Cybersecurity Certifications 2026: Security+ vs CISSP vs CEH and the Rest
A practical guide to cybersecurity certs. Which come first, which pay off, and which ones are vendor-specific hype.
Cybersecurity is one of the few fields where a piece of paper still moves the needle on your salary. Hiring managers in this space don’t just want to know you can configure a firewall or read a packet capture. They want a third party to vouch for it, because the cost of hiring someone who fakes their way through is genuinely catastrophic. A breach costs companies an average of $4.45 million, and nobody wants the resume of the person who let it happen.
That’s why the cert stack matters more in cyber than in almost any other tech discipline. You can break into software engineering with a GitHub portfolio and a Leetcode grind. You can land a data analyst job with a few Tableau dashboards. But cybersecurity job postings still routinely list specific certs as hard requirements, especially anything touching government, defense, healthcare, or finance. The DoD 8570 directive alone restricts thousands of jobs to people who hold approved certs like Security+, CISSP, or CASP+.
The problem is that there are now hundreds of cybersecurity certifications, and a chunk of them are basically marketing material for the issuing vendor. This guide walks through what’s actually worth your money, when to take each one, and what employers really care about versus what they say in the job listing. If you’re also weighing cloud certs, our AWS certification paths guide covers that side of the house.
Entry Level: Where to Start
If you’re new to cyber, you don’t need to overthink this. The on-ramp is well-established, and almost every hiring manager knows what these three certs mean.
CompTIA Security+ is the default first cert for nearly everyone. It costs $392, takes most people 6 to 10 weeks of study, and it’s vendor-neutral. It also satisfies DoD 8570 IAT Level II requirements, which means it unlocks a huge pile of federal and contractor jobs. The exam covers threats, architecture, operations, governance, and a bit of cryptography. None of it goes deep, but that’s fine for an entry credential.
CompTIA Network+ is technically optional but strongly recommended if your networking knowledge is shaky. You can’t defend infrastructure you don’t understand, and a surprising number of junior analysts have never actually configured a VLAN or read a routing table. Network+ runs $369 and pairs well with Security+.
CompTIA CySA+ (Cybersecurity Analyst) is the next step up, focused on SOC analyst work, threat detection, and incident response. It costs $392 and is what you’d take after Security+ if you’re aiming for a Tier 1 or Tier 2 SOC role. It’s also DoD-approved, which keeps your federal options open.
A reasonable entry stack looks like Security+ first, then CySA+ if you’re going defensive, or a pentest-oriented cert if you’re moving toward a junior pentest role. Don’t stack five entry certs before applying. Two is enough. After that, you need real job experience or your resume starts looking like cert farming.
Mid Level: Building Specialization
Once you’ve got 1 to 3 years of experience, the cert conversation shifts. You’re no longer trying to prove you understand the basics. You’re trying to signal a specialty.
CEH (Certified Ethical Hacker) is the most famous mid-tier cert and also the most controversial. It’s well-known among HR teams, costs around $1,199 with the official package, and shows up in tons of job postings. The catch is that working pentesters tend to view it as shallow. The exam is multiple choice. There’s a practical version (CEH Master), but it’s still not what most red teamers respect. If your employer is paying or you’re chasing a job listing that explicitly requires it, fine. Otherwise, you can probably skip straight to OSCP.
SSCP (Systems Security Certified Practitioner) from ISC2 is the lighter cousin of CISSP. It costs $249, requires 1 year of experience, and covers seven domains of operational security. It’s a solid mid-career cert if you’re a sysadmin pivoting into security, and it’s recognized but not exactly prestigious.
CompTIA PenTest+ sits between CEH and OSCP in difficulty and reputation. It runs $392, covers planning, scoping, and reporting alongside actual exploitation, and it’s getting more respect lately because the practical sections aren’t a joke. If you can’t justify OSCP yet, PenTest+ is a reasonable bridge.
Senior Level: The Big Three
The senior cybersecurity certs are gatekeeping credentials. They don’t teach you new skills so much as confirm you’ve been doing the work for years. They also unlock leadership roles and, frankly, much bigger paychecks.
CISSP (Certified Information Systems Security Professional) is the heavyweight champion. It costs $749, requires 5 years of paid security experience across at least 2 of 8 domains, and the exam is genuinely brutal. The median CISSP holder in the US makes around $145,000, and the cert is basically required for security architect, security manager, and CISO roles. If you want one cert that opens the most senior doors, this is it.
CISM (Certified Information Security Manager) from ISACA leans more toward governance and management than CISSP does. It costs $760 for non-members (ISACA membership saves you about $200), requires 5 years of experience, and it’s the cert of choice for people moving into security leadership or risk management. If you’d rather run a team than do hands-on work, CISM beats CISSP.
CISA (Certified Information Systems Auditor) is the audit-focused cert. Same vendor as CISM, similar pricing, and it’s the dominant credential for IT audit, compliance, and SOX work. If you’re heading toward Big Four consulting or internal audit at a regulated company, you’ll want this. Our finance certifications guide covers how CISA pairs with CPA for audit careers.
Pen Testing Track
The penetration testing track is its own world, and the cert hierarchy here is brutally meritocratic. Hiring managers in this space don’t care about multiple choice exams. They want to see that you’ve popped a box.
OSCP (Offensive Security Certified Professional) is the entry credential that actually matters for pentesting. It costs $1,749 for the PEN-200 course bundle including 90 days of lab access and one exam attempt. The exam is a 24-hour practical where you compromise a set of machines and write a professional report. Pass rates hover around 30 percent on the first attempt. It’s the cert that gets you pentest interviews.
