HashiCorp Professional Security Automation Certification

Cloud engineers can use the Vault Operations Professional certification exam from HashiCorp to verify their specialized security automation skills.

HashiCorp Certified: Vault Operations Professional

The Vault Operations Professional exam is for Cloud Engineers focused on deploying, configuring, managing, and monitoring HashiCorp Vault. Well-qualified candidates hold the Vault Associate Certification (or equivalent knowledge), have experience operating Vault in production, and can evaluate Vault Enterprise functionality and use cases. Certification holders have proven they have the skills, knowledge, and competency to perform the Vault operational tasks listed in the objectives.


We strongly recommend passing the associate-level Vault exam before taking the professional-level exam. Practitioners who are already experienced with Vault operations in a production environment—and understand the concepts covered in the associate exam— may be able to successfully pass the professional-level exam.

  • HashiCorp Certified: Vault Associate Certification (recommended)
  • Linux skills such as list and edit files via command terminal
  • Understanding of IP networking
  • Experience with Public Key Infrastructure (PKI), including PGP and TLS
  • Information security fundamentals such as network security and RBAC
  • Understand the concepts and functionality of infrastructure running in containers including starting and stopping services, and reading logs

arrow going from associate badge toward pro badge showing a prerequisite relationship

Product version tested

Vault 1.13.0 and higher

Renewing your Vault Professional certification

To renew your Vault Professional certification, you will need to take and pass the Vault Professional exam.

If you hold an unexpired Vault Professional certification: You can take the exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.

If you hold an expired Vault Professional certification: You are eligible to recertify at any time. When you pass the exam again, you will receive a new, separate set of credentials with a new expiration date.

Exam Details

Assessment Type* Lab-based and multiple choice
Format Online proctored
Duration 4 hours; 15-minute break included
Price $295 USD
plus locally applicable taxes and fees
Includes free retake
Language English
Expiration 2 years

*Assessment Type

This exam is primarily lab-based, in addition to a shorter multiple-choice section. During the lab scenarios, exam-takers will be tested on performing real-world Vault operational tasks on the command line. The Vault UI and API can also be used where applicable, and exam-takers will have access to the Vault and Vault API documentation.

Preparing for the Exam

Visit the Prepare for Vault Operations Pro Exam page on HashiCorp Learn to start your exam prep. There you will find an overview, a study guide, and a review guide. The study guide includes tips and example questions, while the review guide is a direct mapping of where what documentation and tutorials to study each exam objective.

Exam Objectives

1 Create a working Vault server configuration given a scenario
1a Enable and configure secret engines
1b Practice production hardening
1c Auto unseal Vault
1d Implement integrated storage for open source and Enterprise Vault
1e Enable and configure authentication methods
1f Practice secure Vault initialization
1g Regenerate a root token
1h Rekey Vault and rotate encryption keys
2 Monitor a Vault environment
2a Monitor and understand Vault telemetry
2b Monitor and understand Vault audit logs
2c Monitor and understand Vault operational logs
3 Employ the Vault security model
3a Describe secure introduction of Vault clients
3b Describe the security implications of running Vault in Kubernetes
4 Build fault-tolerant Vault environments
4a Configure a highly available (HA) cluster
4b [Vault Enterprise] Enable and configure disaster recovery (DR) replication
4c [Vault Enterprise] Promote a secondary cluster
5 Understand the hardware security module (HSM) integration
5a [Vault Enterprise] Describe the benefits of auto unsealing with HSM
5b [Vault Enterprise] Describe the benefits and use cases of seal wrap (PKCS#11)
6 Scale Vault for performance
6a Use batch tokens
6b [Vault Enterprise] Describe the use cases of performance standby nodes
6c [Vault Enterprise] Enable and configure performance replication
6d [Vault Enterprise] Create a paths filter
7 Configure access control
7a Interpret Vault identity entities and groups
7b Write, deploy, and troubleshoot ACL policies
7c [Vault Enterprise] Understand Sentinel policies
7d [Vault Enterprise] Define control groups and describe their basic workflow
7e [Vault Enterprise] Describe and interpret multi-tenancy with namespaces
8 Configure Vault Agent
8a Securely configure auto-auth and token sink
8b Configure templating