The cybersecurity certification market is a multi-billion dollar industry that exists at the intersection of genuine workforce development and opportunistic credentialism. Some certifications are excellent: they are technically rigorous, respected by employers, and demonstrably correlated with higher earnings. Others are expensive marketing exercises that provide minimal practical value and are primarily purchased by people who do not yet know enough to evaluate them critically. Navigating this landscape without good information is expensive — the wrong certification costs $1,000-$2,000, months of study time, and occasionally positions your resume poorly for the jobs you actually want.

This article provides a direct comparative ranking of the most widely recognised cybersecurity certifications: CompTIA Security+, CompTIA CySA+, CompTIA PenTest+, CISSP, CISM, CEH, OSCP, and the AWS/Azure/GCP cloud security certifications. Each is evaluated against four criteria: cost (exam fees plus realistic study investment), difficulty, salary impact based on 2023-2024 workforce survey data, and genuine employer perception in technical hiring contexts. The goal is to tell you not just what these certifications are, but which ones are worth your time and money and in what order to pursue them.

One important caveat before the rankings: certifications are credentials, not competence. The most respected certification in offensive security (OSCP) is respected precisely because it tests hands-on skill through a practical exam rather than multiple-choice questions. Multiple-choice certifications test knowledge, which is necessary but not sufficient. Employers who understand security know the difference, and the difference matters significantly for technical roles.

"OSCP is the only certification where I can look at it on a resume and be confident the person has actually done the thing, not just read about it. Everything else is a starting point for a conversation." — Senior Penetration Tester, quoted in TCM Security Community Forum, 2023


Key Definitions

CPE (Continuing Professional Education): Credits required to maintain active certification status after passing the initial exam. CISSP requires 120 CPEs over three years. Failure to maintain CPEs results in certification lapse.

DoD 8570: A US Department of Defense directive (DoD 8570.01-M) that maps information assurance job categories and levels to approved certifications. It has since been superseded by DoD 8140, which carries most of the same baseline certifications forward. Security+ satisfies several of those baselines (notably IAT Level II and IAM Level I), making it effectively mandatory rather than optional for many government and defence contractor roles.

Practical Exam: An exam format that requires candidates to perform real tasks in a simulated or live environment, as opposed to answering multiple-choice questions. Practical exams (OSCP, PNPT) are generally more respected by technical employers because they demonstrate applied skill.

Vendor-Neutral Certification: A certification not tied to a specific product or vendor. CompTIA and ISC2 certifications are vendor-neutral; AWS Security Specialty is vendor-specific to Amazon Web Services. Both types have value but serve different purposes.

Endorsement Requirement: CISSP requires applicants to be endorsed by an active ISC2 credential holder in good standing who can attest to the candidate's professional experience and conduct. If no such endorser is available, ISC2 will act as endorser itself after reviewing the application, so the network dependency is real but not absolute.


Tier 1: Essential Foundation Certifications

CompTIA Security+

Cost: $404 exam fee; $50-$200 in study materials (Mike Chapple and David Seidl's Sybex study guide, Darril Gibson's book, or Jason Dion's Udemy course)
Difficulty: Moderate for someone with Network+ and 6-12 months of IT experience; hard for someone without an IT background
Salary impact: Median $82,000-$96,000 for a first security role; establishes a floor rather than a ceiling
Employer perception: Universally accepted as the baseline credential; required for many government, healthcare, and defence contractor roles

Security+ is the correct starting certification for almost everyone entering cybersecurity. It covers a broad curriculum — threats and attacks, cryptography, identity management, network security, cloud security basics, and risk management — that provides foundational literacy across the discipline. It does not specialise deeply in any area, which is appropriate for an entry-level credential.

Its place on the DoD 8570 baseline (carried forward under DoD 8140) gives it a practical mandate in government contexts that no other entry-level certification matches. If you are targeting federal civilian roles, military contractor positions, or government-adjacent work, Security+ is not optional: it is required.

The exam consists of up to 90 questions (multiple choice plus performance-based) with a 90-minute time limit and a passing score of 750/900. Performance-based questions require configuring systems or interpreting outputs in simulated environments, which distinguishes it slightly from pure memorisation tests.

Verdict: Start here if you have Network+ or equivalent networking knowledge.

CompTIA Network+

Cost: $358 exam fee
Difficulty: Moderate with no prior networking experience; manageable with a basic IT background
Salary impact: Primarily foundational; jobs requiring Network+ alone pay $55,000-$75,000 in IT support contexts

Network+ is not a security certification but it is a prerequisite competency. Security+ questions assume networking knowledge — subnetting, routing, firewall rules, packet analysis — that Network+ explicitly teaches. Attempting Security+ without Network+ foundations is feasible but significantly harder and leaves dangerous knowledge gaps for practical work.

