For every credential: what it actually unlocks, when it matters in your progression, what experience usually comes first, and what it won't magically solve. Anchored on the certifications hiring managers in IT, security, cloud, DevOps and GRC actually recognise.
Listed as 'entry-level security' on countless job ads. It isn't. The exam is passable in months; the five years of paid security experience required for full certification are not. Use it to consolidate seniority, not to enter the field.
Read the full take on CISSP, in contextAWS SAA and AZ-104 remain the clearest paid signal in the market, not because the exams are hard, but because the roles they map to are scarce and well-funded. If you only finish one cert this year and want comp to move, pick one of these.
Read the full take on AWS SAA, in contextUnfashionable, and that's exactly why it works. Cloud and security engineers who actually understand routing, subnets and TLS handshakes get promoted faster than those who don't. CCNA is still the cleanest way to earn that fluency.
Read the full take on CCNA, in contextGood enough to clear HR filters and DoD 8570 boxes. Not good enough to carry you through a technical interview alone. Treat it as a permission slip, not a qualification. Pair it with a home lab, a SOC tool, or scripting before applying.
Read the full take on Security+, in contextThese are our calls based on what hiring panels and infra teams actually look for in 2026. They are professional opinion, not statements about exam quality or vendor conduct. Your context will vary. Treat every verdict as a starting point for your own judgement.
Vendor-neutral baseline certs. HR-recognised, but rarely land roles alone.
Pure on-ramp, gets you help-desk shortlists, nothing further.
Process / service-management cert. Checks an HR box; doesn't make you a better engineer.
Vendor-neutral Linux baseline. Useful only if you can't justify RHCSA or LFCS yet.
Microsoft security/compliance/identity primer. Feeds the SC-200/300/400 lane, nothing more.
Microsoft 365 primer. Useful only as a feeder into MS-102 / MD-102 / AZ-900.
Modern Endpoint Administrator. Intune, Autopilot, compliance. The current desktop-engineer cert.
Azure data engineer. Synapse/Fabric/Spark/SQL on Azure. Niche but well-paid where it lands.
The most widely recognised entry-level security certification. Strong on vocabulary and concepts. Pair it with networking knowledge and hands-on labs to actually land roles.
Azure AI fundamentals, vocabulary primer, not a hiring signal.
The base layer cloud and security stand on. Hands-on, durable.
Still the clearest networking baseline; underrated by software-first crowds, respected by infra teams.
Cisco's professional networking cert, still the senior-engineer standard in Cisco shops.
Vendor-neutral networking primer, pair it with CCNA, don't end with it.
Palo Alto firewall associate cert. Pragmatic signal for network/security ops in Palo shops.
Fortinet's mid-tier cert. Strong in regions and verticals where Fortinet dominates.
Juniper foundation, relevant in service-provider and large-enterprise Junos networks.
Azure networking specialty, the depth-cert most Azure shops actually value.
CCNP Security. Deep network-security cert; respected in carrier/enterprise, less so in cloud-native shops.
Senior PAN-OS credential. Operationally deep, narrow market gravity in Palo-Alto-heavy enterprises.
SOC, detection, SIEM. The realistic on-ramp into security.
SANS forensic analyst. The gold-standard DFIR credential for serious incident teams.
Blue-team extension of Security+. Useful for SOC promotion talks, weaker as a first cert.
Vendor cert that proves you can drive a Splunk SIEM, narrow, but instantly useful in Splunk shops.
GIAC's foundational security cert. Respected by SANS-leaning employers, expensive relative to value.
Deep packet / detection analyst cert. Narrow but highly respected for IR and detection engineering.
SANS incident-handling. Operationally aligned and widely respected for IR and senior SOC.
The canonical Microsoft SOC credential, direct fit for Sentinel / Defender shops.
Security Blue Team Level 1. Most realistic hands-on cert for Tier-1/2 SOC work.
Certified CyberDefender (HTB). Hands-on DFIR-adjacent cert, increasingly recognised in defensive teams.
EC-Council forensic investigator, common in law-enforcement-adjacent and compliance markets.
Microsoft Information Protection / Purview specialty, the compliance-coded cert in the SC series.
SANS continuous-monitoring cert, closest SANS equivalent to a detection-engineering credential.
SANS network forensic analyst, narrow but credible for telemetry-heavy IR teams.
SANS malware RE cert, the strongest mainstream credential for malware analysts.
EC-Council Network Defender. Recognised in compliance-driven environments; practitioners typically pair it with labs or SOC work.
Pentest, red team. Slow ramp; entered after SOC or SWE experience.
