Security
Automation Certifications
Verify your security and networking automation expertise with our Vault and Consul certifications. Earn an associate-level certification to validate your foundational Vault or Consul knowledge and skills. You can also demonstrate your advanced Vault operational experience when you pass the Vault Operations Professional exam.
Vault Associate (003)
Prove your foundational Vault knowledge and skills in an hour-long multiple-choice exam.
Vault Associate (003) details
You should take the Vault Associate certification exam if you are a Cloud Engineer with foundational Vault knowledge and skills. You may specialize in security, development, or operations.
Prerequisites:
- Basic terminal skills
- Understanding of on-premises/cloud architecture
- Understanding of security
While professional experience is recommended, you can also prepare by practicing the exam objectives in a personal demo setup.
| Assessment Type | Multiple choice |
| Format | Online proctored |
| Duration | 1 hour |
| Price | $70.50 USD, plus locally applicable taxes and fees. Free retake not included. |
| Language | English |
| Credential Expiration | 2 years |
| 1 | Authentication methods |
| 1a | Define the purpose of authentication methods |
| 1b | Choose an authentication method based on use case |
| 1c | Explain the difference between human vs. system authentication methods |
| 1d | Define the purpose of identities and groups |
| 1e | Authenticate to Vault using the API, CLI, and UI |
| 1f | Configure authentication methods using the API, CLI, and UI |
| 2 | Vault policies |
| 2a | Explain the value of Vault policies |
| 2b | Describe Vault policy syntax: path |
| 2c | Describe Vault policy syntax: capabilities |
| 2d | Choose a Vault policy based on requirements |
| 2e | Configure Vault policies using the UI and CLI |
| 3 | Vault tokens |
| 3a | Choose between service and batch tokens based on use case |
| 3b | Describe root token uses and lifecycle |
| 3c | Explain the purpose of token accessors |
| 3d | Explain the impact of time-to-live |
| 3e | Explain orphaned tokens |
| 3f | Describe how to create tokens based on need |
| 4 | Vault leases |
| 4a | Explain the purpose of a lease ID |
| 4b | Describe how to renew leases |
| 4c | Describe how to revoke leases |
| 5 | Secrets engines |
| 5a | Choose a secrets engine based on use case |
| 5b | Compare and contrast dynamic secrets vs. static secrets, and know their use cases |
| 5c | Describe the uses of transit secrets engine |
| 5d | Describe the purpose of secrets engines |
| 5e | Describe the use of response wrapping |
| 5f | Explain the value of short-lived, dynamically generated secrets |
| 5g | Enable secrets engines using the CLI, API*, and UI |
| 5h | Access Vault secrets using the CLI, API, and UI |
| 6 | Encryption as a service |
| 6a | Encrypt and decrypt secrets |
| 6b | Rotate the encryption key |
| 7 | Vault architecture fundamentals |
| 7a | Describe how Vault encrypts data |
| 7b | Explain how to seal and unseal Vault |
| 7c | Configure environment variables |
| 8 | Vault deployment architecture |
| 8a | Explain cluster strategy for self-managed and HashiCorp-managed Vault clusters |
| 8b | Explain the uses of storage backends |
| 8c | Explain the uses of Shamir secret sharing and unsealing |
| 8d | Explain the uses of disaster recovery and performance replication |
| 8e | Differentiate between self-managed and HashiCorp-managed Vault clusters |
| 9 | Access management architecture |
| 9a | Describe the Vault Agent |
| 9b | Describe the Vault Secrets Operator |
* API was added to objective 5g and communicated to test-takers March 4 2025.
Understand your recertification options. Start by finding the scenario that applies to you and then evaluate your options. Know which exam version you passed by the 3-digit code on your credentials (badge and certificate).
Scenario 1: You hold an unexpired Vault Associate certification from the 003 version of the exam
Option 1: Pass the Vault Operations Professional exam
- Extend your Associate credentials' expiration date
- Earn a new professional-level badge and certificate
Option 2: Pass the 003 version of the Vault Associate exam starting 6 months before expiration
- Extend your Associate credentials' expiration date
Scenario 2: You hold an unexpired Vault Associate certification from the 002 version of the exam
Option 1: Pass the Vault Operations Professional exam
- Extend your Associate credentials' expiration date
- Earn a new professional-level badge and certificate
Option 2: Pass the 003 version of the Vault Associate exam starting 6 months before expiration
- Receive a new, separate set of credentials with a new expiration date
- Your original credentials' expiration date is not updated
Scenario 3: You hold any expired Vault Associate certification
There is only one option for recertifying if your certification has already expired.
