$370 · 2-4 months
The federal-floor cert. DoD 8570 baseline · most federal cyber-coded billets require it or an equivalent. Exam is up to 90 questions in 90 minutes, mostly multiple choice with a handful of performance-based items. Worthwhile as the first cert · no employer will be impressed by it, but many hiring gates require it. Free study material is everywhere (Professor Messer's YouTube series is the canonical free path).
verdict: Buy it.
Offensive Security Certified Professional (OSCP)
Practitioner
$1,749 (lab + exam bundle) · 3-12 months
The most respected entry-tier offensive cert in the industry. The exam is a proctored, nearly 24-hour live attack against a small set of target machines (the current format includes an Active Directory set plus standalone boxes), followed by 24 hours to write the report. Passing it is credible evidence that you can actually run a penetration test, and industry hiring managers genuinely look for it.
verdict: Buy it when you're ready. Don't take the exam early.
OSEP / OSED / OSEE
Advanced offensive
$1,799 each for OSEP and OSED (self-paced) · OSEE is taught only as a live in-person course and priced separately · 6-18 months each
OffSec's advanced credentials. OSEP (PEN-300, Evasion Techniques and Breaching Defenses), OSED (EXP-301, Windows User Mode Exploit Development), OSEE (EXP-401, Advanced Windows Exploitation). Each is significantly harder than OSCP. OSEE is widely regarded as the hardest commercial offensive cert in existence (commonly cited pass rates are around 5%). Don't pursue these until you're a working professional with 2+ years of experience.
verdict: Sequence-dependent. Take OSCP first.
GIAC Penetration Tester (GPEN)
Practitioner / federal
$2,499 · Depends on SANS course
SANS course-paired cert. The paired course, SEC560, runs roughly $7-8K and is usually employer-funded; the $2,499 figure is the standalone exam attempt, which is cheaper when bundled with the course. GIAC exams are open-book, proctored and multiple choice, so this is less hands-on than OSCP and more knowledge-based. GIAC certs are highly respected in the federal space and DoD 8140 recognized. Take it if your employer pays.
verdict: Buy if employer pays. Don't self-fund.
GIAC GREM (Reverse Engineering Malware)
Specialist
$2,499 · Depends on SANS course
Malware reverse engineering. Course (FOR610) is the canonical RE training. Reverse engineering is a specialized track · highly valued at federal labs and at private incident-response firms (Mandiant, CrowdStrike, etc.). Niche but extremely employable.
verdict: Specialist play.
GIAC GCIH (Incident Handler)
Blue team
$2,499 · Depends on SANS course
Incident response certification. Pairs with SEC504 (Hacker Tools, Techniques, and Incident Handling), which covers attacker tooling as well as handling, hence its reputation as the blue-team analog of OSCP. The standard credential for SOC analysts, incident responders and threat hunters.
verdict: Worth it for blue-team careers.
Certified Ethical Hacker (CEH) · EC-Council
Entry (recognition-only)
$1,199 · 1-3 months
The cert most recognized by HR departments and least respected by practitioners. The knowledge exam is multiple choice and tests vocabulary rather than hands-on skill (a separate CEH Practical exists). It sits on the DoD 8570 baseline, which is why it passes you through HR keyword filters in some federal-contractor environments. Won't help you actually hack anything. People still pay for it because of the HR filter situation.
verdict: Buy only if a specific job requires it.
CISSP (ISC2)
Senior management track
$749 · 3-9 months
The senior security manager / architect cert. Requires 5 years of experience to be fully certified (one year waivable with a relevant degree or approved cert); otherwise you hold it as an Associate of ISC2. Heavy on policy, governance and risk. NOT a hacking cert. The right cert if you're heading into management, GRC or security architecture.
verdict: Right for the management track. Skip if you want to stay technical.
OSWE (Web Expert · OffSec)
Web specialist
$1,799 · 3-12 months
Web application exploit development cert. 48-hour live exam. Practical, heavy on white-box source review and exploit chain development. The right specialty cert for web bug bounty hunters and AppSec engineers.
verdict: Web specialty play.
$404 · 2-4 months
Federal-floor pentesting cert. Less respected than OSCP industry-wide but DoD 8570/8140 recognized, so it fills a real gap for federal cyber-coded billets whose baseline list names it and does not accept OSCP alone. Exam mixes multiple-choice and performance-based questions.
verdict: Federal-specific play. Practitioners go OSCP.