Google Cloud · 2026 Edition
A complete preparation guide written by Google Cloud-certified engineers. Covers the exam format, all 5 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 3–5 months
Difficulty: Advanced
Exam questions: 60
Pass mark: 720/1000

Exam code: PCSE
Full name: Google Professional Cloud Security Engineer
Vendor: Google Cloud
Duration: 120 minutes
Questions: 60 items
Passing score: 720/1000 (scaled)
Domains covered: 5 blueprint domains
Recommended experience: 3+ years of cloud security experience including 1+ year of GCP security experience
Typical prep time: 3–5 months
The Professional Cloud Security Engineer certification validates the ability to design and implement secure infrastructure on Google Cloud. It is the credential expected for cloud security architects and engineers at GCP-centric organisations.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3
Configuring Access: IAM, Resource Manager, Workload Identity, service accounts
Tip: Google Cloud IAM allow policies grant permissions; deny policies (newer) explicitly block permissions even if allowed by another policy. Know the difference and when each is used — deny policies are evaluated before allow policies. Deny policies are useful for preventing accidental escalation of privileges.
Weeks 4–6
Network Security: VPC Service Controls, Cloud Armor, Private Google Access, VPN/Interconnect security
Tip: VPC Service Controls create an access perimeter around GCP APIs. Know the difference between an access level (a condition for access — e.g. from corporate IP range) and a VPC perimeter (which services are inside the fence). Dry-run mode lets you monitor what would be blocked before enforcing.
Weeks 7–9
Data Protection: CMEK, Cloud KMS, DLP API, Secret Manager, data classification
Tip: Cloud Data Loss Prevention (DLP) API is the primary tool for data discovery and classification. Know that DLP supports inspection jobs (scan existing data in Cloud Storage, BigQuery, Datastore), de-identification transformations (redact, mask, tokenise, encrypt PII), and re-identification risk analysis. Questions describe a data handling requirement and ask which DLP transformation to use.
Weeks 10–13
Security Operations: Security Command Center, Chronicle, Mandiant, logging strategy
Tip: Security Command Center (SCC) Standard vs Premium: Standard includes basic asset discovery and security health analytics; Premium adds Event Threat Detection, Container Threat Detection, Web Security Scanner, and Sensitive Data Protection integration. Know which features require Premium tier.
Customer-Managed Encryption Keys (CMEK) let you control the encryption keys for Google Cloud data. Know that CMEK keys are stored in Cloud KMS, that disabling or destroying a key makes the protected data inaccessible, and that Cloud EKM (External Key Manager) lets you hold keys outside of Google's infrastructure entirely.
Organisation Policy constraints are a key exam topic. Know the difference between IAM (who can do what) and Org Policy (what can be done in the organisation — e.g. only allow specific image families for Compute Engine, enforce uniform bucket-level access on Cloud Storage). Org Policy constraints apply regardless of individual IAM permissions.
BeyondCorp Enterprise (Google's Zero Trust access proxy) is tested on the PCSE exam. Know that it enforces access based on user identity AND device posture (managed device, OS version, antivirus status) without requiring a VPN. Access levels in BeyondCorp define the conditions an identity and device must meet.
Cloud Armor WAF rules for the PCSE exam: know the pre-configured rule sets (ModSecurity CRS rules for OWASP Top 10), adaptive protection (ML-based DDoS defence), rate limiting rules, and named IP lists. Questions describe a web attack pattern and ask which Cloud Armor feature defends against it.
Audit logging in GCP: Admin Activity audit logs (always on, who did what to GCP resources), Data Access audit logs (must be explicitly enabled, who read or wrote data), and System Event logs (non-human GCP actions). Know what each log type captures and that Admin Activity logs cannot be disabled.
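To make the "must be explicitly enabled" point concrete, the following added example (not part of the original guide) checks the auditConfigs section of an IAM policy for Data Access logging gaps on a given service. The sample policy is constructed, and the function names are hypothetical; the log types ADMIN_READ, DATA_READ and DATA_WRITE and the "allServices" entry are the fields IAM uses to configure Data Access audit logs.

```python
import json

DATA_ACCESS_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample: the auditConfigs section of an IAM policy, in the shape
# returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [
       {"logType": "DATA_READ",
        "exemptedMembers": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
       {"logType": "DATA_WRITE"}]}
  ]
}
""")

def effective_audit_config(policy, service):
    """Return {logType: sorted exempted members} in effect for `service`.

    The effective config is the union of the service's own entry and the
    `allServices` entry; a log type absent from both is not recorded.
    """
    effective = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            exempt = effective.setdefault(log_cfg["logType"], set())
            exempt.update(log_cfg.get("exemptedMembers", []))
    return {t: sorted(m) for t, m in effective.items()}

def data_access_gaps(policy, service):
    """List findings: log types that are off, or on but with exempted members."""
    effective = effective_audit_config(policy, service)
    findings = []
    for log_type in DATA_ACCESS_TYPES:
        if log_type not in effective:
            findings.append(f"{service}: {log_type} not enabled")
        elif effective[log_type]:
            findings.append(f"{service}: {log_type} exempts {', '.join(effective[log_type])}")
    return findings

if __name__ == "__main__":
    for svc in ("storage.googleapis.com", "cloudkms.googleapis.com"):
        print("\n".join(data_access_gaps(SAMPLE_POLICY, svc)) or f"{svc}: fully logged")
```

Admin Activity logs never appear in auditConfigs because they cannot be turned off; an exempted member is worth reviewing because that principal's reads or writes leave no Data Access record.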