Tier 2: Mid-Career Specialist Certifications

OSCP (Offensive Security Certified Professional)

Cost: $1,499 for 90-day lab access plus one exam attempt; additional attempts $249 each
Difficulty: High. 24-hour practical exam requiring compromise of multiple machines in a simulated network
Salary impact: Median $130,000-$150,000; significant premium in pen testing and red team job markets
Employer perception: Gold standard for offensive security. Technical hiring managers treat it as proof of genuine skill.

OSCP is the most demanding and most respected certification in offensive security. Unlike the multiple-choice certifications on this list, it cannot be passed by memorising content. The exam is a 24-hour penetration test against an isolated network in which candidates must compromise enough machines to reach the passing score, document their methodology as they go, and then submit a professional report within a further 24 hours after the exam window closes.

The preparation pathway (Offensive Security's PEN-200 course, previously known as PWK) teaches a methodology that mirrors real penetration testing work: enumeration, vulnerability identification, exploitation, privilege escalation, lateral movement, and reporting. Students who complete the labs thoroughly arrive at the exam with genuine capability.

Pass rate is estimated at 40-60% on first attempt. Many candidates require multiple attempts, which is part of what gives the certification its signal value.

Verdict: The definitive certification for offensive security careers. Worth the investment if your target is penetration testing, red teaming, or vulnerability research.

CISSP (Certified Information Systems Security Professional)

Cost: $749 exam fee; study materials $200-$1,500 depending on whether you use a prep course
Difficulty: Very high. ISC2 does not publish pass rates; the widely repeated figure of roughly 20% for first attempts is a third-party estimate. The exam is adaptive (CAT format): 125-175 questions in four hours until April 2024, and 100-150 questions in three hours since.
Salary impact: ISC2 2023 data: median $156,000 for US holders, one of the highest certification salary premiums documented
Employer perception: The most widely recognised security certification globally. Required or preferred for security management and architecture roles at most large organisations.

CISSP covers eight domains across the Common Body of Knowledge (CBK): Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. Its breadth is both its strength and its challenge.

The requirement for five years of cumulative paid work experience in two or more of the eight CBK domains (one year waived for a qualifying four-year degree or approved credential) means CISSP is inherently a mid-career credential. Candidates with insufficient experience can pass the exam and become an 'Associate of ISC2' while accumulating the required experience (they have up to six years to do so), but the full CISSP requires verified professional history.

Verdict: The benchmark for management and architecture roles. Pursue after 5+ years of security experience.

CISM (Certified Information Security Manager)

Cost: $575 (ISACA member) or $760 (non-member)
Difficulty: Moderate to high; management and governance focused rather than deeply technical
Salary impact: ISACA 2024 data: median $148,000 for US holders
Employer perception: Highly regarded in governance, risk, and compliance contexts; less relevant for technical security engineering roles

CISM is ISACA's flagship management certification covering information security governance, risk management, incident management, and programme development. It explicitly targets professionals moving toward security management and CISO career trajectories rather than technical specialists.

CISM requires five years of information security work experience, of which at least three years must be in information security management across three or more of the four CISM job practice domains. Like CISSP, it is a senior credential that assumes substantial professional experience.

Verdict: Excellent for GRC professionals and those targeting security management roles. Less relevant for technical engineering or offensive security tracks.

Tier 3: Specialist and Advanced Certifications

CompTIA CySA+ (Cybersecurity Analyst+)

Cost: $392 exam fee
Difficulty: Moderate; an appropriate intermediate step between Security+ and CISSP
Salary impact: Median $95,000-$115,000; positions holders well for Tier 2-3 SOC and threat intelligence roles

CySA+ bridges Security+ and the advanced certifications, focusing on threat detection, incident response, vulnerability management, and security analytics. It is the logical next step for SOC analysts looking to advance beyond Tier 1 work.

PNPT (Practical Network Penetration Tester)

Cost: $399 from TCM Security
Difficulty: High, but more accessible than OSCP for beginners
Salary impact: Growing recognition, particularly at smaller organisations; currently sits below OSCP in most employer hierarchies

PNPT is a practical certification created by TCM Security that tests network penetration testing skills through a 5-day practical exam against a simulated corporate network, followed by a written report and a live debrief in which the candidate presents their findings. It is significantly cheaper than OSCP, has strong study materials (Heath Adams' courses on Udemy and the TCM Security Academy platform), and is increasingly accepted as OSCP preparation or as an alternative to it. Its lower brand recognition compared to OSCP is its main limitation.

