CEH vs. OSCP: A Modern Analysis for the Career-minded Professional

December 13, 2016 | Views: 45374


Rising to the surface in a sea of cybersecurity hiring candidates demands more than mere skill. Employers demand stronger assurances, and the best guarantees of employee talent come in the form of certifications. Choosing between obtaining Certified Ethical Hacker and Offensive Security Certified Professional credentials may seem difficult to the uninitiated. Here’s some vital clarification on which certs will help you outswim your professional peers.

What Is CEH?

Certified Ethical Hacker certifications are designed for those who want to demonstrate their proficiency at identifying weaknesses and vulnerabilities in networks and systems. These vendor-neutral certifications cover a number of topics relevant to penetration testing.


You can take the CEH exam after you attend official training and demonstrate your experience in at least three of the five Certified Chief Information Security Officer, or CCISO, eligibility criteria. For most people, this amounts to having no less than two years’ worth of job experience. Alternatively, you can prove that you possess five years of information security experience in all five of the CCISO domains. In both cases, applying to obtain such proof from the EC-Council may take as long as six weeks.

If you completed your coursework online, you’ll need to provide your completion certificates to the EC-Council. Your CEH exam cost includes the cost of your training, which may vary, but the application is usually a nonrefundable $100.

After your application gets approved, you’ll have three months to purchase a test voucher. The CEH exam cost for the test itself is around $500.

Exam Requirements

Your exam will consist of a four-hour, multiple-choice test with 125 questions. To pass, you must earn a score of at least 70 percent.


What Is OSCP?

This ethical hacking certification focuses on common penetration-testing methodologies. It’s infamous for its rigorous, 24-hour exam.


This certification complements a mandatory training course called Penetration Testing with Kali Linux. You should be able to write scripts and tools for penetration testing, bypass firewalls with tunneling techniques, identify and exploit web application vulnerabilities like XSS and SQL injection, and conduct attacks from the client side and remotely. Many of these topics will be covered in the class, but most people agree that going in with solid experience in Linux and TCP/IP is a must.

Exam Requirements

This certification is hands on. In other words, you can’t obtain it without passing an intense practical challenge.

For the exam, you’ll be granted access to an unfamiliar network and given 24 hours to prove that you’ve completed a given set of penetration tests, successfully penetrated systems and correctly documented your progress. Most students find out how they performed within three days of completing the test.

How Do the Certifications Differ?

Offensive Security Certified Professional holders don’t need recertification, but those who complete Certified Ethical Hacker training and testing must recertify every three years. While this might seem like an inconvenience, the fact that you have to keep your knowledge current may ultimately make you appear more hirable. It’s also important to note that Certified Ethical Hacker training and credentialing are generally more affordable.

Career Outlooks

Certified Ethical Hacker accreditation is accepted by the U.S. government, and some Department of Defense jobs actually require it as per DoD 8750 Baseline Certifications. Even though Offensive Security Certified Professional is a rigorous certification, having it may not help you land a government job.

Salaries and Job Markets

Both of these certifications can help you become a penetration tester, security engineer, information security analyst or security consultant. Salaries for these jobs ranged widely.

Is one certification going to earn you more during your professional lifetime? According to PayScale, in late 2016, Certified Ethical Hackers earned average salaries of around $76,855, and many enjoyed hefty bonuses, profit sharing options and upward mobility. OSCP holders earned slightly more on average, but their salaries also varied more widely along with their job titles.

Choosing Your Certification

Both of these certifications are highly valued by modern employers. Many professionals even hold both certifications or combine them with other credentials, like CISSP and CompTIA’s Security+.

Of course, there’s no substitute for having a packed resume and actual job experience. Still, completing your Certified Ethical Hacker training can definitely help you keep your head above water at interviews, especially if you’re new to penetration testing.


