Most cyber security certifications test what you have memorised. TryHackMe certifications test what you can actually do.
Every exam in the TryHackMe certification programme puts you inside a live environment with real tooling. No multiple choice. No theory questions. You investigate real alerts, run real attacks, and submit graded professional reports. The credential you earn is proof of practical ability, not exam technique.
Here is every TryHackMe certification, who it is for, and how to get there.
The TryHackMe Certification Ladder
Six certifications. A clear progression from complete beginner to advanced practitioner. Every one of them practical.
SEC0: Pre-Security Certificate
Who it is for: Complete beginners. Anyone who has never studied cyber security, networking, or operating systems before. People who want a formal first credential that confirms their foundational knowledge is solid before specialising.
What it proves: That you understand how computers, networks, and the internet actually work. Not security concepts yet. The layer below them: TCP/IP, how websites are served, how operating systems manage files and processes. The knowledge that makes every subsequent security concept meaningful rather than abstract.
The exam: Practical, scenario-based tasks. You apply knowledge to analyse situations rather than recall information from memory.
Preparation path: Pre Security path
Bundle: SEC0 and SEC1 together at 20% off. If you are starting from zero, the bundle is the most cost-effective route through both foundational credentials in one purchase.
SEC1: Security 101 Certificate
Who it is for: People who have completed SEC0 or already have IT foundations. Anyone who wants a formal entry-level credential before committing to a blue or red team direction. IT support, helpdesk, or networking professionals making the security pivot.
What it proves: Beginner-level cyber security knowledge across both offensive and defensive domains. This is the first credential that signals to an employer you understand the field, not just the infrastructure it runs on.
The exam: Structured practical assessment. You find answers through hands-on tasks rather than multiple choice.
Preparation path: Cyber Security 101 path
Bundle: SEC0 + SEC1 available at 20% off each. Premium subscribers receive a further 15% discount.
SAL1: Security Analyst Level 1
Who it is for: Anyone targeting a SOC analyst, blue team analyst, or security operations role at Tier 1 level. The most important credential for anyone whose career destination is defensive security.
What it proves: That you can investigate a real alert. Not in theory. The exam puts you inside a live SOC simulator with a real alert queue, real tooling, and graded incident reports. You triage alerts, investigate incidents, correlate log data across sources, and document your findings in professional format.
Backed by Accenture and Salesforce. When these organisations endorse a credential, it means their hiring teams recognise it. That is the practical signal that matters.
The exam: Live SOC simulator. Real alerts. Real tooling. Graded incident reports as part of the assessment.
Preparation path: SOC Level 1 path
Discount: Premium subscribers receive 15% off.
SAL2: Security Analyst Level 2
Who it is for: SOC analysts with Tier 1 experience who are ready to move into deeper investigation, threat hunting, and DFIR responsibilities. The credential for practitioners who want to lead investigations independently rather than triage from a playbook.
What it proves: Tier 2 investigation capability. Advanced multi-stage scenarios covering threat hunting, memory forensics, network traffic analysis, and the independent analytical depth that senior SOC roles require.
Pablo Menendez Cores, SOC Analyst at NCC Group, described SAL2 as "a strong and practical certification... it reflects quite well what we actually do in an MSSP environment." That is a practitioner at one of the most respected managed security services providers in the world validating what the exam tests.
The exam: Advanced multi-stage SOC investigation scenarios. Harder, longer, and more ambiguous than SAL1 by design.
Preparation path: SOC Level 2 path
Discount: Premium subscribers receive 15% off.
PT1: Junior Penetration Tester
Who it is for: Anyone targeting a junior penetration tester, red team analyst, or offensive security role. The right first practical certification before OSCP.
What it proves: That you can run a structured offensive security engagement and communicate findings professionally. A 48-hour practical exam across web application, network, and Active Directory targets. You attack live systems, document your findings, and submit a graded professional report. No shortcuts. No theory questions.
The exam: 48-hour practical engagement. Graded professional report. Live targets across web, network, and Active Directory.
Preparation path: Jr Penetration Tester path, rebuilt for 2026 with 89 rooms across 17 modules, a full nine-room Active Directory module, and three capstone challenges that mirror the exam format.
Discount: Premium subscribers receive 15% off.
AI1: AI Security Certificate
Who it is for: Security practitioners who want to be ahead of where the industry is heading. Penetration testers who need to assess AI systems. Defenders who need to detect and respond to AI-powered attacks. The forward-looking specialism that most practitioners have not yet invested in.
What it proves: The ability to both attack and defend real AI systems across 13 hands-on scenarios. Prompt injection. LLM vulnerability exploitation. AI threat modelling. AI forensics. AI supply chain security. This is the first practical AI security certification available on any platform.
