I have held CompTIA Security+, CISSP, CCNA, CCNA Security, CCNA Datacenter, and CCNA Voice over the course of my career. My CISSP is currently active. The others have lapsed — not because they stopped being useful, but because the knowledge they represented became foundational rather than credentialed.
My certification journey happened in two distinct stages. The first CCNA was a deliberate pivot — I was moving from finance into technology and needed something concrete to signal that transition to employers who had no reason to take a chance on me otherwise. It worked. The additional CCNA tracks came later, not as career moves but as validation of work I was already doing — I was building and running those systems and wanted to formalize what I knew. The Security+ was the second pivot, this time from networking into security. The CISSP came last, after years in the field, as a credential for where I was already operating. Each certification in that sequence validated existing competence. None of them created it.
That is the lens through which I rank every certification in this guide. Not which ones look impressive on paper, but which ones actually move your career and which ones drain your bank account while making you feel like you are making progress.
AUTHOR'S CERTIFICATION HISTORY
CISSP (ISC2 Certified Information Systems Security Professional), active: used for senior management credibility; worth every hour of study.
Security+ (CompTIA), lapsed: first security cert; opened the door to the lateral move.
CCNA Routing & Switching (Cisco), lapsed: the foundation that made everything else possible.
CCNA Security, lapsed: bridge between networking and security; an underrated cert.
CCNA Datacenter, lapsed: essential for understanding cloud infrastructure attack surfaces.
CCNA Voice, lapsed: niche, but relevant for VoIP security attack vectors.
The honest ranking
Every certification below is ranked by one metric: return on investment for someone trying to build or advance a cybersecurity career. That means value relative to cost, time, and what employers actually care about — not what the certification industry wants you to believe.
Security+ is the industry standard entry-level security certification. It is vendor-neutral, covers the foundational knowledge that all security roles require, and satisfies DoD 8570/8140 baseline requirements — which matters enormously if you have any interest in government or defense contractor work.
My verdict: Get this before anything else. It is not the most technically impressive certification on your resume but it is the most universally recognized and the most consistently required by employers at the entry level. I used it to make the lateral move from networking into security and it opened doors that nothing else would have at that stage. Professor Messer's free course on YouTube is sufficient preparation for most people with an IT background.
CISSP is the gold standard for senior security professionals. It covers eight domains spanning the full breadth of security practice, from risk management and cryptography to software development security and physical security. Certification requires five years of cumulative paid work experience in at least two of those eight domains, which is often overlooked in conversations about it. You can sit the exam before you have that experience and hold Associate of ISC2 status until it is verified, and a relevant four-year degree or an approved credential waives one year, but the CISSP itself is not issued until the experience is endorsed.
My verdict: It is worth it — but only when you are ready for it. I see too many people pursuing CISSP with two or three years of experience because job postings list it as a requirement. Those job postings are often written by HR departments that do not understand the certification. The CISSP is a management and architecture credential, not a technical skills credential. If you are moving into senior management, security architecture, or CISO-track roles it is essential. If you are an analyst or engineer it is premature. Study for it when you have the experience to contextualize what you are learning — otherwise you are memorizing material you cannot yet apply.
OSCP is the most respected certification in offensive security. Unlike most certifications that test knowledge through multiple choice questions, OSCP is a 24-hour practical exam (strictly, 23 hours and 45 minutes, followed by a further 24 hours to submit a written report) in which you must compromise a set of machines on a live network. Points are awarded only for access you actually demonstrate with proof files, not for describing the right approach. You either get in or you do not. There is no credit for knowing the right answer.
My verdict: If penetration testing is your goal, pursue this instead of CEH. It is significantly harder, significantly more respected, and significantly more relevant to what actual pen testers do. Employers who know what they are looking for will take an OSCP holder over a CEH holder every time. However, and this is important, it is not an entry-level certification. Spend time on Hack The Box and TryHackMe first. Get comfortable with the fundamentals of exploitation before you invest in the PEN-200 course (formerly PWK). Going in underprepared is an expensive mistake.
CEH is widely listed in job postings, widely recognized by HR departments, and widely criticized by technical practitioners who consider it a mile wide and an inch deep. The base credential is a multiple-choice exam covering a broad range of offensive security topics without requiring you to demonstrate any of the skills it claims to certify. EC-Council does sell a separate hands-on CEH Practical exam, but the multiple-choice CEH is the one job postings list and the one most holders have.
