I did my first (vocational) IT exam in 1999. This was after an annual appraisal from my (then) manager, who said “I’ve spoken to lots of people, and they’re all very impressed with your work. However, there’s no way for me to quantify your performance, so you don’t get a pay rise.” Based on that, I decided that it would be useful to have some objective evidence of my abilities from a neutral 3rd party, so I took the Visual Basic 5.0 exam and became a Microsoft Certified Professional.
Fast forward to 2023: I’ve now passed 41 exams and earned 50 certifications. In all honesty, this process has been a bit haphazard; I’ve picked certifications based on what looked interesting at the time, or what related to a skill I’d been using at work, rather than having a clear roadmap of where I wanted my career to go. I’ve also sometimes leant towards the Pokémon approach of “gotta collect them all!” So, I think it’s time to look back and review which of these were worthwhile, and which I’d recommend to other people.
NB I’m not including my university degrees in this list, because they’re academic rather than vocational. I’m also not including the European Computer Driving License (ECDL), because that’s aimed at end users rather than IT professionals.
Obviously, there are a lot of career paths within IT. For instance, a full-stack developer will spend a lot of time working with code inside an IDE (integrated development environment). By contrast, someone who handles GDPR compliance will be writing retention schedules and processes to handle subject access requests, so they’ll probably spend most of their time using Word/Excel. So, keep that in mind when you’re choosing which (if any) certifications you want to pursue.
Also, bear in mind that some certifications are “good for life” (similar to a GCSE), whereas others have to be maintained (e.g. by taking a new exam every 3 years). So, consider whether you want to make that kind of long-term commitment to the upkeep.
If you do have a deadline to do an exam, my advice is that you don’t leave it until the last minute; give yourself a safety margin. In 2019, my appendix burst and I had to go into hospital for emergency surgery. The day after I was discharged, I then had to travel to a test centre to do a Cisco exam; I couldn’t reschedule, because this was the last possible day to keep my existing certification active. If I’d booked the exam a month earlier, I could have delayed it.
If you want to know whether a certification is useful, a simple technique is to go to job sites and search their adverts for that keyword (e.g. “CCNA” or “CISSP”). However, some certifications act as a stepping stone, so they’re indirectly useful. Putting it another way, they’re necessary but not sufficient. For instance, suppose that you want to be a Maths teacher. If you just have a GCSE, and all the other candidates have a degree, they’ll have an advantage over you. However, you can’t get a Maths degree without having a Maths A level, and you can’t get a Maths A level without having a Maths GCSE. So, even if those job adverts don’t specifically ask for a Maths GCSE, you’ll still need it. (This particular example is specific to the UK, but the general principle applies more widely.)
In some cases, there are formal prerequisites. E.g. Cisco used to say that you had to be CCNA certified before you could get CCNP certified; if your CCNA lapsed then you had to start all over again. The 2020 syllabus removed that requirement, but they do still expect you to know the CCNA material. Based on that, you might want to do the training and skip the exam, which will save you some money. However, it can be tricky to know when you’re ready to move on. Much like Scylla and Charybdis in legend, you might be torn between imposter syndrome (“yes, I’ve read 5 books cover to cover, but do I really understand this?”) and the Dunning-Kruger effect (“well, I heard somebody mention this once, so I’m sure I’ve got the gist of it”). I wrote more about this in a previous post (Assessing ability): personally, I’m concerned about blind spots, so an exam will make me aware of “the things I didn’t know that I didn’t know”, and I think that’s worth the time/money.
I’ve grouped these certifications by vendor (e.g. Cisco) rather than topic (e.g. networking). I’m listing certifications rather than exams; sometimes it takes multiple exams to get a single certification (e.g. I passed 2 exams to get my CCNA), and other times a single exam will give multiple certifications (e.g. with CompTIA’s stackable certs). I’ve linked back to my previous posts so that you can read more detail on each certification, e.g. the training resources I used.
Speaking of training resources, please avoid “brain dump” sites. These are websites that (claim to) have copies of the real exams, along with the correct answer to each multiple choice question. If they’re telling the truth, that means that their staff have breached the NDA (Non-Disclosure Agreement) by repeating those questions. More importantly, if you use these sites then you are cheating. Even if you pass the exam, you’ll just be a paper tiger: memorising those answers won’t give you the underlying knowledge to actually do the job. If you get caught then lots of organisations will take away any existing certifications you have and ban you for life from ever doing another exam.
