The cybersecurity certification market is a multi-billion dollar industry that sits at the intersection of genuine workforce development and opportunistic credentialism. Some certifications are outstanding: technically rigorous, respected by employers across the industry, and demonstrably correlated with higher earnings and expanded role access. Others are expensive marketing exercises that provide minimal practical value and are primarily purchased by people who do not yet know enough to evaluate them critically. Navigating this landscape without good information is expensive in every sense — the wrong certification can cost $1,500 in fees, four to six months of preparation time, and a resume that signals poor judgment to technical hiring managers.

This article provides a direct comparative evaluation of fifteen widely recognised cybersecurity certifications: CompTIA A+, Network+, Security+, CySA+, CASP+, CISSP, CISM, CEH, OSCP, PNPT, GPEN, GWAPT, eJPT, eCPPT, and AWS Security Specialty. Each is measured against six criteria — cost (all-in exam and study), pass rate, renewal requirements, difficulty, employer recognition, and salary data — drawn from ISC2's 2023 Cybersecurity Workforce Study, ISACA's 2024 State of Cybersecurity Report, and CompTIA's certification outcome surveys. The article also maps recommended certification sequences by career path and addresses the controversies that practitioners actually argue about, including OSCP versus CEH and CISSP versus CISM.

One critical framing point before the data: certifications are credentials, not competence. The most respected offensive security certification (OSCP) is respected precisely because it tests hands-on ability through a 24-hour practical exam rather than multiple-choice questions. Employers who understand security know the difference between a knowledge credential and a skill demonstration. The difference matters enormously for technical roles.

"OSCP is the only certification where I can look at it on a resume and be confident the person has actually done the thing, not just read about it. Everything else is a starting point for a conversation." — Senior Penetration Tester, TCM Security Community Forum, 2023


Key Definitions

CPE (Continuing Professional Education): Credits required to maintain active certification status after passing the initial exam. CISSP requires 120 CPEs over three years. Failure to maintain CPEs results in a lapse of the certification, which must then be re-earned from the start.

DoD 8570 / DoD 8140: US Department of Defense directives that map cybersecurity job categories to required certifications. Security+ fulfils requirements for multiple categories, making it mandatory rather than optional for government and defence contractor roles.

Practical Exam: An exam format requiring candidates to perform real tasks in a simulated or live environment, rather than answering multiple-choice questions. Practical exams (OSCP, PNPT, eCPPT) are significantly more respected by technical employers because they demonstrate applied skill rather than retained knowledge.

Vendor-Neutral Certification: A certification not tied to a specific platform or product. CompTIA and ISC2 certifications are vendor-neutral; AWS Security Specialty is vendor-specific to Amazon Web Services. Both types have value but serve distinct purposes.

Endorsement Requirement: CISSP requires applicants to be endorsed by an existing ISC2 member with 4+ years of experience who can attest to their professional conduct. New CISSP holders without endorsement become Associates of ISC2 while seeking endorsement.


