TryHackMe certifications are shaking up the cybersecurity certification landscape. While CompTIA and Offensive Security have dominated for years, TryHackMe now offers practical, hands-on certifications that test your ability to actually do the job, not just answer questions about it.
This guide breaks down everything you need to know about TryHackMe certifications in 2026: the Security Analyst Level 1 (SAL1) for aspiring SOC analysts and the Junior Penetration Tester (PT1) for offensive security enthusiasts. You'll learn what each exam covers, how much they cost, how to prepare, and whether they're worth your time and money.
Quick Answers: TryHackMe Certifications
In This Guide
What Are TryHackMe Certifications?
TryHackMe offers two types of credentials: Certificates of Completion and Professional Certifications. Understanding the difference matters because they serve completely different purposes.
Certificates of Completion
When you finish a TryHackMe learning path, you earn a Certificate of Completion. These are free for Premium subscribers and demonstrate that you've worked through structured training material. They're great for LinkedIn profiles and showing commitment to learning, but they don't validate practical skills through examination.
Professional Certifications
Professional certifications require passing a rigorous practical exam. Instead of just completing modules, you must demonstrate your ability to apply security skills in realistic scenarios. TryHackMe currently offers two professional certifications:
- SAL1 (Security Analyst Level 1): For aspiring SOC analysts
- PT1 (Junior Penetration Tester): For aspiring penetration testers
Both certifications are backed by industry partners and designed with input from hiring managers who know what entry-level candidates actually need to succeed in their first roles.
Key point: TryHackMe's professional certifications test practical skills through hands-on scenarios, not multiple-choice memorization. This approach mirrors how you'll actually work in security roles.
SAL1 Certification: Security Analyst Level 1 Overview
The SAL1 certification validates your readiness for entry-level SOC analyst positions. Launched in February 2025 with backing from Accenture and Salesforce, SAL1 fills a gap in the market for affordable, practical blue team certifications.
What the SAL1 Exam Tests
The exam assesses core SOC analyst competencies across three sections:
| Section | Duration | Weight | What's Tested |
|---|---|---|---|
| Multiple Choice | 60 minutes | 20% | Security fundamentals, frameworks, tooling, SOC workflows |
| SOC Simulation 1 | 2 hours | 40% | Alert triage, SIEM analysis, threat investigation |
| SOC Simulation 2 | 2 hours | 40% | Complex alert scenarios, escalation decisions, reporting |
You have a 24-hour window to complete all three sections, but actual testing time is approximately 5 hours. The SOC simulations use a realistic SIEM environment where alerts arrive in real-time, forcing you to triage, investigate, and make escalation decisions just like in a real SOC.
SAL1 Pricing
- $349: Includes exam voucher, 3 months TryHackMe Premium, and 1 free retake
- $297: For existing Premium subscribers (15% discount)
What Makes SAL1 Stand Out
The SOC simulator is where SAL1 shines. Unlike certifications that test theoretical knowledge, SAL1 drops you into a functioning SOC environment. You'll use Splunk to investigate alerts, analyze IP addresses and URLs, and write case reports explaining your findings and decisions. Reviewers consistently praise the realism, noting that it mirrors actual SOC analyst daily duties.
Critical exam tip: You must close all True Positive alerts before the 2-hour timer expires in each simulation. If time runs out, you receive zero points for unclosed alerts, even if you correctly identified them. Manage your time carefully.
PT1: Junior Penetration Tester Certification
The PT1 certification validates entry-level penetration testing skills across web applications, networks, and Active Directory environments. It's designed to bridge the gap between CTF experience and professional pentesting.
What the PT1 Exam Covers
PT1 is a 48-hour practical exam testing three critical domains:
| Domain | Weight | Skills Tested |
|---|---|---|
| Web Application Security | 60% | IDOR, SQL injection, XSS, authentication flaws |
| Network Security | 20% | Enumeration, exploitation, privilege escalation on Linux/Windows |
| Active Directory | 20% | Kerberoasting, AS-REP roasting, pivoting, domain compromise |
PT1 Exam Format
You receive a VPN connection file and 48 hours to compromise targets across all three domains. The exam is unproctored, meaning no monitoring software watches you. You're free to use any tools: Burp Suite, Nmap, custom scripts, whatever works. This mirrors real penetration testing where tool restrictions don't exist.
To pass, you need 750+ points by collecting flags from compromised systems. But here's the critical part: you must also submit a professional penetration testing report. Even if you hack everything, a poor report means failure. TryHackMe uses AI to grade reports, so following their recommended structure closely is essential.
