IT security certs may be the key to landing your first cybersecurity role or accelerating early-stage career growth. Here’s how to make the right choice for launching your infosec career.

A UC Berkeley professor recently made headlines when he stated that even his computer science graduates with a perfect 4.0 grade point average were failing to land jobs. Such is the labor market in the AI era.
With AI coding assistants in wide use, junior developer roles are in jeopardy. The same may soon be said for entry-level IT positions across the board, including cybersecurity.
New graduates and early-stage professionals looking to break into cybersecurity must distinguish themselves in this brutal job landscape. Boasting a coveted certification could mean the difference between landing a job and going unnoticed in the applicant tracking system.
How to know which entry-level IT security cert to pursue
To help you stand out, we’ve waded through the glut of offerings to compile the most noteworthy certifications that early career professionals should consider obtaining based on the following criteria.
Value
Saddled with student debt, graduates and early-stage professionals must prioritize certifications that are mid-to-low cost, as well as ones most likely to have high returns. To measure value, we consulted Foote Partners’ “IT Skills Demand and Pay Trends Report,” which evaluated pay trends for 638 IT certifications, highlighting those receiving the highest payment premiums right now, as measured by the pay difference between a person with a credential and one without it.
Prerequisites and pathing
Certifications are often marketed as beginner-friendly but demand extensive experience in the fine print — much like many “entry-level” jobs. To address this Catch-22, we prioritized certifications with no enforced prerequisites or recommendations. Some include stated prerequisites but allow them to be bypassed or reduced through grit and determination. For example, Certified Cloud Security Professional’s five-year work experience prerequisite can be waived through education or unpaid experiences. Candidates can even elect to take the exam without the required experience to earn Associate of ISC2 status. In short, all our chosen certifications have a low barrier to entry.
Note: Vendor lock-in must also be considered. Some certifications must be renewed by earning professional credits offered by the same vendor. These can also count toward a new certification. Thus, early career professionals would be wise to consider not just an individual credential but an ecosystem, perhaps prioritizing organizations with lucrative certs they can earn later.
Recognition
With certifications, brand names matter. The best ones are from organizations highly respected for developing marketable skills. As part of its 2024 Cybersecurity Global Workforce Study, ISC2 surveyed 7,698 hiring managers and 8,154 non-hiring managers in cybersecurity to ascertain the skills they are looking for most. The seven most in-demand skills align favorably with some of the certifications on this list.
We also looked at similar lists from other organizations focused on entry-level or early-stage certifications. Credentials cited frequently across these lists underscored the fact that they are held in wide esteem by a variety of industry players.
The 12 best entry-level IT security certifications
- AWS Certified Security — Specialty
- Certified Cloud Security Professional
- Certified Ethical Hacker
- Certified Information Systems Auditor (CISA)
- Cisco Certified Network Associate (CCNA)
- CompTIA Cybersecurity Analyst (CySA+)
- CompTIA Network+
- CompTIA Security+
- GIAC Security Essentials (GSEC)
- Microsoft Certified: Security, Compliance, and Identity Fundamentals
- Offensive Security Certified Professional (OSCP+)
- Systems Security Certified Practitioner (SSCP)
AWS Certified Security — Specialty
The AWS Certified Security — Specialty certification is ideal for cloud architecture, database, networking, and DevSecOps professionals. It covers data classifications, data protection mechanisms, data encryption methods, and secure internet protocols through the lens of AWS mechanisms. There is a free standard prep course that takes 6.5 hours to complete. The exam consists of 65 multiple-choice or multiple-response questions taken with a proctor online or onsite. Certificate holders may want to pursue other AWS certs after this one, such as AWS Certified DevOps Engineer — Professional or the AWS Certified Advanced Networking — Specialty.
To qualify, AWS recommends five years of IT security experience, including two securing AWS workloads.
Training fees: The standard prep course is free. AWS offers an enhanced preparation course that is included in an AWS Skill Builder subscription, beginning at US$29 per month.
Exam fee: Varies by country or region (US$300 in the US)
Why it’s on our list: Cloud security is the most in-demand skill, according to ISC2. As the largest cloud provider by market share, AWS is a solid choice for early career professionals selecting a vendor-specific route. The cert has no official prerequisites. Ambitious candidates can get up to speed on the recommended five years’ experience with AWS’s practice questions, exam, and study guide, all for free.
