The cybersecurity market is growing at a rate of 12% annually, and according to the (ISC)² report, the world is short of 4 million security specialists. In Poland, demand for cybersecurity experts exceeds supply by 300%, and average salaries in this specialisation exceed PLN 15,000 gross per month. In this environment, certifications become a key differentiator in the job market.
If you’re considering a career in cybersecurity, you’ll inevitably face the question: which certification to choose? CompTIA Security+, CEH (Certified Ethical Hacker), or perhaps CISSP (Certified Information Systems Security Professional) straight away? Each of these certifications opens different doors and requires a different level of experience.
In this article, we’ll compare Security+, CEH and CISSP in detail in terms of knowledge scope, exam difficulty, costs, experience requirements and job market value in Poland. Whether you’re just starting your cybersecurity journey or already have several years of practice—this guide will help you choose the certification appropriate for your level and career goals.
CompTIA Security+ — cybersecurity foundation
CompTIA Security+ is an entry-level certification that provides an ideal starting point for people beginning a career in cybersecurity. Recognised as an industry standard for junior security roles, it’s often required as a minimum by employers in the public sector and by the US Department of Defense (DoD 8570 Directive).
Security+ knowledge scope
Security+ focuses on fundamental security concepts that every security specialist should know:
- Threats, attacks and vulnerabilities — recognising types of malware, phishing attacks, exploits and social engineering techniques
- Identity and Access Management (IAM) — multi-factor authentication, role-based access control (RBAC), AAA protocols
- Cryptography — symmetric and asymmetric encryption algorithms, hash functions, PKI, TLS/SSL
- Application, network and device security — firewalls, IDS/IPS, network segmentation, system hardening, secure coding
- Incident response — incident response procedures, digital forensics, risk management
- Governance, Risk and Compliance (GRC) — security policies, regulatory compliance (GDPR, ISO 27001), audits
Security+ doesn’t require deep technical knowledge, but expects understanding of basic security mechanisms and the ability to apply this knowledge in practical scenarios.
Exam format and requirements
Security+ exam details (SY0-701, current version since November 2023):
- Format: 90 questions — multiple choice and performance-based questions (practical simulations)
- Duration: 90 minutes
- Pass threshold: 750 points on a scale of 100-900 (approximately 83%)
- Language: English (officially), translations available at some Pearson VUE centres
- Certificate validity: 3 years (recertification required through CEU or higher CompTIA certificate)
Approximately 15-20% of the exam consists of performance-based questions (PBQs) — interactive simulations where you must configure a firewall, analyse security logs or diagnose an infrastructure problem. These tasks appear at the beginning of the exam and are more time-consuming than multiple-choice questions.
Prerequisites:
CompTIA officially recommends 2 years of IT experience with emphasis on security, but this isn’t a formal requirement. In practice, people with basic knowledge of networks (e.g., after CompTIA Network+ certification) and operating systems can take the exam after solid preparation.
Security+ cost
Costs in Poland (2026):
- Exam: $404 (approximately PLN 1,600)
- Study materials:
  - Books (e.g., Darril Gibson “CompTIA Security+ Get Certified Get Ahead”): PLN 150-300
  - Online courses (Udemy, Pluralsight): PLN 100-500
  - Practice tests (Jason Dion, Professor Messer): PLN 100-200
  - Authorised CompTIA training: PLN 2,500-4,000 (optional)
- Recertification after 3 years: 50 CEU (Continuing Education Units) or taking a higher CompTIA exam
Total cost: PLN 1,950-6,600 (depending on chosen preparation path)
Who is Security+ for?
Security+ is ideally suited for:
- Junior Security Analysts — who need an industry certification as proof of basic competence
- System/network administrators — who want to expand their competences into the security area
- People transitioning to security — without cybersecurity experience but with basic IT knowledge
- IT specialists in the public sector — where Security+ is often a formal requirement
- IT students — as a first security certification for their CV
Security+ isn’t a certification for advanced pentesters or security architects, but it provides a solid foundation upon which you can build a specialist security career.
CEH (Certified Ethical Hacker) — attacker’s perspective
CEH is a certification offered by EC-Council (International Council of E-Commerce Consultants) that focuses on an offensive approach to cybersecurity — thinking like a hacker to better defend systems. CEH is recognised as an intermediate-level certification and enjoys great recognition in roles related to penetration testing and red teaming.