The exam: 13 hands-on scenarios. Offensive and defensive AI security across real AI systems.
Preparation path: AI Security path, 25 rooms covering the full offensive and defensive AI security landscape.
Discount: Premium subscribers receive 15% off.
Which Certification Path Is Right for You?
If you are a complete beginner
Start with SEC0. Complete it, then move to SEC1. The bundle saves you money and takes you through both foundational credentials in the most cost-effective way. After SEC1, you will know which direction appeals to you: blue team or red team. Then choose SAL1 or PT1 accordingly.
Your path: SEC0 → SEC1 → SAL1 or PT1
If you want a SOC analyst or blue team career
Start with SEC1 if you do not have IT foundations. Go straight to SAL1 preparation if you do. The SOC Level 2 path is your preparation route for SAL2. Once you are in a Tier 1 role, SAL2 is the natural progression to Tier 2.
Your path: SEC1 → SAL1 → SAL2
If you want a penetration testing or red team career
Start with SEC1 to validate your foundational knowledge. Then work through the Jr Penetration Tester path and sit PT1. This is the right first step before OSCP. After PT1 and some professional experience, AI1 extends your offensive capability into the fastest-growing attack surface in the field.
Your path: SEC1 → PT1 → AI1
The Full Certification Reference Table
| Certification | Level | Direction | Exam format | Preparation path | Premium discount |
|---|---|---|---|---|---|
| SEC0 | Foundation | Beginner | Hands-on practical tasks | Pre Security path | 15% off. 20% bundle with SEC1 |
| SEC1 | Foundation | Beginner | Structured practical assessment | Cyber Security 101 path | 15% off. 20% bundle with SEC0 |
| SAL1 | Entry level | 🔵 Blue Team | Live SOC simulator, graded incident reports | SOC Level 1 path | 15% off |
| SAL2 | Mid level | 🔵 Blue Team | Advanced multi-stage investigation scenarios | SOC Level 2 path | 15% off |
| PT1 | Entry level | 🔴 Red Team | 48-hour practical engagement, graded report | Jr Penetration Tester path | 15% off |
| AI1 | Specialist | 🟣 Both | 13 hands-on scenarios across offensive and defensive AI security | AI Security path | 15% off |
FAQ
Which cyber security certification has the best practical labs? SAL1 and PT1 are the most practically validated entry-level credentials available. SAL1 puts you inside a live SOC simulator for the exam: real alerts, real tooling, graded incident reports. PT1 is a 48-hour live engagement across web, network, and Active Directory targets with a graded professional report. Both test whether you can actually do the work, not whether you can describe it.
What cyber skills are most in demand for 2026? SOC analysis and threat detection, penetration testing across web and Active Directory environments, cloud security, AI security, and incident response. TryHackMe's certification ladder maps directly to these: SAL1 and SAL2 for detection and response, PT1 for penetration testing, AI1 for AI security. The demand is not for people who have studied these areas. It is for people who can demonstrate they can execute them.
Are TryHackMe certifications worth it? They are worth it for a specific reason: they are practical exams that produce evidence of ability rather than knowledge. SAL1 is backed by Accenture and Salesforce. SAL2 is endorsed by NCC Group. PT1 is recognised as a direct preparation credential for OSCP. These are not paper qualifications. They are proof that you can operate under exam conditions in a live environment. For hiring managers who can evaluate technical ability, that is worth considerably more than a multiple choice pass.
Is a cyber security degree worth it in 2026? A degree provides structured academic grounding and may be required for certain government and regulated sector roles. But most cyber security employers in 2026 weight certifications and demonstrated practical ability over formal degrees. The practitioners who get hired fastest are those with a combination of practical credentials, a visible public profile showing consistent lab work, and the ability to talk specifically in a technical interview about what they have done. A degree without those things is less valuable than most people expect. Those things without a degree are increasingly sufficient.
What cyber security career path should I choose? It depends on whether you want to detect attacks or run them. Blue team work, which covers SOC analyst, incident response, threat hunting, and DFIR, is the most accessible entry point with the largest hiring pipeline. Red team work, which covers penetration testing and offensive security, has a higher technical bar at entry but strong demand and excellent compensation. Both are valid. The right answer is which one you will sustain the motivation to practise consistently over twelve to eighteen months. Start with TryHackMe's free account and see which type of room you keep returning to.
What cyber security salary can I expect at entry level in 2026? SOC Tier 1 analyst roles typically start at $55,000 to $75,000 in the US. Junior penetration tester roles start at $65,000 to $95,000. Both increase significantly with experience and practical credentials. SAL1 and PT1 signal readiness in a way that accelerates hiring decisions and starting salary negotiations because they provide evidence a hiring manager can evaluate, rather than a certificate they have to take on faith.
Nick O'Grady