (differential privacy, federated learning, secure multi-party computation, homomorphic encryption), and post-deployment monitoring metrics (data drift, data quality, latency, computational, output quality - matching the IAPP example multi-select item).
- Generation note: distractor length parity, canonical IAPP / NIST / ISO / OECD / EU terminology preserved verbatim, and balanced answer-position distribution (38/38/37/37) were enforced from first draft. Two of the IAPP example items from the AIGP study guide are included verbatim in the bank (the explainability definition and the AI impact assessment purpose) since IAPP publishes them as canonical reference. The "uniquely longest correct answer" rate is on the higher side because AIGP correct answers tend to be compound governance-pattern descriptions ("X plus Y plus Z plus oversight") which makes them inherently longer than the simpler distractors; this matches the pattern seen on the CCSP and CySA+ banks. Hero stats updated 24->25 certs, 11->12 vendors (IAPP added), 6->7 disciplines (ai_governance added).
May 2026 (earlier)
CCSP added. ISC2's senior cloud-security credential is now live, completing the ISC2 staircase from CC entry-level to CISSP enterprise-senior to CCSP cloud-architect-senior. Catalog grows from 23 to 24; cybersecurity discipline reaches 14 cards. The bank targets the October 1, 2025 CCSP Exam Outline (the outline candidates take through July 31, 2026); a new outline takes effect August 1, 2026 and will be addressed in a future bank revision.
- Certification added: CCSP, ISC2 Certified Cloud Security Professional (200 questions, 6 domains). Question allocation matches ISC2's published weights EXACTLY: Cloud Concepts/Architecture/Design 17.0% (target 17%), Cloud Data Security 20.0% (20%), Cloud Platform & Infrastructure Security 17.0% (17%), Cloud Application Security 17.0% (17%), Cloud Security Operations 16.0% (16%), Legal/Risk/Compliance 13.0% (13%). Pass threshold set to 70% matching the published 700/1000 cut score; the real exam uses Computerized Adaptive Testing (CAT) with 100-150 items in 3 hours.
- The bank emphasizes the cloud-specific distinctions that separate CCSP from CISSP: NIST SP 800-145 five essential cloud characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service); the five cloud roles (customer, provider, partner, broker, regulator); shared responsibility per cloud category (IaaS/PaaS/SaaS); the CSA Cloud Data Lifecycle (Create -> Store -> Use -> Share -> Archive -> Destroy); cloud-native data protection patterns (tokenization vs encryption, anonymization vs pseudonymization vs masking, format-preserving encryption, homomorphic encryption, differential privacy, confidential computing/TEE); cryptographic erase as the practical sanitization method when physical media access is restricted; tenant partitioning vs hypervisor escape; the cloud management plane as the high-value target; and reversibility/portability as exit-assurance concepts unique to cloud contracting.
- Coverage of the canonical CCSP frameworks tested explicitly: ISO/IEC 27017 (cloud security controls), ISO/IEC 27018 (public-cloud PII processor protection), ISO/IEC 27036 (supplier relationships including supply chain), ISO/IEC 27050 (eDiscovery), FIPS 140-2/140-3 (cryptographic module certification with EAL-style levels), Common Criteria / ISO 15408 (Evaluation Assurance Levels EAL 1-7), SOC 1 / SOC 2 / SOC 3 (Type I vs Type II) with SSAE 18 as the US standard and ISAE 3402 / 3000 as the international counterparts, CSA STAR registry tied to the CCM, threat-modeling families (STRIDE, DREAD, PASTA, ATASM), OWASP Top 10 (2021) with A01 Broken Access Control as the new #1, CWE/SANS Top 25, OWASP ASVS for verification, SAFECode for secure coding, ITIL / ISO 20000-1 processes (change/incident/problem/configuration/SLM/CSI), NERC CIP/HIPAA/HITECH/PCI DSS/SOX/GDPR Article 33 72-hour notification, and the canonical risk-treatment quadrant (avoid/mitigate/transfer/accept).
- Coverage of cloud-specific architecture topics: virtual hardware security (Type 1 vs Type 2 hypervisor, vTPM, microsegmentation, NSGs vs WAFs vs API gateways), confidential computing (Intel SGX/TDX, AMD SEV-SNP, Arm CCA), HSM vs TPM (HSM serves crypto operations to apps, TPM anchors single-host integrity), CASB four pillars (visibility/compliance/data security/threat protection), federated identity (SAML 2.0 / OIDC), JIT privileged access (PIM/PAM with approval/recording), bastion hosts as canonical admin-broker (Azure Bastion, AWS Systems Manager Session Manager), DNSSEC for DNS integrity, the differences between data owner/controller and data custodian/processor under GDPR, and the difference between MSA / SLA / SOW in cloud contracting.
- Generation note: distractor length parity, canonical ISC2/CSA/NIST/ISO terminology (NIST 5 essential characteristics, SaaS/PaaS/IaaS, OWASP Top 10/CWE Top 25, STRIDE/DREAD/PASTA, ISO 27001/27017/27018/27036/27050, FIPS 140-2/3, SSAE 18 / SOC 1/2/3, ISAE 3402, ITIL, GDPR/HIPAA/HITECH/PCI/SOX/NERC CIP), and balanced answer-position distribution (50/50/50/50) were enforced from first draft. The "uniquely longest correct answer" rate is on the higher side because CCSP correct answers heavily favor compound multi-control patterns ("X plus Y plus Z") which makes them inherently longer than the simpler distractors; this matches the pattern seen on the CySA+ and SC-100 banks. Hero stats updated 23->24 certs, cybersecurity discipline 13->14, ISC2 vendor 2 exams->3 exams.