PT1 Pricing
- $297: Includes exam voucher, 3 months TryHackMe Premium, and 1 free retake
- 15% discount: Available for existing Premium subscribers
The Reporting Challenge
Multiple reviewers emphasize that reporting makes or breaks your PT1 attempt. The exam tests communication skills alongside technical abilities. Your report must include:
- Detailed vulnerability descriptions using predefined categories
- Step-by-step reproduction instructions
- Accurate CVSS severity ratings
- Remediation recommendations
- Screenshots documenting your exploitation chain
Pro tip: Document your entire process during the exam, not just final flags. Use the CVSS calculator at cvss.js.org for accurate severity ratings. The AI grader looks for specific technical keywords, so be thorough.
SAL1 vs PT1: Which Should You Choose?
The choice between SAL1 and PT1 depends on your career goals. They target completely different security roles.
| Aspect | SAL1 | PT1 |
|---|---|---|
| Target Role | SOC Analyst | Jr Penetration Tester |
| Focus | Blue Team / Defensive | Red Team / Offensive |
| Price | $349 | $297 |
| Exam Duration | ~5 hours (24h window) | 48 hours |
| Format | MCQ + SOC simulations | Practical + report |
| Industry Backing | Accenture, Salesforce | Industry experts |
| Key Skills | SIEM, alert triage, reporting | Web exploits, AD attacks, pivoting |
Choose SAL1 If...
- You want to work in a Security Operations Center
- You prefer defensive security over attacking systems
- You're interested in threat detection and incident response
- You want a certification backed by major enterprise employers
Choose PT1 If...
- You want to become a penetration tester
- You enjoy breaking into systems and finding vulnerabilities
- You have some CTF experience and want formal validation
- You're comfortable with long, unstructured exam formats
TryHackMe vs Other Entry-Level Certifications
How do TryHackMe certifications compare to established alternatives? Here's an honest assessment.
For SOC Analysts: SAL1 vs BTL1 vs CySA+
| Certification | Price | Format | Recognition |
|---|---|---|---|
| TryHackMe SAL1 | $349 | Practical + MCQ | Growing (new in 2025) |
| Security Blue Team BTL1 | $499 | 24-hour practical | Established |
| CompTIA CySA+ | $404 | MCQ + performance-based | Industry standard |
SAL1 offers excellent value at $349 with its realistic SOC simulator. CySA+ has maximum HR recognition but tests more theory than practice. BTL1 is well-established but costs more and lacks the industry backing SAL1 has from Accenture and Salesforce.
For Penetration Testers: PT1 vs eJPT vs PJPT
| Certification | Price | Duration | Domains Covered |
|---|---|---|---|
| TryHackMe PT1 | $297 | 48 hours | Web, Network, AD |
| INE eJPT | $249 | 48 hours | Network focus |
| TCM PJPT | $249 | 4 days | External pentest |
PT1 stands out by covering all three major pentesting domains (web, network, AD) in one exam. The eJPT focuses primarily on network security, while PJPT emphasizes external penetration testing methodology. For comprehensive coverage at entry level, PT1 offers the broadest scope. For those pursuing advanced offensive certifications, check our PNPT guide and OSCP preparation guide.
Recognition reality check: TryHackMe certifications are new and still building industry awareness. CompTIA and Offensive Security certifications have decades of reputation. For maximum marketability, consider pairing a TryHackMe certification with an established one like Security+ or CySA+.
How to Prepare for TryHackMe Certifications
TryHackMe provides structured learning paths that align directly with exam objectives. Here's how to prepare effectively for each certification.
SAL1 Preparation Path
Complete these TryHackMe learning paths before attempting SAL1:
- SOC Level 1 Path Core SOC concepts, SIEM fundamentals, alert handling workflows
- Cyber Defense Path Threat intelligence, network security monitoring, incident response
- Security Operations Rooms Practice with Splunk, investigate real alert scenarios
Focus especially on Splunk proficiency and case report writing. The exam tests your ability to communicate findings clearly, not just identify threats.
PT1 Preparation Path
Complete these learning paths and supplement with additional practice:
- Jr Penetration Tester Path Fundamental web vulnerabilities, network enumeration, basic exploitation
- Web Fundamentals Path Deep dive into OWASP Top 10, SQL injection, XSS, authentication attacks
- Active Directory Basics Kerberoasting, AS-REP roasting, BloodHound, lateral movement
- Offensive Pentesting Path Advanced techniques, privilege escalation, post-exploitation
Essential Tools to Master
For PT1, ensure you're comfortable with these tools before exam day:
- Burp Suite: Web application testing (see our Burp Suite tutorial)
- Nmap: Network enumeration (check our Nmap cheat sheet)
- Ligolo-ng: Pivoting through networks (required for AD section)
- BloodHound: Active Directory attack path mapping
- SQLMap/manual techniques: SQL injection exploitation
Critical PT1 warning: TryHackMe's suggested web application learning path covers only basics. The exam tests intermediate-level web vulnerabilities. Consider supplementing with PortSwigger Web Security Academy for deeper preparation.
Are TryHackMe Certifications Worth It?
