SD
Sma Das, Security Engineer
Sma Das Signature

Cybersecurity professional writing about security research, programming, and technology.

hello@sma-das.com

Pages

  • About
  • Blogs
  • Contact

Topics

  • Cybersecurity
  • Programming
  • Malware Analysis

Connect

  • LinkedIn
  • GitHub
  • Email

© 2026 Sma Das. All rights reserved.

Privacy Policy | Terms of Use

Certified in Confusion²

Sma Das • Sunday, January 18, 2026
Tags: certifications, cybersecurity, career, CISSP, OSCP, CEH, SANS

Invest in yourself. Advance your career. Stand out to employers.

That's the pitch, isn't it? The same fundamental promise wrapped in slightly different packaging across every cybersecurity certification body. SANS will charge you $8,500 for the privilege. ISC2 wants $749 and five years of your professional life. OffSec demands $1,749 and your sanity. EC-Council asks for $2,199 and your willingness to believe that "92% of employers prefer CEH candidates."

The cybersecurity certification industrial complex has achieved something rather remarkable: it has convinced an entire generation of aspiring security professionals that the path to employment runs through expensive examinations rather than demonstrated capability. The product being sold isn't competence - it's hope. Hope that the acronym after one's name opens doors. Hope that the investment yields returns. Hope that employers actually value what the certification claims to validate.

Some certifications deliver on these hopes. Most do not. The challenge lies in determining which is which before one has already spent the money and hundreds of hours memorising material that may or may not correlate with actual job requirements.

The Economics of False Promises

The certification market has metastasised into a multi-billion dollar industry built largely on information asymmetry. The vendors know which certifications actually correlate with employment and salary increases. The candidates do not, at least not until after they've paid and invested months of preparation time.

SANS positions itself as the premium option - $8,500 for a single course and GIAC certification. The value proposition is explicit: candidates are purchasing access to distilled expertise from legitimate practitioners, not professional trainers recycling decade-old PowerPoint slides. And to their credit, SANS largely delivers quality training. The instructors generally know their craft. The materials are comprehensive and regularly updated.

But here's the uncomfortable economic reality: SANS certifications are priced for organisations with training budgets, not individuals paying out of pocket. The pricing strategy explicitly acknowledges this - if an employer isn't funding the certification, candidates are almost certainly overpaying for credentials that won't generate sufficient salary premium to justify the investment. Industry data suggests GIAC-certified professionals earn between $75,000 and $150,000 annually, but correlation isn't causation. Those earning $150,000 likely would be earning similar amounts without the GIAC certification, because they already possessed the experience and skills that command such compensation.

The fundamental problem: SANS certifications are preferred for mid-level and senior positions - roles one cannot access without existing experience. For someone attempting to break into the field, spending $8,500 on a GSEC is an expensive gamble that one will even secure an entry-level position where the certification matters. Most entry-level security positions don't require GIAC credentials. They require foundational IT knowledge and the ability to learn. The $8,500 would be better spent on practical experience, even if that means accepting a lower-paying help desk role to build the resume that actually opens doors.

CISSP and the Signalling Problem

ISC2's CISSP occupies a curious position in the certification landscape. The exam costs $749. Annual maintenance runs $135. The total investment including study materials might reach $2,000 depending on preparation approach. Compared to SANS, it's practically affordable. Job posting analysis reveals CISSP appearing in requirements or preferences at rates 4-5 times higher than CEH. Salary data consistently shows CISSPs earning $100,000-$130,000 compared to $70,000-$85,000 for non-certified peers in equivalent roles.

The certification's prominence stems largely from its five-year experience requirement. Candidates cannot simply purchase training, pass an exam, and acquire the certification. They must demonstrate five years of professional experience across at least two of eight security domains. This seemingly arbitrary requirement creates a filter that ensures CISSPs possess actual operational knowledge rather than merely test-taking capability.

The experience requirement inadvertently solved an adverse selection problem that plagues certification markets. Employers trust CISSP because they know certified individuals have done the work. The credential signals experience and judgement, not just ability to memorise exam material.

However, the degree to which CISSP actually enhances one's profile rather than merely correlating with existing experience remains an open question. Does CISSP open doors, or do the same professionals who would succeed without it simply acquire it as table stakes for roles they were already qualified for? The certification certainly appears in job postings with notable frequency, but whether it's driving hiring decisions or simply reflecting lazy HR filtering is less clear. For someone with five years of experience already, CISSP may provide marginal differentiation. Claiming it transforms careers overstates the case. For someone trying to break into the field, it's irrelevant because one cannot obtain it yet.

OffSec and the Performance Problem

OffSec's OSCP occupies a fascinating middle ground. The certification costs $1,749 for 90 days of lab access and one exam attempt. Unlike theory-heavy multiple-choice examinations, OSCP requires 24 hours of actual penetration testing in a live environment under exam conditions. Candidates exploit systems, escalate privileges, document findings, and either succeed or fail based on demonstrable capability. The first-attempt failure rate is substantial because one cannot talk one's way through compromising a machine.

For penetration testing roles specifically, OSCP carries genuine weight precisely because it validates performance rather than knowledge. Employers hiring for offensive security positions weight OSCP heavily because passing the exam proves candidates can actually do the work. The certification isn't measuring ability to recall port numbers or explain attack methodologies - it's measuring whether one can exploit vulnerable systems within time constraints.

This performance validation matters. Average OSCP holder salaries range from $103,000 to $120,000, reflecting the specialised technical skills the certification legitimately validates. For someone pursuing penetration testing as a career path, the $1,749 investment offers reasonable ROI, assuming they pass.