May 2026 (earlier)
CS0-003 added. CompTIA's SOC-analyst-level credential is now live, completing the CompTIA staircase from Network+ baseline to Security+ baseline to CySA+ analyst-level. Catalog grows from 22 to 23; cybersecurity discipline reaches 13 cards. The bank targets the CySA+ V3 (CS0-003) outline launched June 6, 2023; CS0-003 is expected to retire in 2026, but candidates with planned exam dates this year still need practice material aligned to the live exam.
- Certification added: CS0-003, CompTIA Cybersecurity Analyst (CySA+) V3 (150 questions, 4 domains). Question allocation matches CompTIA's published weights to within rounding: Security operations 32.7% (target 33%), Vulnerability management 30.7% (30%), Incident response management 20.0% (20%), Reporting and communication 16.7% (17%). Pass threshold set to 83% matching CompTIA's published 750/900 scaled cut score (the same anchor used for SY0-701; CompTIA uses identical scaled cut scores across most of its certifications).
- The bank emphasizes the analyst-level distinctions that separate CySA+ from Security+: SIEM correlation rules versus single-source alerts; SOAR playbooks versus manual runbooks; threat hunting (hypothesis-driven, IOC-driven, TTP-driven) versus reactive monitoring; CVSS v3.1 vector breakdown (AV/AC/PR/UI/S/C/I/A) versus a single severity number; CVSS v4.0 changes (new Threat metric group plus Supplemental metrics replacing the v3.1 Temporal group); validating findings before remediation versus patching every finding; risk-acceptance documentation; SLO-based remediation cadence; and the analyst's role in stakeholder communication (executive summaries, holding statements, GDPR Article 33 72-hour notification, board-level metrics).
- Coverage of the canonical CySA+ frameworks tested explicitly: Lockheed Martin Cyber Kill Chain (7 phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives), Diamond Model of Intrusion Analysis (Adversary, Capability, Infrastructure, Victim), MITRE ATT&CK (tactics vs techniques, sub-techniques, ATT&CK Navigator for coverage mapping, specific technique IDs like T1550.002 Pass-the-Hash and the TA0001-TA0011 tactic IDs), OSSTMM, OWASP Testing Guide, NIST SP 800-61 incident-response phases (Preparation; Detection & Analysis; Containment, Eradication, and Recovery; Post-Incident Activity), STRIDE and PASTA threat modeling, David Bianco's Pyramid of Pain (TTPs are the most painful indicator to change), the Admiralty Code for source/information confidence, TLP for sharing, STIX/TAXII for machine-readable threat intel, sector ISACs (E-ISAC, FS-ISAC, H-ISAC), and the canonical IR metrics (MTTD, MTTR, dwell time, RTO, RPO).
- Coverage of the most-tested CySA+ tooling and tool-output interpretation: Wireshark display filters (http.request, udp.port == 53), tcpdump capture syntax, SIEM correlation versus aggregation, VirusTotal hash search versus file upload caveat, email header analysis (Received headers in reverse-chronological order, SPF/DKIM/DMARC alignment), Python regex for log parsing, PowerShell -EncodedCommand obfuscation and Get-ADGroupMember enumeration, Nmap -A flag, Nikto for OSS web scanning, Metasploit as multipurpose framework, Prowler for AWS CSPM audits, OWASP ZAP/Burp Suite for DAST, WinDbg/x64dbg for debugging, Volatility for memory forensics, EDR host-isolation APIs, write blockers and order of volatility, chain of custody, and the difference between SAST/DAST/SCA in a CI pipeline.
- Generation note: distractor length parity, canonical CompTIA / vendor terminology (CVSS metric names, ATT&CK technique IDs, NIST 800-61 phases, STRIDE/PASTA, MTTD/MTTR/RTO/RPO, SPF/DKIM/DMARC), and balanced answer-position distribution were enforced from first draft. The "uniquely longest correct answer" rate is on the higher side (130/150) because CySA+ correct answers tend to be technically descriptive (multi-control-set defenses, multi-phase frameworks) while distractors can stay shorter; this matches the pattern seen on the AWS/Microsoft service-name-heavy banks. Hero stats updated 22->23 certs, cybersecurity discipline 12->13, CompTIA vendor 2 exams->3 exams.
May 2026 (earlier)
HCTA-004 added. The first HashiCorp certification on the platform, opening a new automation discipline (now 6 of 6 disciplines covered) and bringing the catalog to 22 of 22 cards across 11 vendor families. The bank targets the Terraform Associate (004) outline, which tests on Terraform 1.12 and explicitly includes HCP Terraform content; older 003 versions of the exam are not in scope.
- Certification added: HCTA-004, HashiCorp Certified: Terraform Associate (004) (150 questions, 8 exam sections). HashiCorp does not publish per-section weights for the Terraform Associate exam, so question allocation is loosely proportional to the sub-objective count of each section, with extra emphasis on the most-tested practical areas: Terraform configuration (30), Core Terraform workflow (22), Terraform state management (20), Terraform fundamentals (18), Terraform modules (18), HCP Terraform (18), Infrastructure as Code (12), Maintain infrastructure (12). Pass threshold set to 70% as the conventional anchor; HashiCorp does not publish a fixed cut score (the passing score is set per administration via psychometric methods).
- The bank explicitly covers all four 004-new topics documented in the certification guide: 4f the depends_on meta-argument and the create_before_destroy / prevent_destroy / ignore_changes / replace_triggered_by lifecycle rules; 4g validation of configuration using custom conditions (variable validation blocks, lifecycle preconditions, lifecycle postconditions); 4h ephemeral values and write-only arguments (and the broader sensitive-data story including HashiCorp Vault as the canonical secrets provider); and 8c how to organize and use HCP Terraform workspaces and projects (the projects layer is a 004-era addition that groups workspaces and lets variable sets and access policies apply at a higher level).