Certified Cloud Security Professional
International Information System Security Certification Consortium (ISC2) offers the Certified Cloud Security Professional, among the most prized cloud security certifications for cloud architects, engineers, consultants, and administrators. CCSP covers six modules, ranging from cloud concepts, architecture, and design to legal, risk, and compliance. The US Department of Defense also approves the certification, which may be helpful for those seeking work at government agencies or third-party contractors. After passing the 125-question multiple-choice exam, CCSP holders must renew their certification by earning 60 continuing professional education credits every three years.
To qualify, candidates need at least five years of work experience. ISC2 offers a waiver system that may count part-time work, internships, and education. Candidates can waive the entire work experience requirement if they have the Certified Information Systems Security Professional (CISSP). If you don’t meet the minimum experience, you can still take the exam and earn Associate of ISC2 status, after which you have six years to gain the required experience.
Training fees: US$963.75, for self-paced online training; US$1,562.75, bundled with an exam; third-party training also available
Exam fee: Pricing varies by region (US$599 in the US)
Why it’s on our list: Some early-stage pros may prefer vendor-neutral certification to have more latitude. The flexible pathways to the CCSP make it ideal for establishing a career in cloud computing security without tying yourself to a vendor’s ecosystem.
Certified Ethical Hacker
The EC-Council’s Certified Ethical Hacker (C|EH) teaches the foundations of ethical hacking across 20 modules, from footprinting through cloud computing and cryptography. The EC-Council recommends professionals have two years of experience in IT security; those without can prepare with its free Cyber Security Essentials series. For the C|EH, professionals will learn skills for each stage of ethical hacking: reconnaissance, scanning, gaining and maintaining access, and covering tracks. The cert is ideal for cybersecurity auditors, warning analysts, solution architects, and more. The C|EH exam consists of 125 multiple-choice questions, along with a practical exam based on different scenarios.
Although there are no official prerequisites, EC-Council recommends two years of relevant experience or its Cybersecurity Essentials Series, which provides foundational knowledge in cybersecurity.
Training and exam fees: US$799, exam plus on-demand video course; live and hybrid training options available coupled with exam vouchers
Why it’s on our list: Certified Ethical Hacker was the second most mentioned certification from similar lists. C|EH is built on practical knowledge, teaching more than 550 hacking and security techniques, many with AI — a skill sought by 24% of hiring managers, according to ISC2.
Certified Information Systems Auditor (CISA)
This Information Systems Audit and Control Association (ISACA) certification is geared toward IT auditors and covers five domains: IS auditing, implementation, and operations; protection of information assets; and IT governance. The four-hour exam consists of 150 multiple-choice questions, and candidates must earn 450 on ISACA’s scaled scoring system, with 800 representing a perfect score. To maintain their CISA, certification holders must take 20 CPE credits annually and 120 over three years through conferences, volunteering, on-demand learning, and other methods.
To qualify, ISACA requires at least five years of relevant work experience. There is a robust waiver system for CISA. For example, an undergraduate who earns a master’s degree in computer science or a related field would be granted a three-year waiver.
Training fees: ISACA offers four resources: online review course, US$895; annual subscription to question bank, US$399; print or digital review manual, US$139; discounts available for ISACA members
Exam fee: US$575, members; US$760, non-members
Why it’s on our list: With waivers, professionals can be fast-tracked to CISA, which boasts an average pay premium of 10%. These professionals can specialize in risk assessment, analysis, and management and move on to more broadly focused, leadership-oriented roles in governance, risk management, and compliance — skills that are among the most in-demand, according to ISC2.
Cisco Certified Network Associate (CCNA)
In addition to networking fundamentals, the Cisco Certified Network Associate teaches cybersecurity, focusing on secure access to devices and networks, threats and prevention, and user awareness and training. CCNA is suited for those who want to obtain roles as a network engineer, network administrator, or help desk administrator. Cisco recommends candidates have one year of implementing or working with its solutions. The two-hour exam is administered on a pass-or-fail basis, and candidates will know their results within 48 hours. CCNA also has a flexible renewal process: Candidates can retake the exam, take CE credits, earn another Cisco certification, or combine the latter two.