NB Those dodgy websites aren’t restricted to the so-called “dark web”. I’ve seen adverts for them when I watch YouTube videos, and at first glance they appear to be legitimate: they’re brightly lit, with upbeat music, and smiling students (actors). However, the voiceovers will hint at what’s really going on. E.g. “Why waste hundreds of hours studying? Come to us and we’ll teach you everything you need to know to pass the exam!” It’s ok for a book/video to offer practice questions, but they should be based on the exam objectives. In other words, they should be in the style of the real exam, but they should never actually be copied from the real exam.
ITIL
- ITIL Foundation
I found this really boring, but unfortunately there are a lot of jobs that list it as a requirement; basically, anything that involves dealing with incidents and service requests, whether you’re actually on the service desk or picking up those incidents in the server/network team. It won’t get you a job on its own, but if you don’t have it then you won’t get the job. (Similar to my Maths GCSE analogy above, this certification is necessary but not sufficient.) I did the ITIL 3 exam, which is good for life; at some point, clients might ask for an ITIL 4 certification specifically, but I’m hoping to be in a different role by that time.
BCS
- Foundation Certificate in Software Testing
- Foundation Certificate in Information Security Management Principles (CISMP)
These certifications are both good for life.
I took the software testing exam in 2008, under ISEB (Information System Examination Board). The exams later got rebranded as BCS (formerly the British Computer Society), and the BCS now handles ISTQB (International Software Testing Qualifications Board) exams in the UK. So, the modern equivalent of this particular exam is ISTQB Certified Tester Foundation Level (2018).
As a developer (at the time), I tested my own code. I also had someone reporting to me who was a full-time tester, and I wanted to assess whether this would be relevant to them. There are some useful concepts in here, e.g. the difference between confirmation testing (“did we fix this bug?”) and regression testing (“did we break anything else in the process?”), which I’ve incorporated into my post-change test plans for change management. As a foundation exam, it’s mostly about memorising the terms rather than having a deeper understanding of how to apply them, so I found it fairly straightforward; I read the textbook to prepare rather than going on a training course.
If you want to be a software tester, this is valuable. I’ve seen job adverts where the requirements include:
“Minimum Requirement to have ISTQB Foundation Level”
I don’t think it’s an absolute deal-breaker in the same way as ITIL Foundation, but it will definitely improve your chances.
As a side note, I don’t think this is really relevant to penetration testing; there are far more specific certifications for that.
I took the CISMP in 2022. At the time, I was using it to prepare for the CREST CPSA (see below), and it wasn’t really relevant to that. However, it has been useful for the CompTIA CASP+ (see below) and IASME Cyber Assurance.
Cisco
- Cisco Certified Entry Network Technician (CCENT)
- Cisco Certified Network Associate (CCNA) Routing & Switching
- Cisco Certified Network Associate (CCNA)
- Cisco Certified CyberOps Associate
These certifications need to be renewed every 3 years.
When I took the CCNA R&S certification, there was a choice of doing it all in 1 exam or in 2 separate exams. I chose to do it in 2 stages: ICND1 gave me CCENT, then ICND2 gave me CCNA R&S. When Cisco updated their certifications in Feb 2020 (consolidating most of the CCNA paths), I was automatically given the new CCNA as well. That means that 3 out of those 4 certifications are effectively the same, so I only list “Cisco Certified CyberOps Associate” and “Cisco Certified Network Associate (CCNA)” on my CV.
The main CCNA is a popular cert, i.e. a lot of employers ask for it in job adverts. Unlike the CompTIA certifications, this is very much Cisco-specific, and you need to know their implementation details (e.g. IOS commands). So, if you don’t work with Cisco kit then you’ll struggle with this; however, if you get it then a lot of the principles will apply elsewhere (e.g. to Aruba switches). So, if you want to be a network technician, this certification should definitely be on your shortlist.
The CyberOps certification is newer, and there’s not much demand for it amongst employers. There’s not much focus on hands-on skills (e.g. implementing 802.1X), because the old CCNA Security certification would cover that. It’s more about the concepts, e.g. threat models. For now, I think you’d be better off with Security+ and CySA+ (see below); only do this if you have a specific need for it (e.g. if your employer asks for it).
CompTIA
- A+ (good for life)
- A+ ce
- Server+ (good for life)
- Network+ ce
- Security+ ce
- CySA+ ce
- PenTest+ ce
- CASP+ ce
- Project+ (good for life)
The “ce” (continuing education) certifications need to be renewed every 3 years.
