The CompTIA Cybersecurity Certification Ladder: Security+ → CySA+ → PenTest+ → CASP+

The real CompTIA cybersecurity certification path — Security+, then CySA+ or PenTest+, then CASP+ or CISSP. Honest salary data and where people usually pick wrong.

The CompTIA cybersecurity certification path is shorter than people think. Four certs total: Security+, then either CySA+ or PenTest+, then CASP+. That's it. Everything else CompTIA sells is either adjacent (Network+, Cloud+) or a specialized sidebar.

The actual question isn't which certs exist. It's which order makes sense, when you're ready to move, and what to do at the two real decision points on the way up.

The shape of the ladder

Security+ is the floor. Past that, the ladder forks once and joins back up once.

  • Entry: Security+
  • Mid-career fork: CySA+ (defensive/blue team) or PenTest+ (offensive/red team)
  • Advanced: CASP+ — or CISSP, if you're bending toward leadership

Most people take 5–7 years to climb the whole thing. Some move faster. The ones who move faster almost always have hands-on security work in their day job — not just study time.

Security+: the part you can't skip

Everyone starts here. Security+ is the DoD 8140 baseline, which means if you want any federal cybersecurity job — or any cleared contractor role — you need it. Private sector is similar: most mid-level security postings list Security+ as "required or equivalent," and for "equivalent" they usually mean CySA+ or CISSP, which you don't have yet.

Typical roles: SOC analyst (Tier 1), security systems admin, junior security engineer, IT specialist with security duties. Salary range is roughly $65k–$95k depending on region and whether you already have IT experience. The low end is "help desk person who just passed the exam." The high end is "network admin of five years who finally got the cert and moved into a security seat."

Most people study 8–12 weeks at ~15 hours a week. If you want the week-by-week version, we have a Security+ study plan broken down by domain.

One thing worth saying plainly: Security+ doesn't make you a security professional. It gets you in the room. The actual security work starts in your first SOC shift when someone hands you an alert queue and says good luck.

The real fork: CySA+ vs PenTest+

This is the decision that matters. Security+ is mostly a formality — you study it, you pass it, you move on. The blue team / red team split is where your actual career starts shaping itself, and people get it wrong all the time.

Here's the pattern I see most often: someone reads about pentesting, watches a few HackTheBox videos, decides red team is obviously cooler, and chases PenTest+. Then they spend two years as a junior pentester doing the same web app assessment over and over for clients who barely read the report. Meanwhile their friend who "settled" for CySA+ is running point on incident response at a Fortune 500 and making $30k more.

The cooler cert isn't always the better career. Below is what each one actually opens up.

CySA+ (defensive / blue team)

CySA+ is threat detection, behavioral analytics, vulnerability management, incident response. You're the person watching the SIEM, triaging alerts, tuning detections, and running response when something goes wrong. Job titles: SOC analyst Tier 2-3, threat analyst, vulnerability analyst, incident responder, defensive security engineer. Salary range roughly $80k–$115k.

The job market for defense is enormous. Every company with a SOC needs more blue team people, and the burnout rate means they're always hiring. If you like data, patterns, and the satisfaction of catching something before it became an incident, this is the path.

We have a full CySA+ vs. Security+ breakdown if you want the domain-level detail.

PenTest+ (offensive / red team)

PenTest+ is the other path — authorized testing, exploitation, assessment, reporting. Titles: penetration tester, vulnerability assessor, red team operator, security consultant. Salary range roughly $85k–$125k, and the ceiling is higher than CySA+ once you're senior, especially if you move into consulting or specialized red team work.

The trade-off: fewer positions, tougher market for juniors, and the work is less varied than people expect. A lot of junior pentesting is external network assessments and web app testing on a rotation. The really interesting stuff — red team engagements, physical testing, adversary emulation — is senior-level work, and there are maybe a few thousand of those jobs in the US. PenTest+ is also a harder exam than Security+ in a meaningful way; we wrote about the PenTest+ difficulty jump separately.

How to actually pick

If you like investigating, tuning systems, and being on the team that defends an organization long-term: CySA+. If you like breaking things, writing reports about how you broke them, and being hired in as an outsider: PenTest+. If you have no idea which one you'd prefer, pick CySA+ first — it has way more job openings at the junior level, and you can add PenTest+ later. Plenty of people hold both. The split isn't a permanent commitment.

One note I'll throw in: geography matters more than you'd think. PenTest+ jobs concentrate in a few metros (DC, NYC, Bay Area, a handful of others) and remote consulting shops. CySA+ roles are everywhere. If you're in a mid-sized city and not willing to relocate, the math usually points to blue team regardless of preference.

Level 3: CASP+

CASP+ — now technically rebranded as SecurityX in newer CompTIA documentation, though most of the market still says CASP+ — is the advanced technical cert. It's for senior practitioners who want to stay hands-on instead of moving into management.