- Coverage of the most-tested Terraform Associate distinctions: declarative vs imperative IaC and what idempotency means in practice; provider plugin architecture and the required_providers source/version syntax (~> 1.0 vs >= 1.0 vs = 1.0); the .terraform.lock.hcl file (commit it) versus terraform.tfstate (do not commit); resource vs data block (CRUD vs read-only); implicit dependencies via attribute references vs explicit depends_on for hidden dependencies; variable precedence (defaults < env < tfvars < -var-file < -var); type system (list vs set vs map vs object vs tuple); for expressions and the splat operator; dynamic blocks for repeating nested config; module sources (local ./, registry <NS>/<NAME>/<PROV>, git::https with ?ref= and //subdir, app.terraform.io for HCP Terraform); module variable scope (no global namespace, parent and child connect only via inputs and outputs); the local backend vs remote backends with native vs DynamoDB locking; partial backend configuration with -backend-config; terraform_remote_state for cross-config sharing; drift detection via terraform plan -refresh-only and persistence via terraform apply -refresh-only; the import block vs the legacy terraform import CLI command and the -generate-config-out flag; terraform state list / show / mv / rm; TF_LOG levels (TRACE/DEBUG/INFO/WARN/ERROR) and TF_LOG_PATH; the cloud {} block in HCL; HCP Terraform workspaces, projects, variable sets, run triggers, Sentinel and OPA policy, agents, run tasks, cost estimation, and notification configurations.
- Bank uses canonical HashiCorp / HCL terminology verbatim throughout: HCP Terraform (the post-2024 name; Terraform Cloud is preserved only where the rebrand is explicitly relevant), HCL, terraform.tfstate, terraform.tfstate.backup, .terraform.lock.hcl, required_providers, required_version, depends_on, lifecycle, validation, precondition, postcondition, ephemeral, terraform_remote_state, Sentinel, OPA, the cloud block. No em-dashes anywhere in the bank.
- New automation discipline added to the catalog filter (chip count 1 with HCTA-004 today, room for the Terraform Authoring & Operations Professional and other infrastructure-automation credentials later). Hero stats updated: 21->22 certs, 10->11 vendors (HashiCorp added), 5->6 disciplines. Generation note: distractor length parity, canonical terminology, and balanced answer-position distribution were enforced from first draft, not from a rewrite pass.
May 2026 (earlier)
SC-100 added. Microsoft's senior cybersecurity credential is now live, completing the Microsoft vendor section (AZ-900 + AZ-500 + SC-100 = 3 of 3) and pushing the catalog from 20 to 21 cards. Cybersecurity discipline reaches 12 cards. The bank targets the April 27, 2026 SC-100 skills outline, the most recent published outline at the time of the bank build, with explicit focus on architect-level design/recommendation/evaluation rather than configuration.
- Certification added: SC-100, Microsoft Certified: Cybersecurity Architect Expert (175 questions, 4 skill areas). Question allocation lands inside each Microsoft published weight range: Design solutions that align with security best practices and priorities 22.9% (range 20-25%), Design security operations, identity, and compliance capabilities 31.4% (range 30-35%), Design security solutions for infrastructure 23.4% (range 20-25%), Design security solutions for applications and data 22.3% (range 20-25%). Pass threshold set to 70% matching the published 700/1000 scaled cut score; 120-minute proctored exam.
- SC-100 sits at the expert level, capping the Microsoft security path. Question style emphasises BEST/MOST-aligned design choices over single-tool configurations: which framework to cite (MCRA vs MCSB vs CAF vs WAF), which Defender plan to recommend, how to layer controls across identity-network-data, and which posture metric to brief leadership with. The bank rejects cartoon distractors in favour of REAL adjacent Microsoft products (other Defender XDR components, other Purview pillars, other Entra capabilities) so wrong answers train the candidate's discrimination between similar tools.
- Bank uses canonical post-2024 Microsoft naming verbatim throughout: Microsoft Entra ID (not Azure AD), Microsoft Defender XDR (not Microsoft 365 Defender), Microsoft Defender for Cloud (not Azure Security Center), Microsoft Sentinel (not Azure Sentinel), Microsoft Purview, Microsoft Priva, Microsoft Intune, Microsoft Entra Internet Access and Microsoft Entra Private Access (the 2024 SSE/ZTNA products that replace Application Proxy and legacy VPN), Microsoft Entra ID Governance, Microsoft Defender External Attack Surface Management (Defender EASM), Microsoft Security Exposure Management, and Microsoft Defender for Cloud Permissions Management (CIEM). Older terms appear only as deliberately-wrong distractors.
- Coverage of the most-tested SC-100 distinctions: MCRA vs MCSB vs CAF Secure vs WAF Security pillar (architecture vs control catalog vs methodology vs design pillar); Zero Trust pillars (Identities, Devices, Apps, Data, Infrastructure, Network) and the three principles (verify explicitly, least privilege, assume breach); Enterprise Access Model tier separation and PAW design; MCRR Rapid Modernization Plan (RaMP) sequencing privileged access first; ransomware resiliency with immutable + isolated-identity backups; Defender CSPM (paid: attack path analysis, agentless scanning, exposure insights) vs foundational CSPM (free); Defender for Servers Plan 2 features (JIT, FIM, agentless scan, MDE auto-deploy); Defender XDR cross-domain correlation across Defender for Identity, Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps; Microsoft Sentinel SIEM patterns (per-region workspaces, cross-workspace queries, MITRE ATT&CK page, UEBA, Fusion, automation rules + Logic Apps SOAR); Conditional Access with continuous access evaluation (CAE) and authentication strength; Microsoft Entra ID Governance lifecycle workflows + access packages + access reviews; Defender for Cloud Permissions Management (CIEM) right-sizing across Azure/AWS/GCP; Microsoft Entra Internet Access vs Microsoft Entra Private Access (SSE/ZTNA replacing VPN and Application Proxy); Microsoft Defender for IoT passive sensors for OT/ICS; Azure Front Door Premium + WAF + Private Link origin pattern; Always Encrypted vs TDE vs Dynamic Data Masking vs Row-Level Security; immutable blob storage vs soft delete; Azure Key Vault Premium / Managed HSM for HSM-backed keys; managed identities and workload identity federation (OIDC) replacing client secrets.
