
Certification Comparison 2026

What really moves you forward in 2026.

Which certification actually moves you forward – and which just costs time and money? CertMap puts hundreds of cybersecurity certifications side by side and rates them by market recognition, substance and total cost. Pick an area or compare your favourites directly – independent and free of sales pitches.

476 certifications · 10 compared · 27 accredited

Updated on July 5, 2026. Curated by the CertMap editors.

76 results

Selection curated by total score; full list (76) in the explorer.

10 of 10
Certification (columns 1–10)

Our assessment
Market recognition: 3/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 1/3
Schema quality: 3/3 | 3/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 3/3
Practical evidence: 2/3 | 2/3 | 3/3 | 3/3 | 3/3 | 2/3 | 2/3 | 2/3 | 2/3 | 1/3
Maintenance: 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 2/3 | 3/3
Total score: very strong (4,2) | strong (3,8) | strong (3,8) | strong (3,8) | strong (3,8) | strong (3,3) | strong (3,3) | strong (3,3) | strong (3,3) | strong (3,3)
Profile & maintenance

Accreditation: ISO/IEC 17024 (ANSI) | ISO/IEC 17024 (ANSI) | ISO/IEC 17024 (IAS/UKAS) | ISO/IEC 17024 (IAS/UKAS) | ISO/IEC 17024 (ANAB) | ISO/IEC 17024 (IAS/UKAS) | ISO/IEC 17024 (IAS/UKAS) | ISO/IEC 17024 (IAS/UKAS) | ISO/IEC 17024 (ANAB)

Exam format
  • 1: 150 multiple-choice questions, 4 hours, proctored via PSI. Passing score: 450/800.
  • 2: 150 multiple-choice questions, 4 hours, proctored via PSI. Passing score: 450/800.
  • 3: Multi-stage: written exam + 2-day hands-on lab. Highest GIAC certification.
  • 4: The same exam as the Lead Implementer is taken: 80 multiple-choice questions (stand-alone and scenario-based), open-book, 3 hours, 70 percent passing score. The senior level requires no separate exam, only more professional experience.
  • 5: The same exam as the Lead Implementer is taken: 80 multiple-choice questions (stand-alone and scenario-based), open-book, 3 hours, 70 percent passing score. The senior level requires no separate exam, only more professional experience.
  • 6: 106–180 questions, 4–5 hours, open-book, proctored via Pearson VUE. Passing score: 73%.
  • 7: Exam with 80 multiple-choice questions (stand-alone and scenario-based), open-book, 3 hours, 70 percent passing score.
  • 8: Exam combining multiple-choice and scenario-based essay tasks across five domains (ICT risk management, DORA implementation, incident management, resilience testing, continual improvement), open-book, 70 percent passing score.
  • 9: Exam combining multiple-choice and scenario-based essay tasks aligned with NIS 2 requirements and implementation practice, open-book, 70 percent passing score. Exam and certificate fee included in training price, one complimentary retake within 12 months.
  • 10: CAT-based, 100–150 questions, 3 hours, proctored via Pearson VUE. Passing score: 700/1000.

Prerequisites
  • 1: 3 years experience in IT risk management and IS control. Min. 1 year in Domain 1 or 2.
  • 2: 5 years of experience in IT governance. Min. 1 year in Domain 1.
  • 3: Minimum of 2 active GIAC Gold certifications required.
  • 4: No formal prerequisite to sit the exam; the same exam as Lead Implementer is taken. The Senior Lead Implementer certification requires 10 years of professional experience (7 years in business continuity management), 1,000 hours of project activities, and signing the PECB Code of Ethics.
  • 5: No formal prerequisite to sit the exam; the same exam as Lead Implementer is taken. The Senior Lead Implementer certification requires 10 years of professional experience (7 years in information security), 1,000 hours of project activities, and signing the PECB Code of Ethics.
  • 6: none
  • 7: No formal prerequisite to sit the exam. Certification is tiered: Provisional Implementer with no experience; Implementer needs 2 years of professional experience (1 year in information security) and 200 hours of project activities; Lead Implementer needs 5 years (2 years in information security) and 300 hours of project activities. Plus signing the PECB Code of Ethics.
  • 8: No formal prerequisite to sit the exam. Certification is tiered: Provisional Manager with no experience; Manager needs 2 years of professional experience (1 year in ICT risk management) and 200 hours of project activities; Lead Manager needs 5 years (2 years in ICT risk management) and 300 hours; Senior Lead Manager needs 10 years (7 years in ICT risk management) and 1,000 hours. Plus signing the PECB Code of Ethics.
  • 9: No formal prerequisite to sit the exam. Certification is tiered: Provisional Implementer with no experience; Implementer needs 2 years of professional experience (1 year in cybersecurity management) and 200 hours of project activities; Lead Implementer needs 5 years (2 years in cybersecurity management) and 300 hours of project activities. Plus signing the PECB Code of Ethics.
  • 10: 1 year experience in at least 1 of the 7 SSCP domains. Without experience: Associate of ISC2.