- IT Operations Specialist (CIOS) [A+, Network+]
- Secure Infrastructure Specialist (CSIS) [A+, Network+, Security+]
- Network Infrastructure Professional (CNIP) [Network+, Server+]
- Network Vulnerability Assessment Professional (CNVP) [Security+, PenTest+]
- Security Analytics Professional (CSAP) [Security+, CySA+]
- Security Network Professional (CNSP) [Security+, PenTest+, CySA+]
- Security Analytics Expert (CSAE) [Security+, CySA+, CASP+]
- Security Infrastructure Expert (CSIE) [Security+, CySA+, PenTest+, CASP+]
The stackable certifications are basically a gimmick. At best, it’s a form of brevity, e.g. a job advert could ask for “CSIS” rather than “A+, Network+, and Security+”. However, I’ve never seen that happen, and I don’t even bother listing the stackable certifications on my CV. So, it’s not worth getting a direct certification just to fulfil the requirements for another stackable certification; you should consider the direct certifications on their own merits.
NB I haven’t done the IT Fundamentals certification so I can’t comment on how useful that is.
A+, Network+, and Security+ make up the “core” track, and I’d recommend them all to anyone who works in IT. Even if you don’t do the exams, you should at least read through the exam objectives and make sure that you’re comfortable with all the topics they list.
- A+ is aimed at people who are doing desktop support; if you’re working with servers or network infrastructure then it’s less relevant. However, I thought it was quite interesting (particularly some of the information in Mike Meyers’ textbook that went beyond the syllabus), and it might be useful if you’re upgrading your home PC.
- Network+ will teach you about subnets (particularly variable length subnet masks and CIDR), which is also relevant to desktops and servers. This is an important prerequisite for cybersecurity, e.g. you can’t do a ping sweep or a port scan unless you understand how IP addresses work.
- Security+ goes for breadth rather than depth, and it will make you aware of important principles. This includes “traditional” security concepts (e.g. a man in the middle attack) and also disaster recovery principles (e.g. RPO and RTO).
Server+ is part of the infrastructure track. However, I don’t recommend this in its current form, because there’s too much overlap with the core exams. There is some useful stuff in there relating to storage (e.g. LUNs and converged network adapters), so the training might be useful, but I wouldn’t bother with the exam.
CySA+ and PenTest+ are intermediate exams, part of the cybersecurity track. They were introduced a couple of years ago (CySA+ in 2017 and PenTest+ in 2018) to bridge the gap between Security+ and CASP. The CySA+ is useful, and some aspects are relevant to other job roles, e.g. server admins might want to run regular vulnerability scans. The PenTest+ was disappointing; I recommend the eJPT instead (see below).
CASP+ is essentially a “capstone” certification, which includes material from all the others. I mainly did it so that I could renew my existing CompTIA certs for another 3 years. CompTIA suggest that it’s comparable to the CISSP (from ISC2), but in practical terms there are very few job adverts which mention it.
Project+ is a bit different to the others. It’s aimed at IT professionals rather than dedicated project managers, and there are two main benefits. Firstly, if you’re working alongside a project manager then it’s useful to speak the same “language”. Secondly, if you’re planning out your own projects then it will give you a more realistic idea of timescales. I think the principles can also be applied elsewhere, e.g. if you’re doing home renovations.
If you want to take a CompTIA exam, don’t book it directly through the Pearson Vue website. Instead, buy a voucher, then redeem that voucher at Pearson Vue. Several organisations offer discounts, but they only apply to the CompTIA marketplace; you can’t use those discounts at Pearson Vue. For instance, as an ACM member I get a 15% discount on exam vouchers. Another option is to visit Dion Training, who offer at least a 10% discount on exam vouchers; depending on what discounts you’re eligible for elsewhere, this might be a cheaper option.
If you’re eligible, you should consider doing a beta exam. It’s significantly cheaper, e.g. the Project+ exam cost me £30+VAT rather than £212+VAT. The drawback is that you won’t have dedicated training material available for the new version, and you’ll have to wait 6 months for your results.
CREST
- CREST Practitioner Security Analyst (CPSA)
- CREST Registered Penetration Tester (CRT)
All CREST certifications expire after 3 years.
