Portfolio · Certification Strategy · v1 · Apr 2026
Active credentials across cloud infrastructure, Microsoft security, and AI — alongside a deliberate certification strategy for the Microsoft security stack. Certifications are one signal among many; the roadmap reflects targeted investment, not accumulation.
Credential Snapshot
Active credentials
13
12 certs + 1 skill badge
Lapsed / superseded
3
AWS CCP, CSCP, CSIS
Next targets
SC-300
SC-401 · SC-500
Strategic position
A strong infrastructure-and-cloud foundation — AZ-500 + AZ-104 + AZ-400 + Security+ — provides platform depth that most MS security consultants don't hold at this breadth. The next phase of credentialing targets the Microsoft security stack specifically: SC-300 for identity and Zero Trust, SC-401 for Purview and data governance (a core practice area), and SC-500 to replace the retiring AZ-500. These three exams over 12–18 months sharpen the profile without turning certification into the narrative.
Credentials Held vs. Market Benchmark
Currently held
Azure Security Engineer Associate
Core MS cloud security credential. Covers Defender for Cloud, Key Vault, NSGs, Azure Policy — maps directly to CSPM and cloud posture advisory work. Retiring Aug 2026; SC-500 is the anticipated successor pending vendor confirmation.
Azure Administrator Associate
Infrastructure platform baseline. Provides the Azure administration depth that pure security certs often assume but don't test.
DevOps Engineer Expert
Differentiator for DevSecOps and pipeline security conversations. Rare in pure-security consulting profiles.
Azure Fundamentals
Foundation level — no expiry. Validates platform literacy for stakeholders less familiar with the deeper credential stack.
CompTIA Security+
Vendor-neutral security baseline. DoD 8570 compliant — satisfies federal-adjacent requirements. Provides the vendor-neutral framing that underpins the broader stack.
CompTIA Network+
Network architecture depth that informs Zero Trust segmentation and lateral movement design conversations.
CompTIA Cloud+
Multi-cloud architecture baseline. Supports cloud posture conversations across platforms; CCSP is the planned upgrade in this lane.
CompTIA A+
Foundation credential from earlier in the career arc. Maintained as part of the CompTIA CE bundle alongside Network+.
CompTIA Cloud Admin Professional (Stackable)
Composite stackable credential aggregating Cloud+ and adjacent cloud administration coursework. Surviving CompTIA stackable after the Oct 2024 lapse of CSCP and CSIS — kept on the held roster as the active stackable companion to the standalones.
ITIL 4 Foundation
Service management framing — useful for change management and SecOps process conversations. No expiry, no renewal needed.
Microsoft Certified: AI Business Professional
Business-tier credential (exam AB-730) covering practical use of Microsoft 365 Copilot — prompting, agents, responsible AI, and privacy basics. Not a technical security cert, but signals AI platform literacy and supports Copilot deployment and governance conversations with non-technical stakeholders.
Microsoft Certified: AI Transformation Leader
Strategy-tier credential (exam AB-731) covering AI governance, adoption operating models, risk management, and aligning AI investments to business outcomes. Pairs with AB-730 to round out an AI advisory baseline — directly relevant to Security Copilot program design and DSPM for AI conversations with leadership audiences.
Microsoft Kusto Detective III
Highest rank in the Microsoft Kusto Detective KQL challenge series. Skill badge (Credly) rather than a vendor exam — practical evidence of Sentinel-relevant KQL depth ahead of SC-200 formalising the same content.
Identity & Access Admin Associate (in progress)
Prep course completed Nov 2025 via Microsoft Press. Exam scheduled as the immediate next step — identity and Zero Trust advisory work is underway and the credential formalises that depth.
AWS Certified Cloud Practitioner
Lapsed Feb 2025. Foundation level — not being renewed. The multi-cloud narrative is carried by Cloud+ and the broader Azure stack.
CompTIA stackable credentials
Composite stackable designations that lapsed Oct 2024. The underlying Security+ and Cloud+ remain active — no action planned on the stackables.
Senior Consultant market benchmark
Information Security Administrator Associate
Replaced SC-400 (retired May 2025). Covers Purview sensitivity labels, DLP, and information protection — the platform foundation for data security advisory. Note: compliance/governance content from SC-400 moved to Applied Skills credentials, not a single exam.
Identity & Access Administrator Associate
Most common requirement for Zero Trust and identity advisory roles. Entra ID, Conditional Access, PIM, governance. Prep course completed; exam is the immediate next step.
Security Operations Analyst Associate
Expected for Sentinel advisory and XDR design work. KQL, playbooks, investigation workflows. Kusto Detective I–III rankings reflect active KQL practice; SC-200 formalises that depth.