- The bank reflects the April 27, 2026 skills measured update, including specific named additions: Microsoft Cybersecurity Reference Recommendations (MCRR) alongside MCRA, Microsoft Security Exposure Management on top of Defender EASM, Microsoft Entra Internet Access and Microsoft Entra Private Access as named SSE/ZTNA products, Microsoft Priva for privacy/SRR, and the Microsoft Defender for Cloud AI workloads protection plan plus Azure AI Content Safety with Prompt Shields. Generation note: distractor length parity, canonical terminology, and balanced answer-position distribution were enforced from first draft, not from a rewrite pass.
May 2026 (earlier)
SCS-C03 added. The third AWS cert on the platform (alongside CLF-C02 and SAA-C03), and the senior security engineer track. Catalog grows from 19 to 20 cards; cybersecurity discipline reaches 11 cards. The bank targets the current SCS-C03 outline, which replaced SCS-C02 on December 2, 2025, so the candidate practices against what the live exam tests today.
- Certification added: SCS-C03, AWS Certified Security - Specialty (170 questions, 6 content domains). Question allocation matches AWS's published weights exactly: Detection 16.5% (target 16%), Incident Response 14.1% (14%), Infrastructure Security 18.8% (18%), Identity and Access Management 20.6% (20%), Data Protection 18.2% (18%), Security Foundations and Governance 14.7% (14%). Pass threshold set to 75% matching the published 750/1000 scaled cut score.
- SCS-C02 to SCS-C03 transition: AWS retired SCS-C02 on December 1, 2025; SCS-C03 has been in use since December 2, 2025. The bank explicitly covers all SCS-C03 NEW topics that did not exist in SCS-C02: Open Cybersecurity Schema Framework (OCSF) integration with Amazon Security Lake (Skill 3.1.4), GenAI OWASP Top 10 for LLM Applications protections via Amazon Bedrock Guardrails (Skill 3.2.7), inter-resource encryption for Amazon EMR/EKS/SageMaker AI/Nitro (Skill 5.1.3), differences between imported key material and AWS-generated key material in AWS KMS (Skill 5.3.3), Amazon CloudWatch Logs data protection policies and Amazon SNS message data protection (Skill 5.3.4), and AWS Private Certificate Authority across regions (Skill 5.3.5).
- Coverage of the most-tested SCS-C03 distinctions: Amazon GuardDuty plans (Foundational, Runtime Monitoring, Malware Protection for EBS) and EventBridge automation; AWS Security Hub control-based scoring across standards (FSBP, CIS, PCI DSS, NIST 800-53); Amazon Macie sensitive data discovery; CloudTrail organization trails and CloudTrail Lake; VPC Flow Logs vs Transit Gateway flow logs vs Route 53 Resolver query logs; AWS WAF managed rule groups vs Shield Advanced (DRT, cost protection, DDoS); Network Firewall vs security groups vs NACLs (stateful/stateless); Systems Manager Session Manager vs EC2 Instance Connect vs Bastion (no inbound ports); AWS IAM Identity Center permission sets and SAML/SCIM federation with external IdPs; SCPs vs RCPs vs declarative policies and AI service opt-out; the confused deputy problem and External ID; KMS multi-region keys, Bucket Keys, External Key Stores (XKS), and the imported-vs-AWS-generated key trade-off; S3 Object Lock GOVERNANCE vs COMPLIANCE mode; AWS Backup Vault Lock; AWS Audit Manager evidence collection; AWS Control Tower landing zones with the canonical management/log-archive/audit account split.
- The bank uses canonical post-2024 AWS service names verbatim throughout: AWS IAM Identity Center (not AWS SSO), Amazon SageMaker AI (not just SageMaker per the 2024 rename), AWS Private Certificate Authority (not ACM PCA), Amazon Q Developer (formerly CodeWhisperer). Older terms appear only as deliberately-wrong distractors or in explanatory context noting the rename. This matches what the live exam tests against and avoids confusing candidates with retired naming.
May 2026 (earlier)
AZ-500 added. Second Microsoft cert on the platform (alongside AZ-900), and the cybersecurity discipline grows to 10 cards. Catalog grows from 18 to 19. Important retirement notice: Microsoft has announced that AZ-500, the related certification, and the renewal assessments will retire on August 31, 2026, at 11:59 PM Central Standard Time. Candidates who pass before that date receive the credential under normal renewal terms; the bank is published despite the upcoming retirement so candidates with planned exam dates this summer have practice material aligned to the current January 22, 2026 skills outline.
- Certification added: AZ-500, Microsoft Certified: Azure Security Engineer Associate (174 questions, 4 skill areas). Question allocation lands inside the centre of each Microsoft published weight range: Secure identity and access 18.4% (range 15-20%), Secure networking 23.6% (range 20-25%), Secure compute/storage/databases 23.6% (range 20-25%), Secure Azure with Microsoft Defender for Cloud and Microsoft Sentinel 35.1% (range 30-35%). Pass threshold set to 70% matching the published 700/1000 scaled cut score. 100-minute proctored exam.
- Bank uses canonical post-2023 Microsoft naming verbatim throughout: Microsoft Entra ID (not Azure AD), Microsoft Defender for Cloud (not Azure Security Center), Microsoft Sentinel (not Azure Sentinel). Older terms appear only as deliberately-wrong distractors. This matches what the live exam tests against and avoids confusing candidates with retired terminology.
