There are definite limitations when organizations approach cybersecurity certifications individually. There’s a common sequence of events: an analyst decides they want a certification, their manager approves the budget, and the certification gets added to that analyst’s CV. It’s useful, but it’s not a program. With nearly two-thirds of managers (59%) citing critical or significant skills needs this year, a change in approach is crucial.
A certification program is something different:
- It gives every role in a cyber team a clear credentialing path.
- It tells managers where each analyst actually stands against a verified standard.
- It creates a shared baseline the whole team can be measured against.
- And it produces the kind of objective, third-party evidence that leadership and auditors can act on.
Building that program requires the right certifications at the right levels, and a platform that makes them manageable at scale.
Why most security certifications fall short for teams
The majority of widely recognized security certifications were designed for individual career development, and are detached from the needs of hiring organizations. This creates a specific problem for managers trying to build an actionable understanding of team readiness.
Moreover, these certifications test what practitioners know: they rely on multiple-choice exams, theory-heavy content, and narrow domain coverage, but miss the validation of practical skills that demonstrates job-readiness. Passing proves that an analyst has studied a topic. It doesn't tell you whether they can execute under pressure in a real environment.
For managers of cyber teams, that gap matters at every stage of the employment lifecycle:
- New hires arrive with certifications on their CV that tell you what they've studied, not what they can do in your environment
- Existing analysts may hold certs that are years old, acquired before the threat landscape looked anything like it does today
- Promotions and role changes get made on tenure and gut feel rather than verified evidence of capability at the next level
- Leadership conversations about team readiness rely on anecdote rather than data
Hands-on, job-aligned certifications close that gap. They put candidates inside realistic environments and ask them to perform, so managers get a verified signal they can actually use.
What a team certification program looks like
A well-structured certification program maps credentials to roles and seniority levels, creates clear progression paths, and gives managers a central view of where the team stands at any point.
TryHackMe's certification portfolio is built around this model. Every exam is hands-on, browser-based, and designed to reflect the actual demands of the role. There are no multiple-choice questions. Candidates work in live environments against real scenarios and are assessed on what they can do, not what they can recall.
The TryHackMe certification ladder spans six certifications, each designed for a specific role and career stage. Together they create clear progression pathways from onboarding a non-technical hire to validating a senior SOC analyst ready for L2 responsibilities.
SEC0 | Pre Security
Who it's for: Cyber-adjacent roles, early learners, career switchers, non-technical business staff, interns
What it validates: Core cyber concepts and terminology: computer, OS, and network fundamentals, how the web works, attacks and defenses
Why it matters: No IT or tech background required. SEC0 gives non-security staff the vocabulary to engage meaningfully with the team, and acts as the first step on the TryHackMe learning journey. [Learn more about the SEC0 certification]
SEC1 | Cyber Security 101
Who it's for: Career starters, students, interns, junior cyber team members (0–2 years experience)
What it validates: Foundational offensive, defensive, and investigative skills across 7 practical sections: OS and network fundamentals, Red Team, Blue Team, and scenario-based tasks. No MCQs.
