In this article, we cover the Certified Ethical Hacker certification and whether it’s worth the investment of time and money. You can see our comparison of the CEH and the OSCP certification, and our comparison of the CEH with the PenTest+ here.

Penetration testing and the certifications that go along with it are hot topics of conversation in the cybersecurity realm.  I think this is because hacking is somewhat mysterious, and the idea that we can legally do things that would otherwise be illegal outside of our jobs is pretty interesting.  I think people also like the idea that they have the ability to hack systems if they wanted to.  In this article, I want to talk about what is probably the most well-known penetration testing certification out there, the Certified Ethical Hacker, and if it’s worth the effort to earn it.

Is the Certified Ethical Hacker (CEH) worth it?  The CEH is a well-known pen-testing certification that has a great combination of attainability and recognizability.  Almost all other penetration testing certifications are either less well known or more difficult to earn, which makes the CEH an ideal first penetration testing certification.

Let’s dive in now and discuss why you just might want to make the Certified Ethical Hacker your first penetration testing certification.

Table of Contents

What is the Certified Ethical Hacker certification?

The CEH, or Certified Ethical Hacker certification is a penetration testing focused certification exam issued by the EC-Council organization.  It is not the EC-Council’s lowest level certification, but it is the lowest certification that they offer that focuses specifically on penetration testing.  EC-Council states that their intention with the CEH is to certify “individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective”.

Certified Ethical Hacker Exam Details

Number Of QuestionsMaximum of 125
Question TypeMultiple Choice
Test LengthUp to 4 hours
Scoring60% to 85% required, depending on the exam
Recommended Experience2 Years
Required Experience2 Years of documented experience, or completion of EC-Council training
Suggested PrerequisiteCompTIA Security+ or similar

Key skill areas of the CEH

EC-Council lists the five phases of ethical hacking as key areas for the exam. You’ll also be required to know hacking tools common to the industry.

Gaining Access
Maintaining Access
Covering Tracks

What other certifications are offered by EC-Council?

EC-Council offers many other certifications related to IT and cybersecurity, but none are as well known as their flagship certification CEH.  Among these other offerings are CND, which is the lower-level and recommended prerequisite Certified Network Defender, and LPT, or Licensed Penetration Tester, which is a more advanced certification intended to follow the CEH.

Who is the CEH intended for?

EC-Council provides quite a long list of professionals on their target market list for the CEH, specifically “Ethical hackers, System Administrators, Network Administrators and Engineers, Web managers, Auditors, Security Professionals in general.”

It may be a stretch to suggest that the CEH is intended for all of these job classifications, but certainly, some of these will directly benefit from the certification, most notably security professionals and ethical hackers that are involved in security practices on a daily basis.

Should I take the CEH?

The Certified Ethical Hacker certification will probably be a good certification to pursue if you are an aspiring or current ethical hacker or penetration tester, or you are or will be working in a domain within IT or cybersecurity that is focused with the security of systems.  Even defensive positions, such as cybersecurity analysts and incident responders, will benefit from adding a certification related to penetration testing to their credentials.

Professionals that fall into one of these categories will want to compare the CEH to other penetration testing certifications, such as CompTIA’s PenTest+ or Offensive Security’s OSCP.  We cover the differences between the CEH and PenTest+ here and the CEH and OSCP here.

It has been noted online by many cybersecurity professionals that regardless of the quality of the CEH certification, it is a certification that is often recognized by HR departments, recruiters, and hiring managers.  It can be assumed in some cases that these hiring decision-makers aren’t truly aware of what a certification means or entails, but I think sometimes the title “Certified Ethical Hacker” is intriguing enough to capture their attention.  I have spoken to several CEH holders over the years that have the certification solely for the reason that it is a name that HR managers recognize and remember.

What experience is required to sit for the CEH?