Typical roles: security architect, senior security engineer, technical security lead, principal engineer. Salary range $110k–$150k+, with the top end pushing higher in tech hubs.

Here's what makes CASP+ different from everything below it: the exam is performance-based. Not "mostly" performance-based. There are scenario-driven simulations where you're configuring, analyzing, and making architectural calls under time pressure. No multiple-choice cruise control. This is why it has a reputation for being brutal — people who studied for Security+ and CySA+ by grinding question banks hit a wall.

The prerequisite is Security+ plus around 5 years of hands-on experience (or 6 with related IT experience). Don't shortcut this. I've seen people take CASP+ at year 3 because they were ambitious, fail badly, and walk away discouraged. The exam assumes you've actually built and broken things at scale.

CASP+ vs. CISSP: the senior-level pivot

At the top of the ladder you hit a choice that isn't really about CompTIA anymore. CASP+ keeps you in the technical lane. CISSP moves you toward strategy, risk, and management.

|                  | CASP+                                      | CISSP                                   |
|------------------|--------------------------------------------|-----------------------------------------|
| Format           | Performance-based, scenario labs           | Multiple-choice + CAT, business-focused |
| Audience         | Senior practitioners                       | Security leaders and managers           |
| Focus            | Architecture, engineering, implementation  | Governance, risk, policy, strategy      |
| Experience req   | 5 yrs hands-on (or 6 with IT)              | 5 yrs in 2+ CISSP domains               |
| Career direction | Stay technical                             | Move to management                      |

The honest read: CISSP has more name recognition with HR and recruiters, especially outside of federal work. CASP+ is deeply respected by technical managers who've taken it, and largely unknown to recruiters who haven't. If you're in a DoD-adjacent role, CASP+ is well-recognized and sometimes preferred. Everywhere else, CISSP carries more weight on a resume. That's not commentary on which cert is harder (they're both hard in different ways) — it's just market reality.

Many senior folks eventually get both. But they're not interchangeable, and they don't point you at the same kinds of jobs.

What the timeline actually looks like

People ask "how long does this take" and the honest answer is: it depends on whether you have a day job that gives you real security work. With a relevant job, the whole ladder takes 5–7 years. Without one, it takes longer, because exams can't replace experience.

| Year  | Cert                              | Typical role                                          |
|-------|-----------------------------------|-------------------------------------------------------|
| 0–2   | Security+                         | SOC Tier 1, junior security, IT with security duties  |
| 2–3   | (decide the fork)                 | Security analyst                                      |
| 3–5   | CySA+ or PenTest+                 | SOC analyst, threat analyst, pentester                |
| 5+    | Optional: the other Level 2 cert  | Senior analyst                                        |
| 5–7+  | CASP+                             | Security architect, senior engineer                   |
| 5–7+  | CISSP (alt path)                  | Security manager, director                            |

A pattern worth naming: people who jump straight from Security+ to CASP+ "because they're experienced in IT" almost always fail the first attempt. The CompTIA ladder works because each rung assumes you've genuinely spent time at the one below. Skipping rungs technically works on paper — CompTIA doesn't strictly require CySA+ before CASP+ — but the exam content punishes you for it.

Another thing I've noticed: the people who delay booking Security+ because they "don't feel ready" usually don't have a study-efficiency problem, they have a confidence problem. If you've put in 6–8 weeks of real prep and you're scoring above 80% on full-length practice exams, book it. Waiting another month rarely moves the needle.

Ways to accelerate without skipping rungs

You can compress this timeline without breaking the ladder. A few things that actually work:

Get hands-on at your current job even if security isn't in your title. Ask to own patch management, or the phishing simulation program, or vulnerability scanning for your team. That experience is what makes the next cert real instead of theoretical.

Use your employer's cert budget. Most IT employers will reimburse exams if the cert is relevant to your role. A lot of people don't ask and pay out of pocket for no reason.

Set up a home lab. Virtual machines, a pfSense firewall, a Security Onion install, something vulnerable to practice on. The cost is near-zero and the skill transfer into CySA+ and PenTest+ is massive.

Stack exams when the material overlaps. CySA+ and Security+ share a lot of ground. If you pass Security+ and your momentum is still strong, CySA+ is easier to knock out within the next 6–9 months than if you wait two years and lose the context.

One more thing before you start

The CompTIA cybersecurity certification path is straightforward once you see it: Security+ to open the door, CySA+ or PenTest+ to specialize, CASP+ or CISSP to go senior. The trap is treating it like a checklist instead of a career. Certs are evidence of skill, not skill itself — and the people who do well in this field are the ones whose resumes are a close match to what they actually know.

If you're at the very beginning and not sure where you stand on Security+, the fastest way to find out isn't another YouTube video. Take a free Security+ diagnostic test — 20 minutes, no signup, and it'll tell you which of the five domains you're already solid on and which ones will eat your study time. That's the real starting point for the rest of the ladder.