- Coverage of the most-tested AZ-500 distinctions: Azure RBAC vs Microsoft Entra roles (different control planes); JIT VM access and Azure Bastion vs direct public IP exposure; Service Endpoints vs Private Endpoints (and Private Link service for the producer side); NSGs vs ASGs vs Azure Firewall rule types (NAT, Network, Application); Disk encryption layering (Azure Disk Encryption with BitLocker/dm-crypt, encryption at host, confidential disk encryption); Storage protection layering (soft delete + versioning + immutable + BYOK + double encryption); SQL data protection layering (TDE at rest, TLS in transit, Always Encrypted in use, Dynamic Data Masking at presentation); Conditional Access policy structure (assignments, conditions, grant/session controls); MFA and phishing-resistant FIDO2; managed identities vs service principals; Microsoft Defender plans (Servers Plan 1/2, SQL, Storage, Containers, Resource Manager, APIs, DevOps, Key Vault); Defender CSPM (paid) vs foundational CSPM (free); attack path analysis and governance; Microsoft Sentinel data connectors, analytics rules, hunting queries, watchlists, UEBA, automation rules, and SOAR playbooks via Logic Apps.
- The bank reflects the January 22, 2026 skills measured update, including the Microsoft Cloud Security Benchmark (MCSB) which replaced the older Azure Security Benchmark v3, and Microsoft Defender External Attack Surface Management (EASM). The change log between the previous skills outline and the current one shows only minor changes (Manage Microsoft Entra application access & managed identities, Plan and implement advanced security for compute, and Configure and manage threat protection by using Microsoft Defender for Cloud); the bank targets the current outline.
May 2026 (earlier)
CSSGB added. The first ASQ certification on the platform, and the first process-improvement-discipline cert. With CSSGB live, every catalog card is now AVAILABLE: the platform reaches 18 of 18 certs across 11 vendor families and 5 disciplines. Bank built against the published ASQ Body of Knowledge (2022 BoK, currently in effect).
- Certification added: CSSGB, ASQ Certified Six Sigma Green Belt (166 questions, 6 BoK sections). Question allocation scales the official ASQ BoK weighting exactly: Overview (11→18), Define (20→33), Measure (20→33), Analyze (18→30), Improve (16→26), Control (15→25). The real exam scores 100 questions over 4h18min; the bank's 1.66x scaling preserves relative emphasis while giving substantial practice depth per section.
- Pass threshold set to 70%. ASQ does not publish a fixed cut score for CSSGB; it is scored using a criterion-referenced (Angoff) method per administration with the implied threshold widely estimated at 70-75%. 70% is a defensible practice anchor.
- The bank is built around the cognitive levels specified in the BoK (Bloom's-Revised: Remember, Understand, Apply, Analyze, Evaluate, Create). Lower-cognition topics get definition/recognition questions; higher-cognition topics get scenario, calculation, and judgment questions. This mirrors the real exam's testing depth per topic.
- Coverage of canonical Six Sigma terminology and tools that the BoK calls out by name: DMAIC and DfSS (DMADV, IDOV); FMEA with RPN = S x O x D and the inverse Detection scale; SIPOC; QFD; CTQ tree; Kano model categories (Must-be, Performance, Excitement, Indifferent); Pareto charts and the vital few; the 8 wastes (DOWNTIME); 5S (Sort/Set/Shine/Standardize/Sustain); Cp = (USL-LSL)/(6 sigma) and Cpk; Pp/Ppk and the 1.5-sigma shift; six sigma = 3.4 DPMO long-term; the seven control charts (X-bar/R, X-bar/s, ImR, median, p, np, c, u); SMED for changeover; kaizen and kaizen blitz; PDCA (attributed to Shewhart and popularized by Deming); TPM with OEE; Andon and Jidoka; first/second/third-party audits; Tuckman team stages; RACI; NGT and brainstorming.
- Card text updated: "Lean Six Sigma Green Belt" was renamed to "Certified Six Sigma Green Belt" matching ASQ's official naming (the official cert is not "Lean Six Sigma" although Lean tools are heavily covered). Phase count changed from "5 (DMAIC)" to "6" reflecting the BoK's actual 6 sections (Overview + DMAIC).
May 2026 (earlier)
CFA L1 added. The first CFA Institute certification on the platform, and the first finance-discipline cert. The bank uses an authentic 3-answer-choice (A/B/C) format throughout, matching how the real CFA Level I exam is written; this is the first cert on the platform that does not use 4 options.
- Certification added: CFA L1, CFA Institute Chartered Financial Analyst Level I (180 questions, 10 topics). The total exactly matches the real exam length (180 questions across two 135-minute sessions). Topic weighting sits at the centre of each published official range: Ethical and Professional Standards 16.7% (range 15-20%), Quantitative Methods 7.2% (6-9%), Economics 7.2% (6-9%), Financial Statement Analysis 12.2% (11-14%), Corporate Issuers 7.2% (6-9%), Equity Investments 12.2% (11-14%), Fixed Income 12.2% (11-14%), Derivatives 6.7% (5-8%), Alternative Investments 8.3% (7-10%), Portfolio Management 10.0% (8-12%). All weights fall within the official ranges.
- Three answer choices (not four): the engine in assets/quiz.js renders q.o.length options dynamically, so 3-option questions render as A/B/C without engine changes. The shuffle mechanism handles 3-option arrays correctly. The bank's question objects use a:0/1/2 instead of a:0/1/2/3. Answer-index distribution after rebalance: 60 each across {0, 1, 2}. The 3-option format is important for authentic preparation; practising with 4 options would be misleading.
