Passed the CDP last month after about 8 weeks of study and wanted to share some honest feedback for anyone prepping. My background is 5 years in AppSec with a heavy development focus, so I went in confident on the technical integration pieces - SAST, DAST, container security, pipeline hardening. Those sections were manageable.
What surprised me was how much of the exam leaned into governance, risk frameworks, and organizational change management. I'd estimate roughly 30-35% of the questions were less about tooling and more about how you build DevSecOps culture, establish metrics, get buy-in from dev teams, and integrate security into existing SDLC governance structures. I wasn't unprepared but I was underweighted there.
I spent about 90 minutes a day for the first 5 weeks on deep technical review, then shifted to 50/50 for the final 3 weeks. Final score was 78%. If I were doing it again I'd flip that ratio earlier - maybe 60/40 governance-heavy from the start, since the technical side is easier to brush up on quickly than the conceptual frameworks.
5 years AppSec here too. I passed at 81% but would echo the governance warning. Questions about persuading dev teams and embedding security champions in sprint workflows require a different kind of thinking than just "which scanner to use in CI."
The exam felt current - I saw questions about supply chain security and SBOM practices that weren't covered in older prep material I found. Worth checking when whatever resource you're using was last updated before you commit to it.
78% on a first attempt is solid. Can you share which practice resources you used? The official study guide feels thin on governance and I'm about 4 weeks out right now.
The governance framing matches my experience. The OWASP DevSecOps Guideline is worth reading carefully - not just the highlights but the maturity model progression specifically. Several questions seemed to draw directly from that framing.