CEH knowledge scope
CEH covers 20 thematic modules that guide through the complete cycle of penetration testing from an ethical hacker’s perspective:
- Reconnaissance — footprinting, network scanning, enumeration, social engineering
- Scanning and enumeration — Nmap, Nessus, OpenVAS tools, vulnerability identification
- Gaining Access — vulnerability exploitation, password attacks, session hijacking, man-in-the-middle
- Maintaining Access — trojans, rootkits, backdoors, covert channels
- Covering Tracks — log removal, steganography, tunnelling
- System-specific attacks:
  - Windows, Linux, macOS systems hacking
  - Web application hacking (OWASP Top 10, SQL injection, XSS, CSRF)
  - Mobile application hacking (Android, iOS)
  - Wireless network hacking (WEP, WPA/WPA2 cracking, evil twin attacks)
  - IoT and OT (Operational Technology) hacking
- Malware analysis — malware types, static and dynamic analysis
- Cloud security — attacks on AWS, Azure, GCP, misconfiguration
- Practical cryptography — breaking encryption, attacks on cryptographic implementations
CEH emphasises practical hacking tools — Metasploit, Burp Suite, Wireshark, John the Ripper, Hashcat, Aircrack-ng, SQLmap — and penetration testing methodologies compliant with CEH Hacking Methodology (CHM) frameworks.
Exam format and requirements
CEH v12 exam details (current version since 2022):
- Format: 125 multiple-choice questions
- Duration: 4 hours
- Pass threshold: variable (approximately 60-85%, EC-Council doesn’t publish exact threshold)
- Language: English
- Certificate validity: 3 years (120 ECE credits required for recertification)
The CEH exam focuses on theoretical knowledge and tool familiarity, but doesn’t require practical demonstration of hacking skills (unlike CEH Practical, which is an optional laboratory exam).
Prerequisites:
EC-Council offers two paths to CEH certification:
- With training: Completing official CEH training (5 days) entitles you to take the exam without experience verification
- Without training (self-study): Requires documentation of a minimum of 2 years of security experience plus a $100 application fee
In practice, most candidates choose the path with training because EC-Council materials are difficult to access without the official course.
CEH cost
Costs in Poland (2026):
- Official CEH training (5 days): PLN 10,000-15,000 (includes exam voucher)
- Exam without training: $1,199 + $100 application fee (approximately PLN 5,400)
- Self-study materials:
  - Matt Walker book “CEH Certified Ethical Hacker All-in-One Exam Guide”: PLN 200-400
  - Online courses (Udemy, INE): PLN 500-2,000
  - Lab environments (HackTheBox, TryHackMe, PentesterLab): PLN 200-500/year
- Recertification after 3 years: 120 ECE credits (conferences, webinars, courses) + $80 fee
Total cost: PLN 5,400-17,000 (depending on chosen path)
CEH is significantly more expensive than Security+, mainly due to the high price of official training and EC-Council’s policy making materials difficult to access for self-study candidates.
Who is CEH for?
CEH works best for:
- Pentesters and red teamers — who need a recognised certification for penetration testing work
- Security Analysts — who want to understand attacker techniques to better defend systems
- SOC specialists — for analysing alerts and recognising advanced TTP (Tactics, Techniques, Procedures)
- Security consultants — for credibility in client conversations about penetration testing
- People interested in offensive security — who want to formalise their hacking knowledge
CEH is NOT a certification for complete beginners — it requires solid foundations in networks, operating systems and security fundamentals (ideally Security+ or equivalent knowledge). CEH also won’t replace practical experience in pentesting, especially if you don’t obtain additional CEH Practical.
CISSP (Certified Information Systems Security Professional) — security career pinnacle
CISSP is the most widely recognised certification for experienced cybersecurity professionals, offered by (ISC)² (International Information System Security Certification Consortium). CISSP is often called the “gold standard” in the security industry and is required for many senior-level positions, particularly in managerial and architectural roles.
CISSP knowledge scope
CISSP covers 8 knowledge domains (CISSP CBK — Common Body of Knowledge) that together create a holistic picture of information security at the strategic and operational levels:
1. Security and Risk Management (15% of exam)
   - CIA triad concepts (Confidentiality, Integrity, Availability)
   - Governance, risk management, compliance
   - Ethics and law (cybercrime, privacy, intellectual property)
   - Business continuity planning (BCP) and disaster recovery planning (DRP)
   - Security policies, standards, procedures, guidelines
2. Asset Security (10%)
   - Data classification (public, internal, confidential, restricted)
   - Data lifecycle management (creation, storage, archiving, destruction)
   - Data privacy (GDPR, CCPA, data sovereignty)
   - Asset ownership and control management
3. Security Architecture and Engineering (13%)
   - Security models (Bell-LaPadula, Biba, Clark-Wilson)
   - Secure design principles (defence in depth, least privilege, fail-safe)
   - Advanced cryptography (PKI, key management, quantum cryptography)
   - Physical security (access control, CCTV, environmental controls)
   - Security in architectures (cloud, virtualisation, containers, microservices, IoT)
4. Communication and Network Security (13%)
   - Network security (network segmentation, DMZ, VPN, SDN)
   - Network protocols and their security (IPsec, TLS, DNSSEC, BGP security)
   - Network devices security (firewalls, IDS/IPS, proxies, load balancers)
   - Wireless security (Wi-Fi, Bluetooth, NFC, 5G security)
5. Identity and Access Management (13%)
   - IAM systems (authentication, authorisation, accounting)
   - Identity management (SSO, federation, directory services)
   - Access control (MAC, DAC, RBAC, ABAC)
   - Physical and logical access controls
   - Identity lifecycle management
6. Security Assessment and Testing (12%)
   - Security audits and vulnerability assessments
   - Penetration testing (ethics, methodologies, reporting)
   - Vulnerability management (scanning, prioritisation, remediation)
   - Security monitoring and log analysis
   - Software testing (SAST, DAST, fuzzing)
7. Security Operations (13%)
   - Investigations and forensics (chain of custody, e-discovery)
   - Incident management (detection, response, recovery, lessons learnt)
   - SOC operations (SIEM, threat intelligence, playbooks)
   - Disaster recovery and business continuity
   - Physical security operations
8. Software Development Security (11%)
   - Secure SDLC (waterfall, agile, DevSecOps)
   - Application security (OWASP, secure coding, code review)
   - Application vulnerability management
   - Software assurance (static analysis, dynamic testing, penetration testing)
   - Change control and configuration management
CISSP differs from Security+ and CEH in that it’s a “mile wide, inch deep” certification — it covers all areas of information security, but at managerial and architectural level, not purely technical. CISSP doesn’t expect you to configure firewalls (that’s an engineer’s competence), but to understand when and why a firewall is an appropriate security control in enterprise architecture.
