Skip to main content

The CompTIA certification path in 2026, the order that actually works

CompTIA publishes around 20 active certifications in 2026. They span hardware, networking, security, cloud, data, Linux, and project management. There is no single "CompTIA path." There are five role-specific paths, and the order that works depends on what you are trying to do for a living. Most guides treat the CompTIA ladder as a sequential climb where you collect every rung before moving up. You do not have to, and often should not. Below is the honest 2026 sequence, broken out by role, with the certs to skip and the order that wastes the fewest months.

The map

CompTIA's 2026 active cert catalog, grouped by tier:

Core (foundational, vendor-neutral): A+, Network+, Security+, Linux+

Infrastructure: Server+, Cloud+

Cybersecurity: CySA+, PenTest+, CASP+

Data: Data+, DataSys+

Additional tracks: Project+ (project management), CTT+ (training), Cloud Essentials+

Trying to collect every box is how candidates spend three years in prep without advancing their career. Pick the role family you want, run depth-first, stop when the next cert no longer buys a salary or job-access lift.

Path 1, the IT generalist or help desk

You are new to IT or working at the help desk level, building the foundation to move into sysadmin, cloud, or security roles.

  1. A+. The correct starting point for anyone with no IT experience. Two exams (Core 1 and Core 2), covers hardware, OS, mobile, networking basics, cloud concepts, scripting basics, troubleshooting, and professional communication. Skip it only if you have 12 or more months of IT support or sysadmin experience.
  2. Network+. Builds on A+'s networking introduction: OSI model, TCP/IP, subnetting, switching, routing, wireless, WAN, cloud networking, network security basics. Assumed by every specialist cert above it.
  3. Security+. Opens entry-level cybersecurity roles and satisfies US DoD 8570 requirements for a wide range of contractor positions. This is the single highest-leverage cert in the CompTIA catalog for career-opening power.

At this point, stop and get the certs work-tested for 12 to 18 months before adding a specialist cert. Collecting A+, Network+, and Security+ without field experience produces a credential stack that hiring managers look past when they interview.

Path 2, the cybersecurity professional

You are working in security, aspire to, or your role involves SOC work, incident response, vulnerability management, or red team operations.

  1. Security+. If you do not have it yet, start here. It is the prerequisite the field assumes.
  2. Choose a specialty based on your direction:
    • CySA+ for the blue team path: threat and vulnerability management, security operations, incident detection and response. The natural next step after Security+ for SOC analysts and security operations roles. Roadmap.
    • PenTest+ for the offensive / assessment path: planning and scoping, information gathering, attacks and exploits, reporting and communication. Less recognized than OSCP for hardcore red team roles, but more accessible and broadly recognized for assessors and junior pen testers. Roadmap.
  3. CASP+ for senior practitioners who want to stay hands-on rather than move into management. The hardest CompTIA cert, with no multiple-choice safety net: all performance-based. Validates advanced security architecture, risk management, enterprise integration, and research skills. Roadmap.

CASP+ is the right endpoint for senior security engineers and architects who explicitly want a vendor-neutral advanced credential. If your path is CISSP, go there directly after CySA+ instead of taking CASP+ as a stepping stone. The two certs target different audiences: CASP+ is practitioners, CISSP is managers and leaders.

Path 3, the cloud or infrastructure engineer

You manage cloud environments, on-premises servers, or hybrid infrastructure.

  1. A+ and Network+, or skip them if you have the equivalent experience.
  2. Choose based on your environment:
    • Cloud+ if your work spans multiple cloud providers or you want a vendor-neutral cloud operations credential. Roadmap.
    • Server+ if your role is primarily on-premises server infrastructure: hardware management, Windows Server, Linux server, RAID, virtualization, disaster recovery. Roadmap.
  3. Layer with a cloud-provider-specific cert. AWS SAA-C03, AZ-104, or Google ACE depending on your environment. These open salary bands that vendor-neutral certs do not.

Cloud+ and Server+ are not stepping stones to anything in the AWS or Azure cert trees. They are valid standalone credentials in their own right. Do not take Cloud+ as a prerequisite to SAA-C03: they are parallel, not sequential.

Path 4, the data analyst or database professional

You work with data operationally: business analysis, reporting, querying databases, or managing data environments.

  1. Data+ if you want to validate end-to-end data literacy: mining, analysis, visualization, and governance without engineering depth. Roadmap.
  2. DataSys+ if your role is closer to the database layer: installation, configuration, management, and security of database systems.
  3. Layer with a vendor-specific data cert if your environment demands it: Microsoft DP-900 for Azure data fundamentals, or Google PDE for GCP data engineering.

Data+ and DataSys+ are newer certs with lower brand recognition than Security+ or Network+. In 2026 they are most valuable at organizations that standardize on the CompTIA ecosystem, or for candidates who want a vendor-neutral credential alongside vendor-specific tools.

Path 5, the Linux system administrator

You administer Linux servers: package management, file systems, processes, networking, security, and scripting.

  1. Linux+. The only vendor-neutral Linux cert that CompTIA offers. Covers both the LPIC-1 (Linux Professional Institute Certification Level 1) and LPI Linux Essentials domains. Tests command-line operations, shell scripting, system services, storage management, networking, and security on multiple Linux distributions. Roadmap.
  2. Layer with a Red Hat cert if your environment uses RHEL: RHCSA for the sysadmin role, RHCE for the senior automation and services layer. Red Hat certs are performance-based exams (no multiple choice) with strong market recognition in enterprise Linux environments.

