Security Automation Certification

HashiCorp offers certifications to validate your Security Automation skills with Vault and Consul. There are two levels of Vault exams. Start with the Vault Associate certification, which validates your foundational knowledge of Vault. Continue your journey with the Professional lab-based exam to prove your extensive production experience. For Consul, take the Associate certification to showcase your skills in building, securing, and maintaining Consul.

HashiCorp Certified: Vault Associate (002)

Product version tested: Vault 1.6.0 and higher

Vault Associate 002 is currently available but will be replaced by Vault Associate 003 in 2025. Compare the differences between the 002 and 003 exam versions below. The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with Vault. You understand what Vault Enterprise features exist and can differentiate between Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.

  • Basic terminal skills
  • Basic understanding of on-premises or cloud architecture
  • Basic level of security understanding

You can use either version of the exam to validate your Vault knowledge at the associate level. Vault Associate 002 is currently available, and the Vault Associate 003 certification will launch in early 2025. You can hold both the Vault Associate 002 and Vault Associate 003 at the same time.

  • Vault Associate 002: Exam available now.
  • Vault Associate 003: Coming January 2025. The Vault Associate 002 exam will no longer be available to take once Vault 003 is released.

Assessment Type: Multiple choice
Format: Online proctored
Duration: 1 hour
Price: $70.50 USD, plus locally applicable taxes and fees. Free retake not included.
Language: English
Expiration: 2 years

1 Compare authentication methods
  1a Describe authentication methods
  1b Choose an authentication method based on use case
  1c Differentiate human vs. system auth methods
2 Create Vault policies
  2a Illustrate the value of Vault policy
  2b Describe Vault policy syntax: path
  2c Describe Vault policy syntax: capabilities
  2d Craft a Vault policy based on requirements
3 Assess Vault tokens
  3a Describe Vault token
  3b Differentiate between service and batch tokens. Choose one based on use-case
  3c Describe root token uses and lifecycle
  3d Define token accessors
  3e Explain time-to-live
  3f Explain orphaned tokens
  3g Create tokens based on need
4 Manage Vault leases
  4a Explain the purpose of a lease ID
  4b Renew leases
  4c Revoke leases
5 Compare and configure Vault secrets engines
  5a Choose a secret method based on use case
  5b Contrast dynamic secrets vs. static secrets and their use cases
  5c Define transit engine
  5d Define secrets engines
6 Utilize Vault CLI
  6a Authenticate to Vault
  6b Configure authentication methods
  6c Configure Vault policies
  6d Access Vault secrets
  6e Enable Secret engines
  6f Configure environment variables
7 Utilize Vault UI
  7a Authenticate to Vault
  7b Configure authentication methods
  7c Configure Vault policies
  7d Access Vault secrets
  7e Enable Secret engines
8 Be aware of the Vault API
  8a Authenticate to Vault via Curl
  8b Access Vault secrets via Curl
9 Explain Vault architecture
  9a Describe the encryption of data stored by Vault
  9b Describe cluster strategy
  9c Describe storage backends
  9d Describe the Vault agent
  9e Describe secrets caching
  9f Be aware of identities and groups
  9g Describe Shamir secret sharing and unsealing
  9h Be aware of replication
  9i Describe seal/unseal
  9j Explain response wrapping
  9k Explain the value of short-lived, dynamically generated secrets
10 Explain encryption as a service
  10a Configure transit secret engine
  10b Encrypt and decrypt secrets
  10c Rotate the encryption key

Review the rules and policies for taking HashiCorp certification exams.

Renew by passing a professional-level exam

Unexpired Vault Associate 002 or 003 credentials:

When you pass the Vault Operations Professional exam, you will receive the professional-level credentials (badge and corresponding certificate). You will also extend the expiration of your Vault Associate 002 or 003 credentials.

Renew by passing an associate-level exam

Unexpired Vault Associate 002 credential:

  • You can take the Vault Associate 003 exam starting 18 months after your previous exam date.
  • You will receive a new, separate set of credentials that will reflect your recertification date.
  • The expiration date of Vault Associate 002 credentials will not be updated.

Unexpired Vault Associate 003 credential:

  • You can retake the Vault Associate 003 exam starting 18 months after your previous exam date.
  • The expiration date on your credentials will be extended.

Have an expired Vault Associate credential?