Exam format and requirements
CISSP exam details (current version):
- Format: CAT (Computer Adaptive Testing) — 125-175 questions (exam adjusts difficulty based on answers)
- Duration: 3-4 hours (depending on number of questions)
- Pass threshold: 700 points on a scale of 0-1000
- Language: English (officially), translations available in several languages (including German, Japanese, Korean, Chinese — no Polish)
- Question type: Multiple choice and drag-and-drop questions, often scenario-based requiring situation analysis and choosing the “most appropriate” solution
- Certificate validity: 3 years (40 CPE credits required annually, i.e., 120 CPE in 3-year cycle)
CAT format means the exam adapts — if you answer difficult questions correctly, you get even harder ones. The exam can end after 125 questions (if the algorithm determines with 95% certainty that you’ve passed or failed), or continue to 175 questions (if the result is borderline).
CISSP questions are notoriously difficult and ambiguous — you often choose not the “correct” answer, but the “most correct from a managerial viewpoint”. Sample question:
“Your company has experienced a security breach due to phishing. What SHOULD be the first action?”
- A) Change all user passwords
- B) Launch incident response procedure
- C) Notify management
- D) Train employees in security awareness
In this case, answer B is “most correct” from CISSP’s perspective, because every organisation should have a formal incident response procedure defining the sequence of actions. Other answers may be part of that procedure, but CISSP prefers an approach based on policies and governance.
Prerequisites (MANDATORY):
CISSP requires documentation of a minimum of 5 years of paid, full-time work experience in at least 2 of the 8 CISSP CBK domains. This requirement can be reduced by 1 year if:
- You have a 4-year university degree (bachelor’s, engineer’s, master’s)
- You hold another certificate from the approved (ISC)² list (e.g., CCSP, SSCP, CAP)
If you pass the exam but don’t meet the 5-year experience requirement, you receive the title “Associate of (ISC)²” and have 6 years to obtain the required experience to advance to full CISSP.
CISSP cost
Costs in Poland (2026):
- Exam: $749 (approximately PLN 3,000)
- Annual (ISC)² membership fee: $125 (approximately PLN 500) — required after certification
- Study materials:
  - Official (ISC)² Study Guide: PLN 300-500
  - Books (e.g., Shon Harris “All-in-One CISSP Exam Guide”): PLN 300-500
  - Online courses (Cybrary, Udemy, Pluralsight): PLN 1,000-3,000
  - Practice tests (Boson, CCCure): PLN 500-1,000
  - Authorised (ISC)² training (5 days): PLN 12,000-18,000 (optional, but recommended)
- Recertification after 3 years: 120 CPE credits (conferences, training, self-study) + membership fees
Total cost in first year: PLN 4,600-23,000 (depending on chosen preparation path)
Cost of maintaining certificate for 10 years: approximately PLN 5,000 (membership fees) + CPE acquisition costs (variable)
CISSP is one of the most expensive security certifications, especially if you add the cost of official training. However, this investment pays off quickly — (ISC)² research shows that CISSP holders earn on average 25% more than specialists without certification.
Who is CISSP for?
CISSP is designed for experienced professionals in roles:
- Security Architects — designing security solutions for enterprises
- Security Managers and Directors — managing security teams and budgets
- Security Consultants — advising companies on cybersecurity strategy
- Chief Information Security Officers (CISO) — responsible for overall security strategy in the organisation
- Auditors and Compliance Officers — verifying compliance with regulations and standards
- Risk Managers — managing risk in the organisation
CISSP is NOT a certification for beginners or for people who prefer purely technical roles (e.g., penetration tester, SOC analyst). If you don’t have 5 years of experience or prefer hands-on security over strategy and management, CISSP may be too early in your career.
