The Complete CompTIA Certification Path: From A+ to SecurityX

Map your CompTIA certification path from A+ through SecurityX. See which certs to get, in what order, and how they connect to real IT career goals.

The first question most people ask isn't which CompTIA cert they need. It's which one to start with. Skip ahead if you already know the answer — for most people it's A+, unless you've already done IT work for a couple of years, in which case it's probably Network+ or Security+. The harder question is what comes next, and that's what most of this post is actually about.

CompTIA has 12 active certifications right now, and the CompTIA certification path through them is more deliberate than most career-change blogs make it sound. The certs are designed to stack. You don't grab them randomly — you climb them.

How the certifications stack

CompTIA groups its certs into five tracks: core, infrastructure, cybersecurity, data, and specialty. The labels are mostly marketing. What actually matters is the dependency chain underneath.

A+ is the foundation. Network+ assumes you understand how IT systems work. Security+ assumes you understand both. From Security+ you branch into CySA+ (defense), PenTest+ (offense), or CASP+ — which, by the way, was renamed SecurityX in 2024. Same exam content, same DoD recognition, but you'll see both names in job listings for the next few years and it confuses everyone.

The infrastructure branch (Server+, Linux+, Cloud+) builds on A+ and Network+ but doesn't require Security+. The data certs (DataSys+, DataX) sit mostly on their own. Project+ has no real lineage and no prerequisites.

One thing most people miss: passing a higher-tier cert renews the lower ones automatically. Earn Security+ and your A+ resets for another three years. Earn CySA+ and your Security+ resets. Climb the ladder and you're maintaining everything below with a single recert. This is one of the under-discussed reasons CompTIA's stacking model is more useful than collecting random vendor certs.

The trifecta — why everyone keeps recommending it

If you've spent any time on r/CompTIA, you've heard the term "trifecta": A+, Network+, Security+. It became the default entry path to cybersecurity careers because the math worked — most SOC analyst, junior security engineer, and InfoSec analyst job postings either require Security+ or strongly prefer it, and the underlying knowledge from the other two shows up in the interview even when it's not on the job description.

Here's the part people get wrong about the trifecta: it's not really about collecting three credentials. It's about whether you actually have the knowledge those credentials represent. I've watched people drill A+ practice questions for a month, pass the exam, and then flame out on Network+ because they couldn't reason about subnetting from scratch. They had the cert. They didn't have the foundation. The trifecta works when you actually learn it. It doesn't work as a pattern-matching exercise.

A few patterns worth knowing:

If you have zero IT experience, start with A+. Don't be tempted to skip it because you built your own gaming PC. A+ tests a specific kind of structured troubleshooting reasoning that most hobbyists haven't formalized, and Network+ assumes you've internalized it.

If you've been doing helpdesk for 2+ years, you can probably skip A+ entirely and go straight to Network+. Most hiring managers won't hold the missing A+ against you when your resume already shows the work. The deeper take on this trade-off is in the A+ vs Network+ post.

If you came from a NOC or networking background, you can sometimes jump straight to Security+. But take a Network+ practice exam first. The concepts will feel familiar, but CompTIA's question style isn't, and that catches a lot of experienced people off guard.

ITF+ exists for people who genuinely don't know what a USB port does. If you're reading this, you don't need it.

Picking your direction after the trifecta

This is where the path branches and where generic advice stops being useful. The right next cert depends entirely on what kind of role you actually want.

SOC analyst / blue team work. CySA+ is the direct continuation. It went through a major refresh in 2023 and now leans harder into cloud and detection engineering. Good fit if you're aiming at threat detection, vulnerability management, or incident response.

Pentesting / red team work. PenTest+ is the obvious choice on paper. I'll be honest about it though — the offensive security industry doesn't really respect PenTest+ the way it respects OSCP or eJPT. PenTest+ is fine as a second cert and helps with HR filters, but if your real goal is offensive security, plan on hands-on certs eventually. Hiring managers in this space want to see actual assessment skills, not multiple choice.

Cloud roles. This is where CompTIA gets weakest. Cloud+ is vendor-neutral, which sounds great in theory but means it doesn't carry the weight of AWS Solutions Architect or Azure Administrator in actual cloud hiring. If you're building a cloud career, get a vendor-specific cert first. (More on Cloud+'s actual market value here.)

Systems / infrastructure. Server+ and Linux+ are both solid. Linux+ in particular has become more relevant as Linux skills get baked into more job descriptions. A+ → Network+ → Linux+ is a reasonable infrastructure-focused trifecta variant if you're not chasing security roles.

Data work. DataSys+ and DataX are CompTIA's newest additions and frankly still earning their reputation in the market. If your employer specifically asks for them, get them. If they don't, vendor certs (Snowflake, Databricks, AWS data) probably move the needle more right now.

Project management. Project+ is fine, but PMP is the cert that actually drives PM hiring in IT. Project+ works as a bridge for people who don't yet have the documented project hours PMP requires.