Linux+ is the right cert if your environment is multi-distribution or if you want the foundational Linux credential before committing to a single vendor's ecosystem. RHCSA is the right cert if your environment runs RHEL and your employer values Red Hat specifically.

Costs to budget

US 2026 voucher prices, before any discount programs:

TierExam fee
Core (A+, Network+, Security+, Linux+)$246 per exam
Specialist (CySA+, Cloud+, Server+, Data+, PenTest+)$359 per exam
Expert (CASP+)$499 per exam

Note: A+ requires two exams (Core 1 and Core 2) at $246 each, so the A+ total is $492. CompTIA often runs discount promotions through Pearson VUE and through academic channels. Employer reimbursement is common, particularly for Security+ and beyond.

The renewal math

Most CompTIA certs expire after three years and must be renewed through the CE program or by passing a higher-level exam. The renewal chains work like this:

  • Passing CySA+ or PenTest+ renews Security+.
  • Passing CASP+ renews Security+, CySA+, and PenTest+.
  • Passing Cloud+ renews Network+.

This matters for your sequence. If CySA+ is on your roadmap, plan to take it before your Security+ renewal deadline. You get both the upgrade and the free renewal in one exam fee.

Exceptions: Server+ and CTT+ do not expire at all. No CE program, no renewal deadline. That is unusual in the CompTIA catalog and one practical argument for Server+ over other intermediate infrastructure certs.

What to skip

A few common time-sinks worth flagging:

  • All core certs as a stack before any specialist cert. A+, Network+, Security+, and Linux+ back-to-back before any specialist work is four certs at the foundational level. Pick the role family first, take the foundation certs your path needs, then move up.
  • Project+. CompTIA's project management cert is not recognized by hiring managers the way PMP or CAPM is. If you want a project management credential, take CAPM or PMP. They cost more but carry meaningfully more weight.
  • CASP+ as a stepping stone to CISSP. CASP+ and CISSP target different audiences. CASP+ is for senior practitioners who stay technical. CISSP is for leaders who move into management, architecture oversight, or CISO track roles. If CISSP is your goal, the prep for it is the same whether or not you hold CASP+. Take CISSP directly after CySA+.

Pacing the whole arc

Honest timeline for someone working full-time at 8 to 10 hours of study per week:

  • Months 0 to 3: A+ (two exams, or skip if experienced).
  • Months 3 to 6: Network+.
  • Months 6 to 9: Security+.
  • Months 9 to 24: Real work experience in your role. Do not collect the next cert yet.
  • Months 18 to 24: First specialist cert (CySA+, Cloud+, Linux+, or Data+ depending on your path).
  • Months 30 to 48: Advanced cert (CASP+ or CISSP or equivalent) if your role demands it.

The candidates who finish fastest are the ones who do not try to compress it. Cert prep without field experience between levels produces a thin profile. The certs are accelerators on top of real work, not substitutes for it.

Common questions

What is the best first CompTIA certification in 2026?

For most candidates entering IT for the first time, A+ is the right starting point. It covers hardware, software, networking basics, and troubleshooting fundamentals that every subsequent cert builds on. With one to two years of IT experience already, you can start at Network+ or Security+ depending on your role focus.

Should I take A+, Network+, and Security+ in order?

Not necessarily. The trifecta is the sequence CompTIA recommends and that most IT support and help desk roles use as a benchmark. But if your goal is cloud or cybersecurity specifically, and you have relevant experience, starting at Security+ alone is often faster and more valuable than collecting all three in sequence first.

Do CompTIA certifications expire?

Most expire after three years and must be renewed through the CE program or by passing a higher-level exam in the path. Exceptions: Server+ and CTT+ do not expire. Passing a higher-level cert in the same path renews lower-level certs automatically.

Is CompTIA Security+ enough to get a cybersecurity job?

Security+ opens entry-level cybersecurity roles: SOC analyst, junior security analyst, IT security specialist. It satisfies US DoD 8570 requirements for most IAT and IAM contractor roles. It does not, by itself, get you a mid-senior security engineering or red team role. Those require Security+ plus field experience plus usually a second cert.

How does CompTIA compare to vendor-specific certs?

CompTIA certs are vendor-neutral and broadly recognized across job categories and employer types. Vendor-specific certs (AWS, Microsoft, Cisco, Red Hat) often unlock higher salary bands for roles in those specific environments. The two types are complementary: CompTIA certs validate foundational principles; vendor certs validate depth on a specific platform. Holding both is stronger than holding either alone.

Pick your path, then run a diagnostic

Decide your role family first. Then run the free CAT evaluation for the next cert in your sequence. Fifteen minutes, per-domain skill estimates, a phased roadmap sized to your real baseline. Doing this before booking an exam date is the cheapest correction you can make to a multi-month plan.

Related reading: the cybersecurity certification roadmap covers where Security+, CySA+, and CASP+ sit relative to CISSP, CEH, and OSCP, and the AWS certification path in 2026 covers the cloud-provider track alongside Cloud+.