Comparison table — Security+, CEH, CISSP
| Criterion | Security+ | CEH | CISSP |
|---|---|---|---|
| Difficulty level | Entry/Intermediate | Intermediate | Advanced |
| Organisation | CompTIA | EC-Council | (ISC)² |
| Exam cost | $404 (~PLN 1,600) | $1,199 (~PLN 4,800) | $749 (~PLN 3,000) |
| Training cost | PLN 2,500-4,000 (option) | PLN 10,000-15,000 (often required) | PLN 12,000-18,000 (option) |
| Exam format | 90 questions, 90 min | 125 questions, 4 h | 125-175 questions CAT, 3-4 h |
| Pass threshold | 750/900 (~83%) | ~60-85% (variable) | 700/1000 |
| Required experience | 2 years recommended (not required) | 2 years security (without training) | 5 years security (required) |
| Certificate validity | 3 years | 3 years | 3 years |
| Recertification | 50 CEU | 120 ECE credits | 120 CPE credits (40/year) |
| Annual fee | None | None | $125 (~PLN 500) |
| Focus | Security fundamentals | Offensive security, pentesting | Management, governance, architecture |
| Knowledge domains | 5 (attacks, IAM, crypto, networks, GRC) | 20 (hacking methodology) | 8 (CBK — full security scope) |
| Practical tasks | Yes (PBQs ~15%) | No (yes in CEH Practical) | No |
| Perspective | Defensive security | Offensive security (ethical hacking) | Strategic (entire organisation) |
| Typical role | Security Analyst, IT Admin | Penetration Tester, Security Analyst | Security Architect, CISO, Manager |
| Average salary (PL) | PLN 8,000-12,000 | PLN 10,000-16,000 | PLN 15,000-25,000+ |
| Market recognition | High (vendor-neutral) | High (pentesting) | Highest (gold standard) |
| Best as | First security certification | Second certification (after Security+) | Certification for experienced (5+ years) |
This table shows fundamental differences between the three certifications. Security+ is a solid foundation, CEH is specialisation in pentesting, and CISSP is broad managerial-architectural knowledge for seniors.
Exam difficulty and preparation time
Time needed to prepare for each certification differs significantly depending on your experience and learning style. Here are realistic estimates:
Security+ — 1-3 months preparation
With IT experience (helpdesk, admin, developer):
- 80-120 hours of study (2-3 months at 10-15 h/week)
- Focus on: cryptography basics, security protocols, compliance frameworks
Without IT experience:
- 150-200 hours of study (3-5 months at 10-15 h/week)
- First obtain network basics (Network+) and operating systems
Key challenges:
- Performance-based questions (PBQs) require practical tool knowledge
- Wide scope — you need to know a bit of everything
- Time management — 90 minutes is tight for 90 questions (1 min/question)
Pass rate: approximately 85% after solid preparation
Preparation strategy:
- Read Darril Gibson “Get Certified Get Ahead” (2 weeks)
- Watch free Professor Messer course on YouTube (30 h)
- Hands-on practice — set up home lab (VirtualBox + Kali Linux + Windows Server)
- Solve 3-5 complete practice tests (Jason Dion, Professor Messer)
- Focus on PBQs — learn firewall configuration, ACL, wireless security
CEH — 3-6 months preparation
With security/pentesting experience:
- 150-200 hours of study (3-4 months at 10-15 h/week)
- Focus on: hacking tools (Metasploit, Burp Suite, Nmap), pentesting methodologies, web application hacking
With security basics (Security+):
- 200-300 hours of study (4-6 months at 10-15 h/week)
- Lots of practice in lab environments (HackTheBox, TryHackMe, PentesterLab)
Without security experience:
- Not recommended — first obtain Security+ or equivalent basics
Key challenges:
- Enormous amount of material — 20 modules, hundreds of tools
- Requirement to know tool commands and flags (e.g., “What does Nmap -sS -A -T4 do?”)