There are no formal prerequisites to qualify for the CCNA exam.
Training fees: US$1080 for one-year access to Cisco U. Essentials with self-paced, guided, and hands-on training offered at various rates
Exam fee: US$300, or Cisco Learning Credits
Why it’s on our list: Although not explicitly a cybersecurity certification by title, CCNA is security adjacent and is frequently cited on similar lists due to its content. CCNA specifies that it may be ideal for “individuals looking to move into the IT field.”
CompTIA Cybersecurity Analyst (CySA+)
Developed in partnership with the US Department of Defense, Visa, and AWS, CompTIA CySA+ focuses on four domains: security operations, vulnerability management, incident response and management, and reporting. The 165-minute exam consists of a maximum of 85 multiple-choice and performance-based questions; candidates must score 750 on a scale of 900. Certificate holders must take 60 CEUs within three years. Note: CompTIA launched the CompTIA CySA+ exam on June 6, 2023, and will likely retire the exam by 2026 to pave the way for another with refreshed content under the same name.
While CompTIA CySA+ has no official prerequisites, the organization recommends CompTIA Security+ or CompTIA Network+, along with four years of experience in incident response or security analysis.
Training and exam fees: US$404, exam; US$581, exam, retake, study guide; US$1,111, exam, retake, study guide, hands-on lab training, exam prep, e-learning
Why it’s on our list: CompTIA CySA+ is more specialized than the Security+, opening up jobs such as cybersecurity analyst, application security analyst, threat intelligence analyst, and cybersecurity specialist. Security analysis is an in-demand skill sought after by 25% of hiring managers, according to ISC2.
CompTIA Network+
CompTIA Network+ teaches candidates about networking concepts, implementations, operations, troubleshooting, and security, focusing on concepts, attacks, and defense. The certification is a great fit for those interested in network administrator, systems administrator, or data center technician roles. CompTIA recommends a CompTIA A+ certification and 9 to 12 months in a junior network role. The 90-minute exam consists of 90 multiple-choice and performance-based questions, and candidates must score a 720 on a scale of 900. Renewing CompTIA Network+ requires 30 CEU credits every three years.
There are no formal prerequisites to qualify for the exam.
Training and exam fees: US$369, exam; US$629, exam, retake, on-demand learning; US$721, exam, retake, on-demand learning, additional exam practice
Why it’s on our list: The certification is explicitly designed for the “early career” experience level and is a vendor-neutral alternative to the CCNA.
CompTIA Security+
The CompTIA Security+ certification teaches risk analysis and automation across five domains: security concepts, operations, architecture, program management, and threats, vulnerabilities, and mitigations. Numerous enterprises have contributed to the development of Security+, including Microsoft, Deloitte, and Zoom. The Security+ cert opens up varied opportunities, including network security analyst, penetration tester, and security architect. The 90-minute exam consists of a maximum of 90 multiple-choice and performance-based questions; candidates must score 750 on a scale of 900. Certificate holders must renew the cert by earning 50 CEUs through CompTIA’s Continuing Education program within three years. Note: After launching the CompTIA Security+ exam on Nov. 7, 2023, CompTIA will likely retire this version by 2026. It will then be replaced by a new exam under the same title.
Training and exam fees: US$404, exam; US$581, exam, retake, study guide; US$1,111, exam, retake, study guide, hands-on lab training, exam prep, e-learning
Why it’s on our list: The CompTIA Security+ is a unanimous choice across similar lists. The program specifically teaches early career skills and is the most widely adopted ISO/ANSI-accredited early career cert. CompTIA also documents numerous case studies of professional development enabled through the cert. CompTIA is also the most frequently mentioned certifying organization on similar lists, and its advanced certs, such as CompTIA Advanced Security Practitioner (CASP), come with an average pay premium of 10%.
