The cybersecurity certifications roadmap.
There are over 300 cybersecurity certifications on the market. You don't need 47 of them — you need 3 to 5, in the right order, paired with real experience. This roadmap cuts the noise: five tiers, verified Q1 2026 pricing, what each cert actually opens, and where it stops paying off.
- 5-tier progression, entry to exec
- 16 certs ranked by ROI
- Verified 2026 pricing & renewals
- Track-specific stacking paths
ISC2 cut the CISSP experience-waiver list in half on April 1, 2026.
The qualifying-credentials list dropped from roughly 50 to 25. Notable removals include CEH, CISA, CRISC, and OSCP — all of which previously knocked one year off the CISSP's 5-year experience requirement. If you were planning to use any of these as a waiver, verify the current ISC2 list before you commit your study budget.
Why certifications matter in 2026.
Certifications won't make you a great defender or attacker — but in 2026 they're the filter your resume has to clear before a human ever reads it. The data is unambiguous.
Five tiers, in order.
Each tier corresponds to a phase of your career. The flagship cert in each tier is highlighted — that's the one most candidates should pick if they're picking only one. All prices are in USD, verified Q1 2026.
Get in the door.
Security+ (SY0-701)
The default first cybersecurity cert. Vendor-neutral, broadly recognized, and meets DoD 8570 IAT II compliance for federal contractor roles.
Certified in Cybersecurity (CC)
ISC2's newest entry-level cert, currently free for the first million candidates as part of the One Million Certified in Cybersecurity initiative. Solid resume signal.
Network+ (N10-009)
Networking is the foundation under every security skill. If subnetting, routing, and protocols feel shaky, take this before Security+.
SC-900 Security Fundamentals
Strong fit for Microsoft-heavy environments. Covers identity, compliance, and Microsoft 365/Azure security basics.
Specialize toward Blue Team or Red Team.
CySA+ (CS0-003)
The defensive analyst's mid-tier credential. Covers SIEM operations, threat hunting, vulnerability management, and incident response. Highly visible in SOC job postings.
CEH v13 (Ethical Hacker)
The most widely recognized offensive cert at this level. v13 adds AI-powered threat detection and cloud exploitation. Theory-heavy, ATS-friendly — useful for resume screens.
SC-200 Security Operations
Hands-on with Microsoft Sentinel, Defender, and KQL. If your employer runs on Microsoft, this is the highest-impact analyst cert you can hold.
PenTest+ (PT0-003)
Practical pentesting cert at a fraction of CEH's price. More hands-on than CEH but less rigorous than OSCP. Solid mid-tier offensive credential.
Become genuinely good at one thing.
OSCP (PEN-200)
The gold standard for pentesters. 24-hour hands-on hacking exam, manual exploitation only. Passing this immediately changes how you're treated in interviews.
AWS Security Specialty (SCS-C02)
Cloud security is the highest-demand specialty in 2026. AWS Security Specialty covers IAM, encryption, monitoring, and incident response on AWS — the leading cloud platform.
AZ-500 Azure Security Engineer
Microsoft's flagship cloud security cert. Covers identity, platform protection, security operations, data and app security on Azure. Pair with SC-100 for senior cloud roles.
GCIH Incident Handler
SANS-backed and deeply respected for incident response work. Expensive, but the curriculum and credibility are unmatched in the IR space.
The certs that pay for themselves.
CISSP
The most recognized security certification globally and a near-requirement for senior architect, manager, and consultant roles. CAT exam, 8 domains, requires 5 years of paid experience.
CISM
Pure management focus — risk, governance, program design. Better than CISSP if your trajectory is purely managerial rather than technical-architect.
CCSP
CISSP-equivalent depth, focused entirely on cloud security architecture and operations. The senior cert for cloud-first security careers.
CISA
The audit-track equivalent. Required by Big Four and corporate IT audit teams. Note: CISA was removed from the CISSP waiver list in April 2026.
Differentiator credentials.
OSEP / OSEE
OSEP for evasion and advanced exploitation; OSEE for the hardest exam in offensive security — exploit development, kernel work. Both are clear differentiators in the red team market.