EC-Council outlines two options for pursuing the Certified Ethical Hacker certification, which is to complete training prior to the exam or proceed directly to the exam.  The EC-Council approved training costs around $850 and can be taken through approved vendors as well as directly from EC-Council. The good thing about completing the training is that you are being trained directly for this certification exam by the same people that wrote the exam, but completing the training also means you are eligible to sit for the exam without going through the application process or paying the $100 application fee, which is included in your course cost.

If you choose to skip the official training and proceed directly to the exam, you’ll need to complete an application and pay the $100 fee.  Applicants that proceed directly to the exam will need to show two years of documented experience within the InfoSec domain.

This is an important point to consider:  If you don’t have experience in the field yet, you’ll have to take the training.  Only those people that have been in the field for two years or more and can document that have the option to skip the training course.

What is the cost of the CEH?

The current cost for the Certified Ethical Hacker is $1,199 for the exam voucher, which you complete through a Pearson Vue testing center.  EC-Council also allows for the exam to be taken remotely through them for $950. These costs are in addition to the $100 application fee, and if you take the training route explained above, you’ll have that additional cost you’ll need to pay as well.  Keep in mind that prices can change at any time, and some certification providers offer discounts to military, students or other groups, or offer discounts at certain times, so you should shop around to see if you can find a discounted option.  

What is the DoD compliance of the CEH?

The CEH is an approved DoD 8570 certification.

How long will it take to prepare for the CEH?

For an intermediate-level certification exam such as the CEH, there is no definitive time to prepare, as everyone’s background and experience vary so greatly.  For most people that complete the training, they’ll want to spend at least another 30 days preparing in most cases. Even seasoned professionals should spend some amount of time preparing for the exam by completing test bank questions and other resources.

Since the Certified Ethical Hacker shouldn’t be anyone’s first certification exam completed, each individual should have the testing experience necessary to determine their own best course of preparation.

What is the format of the CEH?

The CEH is a four-hour, multiple-choice exam that can include up to 125 questions, taken either at a Pearson Vue testing center or remotely through EC-Council.  Note that the format for the CEH isn’t hands-on or practical, meaning that you won’t be asked to perform penetration testing functions or tasks on the exam. This format may be helpful for test takers that have less experience in the field but are able to study the material appropriately.

Is the CEH Hard?

Many potential test-takers want to know how difficult the CEH is before the prepare to sit for the certification.

Is the CEH hard? The Certified Ethical Hacker is a challenging intermediate-level certification exam, which for most people will be more challenging than lower-level certifications, such as CompTIA’s Security+.

However, many experienced test takers that have completed multiple exams report that the comparable PenTest+ from CompTIA is at least as difficult as the CEH, and the hands-on OSCP, or Offensive Security Certified Professional certification is far more challenging.  The CEH should be achievable for anyone that is an experienced cybersecurity certification test taker that has at least a few years of experience in the field.

How long is the CEH good for?

The Certified Ethical Hacker is good for three years from the date of your successful completion of the exam, however, you’ll need to earn and document 120 CEU’s during that period, which EC-Council calls ECE, or electrical and computer engineering credits.  You’ll also need to pay an annual membership fee that is a flat rate no matter how many certifications you have with them. The annual membership fee is currently $80.

It’s worth pointing out that there have been some grumblings online by cyber professionals regarding this certification and it’s process as being a “money-grab” by EC-Council, and with costs like an annual fee, you can perhaps understand why some people may feel that way.  As with any certification, each individual should take the time to complete their own due diligence and learn of all of the costs associated with preparing for, sitting for, and maintaining a certification, and then make an individual decision as to whether that amount is a good investment for them.

Pros of the CEH

I want to take the next few paragraphs and cover what I see as the best pros and cons of the Certified Ethical Hacker certification and exam, especially as compared to other similar certifications on the market.

Pro #1:  Straightforward Exam

The multiple-choice format of the CEH makes it a straightforward exam, which means that every test taker will know what they’re in for before they sit for the exam.

Pro #2:  Plenty of Study Material Available

The CEH is so well known and established that finding good quality certification study resources is not a concern.