My verdict: The cybersecurity community is divided on CEH and the division breaks along a predictable line — HR departments and non-technical managers value it, technical practitioners consider it inferior to OSCP. The honest answer is that it depends on who is making the hiring decision. In organizations with mature security programs where technical people drive hiring, OSCP wins. In organizations where HR screens resumes and security decisions are made by non-technical management, CEH's name recognition can get you through the door that OSCP would not. Know your target environment before you invest.
CCNA is not a security certification. It is a networking certification. I am including it here because it is one of the most valuable credentials a security professional can hold and it is consistently undervalued in conversations about security career paths. I held four CCNA tracks — Routing & Switching, Security, Datacenter, and Voice.
My verdict: Security is applied networking. An attacker who does not understand how networks route traffic cannot effectively exploit them. A defender who does not understand the protocols they are protecting cannot effectively secure them. The CCNA teaches you networking at the level that makes security work meaningful. If you are coming from a non-networking background and considering a security career, getting a CCNA before your Security+ is a legitimate strategy that will make everything that follows easier. CCNA Security specifically is an excellent bridge certification for the transition.
The Google Cybersecurity Certificate on Coursera is a relatively new entry that has gained significant traction as an accessible on-ramp for complete beginners. It covers security fundamentals, network security, and incident response, and introduces Linux, SQL, Python, and SIEM tooling in a structured, self-paced format.
My verdict: This is a good starting point for people with no prior IT background who need foundational context before pursuing Security+. It is not a replacement for Security+ and it carries less weight with employers — but it is inexpensive, accessible, and provides a solid introduction to the field. If you already have IT experience, skip this and go straight to Security+. If you are starting from zero, this is a reasonable first step.
The certifications I would skip
There are certifications I have not included in the ranked list because I genuinely do not recommend them for most people in most circumstances.
CompTIA CySA+ and PenTest+. These exist as stepping stones between Security+ and more advanced certifications. In practice, most hiring managers care more about Security+ plus experience than they do about these intermediate CompTIA certifications. The time spent earning them is often better invested in hands-on lab work or pursuing OSCP directly if pen testing is your goal. The one exception is DoD 8140 work: CySA+ is on the approved baseline for analyst and incident-response roles that Security+ alone does not cover, so in that context it is a role requirement rather than a general career investment.
Vendor-specific security certifications without a clear role requirement. AWS Security Specialty, Microsoft SC-200, and similar vendor certifications are valuable if you are working in that specific environment. They are far less valuable as general career credentials. Get them when your role requires them, not as general career investments.
Bootcamp-issued certificates. These are not certifications; they are course completion records. They carry essentially no weight with employers who know the difference. The thousands of dollars spent on a bootcamp that ends with a branded certificate are almost always better invested in exam fees and lab subscriptions for real certifications.
"A certification validates what you already know. It does not create knowledge you do not have. Do the lab work first. The certification follows naturally — and it sticks."
The order of operations
Based on my own path and what I have seen work for others, here is the recommended sequence depending on your starting point.
Coming from IT (networking, sysadmin, help desk): Security+ first. Then hands-on labs on TryHackMe and Hack The Box. Then CISSP when you have 5+ years, or OSCP if pen testing is your direction. The CCNA tracks you already hold are an asset — make sure your resume reflects what they mean for security work.
Starting from scratch: Google Cybersecurity Certificate for foundational context. Then Security+. Then specialize based on where your early career takes you. Do not plan your entire certification path before you understand what part of security you actually want to work in.
Already in security, looking to advance: The answer depends entirely on your target role. If you are moving toward management or architecture: CISSP. If you are deepening offensive security skills: OSCP. If you are working in cloud environments: relevant cloud security certifications. If you are in a government or defense context: look at the DoD 8140 framework to understand which certifications map to which roles.
TryHackMe: build the hands-on skills before you sit the exam. Structured paths for every level, from Security+ prep to advanced offensive techniques.
Hack The Box: the best preparation for OSCP. Real-world scenarios, retired machines with write-ups, and a community of serious practitioners.
The bottom line
Whether a certification is worth it depends entirely on which one, when you pursue it, and what you are trying to accomplish. Security+ is worth it for almost everyone entering the field. CISSP is worth it for senior professionals on a management track. OSCP is worth it for people who genuinely want to do offensive security work. Everything else is situational.
What is never worth it is pursuing certifications as a substitute for hands-on experience. The people who get hired and who advance are the ones who can demonstrate real competence — the certification is the signal, not the substance. Build the substance first. The signal follows.