Cybersecurity Fundamentals

What I Know After Completing Domains 1–3 of the ISC2 CC — and Where I'm Pointing Next

KC Cyber Labs · June 17, 2026

Completing the first three domains of the ISC2 Certified in Cybersecurity certification builds a working foundation in security principles, incident response, and access control. That foundation matters regardless of where a cybersecurity career points — including toward offensive work like security testing. Understanding how systems are meant to be protected is the prerequisite for understanding how that protection can be evaluated.

Where I Am Right Now

Domains 1, 2, and 3 of the ISC2 CC are finished. Security Principles, Incident Response and Business Continuity, and Access Control Concepts — the assessments averaged 96% across all three, but the more useful outcome is that the concepts have started to connect. They feel less like separate study topics and more like a coherent picture of how security is supposed to work.

I also want to be honest about where my interest is pointing. I am not drawn to a career sitting behind a SIEM watching dashboards. I want to test security — evaluate whether the controls that are supposed to protect a system actually do. That means eventually moving toward offensive skills: vulnerability assessment, penetration testing, finding the gaps before someone else does.

I am not there yet. But the foundation I have been building is exactly the right starting point, and I want to document why.

What Domains 1–3 Actually Taught Me

Security Principles

Domain 1 is where everything starts. The CIA triad — confidentiality, integrity, availability — is not a beginner concept that you graduate past. It is the framework that every security decision references. When a tester probes a system, they are asking: can I access data I should not see? Can I alter something that should be read-only? Can I disrupt a service that should be available? Those are CIA questions.

The domain also covered risk terminology — assets, threats, vulnerabilities, likelihood, impact — and control categories: administrative, technical, physical. Defense in depth rounds it out: the idea that no single control is sufficient, and security comes from layering.

None of this is abstract. It is the vocabulary that makes security conversations possible.

Incident Response and Business Continuity

Domain 2 is about what happens when something goes wrong: the distinction between an event and an incident, the response lifecycle, containment before eradication, and the difference between keeping a business running during a disruption and recovering systems after a failure.

For someone interested in offensive work, this domain is a useful perspective shift. Security testers are not operating in isolation — the work they do feeds directly into how an organization prepares for and responds to real threats. Understanding the IR lifecycle makes that connection clear.

Access Control Concepts

Domain 3 is where a lot of the practical security machinery lives: least privilege, need-to-know, segregation of duties, the access control models (DAC, MAC, RBAC), and how identity and access management actually functions across a user's lifecycle, from provisioning to deprovisioning.

Access control is also one of the most common areas where real-world security breaks down. Misconfigured permissions, over-privileged accounts, forgotten credentials — these are not exotic attack vectors. They are the everyday failures that make systems vulnerable. Knowing the model tells you what correct looks like, which makes it much easier to recognize when something is wrong.
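
To make "knowing what correct looks like" concrete, here is an added example (not from the ISC2 material or the original post) that compares account grants against an RBAC baseline and reports the everyday failures named above. All role names, permissions, accounts and the 90-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data: role names, permissions and accounts are hypothetical.
ROLE_BASELINE = {  # RBAC: what each role is meant to hold (least privilege)
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "accounts_payable": {"invoice:read", "invoice:create"},
    "finance_approver": {"invoice:read", "invoice:approve"},
}
# Segregation of duties: no single account may hold both permissions of a pair.
SOD_CONFLICTS = [("invoice:create", "invoice:approve")]
DORMANT_AFTER_DAYS = 90  # assumed policy threshold

ACCOUNTS = [
    {"user": "avery", "role": "helpdesk", "employed": True, "enabled": True,
     "granted": {"ticket:read", "ticket:write", "user:reset_password"},
     "last_login": date(2026, 6, 10)},
    {"user": "blake", "role": "accounts_payable", "employed": True, "enabled": True,
     "granted": {"invoice:read", "invoice:create", "invoice:approve"},
     "last_login": date(2026, 6, 12)},
    {"user": "casey", "role": "helpdesk", "employed": False, "enabled": True,
     "granted": {"ticket:read"}, "last_login": date(2026, 1, 5)},
    {"user": "dana", "role": "finance_approver", "employed": True, "enabled": True,
     "granted": {"invoice:read", "invoice:approve"},
     "last_login": date(2026, 2, 1)},
]

def audit(accounts, today):
    """Return (user, finding, detail) tuples where an account departs from the model."""
    findings = []
    for acct in accounts:
        # Unknown role: nothing is allowed, so every grant is reported.
        extra = acct["granted"] - ROLE_BASELINE.get(acct["role"], set())
        if extra:
            findings.append((acct["user"], "over-privileged", sorted(extra)))
        for a, b in SOD_CONFLICTS:
            if {a, b} <= acct["granted"]:
                findings.append((acct["user"], "sod-conflict", [a, b]))
        if not acct["enabled"]:
            continue  # disabled accounts cannot log in; lifecycle checks do not apply
        idle = (today - acct["last_login"]).days
        if not acct["employed"]:
            findings.append((acct["user"], "not-deprovisioned", []))
        elif idle > DORMANT_AFTER_DAYS:
            findings.append((acct["user"], "dormant", [f"{idle} days idle"]))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCOUNTS, date(2026, 6, 17)):
        print(finding)
```

A single extra grant on one account produces two findings here, because the same permission both exceeds the role baseline and breaks segregation of duties.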

Where I Am Pointing Next

My intention is to move toward offensive security — specifically, testing the security of home and small business environments. That is where I will begin applying what I have learned in controlled, legal practice before anything else.

The reasoning is practical. Home networks and small business setups are often under-protected and genuinely misunderstood by their owners, and they represent real risk. They also tend to use common configurations, standard equipment, and familiar software — which makes them good learning environments. Understanding how to evaluate that kind of environment responsibly is a useful starting point.

I am not claiming to be a penetration tester. I am a student with a solid conceptual foundation who is building toward that capability. TryHackMe is part of that — guided rooms in a controlled environment where I can practice the mechanics without touching anything I do not have explicit authorization to touch. That distinction matters and I take it seriously.

Why the Foundation Comes First

There is a tendency in cybersecurity content to frame offensive skills as something separate from — or more exciting than — foundational knowledge. That framing is wrong.

A tester who does not understand access control models cannot accurately evaluate whether the permissions on a system are misconfigured or intentional. A tester who does not understand the CIA triad cannot clearly articulate the risk their findings represent. A tester who has not thought through incident response does not understand what happens on the other side when a real attacker triggers the same finding.

Domains 1, 2, and 3 are not prerequisites to get through before the real learning starts. They are the real learning. The offensive skills I am developing sit on top of them.

What Comes Next

Domains 4 and 5 are still ahead — Network Security and Security Operations. Both are directly relevant to where I am heading, and I expect the concepts to continue building on each other. I will document that progress the same way I have documented everything else: honestly, with the actual scores and the actual gaps.

The interest is in offensive work. The path there runs straight through understanding how systems are built and protected. That is the only sequence that makes sense.

Frequently Asked Questions

What topics are covered in ISC2 CC Domains 1 through 3?

Domain 1 covers Security Principles, including the CIA triad, risk concepts, and control categories such as administrative, technical, and physical. Domain 2 addresses Incident Response, Business Continuity, and Disaster Recovery — including the distinction between events and incidents and the response lifecycle. Domain 3 covers Access Control Concepts, including least privilege, need-to-know, segregation of duties, and access control models like DAC, MAC, and RBAC.

Is the ISC2 CC a good starting certification for cybersecurity?

The ISC2 Certified in Cybersecurity is designed for entry-level candidates and people entering the field from adjacent roles. It establishes foundational vocabulary and concepts that apply across security disciplines — defensive, operational, and offensive. It is not a specialization credential, but it provides the conceptual grounding that more advanced certifications and practical skills build on.

Do you need to understand defensive security before learning offensive security or penetration testing?

Yes. Offensive security work — including vulnerability assessment and penetration testing — requires understanding the security controls being evaluated. A tester who does not understand access control models cannot accurately distinguish a misconfiguration from an intentional design choice. Foundational knowledge of how systems are meant to be protected is what makes it possible to recognize when that protection is failing.

What is TryHackMe and how is it used for ethical hacking practice?

TryHackMe is an online platform that provides guided cybersecurity training through structured rooms and labs in isolated, controlled environments. It is commonly used by students and early-career professionals to practice offensive and defensive techniques legally, without touching any systems they do not have explicit authorization to access. All activity occurs within the platform's own infrastructure.

What are the remaining domains of the ISC2 CC certification?

The ISC2 CC covers five domains in total. Domains 4 and 5 address Network Security and Security Operations respectively. Both are directly relevant to security testing and operations work, and they build on the principles established in the first three domains.