- Pass threshold set to 70%. CFA Institute does not publish a fixed cut score; the Minimum Passing Score (MPS) is set per administration via the modified Angoff method and is widely estimated at 65-70%. 70% is a defensible practice anchor; passing this benchmark gives candidates strong confidence going into the real exam, where pass rates have historically been 35-45% (so the bar is meaningful).
- Question style uses canonical CFA stem phrasings throughout: "most likely", "least likely", "best characterized as", "best described as", and the two formal item formats from the exam guide (sentence completion with three unique choices, and direct questions with three unique choices). FSA questions follow IFRS unless explicitly stated as US GAAP, matching the real exam's convention. Coverage of common L1 testing patterns: ethics scenarios mapped to specific Standards (I-VII); time value of money including perpetuities and NPV; CAPM with beta and Sharpe/Treynor/IR ratios; bond pricing including duration and convexity; futures vs forwards distinctions; put-call parity; LBO structure; commodity roll yield; and the IPS as the foundation of the portfolio management process.
May 2026 (earlier)
PSM I added. The first Scrum.org certification on the platform, and the project-management discipline now has 4 of 4 cards available (PMP, CAPM, PRINCE2-F, and PSM I). Bank targets the Scrum Guide November 2020 edition, which is what Scrum.org tests against; the older 2017 Guide is not in scope.
- Certification added: PSM I, Scrum.org Professional Scrum Master I (180 questions, 4 domains: Theory/Values/Framework 17%, Scrum Team 28%, Scrum Events 28%, Artifacts and Done 28%). Pass threshold set to 85% matching the real PSM I cut score (68 of 80 questions, 60-minute timebox), the highest threshold of any cert on the platform.
- The bank reflects the November 2020 Scrum Guide changes that PSM I tests directly: the Scrum Team is now ONE team with no separate "Development Team" sub-team; "self-organizing" was replaced by "self-managing"; the Product Goal was introduced as the commitment for the Product Backlog (commitments now exist for all three artifacts: Product Goal, Sprint Goal, Definition of Done); Sprint Planning has three topics (Why/What/How); the Daily Scrum's three classic questions are no longer prescribed; and the Scrum Master is described as "a true leader who serves" rather than "servant leader". Older 2017 Guide phrasing is intentionally absent.
- Coverage of the most-tested PSM I distinctions: the three pillars (transparency, inspection, adaptation) vs the five values (commitment, focus, openness, respect, courage); accountability boundaries (Product Owner orders the Product Backlog and is the only role that can cancel a Sprint; Scrum Master is accountable for team effectiveness and Scrum being understood; Developers own the Sprint Backlog and are accountable for the Done Increment); the Sprint as a container event for all other events; multiple Increments may be created within a Sprint; only Done work (meeting the Definition of Done) is part of the Increment; the Sprint Goal is a commitment that does not change but the work to achieve it can be renegotiated; Definition of Done can become more stringent over time but not less.
- Question style emphasises common Scrum misconceptions tested at PSM I: the Daily Scrum is for the Developers (not a status meeting for the PO/SM/management); the Scrum Master does not assign tasks (Developers self-manage); the Product Owner cannot override the Developers' technical "How"; the Sprint Backlog is owned by the Developers and updated throughout the Sprint; stakeholders attend Sprint Review (not Sprint Retrospective); Scrum is purposefully incomplete and immutable; Scrum is founded on empiricism AND lean thinking (both, not just one).
May 2026 (earlier)
PRINCE2 Foundation (V7) added. The first AXELOS/PeopleCert certification on the platform, and the first methodology cert that is delivery-approach-agnostic (it tailors to predictive, hybrid, or agile). Bank built against PRINCE2 7 (the 2023 release), not the older v6 syllabus.
- Certification added: PRINCE2-F, PRINCE2 Foundation Version 7 (175 questions, 4 domains: Principles/People/Tailoring 23%, Practices 40%, Processes 29%, Project Performance 9%). Pass threshold set to 60% matching the real PRINCE2 7 Foundation cut score (36 of 60 questions on the live exam), unlike the 70% used for most other certs.
- PRINCE2 7 (released 2023) introduced three changes the bank reflects throughout: Themes were renamed to Practices (the seven practices are now Business Case, Organizing, Plans, Quality, Risk, Issues, Progress; note that the "Change" theme has been merged into the Issues practice); Sustainability is the seventh project performance target alongside time, cost, quality, scope, benefits, and risk; and the People aspect is explicit, covering leadership, team development, and communication. Older v6 terminology (themes, six performance targets) does not appear in the bank.
- Coverage of canonical PRINCE2 7 terminology: 7 principles (continued business justification, learn from experience, defined roles/responsibilities/relationships, manage by stages, manage by exception, focus on products, tailor to suit), 7 practices, 7 processes (Starting up a Project, Directing a Project, Initiating a Project, Controlling a Stage, Managing Product Delivery, Managing a Stage Boundary, Closing a Project), management products (Project Brief, PID, Stage Plan, Team Plan, Exception Plan, Highlight Report, Checkpoint Report, Exception Report, End Stage Report, End Project Report, Lessons Report, Risk Register, Issue Register, Quality Register, Daily Log, Lessons Log, Configuration Item Records), and the four management approaches created during IP (Risk, Quality, Communication, Change Control).
- Question allocation drills into specific Foundation-exam-tested distinctions: time-driven vs event-driven controls (Highlight Report vs Exception Report; Checkpoint Report vs End Stage Assessment), tolerance hierarchy (corporate -> Board -> PM -> Team Manager), threat responses (avoid/reduce/transfer/accept/escalate) vs opportunity responses (exploit/enhance/share/accept/escalate), the three issue types (request for change, off-specification, problem/concern), product-based planning's four steps, the project board interest split (business/user/supplier), and tailoring rules (principles never tailored; processes always applied but scope/formality tailored).