GCFA / GREM
GCFA for advanced forensic analysts; GREM for malware reverse engineering. The two most respected technical certifications in DFIR and threat research.
CRISC
Senior risk and IT control credential. Pairs naturally with CISM for governance leaders. Note: CRISC was removed from the CISSP waiver list in April 2026.
CISSP-ISSAP
CISSP concentration in security architecture. Requires existing CISSP plus 2 years of architecture experience. Strong fit for staff and principal architect roles.
Cert sequences by career track.
Six common career trajectories with the cert sequences hiring managers actually look for. Estimated total time assumes one cert at a time alongside full-time work.
SOC Analyst → Senior → Manager
The default defensive progression. Security+ opens the SOC door, CySA+ deepens analytical skills, CISSP gates senior roles, CISM completes the management pivot.
Pentester → Red Team Lead
Hands-on offensive path. Skip CEH if budget is tight — OSCP carries the hiring weight. OSEP differentiates senior red teamers from generalist pentesters.
Cloud Engineer → Architect
Cloud security is the highest-demand specialty in 2026. Pick AWS or Azure based on employer footprint, then validate breadth with CCSP for senior roles.
Analyst → Audit Lead → Risk Director
The ISACA-heavy governance, audit, and risk pathway. Security+ adds technical literacy. CGEIT is for senior risk and enterprise governance roles.
Engineer → Architect → CISO
For engineers moving into architecture and ultimately leadership. Many seasoned professionals hold both CISSP and CISM — they signal different things to different audiences.
Responder → Forensic Lead → Researcher
Premium SANS-heavy path for incident response and malware research specialists. Expensive, but the courses themselves are the differentiator — not just the cert.
Side-by-side comparison.
Every major cert at a glance — pricing, difficulty, time investment, validity. Use this to spot-check before committing study time and budget.
| Certification | Issuer | Exam fee | Difficulty | Study time | Validity |
|---|---|---|---|---|---|
| Security+ | CompTIA | $425 | | 2–4 mo | 3 yrs |
| ISC2 CC | ISC2 | Free* | | 3–6 wk | 3 yrs |
| SC-900 | Microsoft | $99 | | 3–6 wk | Annual renewal |
| CySA+ | CompTIA | $425 | | 2–3 mo | 3 yrs |
| CEH v13 | EC-Council | $1,199 | | 2–3 mo | 3 yrs |
| PenTest+ | CompTIA | $425 | | 2–4 mo | 3 yrs |
| SC-200 | Microsoft | $165 | | 6–10 wk | Annual renewal |
| AZ-500 | Microsoft | $165 | | 2–3 mo | Annual renewal |
| AWS Security Specialty | AWS | $300 | | 2–4 mo | 3 yrs |
| OSCP | OffSec | $1,749 | | 3–6 mo | Lifetime |
| CISSP | ISC2 | $749 | | 3–6 mo | 3 yrs |
| CISM | ISACA | $575–$760 | | 3–4 mo | 3 yrs |
| CCSP | ISC2 | $599 | | 3–4 mo | 3 yrs |
| CISA | ISACA | $575–$760 | | 3–5 mo | 3 yrs |
| OSEP | OffSec | $1,799+ | | 6–12 mo | Lifetime |
| GCFA / GREM | SANS / GIAC | $979* | | 4–6 mo | 4 yrs |
What renewals actually cost.
The exam fee is just the entry ticket. Most certifications need annual maintenance fees and continuing education credits to stay valid. Plan for the recurring cost before you buy.
Security+, CySA+, PenTest+
Higher-tier CompTIA certs auto-renew lower ones. Pass CySA+ and your Security+ stays current. Free CEU sources cover most candidates' annual quota.
CISSP, CCSP, CC
CISSP requires 40 CPEs annually. ISC2 webinars are free and count. Conferences and on-the-job training cover the rest for most professionals.
CISM, CISA, CRISC
Membership pays for itself if you hold multiple ISACA certs. CPEs come from chapter events, ISACA Journal quizzes, and webinars.
Five expensive mistakes.
The most common ways candidates waste time and money chasing certs that won't move their career forward. Recognize the patterns, skip the traps.