Appendix H: Certification Roadmap

Chapter 39 made the core argument and it is worth repeating before you spend a dollar or a month: a certification is a door-opener, not a skill. It gets your résumé past an automated filter and a human recruiter, it forces a structured tour through a body of knowledge, and for some roles — government, regulated industries, large enterprises — it is a hard requirement. It does not prove you can do the job. The lab, the portfolio, and the work prove that. Hold both facts at once and the certification landscape stops being intimidating and starts being a tool you use deliberately.

This appendix is the field reference behind §39.3. For each major credential it states who it's for, its level (entry / mid / advanced-management), the domains it covers, and — the part you cannot get from a vendor's marketing page — which chapters of this book map to it, so you can use what you have already read as exam preparation. It closes with recommended sequences by career track.

A standing caution, applied to this entire appendix. Exam codes, prices, question counts, passing scores, experience requirements, and continuing-education rules change, and they differ by region and over time. This appendix deliberately does not quote exam numbers, prices, or passing scores, because the moment they are printed they are wrong somewhere. Treat every level and domain description here as a durable summary of intent and scope, and always confirm the current details with the issuing body before you commit money or months. Anything below that is an approximation or a moving target is flagged inline.


How to read the levels

Three stages run through everything that follows, the same three from §39.3. Matching the stage to your stage is the single most important decision, and the most common expensive mistake is reaching past your stage for a credential that signals more than your experience can back.

  • Entry / foundational — little or no professional experience assumed. Establishes baseline vocabulary and breadth. This is where almost every reader should start.
  • Mid / intermediate — a few years of relevant work assumed; role-specific depth (blue team, GRC, cloud). You specialize here.
  • Advanced / management — senior, often with a multi-year experience requirement that gates the full credential (you may be able to pass the exam earlier and hold an associate status until the experience accrues). These attest to breadth, leadership, or deep specialist mastery.

A second framing that helps: certifications come from a few issuing bodies, and knowing the body tells you a lot about the credential's flavor. CompTIA credentials are vendor-neutral and broad. (ISC)² credentials lean toward management and breadth. ISACA credentials are audit-, risk-, and governance-flavored. GIAC (the certification arm associated with SANS training) credentials are deep, hands-on, and practitioner-focused. The cloud providers (AWS, Microsoft Azure, Google Cloud) certify security on their own platforms. Vendor certifications attest to a specific product. Each is described in its own right below.


The CompTIA ladder (vendor-neutral, broad)

CompTIA's security credentials form a clean ladder from foundational to advanced, and because they are vendor-neutral and widely recognized, they are the most common starting point — especially the first rung.

CompTIA Security+ — the standard first cert

  • Who it's for: Everyone entering the field. If you read one certification recommendation in your career, it is this one as your first.
  • Level: Entry / foundational.
  • Domains (in scope, summarized): general security concepts; threats, vulnerabilities, and mitigations; security architecture; security operations; and security program management and oversight (governance, risk, compliance basics). The exact domain weighting is revised periodically — confirm the current objectives with CompTIA.
  • This book's prep: The whole book maps to it, which is by design — finishing this volume covers nearly everything Security+ tests. Weight especially Chapters 1–7 (foundations, crypto, network security), 16 (authentication), and 26–28 (governance, risk, compliance). The key-takeaways.md file in each chapter tags the Security+-relevant material.
  • Note: Vendor-neutral, broadly accepted as a baseline by many employers and the U.S. government for certain roles. Its body of knowledge maps almost one-to-one onto this book.

CompTIA Network+ — the networking base

  • Who it's for: Newcomers whose networking fundamentals are weak. Not strictly a security certification, but a frequent prerequisite-in-spirit, because you cannot defend a network you do not understand.
  • Level: Entry / foundational (often taken before Security+ if needed).
  • Domains: networking fundamentals, implementations, operations, security basics, and troubleshooting.
  • This book's prep: Chapters 6–7 (TCP/IP, ports, segmentation, firewalls) and 10 (network monitoring). This book is a security book, not a networking primer, so Network+ candidates should pair these chapters with a dedicated networking resource.

CompTIA CySA+ (Cybersecurity Analyst) — the blue-team analyst's cert

  • Who it's for: SOC analysts and aspiring threat detectors — the natural next step after Security+ for the defensive-operations track.
  • Level: Mid / intermediate.
  • Domains: security operations; vulnerability management; incident response and management; and reporting and communication. It is behavior- and analysis-focused — built around the daily work of a SOC.
  • This book's prep: Part V (Chapters 21–25) is the core — SIEM, threat detection and hunting, vulnerability management, incident response, and forensics — plus Chapter 2 (threat landscape) and Chapter 10 (network monitoring). This is the cleanest mapping in the book after Security+.