May 2026 (earlier)
CAPM added. The PMI vendor section is now complete (PMP + CAPM both available). CAPM gives a much wider scope than PMP: business analysis is the second-largest domain, agile and predictive get equal billing, and PM fundamentals dominate the weighting.
- Certification added: CAPM, PMI Certified Associate in Project Management (150 questions, 4 domains). Question distribution matches the CAPM ECO 2023 weighting (Project Management Fundamentals and Core Concepts 36%, Predictive Plan-Based Methodologies 17%, Agile Frameworks/Methodologies 20%, Business Analysis Frameworks 27%). Pass threshold set to 70% as the conventional anchor for practice tests; the real exam uses scaled scoring without a published cut score.
- Business analysis weighting (27%) is unusually heavy for a PMI exam and reflects the JTA-driven 2023 ECO redesign. The bank takes BA seriously rather than treating it as an afterthought: stakeholder roles (process owner vs process manager vs product owner vs product manager), elicitation techniques (workshops, interviews, surveys, prototyping), the requirements traceability matrix, the product roadmap, and acceptance criteria are all covered head-on.
- Coverage of canonical PMI/PMBOK 7 terminology: 12 PMBOK 7 principles, 8 performance domains, 5 conflict resolution techniques (Withdraw/Avoid, Smooth/Accommodate, Compromise/Reconcile, Force/Direct, Collaborate/Problem Solve with Collaborate generally preferred), threat responses (Avoid/Transfer/Mitigate/Accept), opportunity responses (Exploit/Enhance/Share/Accept), Earned Value formulas (CV = EV − AC, SV = EV − PV, CPI = EV/AC, SPI = EV/PV), Scrum events and roles, and the four agile families that the ECO calls out by name (Scrum, Kanban, Extreme Programming, Scaled Agile Framework).
- Generation note: bank written with distractor length parity, canonical terminology, and balanced answer-position distribution enforced from first draft, not from a rewrite pass. Distractors are real adjacent PM/agile/BA concepts (other PMBOK performance domains, other agile ceremonies, other elicitation techniques) rather than cartoon-bad alternatives.
May 2026 (earlier)
PMP added. The first project management certification on the platform, opening up a new discipline beyond IT certs. The PMI vendor section now has 1 of 2 cards available (CAPM is still marked as coming soon).
- Certification added: PMP, PMI Project Management Professional (200 questions, 3 domains). Question distribution exactly matches the PMI January 2021 outline weighting (People 42%, Process 50%, Business Environment 8%). Pass threshold set to 70% as the conventional anchor for practice tests; the real exam uses scaled scoring with categorical ratings (Above Target / Target / Below Target / Needs Improvement) per domain.
- Predictive/Agile balance: per the 2021 PMP exam update, about half the real exam covers predictive/waterfall approaches and the other half covers agile/hybrid. The bank reflects this 50/50 split throughout all three domains rather than treating agile as a footnote.
- Question style is scenario-based "BEST first action" reflecting PMP's manager's mindset. The right answer is typically PM-led, collaborative, root-cause-seeking, and value-focused. Wrong answers are typically avoidant, blame-shifting, escalating prematurely, or technical-fix-first when the issue is people.
- Coverage emphasises directly-tested concepts: Tuckman team development stages (Forming → Storming → Norming → Performing → Adjourning); the five PMBOK conflict resolution techniques (Withdraw/Avoid, Smooth/Accommodate, Compromise/Reconcile, Force/Direct, Collaborate/Problem Solve, with Collaborate generally preferred); Earned Value Management formulas (CV=EV−AC, SV=EV−PV, CPI=EV/AC, SPI=EV/PV, EAC=BAC/CPI); risk strategies (Avoid/Transfer/Mitigate/Accept for threats; Exploit/Enhance/Share/Accept for opportunities); communication channels formula n(n−1)/2; Scrum events and roles (sprint planning, daily Scrum, sprint review, retrospective; product owner, Scrum Master, team); servant leadership.
May 2026 (earlier)
AZ-900 added. Microsoft's Azure Fundamentals is now live, expanding cloud coverage beyond AWS and adding the first Microsoft cert.
- Certification added: AZ-900, Microsoft Azure Fundamentals (150 questions, 3 skill areas). Question distribution matches the January 14, 2026 outline weighting (Cloud Concepts 28%, Azure Architecture and Services 37%, Azure Management and Governance 35%). Pass threshold set to 70% to match the 700/1000 cut score.
- Naming reflects current Microsoft branding: Microsoft Entra ID (formerly Azure AD), Microsoft Entra Domain Services (formerly Azure AD DS), Microsoft Defender for Cloud (formerly Azure Security Center + Azure Defender), Microsoft Purview (formerly Azure Purview). One question explicitly tests rebrand recognition since this is a known exam pattern.
- Coverage emphasises distinctions the exam tests directly: Azure Policy vs RBAC vs resource locks (different governance layers), Region vs Availability Zone vs Region Pair, Cost Management vs Pricing Calculator vs TCO Calculator, Azure Arc vs Azure Stack (project-into-Azure vs run-Azure-on-prem), IaaS/PaaS/SaaS responsibility boundaries.
May 2026 (earlier)
CISSP added. The senior cybersecurity credential is now live. ISC2's vendor section is complete (CC + CISSP both available), and the cybersecurity vendor section now has 9 of 9 cards available.
- Certification added: CISSP, ISC2 Certified Information Systems Security Professional (200 questions, 8 domains). Question distribution exactly matches the ISC2 CISSP Exam Outline weighting (Risk Management 16%, Asset Security 10%, Architecture 13%, Network Security 13%, IAM 13%, Assessment 12%, Operations 13%, Software Security 10%). Pass threshold set to 70% to match the 700/1000 scaled cut score.
