I Did Microsoft's #AISKILLFEST - 8 Days Before My CC Exam. Here's What Happened
- Jun 12
- 8 min read
Five modules, 3.5 hours, zero dollars — and it accidentally became one of my best study sessions of the whole prep cycle.

Eight days before my ISC2 Certified in Cybersecurity exam, I added something to my plate.
I know, hear me out.
Microsoft's AI Skills Fest ran June 8–12, 2026, and one of the featured skill paths in the AI Skills Navigator was Security Pro: Strengthen Security Foundations — a five-module advanced track covering exactly the territory I've been living in for the past 90 days: securing apps and data, endpoints, infrastructure, identity, and AI systems.
I finished all five modules between June 10 and 11. This is my full recap — what each module actually covers, where it connected to my CC prep, and my honest answer to the question every cert-studier in a time crunch is asking: was it worth it?
Why I Said Yes Eight Days Out
My CC exam is June 20. I have my flashcard deck, my domain quizzes, and my wrong-answers journal. Domain 4 (Network Security) has been my weak spot, and two of these modules map right into it.
But really? The bigger reason I said yes is how I learn best.
I'm a Senior Data Analyst making the move into cybersecurity, and much of what I will point out on this blog is that finding what doesn't belong is the same skill everywhere. I did it with atmospheric data. I did it in healthcare analytics. Now I'm doing it in security logs.
Microsoft's interactive case studies force you to apply concepts, not just recognize them. Eight days out, that felt like exactly the right kind of practice.
So when a free, scenario-based security path dropped during the final stretch of my prep? That was an easy yes. Here's what I walked away with.
Module-by-Module Breakdown
Module 01 of 05
Securing Apps and Data
This interactive module put me inside a fictitious e-commerce company called Fabrikam Inc., running microservices across Azure and AWS at the same time — with all the chaos that implies. Manual secret rotation. Public database endpoints. CI/CD pipelines with no centralized security governance. It was a really realistic snapshot of what multicloud security debt actually looks like.
The module walked me through threat analysis, then architectural design. The solution used Azure Arc to extend governance to AWS clusters, workload identities to replace static credentials, and Microsoft Sentinel to correlate telemetry across both environments. The framework tying it all together was Zero Trust — and for the first time, I saw it not as a buzzword but as a blueprint. Nothing was trusted just because it was on the right network.
For CC prep, Zero Trust weaves through all five domains, so seeing it applied to a real scenario was genuinely useful. I came away from this module feeling like the concept had finally clicked at a deeper level.
🔗 Connected to CC Prep
Zero Trust principles — touch all five CC domains; identity and access concepts from Domain 5
💡 New Term / Tool
Microsoft Entra ID — Azure's identity platform. Different from on-prem Active Directory in ways that matter for cloud security.
✏️ One Thing I'd Explain to Someone Else
CI/CD pipelines aren't just a developer problem — they're a security boundary. If there's no centralized security gate on your build process, misconfigurations ship to production quietly. And production is exactly where attackers go looking.
Confidence after:
3 / 5
Module 02 of 05
Securing Endpoints and Infrastructure
This was the module I needed most for Domain 4. The scenario followed Litware Inc., a global manufacturer with 40+ sites and a security posture held together with duct tape — delayed patching, legacy industrial systems on flat networks with default credentials, and security telemetry siloed in regional tools that couldn't talk to each other.
What made this click for me was the threat analysis section. It didn't just list the problems — it traced each gap directly to an attack path. Unmanaged contractor devices = blind spot. Fragmented SIEM tools = delayed detection. Flat OT network = lateral movement with nothing to stop it. That cause-and-effect structure is exactly the logic the CC exam tests.
The solution brought in Microsoft Intune for unified endpoint management, Defender for IoT for agentless OT monitoring, and Sentinel for cross-domain threat correlation. By the end, I wasn't just memorizing tools — I was thinking about why each one addresses a specific gap, which is a different kind of understanding entirely.
🔗 Connected to CC Prep
Zero Trust, patching cadence (Domain 5), VLANs and network segmentation (Domain 4) — direct overlap
💡 New Term / Tool
Microsoft Intune — unified endpoint management that enforces compliance across hybrid environments. More powerful than I expected.
✏️ One Thing I'd Explain to Someone Else
OT and IT security are not the same discipline. On a manufacturing floor, uptime beats patching every time — and legacy protocols were never designed with security in mind. VLANs and network segmentation exist specifically to contain the blast radius when something in that environment gets hit.
Confidence after:
3.5 / 5
Module 03 of 05
Cybersecurity Threats, Attacks, and Mitigations
Okay, this one felt like a warm hug. Most of the material — CIA triad, malware taxonomy, attack vectors, social engineering, MFA — I already knew cold. And there's something genuinely reassuring about going through a module and thinking I got this a week before an exam.
That said, one section stopped me in my tracks: AI-enhanced social engineering. We've all been trained to spot phishing by looking for spelling errors and awkward grammar. That advice is becoming obsolete. Attackers are now using AI to generate emails that are polished, personalized, and contextually convincing. The old tells are gone.
The mitigation section (MFA, browser security policies, threat intelligence, user education) maps directly to CC Domains 1 and 2. I used this module as a confidence check more than a learning session — and it worked exactly that way.
🔗 Connected to CC Prep
CIA triad, threat landscape, malware types, MFA, social engineering — covers large chunks of Domains 1, 2, and 3
💡 New Term / Tool
Nothing new here — this was confirmation that the foundations are solid. That felt great going into exam week.