Master Certifications Comparison Table

Certification | All-In Cost (USD) | Estimated Pass Rate | Renewal | Difficulty (1-10) | Employer Recognition | Hours to Prepare
--- | --- | --- | --- | --- | --- | ---
CompTIA A+ | $450-$650 (2 exams) | ~70% | 3 years / 20 CEUs | 3 | Medium (IT baseline) | 80-120
CompTIA Network+ | $358 | ~73% | 3 years / 30 CEUs | 4 | Medium-High | 100-150
CompTIA Security+ | $404-$600 | ~65% | 3 years / 50 CEUs | 5 | Very High (DoD 8570 compliant) | 120-180
CompTIA CySA+ | $392-$550 | ~60% | 3 years / 60 CEUs | 6 | High (SOC and blue team) | 150-200
CompTIA CASP+ | $466-$650 | ~50% | 3 years / 75 CEUs | 7 | Medium-High (architecture) | 200-300
CISSP | $749-$2,200 | ~20% | 3 years / 120 CPEs | 9 | Very High (global standard) | 300-600
CISM | $575-$1,800 | ~50% | 3 years / 120 CPEs | 7 | Very High (management) | 200-350
CEH | $950-$1,950 | ~60% | 3 years / 120 CPEs | 4 | Low-Medium (technical hiring) | 120-180
OSCP | $1,499-$2,500 | ~40-55% | No expiry (PEN-200 update recommended) | 9 | Very High (offensive security) | 400-800
PNPT | $399-$500 | ~70% (with retake) | No expiry | 7 | Medium-High (growing) | 200-300
GPEN | $2,499-$3,000 | ~65% | 4 years / 36 CPEs | 7 | High (enterprise pen testing) | 250-400
GWAPT | $2,499-$3,000 | ~65% | 4 years / 36 CPEs | 7 | High (web app pen testing) | 200-300
eJPT | $200 | ~75% | No expiry | 4 | Medium (entry-level signal) | 60-100
eCPPT | $400 | ~65% | No expiry | 6 | Medium-High (growing) | 150-250
AWS Security Specialty | $300-$500 | ~55% | 3 years | 6 | Very High (AWS environments) | 150-200

Sources: ISC2 Cybersecurity Workforce Study 2023; CompTIA certification exam prep surveys 2024; Offensive Security internal data; GIAC certification programme documentation; practitioner-reported data from Reddit r/cybersecurity and TechExams.net community surveys 2024.


Tier 1: Foundation Certifications

CompTIA A+

A+ is the foundational IT credential covering hardware, operating systems, networking basics, and basic security hygiene. It is not a security certification per se, but it is the appropriate starting point for anyone without prior IT experience who is targeting a cybersecurity career through the help desk route.

Its relevance in 2026 is primarily as a resume signal for roles that explicitly require it — many managed service providers and government IT contracts specify A+ — and as preparation for Network+. For career changers with existing IT experience, it can often be skipped in favour of going directly to Network+.

Who needs it: Career changers with zero IT background targeting help desk or tier-1 support roles.

CompTIA Network+

Network+ is the critical prerequisite competency for cybersecurity. Security+ questions assume networking literacy — subnetting, routing protocols, firewall rule logic, packet analysis, VPN architectures — that Network+ explicitly teaches. Attempting Security+ without Network+ foundations is possible but leaves dangerous knowledge gaps that will show in practical work.

The certification covers network topologies, infrastructure components, cloud networking basics, and basic network security. It is not glamorous, but practitioners who lack its content are consistently the weakest responders when network-level incidents occur.

Who needs it: Anyone targeting Security+ who lacks 12+ months of hands-on networking work.

CompTIA Security+

Security+ is the correct starting certification for almost everyone entering cybersecurity. It covers a broad curriculum — threat types and attack vectors, cryptography fundamentals, identity and access management, network security, cloud security basics, risk management frameworks, and incident response — providing foundational literacy across the discipline.

Its DoD 8570/8140 compliance is its decisive practical advantage. Federal civilian cybersecurity roles, US military contractor positions, and a large proportion of government-adjacent work either require Security+ explicitly or use DoD 8570 frameworks that make it the default. No competing entry-level certification matches this institutional mandate.

The exam format includes up to 90 questions (multiple choice plus performance-based questions requiring real system interaction) with a 90-minute limit and a 750/900 passing score. The performance-based questions distinguish it from pure knowledge tests.

Verdict: Start here if you have Network+ or equivalent working networking knowledge. The DoD 8570 compliance alone justifies prioritizing it over alternatives.


Tier 2: Intermediate Specialist Certifications

CompTIA CySA+ (Cybersecurity Analyst+)

CySA+ bridges the gap between Security+ and the senior credentials, focusing on threat detection and analysis, incident response, vulnerability management, and security analytics. It is the logical next step for SOC analysts targeting advancement beyond Tier 1 work.

Its content covers SIEM usage and tuning, threat intelligence analysis, malware analysis basics, and security monitoring architecture — skills directly relevant to blue team roles. The certification is also DoD 8570 compliant at higher tiers, extending its government relevance.

