Introduction To CEH And PenTest+ Certifications: Similarities And Key Differences

The advancement of computer technology and the proliferation of the internet worldwide were associated with an equal increase in cyberattacks. To cope with the digital revolution, criminals worldwide have shifted their criminal activities from the physical world into cyberspace. According to Cyber Security Ventures, by 2025, the global damage caused by cybercrime is expected to reach 10.05 trillion USD.

Today, global organizations need to hire ethical hackers to protect their data and networks. The best method to fight cybercriminals is to hire defenders that own –or master- the same skills hackers have, and this is what Certified Ethical Hackers (CEH)and PenTest+ are trying to achieve.

Ethical hackers use the same processes, techniques, tools, and methodologies used by black hat hackers to infiltrate an organization's devices and network. The aim is to discover security vulnerabilities, misconfigured services, applications, and any gap that malicious actors can exploit to gain unauthorized access to protected resources.

This article will compare the two famous ethical hacking certifications, the Certified Ethical Hacker (CEH) from the EC-Council and the CompTIA PenTest+ offered by the CompTIA.

Defining CompTIA PenTest+ and CEH Certifications

The CompTIA PenTest+ certification tests candidates about penetration testing and vulnerability assessment topics. The aim of the PenTest+ exam is not just exploiting open vulnerabilities; it also focuses on developing management skills to plan, understand, and manage security weaknesses to mitigate their dangers. The test taker should also understand the legal and compliance requirements and prepare a report with its findings and remediation steps. The CompTIA PenTest+ will not only focus on testing a tester's technical ability to penetrate servers and endpoints devices, but it will also assess him to test the security of other devices such as cloud and mobile devices (including IoT).

The CEH (Certified Ethical Hacker) certification offered by the EC-Council assesses an IT professional's ability to perform ethical hacking and penetration testing using a plethora of hacking tools, processes, and methodologies. The CEH curriculum will teach IT security professionals how to think like hackers and how to use the same tools, techniques, and modern attack vectors utilized by black hat hackers to infiltrate IT systems (e.g., databases, applications) and networks. The CEH curriculum also covers preventative countermeasures to mitigate and respond to the different cyberattacks.

CompTIA PenTest+ skills learned and official exam objectives

During your journey to prepare for the PenTest+ exam, a candidate will master the following security skills:

1. Understand the importance of compliance-based assessment and how to plan for vulnerability assessments.

2. Use a wide plethora of penetration testing tools, both free and commercial.

3. Gather information about your targets using various reconnaissance techniques.

4. Write specialized technical reports that include your key findings and how to mitigate the discovered weaknesses.

5. Conduct hands-on exploits to penetrate computer networks, wireless networks, applications, databases, web applications, and physical devices and understand the post-exploitation techniques.

The new exam objectives for the PenTest+ certification will appear in October 2021; the new exam code will change toPT0-002. For now, the effective PT0-001 exam objectives are as follow:

1. Planning and Scoping

2. Information Gathering and Vulnerability Identification

3. Attacks and Exploits

4. Penetration Testing Tools

5. Reporting and Communication

CEH Key Skills Learned

During your journey to prepare for the CEH exam, a candidate will master the following security skills:

1. Understanding the key hacking concepts, cybersecurity kill chain, security controls, and the different regulations related to information security.

2. Understand the emerging attack vectors, such as file-less malware, APT and ransomware attacks, web API, and web shell threats.

3. Advanced enumeration techniques, such as FTP, TFTP, SMB, Telnet, IPv6, and BGP.

4. Malware analysis (static and dynamic) and reverse engineering techniques.

5. Cloud computing threats and countermeasures, including Docker, Kubernetes, Serverless, and Container security.

6. Hacking web applications such as Web API, webhooks, and web shell.

7. Operation technology-based attacks, such as SCADA, PLC, and side-channel attacks.

8. Wireless hacking, such as WPA3 encryption and cracking.

9. Learn how to deal with Internet of Things (IoT) based attacks.

The CEH v11 exam can be extended to include the "Break the code" challenge, which includes 24 hacking challenges across four complexity levels that cover 18 attack vectors, including the OWASP Top 10. This extension will cost an additional $99 to the original exam fee.

The CEH exam consists of 125 multiple choice questions, and the tester has 4 hours to complete the exam. There is no passing score for the CEH exam, as there are different questions for each examiner selected automatically from the questions bank.

Eligibility Requirements for CompTIA PenTest+ vs. CEH

There are no eligibility requirements or prerequisites to attempt the PenTest+ exam; however, CompTIA recommends having three to four years of practical experience (hands-on) in the Information Security field and/or having the Network+ or Security+ certification.

The CEH has two requirements before attempting the exam:

1. The tester should follow a training course offered by an authorized EC-Council training center, or

2. Have two years of work experience in Information Security or other relevant cybersecurity fields. The EC-Council should first validate this experience after paying a $100 non-refundable application fee.

Similarities and Differences Between PenTest+ and CEH certification

Both certifications are intermediate to IT security professionals. We can recognize the following similarities and differences between CEH and PenTest+:

1. CEH focuses on penetration testing, while PenTest+ focuses on penetration testing and vulnerability assessment and management.

2. Both certifications are vendor-neutral.

3. CEH is more comprehensive than PenTest+. The number of skills a tester learns during their journey to prepare for the CEH certification exam is far richer in scope than the PenTest+ exam.

4. The CEH exam costs more than the PenTest+ exam; the PenTest+ exam costs $370, while the CEH exam can cost up to $1,200.

5. The PenTest+ exam consists of difficult questions compared to the CEH exam. For instance, CompTIA focuses on security concepts and other areas specific to the PenTest+ exam. The CEH exam is more practical, and its questions can be easily answered based on the candidate's work experience. This makes the CEH exam relatively easier.

6. Prerequisite requirements are different for each exam. For instance, the CEH has requirements before attempting the exam, while the PenTest+ does not have any requirements.

7. The CEH certificate has a higher demand in the job market than the PenTest+ certificate.

8. Both CEH and PenTest+ certifications need to renew every three years. The renewal process for the PenTest+ is straightforward. To renew your certificate, you must have 60 CEUs (Continuing Education Units) during the three years after certification. CEH requires 120 ECE (electrical and computer engineering) credits in addition to a membership fee totaling $80 each year.

Which Certification Is Right For Me?

As previously discussed, each exam has its pros and cons. The CEH is the most popular ethical hacking certificate in the IT industry. The PenTest+ exam is also recognizable and is a difficult and practical exam. Unfortunately, the PenTest+ exam is relatively new and still needs time to prove itself as a direct competitor to the CEH exam.

CEH focuses on penetration testing, but it is comprehensive. The new version 11 provides more hands-on exercises during the exam. CEH holders can also submit the "CEH Practical exam," which allows the holder to gain the CEH Master certificate.

PenTest+ certificate is the right fit for you if your work focuses on penetration testing and vulnerability management. If you do not want the breadth of CEH and spend $1,200 to take the CEH exam, then PenTest+ is a more suitable exam for you.

Summary

There is a high demand for ethical hackers worldwide to protect data and computer networks from the ever-increasing number of cyberattacks. This article compared the two most popular penetration testing certificates and suggested which one is the best based on the candidate's job role.