Azure Security Engineer Associate
Cloud posture and infrastructure security. Defender for Cloud, Azure Policy. Core for CSPM-adjacent work. Currently held; SC-500 anticipated as the successor before Aug 2026 retirement, pending vendor confirmation.
Microsoft Cybersecurity Architect Expert
Expert-level capstone for architecture lead roles. Requires an associate pre-req — SC-300 will satisfy this once earned. A 2027 horizon target once architecture-led engagements are the primary delivery model.
Certified Cloud Security Professional
Vendor-neutral cloud security architecture credential from ISC2. Covers cloud governance, data security, legal/compliance, and multi-platform risk — the cross-provider layer the Azure-specific certs don't address. The Azure engineering background maps directly to CCSP's six domains, making it the most accessible entry point in this tier. CCSP also qualifies as an ISC2-approved credential that waives one year of CISSP's experience requirement — earning it now slightly accelerates CISSP eligibility. Once CISSP is later earned, the full CCSP experience requirement is automatically waived. Note: exam outline updates Aug 1, 2026.
Certified Information Systems Security Professional
Vendor-neutral senior credential. Gold standard for CISO-level advisory and security leadership roles. Requires 5 years verified experience — worth planning timing. Not blocking near-term engagements, and CCSP waives one year of that experience requirement if held first.
Certified Information Security Manager
Preferred in GRC-heavy engagements and public sector procurement. Adds governance credibility that MS platform certs don't cover. 4-year experience requirement.
IAPP Privacy Certifications
CIPM (privacy program management) or CIPP/E (European privacy law) add the regulatory layer Purview platform certs can't cover. CIPM is the more practice-agnostic choice for US-focused work; CIPP/E only if EU/UK clients become a significant part of the mix.
CompTIA Security+
Sometimes required for federal-adjacent or DoD 8570 roles. Not a differentiator at Senior Consultant level in commercial MS advisory work.
Practical Path Forward
The Microsoft Press SC-300 prep course is complete. Exam scheduled for Q2 2026 — this closes the most visible gap for identity and Zero Trust advisory engagements and satisfies the associate pre-req for SC-100 later. AZ-104 expires Jul 2027 — renewal assessment scheduled for Jan 2027, no urgency.
SC-300 exam: targeted Q2 2026 · AZ-104 renewal: free online assessment, due Jan 2027
SC-200 maps directly to Sentinel advisory work and validates the KQL and detection engineering depth evidenced by Kusto Detective I–III. The most commonly expected credential for SOC transformation and XDR design engagements — the scenario type that appears most in the roles portfolio. With AZ-500 held, SC-200 completes the core Azure security profile without duplication. Planned to run in parallel with or immediately after SC-401.
6–8 weeks study · $165 exam fee · 1-year renewal cycle
SC-401 (which replaced SC-400 in May 2025) is the only exam that validates Purview information protection depth — sensitivity label taxonomy, DLP policy design, insider risk management, and data lifecycle. Given that Purview is a core practice pillar, this is co-equal priority with SC-200. Sequencing will be driven by near-term engagement type. Pairing SC-401 with Microsoft Applied Skills credentials (free, scenario-based assessments on Microsoft Learn) covers the compliance and governance content that moved out of the exam — specifically "Implement information protection and data loss prevention" and "Implement retention, eDiscovery, and Communication compliance."
6–8 weeks study · $165 exam fee · Applied Skills: free, ~4 hrs each
AZ-500 retires August 31, 2026 — after that date it cannot be renewed or re-earned. There is no automatic conversion to SC-500. SC-500 (Cloud and AI Security Engineer Associate) enters beta May 15, 2026, covering the core AZ-500 Azure security content plus AI system security — securing AI pipelines, generative AI deployments, and AI-adjacent cloud infrastructure. The AB-730 and AB-731 credentials already establish the AI strategy foundation; SC-500 adds the technical security layer. Plan: sit the beta exam (free) in May 2026, or target GA once it exits beta (~Aug 2026), before AZ-500 moves to historical status.
SC-500 beta: May 15, 2026 (free) · GA est. Aug 2026 · AZ-500 retires Aug 31, 2026
SC-100 is the expert capstone for cross-domain security architecture — most valuable when architectural design sessions and security program leadership are the primary delivery mode. SC-300 (earned in 2026) satisfies the associate pre-req. Targeted for 2027 once 12+ months of architecture-led delivery has accumulated behind it. The credential is most credible when the work already reflects the seniority level it signals.