Salary context: Practitioners with CySA+ report median salaries of $95,000-$115,000 in the US (CompTIA State of the Tech Workforce 2024), positioning it well for Tier 2-3 SOC and threat intelligence roles.

CompTIA CASP+ (CompTIA Advanced Security Practitioner)

CASP+ targets security architects and senior technical practitioners rather than management-track professionals. It is the most technically demanding of the CompTIA certifications and lacks the profile of CISSP, but it serves a specific market: senior individual contributors who want a DoD 8570-compliant advanced credential without the management experience requirements of CISSP.

Employer recognition is solid but narrower than CISSP. Its value is highest in government and defence contractor contexts.

eJPT (eLearnSecurity Junior Penetration Tester)

eJPT is a practical entry-level penetration testing certification offered by INE (formerly eLearnSecurity) for $200. It is designed as a beginner's practical credential and uses a skills-based exam format rather than multiple choice.

Its primary value is as an entry signal for people targeting offensive security careers. It demonstrates genuine hands-on interest and basic practical skill in a way that no multiple-choice certification can. At $200 with freely available preparation materials, it has an exceptional cost-to-signal ratio as a first step before investing in PNPT or OSCP preparation.

Verdict: The best cheap first step for anyone targeting a penetration testing or offensive security career.

eCPPT (eLearnSecurity Certified Professional Penetration Tester)

eCPPT is a practical intermediate penetration testing certification from INE. It covers network penetration testing methodology, web application security, and basic exploit development through a practical exam. It sits between eJPT and OSCP in difficulty and cost, providing a meaningful stepping stone for candidates who are not yet ready for the OSCP commitment.


Tier 3: Advanced and Senior Certifications

OSCP (Offensive Security Certified Professional)

OSCP is the definitive credential for offensive security. Unlike every other certification on this list, it cannot be passed by memorizing content. The exam is a 24-hour penetration test against an isolated network of machines: candidates must compromise a required number of systems, document the methodology for each, and submit a professional report within 24 hours of the exam ending.

The preparation pathway — Offensive Security's PEN-200 course (formerly Penetration Testing with Kali Linux) — teaches a hands-on methodology that mirrors actual penetration testing: network enumeration, vulnerability identification and exploitation, privilege escalation, lateral movement, and professional documentation. Candidates who complete the lab environment thoroughly arrive at the exam with genuine technical capability.

The pass rate on first attempt is estimated at 40-55%. Many candidates require two or three attempts, which is part of what gives the credential its signal value — it cannot be obtained by simply buying a prep course.

Salary impact: OSCP-certified penetration testers command $130,000-$165,000 median US salary (LinkedIn Salary Insights 2024), with senior and specialist practitioners earning $165,000-$200,000+.

Verdict: The gold standard for offensive security. Worth every dollar and hour if penetration testing or red teaming is your target. Not worth it if your career target is blue team, GRC, or management.

CISSP (Certified Information Systems Security Professional)

CISSP is the most globally recognised security certification and the default requirement or strong preference for security management, architecture, and leadership roles at large organizations.

The eight-domain Common Body of Knowledge (CBK) covers: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. Its breadth is both its strength and the source of its difficulty — candidates must have genuine knowledge across all eight domains.

The computerized adaptive testing (CAT) exam format presents 125-175 questions, adjusting difficulty based on performance. ISC2 reports a roughly 20% first-attempt pass rate, making it genuinely difficult by any standard.

The experience requirement is strict: five years of paid work experience in two or more CBK domains, or four years with a qualifying degree. This makes CISSP an inherently mid-career credential. Associates of ISC2 can pass the exam before meeting the experience requirement and obtain the full credential once experience is verified.

Salary impact: ISC2's 2023 Cybersecurity Workforce Study places the median US salary for CISSP holders at $156,000 — among the highest certification salary premiums documented across any professional certification globally.

Verdict: The benchmark for security management and architecture careers. Pursue after 5+ years of security experience. Do not attempt it as an entry or early-career credential.

CISM (Certified Information Security Manager)

CISM is ISACA's flagship management certification, covering information security governance, risk management, program development and management, and incident management. It explicitly targets professionals on management and CISO career tracks rather than technical practitioners.