  • You are eligible to recertify at any time by passing the Vault Associate 003 exam.
  • You will receive a new, separate set of credentials with a new expiration date.

Learn more about recertification in our Knowledgebase.

HashiCorp Certified: Vault Associate (003)

Product version tested: Vault 1.16

Vault Associate 003 is a new version of the Vault Associate exam and will be available in 2025. Compare the differences between the 002 and 003 exam versions below. Begin preparing for this exam now, and look for registration information soon! The Vault Associate 003 will still be for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with Vault. You will be best prepared for this exam if you have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.

Prepare for the exam: Coming Soon
  • November 2024 - Scheduling opens for Vault Associate 003.
  • January 2025 - Vault Associate 003 exam is available to take and Vault Associate 002 is retired.

You can use either version of the exam to validate your Vault knowledge at the associate level. The Vault Associate 002 certification is still relevant and will be accepted as validation of Vault knowledge until the badge’s expiration date. You can hold both the Vault Associate 002 and Vault Associate 003 at the same time.

  • Vault Associate 002: Exam available now.
  • Vault Associate 003: Coming January 2025. The Vault Associate 002 exam will no longer be available to take once Vault 003 is released.

We updated the Vault Associate 003 exam to account for how Vault has grown, and to accommodate future growth. The changes are primarily a reorganization and rewording of the 002 exam objectives. More significant changes are listed below.

The Vault Associate (003) tests on Vault version 1.16 and now includes HCP Vault content.

NEW topics covered in (003)
  8e Differentiate between self-managed and HashiCorp-managed Vault clusters
  9b Describe the Vault Secrets Operator

(002) objectives now covered in other objectives in (003)
  (002) objective 6:
    1 - Authentication methods
    2 - Vault policies
    5 - Secrets engines
    7 - Vault architecture fundamentals
  (002) objective 7:
    1 - Authentication methods
    2 - Vault policies
    5 - Secrets engines
  (002) objective 8:
    1 - Authentication methods
    5 - Secrets engines
  (002) objective 9:
    1 - Authentication methods
    5 - Secrets engines
    7 - Vault architecture fundamentals
    8 - Vault deployment architecture
    9 - Access management architecture
  (002) objective 10:
    5 - Secrets engines
    6 - Encryption as a service

  • Basic terminal skills
  • Basic understanding of on-premises or cloud architecture
  • Basic level of security understanding

This exam is a suggested prerequisite for the Vault Operations Professional exam. Intermediate and advanced topics are reserved for the Professional-level exams.

Assessment Type: Multiple choice
Format: Online proctored
Duration: 1 hour
Price: $70.50 USD, plus locally applicable taxes and fees. Free retake not included.
Language: English
Expiration: 2 years

1 Authentication methods
  1a Define the purpose of authentication methods
  1b Choose an authentication method based on use case
  1c Explain the difference between human vs. system authentication methods
  1d Define the purpose of identities and groups
  1e Authenticate to Vault using the API, CLI, and UI
  1f Configure authentication methods using the API, CLI, and UI
2 Vault policies
  2a Explain the value of Vault policies
  2b Describe Vault policy syntax: path
  2c Describe Vault policy syntax: capabilities
  2d Choose a Vault policy based on requirements
  2e Configure Vault policies using the UI and CLI
3 Vault tokens
  3a Choose between service and batch tokens based on use case
  3b Describe root token uses and lifecycle
  3c Explain the purpose of token accessors
  3d Explain the impact of time-to-live
  3e Explain orphaned tokens
  3f Describe how to create tokens based on need
4 Vault leases
  4a Explain the purpose of a lease ID
  4b Describe how to renew leases
  4c Describe how to revoke leases
5 Secrets engines
  5a Choose a secrets engine based on use case
  5b Compare and contrast dynamic secrets vs. static secrets, and know their use cases
  5c Describe the uses of transit secrets engine
  5d Describe the purpose of secrets engines
  5e Describe the use of response wrapping
  5f Explain the value of short-lived, dynamically generated secrets
  5g Enable secrets engines using the CLI and UI
  5h Access Vault secrets using the CLI, API, and UI
6 Encryption as a service
  6a Encrypt and decrypt secrets
  6b Rotate the encryption key
7 Vault deployment architecture
  7a Describe how Vault encrypts data
  7b Explain how to seal and unseal Vault
  7c Configure environment variables
8 Vault deployment architecture
  8a Explain cluster strategy for self-managed and HashiCorp-managed Vault clusters
  8b Explain the uses of storage backends
  8c Explain the uses of Shamir secret sharing and unsealing
  8d Explain the uses of disaster recovery and performance replication
  8e Differentiate between self-managed and HashiCorp-managed Vault clusters
9 Access management architecture
  9a Describe the Vault Agent
  9b Describe the Vault Secrets Operator