CompTIA PenTest+ — the authorized-testing cert

  • Who it's for: Those moving toward authorized penetration testing and vulnerability assessment. Listed here for completeness and so you recognize it; this defensive book does not train offensive testing — that is the companion offensive volume's job.
  • Level: Mid / intermediate.
  • Domains: planning and scoping (including the legal/authorization framing), information gathering and vulnerability scanning, attacks and exploits, reporting and communication, and tools/code analysis.
  • This book's prep: Partial and indirect. The defensive understanding of the attacks PenTest+ covers lives in Chapters 12–13 (application/web attacks and their defenses), 6–7 (network attacks), and 23 (vulnerability scanning from the defender's side). Use this book to understand what these techniques do and how to detect them; use authorized, scoped resources to practice the offensive side legally.

CompTIA CASP+ / SecurityX (advanced practitioner) — the senior technical cert

  • Who it's for: Senior security engineers and architects who want an advanced, hands-on, vendor-neutral credential that stays technical rather than pivoting to management. (CompTIA's advanced practitioner certification has been undergoing a rename/refresh; confirm the current name and code with CompTIA — it is one of the moving targets flagged above.)
  • Level: Advanced (technical, not management).
  • Domains (summarized): security architecture, security operations, governance/risk/compliance at an engineering depth, and security engineering and cryptography.
  • This book's prep: Broad — Parts II–IV (network, system, identity), Part VII (DevSecOps, zero trust, OT, AI/ML in security), and Chapters 4–5 (cryptography). It is a synthesis credential, much like this book's later parts.

(ISC)² credentials (management and breadth)

(ISC)² credentials are widely demanded, lean toward breadth and leadership, and several carry a formal experience requirement that gates the full credential.

(ISC)² SSCP (Systems Security Certified Practitioner) — the hands-on operations cert

  • Who it's for: Hands-on practitioners — analysts, administrators, engineers — who operate and implement security day to day. Often described as a more operational, practitioner-level counterpart to the management-oriented CISSP from the same body.
  • Level: Foundational–intermediate (an experience requirement applies for the full credential — confirm with (ISC)²).
  • Domains (summarized): security operations and administration; access controls; risk identification/monitoring/analysis; incident response and recovery; cryptography; network and communications security; and systems and application security.
  • This book's prep: Parts II–V broadly — network security, system/application security, identity, and security operations — plus Chapters 4–5 (cryptography). A wide but practical mapping.

(ISC)² CISSP (Certified Information Systems Security Professional) — the management-breadth milestone

  • Who it's for: Mid-to-senior practitioners moving toward security management, and a near-ubiquitous requirement on senior and leadership job postings. Not a first certification.
  • Level: Advanced / management. It carries a multi-year experience requirement for the full credential; you may be able to pass the exam earlier and hold an Associate of (ISC)² status until the experience accrues. Confirm the current requirement with (ISC)².
  • Domains: the eight CISSP domains — security and risk management; asset security; security architecture and engineering; communication and network security; identity and access management; security assessment and testing; security operations; and software development security.
  • This book's prep: The entire book — and satisfyingly, the eight CISSP domains correspond roughly to the eight parts of this volume, which is part of why this book is a reasonable long-horizon companion to CISSP study. Map domain by domain: risk management ≈ Parts I & VI; architecture/engineering ≈ Parts I–III & VII; network ≈ Part II; identity ≈ Part IV; assessment/testing ≈ Chapters 23 & 22; operations ≈ Part V; software security ≈ Chapters 12–13 & 31.
  • The pitfall (from §39.3): Chasing CISSP first earns a "manager" signal on a résumé that says "no experience," which helps no one. Aim for it when you have the years it requires. Until then, put the energy into Security+, a specialization cert, and the lab.

(ISC)² CCSP (Certified Cloud Security Professional) — the vendor-neutral cloud cert

  • Who it's for: Practitioners specializing in cloud security who want a vendor-neutral credential (as opposed to a single provider's certification).
  • Level: Intermediate–advanced (an experience requirement applies — confirm with (ISC)²).
  • Domains: cloud concepts/architecture/design; cloud data security; cloud platform and infrastructure security; cloud application security; cloud security operations; and legal, risk, and compliance for cloud.
  • This book's prep: Chapter 15 (cloud security) is the core, with Chapters 31 (DevSecOps) and 32 (zero trust) extending it, and Part IV (identity) underpinning it — because in the cloud, identity is the perimeter.