The CPSA is quite a niche certification. Basically, if you want to get the CRT then you must do the CPSA as a prerequisite. (Think of it like a driving licence, where you have to do the theory test before the practical test.) I’ve also seen companies asking for the CPSA in job adverts, i.e. this might get you an interview on its own. However, this is just a stepping stone rather than an end goal. E.g. with Cisco I think it’s absolutely fine to stay at CCNA level without ever progressing to CCNP, but with CREST you should be planning to move beyond the CPSA.
I got the CRT via equivalency (i.e. I combined the CPSA and OSCP). At some point I’ll do the CREST practical exam, which will make me eligible to be a CHECK Team Member.
NB CREST certifications will be particularly useful if you want to work for a company which is CREST approved.
CWNP
- Certified Wireless Technology Specialist (CWTS)
I got this certification in 2015, and it’s good for life, but CWNP retired the exam in Dec 2018. They suggest the CWS or CWT as replacements. These are valid for 3 years (rather than being perpetual like the CWTS), but you can only renew them by taking a new version of the same exam; in particular, the CWNA (Network Administrator) won’t renew them. By contrast, the CWAP (Analysis Professional), CWDP (Design Professional), and CWSP (Security Professional) will all renew the CWNA.
The CWTS was aimed at “sales and support”; that’s an unusual target audience, since the two roles don’t have much in common. The syllabus included a lot of theory about the physics of radio waves, which is more than a marketing person really needs to know, so I can see the logic of splitting the syllabus in half: CWS for sales and CWT for IT support. Based on the exam objectives, I think that the new CWT looks fairly similar to the old CWTS, although I can’t vouch for it personally.
The CWTS hasn’t been directly useful to me, e.g. I haven’t seen any job adverts asking for it. There are a few adverts that ask for the CWNA (typically in the context of “you should have one of these certs” rather than “you must have this specifically”), and the CWTS is a stepping stone towards that. I also found the wireless material in the Network+ syllabus very easy after I’d done the CWTS, but it would be overkill just as preparation for that. Similarly, this was useful preparation for the OSWP (see below), but it’s not necessary.
Basically, I’d view the CWTS as more academic than vocational; it would fit in well as a module in an undergraduate degree. If you work with wireless networks and you really want to understand how they work, then this will be useful to you. If you just want to know how to configure the equipment, you’d be better off with a vendor certification (e.g. from Cisco or Aruba).
I don’t regret doing the CWTS, and I might take the CWNA at some point: partly for my own interest, and partly as a prerequisite for the CWSP. However, that’s a low priority for me.
eLearnSecurity
- eLearnSecurity Junior Penetration Tester (eJPT)
This is a good certification for aspiring pen testers. It probably won’t get you a job on its own, but it’s a good stepping stone towards a higher certification (e.g. the eCPPT or OSCP), and far better than the PenTest+. Basically, the exam involves a lab and a multiple choice test. In order to answer the questions, you have to do a pen test against the lab servers, so you need to have hands-on skills with the relevant tools.
This certification is good for life, but it’s no longer available to new students; it’s been replaced by the eJPTv2.
(ISC)2
- Systems Security Certified Practitioner (SSCP)
I had high hopes for this, but I was disappointed. The exam content was very similar to the Security+, so my advice is to do that instead. Be aware that aside from the cost of the exam (currently £199+VAT), you also have to pay $125/year as an annual maintenance fee, and do CPE activities to renew it every 3 years.
Part of the problem is that the (ISC)2 don’t do much to promote this certification. Looking through their magazine, they either talk about the CISSP (which is established as their “flagship” certification) or the CCSP (which is new and shiny), but they barely even mention the SSCP. The subtext seems to be “yes, this is also a thing that exists, and you can do it if you really want to, but we don’t care about it”. Consequently, this doesn’t seem to carry any weight with potential employers.
Microsoft
- Microsoft Certified Professional
- Microsoft Specialist: Windows 7, Configuring
- Microsoft Specialist: Windows 7, Enterprise Desktop Support Technician
- Microsoft Specialist: Windows 7, Enterprise Desktop Administrator
- Microsoft Certified IT Professional: Enterprise Desktop Administrator on Windows 7
- Microsoft Certified IT Professional: Enterprise Desktop Support Technician on Windows 7
- Microsoft 365 Certified: Fundamentals
- Microsoft Certified: Azure Fundamentals
- Microsoft Certified: Security, Compliance, and Identity Fundamentals
- Microsoft Certified Solution Developer: Visual Studio 6.0
- Microsoft Certified Desktop Support Technician: Windows XP
- Microsoft Certified Technology Specialist: Microsoft Windows Vista, Configuration
- Microsoft Certified IT Professional: Enterprise Support Technician on Windows Vista (Charter Member)
- Microsoft Certified Technology Specialist: Windows 7, Configuration
- Microsoft Certified Solutions Associate: Windows 7
- Microsoft Certified Technology Specialist: Microsoft Exchange Server 2007, Configuration
- Microsoft Certified Technology Specialist: SQL Server 2005
All of these certifications are “good for life” (i.e. you don’t need to recertify), although they will become less relevant over time; hopefully there aren’t many companies left who are still using Windows XP! A few years ago, Microsoft overhauled their entire certification program, so most of these certifications are no longer on offer. It’s not simply that the product has changed to a newer version, e.g. there’s no current version of the MCSD or MCSE.