Why it matters: Browser-based and integrated with the TryHackMe learning path, so candidates can prepare and assess in the same environment. Targets the actual job skills needed for a first role. [Learn more about the SEC1 certification]
SAL1 | Security Analyst Level 1
Who it's for: L1 SOC analysts, new hires, onboarding cohorts
What it validates: Real-world SOC work in a simulated environment, built specifically for the L1 analyst role and developed in collaboration with Salesforce and Accenture
Why it matters: The go-to onboarding benchmark. Spots capability gaps before new joiners touch live systems. Tells managers what they're actually working with. [Learn more about the SAL1 certification]
SAL2 | Security Analyst Level 2
Who it's for: Mid-senior analysts ready to validate seniority, SOC managers making promotion and succession decisions
What it validates: Technical depth, operational judgment, and stakeholder communication across 12 scenario-based investigations delivered in a 72-hour window — including SIEM analysis (Splunk/Elastic), compromised machine access, PCAP and malware triage, detection engineering with Sigma, incident summary writing, customer-facing updates, SLA management, and threat classification
Why it matters: The only certification at this level that tests communication and escalation alongside technical skills, because that is what separates senior analysts from junior ones. Provides an auditable, third-party benchmark for promotion decisions, budget cases, and regulated environments. [Learn more about the SAL2 certification]
PT1 | Junior Penetration Tester
Who it's for: Entry-level offensive security practitioners and red team members
What it validates: Offensive skills across web, network, and Active Directory, including a full-stack simulated penetration test
Why it matters: Validates offensive capability before an analyst takes on offensive responsibilities. Built by industry experts and designed to mirror the reality of an engagement. [Learn more about the PT1 certification]
AI1 | AI Security Level 1
Who it's for: Security teams and AI-adjacent roles working with AI-enabled systems
What it validates: End-to-end AI attack and defense skills on live systems — live chatbots, RAG knowledge bases, and model artifact environments — covering prompt injection, supply chain security, data poisoning, and remediation
Why it matters: Aligned with OWASP LLM Top 10 and CompTIA SecAI+. As AI becomes embedded in more environments, AI1 gives teams an objective measure of whether they can actually defend against the threats that come with it. [Learn more about the AI1 certification]
Building the program: SAL1 and SAL2 as the backbone of a SOC certification journey
For defensive cyber teams, Security Analyst Level 1 and Security Analyst Level 2 are the natural anchors of a team certification program. They are not just two standalone assessments; together they form a connected growth path. SAL1 establishes a verified baseline for every analyst on the team. SAL2 defines what senior readiness actually looks like. Together, they give managers something most certification programs never offer: objective evidence of capability at both ends of the L1-to-L2 progression.
Security Analyst Level 1: Establishing a Verified SOC Baseline
Security Analyst Level 1 is built specifically for L1 SOC analysts. It was developed in direct collaboration with Salesforce and Accenture, grounded in what the role actually demands rather than what a syllabus committee agreed on.
Candidates work inside a simulated SOC environment, triaging alerts, investigating incidents, and writing case reports across scenarios that reflect the tooling and workflows analysts encounter day to day. There are no theory questions; the assessment is entirely task-based.
For managers, SAL1 solves a specific and persistent problem: onboarding without a verified baseline. When every new joiner is expected to achieve SAL1 before handling live systems, the team has a consistent, objective foundation. When existing analysts hold it, the manager has confidence that a shared standard exists across the team.
SAL1 also gives L1 analysts a concrete and credible target. They can see exactly what proficiency looks like, and work toward it with purpose rather than waiting for someone to tell them they're ready.
Security Analyst Level 2: Validating the Step Up
SAL2 picks up where SAL1 leaves off. It’s built for analysts who have developed their foundational skills and are ready to demonstrate they can operate at a senior level: independently, under pressure, across the full scope of what L2 SOC work actually involves.
That scope is broader than most certifications acknowledge. Across 12 scenario-based investigations in a 72-hour window, SAL2 candidates handle real incidents using Splunk or Elastic, access compromised machines, conduct PCAP and malware analysis, and work through detection engineering with Sigma. They are also assessed on stakeholder communication, such as incident summary writing, customer-facing updates, SLA management, and threat classification, because that is what separates L2 analysts from L1 analysts in practice.
For managers, SAL2 turns a subjective promotion decision into an evidence-based one. For the analysts themselves, it is a meaningful milestone that reflects genuine achievement, not accumulated tenure. And for the business, it is an auditable signal of operational readiness that holds up in regulated environments and leadership conversations alike.
The SAL1-to-SAL2 path is the clearest growth journey in defensive security certification. It tells a consistent story: this is what entry-level readiness looks like, and this is what senior readiness looks like, with objective evidence at both points.
Where certifications fit in the wider capability picture
Certifications validate what analysts can do at a point in time. They answer a specific management question: is this person ready for this level of responsibility? But they work best when they sit inside a broader capability management approach.
At onboarding, certifications replace assumption with evidence. A new joiner with Security Analyst Level 1 has a verified baseline. One without it gets a structured path to achieve it before handling live systems.
At progression points, certifications like Security Analyst Level 2 make promotion and succession decisions objective. Rather than relying on tenure or the opinion of a senior colleague, managers have verified evidence of performance at the next level of complexity, including the operational judgment and stakeholder communication skills that actually separate L1 from L2.