Still the most-recognised offensive cert, but it gates on lab time, not on the exam itself.
Practical, AD-heavy offensive cert. Cheaper and arguably more realistic than OSCP for internal pentest work.
Recognised in compliance-driven shops; carries far less weight than OSCP/PNPT in technical interviews.
Still passes HR filters in compliance-driven hiring; practitioners typically pair it with hands-on work (HTB / labs / OSCP).
SANS pentest cert. Strong in gov/consulting markets, expensive vs OSCP for similar signal.
SANS web app pentest cert. Credible in SANS-funded shops; OSWE is the deeper alternative.
HTB's modern offensive benchmark, respected by practitioners, still building HR recognition.
Zero-Point Security red-team cert. Modern Cobalt Strike tradecraft, increasingly the de-facto red-team cert.
OffSec's evasion / advanced AD cert, only meaningful after OSCP and red-team exposure.
OffSec's web-exploitation cert. The deepest hands-on AppSec credential for source-aware testers.
SANS exploit-dev cert. Narrow, expensive, only meaningful in vuln-research-adjacent roles.
Cheap, hands-on entry to offensive security, great warm-up, not a hiring credential by itself.
AWS / Azure / GCP. Strongest senior salary ladder in tech.
The cloud cert that actually moves resumes; treat it as a baseline, not a finish line.
AWS vocabulary primer. Useful for first cloud roles, transparent at any senior level.
Operations-focused counterpart to SAA, heavier on monitoring, automation, and incident response.
Developer-flavoured AWS cert. Most useful if you actually ship code on Lambda/DynamoDB/CDK.
Practical Azure administrator cert. The closest equivalent to AWS SysOps in the Microsoft world.
GCP's associate cert, niche but premium-paid where Google Cloud lands.
Vendor-neutral cloud-security primer. Cheap, broad, lighter than CCSP.
Hybrid Windows Server on Azure. The cert ex-sysadmins use to translate into the cloud.
AZ-800's senior sibling, hybrid security, monitoring, recovery.
Microsoft 365 Administrator, tenants, Exchange Online, Entra, Teams, compliance.
Strong signal for cloud-security-leaning roles. Assumes you already speak AWS fluently.
Azure security engineer cert. Practical and recognised in enterprise EU / regulated industries.
Azure solutions architect. The senior design cert, only credible with production scars.
GCP's senior cloud-security credential, narrow market, strong signal inside GCP shops.
(ISC)²'s senior cloud-security cert. CISSP-adjacent, weighted toward architecture and program work.
Azure vocabulary primer. Required to make AZ-104 stick, not a hiring signal on its own.
AWS SA Pro. See the relationship graph for context.
IAM, PAM, SSO, Zero Trust. Often entered from AD or cloud.
Audit, risk and compliance. Senior management lane.
ISACA's audit cert. The credential of choice for internal/external IT audit and audit-adjacent GRC.
Senior governance signalling cert. Useful for management lanes, not for hands-on engineering.
ISACA's management-coded cert. The CISSP alternative for governance and program leads.
ISACA's risk credential. The dedicated counterpart to CISM for risk-coded governance lanes.
ISC2 governance / risk / compliance cert (formerly CAP). Narrow but credible in federal / regulated markets.
Hands-on senior security generalist cert, quietly respected, mostly in defence/contractor space.
ISO 27001 Lead Implementer. The cert that gets you on certification programs, not running them.
ISO 27001 Lead Auditor, for the audit side of the same standard.
Enterprise architecture framework cert. Meaningful only at enterprise scale, almost irrelevant elsewhere.
Microsoft security architect. The senior design cert for the Microsoft security stack.
EC-Council's CISO-prep cert. Narrower employer recognition than CISM/CISSP in most markets.
Kubernetes, IaC, pipelines. Code fluency required.
HashiCorp's Terraform cert. Quick win for cloud / DevOps candidates; weak on its own.
Validates real Kubernetes ops skill. The exam punishes anyone who only watched videos.
Hands-on Linux signal that infra and platform interviewers actually trust.
Distro-neutral counterpart to RHCSA, slightly less prestige, equally hands-on.
Developer-side counterpart to CKA. Useful for engineers shipping to k8s, less so for operators.
VMware professional cert, narrowing market, still meaningful in regulated enterprise.
Cisco's network-automation cert. Useful proof that a network engineer actually codes.
DevOps engineer on the Microsoft stack. Azure DevOps, GitHub, pipelines, IaC.
k8s security depth cert. Only meaningful if you already hold CKA and ship clusters.
RHCE. See the relationship graph for context.