CompTIA Security+ is the standard starting certification for anyone entering cybersecurity, since it requires no significant prior experience and is broadly recognized across the industry. Beyond that first step, the right next certification depends on the direction you're heading — analyst work, security management, or hands-on offensive security — which this guide breaks down by career stage rather than treating one certification as universally "best."
Cybersecurity certifications have a reputation problem that's only gotten louder: every training company selling an exam voucher has a strong financial incentive to tell you their certification is the one that unlocks a six-figure job. That noise makes it genuinely hard to figure out, as someone actually trying to get hired, which credentials employers take seriously, which ones are worth the study time, and which order makes sense for your specific starting point.
This guide skips the sales pitch and gives the practical version: what each major certification actually tests, roughly what it costs and how long it realistically takes to prepare, which job roles each one targets, and — just as important — an honest answer to whether a certification (or a degree) is even required to get your foot in the door. We work alongside certified technicians daily and hire based on demonstrated skill, so this is written from that hiring-adjacent vantage point, not a training-vendor one.
Who wrote this guide
This article was written and reviewed by IT Cares certified technicians. IT Cares employs certified IT and security professionals across Canada, and this guide reflects what we actually look for — and what we've seen work — when technicians and analysts break into the field or move up within it.
It's also worth being upfront about why this question keeps coming up so often right now. Cybersecurity has been one of the more consistently discussed growth areas within IT for several years running, driven by the steady rise in ransomware, data breaches, and regulatory attention across virtually every industry — which means demand for people who can actually do this work hasn't slowed down, even as the broader tech hiring market has had rockier stretches. That demand is exactly why the certification landscape has gotten crowded and confusing: more training providers have entered the space to meet it, and not all of them are equally aligned with what employers are actually hiring for. Cutting through that noise with a clear, career-stage view of what's genuinely worth pursuing is the entire point of this guide.
Cybersecurity Certification Path by Career Stage
Rather than ranking certifications against each other in the abstract, it's more useful to map them to where you actually are in your career — since a certification that's an excellent choice for a complete beginner may be a step backward for someone already working as an analyst.
| Stage | Certification | Cost range (USD) | Typical prerequisite | Targets | Renewal |
|---|---|---|---|---|---|
| Entry-level | CompTIA Security+ | ~$400–$450 | None required; basic IT literacy helps | SOC analyst tier 1, IT security support, junior compliance | 3 years, via continuing education units |
| CompTIA Network+ | ~$350–$400 | None; often taken before or alongside Security+ | Help desk, network technician, foundational IT roles | 3 years, via continuing education units | |
| Google Cybersecurity Certificate | ~$50/month (self-paced course) | None; designed for absolute beginners | Entry-level SOC/analyst roles, career-changer on-ramp | Course-based, no formal renewal cycle | |
| Intermediate | CompTIA CySA+ | ~$450–$500 | Security+ level knowledge recommended | SOC analyst tier 2, threat detection, incident response | 3 years, via continuing education units |
| CompTIA PenTest+ | ~$450–$500 | Security+ level knowledge and basic scripting familiarity | Junior penetration tester, vulnerability assessment | 3 years, via continuing education units | |
| Certified Ethical Hacker (CEH) | ~$1,000–$1,900 (varies by training path) | 2 years security experience, or approved training course | Penetration testing, red team, offensive security roles | 3 years, via continuing education credits | |
| Advanced | CISSP | ~$750 | 5 years paid security work experience across specific domains | Security manager, architect, senior analyst, CISO track | 3 years, via continuing education credits + fee |
| CISM | ~$760 | 5 years security management experience | Security management, governance, risk leadership roles | 3 years, via continuing education credits + fee | |
| OSCP | ~$1,500–$2,000+ (exam bundled with lab time) | No formal prerequisite, but strong hands-on skill expected | Senior penetration tester, red team, offensive security specialist | Does not expire |
A quick note on how to read this table: cost ranges are in USD, reflect exam fees and typical official training bundles at the time of writing, and can shift with vendor pricing changes — always confirm current pricing directly with the certifying body before budgeting. "Prerequisite experience" for the advanced tier is often negotiable in practice (some bodies allow you to pass the exam first and satisfy the experience requirement afterward), which is covered in more detail in the CISSP section below.
IT Cares works with certified security professionals every day
If you're building toward a career in cybersecurity, our team includes certified technicians who've been through this exact path — feel free to reach out with questions, or see our open remote roles.
