METHODOLOGY
How Does CertMap Rate Cybersecurity Certificates?
Scoring methodology across two axes (market strength × substance), 4 sub-criteria of 0–3 points each. Explains how the quadrant emerges.
Last updated: 2026-04-30
The market for cybersecurity certificates is confusing. More than 400 programs compete for attention, some with decades of reputation, others of questionable value. CertMap puts them in context. This article explains the rules behind that classification and why a given certificate sits where it sits.
Two Axes, One Map
Every certificate is rated along two dimensions and positioned on a quadrant chart:
- X-axis: Market Strength (what is the document worth?). This axis measures the value of the certificate as proof. Is it actually in demand in the relevant job market? Is the certification process formally accredited? A certificate may be technically excellent, but if no one has heard of it, it helps little in a job interview.
- Y-axis: Substance (how demanding is the process?). This axis measures the quality of the path to certification. Is there a hard exam or just an online quiz? Is professional experience verified? Must the certificate be actively maintained? A document may be well-known, but if the path to it is trivial, it says little about the holder's competence.
The separation is deliberate. Market strength and substance often correlate, but not always. It is precisely these discrepancies that make the map interesting.
Four Criteria, 0 to 3 Points Each
Each of the two axes is composed of two individual criteria. Each criterion is rated from 0 to 3 points, giving an overall score between 0 and 12.
1. Quality of the Certification Scheme (schemaQuality)
This criterion rates the formal rigor of the certification process. Is there a real exam? Is the process independently audited?
- 0: Mere proof of attendance or course participation, effectively no certification logic.
- 1: Simple exam with limited formal rigor.
- 2: Clearly structured scheme with a defined exam and sound logic.
- 3: Highly formalized scheme with high evidentiary quality.
A central rule: the top score of 3 is reserved exclusively for certificates accredited under ISO/IEC 17024. This international standard governs the requirements for bodies that certify persons. Accreditation by a national body (ANAB, DAkkS, UKAS) means that the entire certification process (exam development, administration, impartiality) has been externally audited. It is the most rigorous formal quality assurance available for personnel certifications.
2. Practical and Evidentiary Strength (practiceEvidence)
This criterion asks: does the certification actually prove ability?
- 0: No substantive practical evidence.
- 1: Limited practical relevance, low verification.
- 2: Solid practical evidence through mandatory experience or a practical exam.
- 3: Very strong practical evidence through a hard practical exam and/or verified multi-year professional experience.
A 24-hour hands-on exam like the OSCP weighs more heavily here than a multiple-choice test. Verified professional experience (such as the five years required for the CISSP, which must be endorsed by an existing certificate holder) also factors in.
3. Maintenance Requirements (maintenance)
Certifications can become outdated. This criterion rates whether and how strictly maintenance is regulated.
- 0: No maintenance requirements. Once passed, valid forever.
- 1: Low or rather formal renewal requirements.
- 2: Clear continuing-education or recertification requirements.
- 3: Strict, regular, and substantively monitored maintenance requirements.
A certificate without recertification loses significance over time. For the CISSP, 40 CPE credits must be documented annually and a fee paid every three years; this ensures that holders continue their professional development. The OSCP has no such mechanism: once passed, valid forever.
4. Market Recognition (marketRecognition)
The most pragmatic criterion: is the certificate actually in demand in the market?
- 0: Hardly any relevant recognition.
- 1: Limited recognition in sub-areas or niches.
- 2: Solid recognition in relevant roles or markets.
- 3: Broadly established and strongly recognized credential.
The rating draws on job postings, industry surveys, and visibility within the professional community. An excellently designed certificate from an unknown provider may nonetheless score poorly here.
Four Quadrants: Where Does My Certificate Stand?
The two axes produce four areas:
- Top right: Gold Standard. High market strength and high substance. Certificates that are both formally robust and technically demanding. This is where the heavyweights land: those required in tenders and respected within professional circles.
- Top left: Hidden Gem. High substance but lower market strength. Technically excellent programs that (as yet) lack the recognition in the job market they deserve. For professionals who value competence over signaling.
- Bottom right: Door Opener. High market strength but lower substance. Well-known certificates that open doors but whose examination process is less demanding. Useful for entering a career or as a baseline credential.
- Bottom left: Entry Level. Both low. Often vendor certificates or course certificates with limited signaling value. Can be meaningful as a first step but contribute little to differentiation.
Three Examples: CISSP, OSCP, and GSE
CISSP: 11 out of 12 points (schemaQuality 3, practiceEvidence 2, maintenance 3, marketRecognition 3)
ISC2's CISSP is accredited under ISO/IEC 17024 (ANAB) and therefore receives the top score for schemaQuality. Five years of verified professional experience and an adaptive exam secure a solid 2 for practiceEvidence; it is not a 3 because the exam is conceptual rather than practical-technical. The strict CPE requirements yield a 3 for maintenance. As the world's most sought-after security certificate, 3 points for marketRecognition are uncontroversial. Result: solid Gold Standard, top right.
OSCP: 8 out of 12 points (schemaQuality 2, practiceEvidence 3, maintenance 0, marketRecognition 3)
OffSec's OSCP is the counter-example. The 24-hour practical exam is legendary and earns the top score for practiceEvidence. In job postings for pentesters, OSCP is the most frequently cited certificate, which gives 3 points for marketRecognition. However, it has no ISO 17024 accreditation, so schemaQuality is capped at 2. With no recertification and no CPE obligation, it receives 0 points for maintenance. That costs four points relative to the CISSP on these two criteria and shows how the model works: the OSCP is technically first-class but falls short on formal robustness and currency maintenance.
GSE: 9 out of 12 points (schemaQuality 2, practiceEvidence 3, maintenance 2, marketRecognition 2)
The GIAC Security Expert is the capstone of the SANS/GIAC system. Since the 2023/24 reform, it has been awarded as a portfolio certification: six Practitioner and four Applied Knowledge certifications with proctored lab exams. That yields a 3 for practiceEvidence. The absence of ISO 17024 accreditation caps schemaQuality at 2. GIAC requires renewal every four years, which earns a solid 2 for maintenance. Market recognition is high but limited outside the SANS community, hence 2 for marketRecognition.
What the Rating Is Not
CertMap is a curated orientation, not an objective ranking. The rating makes no claim about which certificate is the best choice for a given person or career situation. It does not evaluate the learning content, the quality of the training material, or the price-performance ratio.
The scores are assigned editorially, not calculated algorithmically. Where there is room for judgment (for example in practiceEvidence or marketRecognition), it is transparently documented. The only hard rule concerns schemaQuality: a 3 is awarded only with demonstrated ISO 17024 accreditation. Anything else would be arbitrary.
The Noise-Off Filter
With more than 400 certificates, the map quickly becomes cluttered. The "Noise Off" filter hides vendor certificates and course certificates and shows only personnel certifications and specialist certifications, that is, programs with a substantive examination component. This reduces the display to the certificates for which the rating is most meaningful and makes the quadrant structure clearly visible.
Those specifically looking for a particular vendor certificate can deactivate the filter at any time. Hidden does not mean devalued; it means less signal, more noise.