Most certification guides tell you what certifications exist. This one tells you which ones to get, in what order, and why, built around TryHackMe's certification ladder from complete beginner to senior practitioner.
Every certification on this roadmap is practical. No multiple choice memory tests. No rote recall. Every exam puts you in a live environment and asks you to do the work. That is what employers are starting to care about, and it is what TryHackMe has built its certification programme around.
Here is the full picture.
Why Does the Order Matter?
Certifications compound. The skills you build for SEC0 make SEC1 faster. The foundations from SEC1 make SAL1 or PT1 genuinely achievable rather than a scramble. Jumping ahead wastes money and produces gaps that show up in technical interviews.
The roadmap below is the shortest line between where you are and where you want to be. Follow it in sequence and every step prepares you for the next one.
Stage 1: Start Here: SEC0 and SEC1
SEC0: Pre Security Certification
SEC0 is where the roadmap begins. It validates that you understand how computers, operating systems, networks, and the internet actually work before any security concepts are added on top. No assumed knowledge. No prior background required.
The exam is hands-on from start to finish. You are not answering questions about networking. You are working through practical tasks that demonstrate you understand it. That approach runs through every TryHackMe certification: prove it, do not just describe it.
Who it is for: Complete beginners. Anyone who has never touched cyber security before. People who want a formal first credential that confirms their foundational knowledge is solid.
Preparation: TryHackMe's Pre Security path is the canonical study route.
Bundle: SEC0 and SEC1 are available together as a bundle with 20% off each cert. If you are starting from zero, the bundle is the most cost-effective way to work through both foundations in one purchase.
SEC1: Cyber Security 101 Certification
SEC1 takes the foundations further. It validates beginner-level cyber security knowledge across networking, operating systems, essential security principles, and core concepts in both offensive and defensive security. It is the first credential that signals to an employer you understand the field, not just the infrastructure it runs on.
The exam is structured assessment rather than SOC simulation: you find answers through practical tasks rather than multiple choice, but the format is more accessible than SAL1 or PT1. It is the right stepping stone between foundational knowledge and role-specific specialisation.
Who it is for: People who have completed SEC0 or already have IT foundations. Anyone who wants a formal entry-level credential before committing to a blue or red team direction.
Preparation: TryHackMe's Cyber Security 101 path is the preparation route.
Stage 2: Choose Your Direction
After SEC1, the roadmap splits. Blue team or red team. Defensive or offensive. Both tracks lead to job-ready credentials. Choose based on where you want to work, not what sounds most impressive.
Blue Team Track: SAL1
SAL1: Security Analyst Level 1
SAL1 is the certification that answers the question every SOC hiring manager is actually asking: can you investigate a real alert?
The exam puts you inside a live SOC simulator. A real alert queue. Real tooling. Real incident reports that are graded as part of your assessment. You triage alerts, investigate incidents, correlate log data across sources, and document your findings in a professional format. It is the most practically validated entry-level SOC credential available.
Backed by Accenture and Salesforce. Premium subscribers receive a 15% discount.
Who it is for: Anyone targeting a SOC analyst, blue team analyst, or security operations role at Tier 1 level.
Preparation: TryHackMe's SOC Level 1 path covers every domain the exam tests.
Red Team Track: PT1
PT1: Junior Penetration Tester
PT1 is the offensive counterpart to SAL1. The exam is a 48-hour practical engagement across web application, network, and Active Directory targets. You attack live systems, document your findings, and submit a graded professional report. No shortcuts. No theory questions. Just a real engagement under timed conditions.
Premium subscribers receive a 15% discount.
Who it is for: Anyone targeting a junior penetration tester, red team analyst, or offensive security role.
Preparation: TryHackMe's Jr Penetration Tester path is the canonical preparation route. The path was completely rebuilt for 2026: 89 rooms across 17 modules, a full nine-room Active Directory module, a thoroughly rewritten web security curriculum, and three capstone challenges that mirror the PT1 exam format.
Stage 3: Level Up: SAL2
SAL2: Security Analyst Level 2
SAL2 is where Tier 1 analysts become Tier 2 analysts. The exam extends the SAL1 format into more complex, multi-stage investigation scenarios covering advanced threat detection, digital forensics, memory analysis, network traffic analysis, and threat hunting.
This is the credential that validates you can lead an investigation independently, not just triage alerts from a playbook. Pablo Menendez Cores, SOC Analyst at NCC Group, described SAL2 as "a strong and practical certification... it reflects quite well what we actually do in an MSSP environment." That is practitioner validation from one of the most respected names in managed security services.
Premium subscribers receive a 15% discount.
Who it is for: SOC analysts with Tier 1 experience ready to move into Tier 2 investigation, threat hunting, and DFIR responsibilities.
Preparation: TryHackMe's Threat Hunting module and DFIR module alongside the SOC Level 1 path content build the skills this exam tests.
The Full Roadmap at a Glance
| Certification | Stage | Direction | Exam format | TryHackMe preparation path |
|---|---|---|---|---|
| SEC0 | 1. Foundation | Both | Hands-on practical tasks | Pre Security path |
| SEC1 | 1. Foundation | Both | Structured practical assessment | Cyber Security 101 path |
| SAL1 | 2. Specialise | 🔵 Blue Team | Live SOC simulator, graded incident reports | SOC Level 1 path |
| PT1 | 2. Specialise | 🔴 Red Team | 48-hour practical engagement, graded report | Jr Penetration Tester path |
| SAL2 | 3. Level Up | 🔵 Blue Team | Advanced multi-stage SOC investigation scenarios | Threat Hunting + DFIR module |
SEC0 and SEC1 are available as a bundle at a discounted rate. Premium subscribers receive 15% off all professional certifications.
What About AI Security?
AI security is the fastest-growing skill area in the field. TryHackMe's AI Security path covers LLM vulnerabilities, prompt injection, AI threat modelling using MITRE ATLAS, AI supply chain security, and RAG security in hands-on lab environments. It is where the roadmap extends for practitioners who want to stay ahead of where the industry is moving.
Which Certifications Should You Get First?
If you are brand new: SEC0, then SEC1. Do not skip the foundations. They are what make everything after them faster.
If you have IT or tech foundations already: start with SEC1 to validate your baseline, then move directly to SAL1 or PT1 depending on your direction.
If you know you want blue team: SEC1, then SAL1, then SAL2. That sequence takes you from entry-level credential to mid-level validation in a logical progression with no wasted steps.
If you know you want red team: SEC1, then PT1. Then OSCP when you are ready to go further.
The roadmap is clear. The paths are built. The only move left is starting.
Nick O'Grady