Identity Security (IAM, PAM, SSO)
Engineer the identity layer. Entra ID, Okta, CyberArk, PAM, SSO, MFA, Zero Trust. Operational, technical, in demand.
Phased progression
Foundations → first role → specialisation → advanced. The realistic order, not a script.
- 010–6 monthsFoundations
Literacy, lab habits, the cert that opens first conversations.
Microsoft SC-300 - 026–18 monthsFirst paid role
Land a IAM Engineer. Operational time, not more certs, earns the next move.
IAM Engineer$80–130k entry - 031.5–3 yearsSpecialisation
Add a specialist credential aligned to the work you're already doing.
Okta Professional$130–180k senior - 043+ yearsAdvanced
Move into adjacent roles. Long-term credentials become worth their cost.
Identity EngineerMicrosoft SC-100$130–180k senior
- 01Foundations0–6 months
Literacy, lab habits, the cert that opens first conversations.
Microsoft SC-300 - 02First paid role6–18 months
Land a IAM Engineer. Operational time, not more certs, earns the next move.
IAM Engineer$80–130k entry - 03Specialisation1.5–3 years
Add a specialist credential aligned to the work you're already doing.
Okta Professional$130–180k senior - 04Advanced3+ years
Move into adjacent roles. Long-term credentials become worth their cost.
Identity EngineerMicrosoft SC-100$130–180k senior
Certification sequence
Ordered by realistic relevance, not vendor marketing.
Practical projects
What to actually build, the portfolio that opens interviews.
- Build an access-review workflow against Entra ID
- Implement PAM for a tier-0 service
- Design an SSO / Conditional Access policy set
- ·AD / M365 admin → IAM
- ·Cloud engineer → cloud IAM
Realistic expectations
What no recruiter will tell you.
That stacking certifications shortcuts the timeline. It doesn't. Operational time and a public portfolio are what compress the path.
12–24 months is the realistic time to the first role on this route. Most people overshoot by 6–12 months. Plan for it; don't panic when it happens.