CISM requires five years of information security management experience (three in CISM-specific domains). Like CISSP, it is a senior credential that signals organizational and governance maturity rather than hands-on technical skill.

CISSP vs CISM for managers: This is one of the most commonly asked certification questions among mid-career practitioners. The meaningful distinction: CISSP covers broader technical ground and is recognized across more role types globally. CISM has stronger brand recognition specifically in GRC (governance, risk, and compliance), audit, and board-level contexts. CISM holders at ISACA member companies report slightly stronger recognition in banking and financial services GRC roles specifically. For most management-track practitioners, CISSP is the higher-value first credential; CISM adds value after CISSP for those specifically targeting CISO or GRC director positions.

Salary impact: ISACA's 2024 State of Cybersecurity Survey places the median US salary for CISM holders at $148,000.

GPEN (GIAC Penetration Tester) and GWAPT (GIAC Web Application Penetration Tester)

GIAC certifications (from the SANS Institute) are the most expensive on this list at approximately $2,499-$3,000 all-in for the exam, and the associated SANS courses run an additional $5,000-$8,000. The cost reflects genuinely excellent training content — SANS courses are among the best technical security training available — but makes GIAC certifications primarily viable for employer-sponsored training or very senior self-funded practitioners.

GPEN covers network penetration testing methodology at a rigorous level. GWAPT covers web application penetration testing with depth that complements OSCP's network-focused curriculum. Both are highly regarded by technical hiring managers at enterprise organizations.

Who benefits most: Security practitioners whose employers will sponsor SANS training, or senior practitioners targeting enterprise security consulting where SANS/GIAC credentials carry institutional weight.


The Overrated Certification: CEH (Certified Ethical Hacker)

CEH deserves direct treatment because it is heavily marketed to career changers, commands high name recognition outside the technical security community, costs $950-$1,950 depending on training format, and is widely considered overrated by working practitioners.

The problems are substantive. CEH is a multiple-choice knowledge test that covers security concepts and tool names without requiring candidates to use any of those tools effectively. The curriculum has been consistently criticised by practitioners as outdated (still teaching techniques superseded years ago), overly broad, and insufficiently technical for any genuine security work. EC-Council's institutional reputation has also been damaged by documented controversies including alleged exam content leaks (Motherboard/Vice, 2022) and inconsistent credential verification.

Among technical hiring managers in penetration testing and red team contexts, CEH carries minimal weight. In assessments published by multiple security practitioners (including those on TCM Security's community forums and the r/netsec and r/CEH subreddits), OSCP, PNPT, or even eJPT are preferred as evidence of actual capability.

Where CEH retains real relevance: Government and military procurement requirements that specifically enumerate CEH without permitting substitution; certain compliance frameworks (particularly in financial services and healthcare) that maintain certification lists compiled before the practitioner community soured on EC-Council. If your target employer or government contracting vehicle specifically requires CEH, obtain it. Otherwise, the same $1,200-$2,000 invested in OSCP preparation materials, lab time, or PNPT will produce better results.


Salary Impact Table by Certification

Certification | Median US Salary (Holders) | Typical Salary Range | Role Context
--- | --- | --- | ---
No security certification | $85,000-$95,000 | $65,000-$115,000 | IT background, entry security
CompTIA Security+ | $82,000-$96,000 | $68,000-$120,000 | Baseline; floor-setter
CompTIA CySA+ | $95,000-$115,000 | $80,000-$140,000 | SOC Tier 2-3
CASP+ | $110,000-$130,000 | $90,000-$155,000 | Senior technical
eJPT | $75,000-$95,000 | $65,000-$110,000 | Entry offensive security
PNPT | $100,000-$125,000 | $85,000-$145,000 | Pen test, junior-mid
eCPPT | $100,000-$120,000 | $85,000-$140,000 | Pen test, intermediate
OSCP | $130,000-$165,000 | $110,000-$200,000+ | Offensive security specialist
GPEN / GWAPT | $130,000-$160,000 | $110,000-$190,000 | Enterprise pen testing
AWS Security Specialty | $130,000-$160,000 | $110,000-$185,000 | Cloud security roles
CISM | $148,000 median | $120,000-$220,000 | Management, GRC
CISSP | $156,000 median | $130,000-$250,000+ | Architecture, management

Sources: ISC2 Cybersecurity Workforce Study 2023; ISACA State of Cybersecurity 2024; LinkedIn Salary Insights 2024; Glassdoor Cybersecurity Salary Data 2024.