Validity: 3 years | 3 years | 4 years | 3 years | 3 years | 4 years | 3 years | 3 years | 3 years | 3 years
Maintenance: 20 CPE/year | 20 CPE/year | no CPE | 30 CPE/year | 30 CPE/year | no CPE | 30 CPE/year | 30 CPE/year | 30 CPE/year | 20 CPE/year
Acquisition cost: 699 € | 699 € | 8.744 € | 184 € | 184 € | 8.744 € | 920 € | 920 € | 920 € | 229 €

Total cost (3 yr)
  • 1: 823 (1 yr: 740 € · 3 yr: 823 € · 5 yr: 906 €)
  • 2: 823 (1 yr: 740 € · 3 yr: 823 € · 5 yr: 906 €)
  • 3: 8.744 (1 yr: 8.744 € · 3 yr: 8.744 € · 5 yr: 9.185 €)
  • 4: 515 (1 yr: 294 € · 3 yr: 515 € · 5 yr: 736 €)
  • 5: 515 (1 yr: 294 € · 3 yr: 515 € · 5 yr: 736 €)
  • 6: 8.744 (1 yr: 8.744 € · 3 yr: 8.744 € · 5 yr: 9.185 €)
  • 7: 1.251 (1 yr: 1.030 € · 3 yr: 1.251 € · 5 yr: 1.472 €)
  • 8: 1.251 (1 yr: 1.030 € · 3 yr: 1.251 € · 5 yr: 1.472 €)
  • 9: 1.251 (1 yr: 1.030 € · 3 yr: 1.251 € · 5 yr: 1.472 €)
  • 10: 602 (1 yr: 353 € · 3 yr: 602 € · 5 yr: 850 €)
Language
Training partners

Methodology

How Does CertMap Rate Cybersecurity Certificates?

Scoring methodology across two axes (market strength × substance), 4 sub-criteria of 0–3 points each. Explains how the quadrant emerges.

The market for cybersecurity certificates is confusing. More than 400 programs compete for attention, some with decades of reputation, others of questionable value. CertMap puts them in context. This article explains the rules behind that classification and why a given certificate sits where it sits.

Two Axes, One Map

Every certificate is rated along two dimensions and positioned on a quadrant chart:

X-axis: Market Strength. What is the document worth? This axis measures the value of the certificate as proof. Is it actually in demand in the relevant job market? Is the certification process formally accredited? A certificate may be technically excellent, but if no one has heard of it, it helps little in a job interview.

Y-axis: Substance. How demanding is the process? This axis measures the quality of the path to certification. Is there a hard exam or just an online quiz? Is professional experience verified? Must the certificate be actively maintained? A document may be well-known, but if the path to it is trivial, it says little about the holder's competence.

The separation is deliberate. Market strength and substance often correlate, but not always. It is precisely these discrepancies that make the map interesting.

Four Criteria, 0 to 3 Points Each

Each of the two axes is composed of two individual criteria. Each criterion is rated from 0 to 3 points, giving an overall score between 0 and 12.

1. Quality of the Certification Scheme (schemaQuality)

This criterion rates the formal rigor of the certification process. Is there a real exam? Is the process independently audited?

  • 0: Mere proof of attendance or course participation, effectively no certification logic.
  • 1: Simple exam with limited formal rigor.
  • 2: Clearly structured scheme with a defined exam and sound logic.
  • 3: Highly formalized scheme with high evidentiary quality.

A central rule: The top score of 3 is reserved exclusively for certificates accredited under ISO/IEC 17024. This international standard governs the requirements for bodies that certify persons. Accreditation by a national body (ANAB, DAkkS, UKAS) means that the entire certification process (exam development, administration, impartiality) has been externally audited. It is the most rigorous formal quality assurance available for personnel certifications.

2. Practical and Evidentiary Strength (practiceEvidence)

This is about the question: does the certification actually prove ability?

  • 0: No substantive practical evidence.
  • 1: Limited practical relevance, low verification.
  • 2: Solid practical evidence through mandatory experience or a practical exam.
  • 3: Very strong practical evidence through a hard practical exam and/or verified multi-year professional experience.

A 24-hour hands-on exam like the OSCP weighs more heavily here than a multiple-choice test. Verified professional experience (such as the five years required for the CISSP, which must be endorsed by an existing certificate holder) also factors in.

