By: Cybrary Staff
September 13, 2021
What Are The CEH Exam Requirements?
While there are no educational prerequisites for the CEH certification, successful candidates usually have a strong background in IT security.
Summary: Although there are no formal educational requirements for taking the CEH exam, successful candidates typically have a strong background in software engineering, computer programming, or computer science. This blog examines what it takes to become a certified ethical hacker.
Certified ethical hackers play an increasingly vital role in proactive cybersecurity, and they are in rapidly growing demand. The CEH accreditation, maintained by the US-based EC-Council, is one of the most respected in the industry, having been approved as a baseline certification by the US Department of Defense. Successful candidates can expect six-figure salaries and no shortage of job opportunities.
However, like any respected information security certification, it takes a lot of experience and hard work to become a CEH. Even though there are no formal educational requirements, the EC-Council recommends candidates have at least two years of work experience in IT security and a strong working knowledge of key areas like TCP/IP and Windows Server environments. There is also a complex approval process, not to mention a high price tag for the exam.
Which skills are measured by the CEH exam?
The CEH exam features 125 multiple-choice questions, and candidates have up to four hours to complete it. The certification is valid for three years; to renew it, holders must earn 120 ECE credits during that period, most of which come from working in an approved security role. The exam covers a broad range of topics that collectively revolve around proactive security: using the same types of tools and tactics that cybercriminals use to find vulnerabilities in a network before an attacker does. Key skills and knowledge areas candidates will be tested on include:
- Strong general background knowledge of networking, telecommunications, computing systems, and web systems.
- Existing security protocols in common business operating systems, including Windows Server, Linux, and macOS.
- Broad understanding of the preventative, corrective, and protective countermeasures widely adopted to safeguard systems against malicious actors.
- Common and emerging attack vectors, tools, and methods, such as social engineering and malicious software.
- The ability to identify and exploit network vulnerabilities using similar tools and tactics to those deployed by cybercriminals.
Given the scope of these topic areas, potential candidates should prepare thoroughly before they register for the exam. Preparation should include hands-on practice with simulations of real-world use cases, such as network scanning, IoT hacking, web server and web application hacking, and social engineering.
Meeting the eligibility requirements for the CEH exam
Potential candidates have two options for satisfying the eligibility criteria of the certification – either through official or unofficial training. Official CEH training can be in any format, such as instructor-led courses or computer-based training, provided the EC-Council has approved the program.
Candidates may instead want to attempt the certification without official training. However, this requires having at least two years of documented professional work experience in IT security, submitting a completed CEH exam eligibility form, and paying a non-refundable registration fee of $100. If the application is approved, the EC-Council will give the candidate a voucher number to register for the exam. Taking the exam itself requires candidates to pay a fee of $1,119, which is one of the steeper certification costs in the industry.
How can successful candidates maintain their certifications?
The CEH accreditation is valid for three years, similar to most IT security-related certifications. Maintaining the certification requires earning 120 EC-Council Continuing Education (ECE) credits, or 40 per year, to be eligible for renewal. There are several ways to earn the required credits over the three years:
- Enroll in information security courses. The EC-Council provides online courses, and one hour of training equates to 1 credit, so a candidate relying on training alone would need roughly 40 hours of coursework per year to stay on track.
- Attend meetings, seminars, and conferences on information security. Again, one hour of activity earns a single ECE credit. The cost of attending these events is typically covered by the candidate's employer.
- Identify a new vulnerability in an organization to earn 10 ECE credits while working as a security professional. This is one of the most popular ways to earn credits since it is directly tied to a CEH's everyday responsibilities.
- Give a presentation on information security to earn 3 ECE credits per hour. The EC-Council places a lot of weight on such presentations since they play an essential role in educating broader audiences on key IT security issues.
Whichever combination of these activities a certificate holder chooses, most will earn ECE credits simply by working in an approved area of cybersecurity. Every activity must be documented, and certificate holders submit their credits through the EC-Council's paid annual membership.
Failing to submit the required ECE credits results in suspension of the certification. In that case, the EC-Council allows the holder to submit the full 120 ECE credits during the first year following the suspension. If they fail to do that, they must pay the $1,119 exam fee again and retake the exam.
Cybrary for Teams is an all-in-one workforce development platform that helps organizations develop stronger cybersecurity skills, prepare for new certifications, and track team progress. Get started with our penetration testing and ethical hacking course to learn more.