OSWE (Offensive Security Web Expert) is the web app specialization. It costs roughly $1,749 with the WEB-300 course, and the exam is a 48-hour grind focused on source code review and exploit development for web applications. Take this if your target role is web pentesting or bug bounty.
CRTP (Certified Red Team Professional) from Altered Security is the cheapest serious red team cert at around $499. It focuses on Active Directory attacks, which is what most real-world red team engagements actually hit. The lab is excellent and the cert is increasingly respected. CRTO from Zero-Point Security is the next step up if you want command-and-control and OPSEC depth.
Cloud Security
Cloud security is where the money is moving in 2026. Companies are realizing that misconfigured S3 buckets and overly permissive IAM roles cause more breaches than zero-day exploits.
AWS Certified Security Specialty costs $300 and validates security knowledge across the AWS platform. You’ll want the AWS Solutions Architect Associate first as a foundation. This cert is in heavy demand because nearly every Fortune 500 company runs significant AWS workloads, and most of them need someone who actually understands GuardDuty, KMS, and SCP design.
Microsoft SC-200 (Security Operations Analyst) costs $165 and focuses on Microsoft Sentinel, Defender, and Entra ID. It’s the most useful Azure security cert for SOC roles, and pairs well with SC-100 (Cybersecurity Architect Expert) if you’re going senior. Microsoft has been aggressive about pricing, which is why these certs are roughly half what AWS charges.
Google Cloud Professional Cloud Security Engineer costs $200 and covers GCP-specific security. Take this only if you’re targeting a GCP-heavy employer, which is mostly Google itself, some media companies, and a handful of fintech startups.
Comparison Table: Core Cyber Certs
| Cert | Cost | Experience Required | Best For | Median Salary Bump |
|---|---|---|---|---|
| Security+ | $392 | None | First cert, DoD eligibility | +$10k entry |
| CySA+ | $392 | Recommended 4 yrs | SOC analyst roles | +$8k |
| CEH | $1,199 | 2 yrs or training | HR-driven job filters | +$5k |
| PenTest+ | $392 | 3-4 yrs recommended | Junior pentest | +$7k |
| CISSP | $749 | 5 yrs | Senior architect, manager | +$25k to $40k |
| CISM | $760 | 5 yrs | Security management | +$20k to $35k |
| CISA | $760 | 5 yrs | IT audit, compliance | +$15k to $30k |
| OSCP | $1,749 | None required | Pentesting | +$15k |
| AWS Security Specialty | $300 | 5 yrs IT recommended | Cloud security engineer | +$18k |
| SC-200 | $165 | None | Microsoft SOC | +$10k |
Salary bumps are rough estimates from ISC2 (formerly (ISC)²) workforce studies and the 2025 Robert Half Technology salary guide. Your mileage will vary by city, employer, and how you negotiate.
Salary Impact By Cert
The salary numbers in cybersecurity are real, but they’re skewed by which cert you stack with which role. Security+ alone won’t make you rich. It just gets you in the door at $65k to $80k for an entry SOC role. The real money kicks in when you combine deep cert credentials with 5-plus years of incident response, architecture, or pentest experience.
CISSP holders consistently report a $145k US median, with senior architects in major metros pulling $180k to $220k base. CISM holders skew slightly higher because they’re often in management tracks. OSCP plus 3 years of pentest experience puts you in the $130k to $170k range at consultancies, and senior red teamers at FAANG-tier companies clear $250k total comp.
Cloud security is now the highest-paying specialization on average. AWS Security Specialty plus 4 years of cloud engineering experience routinely hits $170k base, partly because the talent pool is small and partly because the consequences of a cloud misconfiguration are huge.
If your employer offers tuition reimbursement, you should absolutely use it. Most cyber certs qualify, and our guide on employer tuition reimbursement covers how to ask for it without burning political capital.
What Employers Actually Require Vs Prefer
Job postings lie. Or rather, they aspire. The “required” section of a cybersecurity job listing is usually a wishlist written by a recruiter who copied it from a competitor’s posting. Here’s how to read it.
If a posting says “CISSP required,” and you don’t have one but have 4 years of relevant experience, apply anyway. Roughly half the time the requirement is negotiable, especially if you can demonstrate the underlying knowledge in the interview. The other half of the time it’s a real federal contract clearance requirement and you genuinely can’t get past HR. You’ll figure out which it is from the recruiter call.
If a posting says “Security+ or equivalent,” that’s a hard filter. Get the cert. It’s $392 and it removes a friction point from every application you’ll ever submit in this industry.
If a posting lists 8 certs as preferred, the company is fishing. Pick the 1 or 2 that match the actual role and don’t worry about the rest. Nobody at the hiring manager level is reading your resume thinking, “Wow, only 6 of the 8 listed certs.”
The certs that punch above their weight in 2026 are CISSP, OSCP, AWS Security Specialty, and CISM. Everything else is supporting cast. If you’re early in your career, get Security+ and one cloud cert, then build experience for 2 to 3 years before chasing senior credentials. Pair your certs with a sharp resume that quantifies your impact. Our tech resume guide walks through exactly how to write security accomplishments that hiring managers actually read.
The cybersecurity field rewards people who keep learning, but it punishes people who treat certs as a substitute for real work. Get the credentials that open doors. Then walk through them and actually do the job.
Frequently asked questions
What cybersecurity cert should I get first?
CompTIA Security+ for most people. It's DoD-approved, vendor-neutral, and costs $392. Most entry cyber roles list it or an equivalent.
Is CISSP worth getting in 2026?
Yes, for senior roles. CISSP requires 5 years of experience and costs $749. Median CISSP holder salary is around $145k in the US.
Is CEH (Certified Ethical Hacker) still worth it?
Mixed. CEH is well-known but considered shallow by many practitioners. OSCP is more respected for actual penetration testing roles.