The CompTIA Cybersecurity Career Pathway (2019 Refresh): Employable Skills Found Here

by Patrick Lane | May 16, 2019

The CompTIA Cybersecurity Career Pathway: The Future of Cybersecurity Is Here
With cybercrime on the rise and vulnerabilities constantly being exposed, it is imperative that organizations take a proactive stance to protecting assets and employing skilled cybersecurity professionals. In fact, the U.S. Bureau of Labor Statistics predicts that the number of information security jobs will increase 28 percent from 2016 to 2026, making it one of the fastest-growing fields. Jobs requiring cybersecurity skills continue to grow rapidly, with more than 313,000 cybersecurity job openings, according to Cyberseek. Employers, from government to Fortune 500 companies, value CompTIA as an authority in cybersecurity certifications.

How to Get into Cybersecurity

The CompTIA Cybersecurity Career Pathway helps IT pros achieve cybersecurity mastery, from beginning to end. The centerpiece is the CompTIA Security+ certification. It establishes the foundational knowledge required of any cybersecurity role and provides a springboard to intermediate-level cybersecurity jobs. With performance-based questions, it emphasizes the hands-on practical skills used by junior IT auditors, systems administrators, network administrators and security administrators. 

After earning CompTIA Security+, cybersecurity professionals can take the next step by pursuing an intermediate skills-level cybersecurity certification, such as CompTIA Cybersecurity Analyst (CySA+) or CompTIA PenTest+.

The CompTIA Cybersecurity Analyst certification assesses the skills needed to apply behavioral analytics to networks to improve the overall state of IT security. The certification covers tools such as packet sniffers, intrusion detection systems (IDS) and security information and event management (SIEM) systems. After the seminal Target attack of 2014, the security analyst job role has gained more importance, making these skills essential for most organizations.

While CySA+ focuses on defense through incident detection and response, CompTIA PenTest+ focuses on offense through penetration testing and vulnerability assessment. It involves launching attacks on systems, discovering the vulnerabilities and managing them and is intended for cybersecurity professionals tasked with identifying, exploiting, reporting and managing vulnerabilities on a network.

The progression from CompTIA Security+ to CompTIA CySA+ and/or CompTIA PenTest+ is logical because Security+ assesses the knowledge, skills and abilities (KSAs) an IT professional demonstrates after two years of cybersecurity field work, and CySA+ and PenTest+ assess three to four years of cybersecurity field work.  

IT pros can pursue CompTIA Advanced Security Practitioner (CASP+) to prove their mastery of cybersecurity skills required at the 5- to 10-year experience level. CASP+ is the pinnacle of cybersecurity certifications and includes performance-based questions. It is intended for those who wish to remain immersed in hands-on enterprise security, incident response and architecture, for example, as opposed to strictly managing cybersecurity policy and frameworks.

Ready to Start Your Cybersecurity Career?

Check out the new CompTIA Security+ or download the exam objectives for any of our cybersecurity certifications to see which one is right for you.

The Building Blocks of Cybersecurity

But how do you get into cybersecurity with no experience? If you have limited experience in IT and aren't quite ready to start with CompTIA Security+, then you’ll want to start earlier on the pathway.

CompTIA A+ validates the skills employers look for in new and aspiring IT support professionals. In addition to covering today's core technologies in operating systems, cloud, data management and more, the new CompTIA A+ Core Series covers baseline security skills at the end point device level, including malware detection and removal, privacy concerns, physical security and device hardening.

Where CompTIA A+ considers connectivity from the perspective of the user and their device, CompTIA Network+ focuses on the connections from (and between) the core systems to the endpoint devices. It validates the essential knowledge and skills needed to design, configure, manage and troubleshoot wired and wireless networks. To best support and ultimately secure the systems that exchange information on your network, you must first understand how the network functions.

CompTIA A+ and CompTIA Network+ follow a progression consistent with the KSAs an IT professional exhibits as they move from an early career technical support role with 9 to 12 months of general IT experience to one with 1 to 2 years of general IT experience, and with a significant part of that specific to network support and administration.

CompTIA Network+ is also an important and strongly recommended prerequisite to CompTIA Security+. Before you can secure a network, you must understand how it functions. In other words, you shouldn’t skip algebra to start with calculus. Otherwise, you are learning security skills and applying them to a network you don’t understand.