ISACA credentials (audit, risk, governance)

ISACA's credentials are the GRC track's natural home — audit-, risk-, and management-flavored. Each carries an experience requirement for the full credential; confirm specifics with ISACA.

ISACA CISA (Certified Information Systems Auditor) — the audit cert

  • Who it's for: IT auditors and GRC professionals whose work centers on assessing and assuring controls. A long-established, widely recognized audit credential.
  • Level: Intermediate–management.
  • Domains (summarized): the information systems auditing process; governance and management of IT; information systems acquisition, development, and implementation; operations and business resilience; and protection of information assets.
  • This book's prep: Chapters 26 (governance), 28 (compliance frameworks and audit), and 36 (metrics and reporting), with Chapter 27 (risk) as context.

ISACA CISM (Certified Information Security Manager) — the security-management cert

  • Who it's for: Security managers and aspiring CISOs — the management-track credential focused on running a security program rather than operating tools.
  • Level: Management.
  • Domains: information security governance; information security risk management; information security program development and management; and information security incident management.
  • This book's prep: Chapters 26–27 (governance and risk), 36 (metrics/board reporting), 37 (building and leading the function), and 38 (the capstone — building and presenting a complete program), which is essentially a worked CISM-domain exercise.

ISACA CRISC (Certified in Risk and Information Systems Control) — the risk cert

  • Who it's for: Risk professionals — those who identify, assess, and govern enterprise IT risk and the controls that treat it.
  • Level: Intermediate–management.
  • Domains (summarized): governance; IT risk assessment; risk response and reporting; and information technology and security (the control side).
  • This book's prep: Chapter 27 (risk management — the ALE, risk register, treatment, and appetite material) is the core, with Chapter 29 (third-party/supply-chain risk) and Chapter 36 (risk reporting and burndown).

Cloud security certifications (provider-specific)

Each major cloud provider certifies security on its own platform. These are intermediate, in-demand, and best chosen to match the platform your employer (or target employer) actually uses. The three providers' programs are restructured periodically and the exact certification names and codes change — confirm the current security certification name with the provider; the descriptions below are by intent, not by exam code.

  • AWS — cloud security specialty (provider-specific). For practitioners securing workloads on Amazon Web Services. Covers identity and access management (IAM), data protection and encryption (KMS), infrastructure and network security, logging and monitoring (CloudTrail and related), and incident response in AWS. This book's prep: Chapter 15 (Meridian's AWS footprint is the running example), plus Part IV (identity) and Chapter 32 (zero trust).
  • Microsoft Azure — security credentials (provider-specific). For practitioners securing Microsoft Azure and the Entra ID / M365 ecosystem (which Meridian also runs). Microsoft's security certifications cover identity and access, platform protection, security operations, and data/application security on Azure; the role-based certification names are revised periodically — confirm with Microsoft. This book's prep: Chapter 15, Chapter 18 (identity governance, including Entra ID and directory services), and Part V (operations).
  • Google Cloud — security credentials (provider-specific). For practitioners securing Google Cloud Platform. Covers cloud identity, network and data security, and security operations on GCP. This book's prep: Chapter 15, Part IV, Chapter 32.

Choosing a cloud cert. Pick the provider your organization runs. A platform-specific certification is most valuable where that platform is in use; a candidate for a shop that is AWS-first should generally certify on AWS. If you want a vendor-neutral cloud credential instead — to demonstrate cloud security breadth independent of provider — the (ISC)² CCSP above is the common choice. Many cloud specialists eventually hold one provider certification plus CCSP.


GIAC credentials (deep, hands-on, practitioner)

GIAC certifications (the certification arm associated with SANS training) are known for depth and a hands-on, practitioner orientation. They tend to be intermediate-to-advanced, are highly respected in operational roles, and are frequently the credentials a blue-team practitioner pursues after CySA+ to go deeper. The GIAC catalog is large; three are especially relevant to this book's defensive focus.

  • GIAC GSEC (Security Essentials). A broad, hands-on security-essentials credential — a practitioner-oriented counterpart to the foundational tier, covering core defensive concepts across networking, cryptography, access control, and operations. Level: intermediate (hands-on). This book's prep: Parts I–IV broadly.
  • GIAC GCIH (Certified Incident Handler). Focused on incident handling and the attacker techniques a responder must recognize — detection, containment, eradication, and recovery. Level: intermediate–advanced. This book's prep: Chapter 24 (incident response) is the core, with Chapter 2 (attacker TTPs), Chapter 22 (detection), and Chapter 25 (forensics).
  • GIAC GCIA (Certified Intrusion Analyst). Focused on intrusion detection and traffic analysis — reading packets, tuning detection, and recognizing malicious activity on the wire. Level: intermediate–advanced. This book's prep: Chapter 10 (network monitoring and traffic analysis) and Chapters 21–22 (SIEM, detection engineering).

