The cybersecurity certification roadmap, from zero to senior
There is no single cybersecurity certification roadmap that fits every candidate. The right order depends on where you are starting. A career changer with no IT background follows one path. A sysadmin pivoting laterally follows another. A senior engineer with five years under their belt should not be sitting Security+. Below are the four common paths, the realistic timelines, and what each one qualifies you for.
Path 1: Zero IT background to first security role
Start with CompTIA A+, then CompTIA Network+, then CompTIA Security+. Yes, all three. Most security work is networking work in disguise, and skipping the networking layer is why so many junior analysts stall at packet captures and firewall rules.
Realistic timeline: 9 to 12 months part-time. At the end you qualify for tier-1 SOC analyst, junior pentest, or junior compliance roles.
Path 2: Sysadmin or developer transitioning into security
Skip A+ and Network+. You already have the fundamentals. Start at Security+. After that, split based on intent. Defensive track: CySA+ then CASP+. Governance track: CISA then CISM.
Realistic timeline: 6 to 9 months for Security+ plus one specialty.
Path 3: Five-plus years experience, going for senior IC
Skip the CompTIA stack entirely. Start at (ISC)² CISSP. The credential requires five years of paid security work to activate, the first-attempt pass rate sits around 65%, and you should plan 100 to 150 prep hours minimum. It is a thinking exam, not a memorization exam.
Layer specialty after CISSP based on where you want to land: CISM for the manager track, AWS SCS-C02 for AWS security IC work, CCSP for cloud security generalists, or CEH if you are leaning offensive.
Path 4: Audit and governance track
ISACA CISA is the cert that finance and healthcare hiring managers actually look for, followed by ISACA CISM for the strategic side. CISSP is optional here: useful, but not required.
Realistic timeline: 12 to 18 months for CISA plus CISM.
What to skip
Stacking three entry certs in a year (Security+ plus SSCP plus GSEC) is overkill and signals indecision to hiring managers. CEH as your first cert is a mistake if you want hands-on offensive work, because pentest hiring expects OSCP. And sitting CISSP without the experience requirement leaves you with the Associate designation, which does not activate the credential. Hiring managers know the difference.
Where to start on this map
If you are not sure which path is yours, take the free CAT evaluation at claudelab.me. It tells you which step on this roadmap is closest to your real baseline. ARIA picks the next milestone from there, not from where you wish you were.