- No practical exam (in CEH) — you can memorise, but that won’t give you pentester skills
Pass rate: approximately 60-70% on first attempt
Preparation strategy:
- If taking official training — focus on course notes
- If self-study — Matt Walker “CEH All-in-One” + Udemy courses (Heath Adams, Zaid Sabih)
- Practice, practice, practice — HackTheBox (50-100 h), TryHackMe (CEH Learning Path)
- Solve 500-1000 test questions (Boson, uCertify, Exam-Labs)
- Create your own command and flag notes — there’ll be many “Which command does X?” questions
- Optionally: also pass CEH Practical (6-hour hands-on exam) to prove real skills
CISSP — 6-12 months preparation
With 5+ years security experience:
- 300-500 hours of study (6-9 months at 10-15 h/week)
- Focus on: domains where you have less experience (e.g., if you’re a pentester, learn GRC and physical security)
With IT experience, but < 5 years security:
- 400-600 hours of study (9-12 months at 10-15 h/week)
- All 8 domains require in-depth study
Key challenges:
- Questions are deliberately ambiguous — often all answers are “technically correct”, but only one is “correct from manager’s perspective”
- Thinking “mile wide, inch deep” — they don’t ask about firewall configuration, but when a firewall is an appropriate control
- CAT format — exam adapts, so you don’t know how you’re doing
- 8 domains is an enormous amount of material — you need to know everything
Pass rate: approximately 60-70% on first attempt (amongst those with required experience)
Preparation strategy:
- Read official (ISC)² Study Guide (CISSP CBK) — 1400+ pages (2-3 months)
- Additionally: Shon Harris “All-in-One” or Kelly Handerhan “How to Think Like a Manager”
- Watch video course (LinkedIn Learning “CISSP Cert Prep” or Cybrary)
- Solve 2000-3000 test questions (Boson, CCCure, Official Practice Tests)
- Practice in groups — join study group or forum (Reddit r/CISSP, Discord)
- Last 2 weeks — review all domains (mind maps, flashcards)
- Important: Learn to think “like a manager”, not “like a technician” — CISSP prefers answers based on policies, governance, and business impact
Most common mistake: Candidates choose technical answers instead of managerial answers. Example:
“After detecting malware on a server, what FIRST?”
- Technician: “Isolate server from network”
- Manager (correctly): “Launch incident response procedure according to plan”
Which exam is hardest?
- CISSP — hardest mentally (ambiguous questions, managerial thinking, material volume)
- CEH — hard due to material quantity and detail (hundreds of tools, commands, methodologies)
- Security+ — least difficult, but still demanding (PBQs, wide scope, time pressure)
Remember: difficulty isn’t just about the exam, but about the preparation. With 10 years of security experience, CISSP may be easier for you than CEH would be for someone without pentesting experience.
Job market and salaries — which investment pays off?
A certification’s value is measured not only by knowledge, but by impact on career and salary. Here’s how Security+, CEH and CISSP look in the Polish and global job market.
Security+ — solid career start
Typical roles requiring Security+:
- Security Analyst (Junior/Mid)
- SOC Analyst
- System Administrator (with security focus)
- IT Auditor
- Compliance Officer
Average salaries in Poland (2026):
- Junior (0-2 years): PLN 7,000-10,000 gross
- Mid (2-5 years): PLN 10,000-14,000 gross
Market value: Security+ is often a formal requirement in:
- Public sector and administration
- Companies cooperating with the US Department of Defense (DoD 8570 baseline)
- IT outsourcing and managed security services
In Polish job adverts, Security+ appears in approximately 15% of security analyst role offers and 30% of SOC analyst offers. It’s not the most frequently required certification, but having it clearly increases chances of interview, especially for juniors without experience.
CEH — pentesting specialisation
Typical roles requiring CEH:
- Penetration Tester
- Security Consultant (offensive)
- Red Team Operator
- Security Researcher
- Vulnerability Analyst
Average salaries in Poland (2026):
- Junior Pentester (0-2 years): PLN 9,000-13,000 gross
- Mid Pentester (2-5 years): PLN 12,000-18,000 gross
- Senior Pentester (5+ years): PLN 16,000-25,000 gross (+ freelance projects)
Market value: CEH is standard in pentesting and appears in approximately 40% of job offers for pentesters in Poland. Companies offering pentesting as a service (e.g., SecuRing, Afine, 7N) often require CEH or equivalent (OSCP, GPEN).
However, it’s worth remembering:
- CEH alone isn’t enough — you need a portfolio (HackTheBox, write-ups, CVE discoveries)
- CEH Practical has greater value than theoretical CEH — shows you can actually hack
- OSCP (Offensive Security Certified Professional) is often more valued than CEH in the pentester community, though more expensive and harder (24-hour hands-on exam)
CISSP — gateway to senior and managerial roles
Typical roles requiring CISSP:
- Security Architect
- Security Manager / Director
- Chief Information Security Officer (CISO)
- Risk Manager
- Security Consultant (strategic)
- Compliance Manager / Auditor
Average salaries in Poland (2026):
- Security Architect (5-8 years): PLN 15,000-22,000 gross
- Security Manager (8-12 years): PLN 18,000-28,000 gross
- CISO (12+ years): PLN 25,000-50,000+ gross (often including bonuses and equity)
Market value: CISSP appears in approximately 50% of job offers for Security Architect positions and 70% of offers for Security Manager/Director positions in Poland. In the financial sector (banks, insurance) and international corporations, CISSP is often a formal requirement.
