The Security+ exam has roughly a 50% pass rate on first attempt. A large share of those failures come from people who skipped Network+ and tried to jump straight in. The CompTIA roadmap isn't arbitrary — each cert assumes knowledge from the one before it, and getting the order wrong costs you both time and exam fees.
This guide covers the actual CompTIA roadmap: the three tiers CompTIA officially recognizes, the career branches that split off after Security+, salary ranges at each stage, and which courses are worth your money. No padding, no "start your journey" language.
How the CompTIA Roadmap Is Organized
CompTIA groups its certifications into three tiers: Core, Infrastructure, and Cybersecurity. There's also an emerging "Specialty" tier for newer domains like AI security. The intended flow is vertical within each track, but most working professionals move diagonally — picking up a Core cert, then moving into whichever specialization matches their job target.
The CompTIA roadmap looks like this in practice:
- Tier 1 — Core: IT Fundamentals+ (optional) → A+ → Network+ → Security+
- Tier 2 — Infrastructure: Server+, Cloud+, Linux+ (after A+/Network+)
- Tier 2 — Cybersecurity: CySA+, PenTest+ (after Security+)
- Tier 3 — Expert: SecurityX (formerly CASP+), now with SecAI+ entering the mix
The critical point: Security+ is the pivot cert. Almost every cybersecurity role lists it as a baseline requirement, and both CySA+ and PenTest+ treat it as an assumed foundation. If you're aiming at any security-adjacent job, Security+ isn't optional — it's the minimum acceptable credential.
Stage 1: The Core Certifications
CompTIA A+ (220-1101 / 220-1102)
A+ covers hardware, operating systems, troubleshooting, and basic networking. It's primarily aimed at help desk and IT support roles. Salary range for A+-certified technicians: $40,000–$58,000 depending on location and employer. Government contractors (particularly DoD) require A+ for certain IA roles under DoD 8570/8140, which gives the cert surprising staying power despite its reputation as entry-level.
Two exams are required: Core 1 (hardware, networking, virtualization, cloud basics) and Core 2 (OS, security, troubleshooting, operational procedures). Most study programs cover both, but they're separate sittings.
Skip if: You already have 2+ years in hands-on IT support. Experienced techs often skip A+ and test directly into Network+.
CompTIA Network+ (N10-009)
Network+ is where the roadmap gets serious. It covers the OSI model, TCP/IP, routing protocols, network troubleshooting, and basic security. More importantly, it builds the mental model that Security+ assumes you already have. Trying to learn about firewall rules without understanding how packets move is the direct cause of most Security+ failures.
Network+ certified roles include network administrator and junior network engineer positions, with salaries typically ranging from $58,000–$78,000.
CompTIA Security+ (SY0-701)
Security+ is the most widely held CompTIA cert and the one that unlocks the most doors. The SY0-701 version (current as of 2026) emphasizes zero-trust, cloud security, and automation more than older versions. It satisfies DoD 8570 IAT Level II requirements, which matters for anyone considering federal or defense sector work.
Security+ holders working in SOC analyst, security administrator, or junior analyst roles typically earn $72,000–$98,000. In high-cost-of-living markets or with active clearances, that ceiling moves up considerably.
Stage 2: Where the Roadmap Branches
After Security+, the CompTIA roadmap splits into three distinct tracks. Picking the wrong one wastes 3–6 months of study time, so this decision deserves real thought before you start.
Infrastructure Track: Server+, Cloud+, Linux+
These certs are for people who want to work in systems administration, cloud operations, or DevOps-adjacent roles — not security. Server+ covers physical and virtual server management. Cloud+ (CV0-004) is the most in-demand of the three, covering IaaS, PaaS, hybrid environments, and cloud security basics. Linux+ validates command-line proficiency and is increasingly relevant as containerized workloads push Linux expertise up the required skills list.
Infrastructure track roles: sysadmin, cloud engineer, SRE. Salary range: $80,000–$115,000.
Cybersecurity Track: CySA+, PenTest+
CySA+ (CS0-003) is the defensive security cert. It covers threat intelligence, vulnerability management, incident response, and security operations — essentially what a SOC analyst or security engineer does daily. PenTest+ goes the opposite direction: it validates offensive skills including planning engagements, running exploitation techniques, and writing pen test reports.
These two certs serve different jobs and different personalities. CySA+ is for analysts who want to detect and respond. PenTest+ is for testers who want to find vulnerabilities before attackers do.
CySA+ salary range: $85,000–$110,000. PenTest+ roles (pen tester, red team member): $90,000–$125,000.
Expert Track: SecurityX and SecAI+
SecurityX (CAS-005, formerly CASP+) is CompTIA's highest-level cert. Unlike most CompTIA exams, it's performance-based rather than multiple-choice-heavy — you're expected to design security architectures, not just identify best practices. It's aimed at senior security engineers and architects with 10+ years of experience.
SecAI+ (CY0-001) is brand new. It covers AI security, adversarial ML, and the security implications of AI-powered systems. Given the pace at which AI tooling is entering enterprise environments, this cert is likely to become mandatory background for security roles within 2–3 years. Getting ahead of it now is one of the clearest near-term advantages on the CompTIA roadmap.