A note on GIAC scope and cost. GIAC offers many more certifications than the three above (forensics, malware analysis, OT/ICS, cloud, detection, and more), each typically paired with in-depth training. These are deep, role-specific credentials usually pursued mid-career once you know your specialization. They are also, as a class, among the more expensive certifications — another reason to pursue them deliberately, after a foundation, rather than early. Confirm current offerings and requirements with GIAC.


Offensive and vendor certifications (named for recognition)

Two more categories round out what you will see on résumés and job postings, named here so you recognize them — not because this defensive book trains for them.

  • Offensive security certifications (e.g., OffSec OSCP). The OSCP is a famously hands-on, well-respected credential for authorized penetration testing, requiring a practical exam against a lab environment. It is advanced and is for people heading into offensive roles — which, as Chapter 39 stressed, almost always come after a defensive or engineering foundation, not as a first job. This defensive book does not train offensive exploitation; the companion offensive volume does. We list OSCP (and PenTest+ above) so you recognize them and understand the attacks well enough to defend against them.
  • Vendor / product certifications. Many security vendors certify proficiency in their own products — firewalls, SIEM platforms, endpoint/EDR tools, identity platforms, cloud-security tooling, and so on. Who they're for: practitioners who operate a specific product, especially where an employer has standardized on it. Level: varies (entry to advanced) by product and tier. Value: high where that product is in use, lower as a portable signal. This book's prep: the concepts behind the products — e.g., Chapter 7 for firewall/IDS products, Chapter 21 for SIEM products, Chapter 11 for EDR, Part IV for identity platforms — so that learning a specific vendor's tool is learning its interface on top of fundamentals you already hold. We do not name or endorse specific vendor certifications here, because the landscape shifts and naming a few would slight the rest; check which products your target role uses and look up that vendor's program.

The whole landscape, on one page

The table below consolidates the credentials above by stage and neighborhood, with the chapters that prepare you. It mirrors and extends the table in §39.3. These are real certifications; the descriptions are accurate, but exam codes, prices, and exact requirements change — confirm current details with the issuing body before committing.

Certification                              | Body            | Stage                     | Best for (neighborhood)                   | This book's prep
-------------------------------------------|-----------------|---------------------------|-------------------------------------------|------------------------------------------------
Security+                                  | CompTIA         | Foundational              | Everyone — the standard first cert        | The whole book; esp. Ch.1–7, 16, 26–28
Network+                                   | CompTIA         | Foundational              | Networking base before security           | Ch.6–7, 10 (+ a networking primer)
CySA+                                      | CompTIA         | Intermediate              | Blue team / SOC analyst                   | Part V (Ch.21–25), Ch.2, 10
PenTest+                                   | CompTIA         | Intermediate              | Authorized testing (offensive)            | Ch.12–13, 6–7, 23 (defensive view only)
CASP+ / SecurityX (name in flux)           | CompTIA         | Advanced (technical)      | Senior engineer / architect               | Parts II–IV, VII; Ch.4–5
SSCP                                       | (ISC)²          | Foundational–intermediate | Hands-on operations                       | Parts II–V broadly; Ch.4–5
CISSP                                      | (ISC)²          | Advanced / management     | Breadth; leadership                       | The entire book (8 domains ≈ 8 parts)
CCSP                                       | (ISC)²          | Intermediate–advanced     | Cloud (vendor-neutral)                    | Ch.15, 31–32; Part IV
CISA                                       | ISACA           | Intermediate–management   | Audit / GRC                               | Ch.26, 28, 36
CISM                                       | ISACA           | Management                | Security management / GRC leadership      | Ch.26–27, 36–38
CRISC                                      | ISACA           | Intermediate–management   | Risk management                           | Ch.27, 29, 36
AWS / Azure / GCP security (names vary)    | Cloud providers | Intermediate              | Cloud security (provider-specific)        | Ch.15, 18, 31–32; Part IV
GSEC / GCIH / GCIA                         | GIAC/SANS       | Intermediate–advanced     | Deep blue team / IR / intrusion analysis  | Ch.10, 21–25
OSCP                                       | OffSec          | Advanced                  | Red team / pentest (offensive)            | (Companion offensive volume)
Vendor / product certs                     | Various         | Varies                    | Operating a specific product              | Concept chapters per product (e.g., Ch.7, 11, 21)

A roadmap that says "get everything" says nothing. Here are concrete, opinionated sequences for the four tracks this book serves. Each starts in the same place — Security+ — because foundational breadth comes first regardless of where you are headed. After that, the paths diverge by neighborhood. These are common, sensible sequences, not rules; your employer's requirements, your region, and the credentials' evolving details should adjust them.

