Certifications are a polarizing topic in security. Half the community will tell you they’re useless compared to real experience. The other half just got a $30k raise after passing CISSP.
Both are partly right.
The truth: certifications are door-openers, not skill-builders. They signal to hiring managers that you’ve achieved a standardized benchmark. What you actually know depends on how you prepared. And some certifications open much bigger doors than others.
Here’s an honest ranking of the certifications worth your time and money in 2026 — sorted by practical ROI for offensive security practitioners.
How We Define ROI
Before the list: ROI here means the combination of:
- Salary impact — how much does passing this cert move your compensation?
- Job access — does this cert unlock roles you couldn’t get without it?
- Hiring weight — how seriously do experienced hiring managers take it?
- Time-to-pass — how long does prep realistically take?
- Cost — exam fees, training materials, retakes
A $600 cert that gets you a $20k raise is better ROI than a $3,000 cert that gets you the same raise.
Tier 1: High ROI — These Move the Needle
OSCP (Offensive Security Certified Professional)
- Cost: ~$1,499 (90-day lab access + exam attempt)
- Prep time: 3-6 months for someone with fundamentals
- Salary impact: $15,000–$30,000 for mid-level practitioners
- Hiring weight: ★★★★★
OSCP remains the most respected hands-on penetration testing certification in the industry. In 2026, it’s still the standard requirement for mid-level and senior pentest roles at most serious organizations.
What makes it different: you can’t memorize your way to an OSCP. The 24-hour practical exam requires you to compromise real machines. That legitimacy is why hiring managers still weight it heavily even as the market fills with alphabet-soup certs.
Who should get it: Anyone serious about a penetration testing career. Target it after 6-12 months of lab practice on HTB/THM.
Prep resources: HTB Academy’s Penetration Tester path is the best free prep. Pair with The Hacker’s Playbook 3 for methodology and AD attack chains, and Penetration Testing by Georgia Weidman for foundational technique coverage.
CISSP (Certified Information Systems Security Professional)
- Cost: ~$749 (exam) + training materials ($200-$1,500)
- Prep time: 3-6 months for an experienced practitioner
- Salary impact: $20,000–$50,000 at senior/director level
- Hiring weight: ★★★★★ (management track)
CISSP is not a technical certification. It tests security breadth across eight domains — risk management, cryptography, identity management, network security, and more. The exam is adaptive and notoriously difficult to pass without real-world experience.
But for anyone targeting Director, VP, or CISO roles, CISSP is essentially mandatory. It appears in the requirements for more senior security positions than any other certification.
Who should get it: Practitioners with 5+ years of experience targeting leadership roles. It’s a waste of time for a junior analyst, and powerful for a senior practitioner moving toward management.
Note: CISSP requires 5 years of professional experience in 2+ of the 8 domains. You can pass the exam first and become an “Associate of (ISC)²” while accumulating experience.
CRTO (Certified Red Team Operator)
- Cost: ~$399 (exam + 30-day lab access via Zero-Point Security)
- Prep time: 2-3 months with dedicated lab time
- Salary impact: $10,000–$25,000 for red team operators
- Hiring weight: ★★★★☆
The CRTO has become the go-to certification for practitioners who want to demonstrate Cobalt Strike proficiency and adversary simulation methodology. Zero-Point Security’s Red Team Ops course is excellent — practical, up-to-date, and taught by a practitioner.
Unlike OSCP, which covers broad penetration testing methodology, CRTO focuses specifically on red team tradecraft: C2 infrastructure, evasion, AD attacks, operational security. It’s more specialized, which means it’s extremely relevant for red team operator roles and less relevant for general pentest positions.
Who should get it: Mid-to-senior practitioners targeting red team operator or adversary simulation roles.
AWS Security Specialty / Azure Security Engineer Associate
- Cost: $300-$400 (exam only)
- Prep time: 2-4 months
- Salary impact: $15,000–$35,000 (the cloud security premium is significant)
- Hiring weight: ★★★★☆
Cloud security expertise carries a meaningful premium in 2026. As organizations continue migrating infrastructure to AWS, Azure, and GCP, the demand for practitioners who understand cloud-specific attack surfaces (IAM privilege escalation, SSRF to metadata services, serverless exploitation, misconfigured S3/blob storage) significantly outstrips supply.
Cloud security certs validate both defensive and, in context, offensive understanding of cloud environments. Pair one of these with OSCP and you’re in a very strong position for high-value engagements.
Who should get it: Any practitioner who wants to work on cloud infrastructure assessments or move into cloud security architecture.
Tier 2: Solid ROI — Worth Pursuing in Context
CompTIA Security+
- Cost: ~$392
- Prep time: 1-3 months
- Salary impact: $5,000–$15,000 at entry level
- Hiring weight: ★★★☆☆ (★★★★★ for DoD/government roles)
Security+ is the most widely recognized entry-level security certification. It’s required for many U.S. Department of Defense positions (DoD 8570 compliance) and appears in a huge percentage of entry-level job postings.
The honest assessment: Security+ tests security concepts, not security skills. Experienced practitioners won’t find it technically challenging. But it’s an efficient signal that entry-level candidates have foundational knowledge, which is why so many employers require it.
Who should get it: People entering cybersecurity with no prior security certs. Absolute entry-level baseline. Move on quickly.