✏️ One Thing I'd Explain to Someone Else
A virus and a worm are not interchangeable terms. A virus needs a human to do something — click a file, plug in a USB. A worm spreads itself by finding vulnerable systems. Once you understand how a threat moves, you understand how to stop it from moving further.
Confidence after:
5 / 5 🎉
Module 04 of 05
AI Security Controls
AI security controls are a whole layer of security thinking that doesn't exist in traditional cybersecurity study guides, because AI systems introduce entirely new kinds of risk.
Three things really landed for me. First: agent identity. When an AI system acts on your behalf, it should only be able to access the data you're authorized to see. The AI should never become an accidental privilege escalation path. That's the principle of least privilege applied to a new kind of actor — and it maps exactly to CC Domain 3.
Second: metaprompts as a security control. A system prompt isn't just "tell the AI what to do." It's a behavioral boundary — it tells the model what it can't do, instructs it to resist attempts to override its settings, and defines what data it can and can't return. Security through behavior design, not just blocking.
Third: grounding and why it matters for risk. An ungrounded AI model can confidently state something false, and users act on it anyway. RAG (retrieval-augmented generation) constrains the model to specific, verified sources — which reduces both hallucinations and the attack surface around misinformation.
🔗 Connected to CC Prep
Least privilege (Domain 3), access control, defense in depth — the underlying principles translate directly
💡 New Term / Tool
Jailbreak attempt detection — monitoring AI systems for known bypass patterns in content, not just infrastructure anomalies
✏️ One Thing I'd Explain to Someone Else
Logs are even more important in AI systems than traditional ones — and they're different. Traditional monitoring tells you what your infrastructure is doing. AI-specific monitoring tells you what's happening inside the content of interactions. That's where attacks like prompt injection actually live. If you're not capturing prompt and response patterns, you have a blind spot an attacker can walk right through.
Confidence after:
3.5 / 5
Module 05 of 05
Fundamentals of AI Security
If Module 4 was the controls layer, Module 5 was the threat model behind all of it. This one covered how AI security differs from traditional cybersecurity, the three-layer AI architecture model, and five categories of AI-specific attacks: jailbreaking, prompt injection, model manipulation, data exfiltration, and overreliance.
The three-layer model stuck with me as a genuinely useful mental map. The Usage layer is where users interact with the system — and where overreliance and AI-generated social engineering show up. The Application layer is where your business logic, plugins, and orchestration live — and where prompt injection hits hardest. The Platform layer is where the model and its training data live — where model poisoning and data poisoning attacks operate at the deepest level.
I was already familiar with MITRE ATT&CK. Seeing MITRE ATLAS — the AI-specific counterpart — felt like a natural extension of that framework I'd already built in my head. Each attack type has an ATLAS entry. That's the kind of structure I can actually use in a SOC context, not just on an exam.
The shared responsibility model for AI (SaaS vs. PaaS vs. IaaS) is mapped directly to CC Domain 4 cloud concepts. Same logic, new context — which is exactly my favorite kind of learning moment.
🔗 Connected to CC Prep
IaaS/SaaS/PaaS shared responsibility (Domain 3), data classification, defense in depth — strong overlap.
💡 New Term / Tool
MITRE ATLAS — adversarial AI threat taxonomy. A natural companion to MITRE ATT&CK for anyone moving into AI-adjacent security roles.
✏️ One Thing I'd Explain to Someone Else
Prompt engineering isn't just a productivity trick — it's a security design decision. How you structure a system prompt, what you tell the model to ignore, and where you set its behavioral limits determine how resistant the whole application is to manipulation. A vague or missing system prompt is an open door.
Confidence after:
3.5 / 5

*Photo credit: Microsoft's AI Skills Navigator. Disclaimer: I am not affiliated with, endorsed by, or sponsored by Microsoft Corporation.
The Honest Assessment
Was It Worth It Eight Days Out?
Yes — but not for the reason I expected. I thought this would be a supplemental review. It turned out to be something more useful: a different angle on the same concepts, plus a whole category of knowledge I didn't have before.
✓ What Worked
The scenario-based format forced me to apply concepts, not just recall them. That's a different cognitive muscle than flashcards — and it's the one the CC exam actually tests.
Modules 2 and 3 reinforced Domain 4 and foundational threat concepts at exactly the right moment.
◎ What Surprised Me
Modules 4 and 5 covered AI-specific attack surfaces — prompt injection, model poisoning, data exfiltration through inference — that aren't in any CC study material I've seen. Not on this exam, but absolutely real in modern SOC environments.
3.5 hours. Free. Microsoft badge. Reinforced my weak areas. That's a good return in exam week.
💬 For Data Professionals Transitioning into Cybersecurity
If you're coming from a data background like I am, the AI security modules will feel familiar in the best way. Data pipelines, access controls, and integrity of your training sets — these aren't new concepts; they're the same questions in a new context.
The hard part of cybersecurity isn't learning a completely different way of thinking. It's recognizing that you already do this — and building the vocabulary to show it.
What's Next
I am taking my ISC2 CC exam on June 20. On June 21, I'll be back with a full debrief — pass or fail, honest and complete, no glossing over the hard parts.
If you're in the middle of your own career pivot and trying to figure out whether free credentials and extra training are worth your limited time, follow along. I'm building this out in public so you don't have to figure it out alone.
Comments