    Cybersecurity Certifications: CompTIA, CISSP, and What Employers Want

    The cybersecurity cert path is confusing — Security+, CEH, CISSP, OSCP, and a dozen others. Here's which ones actually get you hired and which are collecting dust on LinkedIn profiles.

    March 10, 2026
    Craqly Team

    The Cybersecurity Cert Maze

    Cybersecurity has a certification problem. There are too many of them, they're expensive, and half of them don't actually help you get a job. I've worked in infosec for five years and I've watched people waste thousands of dollars on certs that look great on paper but don't move the needle with hiring managers.

    Let me give you the straight path — which certs to get, in what order, and what employers actually filter for when they're hiring.

    The Certification Hierarchy (As Employers See It)

    Think of cybersecurity certs in three tiers, mapped to career levels:

    Career Level                  | Key Certifications        | Typical Salary Range
    Entry-Level (0-2 years)       | CompTIA Security+, CySA+  | $55K–$80K
    Mid-Level (2-5 years)         | CEH, OSCP, CCSP           | $80K–$130K
    Senior/Leadership (5+ years)  | CISSP, CISM, CRISC        | $130K–$200K+

    Notice I said "as employers see it." Whether that hierarchy makes technical sense is debatable. But this is how HR departments and hiring managers filter resumes, so it's what you need to work with.

    Entry Point: CompTIA Security+ (SY0-701)

    If you're breaking into cybersecurity, Security+ is where you start. Full stop.

    Why it matters: Security+ is the baseline certification that tells employers you understand fundamental security concepts — network security, cryptography, identity management, threat analysis, risk assessment. It's vendor-neutral, which means it applies regardless of whether the company uses Microsoft, Cisco, Palo Alto, or anything else.

    The big deal: Security+ satisfies the DoD 8570 directive, which means it's required for most government and defense cybersecurity positions. If you want to work for the DoD, a defense contractor (Raytheon, Northrop Grumman, SAIC, Booz Allen), or any federal agency's IT security team — you literally cannot get hired without it. This alone makes it worth the investment.

    Exam details: 90 questions, 90 minutes, passing score 750/900. Mix of multiple-choice and performance-based questions (PBQs) where you actually configure things. Cost: $404.

    Study timeline: 4-8 weeks with daily studying. Professor Messer's free YouTube course covers everything. Supplement with Jason Dion's practice exams on Udemy ($15 on sale). That's genuinely all you need — don't let anyone sell you a $3,000 bootcamp for Security+.

    Salary impact: Entry-level SOC analysts with Security+ earn $55K-$75K depending on market. Without it, many employers won't even look at your application.

    Mid-Career: Where It Gets Complicated

    CEH (Certified Ethical Hacker)

    EC-Council's flagship cert. It teaches penetration testing methodology, attack techniques, and vulnerability assessment. Sounds cool, right? Here's the nuance.

    CEH gets a lot of criticism in the infosec community for being too theoretical. The exam is mostly multiple-choice — it tests whether you know about attacks, not whether you can actually execute them. A lot of experienced pentesters look down on it.

    But — and this is a big but — employers still list CEH in job postings all the time. Especially in corporate environments and consulting firms. HR departments know the name. Government contracts sometimes require it. Is it the best test of penetration testing skill? No. Does it open doors? Yes.

    Cost: $1,199 for the exam alone, or $2,500+ if you go through EC-Council's official training (which they heavily push). You can self-study, but you need to prove you have 2 years of infosec experience to skip their training.

    My honest take: If your employer is paying for it, go for it. If it's your own money and you want to prove hands-on skills, OSCP is the better investment.

    OSCP (Offensive Security Certified Professional)

    This is the cert that pentesters respect. It's a 24-hour hands-on exam where you have to break into multiple machines and write a professional report. No multiple choice. No theory questions. Just you, a Kali Linux machine, and a bunch of targets.

    Spoiler: it's brutally hard. The fail rate is high. People prepare for months and still don't pass on the first attempt.

    Cost: $1,749 for the PEN-200 course + exam (you need the course — there's no self-study path for the exam).

    Why it's worth it: OSCP on a resume is an instant credibility booster. Hiring managers at security firms, red team roles, and penetration testing consultancies treat it as proof that you can actually hack, not just talk about hacking. A buddy of mine went from a $75K SOC analyst role to a $120K pentester role within two months of getting his OSCP.

    Study timeline: 3-6 months of dedicated practice. Before starting PEN-200, I'd recommend spending a month on TryHackMe's offensive pentesting path and completing at least 20 machines on HackTheBox.

    CySA+ (CompTIA Cybersecurity Analyst)

    The defensive counterpart to CEH. Focuses on blue team skills — log analysis, incident response, threat hunting. It's less glamorous than pentesting certs but arguably more practical for the majority of security jobs out there, since most organizations need defenders way more than they need pentesters.

