Cybersecurity Career Paths & Certs
Last updated
Last updated
Below is a repository of information that range from types of career paths, different certificates, to rules and regulations across various industries. The bulk of this information can be applied to your portfolio as you begin to learn these new concepts and level up your portfolio and ultimately your career. This repository will be updated from time to time as new information is gathered.
If you believe that a piece of information is out of date or false, please don't hesitate to Contact Us so we can update as necessary. This repository will be updated from time to time as new information is gathered, but its possible a few things are missed. We strive to be the most up to date repository of career-related information in the cybersecurity field.
The problem that most newcomers have is where to start. Is there one path to walk down in order to end up at your chosen career? To save you the suspense, the answer is no. However, there are some broad strokes that a majority of people take to get on to their chosen career path. These are expanded upon in greater detail further into the page, but as an up front summary, they are as follows (in no particular order of importance):
Start by pursuing a bachelor's degree in cybersecurity, information assurance, or a related field. These programs provide a comprehensive understanding of cybersecurity principles, concepts, and practices.
Complement your education with industry-recognized certifications, such as the Security+, Certified Ethical Hacker (CEH), or Certified Information Systems Security Professional (CISSP). These certifications demonstrate your proficiency and expertise in specific areas of cybersecurity. If you're new to the field, start with the most basic certificates, which are outlined in the images below. Even if you are lacking in professional experience, studying for the certificates will help solidify that foundational knowledge.
From a career perspective, if you're a newcomer to the field, starting from a Technical Support/Help Desk position is typically your best bet, and what most cybersecurity professionals start out as. You can also gain practical experience through internships, volunteer work, or personal projects. Participating in cybersecurity competitions, such as the Capture the Flag (CTF) events, is also a valuable way to apply your skills and network with industry professionals.
Document your skills, experiences, and certifications by creating a professional portfolio. This portfolio will serve as a valuable asset when applying for cybersecurity jobs. Add your relevant side projects, hobbies, and interests to showcase what you may be lacking in professional experience.
Attend industry events, join online communities, and connect with experienced cybersecurity professionals. Building relationships can open up job opportunities and provide valuable insights into the field.
If you have a specific interest or expertise, consider pursuing specialized training or certifications in areas such as penetration testing, digital forensics, or cloud security. This will further enhance your qualifications and career prospects.
Remember, the cybersecurity field is constantly evolving, so it's essential to be adaptable and willing to learn new skills throughout your career. By following this path and staying committed to continuous learning, you can establish yourself as a successful and in-demand cybersecurity professional.
The ever-evolving cybersecurity field presents numerous career paths and associated certifications. Keeping pace with this dynamic environment can be challenging, especially when seeking a reliable, up-to-date roadmap. Fortunately, Paul Jerimy has created an invaluable resource: the Interactive Security Certification Progression Chart.
This interactive tool provides a clear overview of various cybersecurity certifications, grouping them by their corresponding domains and outlining associated costs. It serves as a valuable starting point for individuals seeking to navigate the complex world of cybersecurity certifications and identify those most relevant to their career aspirations.
While no single chart can perfectly capture the entirety of the evolving cybersecurity landscape, Paul Jerimy's interactive chart offers a valuable foundation for anyone seeking to chart their path in this field.
In addition to the Security Certification Progression Chart, the IT Certification Roadmap offers another valuable perspective for exploring career paths in cybersecurity. Given the interconnected nature of IT and cybersecurity, this roadmap can provide insightful information about relevant certifications that align with your desired cybersecurity focus.
By delving into the IT Certification Roadmap, you can:
Discover alternative cybersecurity paths: Expand your understanding of potential career options in the field.
Identify relevant certifications: Explore specific certifications that cater to your chosen cybersecurity focus.
Gain a broader understanding of the IT landscape: Enhance your knowledge of the wider context within which cybersecurity operates.
Combining the insights from both the Security Certification Progression Chart and the IT Certification Roadmap empowers you to make informed decisions about your cybersecurity career path and identify the most suitable certifications to equip you for success.