A Closer Look at the Major Certifications
CompTIA Security+
Security+ is a broad, vendor-neutral certification covering foundational security concepts: threats and vulnerabilities, network security, identity and access management, cryptography basics, and security operations. It's a multiple-choice and performance-based exam (a format that includes some hands-on simulation questions, not purely memorization), and it's specifically designed to be accessible without requiring years of prior experience.
Who it's for: anyone starting out in cybersecurity, IT professionals adding a security specialization, or career-changers with some general technical comfort but no formal security background.
Realistic prep time: most first-time candidates with some IT background spend 6-10 weeks of consistent study; a complete beginner with no IT exposure at all may reasonably need longer, often paired with foundational study first.
Exam cost: roughly $400-$450 USD at the time of writing, not including study materials or practice exams, which add a meaningful amount on top for most candidates.
Certified Ethical Hacker (CEH)
CEH tests knowledge of offensive security concepts and tools — reconnaissance techniques, scanning, common exploitation methods, malware types, and the general methodology attackers use — primarily through a multiple-choice format (with an optional hands-on practical add-on some candidates pursue separately for a more applied credential). It's positioned as a broad survey of offensive security concepts rather than a deep, hands-on proof of exploitation skill.
Who it's for: professionals moving toward penetration testing, red team, or vulnerability assessment roles who want a recognized offensive-security credential without yet having the depth of hands-on experience OSCP expects.
Realistic prep time: typically 2-4 months depending on the training path chosen and existing familiarity with networking and common attack tools.
Exam cost: commonly $1,000-$1,900 USD depending on whether it's purchased standalone or bundled with an official training course, which is a significantly wider and higher range than Security+.
CISSP
CISSP (Certified Information Systems Security Professional) is a broad, management-oriented certification covering eight domains spanning security and risk management, asset security, architecture, network security, identity management, security assessment, operations, and software development security. It's a demanding multiple-choice exam that tests breadth of knowledge across all of these domains rather than deep technical skill in any single one.
Who it's for: experienced security professionals moving into management, architecture, governance, or senior analyst roles — it's generally not the right starting point for someone brand new to the field, both because of the experience requirement and because its content assumes a working professional's context.
Realistic prep time: 2-4 months of focused study for someone already working in security; longer for those newer to some of the covered domains.
Exam cost: roughly $750 USD. Importantly, CISSP requires five years of cumulative, paid work experience in at least two of its eight domains to be awarded in full — candidates who pass the exam without yet meeting the experience requirement can hold "Associate of ISC2" status while they accumulate it.
OSCP
OSCP (Offensive Security Certified Professional) has built a strong reputation specifically because of its format: rather than multiple-choice questions, candidates sit a 24-hour hands-on practical exam where they must actually compromise a set of live target systems in a lab environment and then write up a professional-grade report documenting exactly how they did it. There's no way to pass by memorizing concepts without being able to actually apply them under time pressure.
Who it's for: professionals serious about penetration testing and offensive security work who want a credential that hiring managers widely regard as strong evidence of genuine hands-on capability, not just conceptual knowledge.
Realistic prep time: this varies more than any other certification on this list — candidates with substantial existing hands-on lab experience sometimes prepare in a couple of months, while those newer to hands-on exploitation commonly spend 4-6+ months building skills in the accompanying lab environment before attempting the exam.
Exam cost: typically $1,500-$2,000+ USD, which usually bundles exam attempts with a period of lab access — a meaningfully different pricing model than a standalone multiple-choice exam fee.
📊 IT Cares field note: The clearest distinction we've seen play out in hiring conversations: a CEH or CISSP tells you a candidate understands the concepts and has met an experience bar. An OSCP tells you the candidate can actually do the thing under pressure, because the exam format leaves no room to bluff. Neither is "better" in the abstract — they're answering different questions about a candidate.
Which Path Should You Choose First? Three Common Starting Points
The right first move depends heavily on where you're starting from. These three profiles cover most of the people who ask this question.
The career-changer with no IT background
If you're coming from a completely unrelated field, the honest recommendation is to not start with Security+ directly. Spending a few months building basic IT literacy first — through the Google Cybersecurity Certificate, CompTIA Network+, or an equivalent foundational course — gives Security+'s content something to attach to, rather than trying to learn networking fundamentals and security concepts simultaneously from a standing start. This isn't a strict requirement, but candidates who skip this step often find Security+'s material harder to retain than it needs to be.