Here's an honest assessment of TryHackMe certifications for your career.
The Strengths
- Practical exams: Test real skills, not memorization ability
- Affordable: $297-$349 undercuts most competitors
- Free retake included: Reduces financial risk of failure
- Quality training platform: TryHackMe's learning content is well-regarded
- Industry backing: SAL1 has Accenture and Salesforce support
- Modern approach: Exams reflect current job requirements
The Limitations
- New certifications: Limited industry recognition compared to CompTIA or OffSec
- HR filters: Many job postings still specifically request Security+, CySA+, or OSCP
- AI grading concerns: PT1 report grading can feel inconsistent
- Platform maturity: Some exam features still being refined
The Verdict
TryHackMe certifications excel at validating practical skills. They're ideal for:
- Building genuine competency before job hunting
- Supplementing theory-heavy certifications with hands-on validation
- Budget-conscious learners who want quality practical testing
- Those targeting employers who prioritize skills over certification names
For maximum career impact, consider pairing a TryHackMe certification with an established one. SAL1 + Security+ or PT1 + CompTIA PenTest+ combines practical validation with HR-friendly credentials.
Bottom line: TryHackMe certifications are worth it if you want to develop and prove practical skills. They're not yet replacements for industry-standard certifications but serve as excellent complements that demonstrate you can actually do the work.
Frequently Asked Questions
How much do TryHackMe certifications cost?
SAL1 costs $349 and PT1 costs $297. Both include 3 months of TryHackMe Premium access and one free retake. Existing Premium subscribers receive a 15% discount.
Do TryHackMe certifications expire?
Yes, both SAL1 and PT1 certifications are valid for 3 years from the date you pass. After expiration, you'll need to retake the exam to maintain certification status.
Can I retake the exam if I fail?
Yes. Each certification purchase includes one free retake. Your exam attempts are valid for 12 months from purchase. If you need additional attempts after using your free retake, you can purchase more vouchers.
Are TryHackMe certifications recognized by employers?
Recognition is growing but still limited compared to established certifications. SAL1's backing from Accenture and Salesforce helps. For maximum job market appeal, pair TryHackMe certifications with well-known credentials like Security+ or CySA+.
Should I get SAL1 or BTL1?
Both validate SOC analyst skills. SAL1 is newer, cheaper ($349 vs $499), and has industry backing from major employers. BTL1 has more established recognition. If budget is tight, SAL1 offers excellent value. If maximum recognition matters most, BTL1 is more established.
Is PT1 harder than eJPT?
PT1 is generally considered more challenging because it covers three domains (web, network, Active Directory) versus eJPT's network focus. PT1's web application section is particularly demanding. However, the 48-hour timeframe provides adequate time if you're well-prepared.
What tools can I use on PT1?
Any tools you want. PT1 is unproctored with no tool restrictions. Use Burp Suite, Metasploit, custom scripts, or anything else that helps you complete the engagement.
How long should I study before attempting these exams?
Plan for 2-4 months of focused preparation. Complete the recommended TryHackMe learning paths and supplement with additional practice. Those with prior CTF experience or security backgrounds may need less time.
Responsible Learning and Legal Considerations
The skills you develop preparing for these certifications are powerful. Use them ethically and legally.
Critical reminder: Only practice security testing on systems you own or have explicit written permission to test. Unauthorized access is illegal regardless of your intentions. TryHackMe's labs and exam environments are legal practice spaces. Real systems without authorization are not.
- Use legal practice environments. TryHackMe labs, HackerDNA Labs, and your own home lab are appropriate places to develop skills.
- Never test production systems without authorization. Having a certification doesn't grant permission to test systems. Always obtain written approval.
- Practice responsible disclosure. If you discover vulnerabilities during authorized testing, report them through proper channels.
- Protect sensitive information. Handle any data encountered during testing with appropriate care and confidentiality.
Your Next Steps
TryHackMe certifications offer an affordable, practical path to validating cybersecurity skills in 2026. Whether you choose SAL1 for blue team work or PT1 for penetration testing, you'll develop real-world competencies that translate directly to job performance.
Action plan: Start with TryHackMe's free tier to explore the platform. Subscribe to Premium when ready for structured learning. Complete the recommended paths for your chosen certification. Practice until you can consistently perform the required skills. Then schedule your exam with confidence.
Based on Your Goals
- Want to work in a SOC? Start the SOC Level 1 learning path, then pursue SAL1 certification.
- Want to become a pentester? Complete the Jr Penetration Tester path, supplement with web application security practice, then tackle PT1.
- Not sure which path? Try both learning paths on TryHackMe's free tier. The one that excites you more is probably your answer.
The cybersecurity industry needs skilled practitioners, not just certification collectors. TryHackMe certifications help you become both. Start learning today, build genuine skills, and earn credentials that prove you can do the job.