Pro #3:  CEH is Available at Pearson Vue

There is a benefit to sitting for an exam at a testing center.  At a testing center, you’re less likely to get burned by a bad internet connection or faulty computer (although it can happen), and if it does occur, it isn’t your problem or your fault.  I personally like the structured environment of the testing center versus the uncertainty of remoting in.

Pro #4:  You Can Sit for CEH Without Training

Another pro for the CEH is that seasoned professionals don’t have to take a required training course first, which some other certifications require.  That means you can get right to the exam if you’re ready.

Pro #5:  Well-known by HR Departments

For whatever reason, it seems that HR departments and hiring managers recognize the CEH name, which can help open the door to employment for those that earn the certification.  Certainly, there are stronger certifications out there, but if a hiring manager doesn’t recognize it, then it doesn’t have the same benefit.

Cons of the CEH

Con #1:  True Pen Testers Prefer the OSCP

I’ve written about the OSCP here, and the differences between the OSCP and CEH here, but the bottom line is that some experienced penetration testers out in the field prefer and respect the OSCP more.

Con #2:  CEH Test Dump

It was reported that the actual questions of the CEH exam have been leaked out onto online forums.  I haven’t confirmed this, but if this is the case, the exam dump does weaken the credential for all who have it or want to earn it.

Con #3:  The PenTest+ is Cheaper

When CompTIA launched the PenTest+ a few years ago, they made it clear that it was intended to be a cheaper alternative to the CEH, and money does matter to exam takers.  And in this case, we’re talking hundreds of dollars more to complete the CEH exam.

What positions would benefit from the CEH certification?

EC-Council specifically states that the following professionals, or aspiring professionals, are the target market for the Certified Ethical Hacker certification.

  • Systems Auditors – Professionals that perform cybersecurity audits on technology systems.
  • Security Professionals – Those with security or cybersecurity-related job tasks, such as cybersecurity analysts, network security engineers, incident responders, and similar roles.
  • Site Administrators – Those that maintain or administer network systems and assets.
  • Network Infrastructure professionals – Professionals that are involved in the support and protection of network systems and infrastructure.

Additionally, professionals in the following areas would benefit from attaining the CEH certification.

What about the CompTIA PenTest+?

Many people want to compare the CEH with the PenTest+ from CompTIA, and we do that in our article here.  The PenTest+ is a newer certification alternative from CompTIA that is intended to compete with the Certified Ethical Hacker.

What about the OSCP?

The OSCP from Offensive Security is a completely different style of penetration testing exam, which makes it difficult to truly compare to the CEH.  If you need information on the OSCP, you can see our write up here, and if you do want to OSCP and CEH comparison, we’ve covered that too.

Our Recommendations

Based on your penetration testing experience, you should consider the CEH, PenTest+ and OSCP as possible penetration testing certifications.
If you cannot afford the CEH, consider the less expensive PenTest+ from CompTIA.
Keep in mind that becoming a successful penetration tester takes a great deal of experience in addition to certifications such as the CEH.

Conclusion/Key Points

  • The CEH is a highly recognized penetration testing certification that can help you establish an entry-level career as a penetration tester.
  • The exam format of the CEH is very straightforward, with only multiple-choice questions.
  • The CEH is expensive to earn and maintain, including required training, application fee, exam fee, membership fees, and CEU requirements.

The Certified Ethical Hacker Certification is a highly recognized penetration testing-focused certification that is nearly unmatched in recognizability and attainability.  It is more expensive to earn and maintain than other comparable certifications, such as the PenTest+ and OSCP, but it’s availability and well-known name make it worthy of consideration.

About the author 

Matt Day

Matt Day is a cybersecurity professional with over twenty years of experience in the IT, cybersecurity, and technology training fields. He has a degree in Computer Information Science and CompTIA A+, Network+, Security+, Server+, CySA+, and Cisco CCNA certifications.