(ISC)² research shows that:
- CISSP holders earn on average 25% more than security specialists without certification
- CISSP shortens average job search time by 40%
- In the US, average salary with CISSP is $131,000 annually (over $10,000/month)
In Poland, CISSP has lower market penetration than in the US or UK, which means less competition — if you have CISSP and 5+ years experience, you’re in the top 5% of candidates for senior security positions.
ROI — which investment returns fastest?
Let’s calculate return on investment (ROI) for each certification:
Security+:
- Cost: PLN 2,000-6,000
- Average salary increase: +PLN 2,000/month (for juniors)
- Investment return: 1-3 months
CEH:
- Cost: PLN 5,000-15,000
- Average salary increase: +PLN 3,000/month (for pentesters)
- Investment return: 2-5 months
CISSP:
- Cost: PLN 5,000-20,000
- Average salary increase: +PLN 4,000-8,000/month (for seniors)
- Investment return: 1-5 months
All three certifications pay off very quickly if they lead to role change or promotion. However, remember: certification alone doesn’t guarantee a raise — you must also have skills and experience confirming the certification’s value.
What order to take certifications? Career path
If you’re planning a career in cybersecurity, it’s worth approaching certification strategically. Here are recommended paths depending on your goals:
Path 1: Defensive Security (SOC, Incident Response, GRC)
Year 1-2:
- Security+ — foundation, opens first doors to security
- CySA+ (CompTIA Cybersecurity Analyst) — specialisation in security analysis and SOC
- Experience: Security Analyst, SOC Analyst (2 years)
Year 3-5:
- CISSP — transition to architectural and managerial roles
- Optionally: CISM (Certified Information Security Manager) — focus on security management
- Experience: Senior Security Analyst, Security Engineer (3 years)
Year 5+:
- CISA (Certified Information Systems Auditor) — if aiming for audits and compliance
- CCSP (Certified Cloud Security Professional) — if your company is cloud-heavy
- Target role: Security Manager, CISO, Security Architect
Path 2: Offensive Security (Pentesting, Red Team)
Year 1-2:
- Security+ — basics (optional, but recommended)
- CEH — entry to pentesting, recognisable brand
- Experience: Junior Pentester, Security Analyst (2 years)
- Practice: HackTheBox, TryHackMe, Bug Bounty
Year 3-5:
- OSCP (Offensive Security Certified Professional) — practical 24h exam, highly valued
- CEH Practical — if you have theoretical CEH, add practical
- Optionally: GPEN (GIAC Penetration Tester) — alternative to OSCP
- Experience: Penetration Tester, Red Team Operator (3 years)
Year 5+:
- OSEP (Offensive Security Experienced Penetration Tester) — advanced pentesting
- OSCE (Offensive Security Certified Expert) — exploit expert
- Optionally: CISSP — if you want to transition to management or consulting
- Target role: Senior Pentester, Red Team Lead, Security Consultant
Path 3: Cloud Security
Year 1-2:
- Security+ — basics
- AWS Certified Security – Specialty OR Azure Security Engineer Associate — cloud specialisation
- Experience: Cloud Security Engineer (2 years)
Year 3-5:
- CCSP (Certified Cloud Security Professional) — cloud security at architectural level
- Optionally: CEH — if you want to understand cloud attacks
- Experience: Senior Cloud Security Engineer (3 years)
Year 5+:
- CISSP — management and architecture (CCSP requires CISSP or 5 years experience)
- Target role: Cloud Security Architect, CISO
Universal rule: Don’t collect certifications for their own sake
3 key rules:
- Experience > Certifications — better 1 certification + 3 years practice than 5 certifications + 0 years experience
- Portfolio counts more than paper — for pentesters, HackTheBox profiles and write-ups mean more than CEH
- Certify what you already know — don’t study for the exam, certify skills you have from practice
How EITT prepares for cybersecurity certifications
EITT offers comprehensive preparation for all three certifications — Security+, CEH and CISSP. Our approach differs from traditional training: we don’t just prepare for the exam, but build practical skills that will serve you in daily work.
What makes EITT training special?
500+ security experts, 2500+ training sessions — experience you can see:
Our trainers are practitioners with experience at top security companies — SecuRing, AT&T Cybersecurity, banks, telecommunications operators. They don’t teach theory from books, but share knowledge from real projects, incidents and audits.
Hands-on labs, not just slides:
80% of training time is practice in laboratory environments:
- Security+: firewall configuration, ACL, wireless security, log analysis
- CEH: pentesting in lab environments (Metasploit, Burp Suite, Nmap)
- CISSP: case studies, business scenario analysis, group discussions
Adapted to your level:
We don’t do mass training. Groups of max 12 people allow the trainer to adjust pace and examples to the group’s level. If a participant has experience in a given area, we go deeper. If the topic is new — we start from basics.
