
Why Security+ is simultaneously overrated and useful

It will not get you a security job. It will get you past an HR filter. Those are different problems.

Published 24 May 2026 · 9 min read · By the POST editor, 20 years, helpdesk to security architect
Verdict

Security+ won't get you a security job, and the people who promised you it would were overselling it or misunderstanding what it signals. What it will do, reliably, is get your CV past a keyword filter and give you the vocabulary to have a sensible conversation in a security team. Those are different problems, and they don't overlap as much as the marketing implies.

Who this is for

  • Anyone in the middle of studying Security+ wondering whether the job offers are about to start arriving the moment they pass. They aren't. Carry on with the cert, but adjust the expectation.
  • People in IT support thinking about Security+ as their first cert on the way into security. It's a reasonable choice. It is not, by itself, a route in.
  • Hiring managers and team leads asking whether to keep listing it as "preferred" on entry-level security postings. Mostly yes, for one specific reason explained below.

Who it isn't for

  • People with any kind of existing security role. The cert teaches almost nothing you don't already know, and the time is better spent on something hands-on.
  • Anyone targeting offensive security specifically. Skip it. Go straight to eJPT, do TryHackMe consistently, then PNPT or OSCP. The path is well-trodden and Security+ is rarely the thing that moves that specific path forward.
  • Career changers who already passed a more technical cert (CCNA, AWS, Azure, Linux). You don't need Security+ on top. The breadth is mostly redundant once you've passed something with real depth.

The real tradeoff

Security+ does one job well. It satisfies the HR keyword filter for "entry-level security cert" without committing the candidate to any specific vendor or specialism. The exam voucher itself is roughly £240 to £290 plus VAT depending on supplier, and the study sits at roughly 60 to 100 hours for someone with an IT background. That's the mechanism. It's a gatekeeper credential more than a teaching one.

Where the marketing gets people in trouble is implying it's also a teaching credential. It teaches vocabulary. It doesn't teach you to analyse a packet capture, write a detection rule, triage an alert, or hold a sensible architectural conversation about identity. People who pass and then can't do any of those things in an interview don't get the job, regardless of the cert.

What people get wrong

The biggest one is thinking Security+ replaces a portfolio. It doesn't. Junior SOC interviews have been "show me what you've done in your own time" for at least five years now. A home Wazuh or Splunk lab, a write-up of a TryHackMe blue room, a tiny Python script that triages phishing headers. Any one of those does more in a real interview than the cert does. The cert gets you to the interview. The labs and writing get you through it.

Then there's the cert-stacking trap. Security+, then CySA+, then maybe Pentest+, then back to studying for Network+ "to fill the gap." Twelve months later, the candidate has spent £1,200 and still has nothing they can demo to a hiring manager. On paper it looks like progress. In practice it's a year of avoiding the bit that's actually hard, which is building something.

Last one: taking it before you've decided on a direction. If you don't yet know whether you want SOC, AppSec, GRC, cloud security or red team, Security+ won't help you decide. It's wide and shallow by design. A weekend on TryHackMe and a weekend writing a small Terraform stack will tell you more about which corner you'd enjoy than the entire Security+ syllabus.

What it actually unlocks

Realistically, three things, and the third matters more than people expect.

  • US federal and contractor roles where the DoD 8140 framework (the replacement for 8570) lists Security+ as an approved baseline for several work roles. That's one of the clearest places it can become a formal gate.
  • The recruiter screen for entry-level SOC and GRC roles, where hiring managers use it as a filter rather than a learning signal. Useful but not interesting.
  • Internal mobility into a security team at the same employer, where the cert is read as "they're serious enough about this to have spent their own money." That third one is undervalued and probably the best return on a single cert for people who already have an IT job.

The honest alternative

  • Aiming at SOC with any IT background? Pair Security+ with BTL1 (Blue Team Level 1). The combination of the recognised cert and a hands-on lab credential is far stronger than either alone.
  • Aiming at offensive work? Skip Security+ entirely. eJPT first. Then either PNPT or straight to OSCP, depending on time and money. Nothing about the offensive recruiter screen rewards Security+.
  • Aiming at cloud security? Do AZ-500 or AWS Security Specialty in place of CySA+ after Security+. The cloud-security market is hot enough that the specific cert matters more than the breadth one.
  • Aiming at GRC? Security+ is fine as the technical baseline, but it's CISM or ISO 27001 Lead Implementer that actually moves you forward on that track.

When to walk away from the plan

If you've already spent six months on Security+ and you still don't enjoy the material, that's a useful signal. Security as a career involves a lot of reading badly-written documentation, sitting with ambiguity, and arguing with non-technical people about risk. None of that gets more fun later. If the cert content is putting you off and you can't articulate a specific role you're chasing, it might be worth sitting with the bigger question for a weekend before spending another £300 on the next one.

Where this connects on POST

The pathways page has the realistic helpdesk-into-SOC lane, with the project shortlist that opens junior SOC interviews. The helpdesk piece covers the bigger pattern people get wrong when they treat a cert stack as a career plan. And the Security+ cert page has the structured breakdown alongside the practitioner take.

Authored by

The POST editor. Twenty years in the work. Helpdesk, sysadmin, network, cloud, security engineering, security architecture. POST exists because the advice given to people entering this industry is, on average, dishonest.

Last reviewed 24 May 2026. Career advice without a date is worth what you paid for it.

POST Atlas is independent practitioner commentary. Certification and product names belong to their respective owners. Views are based on observed hiring patterns, public job-market signals and practitioner experience, not vendor endorsement.