    Cost: $404. Study timeline: 4-6 weeks after Security+.

    Solid cert for SOC analysts moving into security analyst roles. Doesn't get enough credit.

    Senior Level: CISSP

    CISSP (Certified Information Systems Security Professional)

    The big one. CISSP from (ISC)² is the most recognized senior cybersecurity certification in the world. It covers eight domains: security and risk management, asset security, security architecture, communication and network security, identity management, security assessment, security operations, and software development security.

    Let's be real — CISSP is a management-level cert. It's broad, not deep. It tests whether you can think like a security leader, not whether you can exploit a buffer overflow. And that's exactly why employers want it for senior roles.

    Requirements: 5 years of paid work experience in at least 2 of the 8 domains. You can pass the exam with less experience, but you'll hold an "Associate of (ISC)²" status until you hit the 5-year mark.

    Exam: CAT format (computer adaptive testing), 125-175 questions, 4 hours. Passing score is 700/1000. The questions are intentionally vague and scenario-based — they're testing judgment, not memorization.

    Cost: $749 for the exam. Annual maintenance fee of $125 plus 40 CPE credits per year.

    Salary data: CISSP holders earn a median of $151K in the US according to the (ISC)² workforce study. That's significantly above the general cybersecurity average. Senior roles like Security Architect, CISO, or Director of Security almost always list CISSP as required or strongly preferred.

    Study resources: The "CISSP All-in-One" book by Shon Harris (now updated by Fernando Maymi) is the bible. Supplement with Mike Chapple's LinkedIn Learning course and Boson practice exams. Budget 3-4 months of studying.

    Certs vs. Experience: The Real Answer

    I get asked this constantly: "Do I need certs or experience?" The answer is both, but if I had to rank them — experience edges it out, especially at the mid and senior level.

    Here's why: a hiring manager at a security firm once told me, "I've interviewed CISSP holders who couldn't explain how a TCP handshake works. And I've interviewed people with zero certs who could walk me through an incident response scenario from triage to remediation." That stuck with me.

    Certs get you through the door. Experience gets you the offer. The ideal path combines both:

    1. Year 1: Get Security+. Land a SOC analyst or IT helpdesk role. Start doing TryHackMe and HackTheBox in your spare time.
    2. Year 2-3: Move to a security analyst or junior pentester role. Get CySA+ or CEH depending on whether you're going defensive or offensive.
    3. Year 3-5: Get OSCP if you're on the offensive path. Get hands-on with incident response, threat hunting, or cloud security if you're defensive.
    4. Year 5+: Get CISSP when you're ready to move into security leadership, architecture, or consulting.

    Free Resources to Build Real Skills

    Certs prove knowledge on paper. These build actual skills:

    • TryHackMe — Guided rooms from beginner to advanced. The "SOC Level 1" and "Offensive Pentesting" paths are excellent. Free tier available.
    • HackTheBox — More challenging. Retired machines have community walkthroughs. Active machines are unguided. Great for OSCP prep.
    • SANS Holiday Hack Challenges — Free annual CTF (Capture The Flag) event with puzzles ranging from easy to insane. Fun and educational.
    • CyberDefenders — Blue team challenges using real packet captures and log files. Underrated resource for defensive skills.
    • OverTheWire (Bandit) — Linux command-line wargames. Perfect for absolute beginners who need to get comfortable in a terminal.

    The Career Ladder: SOC Analyst to CISO

    The typical cybersecurity career path looks something like this:

    1. SOC Analyst / IT Security Analyst ($55K-$80K) — Monitor alerts, triage incidents, write reports. Entry-level grind, but you learn the fundamentals.
    2. Security Engineer / Pentester ($80K-$130K) — Build security tooling, conduct assessments, respond to incidents. This is where specialization happens.
    3. Senior Security Engineer / Security Architect ($130K-$175K) — Design security programs, evaluate vendors, lead projects. CISSP becomes important here.
    4. Security Director / VP of Security ($175K-$250K) — Manage teams, own the security budget, report to the C-suite. Business skills matter as much as technical ones.
    5. CISO (Chief Information Security Officer) ($200K-$400K+) — Board-level responsibility for the entire security posture. At this level, it's about risk management, not firewalls.

    Not everyone wants to go the management route, and that's fine. Staff security engineers and principal architects at big tech companies can earn $200K+ without managing anyone.

    Where to Start Today

    If you're reading this and feeling overwhelmed — pick one thing. If you have zero security experience, start with TryHackMe's free rooms and study for Security+. If you already have Security+ and a year or two of experience, decide if you want to go offensive (OSCP path) or defensive (CySA+ → CISSP path) and commit to one direction.

    And if you're already interviewing for security roles, Craqly can be a solid companion — it picks up on technical questions in real time and helps you structure your answers, which is especially useful for scenario-based security interviews where you need to think through incident response steps methodically.