The IT professional pivoting into security
If you already work in help desk, network administration, or general IT support, you have a real head start most people don't: operational familiarity with the systems security professionals are protecting. Security+ is still the right first formal security credential, but it will likely move faster than for a complete beginner, and CySA+ or PenTest+ become realistic next steps sooner, since you're not learning basic networking and security concepts at the same time.
The recent graduate or student
If you're finishing a degree (in computer science, IT, or an unrelated field) and want to pivot into cybersecurity specifically, use the remaining time before graduation to pursue Security+ and start a home lab in parallel with coursework — arriving at your first job search with both a certification and demonstrable hands-on evidence puts you ahead of candidates who have only the degree itself. A degree without any of the practical elements covered in this guide is a weaker signal on its own than the same degree paired with Security+ and a documented project or two.
Other Certifications Worth Knowing About
The certifications covered in detail above are the ones most likely to come up in job postings and general career advice, but a few others are worth knowing about because they solve for specific specializations the main list doesn't fully cover.
GIAC certifications (GSEC, GCIH, and others)
GIAC certifications, associated with the SANS Institute, have a strong reputation for technical depth and are often mentioned by experienced practitioners as some of the most rigorous, content-dense certifications available — GSEC (Security Essentials) and GCIH (Certified Incident Handler) are two commonly referenced entry points into the GIAC family. The tradeoff is cost: GIAC certifications, especially when paired with official SANS training, are typically priced well above CompTIA or ISC2 options, often running into several thousand dollars when training is included, which puts them out of reach for many self-funded early-career candidates without employer sponsorship.
CompTIA CASP+ (CompTIA Advanced Security Practitioner)
CASP+ sits between CySA+/PenTest+ and CISSP in CompTIA's own certification ladder — it's positioned as a hands-on, technical alternative to CISSP for practitioners who want to stay in a technical (rather than purely management) track while still demonstrating advanced-level knowledge. It's worth considering for someone who wants CISSP-adjacent recognition without CISSP's heavier management-domain focus.
(ISC)² CCSP (Certified Cloud Security Professional)
As more infrastructure moves to cloud platforms, CCSP has grown in relevance for professionals specializing specifically in securing cloud environments (AWS, Azure, Google Cloud) rather than traditional on-premises networks. It shares some domains conceptually with CISSP but focuses specifically on cloud architecture, data security, and compliance considerations unique to cloud deployments — a reasonable specialization certification for someone whose career is clearly heading toward cloud-focused security roles rather than general practice.
Vendor-specific cloud security certifications
Beyond the vendor-neutral certifications above, the major cloud providers (Microsoft Azure, AWS, Google Cloud) each offer their own security-specific certification tracks. These are worth pursuing specifically when you already know which cloud ecosystem a target employer or role is built around, since the content is deliberately platform-specific rather than broadly applicable — a strong complement to, not a replacement for, a foundational certification like Security+.
Common mistakes when choosing a certification path
The most frequent misstep we see is collecting certifications horizontally at the same level (multiple entry-level credentials) instead of moving vertically toward the next stage, or the reverse — attempting an advanced certification like CISSP before having the practical exposure to make the material stick. A second common mistake is choosing a certification based purely on which one a course provider is currently discounting, rather than which one actually matches the job roles being targeted. Map the certification to the specific role you want next, not to what's on sale.
Do You Need a Certification or a Degree to Break Into Cybersecurity?
The honest answer, and one that differs from the "you absolutely need a computer science degree" advice that circulated for years: for entry-level cybersecurity roles specifically, certifications combined with demonstrable, hands-on skill often carry as much or more weight with hiring managers than a four-year degree on its own.
This isn't a claim that degrees are worthless — for certain larger organizations, government positions, and some leadership tracks, a degree still matters, sometimes as a formal requirement in the job posting. But for the specific goal of landing a first cybersecurity role — SOC analyst, junior penetration tester, security-focused IT support — what tends to move the needle most is evidence that you can actually do relevant work, not just that you hold a credential of any kind.
What "demonstrable skill" actually looks like
- A home lab. Setting up a small virtualized environment — a vulnerable target machine, a basic network, a SIEM tool ingesting logs — and documenting what you built and learned from it shows initiative and hands-on comfort in a way a resume line can't.
- CTF (capture the flag) participation. Platforms hosting beginner-friendly CTF challenges let you practice real offensive and defensive techniques in a legal, structured environment, and a documented track record of CTF participation is a concrete talking point in an interview.