The assumption carries significant weight. OSCP is not an entry-level certification despite lacking formal prerequisites. It assumes solid Linux administration, networking fundamentals, and scripting capability. Attempting OSCP as one's first security certification is an expensive way to discover that one lacks the foundational knowledge required to succeed. The certification works for candidates who already possess base competencies and need validation of their offensive security skills. For everyone else, it's $1,749 spent failing a brutally difficult practical exam.

CEH: The Expensive Theatre of Security

EC-Council's CEH represents everything dysfunctional about certification-based training distilled into a single multiple-choice examination. Cost: $1,199 for the exam alone, or $2,199 for the bundled training package. Renewal: $80 annually plus 120 continuing education credits every three years.

EC-Council's marketing materials claim "92% of employers prefer CEH candidates for ethical hacking jobs." This statistic appears everywhere - website, brochures, partner materials - repeated with the confidence of revealed truth. What the statistic conspicuously fails to mention: the methodology, the sample size, or the rather important detail that actual job posting analysis shows OSCP appearing far more frequently in penetration testing role requirements than CEH.

CEH is a four-hour, 125-question multiple-choice exam. Candidates need 70% to pass. The "Practical" variant exists, but the standard CEH that most candidates pursue is pure theory. One can memorise one's way to certification without ever exploiting a system, writing functional code, or demonstrating any practical offensive security capability whatsoever.

The average CEH salary sits around $83,000-$90,000, notably lower than both CISSP and OSCP. The certification does not correlate with premium compensation the way CISSP does for management roles or OSCP does for technical penetration testing positions. CEH occupies an awkward middle ground - too expensive for entry-level candidates who cannot justify the investment, insufficiently respected for mid-level roles where employers prefer either CISSP for strategic positions or OSCP for technical offensive security work.

The primary value proposition for CEH appears to be government compliance - specifically DoD 8570 approval for US defence contractors. Outside this narrow niche, CEH functions as expensive resume decoration that signals one has heard of common attack tools without demonstrating the ability to effectively employ them.

The Systemic Dysfunction

The certification market has optimised for vendor revenue rather than candidate outcomes. This isn't conspiracy - it's basic economics. Certification bodies earn revenue from examination fees, training materials, and annual maintenance charges regardless of whether certified individuals secure employment or salary increases. The incentive structure rewards maximising the number of candidates pursuing certifications, not ensuring those certifications deliver value.

Consider the perverse dynamics at play: candidates with limited information must decide which certifications to pursue based primarily on vendor marketing materials and anecdotal reports from other candidates. Employers filter candidates based on certifications they believe indicate competence, often without rigorous analysis of whether certified candidates actually perform better than non-certified peers. Certification vendors optimise messaging to attract the maximum number of candidates whilst providing just enough value to avoid obvious fraud.

The result is a market where certain certifications (CISSP, OSCP) accidentally deliver some degree of value through structural features that create marginally legitimate signalling, whilst others (CEH, most vendor-specific certifications) extract revenue through clever marketing that exploits information asymmetry and candidate desperation to differentiate themselves in crowded labour markets.

There's also the rather substantial opportunity cost that nobody discusses. SANS certification preparation requires 40-80 hours of focused study. CISSP demands 100-150 hours. OSCP requires 300-500 hours of intensive practice. Those hours represent time not spent building actual security projects, contributing to open-source tools, or gaining practical experience that might differentiate a candidate more effectively than certification acronyms.

For employed professionals studying in evenings and weekends, this is manageable. For unemployed candidates desperately trying to break into cybersecurity, those 300 hours pursuing OSCP could instead build a portfolio of security research, vulnerability disclosures, or tool development that demonstrates capability more compellingly than any certification. But candidates are led to believe the certification is the more reliable path to employment, despite mixed evidence supporting this assumption.

The certification market also profits from failure in ways that deserve examination. OSCP's high failure rate means many candidates pay $1,749, study for months, fail the exam, and must decide whether to pay an additional $249 for a retake. SANS certifications have lower pass rates than marketing materials suggest - failing after investing $8,500 is financially and emotionally devastating. The certification industry profits regardless of whether candidates pass, whether they get hired, or whether the credential actually advances their career. Candidates pay upfront. Vendors deliver training and an exam. Whether it leads to employment is the candidate's problem, not theirs.

The Uncomfortable Conclusion

The certification industrial complex has responded to genuine demand for security talent by optimising for revenue extraction rather than effective training and credible signalling. CISSP achieves some degree of legitimacy not because ISC2 is uniquely virtuous, but because the experience requirement accidentally created a somewhat reliable signal - though prudence suggests questioning whether the certification drives outcomes or merely correlates with professionals who would succeed regardless. OSCP works because performance-based evaluation is harder to fake than multiple-choice exams. SANS delivers quality training but prices it for corporate budgets rather than individual candidates.

CEH and the broader universe of vendor-specific certifications extract billions annually by convincing candidates that expensive examinations open doors, when in reality most employers filter for experience and demonstrated capability regardless of certification status.

The industry could optimise for candidate outcomes. It could structure certifications to validate actual performance rather than test-taking ability. It could price credentials at levels that generate reasonable ROI for individual candidates rather than corporate training budgets. It could provide transparent data on employment and salary outcomes for certified versus non-certified candidates.

It doesn't, because the current model generates substantial revenue whilst requiring minimal accountability for outcomes. The certification is sold. The exam is administered. Whether the candidate secures employment or salary increases is their problem, not the vendor's.

Rather elegant, really. Expensive, certainly. But elegant nonetheless.