The 12 certs, in less detail than CompTIA's site

Below is the practitioner's-eye view. I'm going deeper on the cybersecurity certs because that's where most people on this site end up, and skimming the others. CompTIA's official exam objectives are exhaustive if you need every detail.

Core

A+ (Core 1 + Core 2). Two exams, both required, both moderately difficult. Hardware, OS, networking basics, security basics, customer service, troubleshooting methodology. The most widely recognized entry-level IT cert in the world. Plan on roughly three months of study from a cold start.

ITF+. Pre-A+ for total beginners. Skip unless you're working with someone who genuinely has no exposure to computers.

Infrastructure

Network+. TCP/IP, routing, switching, wireless, troubleshooting. Heavier on subnetting and protocols than people expect. You need lab time, not just reading time.

Server+. Server hardware, virtualization, storage, admin tasks. Useful for sysadmin roles, less essential than it used to be as more infrastructure moves cloud-native.

Linux+. Linux administration, command line, scripting basics, security hardening. The cert went through a significant refresh recently and is harder than its earlier reputation suggested. Genuinely useful for DevOps-adjacent work.

Cloud+. Vendor-neutral cloud architecture and operations. Best treated as a supplement to vendor certs rather than a substitute.

Cybersecurity

Security+. The big one. Threats, cryptography, IAM, security architecture, incident response. This is the cert most cybersecurity job postings require, and the one that opens DoD 8140 doors. Even with prior security exposure, plan on 2-3 months of focused study — the full timeline breakdown is here.

CySA+. Defensive analyst work. After the 2023 refresh, expect heavier cloud and detection-engineering content. Good fit for SOC and vulnerability management tracks.

PenTest+. Penetration testing methodology, scoping, reporting. Multiple choice and PBQs — useful for HR filters, less useful as proof of hands-on offensive skill.

CASP+ / SecurityX. Senior-level security architecture and strategy. Renamed in 2024 but the content and DoD recognition didn't change. Not a starting cert. Aim here once you have several years of security experience under your belt.

Data

DataSys+. Data administration and database management. Newer, still building employer recognition.

DataX. Data analytics and BI. Even newer. Watch the job market in your area before committing study time.

Specialty

Project+. Entry-level IT project management. Useful as a bridge toward PMP for people who can't yet meet PMP's project-hour requirements.

DoD 8140 and the government track

If federal contracting or DoD work is even a vague possibility for you, the certification math gets simpler — and a lot more important.

DoD 8140 (which replaced 8570 in 2023, though the transition is still working its way through agencies and contractors) requires specific certifications for cybersecurity work roles. Security+ alone qualifies you for IAT Level II and IAM Level I positions, which covers most of the entry to mid-level security work in defense contracting. CySA+, PenTest+, and SecurityX cover the higher tiers. The full mapping is in our DoD 8140 post.

The practical impact: if you're targeting government work, the trifecta plus one advanced cert is your floor, not your ceiling. And because DoD requirements change slowly, certs recognized today will almost certainly still be recognized five years out. That stability is one of the underrated reasons CompTIA dominates entry-level government cybersecurity hiring.

One pattern I've noticed: people in the military who let their CompTIA certs lapse during deployments end up paying for it later. The trifecta plus continuing education credits is much cheaper than re-taking exams from scratch. If you're in a position to renew via continuing education, do it.

How long the path actually takes

Honest answer: somewhere between 12 months and 4 years, depending on how aggressive you are and what you're starting with.

A reasonable timeline for someone working full-time with limited prior IT experience:

  • A+ — about 3 months
  • Network+ — about 3 months
  • Security+ — 2 to 3 months
  • One advanced cert (CySA+, PenTest+, Cloud+, etc.) — 3 to 4 months

That's roughly 12 to 15 months from zero to Security+ plus one specialization. Each additional advanced cert adds another 6 to 9 months.

A few honest things about timelines:

People underestimate how much study time gets eaten by life. You'll have weeks where you put in 15 hours and weeks where you put in zero. Both happen. Setting an exam date 90 days out and working backward is more effective than trying to study "consistently" without a deadline — vague timelines have a way of becoming permanent.

Failed exams are common and not the disaster they feel like. CompTIA exams are pass/fail, the failure doesn't go on your record, and most people who fail Security+ pass on the second attempt with another month of focused work on their weak domains.

The trifecta tends to compress as you go. A+ takes the longest because the foundations are new. Network+ goes faster because you've built study habits. Security+ goes faster again because the concepts overlap with Network+ in ways the official objectives don't make obvious.

What to actually do next

If you're starting from zero, the move isn't picking a study plan — it's figuring out where you actually stand. Most people overestimate how much they know about networking and underestimate how much they know about security, and that mismatch wrecks otherwise reasonable study plans.

Take a free CompTIA diagnostic before you commit to a track. LearnZapp's covers the core domains across the trifecta with no signup, and the per-domain breakdown will tell you in about 20 minutes whether A+, Network+, or Security+ is actually the right starting point for you — instead of going off what worked for someone else two years ago.