During role transitions, certifications flag readiness before responsibilities change. An analyst moving from a defensive to a more offensive role can work toward Junior Penetration Tester to validate the skills the new position requires, rather than discovering gaps in production.
For cyber-adjacent teams, certifications like Pre Security and AI Security Level 1 give non-technical roles the foundation to understand what the security team is dealing with, and give IT, legal, and compliance functions the grounding to participate meaningfully in security programs and incident response. AI Security Level 1 makes existing security skills current for all skill levels, by adding the crucial context of a new attack surface.
For ongoing readiness, certifications catch capability drift before it becomes operational risk. Skills that aren't practiced against current material decay quietly. A structured recertification cadence keeps the team's verified baseline current.
The Manager Dashboard in TryHackMe gives teams a central view of certification status across the whole cyber team: completions, retakes, upcoming expiry, and where gaps exist by role. The program stays visible and manageable rather than drifting on autopilot.
What leadership needs from a certification program
The business case for a structured certification program is straightforward. Leadership needs to know the cyber team is capable of handling the threats the organization faces. Regulatory frameworks increasingly require demonstrable evidence of security workforce readiness. Auditors ask for it, and boards are starting to ask for it.
Job titles and tenure are proxies, while certifications from a hands-on platform that assesses real performance in realistic environments are evidence.
Organizations need to treat certifications as a capability management tool, not an individual career benefit. That means mapping credentials to roles, tracking status centrally, and building progression paths that show analysts where they're going and give managers the data to support investment decisions with something more than instinct.
[Explore TryHackMe's certification program for cyber teams.]
Frequently Asked Questions
What is the TryHackMe Security Analyst Level 1 (SAL1) certification?
Security Analyst Level 1 is a hands-on SOC analyst certification from TryHackMe, built specifically for L1 analysts and developed in collaboration with Salesforce and Accenture. Candidates work inside a simulated SOC environment: triaging alerts, investigating incidents, and writing case reports, with no multiple-choice questions. It is designed to validate what analysts can actually do in a real environment, not what they can recall from a textbook.
What is the TryHackMe Junior Penetration Tester (PT1) certification?
Junior Penetration Tester is an entry-level offensive security certification from TryHackMe. It validates practical skills across web application testing, network penetration, and Active Directory attacks, and includes a full-stack simulated penetration test. It is designed for red team practitioners and analysts who work across offensive and defensive responsibilities.
What is the difference between TryHackMe Security Analyst Level 1 and Security Analyst Level 2?
Security Analyst Level 1 is designed for L1 SOC analysts and establishes a verified baseline of core defensive skills in a simulated SOC environment. Security Analyst Level 2 is designed for mid-senior analysts and goes further, assessing not just technical depth across endpoints, networks, cloud logs, and SIEM platforms, but also operational judgment, incident communication, and stakeholder reporting across 12 scenario-based investigations in a 72-hour assessment window.
Are TryHackMe certifications recognized by employers?
TryHackMe certifications are hands-on and job-aligned, developed with input from practitioners and industry partners including Salesforce and Accenture. They are designed to validate real operational capability rather than theoretical knowledge, which makes them meaningful to hiring managers and security leaders who need evidence of what candidates can actually do.
How long does it take to complete TryHackMe's Security Analyst Level 1 certification?
Security Analyst Level 1 is a flexible, on-demand assessment. TryHackMe provides an integrated learning path to help candidates prepare, and the exam itself is non-proctored with one free retake included. Preparation time varies depending on existing experience, but the SOC L1 learning path is designed to be worked through consistently alongside operational responsibilities.
Can managers track certification progress across their cyber team?
Yes. TryHackMe's Manager Dashboard gives team leaders a central view of certification status across the whole team — including completions, retakes, and upcoming expiry dates. It sits alongside broader team performance and skill gap data, so certification progress is visible in the context of overall capability management rather than as a separate tracking exercise.
What TryHackMe certifications are suitable for non-technical or cyber-adjacent roles?
TryHackMe's Pre Security certification (SEC0) is designed for learners without a technical background, covering core cyber concepts and terminology across seven modules. It is well suited to IT, legal, compliance, and business roles that need to understand the security landscape and participate meaningfully in security programs and incident response. AI Security Level 1 (AI1) is also relevant for AI-adjacent roles across the organization, covering end-to-end AI attack and defense skills on real AI systems.