8–12 weeks study · Requires associate pre-req · Expert level renewal
CISSP is the gold standard for CISO-level advisory and senior security leadership — widely recognised in procurement and required for most security leadership roles. It requires 5 years of verified experience across two domains. CCSP is the intended first step: the Azure engineering background maps directly to CCSP's six domains, and CCSP qualifies as an ISC2-approved credential that waives one year of CISSP's experience requirement. Once CISSP is earned, the full CCSP experience requirement is automatically waived — making the pair easier to collect in that order. The CISSP + CCSP combination is the highest-earning credential pairing in cloud security. Note: CCSP exam outline updates August 1, 2026. CISM is a separate consideration for GRC program ownership and public sector procurement contexts — not a sequencing dependency.
CCSP: $599 · 5 yr IT exp req (waived with CISSP) · CISSP: $749 · 5 yr exp req · CISM: $575–$760 · 4 yr mgmt exp req
IAPP certifications add the legal and regulatory layer no Microsoft platform cert covers. CIPM (privacy program management) is the more practice-agnostic choice — structuring and operating a privacy program regardless of jurisdiction, mapping well to Purview advisory across US clients. CIPP/E adds GDPR-specific depth if EU or UK client work becomes a significant part of the mix. The SC-401 + CIPM combination is uncommon — most Purview practitioners know the tooling without the program management layer. That gap is where differentiated advisory sits.
CIPM: $550 · CIPP/E: $550 · No experience pre-req · Annual renewal · 8–12 weeks study each
Renewal & Expiry Watch
AWS Certified Cloud Practitioner
Lapsed Feb 2025
Foundation level. Not being renewed — the multi-cloud narrative is covered by Cloud+ and the broader Azure stack.
No action planned
CompTIA CSCP & CSIS
Lapsed Oct 2024
Composite stackable designations — underlying Security+ and Cloud+ remain active. No action planned on the stackables.
No action planned
AZ-104 — Azure Administrator Associate
Expires Jul 2027 · ~15 months out
Free renewal assessment on Microsoft Learn, ~2 hours. Comfortable timeline — reminder set for Jan 2027 to complete well ahead of expiry.
Reminder: Jan 2027
AZ-500 — Azure Security Engineer Associate
Exam retires Aug 31, 2026 · Cert expires Mar 2027
Not a standard renewal. Microsoft is retiring AZ-500 on Aug 31, 2026 — it cannot be renewed or re-earned after that date. The replacement is SC-500 (Cloud and AI Security Engineer Associate), entering beta May 15, 2026. No automatic conversion; SC-500 requires a new exam. AZ-500 remains on transcript but moves to historical once expired. SC-500 beta or GA exam is planned before expiry.
SC-500 targeted · beta May 2026
AZ-400 — DevOps Engineer Expert
Expires Jan 2027 · ~9 months out
Free renewal assessment on Microsoft Learn. Reminder set for Jul 2026 to complete ahead of expiry.
Reminder: Jul 2026
Security+, Network+, A+, Cloud+
All expire Oct 2027 · 18 months out
CompTIA CE credits being logged on an ongoing basis via CertMaster CE and qualifying activities — renewal will not require a concentrated study effort.
CPE logged ongoing
On Certs as One Signal
Certifications answer a narrow question: can this person demonstrate baseline competency on a vendor's platform? They don't answer whether an engagement can be led, a CISO advised, or an architecture designed that actually holds up in a complex environment. At Senior Consultant level, platform competency is assumed — what clients are evaluating is judgment, communication, and whether the experience maps to their problem.
The certification strategy here isn't accumulation — it's filling the specific gaps that matter for the Microsoft security stack (SC-300, SC-401, SC-500), then pursuing SC-100 when the work already reflects the seniority level it signals. CCSP and CISSP are horizon credentials tied to client type and seniority, not checkboxes.
The AZ-500 + AZ-400 combination is unusual in security consulting profiles — most security practitioners don't hold DevOps Engineer Expert. That combination signals platform depth that goes beyond advisory. Note that AZ-500 retires Aug 31, 2026 — SC-500 is a replacement exam, not a renewal, and is planned accordingly.
A small number of pre-pivot foundation credentials remain visible on the LinkedIn profile but are intentionally not portfolio-claimed here. CompTIA Project+ is the current example. The cert was earned during the deliberate-build phase before the security pivot consolidated; LinkedIn renders it as part of the deliberate-build signal a recruiter skim can see, while this portfolio scopes the Currently held roster to credentials that actively support the Microsoft security stack and the Principal-track architecture direction. The asymmetry is intentional — resume and external tailoring follow the portfolio scope, not the LinkedIn render.