The cyber security certification market has a problem. It has produced an enormous range of credentials at wildly different price points, with wildly different levels of rigour, and almost no honest guidance on how to choose between them.
The question most beginners are actually asking is not which certification is most well-known. It is: which certification will actually demonstrate that I can do the job?
That question has a cleaner answer than most certification guides suggest. It comes down to one distinction.
What Actually Separates a Good Certification from a Forgettable One
There are two kinds of cyber security certification. Those that test whether you understand concepts, and those that test whether you can apply them.
Theory-based certifications take the first approach. You sit a timed exam, answer multiple-choice questions, and receive a score. These credentials have real value: they signal breadth of knowledge, satisfy employer checklists, and in some sectors meet regulatory or government requirements. But they cannot, on their own, prove that you can operate inside a real security environment. You can memorise every definition and still freeze when confronted with an actual investigation.
Practical certifications work differently. They put you inside a live environment and require you to complete real tasks: triage an alert, exploit a vulnerability, write a professional report. The evidence they produce is fundamentally harder to fake, which is why employers who conduct technical interviews value them so highly.
The most defensible certification strategy in 2026 combines both: a well-recognised theory credential for HR visibility, and a practical credential that validates genuine ability when it matters.
TryHackMe's certification stack was built around the second approach. That is where this guide starts.
TryHackMe Certifications
SEC1 - Cyber Security 101
SEC1 is TryHackMe's foundational certification, and it is the right starting point for anyone entering cyber security. The exam is 100 percent practical: a 24-hour window in which candidates complete hands-on tasks spanning offensive techniques, defensive skills, and operational fundamentals across Linux, Windows, networking, and web security.
There are no multiple-choice questions. You either find the answer inside the environment or you do not.
The scope is deliberately broad. SEC1 does not ask you to specialise yet. It validates that a candidate can operate across the full entry-level landscape, which makes it a genuine indicator of readiness for the next stage of learning rather than a narrow credential that rehearses a single domain.
The approximate cost is $149, which includes a free retake and three months of TryHackMe Premium access. If you have already completed the Pre Security path and want to bundle SEC0 alongside it, both certifications are available at a 20 percent saving. For the purposes of this guide, SEC1 is the practical starting credential worth focusing on.
SEC1 is newer than Security+ and will not yet carry the same weight with automated HR screening. The honest framing is this: put a theory-based credential on your CV header for the HR filter, and use SEC1 to demonstrate practical ability in the technical interview. The combination is more compelling than either alone.
SAL1 - Security Analyst Level 1
SAL1 is TryHackMe's blue team certification for those pursuing SOC analyst roles. The exam places candidates inside a SOC simulator and requires them to triage alerts, investigate cases using real evidence, and produce a concise incident report within a 24-hour window. It was developed with input from Accenture and Salesforce, and the format reflects the actual workflow of a junior analyst more closely than any multiple-choice credential can.
The cost is $349, which includes 3 months of TryHackMe Premium access. The SOC Level 1 learning path is the structured preparation route, covering SIEM fundamentals, alert triage, Windows threat detection, and network analysis before the exam.
SAL1 is the logical next step after SEC1 for anyone whose interests lean defensive.
PT1 — Junior Penetration Tester
PT1 is TryHackMe's offensive security entry certification. The exam simulates a real client penetration testing engagement, requiring candidates to operate methodically across web applications, network infrastructure, and Active Directory, then produce a professional report. The breadth of coverage across all three domains is what makes PT1 meaningful: it reflects how penetration testing actually works on a real engagement, not a narrow slice of it.
The exam costs $349. Preparation runs through the Jr Penetration Tester learning path, which covers the full methodology from reconnaissance through to exploitation and post-compromise activity.
PT1 is the logical next step after SEC1 for those whose interests lean offensive, and it is the most sensible preparation stage before attempting OSCP.
How the Rest of the Market Compares
With TryHackMe's stack as the reference point, here is how the most relevant external certifications sit alongside it.