Practical materials — checklists, playbooks, templates:
After training you receive not just slides, but:
- Exam checklists (key topics you must know)
- Review scenarios (Security+ PBQs, CEH attack scenarios)
- CISSP domain mind maps (8 CBK visualisation)
- Access to practice platforms (lab environments for 30-90 days)
Post-training support:
We don’t leave you alone with the exam:
- Trainer consultations (email, Slack) up to 30 days after training
- Access to updated materials (exam changes, new tools)
- EITT participant community (LinkedIn group, networking meetings)
EITT training programmes
CompTIA Security+ — 3 days (24h), online or classroom
Programme:
- Day 1: Threats, Attacks & Vulnerabilities + Architecture & Design
- Day 2: Implementation (IAM, Cryptography, PKI) + Operations & Incident Response
- Day 3: Governance, Risk & Compliance + Performance-Based Questions (PBQs) practice
Includes: materials, practice tests, exam voucher (optionally +PLN 500)
CEH v12 — 5 days (40h), online or classroom
Programme:
- Day 1: Introduction to Ethical Hacking + Footprinting & Reconnaissance
- Day 2: Scanning Networks + Enumeration + Vulnerability Analysis
- Day 3: System Hacking + Malware Threats + Sniffing
- Day 4: Social Engineering + Denial-of-Service + Session Hijacking
- Day 5: Web Application Hacking + Wireless & Mobile + IoT & Cloud Hacking
Includes: EC-Council materials, lab access (6 months), exam voucher
CISSP — 5 days (40h), online or classroom
Programme:
- Day 1: Security & Risk Management + Asset Security
- Day 2: Security Architecture & Engineering + Communication & Network Security
- Day 3: Identity & Access Management (IAM) + Security Assessment & Testing
- Day 4: Security Operations + Software Development Security
- Day 5: Review all domains + Case studies + Mock exam
Includes: official (ISC)² materials, mind maps, 1000+ test questions, exam voucher optional
EITT pass rate statistics
- Security+: 87% pass rate on first attempt (market average: 85%)
- CEH: 72% pass rate on first attempt (market average: 60-70%)
- CISSP: 68% pass rate on first attempt (market average: 60-65%)
Participant rating: 4.8/5 based on 2500+ cybersecurity training sessions.
Closed training for companies
If you’re developing a security team in a company, we offer closed training adapted to your stack:
- Programme customisation (focus on technologies used in your company)
- Flexible dates (weekends, evenings, intensive 3-5 days)
- Group discounts (10+ people)
- Post-training support (consultations, security posture review)
FAQ — frequently asked questions
1. Which certification should I obtain first — Security+, CEH or CISSP?
Answer: If you’re just starting a security career, definitely Security+. It’s the foundation giving you a broad picture of cybersecurity and opening doors to first roles (Security Analyst, SOC Analyst).
CEH makes sense as a second certification if you want to specialise in pentesting. CISSP is for experienced professionals with a minimum of 5 years’ practice — if you don’t meet this requirement, passing the exam only gives you the title “Associate of (ISC)²”, and you’ll receive the full CISSP only after documenting the required experience.
2. Can I pass CISSP without 5 years experience?
Answer: Yes, you can pass the exam, but you’ll receive the title “Associate of (ISC)²” instead of the full CISSP. You’ll have 6 years to obtain the required experience (5 years of full-time work in 2 or more CISSP CBK domains). After documenting the experience, you’ll advance to full CISSP.
You can reduce required experience by 1 year if:
- You have a 4-year university degree
- You hold another certificate from the approved (ISC)² list (e.g., CCSP, SSCP)
3. CEH or OSCP — which certification is better for a pentester?
Answer: It depends on what you’re looking for:
CEH:
- Easier exam (theoretical, 125 questions)
- More recognisable amongst HR and recruiters
- Covers a wider scope (20 modules: web, mobile, cloud, IoT, wireless)
- More expensive (training often required)
OSCP (Offensive Security Certified Professional):
- Harder exam (24h hands-on — you must hack machines in lab)
- More valued amongst pentesters (shows real skills)
- Focus on practical penetration testing (buffer overflows, privilege escalation)
- Cheaper ($1649 for course + exam + 90 days lab access)
Recommendation: If you’re just starting, CEH gives broader knowledge and looks better on a CV for recruiters. If you already have pentesting experience and want to prove your skills, OSCP is the better choice. Many pentesters have both certifications.
4. Is it worth obtaining all three certifications (Security+, CEH, CISSP)?
Answer: Not immediately. Certifications make sense when they match your experience level and career goals:
- Security+ (year 1-2): If you’re starting in security
- CEH (year 2-4): If you specialise in pentesting
- CISSP (year 5+): If you’re aiming for senior/managerial roles
Collecting certifications without practical experience makes no sense — employers prefer 1 certification + 3 years practice over 5 certifications + 0 years experience.
Exception: If you work for a company that pays for training, obtain certifications opportunistically (but ensure you’ll actually use that knowledge at work).