The distinction between active and retired certifications seems a bit arbitrary, but the lists above correspond to my transcript. In fact, looking at the active list, these are the only 3 certifications which are still available (for new test-takers):
- Microsoft 365 Certified: Fundamentals
- Microsoft Certified: Azure Fundamentals
- Microsoft Certified: Security, Compliance, and Identity Fundamentals
(On a side note, Microsoft also offer Associate and Expert certifications for their cloud technology. Those certifications have to be renewed every year, but the renewal exam is free of charge. Their Fundamentals certifications last forever, but the content of the exam is updated every so often.)
I don’t bother listing the older certifications on my CV anymore; I have so many that I need to pick and choose which are most relevant.
I had some quibbles with the Fundamentals exams, but I think they’re worthwhile if you’re applying for jobs that involve cloud technology; aside from anything else, it’s a legitimate way to get that keyword on your CV so that you can get past the HR filter. The training is free, and each exam costs £69 (+VAT); most of the exams I’ve taken cost between £200 and £300 each, so these are definitely at the cheaper end of the scale. You might also be able to get a free exam voucher if you attend a virtual training day.
OffSec
(Offensive Security rebranded as OffSec in March 2023. The name has changed, but the acronyms for their certifications remain the same.)
- Offensive Security Certified Professional (OSCP)
- Offensive Security Wireless Professional (OSWP)
These certifications are good for life.
In simple terms, the OSCP is a de facto requirement to be a penetration tester. It’s possible to get a job without it, but having the certification will give you more options. There are some rivals (e.g. the eCPPT, the PNPT, and the CPTS) but they don’t have the same recognition. It’s “entry level” by pen testing standards, i.e. there are more advanced certifications out there, but it’s also the hardest exam I’ve done so far; it’s 24 hours long, so it’s physically demanding as well as the mental challenge!
The OSWP is useless on its own, but if there are 2 candidates with the OSCP and 1 of them has the OSWP too, it might make a difference. Having said that, I found the course really interesting and the exam was actually fun (a bit like an escape room). So, I do recommend this for pen testers, but you might want to do the OSCP first.
NB If you get a Learn One subscription from OffSec, that will cover both courses/exams.
Palo Alto Networks
- Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)
- Palo Alto Networks Certified Cybersecurity Associate (PCCSA)
Although the name suggests that PCCSA is equivalent to CCNA, this is really a foundation level certification, similar to Microsoft 365 Fundamentals. It’s now been re-branded as PCCET (which is a more accurate name), i.e. I got both certifications from the same exam.
NB I briefly had both certifications; when I recertified, I kept PCCET but lost PCCSA. So, looking at the title of this post, I’ve earned 50 certifications and none of them have lapsed, but “only” 49 are still active.
Palo Alto certifications have to be renewed every 2 years.
Doing this course and exam, a lot of the content felt very familiar: it’s basically the same material that I covered in Security+, SSCP, and SECFND (the first half of Cisco Certified CyberOps Associate). So, I personally didn’t learn a great deal from this. However, this exam is cheaper than the other 3, so if you’re interested in basic security concepts then it might be a good place to start. On the other hand, if you’ve got a lot of experience with Panorama and PAN-OS, you might be better off jumping straight to the Palo Alto Network Security Administrator exam (PCNSA).
I haven’t seen any jobs that specifically ask for the PCCET/PCCSA certification, but I have seen a lot of adverts that want experience with Cisco, Checkpoint, and Palo Alto firewalls. So, having this on your CV might get you past a keyword filter and get you to the interview stage. However, it doesn’t prove that you know how to configure a firewall, so you’ll need hands-on experience to supplement the certification if you’re applying for that type of role.