There are numerous cybersecurity roles and career paths which would be difficult to quantify in one post. Some fields have very specific cybersecurity roles and responsibilities, and others are more broad. The following roles can be further extrapolated out to sub-roles or even managerial roles as you begin to get more familiar with . What you will notice is a majority of the certificates are transferrable to different cybersecurity roles. These descriptors are meant to inform the reader of what high level cybersecurity roles exist across broad industries.
Let's delve into a few popular paths:
Imagine yourself as a digital detective, meticulously combing through network logs and system events, hunting for suspicious activity. You're the first line of defense, identifying and investigating security incidents before they escalate.
Think of yourself as a modern-day Sherlock Holmes, armed with powerful tools like SIEM (Security Information and Event Management) platforms and threat intelligence feeds. Your keen eye and analytical mind will be crucial in piecing together the puzzle and thwarting cyberattacks.
Key Skills:
Security information and event management (SIEM) tools
Incident response
Threat intelligence
Network security
Security analysis
While specific requirements can vary depending on the organization and role, some common certifications held by Security Analysts include:
Entry-level:
CompTIA Security+: This vendor-neutral certification validates foundational cybersecurity knowledge and skills.
Security+ CySA+: This advanced certification builds upon Security+ and focuses on incident detection, analysis, and response.
Certified Ethical Hacker (CEH): This certification covers ethical hacking methodologies and tools used to identify vulnerabilities and penetration testing.
Mid-level:
Certified Information Systems Security Professional (CISSP): This globally recognized certification demonstrates expertise in various cybersecurity domains.
GIAC Security Essentials (GSEC): This broad-based certification covers a comprehensive range of cybersecurity topics.
Certified Information Systems Auditor (CISA): This certification focuses on information systems auditing and control.
Advanced/Specialized:
Certified Cloud Security Professional (CCSP): This certification validates expertise in securing cloud environments.
Certified Information Security Manager (CISM): This certification focuses on managing information security programs.
AWS Certified Security - Specialty: This certification validates expertise in securing AWS cloud environments.
Additionally, some organizations might consider:
OSINT certifications: These certifications validate skills in gathering and analyzing open-source intelligence.
Forensics certifications: These certifications cover digital forensics and incident response techniques.
Vendor-specific certifications: These certifications demonstrate knowledge and skills specific to a particular vendor's security products or services.
Ever wondered what it's like to be a hacker... for good? As a PenTester, you'll don the black hat (ethically, of course) and probe systems for vulnerabilities before malicious actors do. You'll be the ultimate puzzle solver, exploiting weaknesses and finding clever ways to bypass defenses.
Key Skills:
Ethical hacking methodologies
Web application security
Network security
Vulnerability assessment and penetration testing (VAPT) tools
Scripting languages (Python, Bash)
Penetration testers, the ethical hackers of the cybersecurity world, need a specialized arsenal of skills and knowledge. To validate their expertise, several certifications can equip them with the tools and recognition they need. Here are some key options:
Entry-level:
CompTIA PenTest+: This foundational certification covers basic penetration testing methodologies and tools.
eLearnSecurity Junior Penetration Tester (eJPT): This practical certification focuses on hands-on learning through real-world scenarios.
Mid-level:
Offensive Security Certified Professional (OSCP): This globally recognized certification is a benchmark for professional penetration testers, requiring hands-on practical exercises to demonstrate skills.
Certified Ethical Hacker (CEH): This vendor-neutral certification provides a broad overview of ethical hacking methodologies and tools.
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN): This advanced certification focuses on advanced exploitation techniques and red teaming methodologies.
Advanced/Specialized:
Certified Expert Penetration Tester (CEPT): This certification validates advanced penetration testing skills and experience.
Certified Web Application Penetration Tester (CWAPT): This specialized certification focuses on web application security assessments and penetration testing.
Certified Cloud Penetration Tester (CCPT): This certification validates expertise in securing and testing cloud environments.
Additionally, penetration testers may consider:
Offensive Security Exploit Development (OSED): This specialized certification focuses on vulnerability research and exploit development.
