Quick guidance: Start with CCSK if you want a vendor-neutral foundation. Add a provider-specific cert (AWS, Azure, or GCP) for the cloud you actually work with. CCSP is the gold-standard senior credential — pursue it once you have a few years of cloud experience. CKS if Kubernetes is your day job. Don't pay for a bootcamp until you've tried the free official material.
Side-by-side comparison
Prices and details change — confirm with the certifying body before paying.
| Cert | Issuer | Vendor-neutral? | Approx. cost (USD) | Format | Best for |
|---|---|---|---|---|---|
| CCSK | CSA | Yes | ~$395 | Online, open-book | Foundation; first cert |
| CCSP | ISC2 | Yes | ~$599 + endorsement | Proctored, 4 hrs | Senior practitioners |
| AWS Security Specialty (SCS-C02) | AWS | No (AWS) | ~$300 | Proctored, 170 min | AWS-focused engineers |
| Microsoft AZ-500 | Microsoft | No (Azure) | ~$165 | Proctored | Azure security engineers |
| Microsoft SC-100 | Microsoft | No (Microsoft) | ~$165 | Proctored | Cybersecurity architects |
| Google PCSE | Google | No (GCP) | ~$200 | Proctored, 2 hrs | GCP security engineers |
| CKS | CNCF / Linux Foundation | Yes (K8s) | ~$395 | Hands-on lab, 2 hrs | Kubernetes practitioners |
| GIAC GCSA / GCPN | SANS / GIAC | Mostly | $$$$ | Proctored | Employer-funded; deep technical |
Vendor-neutral certifications
CCSK — Certificate of Cloud Security Knowledge (CSA)
The classic vendor-neutral starter cert. Open-book online exam against the CSA Security Guidance and ENISA Cloud Risk Assessment. Genuinely useful study material — the v5 guidance is a solid baseline for the field. Recommended as a first cert for almost everyone, including people who already work in security and need to formalize their cloud knowledge.
- Format: 60 questions, 90 minutes, 80% to pass, online.
- Renewal: No expiration (legacy versions stay valid).
- Effort: 30–60 hours of self-study.
CCSP — Certified Cloud Security Professional (ISC2)
The senior-level vendor-neutral credential, often paired with CISSP. Six domains covering architecture, data security, platform/infrastructure, applications, operations, and legal/compliance. Requires five years of IT experience (three in security, one in cloud) — though one CSA cert can substitute for the cloud year.
- Format: 150 questions, 4 hours, proctored.
- Renewal: 90 CPEs over 3 years; AMF (~$125/year).
- Best for: Architects, senior engineers, and consultants who want a credential for proposals and promotion packets.
AWS-specific certifications
AWS Certified Security – Specialty (SCS-C02)
The deepest AWS-focused security cert. Covers IAM, threat detection, infrastructure security, identity federation, data protection, and incident response. An associate-level prerequisite is no longer required, so anyone can take it cold, though SAA-C03 (Solutions Architect Associate) study makes it materially easier.
- Format: ~65 questions, 170 minutes, proctored.
- Renewal: 3 years.
- Best for: Anyone working primarily in AWS. Pairs well with practical experience using GuardDuty, Security Hub, IAM Access Analyzer, and CloudTrail.
Microsoft Azure certifications
AZ-500 — Microsoft Azure Security Engineer Associate
Implementation-focused: identity (Entra), platform protection, security operations, and data/applications. Practical, hands-on flavor. The natural next step for anyone running Defender for Cloud, Sentinel, and Entra at work.
SC-100 — Microsoft Cybersecurity Architect Expert
Design-focused, more senior. Zero-trust strategy, governance, regulatory compliance, infrastructure and data architecture. Requires you to already hold one of: AZ-500, SC-200, SC-300, or MS-500. Good for cybersecurity architects working in a Microsoft-heavy environment.
SC-200 / SC-300 / SC-400
Operational-tier certs — Defender/Sentinel operations (SC-200), Entra identity admin (SC-300), and information protection (SC-400). Worth pursuing if those are your day job, but skippable if you're going straight to AZ-500/SC-100.
Google Cloud certifications
Professional Cloud Security Engineer (PCSE)
Google's flagship security cert. Covers identity, data protection, network security, GCP Security Command Center, key management, and compliance. Two-year renewal cycle. Smaller community than AWS or Microsoft, but the cert itself is well-respected for GCP-specific roles.
- Format: 50–60 questions, 2 hours, proctored.
- Renewal: 2 years.
Kubernetes security certifications
CKS — Certified Kubernetes Security Specialist
Hands-on lab exam — you SSH into a cluster and complete real tasks. Covers cluster hardening, system hardening, supply-chain security, runtime security, monitoring, and incident response. Requires a current CKA (Certified Kubernetes Administrator) to register.
- Format: Performance-based, 2 hours, proctored.
- Renewal: 2 years.
- Best for: Anyone with Kubernetes in their job description. One of the most respected hands-on certs in the industry.
Recommended paths by role
Career switcher / new to cloud security
- CCSK (foundation, vendor-neutral)
- One associate cert in your target cloud (e.g., AWS Solutions Architect Associate)
- The provider security specialty (AWS Security Specialty, AZ-500, or PCSE)
- CCSP after 3+ years of experience
Established security engineer adding cloud
- CCSK (fast on-ramp)
- Provider security specialty for whichever cloud you support
- CKS if you touch Kubernetes
Senior architect / consultant
- CCSP (signaling)
- SC-100 if Microsoft is in your portfolio
- Stay current via the provider specialty for your primary cloud
Detection / incident response specialist
- CCSK (foundation)
- SC-200 (Sentinel) or AWS Security Specialty
- GIAC GCSA or GCPN (employer-funded)
FAQ
Do certifications get you a job?
Not by themselves. They get you past resume filters and signal commitment. Pair every cert with hands-on work — labs, CTFs, side projects, write-ups. A CCSK plus a portfolio of CloudGoat write-ups is far more compelling than three certs and no lab work.
CCSK or CCSP first?
CCSK first, almost always. It's open-book, online, and prepares you for CCSP. Some people skip straight to CCSP if they already have years of cloud experience and just want the senior credential.
Are SANS / GIAC certifications worth the cost?
If your employer pays, yes — SANS courses are excellent. If you'd be paying out of pocket, the value-per-dollar is much better with CCSK + a provider specialty + practical lab work.
Do I need a cert for every cloud?
No. Pick the cloud you actually use. Most jobs are 80%+ one cloud. Cross-cloud knowledge from CCSK plus deep knowledge of one provider beats shallow knowledge of all three.
How current do these certs stay?
The provider specialties get refreshed every 1–3 years and the new versions matter (AWS SCS-C02 is meaningfully different from C01). CCSK gets revised when CSA publishes new guidance — v5 is the current generation. CCSP is the most stable.
Next steps
- Follow the cloud security learning path — see where each cert fits in a 12–24 month plan.
- Browse the certifications resource catalog — links to study guides and practice exams.
- Practice on cloud security CTFs — hands-on experience makes certs stick.
- Ask the community on Friday Zoom — get advice from people who've taken the exams.