In security roles, certifications can be a useful signal, but they rarely “replace” projects and real-world experience. They tend to help most when:
- you’re entering the field or switching tracks (backend → AppSec, DevOps → cloud security),
- the process starts with ATS/recruiter screening (where exact codes/keywords matter),
- you want to communicate a direction quickly (defensive vs offensive, cloud vs app).
Simple rule: a certification should map to what you do now (or what you want to do in the next 6–12 months), otherwise it’s just a badge.
TL;DR
- Start with explicit mentions in job ads (codes/names, not “AWS/Azure/Kubernetes”).
- Pick 1–2 certifications that clearly match your target role (AppSec, SecOps, cloud security, pentest).
- Pair each certification with a small, demonstrable project (repo + threat model + findings + remediation).
What certifications show up in job ads (from active listings)
The list below is built from explicit mentions (e.g., “OSCP”, “CISSP”) in Security roles on the platform.
Certifications mentioned in Security roles (counts of explicit certification mentions in job listings posted in the last 365 days).
How to choose (by role)
Application Security (AppSec)
Look for certifications that push you toward product-facing fundamentals:
- secure coding, OWASP Top 10, threat modeling,
- design reviews (auth, sessions, secrets, permissions),
- practical testing (SAST/DAST, triage, fix validation).
Interview signal: being able to explain trade-offs (e.g., “why JWT here”, “how auth works across services”, “rate limiting without hurting UX”).
Cloud Security
Many teams want applied fundamentals:
- IAM and least privilege,
- networking (segmentation, private endpoints),
- logging/monitoring (what to log, what to alert on),
- guardrails and policy as code.
Interview signal: showing you understand where misconfigurations happen and how you reduce risk in practice.
SecOps / SOC
For operational roles, the signal is often process maturity:
- triage, incident response, runbooks,
- alert tuning, false positives,
- log pipelines, SIEM queries.
Interview signal: prioritization and communication (what you say, when, and to whom).
Pentest / Offensive
In offensive roles, certifications can be used as a shortlist filter, but projects and write-ups still matter most. Interview signal: methodology, clear reporting, and remediation focus.
Projects that validate a certification
It doesn’t need to be big. It needs to be clear and complete so a reviewer can see:
- what you tested,
- what you found,
- why it matters,
- what the remediation looks like.
Practical examples:
- AppSec: a small threat model for a flow (login + reset) with risks, mitigations, and “secure defaults”.
- Cloud security: minimal IaC setup with IAM + logging + guardrails + a policy check (e.g., deny public buckets).
- SecOps: rules + runbook for an incident type (credential leak, brute force) with example queries.
- Offensive: a short write-up (no sensitive data) with actionable remediation.
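To make the cloud-security project above concrete, here is an added example (not code from the original article or from the platform) of the kind of "policy check" it mentions: a small policy-as-code evaluator that flags public buckets and missing access logging. The resource format (`type`, `name`, `acl`, `policy`, `logging_enabled`) is a constructed, simplified schema used only for this illustration, not a real Terraform or CloudFormation structure, and the sample resources are constructed too.

```python
"""Minimal policy-as-code check for bucket definitions (added example).

Assumes a simplified, hypothetical resource schema:
  {"type": "bucket", "name": str, "acl": str,
   "policy": {"Statement": [...]}, "logging_enabled": bool}
Three rules are enforced: no public ACL, no bucket policy that grants
access to everyone, and access logging turned on.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str
    remediation: str


# ACL values that expose a bucket to anonymous readers or writers.
PUBLIC_ACLS = {"public-read", "public-read-write"}


def _policy_allows_everyone(policy: dict) -> bool:
    """True if any unconditioned Allow statement names '*' as principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        # A Condition block may scope the grant; treat only unconditioned
        # wildcard grants as public in this simplified check.
        if wildcard and not stmt.get("Condition"):
            return True
    return False


def check_bucket(bucket: dict) -> list[Finding]:
    """Evaluate one bucket definition against the three rules."""
    name = bucket["name"]
    findings: list[Finding] = []
    if bucket.get("acl") in PUBLIC_ACLS:
        findings.append(Finding(
            name, "deny-public-acl", "high",
            "Set acl to 'private' and enable block-public-access.",
        ))
    if _policy_allows_everyone(bucket.get("policy", {})):
        findings.append(Finding(
            name, "deny-public-policy", "high",
            "Remove the wildcard Principal or restrict it with a Condition.",
        ))
    if not bucket.get("logging_enabled", False):
        findings.append(Finding(
            name, "require-access-logging", "medium",
            "Enable server access logging to a dedicated log bucket.",
        ))
    return findings


def evaluate(resources: list[dict]) -> list[Finding]:
    """Run the bucket checks over every bucket resource in a deployment."""
    return [
        finding
        for resource in resources
        if resource.get("type") == "bucket"
        for finding in check_bucket(resource)
    ]


def should_deny(findings: list[Finding]) -> bool:
    """A guardrail would block the deployment on any high-severity finding."""
    return any(f.severity == "high" for f in findings)


# Constructed sample resources for the demonstration.
SAMPLE_RESOURCES = [
    {"type": "bucket", "name": "app-assets", "acl": "public-read",
     "logging_enabled": True},
    {"type": "bucket", "name": "backups", "acl": "private",
     "logging_enabled": False,
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"type": "bucket", "name": "logs-archive", "acl": "private",
     "logging_enabled": True},
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_RESOURCES)
    for f in results:
        print(f"[{f.severity}] {f.resource}: {f.rule} -> {f.remediation}")
    print("deploy blocked" if should_deny(results) else "deploy allowed")
```

In a project, the same evaluator would run in CI against the rendered IaC plan, and the repo's README would pair each rule with the misconfiguration it prevents and the remediation it prescribes, which is exactly the "findings + remediation" a reviewer looks for.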
Common mistakes
- Collecting too many badges without examples: 1–2 + one clear project beats a long list.
- Claiming a cert but struggling with basics (auth, IAM, logging): prepare 5–10 common questions and short answers.
- Confusing technologies with certifications: “AWS/Azure” in a listing doesn’t mean a certification is required—this is why the list counts explicit mentions only.
How the list is built (short)
- Scans title + description of Security jobs on the platform.
- Counts explicit certification mentions only (codes/names), not general technologies.
- Shows how many listings mention each certification within a recent window.
Next steps
- Security jobs: /ro/cariere-it/rol/security-engineer
- Security CV template: /ro/ghiduri/model-cv-security-it-romania