Offensive Security Wireless Attacks (OSWA): This certification covers wireless network security assessments and penetration testing.
Offensive Security Social Engineering (OSSE): This certification teaches social engineering techniques used by attackers.
Imagine being the architect of a digital fortress, designing and implementing robust security infrastructure. You'll be the master builder, configuring firewalls, intrusion detection systems, and other defenses to keep the bad guys at bay.
Think of yourself as a digital fortress builder, crafting intricate security solutions to protect sensitive data and critical systems. Your expertise in network security, operating system hardening, and security automation will be instrumental in building an impenetrable digital shield.
Key Skills:
Network security
Operating system security
Security architecture
Cloud security
Security automation tools
Certificates for a Security Engineer are a bit tricky to define because most of the time, the specialties of the Security Engineer can be vendor specific. However, there are some broad certificates to strive for, but should prioritize whichever technologies your organization has in-house.
Entry-level:
CompTIA Security+: This foundational certification lays the groundwork for understanding core security principles and best practices.
Cisco Certified Network Associate (CCNA): This certification provides a solid understanding of networking concepts essential for securing networks.
Security Fundamentals (SF) by EC-Council: This vendor-neutral certification covers the basics of network security, cryptography, and risk management.
Mid-level:
Certified Information Systems Security Professional (CISSP): This globally recognized certification demonstrates expertise in various cybersecurity domains, including network security, cloud security, and incident response.
GIAC Security Essentials (GSEC): This broad-based certification covers a comprehensive range of cybersecurity topics relevant to security engineers.
Certified Information Systems Auditor (CISA): This certification focuses on information systems auditing and control, crucial for ensuring proper security posture within an organization.
Advanced/Specialized:
AWS Certified Security - Specialty: This certification validates expertise in securing cloud environments, increasingly relevant for modern security engineers.
Palo Alto Networks Certified Security Professional (PCSP): This vendor-specific certification focuses on securing networks using Palo Alto Networks firewalls and security products.
Certified Secure Software Lifecycle Professional (CSSLP): This certification covers secure software development methodologies and best practices, essential for security engineers involved in software development processes.
Additionally, security engineers may consider:
Security+ CySA+: This advanced certification builds upon Security+ and focuses on incident detection, analysis, and response, valuable skills for security engineers on incident response teams.
Certified Ethical Hacker (CEH): This certification provides insights into the attacker's mindset and methodologies, helping security engineers strengthen their defenses.
Cloud Security Alliance (CSA) certifications: These certifications validate specific knowledge and skills in securing cloud environments, such as the CSA Security Fundamentals (SCS-F) and the CSA Certificate of Cloud Auditing Knowledge (CCAK).
Ever wished you could be a trusted advisor, helping organizations navigate the treacherous landscape of cybersecurity? As a consultant, you'll be the wise sage, assessing security posture, identifying risks, and developing tailored strategies.
Think of yourself as a digital guardian angel, guiding organizations towards a more secure future. Your expertise in risk management, compliance, and security awareness training will be invaluable in empowering organizations to defend themselves against evolving threats.
Key Skills:
Risk assessment and management
Security governance
Compliance (PCI DSS, HIPAA, GDPR)
Security awareness training
Communication and presentation
Cybersecurity consultants provide expert advice and solutions to organizations to enhance their security posture. To stand out in this competitive field, a combination of certifications and in-depth knowledge is essential. Similar to the Cybersecurity Engineer, you may want to focus on which certificates best match to the in-house technologies that you're consulting for. Here are some key certifications for cybersecurity consultants:
Entry-level:
CompTIA Security+: This foundational certification validates understanding of core security principles and best practices.
GIAC Security Essentials (GSEC): This broad-based certification covers a comprehensive range of cybersecurity topics relevant to cybersecurity consultants.
Certified Information Systems Auditor (CISA): This certification focuses on information systems auditing and control, crucial for providing assurance to clients.
Mid-level:
Certified Information Systems Security Professional (CISSP): This globally recognized certification demonstrates expertise in various cybersecurity domains.