GIAC Security Essentials (GSEC)
The GIAC Security Essentials certification offers a curriculum comparable to CompTIA Security+. Topics covered include everything from cryptography and the cloud to incident handling and endpoint security. GSEC is suited for security administrators, forensic analysts, and penetration testers who have an IT background but need to validate their knowledge as a practitioner. Candidates must score 73% or more on the four-hour, 106-question exam, which can be administered with a proctor online or onsite. Professionals must earn 36 continuing professional education credits within four years to renew GSEC, a standard consistent for all GIAC certs.
Training fees: On-demand and in-person options priced at local rates
Exam fees: US$999; retakes, US$899
Why it’s on our list: The GIAC Security Essentials offers foundational cybersecurity knowledge ideal for “new InfoSec professionals.” GSEC is also part of the lucrative GIAC certification ecosystem: The average pay premium for GIAC Network Forensic Analyst (GNFA) and GIAC Cloud Security Automation is 10%, while GIAC Security Leadership stands at 15%.
Microsoft Certified: Security, Compliance, and Identity Fundamentals
Microsoft Certified: Security, Compliance, and Identity Fundamentals focuses on the basics of security, compliance, and identity. The vendor-specific cert provides instruction through Microsoft Azure, Entra, Preview, and Purview. The 45-minute proctored exam may consist of 40 to 60 questions across multiple choice, drag and drop, list building, and more. Candidates must wait 24 hours for a retake and then two weeks for all subsequent retakes. Certification holders may display their certificate on LinkedIn and a custom URL through their certification dashboard.
Training fees: Candidates can take the course on-demand and access a study guide for free. Alternatively, they can use a third-party training provider that teaches the material online or onsite at local market rates.
Exam fee: Varies by country (US$99 for US)
Why it’s on our list: While Microsoft offers numerous certifications relating to cybersecurity, Microsoft Certified: Security, Compliance, and Identity Fundamentals is one explicitly aimed at beginners, including students, new IT pros, and business stakeholders. The curriculum aligns strongly with the governance, risk management, and compliance preferred by 24% of hiring managers, according to ISC2.
Offensive Security Certified Professional (OSCP)
To earn the Offsec Certified Professional certification, candidates must complete the affiliated course, PEN-200: Penetration Testing with Kali Linux, and pass the subsequent exam. The course covers 10 modules, including information gathering, vulnerability scanning, client-side attacks, and fixing exploits. Certificate holders will have shown mastery of penetration testing methodologies ideal for new roles, such as an ethical hacker, incident responder, or threat hunter. The OSCP+ exam is entirely hands-on, and test-takers must compromise systems within a lab environment.
OffSec does not enforce any prerequisites but recommends candidates be familiar with TCP/IP networking, scripting in Bash and Python, and Linux and Windows, which they can learn through its Network Penetration Testing Essentials Learning Path.
Training and lab fees: OffSec bundles the course and exam for US$1649 and as a one-year subscription that also includes a lab environment for US$2079 annually.
Why it’s on our list: OffSec is among the most valuable certifying bodies for offensive security. The average pay premium for Offensive Security Certified Expert (OSCE) is 10%, and for Offensive Security Exploitation Expert (OSEE) is 11%.
Systems Security Certified Practitioner (SSCP)
The ISC2 SSCP certification covers seven domains: security concepts, access control, incident response, cryptography, network security, systems and application security, and risk identification, monitoring, and analysis. It is ideal for various professionals, including security analysts, systems engineers, network analysts, database administrators, and security consultants. The three-hour exam consists of 125 multiple-choice questions; candidates must earn 700 out of 1,000 points to pass and undergo a process validating their professional experience. Those who earn the SSCP must abide by ISC2’s code of ethics and pay an annual maintenance fee that supports the organization and its initiatives, including its members-only network of cybersecurity pros.
To qualify, the SSCP requires one year of experience. Those without the experience requirement can bypass it with a relevant undergraduate or graduate degree in computer science or a related subject.
Training fees: SSCP has numerous free resources, including an exam outline, flashcards, a practice quiz, and a study app, along with paid options, such as on-demand training for US$90 for 90-day access.
Exam fee: Varies by market (US$249 for North and South America)
Why it’s on our list: The program aligns with two top in-demand skills noted in the ISC2 Cybersecurity Workforce Study: application security and risk assessment, analysis, and management.