Pass the current version of the Vault Associate exam at any time
- Receive a new, separate set of credentials with a new expiration date
- Your expired credentials' expiration date is not updated
Learn more about recertification in our Knowledge base.
Vault Operations Professional
Demonstrate your advanced, production-level Vault operational expertise in an intensive, lab-based exam.
Vault Operations Professional details
You should take the Vault Operations Professional exam if you are a Cloud Engineer with advanced, production-level Vault operations expertise. You will need to demonstrate your ability to deploy, configure, manage, and monitor HashiCorp Vault, and you must also be able to evaluate Vault Enterprise functionality and use cases.
Prerequisites:
- Vault Associate certification (strongly recommend, or equivalent experience required)
- Linux skills such as list and edit files via command terminal
- Understanding of IP networking
- Experience with Public Key Infrastructure (PKI), including PGP and TLS
- Information security fundamentals such as network security and RBAC
- Understand the concepts and functionality of infrastructure running in containers including starting and stopping services, and reading logs
| Assessment Type | Lab-based and multiple choice |
| Format | Online proctored |
| Duration | 4 hours; 15-minute break included |
| Price | $295 USD, plus locally applicable taxes and fees. Includes free retake. |
| Language | English |
| Credential Expiration | 2 years |
| 1 | Create a working Vault server configuration given a scenario |
| 1a | Enable and configure secret engines |
| 1b | Practice production hardening |
| 1c | Auto unseal Vault |
| 1d | Implement integrated storage for Community and Enterprise Vault |
| 1e | Enable and configure authentication methods |
| 1f | Practice secure Vault initialization |
| 1g | Regenerate a root token |
| 1h | Rekey Vault and rotate encryption keys |
| 2 | Monitor a Vault environment |
| 2a | Monitor and understand Vault telemetry |
| 2b | Monitor and understand Vault audit logs |
| 2c | Monitor and understand Vault operational logs |
| 3 | Employ the Vault security model |
| 3a | Describe secure introduction of Vault clients |
| 3b | Describe the security implications of running Vault in Kubernetes |
| 4 | Build fault-tolerant Vault environments |
| 4a | Configure a highly available (HA) cluster |
| 4b | [Vault Enterprise] Enable and configure disaster recovery (DR) replication |
| 4c | [Vault Enterprise] Promote a secondary cluster |
| 5 | Understand the hardware security module (HSM) integration |
| 5a | [Vault Enterprise] Describe the benefits of auto unsealing with HSM |
| 5b | [Vault Enterprise] Describe the benefits and use cases of seal wrap (PKCS#11) |
| 6 | Scale Vault for performance |
| 6a | Use batch tokens |
| 6b | [Vault Enterprise] Describe the use cases of performance standby nodes |
| 6c | [Vault Enterprise] Enable and configure performance replication |
| 6d | [Vault Enterprise] Create a paths filter |
| 7 | Configure access control |
| 7a | Interpret Vault identity entities and groups |
| 7b | Write, deploy, and troubleshoot ACL policies |
| 7c | [Vault Enterprise] Understand Sentinel policies |
| 7d | [Vault Enterprise] Define control groups and describe their basic workflow |
| 7e | [Vault Enterprise] Describe and interpret multi-tenancy with namespaces |
| 8 | Configure Vault Agent |
| 8a | Securely configure auto-auth and token sink |
| 8b | Configure templating |
To renew your certification, you will need to pass the Vault Operations Professional exam again.
Unexpired certification
- Retake the exam starting 6 months before your expiration date
- Passing extends your current credentials' expiration date
Expired certification
- Retake the exam at any time
- Passing gives you a new set of credentials with a new expiration date
Learn more about recertification in our Knowledge base.
Consul Associate (003)
Prove your foundational Consul knowledge and skills in an hour-long multiple-choice exam.