Cloud Security Alliance (CSA) certifications: These certifications validate knowledge and skills in securing cloud environments, such as the CSA Security Fundamentals (SCS-F) and the CSA Certificate of Cloud Auditing Knowledge (CCAK).
Certified Information Systems Risk Manager (CISM): This certification focuses on managing information security programs, an essential skill for cybersecurity consultants.
Advanced/Specialized:
AWS Certified Security - Specialty: This certification validates expertise in securing AWS cloud environments, becoming increasingly relevant for cybersecurity consultants.
International Information System Security Certification Consortium (ISC)² certifications: These certifications validate expertise in specific cybersecurity domains, such as the Certified Information Systems Security Professional (CISSP), Certified Cloud Security Specialist (CCSP), and Certified Incident Handler (GCIH).
Certified Authorization Professional (CAP): This certification focuses on developing and maintaining effective information security authorization processes.
Additionally, cybersecurity consultants may consider:
Penetration testing certifications: These certifications validate skills in identifying and exploiting vulnerabilities, valuable for cybersecurity consultants conducting penetration tests for their clients.
Security architecture certifications: These certifications validate knowledge and skills in designing and implementing secure IT architectures.
Security forensics certifications: These certifications validate skills in investigating cybercrime incidents and gathering digital evidence.
Imagine yourself as a digital spy, infiltrating the dark web and piecing together the puzzle of cybercrime. You'll be the ultimate information gatherer, tracking the activities of cybercriminals, identifying emerging threats, and providing crucial insights to security teams.
Think of yourself as a digital Sherlock Holmes, but instead of chasing Moriarty, you're tracking down cybercriminals and their nefarious plans. Your expertise in open-source intelligence (OSINT), threat hunting, and data analysis will be instrumental in staying ahead of the curve and thwarting cyberattacks before they occur.
Key Skills:
Open-source intelligence (OSINT)
Threat hunting
Threat modeling
Security research
Data analysis and visualization
Remember, this is just a glimpse into the exciting world of cybersecurity. Numerous other paths await, like cybercrime investigators, security architects, CISOs, and privacy specialists.
Threat intelligence analysts are the watchful guardians, constantly scanning the horizon for emerging threats and vulnerabilities. To excel in this vital role, specific certifications can sharpen your vision and validate your expertise. Here are some key options:
Entry-level:
CompTIA Security+: This foundational certification lays the groundwork for understanding core security principles and best practices.
Certified Threat Intelligence Analyst (CTIA): This vendor-neutral certification covers the fundamentals of threat intelligence, including collection, analysis, and dissemination of threat information.
GIAC Threat Intelligence Fundamentals (GIF): This introductory certification provides a solid understanding of the threat intelligence lifecycle and key concepts.
Mid-level:
Certified Threat Intelligence Professional (CTIP): This advanced certification builds upon CTIA and delves deeper into advanced threat analysis techniques and methodologies.
Open Threat Modeler (OTM): This certification focuses on threat modeling methodologies and tools, valuable for threat intelligence analysts.
SANS Threat Intelligence Analyst (TIA): This vendor-specific certification covers the SANS methodology for threat intelligence analysis.
Advanced/Specialized:
SANS Advanced Threat Intelligence (ATI): This advanced certification builds upon TIA and focuses on advanced threat analysis techniques and tools, including threat hunting and malware analysis.
Certified Cyber Threat Analyst (CCTA): This certification validates expertise in analyzing cyber threats and vulnerabilities.
MITRE ATT&CK Framework Certification: This certification demonstrates understanding of the MITRE ATT&CK framework, a widely used knowledge base for cyber adversary tactics, techniques, and procedures (TTPs).
Additionally, Threat Intelligence Analysts may consider:
Open-source intelligence (OSINT) certifications: These certifications validate skills in gathering and analyzing open-source intelligence, crucial for threat intelligence analysts.
Cybersecurity incident response certifications: These certifications provide valuable insights into incident response methodologies and best practices.
Foreign language certifications: Proficiency in additional languages can significantly enhance your ability to gather and analyze threat intelligence from diverse sources.
