Spending the time and money to earn certification is a commitment. Asking yourself, "Is this worth it?" is an understandable question and makes perfect sense. Certification exams can be expensive and require time to study, so you want to make sure investments of time and money will pay "dividends" in a career boost.
Before pursuing a certification, candidates need to consider both the benefits (pros) and the drawbacks (cons) of the qualification. This article attempts to conduct such an analysis for potential candidates of the Certified Ethical Hacker (CEH) certification. This will be done by first providing a high-level overview of the CEH credential and exam itself. Then by providing a sampling of some of the pros and cons often attributed to the CEH.
Please note this is not an exhaustive list of pros and cons. These benefits/drawbacks may vary depending on each candidate's perspective.
Overview of the CEH Certification and Exam
The Certified Ethical Hacker (CEH) certification, by the International Council of Electronic Commerce Consultants (EC-Council), is one of the most well-known certifications for pen-testing. It was established in 2003 by EC-Council (ECC), making it the first certification for penetration testers. In 2010, the United States Department of Defense required personnel working in network defense roles to hold a CEH, increasing credibility and demand for the certification.
Currently, in version 11, the certification exam covers various topics from 20 modules included in the CEH course. These 20 modules cover the following areas:
- Module 01: Introduction to Ethical Hacking
- Module 02: Footprinting and Reconnaissance
- Module 03: Scanning Networks
- Module 04: Enumeration
- Module 05: Vulnerability Analysis
- Module 06: System Hacking
- Module 07: Malware Threats
- Module 08: Sniffing
- Module 09: Social Engineering
- Module 10: Denial-of-Service
- Module 11: Session Hijacking
- Module 12: Evading IDS, Firewalls, and Honeypots
- Module 13: Hacking Web Servers
- Module 14: Hacking Web Applications
- Module 15: SQL Injection
- Module 16: Hacking Wireless Networks
- Module 17: Hacking Mobile Platforms
- Module 18: IoT Hacking
- Module 19: Cloud Computing
- Module 20: Cryptography
The theory exam consists of 125 multi-choice questions. A passing score varies, depending on which version of the exam you take. A passing score on the CEH exam can range anywhere from 60% to 85%. There is also a practical portion of the exam available. This 6-hour exam consists of 20 challenges in a lab environment. A score of 70% is required to pass. Taking the practical exam is not required to become CEH certified, but one must pass the practical portion to become a certified CEH Master.
To be eligible to take the exam, one needs at least two years of experience. You have the option to complete the EC-Council provided training, attend a non-ECC provided CEH exam prep course, or prepare for the exam on your own (i.e., self-study). However, there is an additional application fee for the exam when not completing the ECC training.
The intended audience for the exam is pentesters, red team members, forensics practitioners, and information security professionals in general.
There are numerous pros to earning the CEH. Below is a sampling of several that are more important when considering taking the CEH exam.
One of the top pros to the CEH is that it is a globally recognized certification.
CEH is an intermediate-level certification. However, there are minimal requirements to sit for the exam. One only needs two years of experience.
CEH is such a well-known cert, and many HR professionals look for this cert. So, it can help people get a foot in the door for a job interview.
The ECC offers extensive material for the CEH exam. To their credit, they periodically update the material to stay current with the industry. Many additional non-ECC sources are available for the CEH, such as study guides, practice exams, and other online resources. However, the many options and large amounts of material can be a bit overwhelming.
Compared to some other IT and cybersecurity-related certification exams, the majority of the questions on the CEH exam are pretty straightforward. If you understand the concepts, you should be able to identify the incorrect answers. The goal is to at least identify two incorrect answers out of the four answers, leaving two possible options, thus giving a 50/50 chance of selecting the correct answer.
There is an at-home option available to sit for the CEH exam. This option is great for people living in remote areas that are not near a designated testing center. This option was made available primarily due to the global pandemic; however, due to its popularity, it will likely continue to be an available option going forward.
Since v10 of the exam, a hands-on (Practical) portion of the exam can also be taken. This practical exam is a way to further demonstrate penetration testing skills by completing a set of hands-on tasks. This portion of the exam is not required to become CEH (ANSI) certified; one can earn the theory portion. However, one has to have passed the CEH exam already to sit for the practical exam and earn the CEH Master title.
The name "Certified Ethical Hacker" itself makes it a cool certification to hold and is more than likely a nice conversation starter at a party when talking to someone, not in the cyber security industry.
Per the website payscale.com, for 2021, the average annual salary of a CEH holder is roughly USD 83,000, with a bonus payout ranging anywhere from USD 1,000 to USD 155,000. Please note that these figures will vary depending on location, work experience, negotiation, etc.
Like with most things, there are cons to the CEH as well. Some of the cons that are often heard about the CEH have been listed below.
For whatever reason, the CEH is not as prized as other pen tester certifications. Among some pen testers, the CEH is not considered illustrious of a certification compared to the OSCP or proof of practical job-ready skills like the eJPT.
The CEH is not cheap. The exam and the training cost are substantially more expensive than comparable certifications such as CompTIA's Pentest+.
The ECC material for the exam is extensive. It's over 3000 pages of material (basically PDFs of slides). To some candidates, this may present an overwhelming obstacle. Even though everything you need to know for the exam is covered in this material, there are only 125 questions on the exam, making it a lot of material to study that may not be on the exam.
The process of registering for the exam is a bit cumbersome. Two documents provide instructions on registering for the exam, and this registration requires creating accounts on two separate websites. If this is your first time taking an EC Council exam, it can be a bit confusing. Fortunately, once the site accounts have been created, it is intuitive on how to schedule the exam date. Nevertheless, it seems like an unnecessary and burdensome process that could be streamlined.
ECC's customer service does not have the best reputation. If you have any issues with your material, voucher, etc., it may be one of the most frustrating experiences of your life if you need to contact ECC customer service to help with resolving an issue.
The CEH is not as rigorous of an exam as the OSCP. The CEH (ANSI) is not a hands-on exam to validate your basic pen testing skills. These things are not what the CEH has become to be known for in the cyber security industry. Nevertheless, the CEH does play a role in the industry and represents a noteworthy achievement for any cyber security professional.
The CEH is a globally recognized certification that has become the standard measure that many organizations use as criteria when considering candidates for employment as pentesters and other cyber security roles. With that in mind, plus the extensive material that the exam covers, it is worth the effort to pursue the CEH.
If you truly value the learning experience and aspire to have a general understanding of ethical hacking, then this is the certification for you. If your goal is to become a "super-hacker," you may want to consider a different and more rigorous certification.
Online there are numerous other learning resources related to exam preparation for the CEH and pentesting in general. You can explore and get started right away.
C|EH – The Ultimate Ethical Hacking Certification
Certified Ethical Hacker