  1. I don’t know on what basis you have compared a worthless certification called C|EH with a highly valuable and reputed OSCP. Do you think CEH will land you a job? Nope, this certification is treated as shit in the Infosec industry, and most of the fellow Infosec professionals I meet will laugh at C|EH, whereas many appreciate the OSCP. I am a C|EH, E|CSA & L|PT holder and I know very well that EC-Council’s certification is full of shit and it will never give you a good reputation other than in front of newbies and kids who will be like woooow. But real Infosec people be like what? Just throw it into the dustbin. . . .

    So please don’t compare shit with fragrance and say both are almost best in one way and please please don’t misguide new people who are eagerly waiting to get into Information Security.

  2. I’m new to the field and actually was told that CEH is a good cert. to get. I would like a path to home a security analyst position one day. Would CEH and CISSO be good to obtain?

    • Don’t fall for CEH, for it is just a waste of money. You can get the certificate easily but not the practical knowledge. Most of the things they show you are totally outdated, and that is not at all worth comparing with OSCP, because CEH is like a stone while OSCP is like a hill. It is totally worthless to make a comparison and moreover, as everyone says, CEH will never land you a job. You have to develop your practical skills. Only your knowledge and your skills will land you a job. How am I saying this? Because I am a C|EH, E|CSA & L|PT certification holder. To be frank, EC-Council’s certifications are just for showcase and not for talent. Want to have strong knowledge? Then develop your basic network, Windows and Linux skills, apply for OSCP, and work hard to achieve that certification, which you will get after a tough 24-hour practical exam.

      Never ever fall for the worthless EC-Council’s certifications, which are just a waste of money.

      • There’s no need to be a rage monster about this topic. Let’s look at the CEH as we would the CompTIA A+. It’s a good foundation for anyone starting out, and great for getting an upper hand on other candidates for an entry-level position. Let’s face it, any test that you can pass after a week-long training course sounds just a little too easy to merit much recognition. But to say that it’s rubbish is to say the A+ is rubbish. And they most certainly are not to an entry-level employee. If you have the money and you need the refresher or a crash course, I’d say go for it. OSCP would be more like going in front of a bunch of judges and defending your graduate thesis and will net you an essentially equal (equal in worth) degree to the one defending their thesis. It all depends on how you’re going to use it.

  3. There is another certification that requires hands-on experience and testing, the Certified Penetration Tester from IACRB. It, too, requires the test taker to perform an actual hands-on test and also to pass a written examination. It is nowhere near as well known or respected as either the CEH or the OSCP, but it is there. http://www.iacertification.org/cpt_certified_penetration_tester.html

  4. OSCP is a better penetration testing cert. But with the CEH, you can also get other types of security jobs, since government contract HR departments look for CEH for most security jobs. So with OSCP you’re kinda stuck, but with CEH you can move around.

    I got the CEH and got a job like a month later as a Cyber Security System Administrator

  5. As someone who has recently broken into the infosec field, and having had many discussions over the years with many, many professionals in the field, I have NEVER, not once, heard anyone say that they want to hire someone who has gone the CEH route over the OSCP certification. If anything, the CEH has been seen as something wholly inferior as it requires no hands-on application of theory. Offensive Security themselves have said that they aren’t DoD certified because it would require them to make their process and certification worse. And while on its face, re-certification may appear to be something desired, there is no guarantee that new versions have enough distinct new material to justify the costs.

    But honestly, putting the CEH (which is mostly theory) over the only certification in the industry that REQUIRES you to know concepts inside and out by using them in-depth…that’s borderline irresponsible.

    • Just to clarify, OSCP is not the only certification that requires practical knowledge and in-depth concepts inside and out. eLearn Security eCPPT does too.
      I have both eCPPT and OSCP and agree with everything else you’ve said. They are much more highly valued than CEH for Penetration Testers. In fact, my employer and most of the other big security firms in Australia won’t even consider a candidate who has CEH because it’s such a rubbish certification.
      I’m sure it has its place but that may be for a Sysadmin or similar, not a highly technical role that requires significant practical experience.

      • I only have the CEH cert, got my first role as a Firewall Support Engineer, and my second role as a Security Analyst, so the CEH does play a part in infosec. If you just want to do pentesting, then yes, do the eCPPT or the OSCP.