Consul Associate (003) details
You should take the Consul Associate certification exam if you are a Cloud Engineer with foundational Consul knowledge and skills, who can identify Consul Enterprise features and distinguish them from Community Edition. You may be a site reliability engineer, solutions architect, or other DevOps professional.
Prerequisites:
- Containerization
- Terminal skills
- Load balancing architecture
- Distributed systems
- Security practices
- OSI Model familiarity
- Cloud & Platform awareness (AWS, Google, Azure, Kubernetes, VMs)
While professional experience is recommended, you can also prepare by practicing the exam objectives in a personal demo setup.
| Assessment Type | Multiple choice |
| Format | Online proctored |
| Duration | 1 hour |
| Price | $70.50 USD, plus locally applicable taxes and fees. Free retake not included. |
| Language | English |
| Credential Expiration | 2 years |
| 1 | Understand the pillars of service networking |
| 1a | Understand how Consul discovers, tracks, and monitors the health of services |
| 1b | Explain how Consul secures service to service communication |
| 1c | Summarize how Consul controls access to services at point of entry |
| 1d | Discuss how Consul automates networking tasks |
| 2 | Describe Consul architecture |
| 2a | Identify Consul datacenter components including agents and communication protocols |
| 2b | Review Consul server high availability & scalability options |
| 2c | Differentiate between server agents and data plane components (client agents and Consul Dataplane) |
| 2d | Understand that Consul can run on multiple platforms |
| 3 | Deploy a single datacenter |
| 3a | Configure, bootstrap, and start Consul server agents |
| 3b | Configure and start Consul client agents |
| 3c | Configure and start Consul on Kubernetes |
| 3d | Explain Consul agent join methods and behavior |
| 4 | Register services and use service discovery |
| 4a | Interpret a service registration |
| 4b | Differentiate between service registration methods |
| 4c | Understand service health check configuration options and behaviors |
| 4d | Query Consul's service catalog via CLI, API, UI, and/or DNS, and interpret the results |
| 4e | Interpret & use prepared queries |
| 5 | Use Consul service mesh |
| 5a | Consider high level architecture & key benefits of Consul service mesh |
| 5b | Understand Consul service mesh intentions & when to use them |
| 5c | Apply proxy configuration options within Consul service mesh |
| 6 | Secure agent communication |
| 6a | Understand Consul security/threat model |
| 6b | Differentiate certificate types needed for TLS encryption |
| 6c | Interpret TLS encryption settings & intended use |
| 6d | Configure gossip encryption |
| 7 | Secure services with basic access control lists (ACLs) |
| 7a | Understand Consul ACL system components and usage |
| 7b | Create and configure ACL policies and tokens |
| 7c | Use ACL tokens to communicate securely with Consul services and agents |
| 8 | Secure and connect service mesh applications |
| 8a | Use Consul gateways to securely connect and access services into, out of, and within the service mesh |
| 8b | Understand how to enable communication between multiple Consul datacenters |
| 9 | Monitor Consul |
| 9a | Describe Consul service mesh observability |
| 9b | Review Consul datacenter observability |
| 10 | Operate and maintain Consul |
| 10a | Manage Consul servers |
| 10b | Maintain Consul communications security |
| 10c | Backup and restore Consul cluster state |
| 10d | Understand Consul datacenter troubleshooting options |
Understand your recertification options. Start by finding the scenario that applies to you and then evaluate your options. Know which exam version you passed by the 3-digit code on your credentials (badge and certificate).
Scenario 1: You hold an unexpired Consul Associate certification from the 003 version of the exam
Pass the 003 of the Consul Associate exam starting 6 months before expiration
- Extend your Associate credentials' expiration date
Scenario 2: You hold an expired Consul Associate certification from the 002 version of the exam
Pass the 003 of the Consul Associate exam starting 6 months before expiration
- Receive a new, separate set of credentials with a new expiration date
- Your original credentials' expiration date is not updated
Scenario 3: You hold any expired Consul Associate certification
Pass the current version of the Consul Associate exam at any time
- Receive a new, separate set of credentials with a new expiration date
- Your expired credentials' expiration date is not updated
Learn more about recertification in our Knowledge base.
Stay Informed
Sign up to be notified with updates to the HashiCorp Product Certifications program and to receive news and information about HashiCorp products.