SOC Analyst / Blue Team Path

A+ (skip if IT experience exists) > Network+ > Security+ > CySA+ > GCIA or GCIH (if employer-sponsored) > CISSP (at 5+ years)

The SOC analyst path is the most common entry route into cybersecurity. Security+ is the non-negotiable credential at the foundation. CySA+ is the natural progression for analysts targeting Tier 2-3 work and threat intelligence roles. GCIA (Intrusion Analyst) and GCIH (Incident Handler) are the best advanced blue team credentials but require employer sponsorship or significant self-investment. CISSP becomes relevant after substantial experience for those moving toward security management.

Penetration Tester / Red Team Path

Network+ > Security+ > eJPT (6-12 months of study) > PNPT > OSCP > GXPN or CRTO (advanced)

The offensive security path requires building genuine technical skill before spending significant money. eJPT is the appropriate first practical credential because it is cheap enough to treat as a learning exercise. PNPT provides more rigorous practical training and a credential with growing market recognition. OSCP is the target for anyone serious about offensive security. The advanced credentials (GXPN for exploit development, CRTO for red team operations) are post-OSCP refinements.

Do not buy CEH on this path. The cost, time, and employer signal are all inferior to the practical credential sequence above.

Cloud Security Path

Security+ > AWS SAA-C03 (Solutions Architect Associate) > AWS Security Specialty or GCP Professional Cloud Security Engineer > CCSP (Certified Cloud Security Professional)

Cloud security is currently the best-compensated non-executive security specialization. The path requires both platform competency (Solutions Architect Associate establishes this for AWS) and security-specific expertise (Security Specialty builds on it). CCSP, offered by ISC2, bridges cloud security with the broader CISSP framework and is increasingly expected for senior cloud security architect roles.

GRC / Compliance Path

Security+ > CISM or CRISC (Certified in Risk and Information Systems Control) > CISSP > CDPSE (Certified Data Privacy Solutions Engineer)

The GRC path emphasizes governance, risk frameworks, audit preparation, and regulatory compliance. CISM is the primary credential; CRISC adds specific risk management depth valued in banking and insurance. CISSP is still expected at director level for credibility across the broader security community. CDPSE is increasingly relevant as data privacy regulations proliferate.

Management / CISO Path

Security+ (technical baseline) > CISM > CISSP > Executive education (optional) > CISO program

The management path requires technical baseline credibility (Security+), governance credibility (CISM), and the globally recognised benchmark credential (CISSP). Executive education — through programmes like the SANS Technology Institute Leadership programme, Carnegie Mellon CISO Executive Education, or an MBA with technology focus — adds strategic management context that pure technical certifications do not provide.


Overrated vs Underrated: A Direct Assessment

Overrated:

  • CEH: High cost, low technical credibility in practitioner hiring, institutional controversy. Defensible only if explicitly required.
  • CASP+: Solid technical content but limited market recognition outside DoD-adjacent contexts. OSCP or GPEN serve offensive practitioners better; CISSP serves management-track practitioners better.

Underrated:

  • eJPT: Exceptional value at $200 for a practical credential that signals genuine hands-on interest. Most career changers targeting offensive security should start here rather than immediately paying for PNPT or OSCP.
  • eCPPT: Practical intermediate credential that fills the gap between eJPT and OSCP without the full commitment cost. Underutilized as an OSCP preparation step.
  • CySA+: Strong salary data, DoD compliance, and direct relevance to SOC work. Often overlooked in favour of immediately targeting CISSP by practitioners who underestimate the value of the intermediate credential.