HashiCorp Certified: Vault Operations Professional

Product version tested: Vault 1.13.0 and higher

The Vault Operations Professional certification is a lab-based exam for Cloud Engineers focused on deploying, configuring, managing, and monitoring HashiCorp Vault. You are well-qualified to take this exam if you hold the Vault Associate Certification (or equivalent knowledge), have experience operating Vault in production, and can evaluate Vault Enterprise functionality and use cases.

We strongly recommend passing the associate-level Vault exam before taking the professional-level exam. Practitioners who are already experienced with Vault operations in a production environment, and who understand the concepts covered in the associate exam, may be able to successfully pass the professional-level exam.

  • HashiCorp Certified: Vault Associate Certification (recommended)
  • Linux skills such as listing and editing files via the command terminal
  • Understanding of IP networking
  • Experience with Public Key Infrastructure (PKI), including PGP and TLS
  • Information security fundamentals such as network security and RBAC
  • Understand the concepts and functionality of infrastructure running in containers including starting and stopping services, and reading logs

Assessment Type: Lab-based and multiple choice
Format: Online proctored
Duration: 4 hours; 15-minute break included
Price: $295 USD, plus locally applicable taxes and fees. Includes free retake.
Language: English
Expiration: 2 years

1 Create a working Vault server configuration given a scenario
  1a Enable and configure secret engines
  1b Practice production hardening
  1c Auto unseal Vault
  1d Implement integrated storage for Community and Enterprise Vault
  1e Enable and configure authentication methods
  1f Practice secure Vault initialization
  1g Regenerate a root token
  1h Rekey Vault and rotate encryption keys
2 Monitor a Vault environment
  2a Monitor and understand Vault telemetry
  2b Monitor and understand Vault audit logs
  2c Monitor and understand Vault operational logs
3 Employ the Vault security model
  3a Describe secure introduction of Vault clients
  3b Describe the security implications of running Vault in Kubernetes
4 Build fault-tolerant Vault environments
  4a Configure a highly available (HA) cluster
  4b [Vault Enterprise] Enable and configure disaster recovery (DR) replication
  4c [Vault Enterprise] Promote a secondary cluster
5 Understand the hardware security module (HSM) integration
  5a [Vault Enterprise] Describe the benefits of auto unsealing with HSM
  5b [Vault Enterprise] Describe the benefits and use cases of seal wrap (PKCS#11)
6 Scale Vault for performance
  6a Use batch tokens
  6b [Vault Enterprise] Describe the use cases of performance standby nodes
  6c [Vault Enterprise] Enable and configure performance replication
  6d [Vault Enterprise] Create a paths filter
7 Configure access control
  7a Interpret Vault identity entities and groups
  7b Write, deploy, and troubleshoot ACL policies
  7c [Vault Enterprise] Understand Sentinel policies
  7d [Vault Enterprise] Define control groups and describe their basic workflow
  7e [Vault Enterprise] Describe and interpret multi-tenancy with namespaces
8 Configure Vault Agent
  8a Securely configure auto-auth and token sink
  8b Configure templating

This performance-based exam contains labs that must be completed in a virtual environment, and a shorter multiple-choice section. During the lab scenarios, exam-takers will be tested on performing real-world Vault operational tasks on the command line. The Vault UI and API can also be used where applicable, and exam-takers will have access to the Vault and Vault API documentation.

To renew your Vault Professional certification, you will need to take and pass the Vault Professional exam.

If you hold an unexpired Vault Professional certification: You can take the exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.

If you hold an expired Vault Professional certification: You are eligible to recertify at any time. When you pass the exam again, you will receive a new, separate set of credentials with a new expiration date.

