Learner profile · Security analyst

You work security. What’s honestly next — and what’s gated?

This page assumes the job — for what a cybersecurity analyst role pays and involves, see the role page. Here the question is a ladder: deepen on the defensive track, add the offensive lens, or sequence toward the experience-gated flagships— with the honest catch that CISSP and CISM are destinations you build toward, not certs you skip to. Cited costs, renewal economics, and how to get your employer to pay.

You are here

The ladder, not a menu of equal options

A security analyst’s next-cert question gets answered badly when it is framed as a shopping list. It is a ladder. The bottom rung is the foundation credential the rest of your team assumes you hold; the middle rungs are analyst depth (the defensive track) and the offensive lens (learning to think like the attacker); and the famous names at the top — CISSP, CISM — are experience-gated destinations, not rungs you jump to. The verdicts below are ordered as a climb, and they are honest about which rungs are open to you now and which the vendor holds behind years you have not accrued yet.

The rungs

Next-cert verdicts, cited

Complete the foundation — if you are in the seat without it: CompTIA Security+ exam $439 · 3-yr renewal $150 · Difficulty 45/100 (Moderate)

Plenty of people land a SOC seat before they hold the baseline credential the rest of the team assumes. If that is you, this is the honest first move — not because it teaches you the job you already do, but because it is the common floor every later rung and most compliance frameworks build on. Where DoD 8140 applies to your role, confirm the current approved baseline at the DoD Cyber Exchange before you assume this one qualifies.

Deepen — the analyst rung: CompTIA CySA+ exam $439 · 3-yr renewal $150 · Difficulty 75/100 (Hard)

The natural next step on the defensive track: it maps to the detection, triage, and response work an analyst already does, and it is the rung that says "not just fundamentals anymore" without asking for years you may not have yet. If your week is alerts, SIEM queries, and incident write-ups, this is where the ladder points first.

Add the offensive lens — if attacker thinking is the gap: CompTIA PenTest+ exam $439 · 3-yr renewal $150 · Difficulty 65/100 (Hard)

Analysts who can think like the attacker read their own detections better. This rung is worth it if you want the offensive vocabulary — vulnerability findings, exploitation chains, scoping — not because you plan to switch to red team, but because it sharpens the blue-team work you already do. Skip it if depth on the defensive side is the more honest gap right now.

The destination — enterprise security leadership: CISSP - Certified Information Systems Security Professional exam $749 · 3-yr renewal $405 · Difficulty 80/100 (Expert)

This is where the ladder eventually leads, not a rung you jump to. It is the recognized credential for senior and lead security roles — but the vendor gates full certification behind substantial paid experience, so treat it as the destination you are building toward while the analyst rungs above accumulate the years. You can sit the exam before you meet the requirement and become an Associate; you do not become certified until the experience is there.

Not yet: full certification requires 5 yearsof relevant paid experience — the vendor’s gate, not ours. Sequence toward it; do not let anyone sell it to you as a shortcut.

The destination — security management: CISM - Certified Information Security Manager exam $575 · 3-yr renewal $45 · Difficulty 80/100 (Expert)

The management-track counterpart: it is aimed at people who run security programs, not people who staff them, and it carries the same honest catch — the credential assumes years of security-management experience you accrue on the job. Worth naming now so you sequence toward it deliberately; not worth chasing before the role and the experience are real.

Not yet: full certification requires 5 yearsof relevant paid experience — the vendor’s gate, not ours. Sequence toward it; do not let anyone sell it to you as a shortcut.

Fees, renewal costs, and eligibility from each vendor’s official pages — cited and dated on the linked certification pages, at published list price: planning context, not a promise of voucher or bundle pricing. Difficulty is the RoleMath structure-based score of the exam, never a pass rate or a claim about you.

Renewal economics

The stack you already hold has a carrying cost

Whatever you add next sits on top of what you already renew. Keeping CompTIA Security+ current runs $150 over a three-year cycle (cited on its cost page). The good news for a security stack: a higher analyst rung can often satisfy the renewal of a lower one through the vendor’s cross-credit, so climbing the ladder can retire a renewal rather than add one. Before paying to renew an older credential, decide whether it still buys you anything once the next rung is active — a superseded foundation cert is often safe to let lapse. The honest budget is the whole stack’s three-year cost, not one exam fee.

Adjacent moves

If this is really a role-direction question

A cert is evidence; a role change is a bigger decision. If you are weighing a move into incident response, detection engineering, or the security-engineering track rather than a skill add, the pathway and role pages carry the full cited picture — sequencing, occupation-level outlook, and what your analyst background transfers.

The funding ask

Your employer owns the alerts you’d be studying

In-role upskilling is the easiest certification-funding case there is: the credential maps directly to the detection and response work your team already owns, and IRC §127 educational-assistance plans let them fund it tax-advantaged up to the annual exclusion. Make the ask specific — exam fee, materials, a defined study window, and the SOC capability it buys (better triage, coverage of a new detection surface). The full playbook for the conversation:

Study while working

Official-first, on a working schedule

Every rung above has a free-study page built from the vendor’s official objectives and free materials — the realistic baseline before spending on courses. Your advantage over a career changer is the environment you work in every day: most defensive and offensive-lens content can be practiced against the telemetry and tooling you already touch (within your team’s rules of engagement). We sell no training.

Common questions

The next-cert decision, answered honestly

After Security+, what certification comes next?
For a working security analyst the honest next rung is the analyst-tier defensive credential (CySA+) — it maps to detection, triage, and response work rather than restating fundamentals. If the gap is attacker thinking rather than defensive depth, the offensive-lens rung (PenTest+) is the alternative. The famous flagships — CISSP and CISM — are destinations further up the ladder, not the immediate next step, because the vendor gates full certification behind years of paid experience. The wrong answer is collecting another entry-level credential that restates what your day job already proves.
Should I get the CISSP now?
Name it as your destination, but read the requirement honestly: full certification requires substantial paid security experience, so it is what you sequence toward while the analyst rungs accumulate the years — not a rung you jump to from an early-career SOC seat. You are allowed to sit the exam before you qualify and hold Associate status, but you are not certified until the experience is there. Anyone telling you the CISSP is a quick next cert is selling you something; the vendor requirement is the vendor requirement.
Is PenTest+ or CySA+ better after Security+?
They answer different questions, so the honest choice is about your gap, not a ranking. CySA+ deepens the defensive, analyst-side work you already do — detection, SIEM, incident response — and is the more natural next rung if your week lives in the SOC. PenTest+ adds the offensive lens: how attackers find and exploit weaknesses, which sharpens how you read your own alerts. If defensive depth is the real gap, start with CySA+; if you keep wishing you understood the attacker better, PenTest+ earns its place.
Should my employer pay for my next security certification?
Ask — the case is strong. The credential you would study maps directly to the detection and response work your team already owns, and IRC §127 educational-assistance plans let an employer fund it tax-advantaged up to the annual exclusion. Make the ask specific: the exam fee, study materials, and a defined study window, tied to a capability the SOC needs. Employers say yes to plans and no to vague requests.
Do I need to keep renewing the certifications I already hold?
Check each one before assuming yes. CompTIA credentials renew through the continuing-education program on a three-year cycle; the higher analyst rungs can often satisfy the renewal of a lower one through cross-credit, so you are not always paying twice. The honest budgeting question is whether an older credential still buys you anything once a higher rung is active — some foundation certs are stepping stones you can let lapse without consequence. Renewal terms are cited from the vendor on each certification page.

One low-commitment next step

Pick the rung that matches your gap — then take that certification’s readiness check to see what your SOC experience already covers, and personalize the evidence against your background and whether your employer will fund it.