Cybersecurity GRC Analysts play a critical role in ensuring organizations comply with various security regulations and standards while maintaining effective risk management practices. They are a fast track to the role of a Chief Information Security Officer as they are the guardians of governance, risk, and compliance, weaving a tapestry of security controls, risk mitigation strategies, and compliance adherence.
Key Skills
Risk Management:
Conduct risk assessments to identify, analyze, and prioritize security risks.
Develop and implement risk mitigation strategies.
Monitor and report on risk metrics.
Compliance:
Understand and interpret relevant security regulations and standards (e.g., PCI DSS, HIPAA, GDPR).
Conduct compliance audits and assessments.
Develop and implement compliance programs.
Liaise with external auditors and regulatory bodies.
Governance:
Develop and implement security policies and procedures.
Manage access controls and user permissions.
Monitor and enforce security policies.
Reporting:
Develop and deliver reports on risk, compliance, and governance activities.
Provide insights and recommendations to stakeholders.
Additional Key Skills:
Strong analytical and problem-solving skills.
Excellent communication and presentation skills.
Ability to work independently and as part of a team.
Proficient in Microsoft Office Suite and other relevant software tools.
Understanding of risk management frameworks (e.g., NIST CSF, ISO 31000).
Knowledge of relevant security regulations and standards.
Entry-Level:
Security Fundamentals (SF) by EC-Council: Introduces basic cybersecurity principles and concepts.
CISA (Certified Information Systems Auditor): Provides foundational knowledge of information systems auditing and control.
CompTIA Security+: Validates core security principles and best practices.
GIAC Security Essentials (GSEC): Covers a broad range of cybersecurity topics relevant to GRC analysts.
Certified Data Privacy Solutions Engineer (CDPSE): Focuses on implementing data privacy solutions.
Mid-Level:
CRISC (Certified in Risk and Information Systems Control): Deepens knowledge in risk identification, assessment, mitigation, and monitoring.
CGEIT (Certified in the Governance of Enterprise IT): Examines the governance of IT resources and services within an organization.
CISM (Certified Information Security Manager): Demonstrates expertise in information security governance, risk management, and compliance.
CISSP-ISSAP (Certified Information Systems Security Professional - Information Systems Security Architecture Professional): Validates expertise in information security architecture and design.
FAIR (Factor Analysis of Information Risk): Helps organizations quantify and prioritize cybersecurity risks.
Advanced/Specialized:
COBIT (Control Objectives for Information and Related Technologies): Provides a comprehensive framework for IT governance and management.
ISO 31000: Implements best practices for risk management principles and processes.
CIPP (Certified Information Privacy Professional): Focuses on data privacy and security regulations like GDPR and CCPA.
ITIL (Information Technology Infrastructure Library): Offers best practices for IT service management.
Vendor-specific certifications: These certifications validate expertise in specific security products or services used by the organization.
Additional Notes:
Certifications should align with your career goals and specific role requirements.
Stay updated on emerging trends and regulations in the cybersecurity landscape.
Consider relevant industry-specific certifications depending on your focus area.
Continuously learn and develop new skills to stay ahead of the curve.
Software security developers play a critical role in building secure software by identifying and mitigating vulnerabilities throughout the development lifecycle. Their skills and knowledge are highly sought after in today's digital world, offering a rewarding and exciting career path.
Here's a breakdown of the typical career progression for a software security developer:
Entry-Level:
Junior Software Security Developer: Assist senior developers in security tasks like threat modeling, penetration testing, and code review. Gain hands-on experience with security tools and practices.
Secure Coding Specialist: Focus on secure coding practices, implementing secure coding guidelines, and reviewing code for potential vulnerabilities.
Application Security Analyst: Analyze applications for security vulnerabilities, create and maintain security documentation, and collaborate with development teams to address security concerns.
Mid-Level:
Software Security Engineer: Develop secure software architecture, design and implement security features, and conduct threat modeling and risk assessments.
Security Architect: Design and implement overall security strategy for applications and systems, assess security risks, and provide guidance to development teams.