HashiCorp Certified: Consul Associate (003)

Product version tested: Consul 1.15

The Consul Associate certification is for site reliability engineers (SREs), solutions architects (SAs), DevOps professionals, or other cloud engineers who know the basic concepts and skills to build, secure, and maintain Consul. You understand what Enterprise features exist and can differentiate between Consul Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Consul in production, but performing the exam objectives in a personal demo environment may be sufficient.

  • Containerization
  • Basic terminal skills
  • Load balancing architecture
  • Distributed systems knowledge
  • Basic security practices knowledge
  • OSI Model familiarity
  • Cloud & Platform awareness (AWS, Google, Azure, Kubernetes, VMs)

Assessment Type: Multiple choice
Format: Online proctored
Duration: 1 hour
Price: $70.50 USD, plus locally applicable taxes and fees. Free retake not included.
Language: English
Expiration: 2 years

1 Understand the pillars of service networking
  1a Understand how Consul discovers, tracks, and monitors the health of services
  1b Explain how Consul secures service to service communication
  1c Summarize how Consul controls access to services at point of entry
  1d Discuss how Consul automates networking tasks
2 Describe Consul architecture
  2a Identify Consul datacenter components including agents and communication protocols
  2b Review Consul server high availability & scalability options
  2c Differentiate between server agents and data plane components (client agents and Consul Dataplane)
  2d Understand that Consul can run on multiple platforms
3 Deploy a single datacenter
  3a Configure, bootstrap, and start Consul server agents
  3b Configure and start Consul client agents
  3c Configure and start Consul on Kubernetes
  3d Explain Consul agent join methods and behavior
4 Register services and use service discovery
  4a Interpret a service registration
  4b Differentiate between service registration methods
  4c Understand service health check configuration options and behaviors
  4d Query Consul's service catalog via CLI, API, UI, and/or DNS, and interpret the results
  4e Interpret & use prepared queries
5 Use Consul service mesh
  5a Consider high level architecture & key benefits of Consul service mesh
  5b Understand Consul service mesh intentions & when to use them
  5c Apply proxy configuration options within Consul service mesh
6 Secure agent communication
  6a Understand Consul security/threat model
  6b Differentiate certificate types needed for TLS encryption
  6c Interpret TLS encryption settings & intended use
  6d Configure gossip encryption
7 Secure services with basic access control lists (ACLs)
  7a Understand Consul ACL system components and usage
  7b Create and configure ACL policies and tokens
  7c Use ACL tokens to communicate securely with Consul services and agents
8 Secure and connect service mesh applications
  8a Use Consul gateways to securely connect and access services into, out of, and within the service mesh
  8b Understand how to enable communication between multiple Consul datacenters
9 Monitor Consul
  9a Describe Consul service mesh observability
  9b Review Consul datacenter observability
10 Operate and maintain Consul
  10a Manage Consul servers
  10b Maintain Consul communications security
  10c Backup and restore Consul cluster state
  10d Understand Consul datacenter troubleshooting options

To renew any Consul Associate certification, you will need to take and pass the new Consul Associate 003 exam.

If you hold an unexpired Consul Associate 002 certification: You can take the new (003) exam starting 18 months after your previous exam date. When you pass the Consul Associate 003 exam to recertify, you will receive a new, separate set of credentials (badge and corresponding certificate) that will reflect your recertification date. The date of your credentials related to your Consul Associate 002 certification will not be updated.

If you hold an unexpired Consul Associate 003 certification: You can take the new exam starting 18 months after your previous exam date. When you pass the new exam, the expiration date on your credentials will be extended.

If you hold any expired Consul Associate certification: You are eligible to recertify at any time. When you pass the new exam, you will receive a new, separate set of credentials with a new expiration date.

Content Differences Between the 002 and 003 exams

We updated the Consul Associate 003 exam to account for how Consul has grown, and to accommodate future growth. The changes are primarily a reorganization and rewording of the 002 exam objectives. More significant changes are listed below.

(002) objectives NOT covered in (003)
  4 Access the Consul key/value (KV)

(002) objectives now covered within other objectives in (003)
  1 Explain Consul Architecture
  2 Deploy a single datacenter
  7 Secure agent communication
  9 Use gossip encryption

NEW objectives in (003)
  1c Summarize how Consul controls access to services at point of entry
  1d Discuss how Consul automates networking tasks
  2d Understand that Consul can run on multiple platforms
  3c Configure and start Consul on Kubernetes
  8 Secure and connect service mesh applications at scale
  9 Monitor Consul