AWS Certified Security Specialty

Cost: $300 exam fee
Difficulty: Moderate; requires AWS platform knowledge alongside security concepts
Salary impact: $10,000-$25,000 premium for cloud security roles at AWS shops; essentially mandatory for AWS-focused security positions

The Overrated Certification: CEH (Certified Ethical Hacker)

CEH (Certified Ethical Hacker), offered by EC-Council, deserves specific attention because it is heavily marketed to career changers, commands high name recognition outside the security community, and costs $1,000-$1,500 — yet is widely considered overrated by working security professionals.

The problems are substantive. CEH is a multiple-choice exam that tests knowledge of security concepts and tool names rather than the ability to use those tools effectively (EC-Council sells a separate CEH Practical exam, but it is the multiple-choice credential that most job listings name). Its curriculum has been criticised for being outdated, overly broad, and insufficiently technical. EC-Council's reputation has also been affected by several controversies, including alleged exam material leaks and credential verification issues documented by security journalists at Motherboard (2022).

Among technical hiring managers in penetration testing and red team roles, CEH carries minimal weight. OSCP, PNPT, or even eJPT (eLearnSecurity Junior Penetration Tester, $200) are preferred for demonstrating actual capability.

Where CEH retains relevance: government procurement requirements that specifically list CEH without substitution, and certain corporate compliance frameworks that enumerate approved certifications from a limited list. If your target employer explicitly requires CEH, obtain it. Otherwise, the same $1,200+ is better invested in OSCP preparation materials.

SOC Analyst / Blue Team Path: A+ (optional with IT experience) > Network+ > Security+ > CySA+ > SANS GCIA or GCIH > CISSP (at 5+ years)

Penetration Tester / Red Team Path: Network+ > Security+ > eJPT or PenTest+ > PNPT > OSCP > GXPN or CRTL (advanced)

Cloud Security Path: Security+ > AWS SAA-C03 (Solutions Architect Associate) > AWS Security Specialty or GCP Security Engineer > CCSP (Certified Cloud Security Professional)

GRC / Compliance Path: Security+ > CISM or CRISC (Certified in Risk and Information Systems Control) > CISSP > CDPSE (Certified Data Privacy Solutions Engineer)

Management / Leadership Path: Security+ (baseline) > CISM > MBA or Executive Education > CISSP > CISO role


References

  1. ISC2 Cybersecurity Workforce Study 2023. isc2.org/research/workforce-study
  2. ISACA State of Cybersecurity 2024. isaca.org
  3. CompTIA Certification Directory 2024. comptia.org/certifications
  4. Offensive Security PEN-200 Course Description. offensive-security.com
  5. TCM Security PNPT Certification. tcm-sec.com/pnpt
  6. Pearson IT Certification: CISSP Pass Rate Data 2023. pearsonitcertification.com
  7. EC-Council CEH Programme Overview. eccouncil.org
  8. eLearnSecurity eJPT Certification. elearnsecurity.com
  9. AWS Certified Security Specialty. aws.amazon.com/certification
  10. Motherboard (Vice): EC-Council Investigation, 2022. vice.com/en/motherboard
  11. Jason Dion CompTIA Study Courses (Udemy). udemy.com
  12. Mike Chapple Official CISSP Study Guide (Sybex, 9th Edition, 2022).

Frequently Asked Questions

Which cybersecurity certification has the highest salary impact?

CISSP consistently tops salary surveys. ISC2's 2023 Workforce Study reports median earnings of $156,000 for CISSP holders in the US. OSCP commands similar premiums in offensive security and penetration testing roles specifically.

Is CEH worth getting?

CEH (Certified Ethical Hacker) is widely considered overrated by practitioners. It is vendor-managed by EC-Council, costs $1,000-$1,500, and focuses heavily on memorisation. Hiring managers in technical roles prefer OSCP or PNPT. CEH retains value mainly in government and compliance-focused environments.

What order should I get cybersecurity certifications?

A proven order: CompTIA A+ (foundation) -> Network+ (networking) -> Security+ (security baseline) -> CySA+ or eJPT (intermediate) -> OSCP for offensive or CISSP for managerial/leadership paths. Skip steps only if you have equivalent work experience.

How hard is the OSCP exam?

OSCP (Offensive Security Certified Professional) is considered one of the hardest practical certifications. The exam is a 24-hour hands-on penetration test where candidates must compromise multiple machines. Pass rates are not publicly disclosed but estimated at 40-60% on first attempt.

How much does CISSP cost?

The CISSP exam costs $749 USD. Add in study materials (the Official ISC2 study guide runs $60-$80), practice exams, and potentially a prep course ($500-$1,500), and total investment is typically $1,000-$2,500. Maintenance requires 120 CPE credits over each three-year cycle, plus an annual maintenance fee.