3. Maintenance Requirements (maintenance)

Certifications can become outdated. This criterion rates whether and how strictly maintenance is regulated.

  • 0: No maintenance requirements. Once passed, valid forever.
  • 1: Low or rather formal renewal requirements.
  • 2: Clear continuing-education or recertification requirements.
  • 3: Strict, regular, and substantively monitored maintenance requirements.

A certificate without recertification loses significance over time. For the CISSP, 40 CPE credits must be documented annually and a fee paid every three years; this ensures that holders continue their professional development. The OSCP has no such mechanism: once passed, valid forever.

4. Market Recognition (marketRecognition)

The most pragmatic criterion: is the certificate actually in demand in the market?

  • 0: Hardly any relevant recognition.
  • 1: Limited recognition in sub-areas or niches.
  • 2: Solid recognition in relevant roles or markets.
  • 3: Broadly established and strongly recognized credential.

The rating draws on job postings, industry surveys, and visibility within the professional community. An excellently designed certificate from an unknown provider may nonetheless score poorly here.

Four Quadrants: Where Does My Certificate Stand?

The two axes produce four areas:

Top right (Gold Standard): High market strength and high substance. Certificates that are both formally robust and technically demanding. This is where the heavyweights land, those required in tenders and respected within professional circles.

Top left (Hidden Gem): High substance but lower market strength. Technically excellent programs that (as yet) lack the recognition in the job market they deserve. For professionals who value competence over signaling.

Bottom right (Door Opener): High market strength but lower substance. Well-known certificates that open doors but whose examination process is less demanding. Useful for entering a career or as a baseline credential.

Bottom left (Entry Level): Both low. Often vendor certificates or course certificates with limited signaling value. Can be meaningful as a first step but contribute little to differentiation.

Three Examples: CISSP, OSCP, and GSE

CISSP: 11 out of 12 points (schemaQuality 3, practiceEvidence 2, maintenance 3, marketRecognition 3). ISC2's CISSP is accredited under ISO/IEC 17024 (ANAB) and therefore receives the top score for schemaQuality. Five years of verified professional experience and an adaptive exam secure a solid 2 for practiceEvidence; it is not a 3 because the exam is conceptual rather than practical-technical. The strict CPE requirements yield a 3 for maintenance. As the world's most sought-after security certificate, 3 points for marketRecognition are uncontroversial. Result: solid Gold Standard, top right.

OSCP: 8 out of 12 points (schemaQuality 2, practiceEvidence 3, maintenance 0, marketRecognition 3). OffSec's OSCP is the counter-example. The 24-hour practical exam is legendary and earns the top score for practiceEvidence. In job postings for pentesters, OSCP is the most frequently cited certificate, which gives 3 points for marketRecognition. However, there is no ISO 17024 accreditation, so schemaQuality is capped at 2. And with no recertification and no CPE obligation, maintenance gets 0 points. That costs four points relative to the CISSP and shows how the model works: the OSCP is technically first-class but falls short on formal robustness and currency maintenance.

GSE: 9 out of 12 points (schemaQuality 2, practiceEvidence 3, maintenance 2, marketRecognition 2). The GIAC Security Expert is the capstone of the SANS/GIAC system. Since the 2023/24 reform, it has been awarded as a portfolio certification: six Practitioner and four Applied Knowledge certifications with proctored lab exams. That yields a 3 for practiceEvidence. The absence of ISO 17024 accreditation caps schemaQuality at 2. GIAC requires renewal every four years, which is a solid 2 for maintenance. Market recognition is high but limited outside the SANS community, hence 2 for marketRecognition.

What the Rating Is Not

CertMap is a curated orientation, not an objective ranking. The rating makes no claim about which certificate is the best choice for a given person or career situation. It does not evaluate the learning content, the quality of the training material, or the price-performance ratio.

The scores are assigned editorially, not calculated algorithmically. Where there is room for judgment (for example in practiceEvidence or marketRecognition), it is transparently documented. The only hard rule concerns schemaQuality: a 3 is awarded only with demonstrated ISO 17024 accreditation. Anything else would be arbitrary.

The Noise-Off Filter

With more than 400 certificates, the map quickly becomes cluttered. The "Noise Off" filter hides vendor certificates and course certificates and shows only personnel certifications and specialist certifications, that is, programs with a substantive examination component. This reduces the display to the certificates for which the rating is most meaningful and makes the quadrant structure clearly visible.

Those specifically looking for a particular vendor certificate can deactivate the filter at any time. Hidden does not mean devalued; it means less signal, more noise.