CompTIA Security+ - Broad Recognition, Theory Foundation
Security+ is the most widely recognised entry-level cyber security certification in the world. It is vendor-neutral, covers a broad range of domains, and is accepted as a baseline qualification by the US Department of Defense. For many employers, particularly in government and defence sectors, it functions as a minimum threshold. For HR filtering systems, it remains one of the most reliably recognised credential names.
The exam consists of up to 90 questions in 90 minutes, mixing multiple-choice with a small number of performance-based questions. The passing score is 750 out of 900. The exam voucher costs $425, and total preparation costs typically run between $600 and $1,000. Valid for three years, with renewal requiring 50 Continuing Education Units and an annual maintenance fee.
The honest limitation: Security+ demonstrates that you understand security concepts. It does not require you to operate inside a real environment. Candidates who hold Security+ and nothing else often find that technical interviewers probe quickly past it. It is most valuable as the HR-visible credential that gets you in the room, while a practical credential like SEC1 or SAL1 gives you something substantive to discuss once you are there.
CompTIA CySA+ - The Mid-Career Blue Team Credential
CySA+ is CompTIA's intermediate-level certification for SOC analysts and threat detection roles. It covers threat and vulnerability management, behavioural analytics, security operations, and incident response, and meets DoD 8140 requirements across a range of analyst positions. CompTIA recommends at least four years of hands-on experience before attempting it, which positions it firmly as a mid-career credential.
The exam voucher costs $425, with renewal requiring 60 CEUs over three years. Like Security+, the format is primarily multiple-choice with performance-based questions that simulate rather than replicate live investigation.
Where CySA+ sits relative to SAL1: they target similar roles, but different stages of a career. SAL1 is the right entry point for someone building toward their first SOC role. CySA+ is the right credential for someone already working in security who wants government-recognised validation of their analyst-level skills. If you are several years into a SOC career, CySA+ carries HR weight that SAL1 does not yet match. If you are just starting, SAL1 provides more relevant and practical preparation for what the job actually involves.
eJPT - Affordable Offensive Entry Point
The eLearnSecurity Junior Penetration Tester (eJPT), offered by INE Security, is one of the most accessible entry-level offensive credentials available. The 48-hour practical exam gives candidates access to a simulated network and requires them to enumerate systems, identify vulnerabilities, and answer questions based on their findings. It is open-book, auto-graded, and includes one free retake. The exam voucher costs approximately $200.
eJPT is a legitimate first step, particularly for budget-conscious learners who want practical experience with offensive tools before committing to a more demanding certification. Its limitation is scope: it focuses primarily on network exploitation and does not cover Active Directory, web applications in depth, or professional report writing. PT1 covers all three, which is why PT1 is a more complete credential for those building toward a penetration testing career, even at entry level.
BTL1 - The Established Practical Blue Team Credential
The Blue Team Level 1 (BTL1) from Security Blue Team is one of the most well-regarded practical defensive certifications in the market. It covers six domains across security fundamentals, phishing analysis, threat intelligence, digital forensics, SIEM investigation, and incident response, assessed through a 24-hour browser-based exam using real tools including Splunk, Wireshark, and Autopsy. A score of 70 percent earns certification; 90 percent on the first attempt earns a gold challenge coin that has become a recognised signal in SOC hiring. The certification is valid for life.
The cost is approximately $490, which includes training, lab hours, and two exam attempts. BTL1 has been adopted by government agencies, MSSPs, and enterprise security teams across more than 80 countries, and its name recognition among hiring managers in SOC-focused roles is well established.
The honest comparison with SAL1: both are practical, both are browser-based, both target the same entry-level blue team audience. BTL1 currently has greater name recognition with hiring managers. SAL1 integrates directly into TryHackMe's training ecosystem, includes 12 months of Premium access, and was built with direct input from Accenture and Salesforce. For those already training on TryHackMe, SAL1 is the natural choice. For those who want the widest current hiring visibility for a defensive practical credential, BTL1 is a credible alternative worth considering.