Now that we’ve covered the IT certifications in the cybersecurity pathway, let’s explore some of the common questions surrounding it.

Questions About the CompTIA Cybersecurity Career Pathway

Where should I start on the CompTIA Cybersecurity Career Pathway?

Fast track your career. Click here to subscribe today and save 10 percent on CompTIA products.

The pathway is intended to help people get into the field of cybersecurity. IT pros can enter at any point, depending on their IT experience, existing certifications or course of study. There are no required prerequisites for these CompTIA certifications. For example, if you have two years of IT security experience or equivalent knowledge, you might start with CompTIA Security+ to prove your knowledge. If you already have CompTIA Security+, you can move ahead to CompTIA CySA+, CompTIA PenTest+ or CASP+. Find your place on the CompTIA Cybersecurity Career Pathway.

Do I need to take these certifications in order? Do I need to take all of them?

No. This is a recommended pathway, but it’s not a requirement. It depends on your job needs or interests. In general, the pathway follows a hierarchy of skills needed for IT security; each certification builds upon the skills from the previous one. You can find the recommended level of experience for each certification on the page, Which Certification Is Right for Me?

Can I take these exams with no IT or cybersecurity experience?

Yes, you can, however we recommend a minimum amount of hands-on experience before taking any of our certifications. (Each one has different recommendations, found in the Exam Details section of the certification webpage.) But hands-on experience doesn’t have to be on-the-job experience. It could mean any hands-on work, including practical experience gained while taking a class or through self-study or by helping friends, family or local nonprofits with their IT and cybersecurity issues. CompTIA certifications mirror the current job roles of IT professionals, so it makes sense to earn these certifications to validate the knowledge and hands-on skills currently being used in the workforce, whether you have job experience or not.   

Do these certifications replace on-the-job experience?

If you are an IT professional or an employer, you understand the value of on-the-job experience. IT certifications are a great place to start, but they do not replace hands-on experience. If you have CompTIA certifications and on-the-job experience, you have the best of both worlds.

In summary, the recommended CompTIA Cybersecurity Career Pathway offers guidance for IT pros, employers, instructors and students. You can start wherever it makes sense, depending on your personal background, job requirements or course of study. The pathway is unique because it offers vendor-neutral skills for IT professionals to achieve cybersecurity mastery, from beginning to end.

Ready to start your cybersecurity career? Check out CompTIA Security+.

Patrick Lane is a director of product management for CompTIA. He manages IT workforce skills certifications, including CompTIA Cybersecurity Analyst (CySA+), CompTIA PenTest+ and CompTIA Advanced Security Professional (CASP+). He has implemented a wide variety of IT projects, including an intranet and help desk for 11,000 end users. Patrick has received certifications in CompTIA Network+, Security+, (ISC)2 CISSP, Microsoft MCSE and CIW Internetworking Professional and Server Administrator.

Jen Blackwell also contributed to this article. She is a senior products marketing manager at CompTIA and oversees the certifications along the CompTIA Cybersecurity Career Pathway.


  • Adonica Heard

    Thursday, October 5, 2017

    I have a voucher for Sec+ SY-401. How long do I have before it expires since 501 will be coming out in Oct? I saw online there is normally a grace period for a few months but I wanted to check.

  • Thursday, October 5, 2017

    Hi, Adonica! For about six months, we'll have both versions on the market, so you still have plenty of time to take SY-401. Good luck!

  • Thembani Dyomfana

    Monday, October 9, 2017

    Good day Sir / Madam I'm interested in IT Fundamentals+ 

  • dmccraw

    Monday, October 9, 2017

    Hi, Thembani! Thanks for your comment. That's great that you're interested in IT Fundamentals+! Check out the web page to learn more: On the site, you can download sample questions and exam objectives to help you study (under Exam Details), find training materials and classes (under Preparation) and buy a voucher for the exam. Good luck!

  • Matt

    Monday, October 9, 2017

    Hello! I was going to purchase the CompTIA Security+ Deluxe Bundle, then noticed that it applies to the SY0-401 certification exam only. Given I have not yet started any training, I don't think it would be in my best interest to purchase a voucher for an exam that expires in a few short months, considering the vouchers usually last 1 year. My employer approved my request to fund the Deluxe bundle, but not everything individually which would be much more costly. Any suggestions for what my best option(s) might be? Thanks!

