Which certifications truly matter in cybersecurity work?

When comparing CSOC services (cybersecurity operations center), requests for proposals often include wishes or requirements related to cybersecurity certifications that experts should hold. There is a wide range of certifications available to validate security skills, but how can you distinguish the most important and relevant ones? Read our blog to learn which certifications are worth paying attention to when selecting a CSOC service and evaluating SOC analysts’ skills.

In cybersecurity, certifications are a key method for validating the competence of SOC analysts. However, the level and scope of certifications vary significantly. Some can be completed fairly easily through self‑study and at no cost. At the other extreme are university‑level, weeks‑long courses requiring extensive study and thousands of pages of reading. Some certifications are quite expensive, with costs ranging from a few hundred to several thousand euros. Assessments also vary greatly—from simple multiple‑choice exams to comprehensive hands‑on practical tests. Certifications are offered both by software vendors and independent organizations.

Consultants preparing procurement documents may value very different things, and their knowledge of certifications may not always be up to date. It’s also worth remembering that professionals can possess strong skills even without certifications, though certifications remain a valuable way to demonstrate expertise.

We have compiled a few key certifications that are worth including in requests for proposals and asking about when evaluating SOC analysts.

1) A solid foundation: Blue Team Level 1 (BTL1)

A SOC analyst’s core defensive skills—so‑called blue team work—include the ability to analyze security events as quickly and deeply as possible. This allows them to determine whether an activity is normal or something unusual. The BTL1 from Security Blue Team provides a good foundation for this.

• Provides basic knowledge of topics such as SIEM and forensics
• Requires mastery of the content and a 24‑hour practical lab assessment
• BTL2 builds on Level 1, expanding into threat hunting and malware analysis; Level 3 focuses on team leadership and operational planning

BTL2 laajentaa ykköstason osaamista esimerkiksi uhkien metsästykseen ja haittaohjelma-analyysiin. Tasoja on kolmanteen portaaseen saakka, jolla keskitytään tiimien johtamiseen ja toiminnan suunnitteluun.

2) Forensic expertise for IT environments: GCFA 

The GCFA (GIAC Certified Forensic Analyst) covers the same general domain as BTL1 but with a much more extensive theoretical base. Training is provided by the SANS Institute, and certification is issued by GIAC (Global Information Assurance Certification). High‑quality GCFA courses require an intensive week‑long training session.

• Prepares professionals to lead incident investigations
• Includes subjects such as system forensics, threat detection, attack analysis, and remediation
• Suitable for SOC analysts responsible for incident investigations and leading IR (incident response) processes

3) For those working in OT environments: GICSP & GRID 

In cooperation with GIAC, SANS offers the GRID (GIAC Response and Industrial Defense) and GICSP (Global Industrial Cyber Security Professional) certifications to validate OT (operational technology) cybersecurity competence.

• GICSP content has been developed with major international industrial automation companies
• A GRID‑certified SOC analyst can lead investigations in OT environments

These certifications are critical for professionals working with industrial systems or critical infrastructure 

4) Red Team perspective: OSCP

The OSCP (Offensive Security Certified Professional) is well known, particularly for its difficulty. The exam tests real applied skills, and passing the 24‑hour practical exam requires genuine expertise. On top of the technical portion, candidates must still produce a comprehensive report—further adding to the pressure and endurance required.

• Provides valuable insight into an attacker’s mindset and significantly broadens skillsets
• Most blue‑team professionals do not work directly in red‑team roles, but understanding offensive techniques is extremely beneficial

5)  At least one per team: CISSP 

It’s worth ensuring that at least one analyst on the team holds the CISSP (Certified Information Systems Security Professional) certification. The study material consists of thousands of pages, so passing the exam requires substantial effort.

• Covers a wide range of security domains—from physical security and cameras to legal topics
• Particularly suitable for team leads and security architects
• Includes organizational risk management and cost‑effective risk reduction

6) Vendor‑specific certifications

Vendor‑specific certifications are also important, especially when the customer uses particular software platforms. However, these certifications validate expertise only for the specific products and may not be applicable across other environments.

**

This list is not exhaustive—there are many other excellent certifications. But what can we learn from the ones mentioned above?

When comparing CSOC providers, consider the following:

• What type of expertise is essential for your organization
• Consultants can be valuable in competitive tendering, but ensure their knowledge is up to date
• Do your own research to understand which certifications matter—it’s worth highlighting them in quality scoring
• Focus on certifications that validate practical skills (BTL1, GCFA, GRID), broad understanding (CISSP), and technologies relevant to your IT/OT environment
• Individual certifications matter, but the overall competence of the SOC team is key. A strong team is built so that each analyst’s strengths support one another and serve the bigger picture. In a T‑shaped model, team members share a broad general understanding but have deep expertise in specific core areas.

PS. At Loihde, our experts are encouraged to pursue training and certifications deemed important. This allows us to demonstrate to customers—through independent assessments—the strength of our cybersecurity expertise. Ultimately, real skills show when something happens. The CSOC acts as the blue defensive team and is always prepared for the worst. The better trained the team, the faster they can handle even major incidents—even after a long quiet period. Maintaining core skills is essential, for example by testing malware, studying offensive tools, and keeping up with global cybersecurity developments.

This blog has been created with insights and expertise from Loihde’s CSOC service professionals.