Quick guidance: Start with CCSK if you want a vendor-neutral foundation. Add a provider-specific cert (AWS, Azure, or GCP) for the cloud you actually work with. CCSP is the gold-standard senior credential - pursue it once you have a few years of cloud experience. CKS if Kubernetes is your day job. Don't pay for a bootcamp until you've tried the free official material.
Side-by-side comparison
Prices and details change - confirm with the certifying body before paying.
| Cert | Issuer | Vendor-neutral? | Approx. cost (USD) | Format | Best for |
|---|---|---|---|---|---|
| CCSK | CSA | Yes | ~$395 | Online, open-book | Foundation; first cert |
| CCSP | ISC2 | Yes | ~$599 + endorsement | Proctored, 4 hrs | Senior practitioners |
| AWS Security Specialty (SCS-C03) | AWS | No (AWS) | ~$300 | Proctored, 170 min | AWS-focused engineers |
| Microsoft AZ-500 | Microsoft | No (Azure) | ~$165 | Proctored | Azure security engineers |
| Microsoft SC-100 | Microsoft | No (Microsoft) | ~$165 | Proctored | Cybersecurity architects |
| Google PCSE | Google | No (GCP) | ~$200 | Proctored, 2 hrs | GCP security engineers |
| CKS | CNCF / Linux Foundation | Yes (K8s) | ~$395 | Hands-on lab, 2 hrs | Kubernetes practitioners |
| GIAC GCSA / GCPN | SANS / GIAC | Mostly | $$$$ | Proctored | Employer-funded; deep technical |
Vendor-neutral certifications
CCSK - Certificate of Cloud Security Knowledge (CSA)
The classic vendor-neutral starter cert. Open-book online exam against the CSA Security Guidance and ENISA Cloud Risk Assessment. Genuinely useful study material - the v5 guidance is a solid baseline for the field. Recommended as a first cert for almost everyone, including people who already work in security and need to formalize their cloud knowledge.
- Format: 60 questions, 90 minutes, 80% to pass, online.
- Renewal: No expiration (legacy versions stay valid).
- Effort: 30-60 hours of self-study.
CCSP - Certified Cloud Security Professional (ISC2)
The senior-level vendor-neutral credential, often paired with CISSP. Six domains covering architecture, data security, platform/infrastructure, applications, operations, and legal/compliance. Requires five years of IT experience (three in security, one in cloud) - though one CSA cert can substitute for the cloud year.
- Format: 150 questions, 4 hours, proctored.
- Renewal: 90 CPEs over 3 years; AMF (~$125/year).
- Best for: Architects, senior engineers, and consultants who want a credential for proposals and promotion packets.
AWS-specific certifications
AWS Certified Security - Specialty (SCS-C03)
The deepest AWS-focused security cert. Covers IAM, threat detection, infrastructure security, identity federation, data protection, and incident response. An associate-level prerequisite is no longer required, so anyone can take it cold - though SAA-C03 (Solutions Architect Associate) study makes it materially easier.
- Format: ~65 questions, 170 minutes, proctored.
- Renewal: 3 years.
- Best for: Anyone working primarily in AWS. Pairs well with practical experience using GuardDuty, Security Hub, IAM Access Analyzer, and CloudTrail.
Microsoft Azure certifications
AZ-500 - Microsoft Azure Security Engineer Associate
Implementation-focused: identity (Entra), platform protection, security operations, and data/applications. Practical, hands-on flavor. The natural next step for anyone running Defender for Cloud, Sentinel, and Entra at work.
SC-100 - Microsoft Cybersecurity Architect Expert
Design-focused, more senior. Zero-trust strategy, governance, regulatory compliance, infrastructure and data architecture. Requires you to already hold one of: AZ-500, SC-200, SC-300, or MS-500. Good for cybersecurity architects working in a Microsoft-heavy environment.
SC-200 / SC-300 / SC-400
Operational-tier certs - Defender/Sentinel operations (SC-200), Entra identity admin (SC-300), and information protection (SC-400). Worth pursuing if those are your day job, but skippable if you're going straight to AZ-500/SC-100.
Google Cloud certifications
Professional Cloud Security Engineer (PCSE)
Google's flagship security cert. Covers identity, data protection, network security, GCP Security Command Center, key management, and compliance. Two-year renewal cycle. Smaller community than AWS or Microsoft, but the cert itself is well-respected for GCP-specific roles.
- Format: 50-60 questions, 2 hours, proctored.
- Renewal: 2 years.
Kubernetes security certifications
CKS - Certified Kubernetes Security Specialist
Hands-on lab exam - you SSH into a cluster and complete real tasks. Covers cluster hardening, system hardening, supply-chain security, runtime security, monitoring, and incident response. Requires a current CKA (Certified Kubernetes Administrator) to register. The CSOH Kubernetes & managed Kubernetes page covers the same topic areas at the depth the exam expects.
- Format: Performance-based, 2 hours, proctored.
- Renewal: 2 years.
- Best for: Anyone with Kubernetes in their job description. One of the most respected hands-on certs in the industry.
Certifications get your résumé past the filter; the portfolio gets you the offer. - how to use this page
Recommended paths by role
Career switcher / new to cloud security
- CCSK (foundation, vendor-neutral)
- One associate cert in your target cloud (e.g., AWS Solutions Architect Associate)
- The provider security specialty (AWS Security Specialty, AZ-500, or PCSE)
- CCSP after 3+ years of experience
Established security engineer adding cloud
- CCSK (fast on-ramp)
- Provider security specialty for whichever cloud you support
- CKS if you touch Kubernetes
Senior architect / consultant
- CCSP (signaling)
- SC-100 if Microsoft is in your portfolio
- Stay current via the provider specialty for your primary cloud
Detection / incident response specialist
- CCSK (foundation)
- SC-200 (Sentinel) or AWS Security Specialty
- GIAC GCSA or GCPN (employer-funded)
FAQ
Do certifications get you a job?
Not by themselves. They get you past resume filters and signal commitment. Pair every cert with hands-on work - labs, CTFs, side projects, write-ups. A CCSK plus a portfolio of CloudGoat write-ups is far more compelling than three certs and no lab work.
CCSK or CCSP first?
CCSK first, almost always. It's open-book, online, and prepares you for CCSP. Some people skip straight to CCSP if they already have years of cloud experience and just want the senior credential.
Are SANS / GIAC certifications worth the cost?
If your employer pays, yes - SANS courses are excellent. If you'd be paying out of pocket, the value-per-dollar is much better with CCSK + a provider specialty + practical lab work.
Do I need a cert for every cloud?
No. Pick the cloud you actually use. Most jobs are 80%+ one cloud. Cross-cloud knowledge from CCSK plus deep knowledge of one provider beats shallow knowledge of all three.
How current do these certs stay?
The provider specialties get refreshed every 1-3 years and the new versions matter (AWS replaced SCS-C02 with SCS-C03 in December 2025). CCSK gets revised when CSA publishes new guidance - v5 is the current generation. CCSP is the most stable.
Next steps
- Follow the cloud security learning path - see where each cert fits in a 12-24 month plan.
- Browse the certifications resource catalog - links to study guides and practice exams.
- Practice on cloud security CTFs - hands-on experience makes certs stick.
- Ask the community on Friday Zoom - get advice from people who've taken the exams.