  • CompTIA

    Tuesday, October 10, 2017

    Hi, Matt! Thanks for your comment. The two versions of Security+ will overlap for about six months, so you do still have some time to prepare for and take the 401 exam. Once you pass a CompTIA exam, your certification is good for three years, so it wouldn't be a waste either way. That said, cybersecurity has changed a lot in the past three years, and the CompTIA Cybersecurity Career Pathway has as well! When we developed SY0-401, there was no CySA+, so Security+ had to cover a wider spectrum of cybersecurity topics. Only you can decide which would be the best option for you. You can either purchase the SY0-401 bundle now, study and take the exam within six months, or, if you can wait until mid-November, we'll have a new bundle when the updated CertMaster for Security+ comes out. Good luck!

  • Ashutosh

    Friday, October 13, 2017

    Awesome information

  • Steve

    Tuesday, October 17, 2017

    If we have current Security+ certification, does the CySA+ fulfill requirements of Security+ re-certification?

  • dmccraw

    Tuesday, October 17, 2017

    Hi, Steve! Thanks for your question. CySA+ fully renews Security+. You can read more about how getting a higher-level certification can renew lower-level certifications here:

  • Lamanday

    Wednesday, October 18, 2017

    Good Evening, My bachelor's degree is in psychology with a double minor in sociology and criminal justice studies. My master's is in counseling. I am interested in making a career change into the IT field, specifically into security. I have no prior knowledge of IT, at all. I recently completed a Intro to Cyber Security and I am scheduled to begin the IT Fundamentals+ course in 2 weeks. What path would you take to eventually end up with a CEH and eventually a CISSP certification? Would you recommend that I take the fundamentals course or is it possible to start a little further along on the path. Any suggestions are greatly appreciated!

  • dmccraw

    Wednesday, October 18, 2017

    Hi, Lamanday! Thanks for your question. Congratulations on taking the first steps to a career in IT! As for where to start, it really depends on your level of expertise. Some people need IT Fundamentals+ (ITF+) to provide a solid foundation of IT knowledge, while others can jump right in CompTIA A+. Take a look at the exam websites and download the sample questions and exam objectives to see where your skill level is. In terms of a cybersecurity pathway, the CompTIA Certifications Career Roadmap can help you plan out your certification journey. Look under the Information Security section to see what certifications can help you work your way up to CEH and CISSP. In the CompTIA pathway, Network+, Security+ and CySA+ would all be good options leading up to CEH. Good luck!

  • Bahar Bozorgkhoo

    Thursday, October 19, 2017

    Hi, I have very little experience in IT, I am going to change my career and start cyber security, what is the first step?

  • aziz

    Friday, October 20, 2017

    excellent & helpful information

  • dmccraw

    Friday, October 20, 2017

    Hi, Bahar! Congratulations on getting started in IT and cybersecurity. Our cybersecurity hub has some great resources for getting into cybersecurity: If you need to build up your foundational IT skills, you'll probably want to start with CompTIA A+, or even CompTIA IT Fundamentals+. We offer CertMaster training for both of those, which is interactive, online training that will not only prepare you for the exam but help you gain the skills you need to further your career. Good luck!

  • Jamiu A Ahmed

    Thursday, October 26, 2017

    I am CompTia LX0-103 and 104 Certified, and currently studying privately for CySA and would like to register for the course and the certification. Kindly send me the link to register. God bless. Jamiu Ahmed.

  • Krishna

    Thursday, October 26, 2017

    Hi, I have 15 yrs of experience in IT. I want to appear for Seurity+ exam but confused between SY0-401 and SY0-501. Can you please give more information on these two. How they are different or if similar. Also, if SY0-501 exam is taken then will it include SY0-401? I still need to prepare for exam before registering for the exam. From where can I download require book/exam material and which is the official course book. Thanks

  • dmccraw

    Friday, October 27, 2017

    Hi, Krishna! Thanks for your comment. SY0-401 was developed before we had CySA+, so it had to cover a much broader range of security topics. Now that CySA+ serves as an intermediate cybersecurity exam, SY0-501 covers foundational cybersecurity knowledge, including risk management, data and host security, and cryptography. You can read more about the new exam here: You can also download exam objectives and sample questions for both versions from the Security+ product page and compare them to see what would be the best option for you: This page also includes training materials, including CertMaster, an interactive, online training tool. If you choose the 401 exam, you can start CertMaster now. If you choose 501, you'll have to wait a few months until we release CertMaster for the new exam. Good luck!

