CISSP — how many questions in before you felt like you'd actually pass?
I'm sitting for the CISSP in three weeks and the adaptive testing format is messing with my head. I keep reading about people finishing at 100 questions and passing, and others going to 150 and also passing, and I can't tell if there's any real signal in the question count. I've been studying about four months, roughly two hours a day, and my Boson practice scores are consistently in the 78–82% range.
My background is eight years in network security, the last three focused on risk management and governance. Domains 1 and 5 feel solid, domain 4 is decent, but domain 3 (security architecture) and domain 7 (security operations) are weaker. I've been focusing the last few weeks on those gaps but there's a lot of ground in domain 3 especially.
The thing I keep hearing is to think like a manager, not a technician — but that's easier said than done when you've spent eight years being the technician. Does that framing actually help when you're sitting there second-guessing answer choices, or is it more useful in retrospect as an explanation for why you got something wrong?
78–82% on Boson is a solid indicator — Boson questions are harder than the actual exam in most domains. I was scoring similarly and passed at 100 questions. The real exam felt slightly more straightforward on the application-level questions.
I finished at 125 questions and passed. The whole drive home I was convinced I'd failed because a stretch around question 90 felt impossibly hard. Turns out that's normal — the CAT engine pushes you to your ceiling. Hard questions are not a bad sign.
The manager framing is real and it takes practice to internalize. When two answers are both technically correct, ask which one a CISO presenting to a board would choose. That shift changed how I read questions in a way no textbook explanation could.
Domain 3 tripped me up too. I made a one-page summary of the main security models — Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash — with their use cases and reviewed it every morning for two weeks before my exam. Made that domain manageable.
I'm actually in a similar boat but for AI-900, not CISSP, so take this with a grain of salt. Just hit 87% on my last practice run and I'm sitting the real thing next Tuesday. The adaptive format stuff you're describing honestly sounds exhausting, but from what I've read the question count really doesn't mean what people think it means.
What's been helping me is just not tracking the meta stuff and focusing on whether I actually understand the material. You've got three weeks which is solid time. Good luck with it.
Failed my first attempt at 125 questions and spent weeks trying to figure out what the number meant. It didn't mean anything. Second time I passed at 143 and honestly felt worse walking out than I did the first time. What changed wasn't my strategy around question count, it was that I stopped treating every topic like it needed equal attention and started thinking like a manager, not a technician. That mindset shift is everything for CISSP.
The anxiety around adaptive testing is real but you're burning energy on the wrong thing. I'd also say don't underestimate how much practicing adjacent cert material helps your brain build connections. I randomly did some ai 900 ai workloads and considerations questions while studying and it actually sharpened how I thought about risk and governance concepts. Three weeks is enough time if you trust your prep and stop counting.
Just passed CISSP last month and I felt the same way going in. Honestly, the thing that clicked for me was stopping obsessive question-count math and just trusting that if I actually understood the concepts, the adaptive format would work itself out. I finished at 125 and had no idea if that was good or bad until the screen showed me I passed.
The real shift for me was focusing on why wrong answers are wrong, not just memorizing what's right. That's true for any cert, honestly. I did the same thing when I was studying for a different exam and working through ai 900 ai workloads and considerations material - understanding the reasoning behind each option is what actually sticks. Three weeks is enough time if you're drilling on weak spots instead of re-reading stuff you already know.