OSCP - The Offensive Security Benchmark
The Offensive Security Certified Professional (OSCP) is the most respected penetration testing certification in the industry. The format is a 24-hour hands-on exam in which candidates compromise a set of target machines and submit a professional penetration testing report. No automation tools. No multiple choice. The updated OSCP+ places additional emphasis on Active Directory exploitation and professional reporting, directly reflecting how modern penetration testing engagements operate.
The entry point costs $1,749 for 90 days of lab access and one exam attempt. Most candidates spend 300 to 500 hours preparing. Most fail on their first attempt. It is not an entry-level credential.
OSCP is the advanced milestone for offensive security professionals, not a starting point. Candidates who complete PT1 on TryHackMe arrive at OSCP preparation having already performed a methodical penetration test under exam conditions and produced a professional report. That experience matters: the gap between PT1 and OSCP is demanding but navigable, whereas attempting OSCP without equivalent preparation typically ends in an expensive failure.
Reading the Landscape as a Beginner
The path through these credentials becomes straightforward once you match them to where you are rather than treating them as a flat list to rank.
If you are just starting out, SEC1 is the most practical and cost-effective first credential available. It tests genuine ability, not recall, and it gives you something concrete to discuss in a technical interview before you have accumulated work experience.
If you are building toward a SOC analyst role, SAL1 is the natural progression from SEC1, with BTL1 as a well-regarded alternative if current name recognition in SOC hiring is your priority. CySA+ becomes relevant once you have several years of operational experience and need government-recognised validation.
If you are building toward penetration testing, PT1 is the right entry credential after SEC1. It covers more ground than eJPT, validates professional reporting, and prepares you for OSCP in a way that an auto-graded multiple-choice-adjacent exam cannot.
The certifications that produce the strongest evidence are always the ones that required you to demonstrate ability in a live environment. That principle should drive every decision in this list.
| Certification | Provider | Level | Domain | Exam Format | Window | Price | Retake |
|---|---|---|---|---|---|---|---|
| SEC1 | TryHackMe | Beginner | Offensive + Defensive | 100% practical, hands-on tasks | 24 hrs | See cert page | 1 free |
| SAL1 | TryHackMe | Entry | Defensive / SOC | Multiple choice + SOC simulator | 24 hrs | From €297 (€349 with training) |
1 free |
| PT1 | TryHackMe | Entry | Offensive / Pentesting | Practical pentest + report | 48 hrs | €297 (15% off for Premium subscribers) |
1 free |
| Security+ | CompTIA | Entry | Broad / Foundational | Multiple choice + PBQs | 90 mins | $425 exam voucher | New voucher required |
| CySA+ | CompTIA | Intermediate | Defensive / SOC | Multiple choice + PBQs | 165 mins | $425 exam voucher | New voucher required |
| eJPT | INE Security | Entry | Offensive / Pentesting | Practical labs + MCQ | 48 hrs | See INE pricing (subscription + voucher required) |
1 free |
| BTL1 | Security Blue Team | Entry | Defensive / SOC | Practical task-based | 24 hrs | £399 (training + exam included) |
1 free |
| OSCP+ | OffSec | Advanced | Offensive / Pentesting | Practical compromise + report | 24 hrs | $1,749 (PEN-200 bundle, 90-day lab access) |
$249 per retake |
Prices sourced directly from provider pages, March 2026. THM prices are displayed in Euros and vary by region and subscriber status. CompTIA prices are in USD for the exam voucher only - study materials are additional. BTL1 price is in GBP and includes training, lab access, and one free resit. OSCP price is in USD and includes the PEN-200 course and 90 days of lab access. eJPT requires an active INE subscription in addition to an exam voucher. All prices subject to change - confirm on the provider's certification page before purchasing.
Start Building Toward the Right Certification
TryHackMe's learning paths are structured to prepare you directly for each certification above, using the same practical, browser-based environment as the exams themselves. No local setup required.
Nick O'Grady