Manzill Surolia

Analysis · 17 Jul 2026

The Cybersecurity Certification Map

Forty-plus certifications, eight domains, a dozen issuing bodies. You don’t collect them — you pick a lane and go deep. Here’s the map, and the order to walk it.

40+certifications in play
8domains / career lanes
~12issuing bodies
3levels: entry → pro → expert
1HR filters on it: CISSP

The certification landscape looks like an alphabet soup because it is one — forty-plus acronyms from a dozen competing bodies. But you never need more than a few. The trick is to read the map along two axes: which domain (SOC, offensive, cloud, GRC, privacy…) and which level (a foundational ticket, a professional credential, or an expert capstone). Pick a lane, walk it entry→expert, and let one or two certs from a neighbouring lane round you out. Badge-collecting is not a strategy.

1 · The Eight Domains

Each lane has its own ladder. This is where most careers actually specialise — and the certs that signal you belong there.

DomainEntryProfessionalExpert / advanced
FoundationalCC, Security+SSCP, GSECCISSP, CASP+ (SecurityX)
GRC & ManagementCISA, CRISC, CGRCCISM, CGEIT, CCISO
Offensive / Pen-testPenTest+, CEHGPEN, CPTS, CRTPOSCP, GXPN, LPT
SOC / Incident ResponseCyberOps Assoc., CFRCySA+, GCIH, CDSAGCIA, GMON, ECSA
Digital ForensicsGCFE, CHFIGCFA
Cloud SecurityCCSKAWS/Azure/GCP securityCCSP, GCSA
AppSec / DevSecOpsCASE, GWEBCSSLP, GSSP-Java
Data PrivacyCIPPCIPM, CDPSE

Highlighted certs are the ones the market treats as the lane’s benchmark.

2 · The Career Ladder (Any Lane)

Read vertically instead of by domain and the same three rungs appear everywhere: a foundational ticket to get interviews, a professional credential to do the job, an expert capstone to lead.

LevelWhat it provesRepresentative certs
EntryFoundational knowledge; you can be trusted with a junior roleCC, Security+, CyberOps Associate
ProfessionalYou can do the work in a specialty, hands-onCySA+, PenTest+, CCSP, CISA, CIPM
ExpertDepth or breadth to lead / architect / go adversary-gradeCISSP, OSCP, CISM, GXPN, GCFA, CCISO

CISSP is the one HR systems filter résumés on for senior roles — broad, management-leaning, and gated behind five years’ experience. It signals seniority more than any single hands-on skill.

3 · By Issuing Body (What Each Is Known For)

The body behind a cert tells you its flavour — vendor-neutral vs vendor-specific, theory vs hands-on, accessible vs premium.

BodyKnown forFlagships
(ISC)²Management-leaning, broadCISSP, CCSP, SSCP, CSSLP, CC
ISACAAudit, risk & governanceCISM, CISA, CRISC, CGEIT, CDPSE
CompTIAVendor-neutral, accessible on-rampsSecurity+, CySA+, PenTest+, CASP+
GIAC / SANSDeep, hands-on — and premium-pricedGSEC, GCIH, GPEN, GXPN, GCFA, GCSA
EC-CouncilBroad catalogue; door-opener certsCEH, CHFI, LPT, CCISO, CASE
Offensive SecurityBrutal, proctored, hands-on offensiveOSCP (and up)
Hack The BoxModern hands-on pen-test / SOCCPTS, CDSA
Cloud vendors & CSAPlatform-specific / cloud-neutral cloud securityAWS/Azure/GCP security, CCSK
IAPPPrivacy law & programme managementCIPP, CIPM

4 · Which Cert, When

A practical route by goal — start foundational, specialise, then capstone. Don’t skip the middle rung to chase the famous badge.

  1. New to security? CC or Security+ — the interview ticket.
  2. Heading for the SOC? CySA+ → GCIH; add CyberOps for a Cisco shop.
  3. Want to break things? PenTest+/CEH to learn the map → OSCP to prove it hands-on → GXPN to go deep.
  4. Going cloud? CCSK or a cloud-vendor security cert → CCSP as the capstone.
  5. GRC / audit path? CISA → CISM → CRISC — the ISACA spine.
  6. Privacy? CIPP (law) + CIPM (programme) + CDPSE (technical).
  7. Aiming to lead? CISSP for the résumé gate → CCISO for the executive track.

Bottom line

  • Pick a lane, don’t collect badges — depth in one domain beats a shelf of shallow certs.
  • CISSP is the résumé gate — broad and management-leaning; it opens senior doors, not a specific skill.
  • OSCP is the hands-on standard for offensive work; theory-only certs open doors but prove less.
  • GRC careers run on ISACA — CISA + CISM is the durable pair.
  • Match the body to the goal — GIAC for depth, CompTIA for on-ramps, vendor certs once you’ve committed to a cloud.

Sources & method. Certifications, issuing bodies and domains are drawn from the vendors’ own catalogues (ISC², ISACA, CompTIA, GIAC/SANS, EC-Council, Offensive Security, Hack The Box, the cloud providers, Cloud Security Alliance, IAPP). Level and “benchmark” placements are the author’s analysis of how the market reads them, and shift over time. Original analysis; no third-party graphics or text reproduced.