  • do you have training center in turkey..?

    Saturday, November 4, 2017

    if you have a centers in turkey so plz provide me the adresses so i can joining comptia as soon as possible. thanks.

  • Robert

    Sunday, November 5, 2017

    Being already Security+ certified, and having a few months of industry experience, is CySA+ really required/recommended, or can I go straight to CASP? Also, why doesn't CASP have a "+" on the end of it - is this an oversight?

  • Tuesday, November 7, 2017

    Hello! Yes, we have testing centers in Turkey. Go to this link to find the nearest testing center:

  • dmccraw

    Tuesday, November 7, 2017

    Hi, Robert! Everyone takes a different path to certification. Some people find that going from Security+ to CySA+ to CASP is best for them while others may skip around. CASP is recommended for cybersecurity professionals with at least 5 years of experience, whereas CySA+ is for those with 3-4 years of experience. Check out the exam objectives for both to determine where your skills like and which certification is best for you: Also, CASP without the plus is not an oversight. CASP stands for CompTIA Advanced Security Practitioner - no plus required.

  • K

    Thursday, November 9, 2017

    Thank you for this guide, I've been looking for some direction as to what is required for penetration testing. Your assistance has been invaluable.

  • A.J.

    Tuesday, November 14, 2017

    I'm finding that many employers are not familiar with your top-tier security certifications. Very few job postings list the CASP, and I've had to add explanatory notes on resumes and in cover letters. Yet, two years after earning my CASP certification (on top of a career with 20+ years of experience, including security experience), I've had few interviews and recruiters keep asking if I plan to get better known certifications, like the CISSP or CISA. What good are the certifications if employers don't value them?

  • Thursday, November 16, 2017

    Hi, A.J.! CASP is gaining popularity as a hands-on alternative to CISSP. It's a unique certification for a unique audience: the U.S. Navy requested its development to assess the advanced technical skills of cybersecurity pros who didn’t want to go into management. The Navy found its “tech geeks” wanted to remain at the command line close to the data centers. As with A+, Network+ and Security+, it can take many years for a cert to reach global awareness. CASP will probably never reach the popularity of Security+ because it appeals to a much smaller audience – advanced cybersecurity pros. We are working with enterprises and governments to raise the awareness of CASP. As more people take the exam and CompTIA continues to promote it, you should see an increased awareness of it.

  • Matt

    Friday, November 24, 2017

    Does the CompTIA CySA+ certification renew the A+, Network+, and Security+ ?

  • dmccraw

    Monday, November 27, 2017

    Hi, Matt! Yes, CySA+ renews A+, Network+ and Security+. You can read more here:

  • Alfredia

    Friday, January 5, 2018

    I am currently pursuing my bachelor degree in information system with a concentration of cyber security. I currently have the Comptia A+ certification since 2010. I have six classes left, currently in two of the classes. I haven't worked in cyber security yet, just wanted a career change. I am looking forward in learning more about my career. Any suggestion on the start of my job opportunity in this field.

  • Gman

    Friday, July 6, 2018

    Although, Security 401 is expiring on July 31, 2018. Do they still keep this test active for a few minutes? If so, is it active until December 31, 2018? Can I still take Security + 401 by September 28, 2018? If possible Thanks,

  • Tuesday, July 10, 2018

    Hi, Gman! Thanks for your question. We released Security+ (SY0-501) in October 2017, so there was already a period of overlap where both exams were available. When SY0-401 retires on July 31, 2018, it will no longer be available. If you've purchased a voucher, be sure to take the exam before July 31. If you haven't purchased a voucher, check out the exam objectives and practice questions for SY0-501 so you can adjust your studies and take that exam when you're ready. Good luck!

  • Mike

    Sunday, December 16, 2018

    Hey, So I passed the Security+ certification, would I still need the A+ and Network+ exams or is having the security just better?

  • Monday, December 17, 2018

    Hi, Mike! Thanks for your question. Although CompTIA certifications build upon one and other, candidates may choose to take whichever one(s) make sense for their experience and career path. You don't have to go back and get A+ and Network+ if you already have Security+, however, A+ and Network+ will give you the foundation of computer networking and problem solving. And if you have all three, that will earn you the stackable certification CompTIA Secure Infrastructure Specialist (CSIS). On the other hand, if you are already working in cybersecurity and want to gain higher-level certifications, CompTIA Cybersecurity Analyst (CySA+) or PenTest+ may be the right choice for you. Check out the exam objectives to learn more:

  • J.J.