🛡️ SOC analyst / blue team

  Security+  ──►  CySA+  ──►  GIAC GCIH or GCIA  ──►  (later) CISSP for breadth
  (foundation)   (analyst    (deep IR / intrusion      (when the experience
                  depth)      analysis)                  requirement is met)
  1. Security+ — the foundation; you are most of the way there having read this book.
  2. CySA+ — formalizes the SOC skill set (Part V is your prep). This is the cert that most directly says "SOC analyst."
  3. GIAC GCIH (incident handling) or GCIA (intrusion analysis) — go deep where your role specializes (response vs. detection). Pursue mid-career; these are deeper and costlier.
  4. Later: CISSP for breadth as you move toward senior or lead roles. Not early.

🏗️ Security engineer / architect

  Security+  ──►  a cloud security cert  ──►  CASP+/SecurityX or CCSP  ──►  CISSP
  (foundation)   (match your platform)      (advanced technical)         (breadth/seniority)
  1. Security+ — foundation. Add Network+ first if your networking is weak.
  2. A cloud security certification matching your employer's platform (AWS/Azure/GCP) — because nearly everything you will build runs in the cloud (Chapter 15 prep).
  3. CASP+ / SecurityX (advanced, stays technical) or CCSP (vendor-neutral cloud depth) — to deepen architecture and engineering breadth (Parts II–IV, VII prep).
  4. CISSP as you approach architect/lead roles, for the breadth those roles demand.

📋 GRC / governance, risk, and compliance

  Security+  ──►  CISA or CRISC  ──►  CISM  ──►  CISSP (optional, for breadth)
  (foundation)   (audit / risk)     (security    (senior leadership)
                                     management)
  1. Security+ — even GRC professionals benefit from the technical baseline; it makes you credible with the engineers whose controls you govern.
  2. CISA (if your work is audit-leaning) or CRISC (if risk-leaning) — choose by where your role sits (Chapters 26–28 prep for CISA; Chapter 27 for CRISC).
  3. CISM — the security-management credential as you move toward leadership (Chapters 26–27, 36–38 prep).
  4. Optional: CISSP for breadth, particularly if you may cross between GRC and technical leadership. As §39.2 noted, GRC is one of the most direct routes toward management and the CISO chair, and these credentials are its currency.

☁️ Cloud security

  Security+  ──►  one provider's security cert  ──►  CCSP  ──►  (later) CISSP
  (foundation)   (AWS/Azure/GCP — your platform)   (vendor-neutral   (breadth)
                                                     cloud breadth)
  1. Security+ — foundation.
  2. A provider security certification for the platform you work on (Chapter 15 prep). This is the highest-leverage early move for a cloud specialist.
  3. CCSP — vendor-neutral cloud breadth, demonstrating you understand cloud security independent of any one provider (Chapters 15, 31–32 prep).
  4. Later: CISSP as you broaden toward architecture and leadership.

Using this book as exam preparation

A closing, practical word on turning what you have read into a passed exam. Three habits make the difference, and all three lean on material already in your hands:

  1. Reread the key-takeaways.md files. Each chapter's takeaways card is built to be dense, skimmable, and exam-oriented — roughly 80% tables, checklists, and decision rules — and several items in each are tagged to the Security+ and CISSP domains. The §39.3 crosswalk and these cards together tell you which chapters cover which exam objectives.
  2. Do the quizzes. Each chapter's quiz.md includes questions deliberately written in the style of, and mapped to, Security+ and CISSP domains, with an answer key and a "topics to review" map. Retrieval practice beats rereading.
  3. Back every credential with a story. As the §39.3 Defender's Lens warned: a certification gets you past a filter, but the interview tests what you have actually done. For every domain a cert covers, have a lab exercise or a piece of bluekit work you can speak to. A cert you cannot speak to is a liability, not an asset.

And the rule that outlives every exam code in this appendix: confirm the current details with the issuing body, match the stage to your stage, and never let the certificate get ahead of the competence. The credential opens the door; only demonstrated skill keeps you on the other side of it.