Realistic Timelines and Exam Costs
- A+ (both exams): 2–4 months of study; ~$480 total exam cost
- Network+: 1–2 months (assumes A+ background); ~$369
- Security+: 2–3 months (assumes Network+ background); ~$404
- CySA+ or PenTest+: 2–3 months; ~$404 each
- SecurityX: 3–6 months; ~$512
- SecAI+: 1–2 months for those with Security+ background; ~$369
Full roadmap from zero to Security+: roughly $1,250 in exam fees and 6–12 months of study, depending on your starting point and weekly hours available. Many employers reimburse exam costs after passing — negotiate this before you start if possible.
Top Courses for the CompTIA Roadmap
Course quality varies enormously in this space. The following are the highest-rated options currently available for the key certs on this roadmap.
CompTIA A+ Core 1 (220-1201) Full Course & Practice Exam
Covers the full Core 1 exam domain including networking, hardware, and cloud fundamentals. The built-in practice exam matches the difficulty level of the real test, which matters more than lecture hours — A+ candidates who skip practice tests fail at a much higher rate.
CompTIA A+ Core 1 (220-1201) 6 Practice Tests [2026]
Six full-length practice exams mapped to the current exam objectives. If you're already comfortable with the material, dedicated practice test volume is the most efficient use of final prep weeks before the exam.
CompTIA Security+ (SY0-701) Exam Prep 2026
Updated for the SY0-701 objectives with substantial coverage of the new zero-trust and automation domains that tripped up people who studied from older materials. One of the few courses that explicitly maps content to the updated exam weightings.
CompTIA Security+ (SY0-701) 1,000+ Practice Questions 2026
Over 1,000 questions with detailed explanations for wrong answers — the explanations are where the actual learning happens. Useful as a standalone supplement alongside any lecture-based course for Security+ prep.
CompTIA SecAI+ Fundamentals: AI Cybersecurity Basics CY0-001
Covers the CY0-001 exam domains including AI attack surfaces, model security, and prompt injection defenses. The cert is new enough that course options are limited — this is the most thorough option currently available for SecAI+ specifically.
CompTIA SecurityX (CAS-005) 6 Practice Exams
SecurityX is performance-based and scenario-heavy, making practice exams far more important here than for entry-level certs. Six full-length exams give enough volume to see the full range of scenario types before exam day.
FAQ
Do I have to follow the CompTIA roadmap in exact order?
For the Core tier, order matters. Network+ before Security+ is strongly recommended — the exam domains overlap significantly and Network+ fills in gaps that Security+ assumes. For the Infrastructure and Cybersecurity tracks, you have more flexibility since they're parallel tracks rather than sequential ones. SecurityX is legitimately an expert cert and should come after 5+ years of hands-on work regardless of what certs you hold.
How long does the full CompTIA roadmap take?
From zero IT background to Security+: 9–18 months for someone studying 10–15 hours per week. The full roadmap including a specialization cert (e.g., CySA+) typically takes 18–30 months. These aren't "take a weekend bootcamp" certifications — the practical knowledge required for the higher-level certs takes time to build regardless of study method.
Is the CompTIA roadmap worth it compared to alternatives like CISSP or CEH?
CompTIA certs are vendor-neutral, widely recognized, and more accessible than CISSP (which requires 5 years of documented experience). For someone building an IT or security career from scratch, the CompTIA roadmap is the right starting point. CISSP makes sense after you have the experience requirement and want to move into senior architect or management roles. CEH has a more mixed reputation — many employers prefer PenTest+ or OSCP for offensive security roles.
Which CompTIA cert has the best ROI?
Security+ by a wide margin. It's required for DoD 8570 compliance, listed in more job postings than any other CompTIA cert, and recognized across both public and private sector employers. The salary jump from no certification to Security+-certified averages around $15,000–$20,000 annually in most markets. CySA+ has strong ROI for people already working in security operations who need formal validation.
What's the deal with CompTIA SecAI+?
SecAI+ (CY0-001) launched in 2025 and covers AI security specifically: securing AI/ML pipelines, prompt injection attacks, data poisoning, model theft, and adversarial inputs. It's aimed at security professionals working in or adjacent to AI-heavy environments. It's not a replacement for any existing cert on the roadmap — think of it as a specialization add-on, similar to how PenTest+ fits alongside CySA+.
Can I get a job with just A+ certification?
Yes, but the job market is narrow. A+-only candidates compete primarily for help desk and tier-1 support roles. If your goal is any kind of network administration, security, or systems work, plan to move to Network+ within 6 months of passing A+. A+ as a career endpoint is a low-ceiling position; A+ as a stepping stone to Network+ and Security+ is a sensible strategy.
Bottom Line
The CompTIA roadmap works when you treat it as a sequence, not a menu. The core path — A+, Network+, Security+ — takes most people 12–18 months and opens up a genuine range of IT and security roles in the $70K–$100K range. After Security+, pick one branch based on what you actually want to do: CySA+ for defensive security and SOC work, PenTest+ for offensive/red-team work, Cloud+ if you're going infrastructure, SecurityX if you've got a decade in and want to move into architecture.
The SecAI+ is worth watching closely. As AI tooling embeds into enterprise infrastructure, the attack surface it creates will require dedicated expertise. Getting ahead of this cert while the field is still new puts you in a better position than waiting until every job posting requires it.
Where most people go wrong: they treat the roadmap as a list of credentials to collect rather than a skill-building sequence. The certs matter because they represent knowledge. Study to understand, use practice exams to test gaps, and the certification follows.