- Question style mixes the famous "BEST answer" / manager's-mindset pattern (where two or more options are technically correct but only one is most appropriate given scenario constraints) with direct factual questions for security models, cryptanalytic attacks, and AAA terminology. Both styles appear on the real CISSP CAT exam.
- AI security integration: per the current CISSP outline, AI security concepts are distributed across all 8 domains (data poisoning under Asset Security, prompt injection and Explainable AI under Architecture, AI in NDR under Network Security, behavioural biometrics under IAM, AI red teaming under Assessment, model drift under Operations, AI-assisted coding risks under Software Security).
- Per-session default raised to 25 (vs 20 for other certs) reflecting CISSP's longer exam length (100-150 items, 3 hours, computer adaptive). The session-length selector still allows 10/20/50/Full bank.
May 2026 (earlier)
ISC2 Certified in Cybersecurity (CC) added. The first ISC2 cert and first vendor-neutral entry-level credential on the platform.
- Certification added: CC, ISC2 Certified in Cybersecurity (150 questions, 5 domains). Question distribution exactly matches the ISC2 CC Exam Outline weighting (Security Principles 26%, BC/DR/IR 10%, Access Controls 22%, Network Security 24%, Security Operations 18%). Pass threshold set to 70% to match the 700/1000 cut score.
- Question depth matches CC's actual entry-level character rather than being artificially harder. CC is designed for newcomers without prior IT experience; questions test foundational vocabulary and concept recognition (CIA triad, MFA factors, access control models, port basics, ISC2 Code of Ethics canon order) rather than scenario-deep judgement.
- Note: ISC2 announced a new CC Exam Outline effective September 1, 2026 that integrates AI security concepts (model poisoning, model drift, AI access controls, LLM data leakage). This bank targets the current outline (effective Oct 1, 2025); a refresh will be needed when the new outline takes effect.
May 2026 (earlier)
Network+ added. CompTIA's networking baseline is now live, completing the Net+/Sec+ pair that many candidates take together.
- Certification added: N10-009, CompTIA Network+ V9 (150 questions, 5 domains). Question distribution exactly matches the CompTIA exam objectives weighting (Networking Concepts 23%, Network Implementation 20%, Network Operations 19%, Network Security 14%, Network Troubleshooting 24%). Pass threshold set to 80% to match the 720/900 scaled cut score.
- Question style mixes scenario-based judgement (troubleshooting, design choices) with direct recall where the exam tests it (port numbers, OSI layer placement, subnet math). Several questions test the canonical 7-step troubleshooting methodology in order, which appears repeatedly on the real exam.
- Stats grid spacing fix: cells now have horizontal padding so the numbers and labels are not flush against the frame border or vertical dividers.
May 2026 (continued)
Security+ added; session-length selector live. CompTIA Security+ is the first vendor-neutral cert on the platform.
- Certification added: SY0-701, CompTIA Security+ (150 questions, 5 domains). Question distribution exactly matches the CompTIA exam objectives weighting (General Concepts 12%, Threats & Vulnerabilities 22%, Architecture 18%, Operations 28%, Program Management 20%). Pass threshold set to 83% to match the 750/900 scaled cut score, the highest in the catalog. Questions test scenario-based judgement on access control models, Zero Trust components, social engineering techniques, vulnerability indicators, incident response phases, risk metrics (SLE/ALE/ARO), and the dense acronym vocabulary the real exam emphasises.
- Note on PBQs: the real SY0-701 exam includes Performance-Based Questions (drag-and-drop network diagrams, log analysis, configuration screens). The Certmesa engine is multiple-choice only, so PBQ-style scenarios are written as text-based questions that test the same underlying knowledge. The cert page discloses this.
- Platform: session-length selector added to all cert pages. Users can pick 10 / 20 / 50 / Full bank for any cert, replacing the fixed-length sessions. Defaults stay at the per-cert recommended value (10 for CrowdStrike, 20 for AWS and Security+) and reset on each visit.
May 2026 (earlier)
AWS coverage. Both AWS certifications are now live with scenario-based banks.
- Certification added: SAA-C03, AWS Certified Solutions Architect - Associate (200 questions, 4 domains). Question distribution exactly matches the exam guide weighting (Secure 30%, Resilient 26%, High-Performing 24%, Cost-Optimized 20%). Pass threshold set to 72% to match the official 720/1000 cut score. Questions are scenario-driven, requiring the candidate to weigh constraints (RPO/RTO, cost, operational overhead) and choose the best-fit AWS design.
- Bank revised: CLF-C02 rebuilt from softball identification questions to 211 scenario-based questions matching real exam difficulty. Domain weighting brought into line with the exam guide (Cloud Concepts 23%, Security 32%, Tech 34%, Billing 11%). Distractors are now closely-related services rather than obvious wrong answers.
- Practice session length set to 20 questions for both AWS certs to better match real exam pacing.
May 2026
Launch. First release of Certmesa, focused on the CrowdStrike Falcon analyst path.
- Certification added: CCFA, Certified Falcon Administrator (100 questions, 8 domains).
- Certification added: CCFR, Certified Falcon Responder (100 questions, 6 domains).
- Certification added: CCFH, Certified Falcon Hunter (100 questions, 7 domains).
- Certification added: CCIS, Certified Identity Specialist (100 questions, 12 domains).
- Certification added: CCCS, Certified Cloud Specialist (100 questions, 7 domains).
- Aggregate counter dashboard published at stats, showing test starts, completions and average scores per certification. No personal data collected.
- Privacy notice published. Imprint published in compliance with French LCEN article 6-III.
- Thirteen further certifications across CompTIA, ISC², AWS, Microsoft, PMI, AXELOS, Scrum.org, CFA Institute and ASQ pre-staged for upcoming addition.