CompTIA PenTest+ vs. CEH: Which Should You Choose?
This article compares the CompTIA PenTest+ and the Certified Ethical Hacker certifications. For a comparison of the PenTest+ and CompTIA’s CySA+ certifications, check out our review here.
When looking at certifications in the cyber security field, you will see that some of them seem very similar to others. For example, the CompTIA PenTest+ and the CEH (Certified Ethical Hacker) certifications are very similar in content. Anyone preparing for a job relating to penetration testing will need to figure out which exam is more worthwhile for their time investment.
PenTest+ vs. CEH: Which exam should you take? Regardless of whether you are actively working in the field and have substantial experience with penetration testing or are new to the field, the Certified Ethical Hacker (CEH) option is probably a better investment for your time and money.
Let’s now take a closer look at the pros and cons of each exam and see why taking the Certified Ethical Hacker may make more sense for you than taking the PenTest+, and what the PenTest+ could do better on.
Factor #1: Cost
The cost of each certification is important to factor in when deciding between two similar certifications. You are probably going to pick the one that will give you the most bang for your buck. When you look at the price of each exam, you will probably start to wonder why the CEH costs a substantial $1,199, while the PenTest+ is only $349, especially when the are such similar tests.
If you are just starting out, you may see the large price tag on the CEH exam as a major turn-off. Keep in mind that either one you pick will be worth it in the future, and that plenty of penetration testers have chosen the CEH certification, even despite it’s cost. Those professionals have considered it a worthwhile investment.
Factor #2: Test Difficulty
Look at any forum about CEH vs. PenTest+ and it will tell you that the PenTest+ is a much more difficult test. The PenTest+ has thus far been considered to be a challenging exam, even to those that are well experienced in penetration testing. (We’ve compiled our favorite study resources for the PenTest+, including two video courses that are pretty awesome.) While PenTest+ and CEH share similar exam topics, it seems that CompTIA focuses some of their exam around what they want you to know and not what you will necessarily use in a live work environment, which makes it more difficult if you are actively in the field. The Certified Ethical Hacker, on the other hand, is pretty straight forward with its exam questioning and seems more relative to the job than the PenTest+. With that being said, the CEH is the recommended exam for this factor.
Factor #3: Requirements
Many certifications you take will recommend a minimum amount of training and/or work experience before you can sit for the exam, or are recommended to sit for the exam. Usually that is the bare minimum that you should have to even think of attempting some of these certifications. The CEH recommends that you have a minimum of 2 years of work experience in the Information Security domain. On their exam roadmap, they also recommend that you take the CND (Certified Network Defender) exam before taking the CEH.
They also require you to pay a $100 non-refundable application fee. The application itself takes 5-10 business days to process, once you respond to the requests for information. They also have a rule about how you must study for the exam. You are not allowed to use any “brain dumps” due to that being a violation of the non-disclosure agreement that you must sign. If you are caught using a brain dump, you will be permanently banned from taking future ECC exams, and any certification you do have through them will be revoked.
On the other hand, the PenTest+ recommends that you have a minimum of three to four years of work experience. They also recommend that you have earned the Network+, Security+ or equal education. (If you haven’t done the Security+ yet, you probably should do that first. Here’s our guide on how to pass the Security+ and when you’re ready for study materials, our review of the best Security+ videos and books.)
Keep in mind that with the PenTest+ recommending more experience and being considered more difficult, it is not to be taken lightly.
Factor #4: The exam
When looking at certifications, you should consider what the exam encompasses and how the exam will test you. The PenTest+ exam focuses on penetration testing and vulnerability assessment, while the Certified Ethical Hacker exam only focuses on penetration testing.
Another factor is that the CEH takes up to four hours and has a massive 125 questions, while the PenTest+ is two hours and 45 minutes, and has up to 85 questions. The PenTest+ has a few built in simulations that you must complete alongside the multiple-choice questions. When you take the CEH, you will take only multiple-choice questions, which contribute to it being the easier of the two exams for most test takers.