Worth every dollar:

  • OSCP: The salary premium, employer respect, and skills genuinely developed during preparation justify the cost for offensive security careers. The practical exam format means you are paying for real capability development, not just a credential.
  • CISSP: At $749 for the exam and a measurable median salary premium of $30,000-$50,000 over uncertified peers in equivalent experience brackets, CISSP has one of the strongest return profiles of any professional certification.

Practical Takeaways

The most common certification mistake is attempting credentials in the wrong order — specifically, buying CISSP or CEH too early, before building the technical foundation and experience that gives those certifications actual value. Follow the career path sequences above and treat each step as genuine skill development, not just credential collection.

If you are self-funding your certification journey, prioritize return on investment. Security+ plus OSCP is a stronger combination for offensive security than any amount of CompTIA intermediate certifications plus CEH. Security+ plus CySA+ plus CISSP is the correct sequence for blue team to management tracks.

Employer-sponsored certification is a significant benefit that many professionals underutilize. If your employer has a professional development budget, the SANS courses leading to GCIA, GCIH, GPEN, or GWAPT are among the highest-quality security training available anywhere. The cost is prohibitive for self-funded candidates but reasonable as employer-sponsored development.


References

  1. ISC2 Cybersecurity Workforce Study 2023. isc2.org/research/workforce-study
  2. ISACA State of Cybersecurity 2024. isaca.org/resources/reports/state-of-cybersecurity-2024
  3. CompTIA State of the Tech Workforce 2024. comptia.org/content/research/state-of-the-tech-workforce
  4. Offensive Security PEN-200 (OSCP) Course Description 2024. offensive-security.com/pwk-oscp
  5. TCM Security PNPT Certification Programme 2024. tcm-sec.com/pnpt
  6. INE / eLearnSecurity eJPT and eCPPT Certification Programmes 2024. ine.com
  7. GIAC Certification Catalogue 2024. giac.org/certifications
  8. AWS Certified Security Specialty Exam Guide 2024. aws.amazon.com/certification/certified-security-specialty
  9. Motherboard (Vice): EC-Council Exam Controversy Investigation, 2022. vice.com/en/motherboard
  10. Mike Chapple and David Seidl. Official ISC2 CISSP Study Guide, 9th Edition. Sybex / Wiley, 2022.
  11. Jason Dion. CompTIA Security+ Study Course (Udemy). 2024 edition.
  12. LinkedIn Salary Insights: Cybersecurity Role Compensation Data 2024. linkedin.com/salary

Frequently Asked Questions

Which cybersecurity certification has the highest salary impact?

CISSP leads salary surveys at a $156,000 US median (ISC2 2023 Workforce Study). OSCP commands equivalent or higher premiums specifically in offensive security and penetration testing roles, with median salaries of $130,000-$165,000.

Is CEH worth getting in 2026?

For most practitioners, no. CEH costs $950-$1,950 and tests memorization rather than hands-on skill. Technical hiring managers in offensive security strongly prefer OSCP or PNPT. CEH retains value only if your target employer or government contract explicitly lists it as a requirement.

What is the difference between CISSP and CISM?

CISSP covers broader technical and architectural ground and is recognized globally across management and architecture roles. CISM is more focused on governance, risk, and management functions and has stronger brand recognition specifically in GRC and board-level contexts at financial institutions. For most managers, CISSP first, then CISM.

How hard is OSCP compared to other security certifications?

OSCP is a 24-hour practical penetration test requiring compromise of multiple machines and a professional report. First-attempt pass rates are estimated at 40-55%. It cannot be passed through memorization alone, which is why technical employers treat it as a genuine skill signal unlike multiple-choice certifications.

What is the best order to get cybersecurity certifications?

For offensive security: eJPT > PNPT > OSCP. For blue team/SOC: Security+ > CySA+ > CISSP. For cloud security: Security+ > AWS Solutions Architect > AWS Security Specialty > CCSP. For GRC: Security+ > CISM > CISSP. Skip steps only if you have equivalent verified work experience.