5. Are security certifications worth their price?
Answer: Yes, if they lead to a role change or promotion. All three certifications pay off in 1-5 months through the salary increase:
- Security+: +PLN 2,000/month (for juniors entering security)
- CEH: +PLN 3,000/month (for pentesters)
- CISSP: +PLN 4,000-8,000/month (for seniors advancing to managerial roles)
However, remember: certification alone doesn’t guarantee a raise. You must also:
- Have practical skills (portfolio, projects, experience)
- Be able to sell your value (negotiations, interviews)
- Apply to companies that value certifications (banks, corporations, security vendors)
6. How long are certifications valid and what does recertification look like?
Answer:
Security+:
- Validity: 3 years
- Recertification: 50 CEU (Continuing Education Units) — conferences, courses, webinars, self-study
- Option: Passing a higher CompTIA certification (e.g., CySA+, CASP+) automatically renews Security+
CEH:
- Validity: 3 years
- Recertification: 120 ECE credits (EC-Council Continuing Education) + $80 fee
- ECE credits: training, conferences, webinars, publications, security community volunteering
CISSP:
- Validity: 3 years
- Recertification: 120 CPE credits (40 CPE/year) + annual membership fee of $125
- CPE credits: training, conferences, self-study, mentoring, publications, participation in Group A activities (maximum 40 CPE from Group A)
- Option: Passing another (ISC)² certification (e.g., CCSP, SSCP) counts as CPE
All three certifications require continuous development, which is a plus — motivates staying current in the rapidly changing security industry.
7. Can I prepare for exams independently (self-study) or do I need training?
Answer: It depends on your learning style and level of discipline:
Security+:
- Self-study sufficient if you have IT experience and are disciplined
- Materials: Darril Gibson “Get Certified Get Ahead”, Professor Messer (YouTube), Jason Dion (Udemy)
- Training useful if: you’re a complete beginner or prefer structured path
CEH:
- Training recommended — EC-Council materials are difficult to access without official course
- Self-study possible, but more expensive (voucher without training $1199 + $100 application fee vs training with voucher ~PLN 12,000)
- If self-study: Matt Walker “CEH All-in-One” + HackTheBox/TryHackMe (practice) + Boson tests
CISSP:
- Self-study possible, but requires 300-500 hours of study (6-12 months)
- Materials: official (ISC)² Study Guide, Shon Harris “All-in-One”, Boson/CCCure tests
- Training useful if: you want to shorten preparation time (training is 40h structured study + tips & tricks from trainer)
EITT recommendation: If your company pays for training — take the training (faster preparation, networking, trainer access). If paying from your own pocket — self-study for Security+ and CISSP is a realistic option (CEH is harder without the official course).
Summary — how to choose the right certification?
Choosing a security certification depends on your experience level, career goals and preferences (defensive vs offensive security). Here’s a concise guide:
Starting a security career (0-2 years experience): → Security+ — foundation, vendor-neutral, opens doors to first roles
- Cost: PLN 2,000-6,000
- Preparation time: 1-3 months
- Roles: Security Analyst, SOC Analyst
Have security basics and are interested in pentesting (2-4 years): → CEH — offensive security, recognisable brand in pentesting
- Cost: PLN 5,000-15,000
- Preparation time: 3-6 months
- Roles: Penetration Tester, Red Team Operator
Have 5+ years’ experience and are aiming for senior/managerial roles: → CISSP — gold standard, broad managerial-architectural knowledge
- Cost: PLN 5,000-20,000
- Preparation time: 6-12 months
- Roles: Security Architect, CISO, Security Manager
Don’t know which to choose? → Start with Security+. It’s the safest investment — gives you fundamentals after which you can specialise in any direction (pentesting, GRC, cloud security, incident response).
Want to maximise ROI? → CISSP — highest salary increase (+PLN 4,000-8,000/month), but requires 5 years experience. If you have it, CISSP is a gateway to top 5% security roles in Poland.
Ready for certification? Discover EITT’s offer
EITT has been preparing IT specialists for security certifications for years — Security+, CEH, CISSP and dozens of others. Our training combines solid theory with intensive hands-on practice, and trainers are experts with experience in real security projects.
What you gain with EITT:
- 500+ security experts with experience at top companies
- Hands-on labs (80% time is practice, not slides)
- Practical materials (checklists, playbooks, tests)
- Post-training support (trainer consultations up to 30 days)
- 4.8/5 participant rating based on 2500+ training sessions
Check current training dates:
- Security+ — upcoming dates and programme
- CEH — open and closed training
- CISSP — preparation for security gold standard
Have questions? Contact us:
- Contact form — we respond within 24h
- Phone: +48 22 000 00 00 (Mon-Fri 9:00-17:00)
- Email: szkolenia@eitt.pl
A certification isn’t just paper — it’s proof of competence, a gateway to better roles and an investment that pays off in months. The question isn’t “is it worth it”, but “when will you start?”