Factor #5: Employability
Whenever you are looking at certifications, you want to consider what jobs you can potentially get with it. Unlike the PenTest+, the CEH is a DoD 8570 baseline certification. This qualifies you for four different cybersecurity service provider positions and various government related jobs. As of now, CompTIA is in the process of applying to get the PenTest+ DoD 8570. Before sitting for either certification, you should check the DoD 8570 baseline certifications list before choosing to verify compliance with this directive.
Factor #6: Recertification
For almost all certifications you acquire, you will have to recertify eventually. For some certifications, the recertification process is a hassle. The CEH and the PenTest+ are similar in their recertification process. Both the PenTest+ and the CEH are good for three years from the date of the exam. The PenTest+ it relatively easy to recertify, requiring 60 CEUs (Continuing Education Units) be uploaded to your certification account in that 3-year span. You can get these by completing approved activities and training programs from CompTIA.
The CEH is a bit more difficult to recertify because it requires more time, but it is still simple. They require that you get 120 ECE (electrical and computer engineering) credits. They also require you to pay an annual membership fee that is a flat rate no matter how many certifications you have under the ECE policy. That fee is $80, but it will only cost you $20 if you have other certifications that are not under the ECE policy.
Factor #7: Which exam is more respected?
The amount of respect an exam holds is important when going in for job interviews. The more well known and respected an exam is, the more weight it holds in the field. The PenTest+ is a very new exam and isn’t well known yet because the exam has only been around for a short while.
The PenTest+ is well respected because of the difficulty of the test, the familiarity that the industry has with CompTIA as a certification provider, and that the certification uses hands-on examples.
The Certified Ethical Hacker has been around for more than fifteen years and has had quite a long time to build up a positive reputation. The CEH is a very well-respected exam and is very well known, and the fact that it is also a DoD 8570 baseline certification further adds to its credibility and respectability. Most penetration testing jobs will require or recognize the CEH (We’ve interviewed a few pen testers, check out their take on certifications.)
Which exam should you take?
While each exam has its own pros and cons, the CEH is a more well known, respected, and credible exam than the PenTest+. While the PenTest+ does have a lot of pros, such as cost, it still has a way to go before it will be viewed equal to the CEH. Once the PenTest+ gets approved as a DoD 8570 Baseline Certification and gains more recognition in the field it will become a great alternative to the Certified Ethical Hacker certifcation.
Good luck on whichever path you choose to take!
What are some other cyber security related certifications to consider? There are a few other related certifications that you could pursue, such as the GIAC Penetration Tester (GPEN) and the Offensive Security Certified Professional (OSCP). OSCP requires you to complete Offensive Security’s Penetration Testing with Kali Linux (PwK) course and pass the 24-hour hands-on test. During the test, you will have to compromise each host which ranges in difficulty. After you complete that you must submit your penetration test report. You need to complete the course before you can take the hands-on test. You don’t need to recertify because it doesn’t expire.
The GPEN exam is another well-respected exam that you can take. Their exam is structured differently compared to any of the previous exams because the GIAC exams are open note. The test itself is more expensive than all the others at $1,899 by itself. They also offered a much cheaper route if you purchase SANS training with the exam. It will still cost you $769, but it is much more reasonable than the exam by itself. The problem with the SANS training is that you either must take the training online, requesting private training, or go to one of the locations where it is being offered. The in-person training requires you to follow their schedule of dates and locations so you might have to travel if you want to get the training earlier. Requesting private training has its own roadblocks in that you must have a group of 25 or more students.
What is the CEH practical exam? The CEH practical is the exam that you should take after you get the CEH. It is a 6-hour long exam that focuses on being able to demonstrate the application of ethical hacking techniques. It is new to the field as well and fills the lack of practicality that the CEH has. Since this exam is still new, it isn’t well known or talked about, so it hasn’t gained a reputation yet. It does have a few interesting twists that other exams don’t have, mainly being open note and you can take the test in the comfort of your own home. It will still be a proctored exam even though you take it at home. This exam is like the OSCP exam in that both are practical tests and share some of their exam topics.