Penetration Tester: Conduct ethical hacking attacks to identify vulnerabilities in applications and systems, report findings, and work with developers to remediate issues.
Advanced/Specialized:
Security Research Engineer: Research and analyze emerging security threats and vulnerabilities, develop innovative security solutions, and publish research findings.
Vulnerability Management Specialist: Manage and prioritize identified vulnerabilities, track remediation progress, and measure the effectiveness of security controls.
Chief Information Security Officer (CISO): Lead the organization's overall security strategy, manage cybersecurity risks, and ensure compliance with regulations.
Skills and Qualifications:
Strong programming skills in various languages (e.g., Java, Python, C++)
In-depth understanding of secure coding practices and vulnerabilities
Familiarity with security tools and methodologies (e.g., OWASP, SANS Top 25)
Excellent analytical and problem-solving skills
Strong communication and collaboration skills
Passion for cybersecurity and continuous learning
Additional Paths:
DevSecOps: Integrate security practices into the development process and collaborate with DevOps teams to ensure continuous security throughout the software development lifecycle.
Cloud Security: Specialize in securing cloud environments, including infrastructure, applications, and data.
Mobile Security: Focus on securing mobile applications and devices.
Product Security: Become responsible for the security of a specific product or software line.
This role is difficult to quantify certs for as well since application development is such a broad field. Here is a short list of certificates that a Software Security Developer could focus on:
Entry-Level:
CompTIA Security+: Provides a foundational understanding of security principles and best practices.
Certified Ethical Hacker (CEH): Introduces the ethical hacking mindset and basic penetration testing techniques.
GIAC Security Essentials (GSEC): Covers a broad range of cybersecurity topics relevant to software security developers.
Microsoft Technology Associate (MTA) Security Fundamentals: Offers a vendor-specific introduction to security concepts and tools.
EC-Council Certified Secure Coding Professional (CSCP): Focuses on secure coding practices and common vulnerabilities in various languages.
Mid-Level:
Certified Secure Software Lifecycle Professional (CSSLP): Validates expertise in secure software development methodologies and best practices.
Offensive Security Certified Professional (OSCP): Demonstrates practical skills in penetration testing and vulnerability exploitation.
Certified Information Systems Security Professional (CISSP): Offers a comprehensive understanding of various cybersecurity domains, including software security.
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN): Delves deeper into advanced exploitation techniques and red teaming methodologies.
Cloud Security Alliance (CSA) certifications: These certifications validate knowledge and skills in securing cloud environments, such as the CSA Security Fundamentals (SCS-F) and the CSA Certificate of Cloud Auditing Knowledge (CCAK).
Advanced/Specialized:
Certified Secure Software Developer (CSSD): Validates advanced knowledge and skills in secure coding practices and vulnerability prevention.
GIAC Web Application Penetration Tester (GWAPT): Focuses on web application security assessments and penetration testing techniques.
SANS Certified Secure Software Architect (CSSA): Covers advanced secure software architecture principles and best practices.
Offensive Security Web Expert (OWWE): Provides in-depth knowledge and skills in web application penetration testing.
Offensive Security Open Source Exploit Engineering (OSEE): Focuses on exploit development for open-source software.
Offensive Security Exploit Development (OSED): Provides in-depth knowledge of vulnerability research and exploit development.
Additional Notes:
Consider industry-specific certifications relevant to your focus area.
Choose certifications that align with your career goals and development needs.
Continuously strive to learn and update your knowledge with emerging trends and technologies.
Combine certifications with practical experience and strong problem-solving skills for success.
Continuously learn about emerging technologies, threats, and best practices. Keep an eye on industry publications, attend conferences, and participate in online forums to stay ahead of the curve. See the for a list of reputable sources.
To access the interactive chart and explore specific certifications in detail, visit Paul Jerimy's .
Think of yourself as a digital lockpick, meticulously testing the security of systems and networks. Your findings will be invaluable in patching up vulnerabilities and hardening defenses before real attackers can exploit them. Hackthebox.com has a great on how to get started as a newcomer.