OSEP (Offensive Security Experienced Penetration Tester)
- Cost: ~$1,499
- Prep time: 4-6 months
- Salary impact: $10,000–$20,000 for senior practitioners
- Hiring weight: ★★★★☆
OSEP is OffSec’s advanced follow-on to OSCP, covering evasion techniques, advanced Active Directory attacks, and complex pivoting scenarios. It’s significantly harder than OSCP and signals genuine advanced capability.
In 2026, OSEP is increasingly appearing in job requirements for senior red team and adversary simulation roles. Its hiring weight is growing as organizations mature their red team programs.
Who should get it: OSCP holders targeting senior red team or adversary simulation positions.
eJPT (eLearnSecurity Junior Penetration Tester)
- Cost: ~$200
- Prep time: 1-2 months
- Salary impact: Minimal on its own
- Hiring weight: ★★★☆☆ (entry level only)
The eJPT has become the community-recommended first certification for absolute beginners — before OSCP, before Security+. It’s cheap, the associated course is excellent for true beginners, and it validates that you can perform basic penetration testing tasks.
Don’t spend much time here if you have fundamentals. Do spend time here if you’re completely new and need structured learning before tackling OSCP.
CPTS (HTB Certified Penetration Testing Specialist)
- Cost: ~$490 (includes HTB Academy module access)
- Prep time: 3-5 months via the HTB Academy path
- Salary impact: Emerging; still building hiring weight
- Hiring weight: ★★★☆☆ (growing)
HTB’s CPTS is a legitimate, rigorous certification. The 10-day exam is brutal — you’re performing a real penetration test against an enterprise environment and submitting a professional-quality report. From a pure difficulty and rigor standpoint, it rivals OSCP.
The challenge: hiring manager recognition is still lower than OSCP. In 2026, CPTS is increasingly accepted by forward-thinking organizations, but in job postings and HR filters, OSCP still dominates. This will likely change over the next 3-5 years.
Who should get it: People preparing for OSCP who want structured practice, or practitioners looking to demonstrate proficiency without paying OffSec prices.
Tier 3: Situational ROI — Context-Dependent
CEH (Certified Ethical Hacker)
- Cost: ~$1,899 (with training) or $550 (exam only, with qualifying experience)
- Prep time: 1-3 months
- Salary impact: Marginal for skilled practitioners
- Hiring weight: ★★☆☆☆ (practitioner community) / ★★★★☆ (government/compliance)
CEH has a split reputation. The practitioner community largely dismisses it as a multiple-choice exam that doesn’t validate real skills. And that criticism is fair — the exam is memorization-heavy and doesn’t require you to actually hack anything.
However: CEH appears in a significant number of government, DoD, and compliance-heavy job requirements. If you’re targeting that sector, CEH can be a checkbox you need to check.
Who should get it: Practitioners targeting government or heavily compliance-regulated environments. Skip it for pure commercial red team roles.
GPEN / GWAPT / GXPN (GIAC Penetration Testing Certs)
- Cost: $999–$1,499 (exam) + SANS course ($5,000–$8,000)
- Prep time: Training course + 2-3 months
- Salary impact: $10,000–$25,000 when bundled with SANS experience
- Hiring weight: ★★★★☆ (with SANS training)
GIAC certifications are technically solid and respected by practitioners. The problem is cost — SANS courses run $5,000-$8,000, making this inaccessible for self-funded individuals. If your employer pays, jump on it. If you’re self-funding, the ROI calculation rarely works out compared to OSCP.
Who should get it: Practitioners with employer sponsorship for SANS training.
The Web Application Security Track
If you’re specializing in web application security, the optimal certification stack looks different:
- OSCP (establishes baseline credibility)
- BSCP (Burp Suite Certified Practitioner — PortSwigger’s practical web exam, ~$99, growing rapidly in hiring weight for AppSec roles)
- CBBH (HTB Certified Bug Bounty Hunter)
- GWAPT (if employer-funded)
The Web Application Hacker’s Handbook is the conceptual foundation that makes web application certifications meaningful — it provides the “why” behind the techniques that all the certs test.
My Recommended Stack by Career Stage
Entry Level (0-2 years)
- CompTIA Security+ (required for many entry-level postings)
- eJPT (demonstrates hands-on intent)
- Work toward OSCP
Mid Level (2-5 years)
- OSCP (non-negotiable for this level)
- Cloud specialty cert (AWS or Azure, depending on your environment)
- CRTO if targeting red team operator roles
Senior / Leadership (5+ years)
- OSCP + CRTO or OSEP (technical credibility)
- CISSP (leadership track credibility)
- Cloud certs as applicable
The Final Word on Certification ROI
Certifications are investments. Like all investments, the return depends on when you buy, what else is in your portfolio, and what you’re trying to achieve.
OSCP and CISSP have the strongest ROI for their respective career stages. Cloud security certs carry growing premiums as the market shifts. And CRTO is quietly becoming essential for serious red team operators.
What doesn’t have good ROI: chasing every cert without building real-world skills, paying for CEH when you’re targeting commercial roles, or getting CISSP before you have the experience to back it up in an interview.
Certify strategically. Practice obsessively. Ship good work.
Already certified and ready to level up your methodology? Our Red Team Career Path guide maps the full trajectory from junior practitioner to CISO.