- Write-ups and a portfolio. Publishing walkthroughs of labs you've completed, CTFs you've solved, or home-lab projects you've built gives a hiring manager something concrete to review, rather than taking a certification's word for your skill level.
- An existing IT background. Help desk, network administration, or system administration experience is a strong, underrated on-ramp into security roles, since it demonstrates real operational comfort with the systems security professionals are ultimately protecting.
The practical takeaway for someone deciding where to invest time and money: a degree is a reasonable long-term investment if you're early in your education and considering options broadly, but it is not a prerequisite you need to have in hand before starting to build a cybersecurity career. Certifications plus a genuine, demonstrable track record of hands-on skill is a proven path that doesn't require four years of tuition to get started.
How to Actually Study and Pass
Certification study approaches that work reliably tend to share a few common elements, regardless of which specific exam you're targeting.
Start with the official exam objectives, not a random course
Every major certification publishes a detailed list of exact topics the exam covers. Read it first, before picking any study material, so you can evaluate whether a given course or book actually covers what you'll be tested on — a surprising number of study resources drift from the official objectives.
Use practice exams to find your actual weak spots, not just to feel confident
Practice exams are most valuable when treated as a diagnostic tool — review every wrong answer to understand why it was wrong, not just to log a passing score. Repeatedly passing practice exams without addressing the underlying knowledge gaps is a common way candidates get an unpleasant surprise on the real exam.
Get hands-on lab time for anything with a practical component
For certifications that test hands-on skill (PenTest+, OSCP, and the practical add-ons some candidates pursue for CEH), reading about a technique is not a substitute for actually performing it repeatedly in a lab. Budget real lab time into your study plan, not just reading time.
Set a realistic timeline and stick to a consistent cadence
Cramming rarely works for the breadth-based exams (Security+, CISSP) and doesn't work at all for the hands-on ones (OSCP). A modest, consistent weekly study schedule sustained over the realistic prep windows mentioned earlier in this guide beats an intense short burst that fizzles out.
Join a study community, even an informal one
Study groups, forums, and online communities built around a specific certification are useful for two reasons: they surface question patterns and common pitfalls other candidates have already hit, and they provide accountability that keeps a study plan from quietly slipping.
Note: this guide intentionally doesn't recommend a specific paid course brand — the right study resource depends heavily on your existing background and learning style, and the official exam objectives (mentioned in step one above) are a more reliable starting point than any single vendor's marketing.
Building a Home Lab: A Practical Starting Point
Since a home lab came up earlier as one of the strongest forms of demonstrable skill, it's worth being concrete about what that actually looks like in practice, since "build a home lab" is common advice that's rarely explained in specific terms.
- Start with free virtualization software on a normal laptop or desktop — no specialized hardware is required to begin. A modest amount of RAM lets you run a couple of virtual machines simultaneously, which is enough for most beginner exercises.
- Set up a deliberately vulnerable target machine — there are widely used, purpose-built vulnerable virtual machines designed specifically for practicing exploitation techniques legally and safely, isolated from your real network.
- Practice basic network segmentation — configuring a small virtual network with a few machines that can (and can't) talk to each other builds real, transferable understanding of concepts tested on Security+, Network+, and later certifications alike.
- Set up a basic log-monitoring tool and get comfortable searching through logs to spot unusual activity — this hands-on exposure to what a SOC analyst actually does day to day is difficult to convey through reading alone, and directly relevant to CySA+ and entry-level analyst interviews.
- Document everything as you go. A simple written log of what you set up, what broke, how you fixed it, and what you learned becomes the raw material for both a portfolio and genuinely useful interview talking points later.
None of this requires a significant financial investment — the value comes from the repetition and troubleshooting, not from expensive equipment. Candidates who pair certification study with even a modest, consistently maintained home lab tend to describe technical concepts more confidently in interviews than those who studied purely from books or video courses.
Frequently Asked Questions
Building Your Cybersecurity Career?
IT Cares employs and works alongside certified security professionals across Canada. If you're pursuing this path, feel free to reach out — and if you're an employer looking for certified technicians, that's exactly who we are.
Comments (3)
Passed Security+ last month after 8 weeks of study following pretty much this exact plan — official objectives first, then practice exams to find gaps. Worked well.
Wish I'd read the CISSP experience requirement section before signing up for a bootcamp that implied I'd walk out "CISSP certified." The Associate of ISC2 detail matters a lot.
Career-changer here, no CS degree. The home-lab and CTF section gave me an actual plan instead of just "get certified and hope." Starting my lab this weekend.
Leave a Comment