    Saturday, April 13, 2019

    I notice that in your discussions of the progression of security certifications, you never mention the Penetration (PenTest+) even though it is still in the graphic near the beginning of the article. Is the PenTest certification being dropped/phased out or is the text of the article not updated to include it?

  • Monday, April 15, 2019

    Hi, J.J.! Thanks for your question. No, we are not dropping PenTest+. This article was written prior to the launch of our penetration testing certification. It looks like we updated the graphic but did not add any new information. Thanks to your comment, I've added a link to learn more about PenTest+.

  • RAJ

    Friday, June 7, 2019

    I have 20 years experience running a break fix Computer Repair business but it is declining and I am looking to take my skills into a new field . Any suggestions on how to proceed?

  • Friday, June 7, 2019

    Hi, Raj! Thanks for your question. Computer repair involves problem solving and troubleshooting, which are prevalent in all areas of IT. Think about whether you want to continue working on equipment - like networks and servers - or if you want to move into something virtual, like the cloud or cybersecurity. The skills you've developed over the years can be applied in a number of ways. When you decide which way you want to pivot, research what kinds of jobs are available and how to get into them. Our Your Next Move series might help: Good luck!

  • CJ

    Monday, June 24, 2019

    I have 0 experience in IT and cyber. I do have an MS Emergency Management w/ a focus in planning and mitigation as well as an MS Security Management w/ a focus in physical security. My work experience is writing policy, SOPs and other security/emergency plans. I will like to get a CompTIA credential that can add to my experience and education. Any suggestions?

  • Monday, June 24, 2019

    Hi, CJ! Thanks for your question. That's great that you want to get into cybersecurity - it sounds like you certainly have skills that would apply! But in order to secure a network, you need to understand how the network works, so you may want to start by gaining some IT knowledge and experience. That might mean getting CompTIA A+ or Security+ certified, tinkering on your own machine or volunteering to help friends, family and local nonprofits who need IT support. You may need to work your way up, but it will be worth it to land your dream job in cybersecurity. Good luck!

  • Bradd

    Thursday, August 29, 2019

    Hi, I would like to to change careers and go into cloud I need to start with A+ to S+ or I can just go into cloud + ? Please advise.

  • Thursday, August 29, 2019

    Hi, Bradd! Thanks for your comment. It really depends on your current skill level. If you don't have any IT experience, CompTIA A+ and Security+ can give you the foundational knowledge you need before getting into cloud computing. But, if you have basic IT knowledge, you could potentially go right to Cloud+. I would suggest looking at the recommended experience levels for each exam (on the certification web pages) and also downloading the exam objectives (they're free) to see where your knowledge lies. Good luck!

  • Alex

    Monday, September 9, 2019

    Hello, I have my A+ and Network+ currently but I am wanting to move into a Cyber Security role within my company. I have been taking DHS training for Security+ but I feel like the CySa+ would be a better cert to have. How does it work if I took the CySa+ certification and passed (let's just say hypothetically I do)? From my understanding the CySa+ certification is Mid-level and renews the ones below it but if I hadn't taken the Security+, would this still happen? I know I should look at taking the Security+ exam prior to the CySa+ and I am weighing my options. Seeing as I am paying for my certifications myself I want to make sure that I make the most of the money that I have. *True if I don't pass the CySa+ exam then I would be out the money, but same would be true if I don't pass the Security+ exam. Thanks in advance for your time, -Alex

  • Monday, September 9, 2019

    Hi, Alex! Thanks for your question. The good news about CompTIA certifications is that you can take the one that makes the most sense for you. So, if you feel you are able to skip Security+ and jump right to CySA+, that is completely fine. However, if you want to be able to list Security+ on your resume, you would need to pass that exam separate from CySA+. Once you have Security+, earning higher-level certs will renew it automatically, but taking higher-level certs does not automatically add the credential. If you do skip to CySA+, it would, however, automatically renew A+ and Net+ because you have already earned them. I hope that makes sense! Check out the exam objectives and practice tests for both Security+ and CySA+ to see which one is right for you. Good luck!

Leave a Comment

Boost your Career with a Certification

Find out more about our Certifications

How to get Certified

4 Steps to Certification

Already certified? Let us and others know!

Share Your Story