CEH is the credential that defined the phrase “ethical hacking” for enterprise hiring managers.

Whether you think CEH is the best security certification or not, it is undeniably the most recognised entry point into the security testing space for employers who are not yet familiar with OSCP or OffSec's portfolio. Launched in 2003, EC-Council's Certified Ethical Hacker has been through thirteen major versions and is now held by over 500,000 professionals worldwide. It appears in more security job postings than any other offensive security credential, and it satisfies DoD 8570/8140 baseline requirements for CNDSP roles that OSCP does not formally cover. For candidates entering the security field from a networking or sysadmin background, CEH provides a structured map of the attacker mindset — covering every phase of a cyber attack from initial reconnaissance through post-exploitation — in a format that most hiring managers recognise on sight.

CEH v13, released in 2023, made two substantial changes to the curriculum. First, it added an entire AI module: candidates now study how threat actors use machine learning models to automate reconnaissance, generate convincing phishing content, and probe for vulnerabilities faster than traditional tools. Second, the OT and SCADA hacking module was expanded to reflect the increasing convergence of IT and operational technology in industrial environments. Both additions reflect where real-world attacks were heading when the curriculum was revised. The exam still tests all the traditional attack domains that have defined CEH since its early versions, but the AI additions make v13 the most current version of the content the exam has ever contained.

This guide covers the exam format, all 20 module domains, how CEH compares to CompTIA PenTest+ and OSCP, and the CEH Practical exam for candidates who want a performance-based component.

Exam format and logistics

CEH v13 is delivered as a 125-question multiple-choice exam with a 4-hour time limit. Questions are scenario-based — a situation is described and you select the most appropriate attack technique, tool, or countermeasure. The passing threshold is approximately 70%, though EC-Council uses a scaled scoring model where the exact number of correct answers required varies by the specific question pool drawn from its item bank. EC-Council does not publish the exact cut score, but 70% is the documented target.

Exam quick facts

Exam code: 312-50v13  ·  Questions: 125 MCQ  ·  Time: 4 hours  ·  Passing score: ~70% (scaled)  ·  Cost: ~$950 USD  ·  Delivery: EC-Council Exam Centre or Pearson VUE  ·  Validity: 3 years (EC-Council membership required)

The exam is delivered either through EC-Council's own testing platform (ECC Exam) or Pearson VUE. Both options offer in-person and online proctored formats. EC-Council requires candidates to demonstrate either two years of IT security work experience or completion of an official EC-Council training course (in-person, live online, or self-paced). Candidates who cannot meet the experience requirement must purchase training; this is how EC-Council bundles exam vouchers with courseware at lower effective rates than purchasing the voucher alone.

Maintaining CEH requires earning 120 Continuing Education (CE) credits over the three-year validity period plus maintaining an active EC-Council membership (~$80/year). CE credits are earned through training, conference attendance, writing articles, or earning additional EC-Council certifications. Candidates who let the cert lapse must retake the exam.

The 20 CEH v13 modules

The CEH curriculum maps the complete lifecycle of a cyber attack in sequence, from initial target selection through cover-up. Understanding this attack chain structure is as valuable as the individual module content — it gives security engineers a mental model for thinking like an adversary when designing defences.

Modules 1–5: Reconnaissance and Scanning

The pre-attack phase. Every subsequent attack phase depends on the quality of information gathered here.

  • Module 1 — Introduction to Ethical Hacking: The legal and conceptual foundations. The difference between black-box, white-box, and grey-box testing. The phases of hacking: reconnaissance, scanning, gaining access, maintaining access, covering tracks. Penetration testing methodologies (PTES, OWASP, NIST SP 800-115). The legal framework: written authorisation and scope of work documents before any testing begins. The exam tests conceptual knowledge here — no tools, just definitions and frameworks.
  • Module 2 — Footprinting and Reconnaissance: Passive information gathering without touching the target. OSINT (Open-Source Intelligence) techniques: WHOIS lookups, DNS interrogation (nslookup, dig), Google dorking (site:, filetype:, inurl: operators), Shodan for internet-connected device enumeration, LinkedIn and social media for employee enumeration, Maltego for relationship mapping. Email header analysis to map mail infrastructure. The exam tests which tool or technique is appropriate for each information type and which is passive versus active.
  • Module 3 — Scanning Networks: Active probing of the target after reconnaissance. Nmap is the central tool: host discovery (nmap -sn), TCP SYN scan (nmap -sS, stealthy because it never completes the TCP handshake), full connect scan (nmap -sT), UDP scan (nmap -sU), OS fingerprinting (nmap -O), service version detection (nmap -sV), and NSE scripts (nmap --script). Banner grabbing with netcat. Proxy chains and anonymisation to mask scan origin. The exam tests what each Nmap flag does and what information each scan type reveals.
  • Module 4 — Enumeration: Extracting detailed information from discovered services. NetBIOS enumeration on Windows networks: nbtscan, nbtstat. SNMP enumeration: snmpwalk against poorly configured devices using default community strings. LDAP enumeration for Active Directory user lists. NTP enumeration. DNS zone transfer attempts (dig axfr) to extract the full DNS record set. SMB enumeration with enum4linux and smbclient. The exam tests what each enumeration technique extracts and what countermeasures prevent it.
  • Module 5 — Vulnerability Analysis: Systematic identification of exploitable weaknesses. Vulnerability scanners: Nessus, OpenVAS, Qualys. The CVE (Common Vulnerabilities and Exposures) naming system and CVSS (Common Vulnerability Scoring System) scores — what CVSS score ranges indicate (Critical ≥9.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9). The difference between vulnerability scanning (automated, broad) and penetration testing (manual, targeted exploitation). Patch management as the primary countermeasure. The exam tests tool capabilities and CVSS concepts.

Modules 6–9: Gaining Access

Active exploitation of identified vulnerabilities to achieve initial access to target systems.

  • Module 6 — System Hacking: The full system compromise methodology. Password attacks: dictionary attacks (Hydra, Medusa), brute-force, rainbow table attacks (Ophcrack) against NTLM password hashes. Pass-the-hash attacks against Windows authentication. Privilege escalation: exploiting misconfigured SUID binaries on Linux, unquoted service paths on Windows, token impersonation (Meterpreter getsystem). Maintaining access through backdoors, rootkits, and persistence mechanisms (registry run keys on Windows, cron jobs on Linux). Steganography: hiding data in images and audio files. Covering tracks: log deletion and tampering, timestomping file metadata.
  • Module 7 — Malware Threats: The taxonomy and behaviour of malicious software. Viruses vs worms (viruses require a host file; worms self-propagate). Trojans (remote access, keyloggers, ransomware). Spyware and adware. Rootkits (kernel-level versus user-level; detection with memory forensics). Botnets and C2 (command and control) infrastructure. Ransomware attack chains: initial access, lateral movement, data exfiltration before encryption. Antivirus evasion techniques: polymorphism, obfuscation, packers. The exam focuses on categorisation and countermeasures.
  • Module 8 — Sniffing: Passive and active interception of network traffic. Packet sniffers: Wireshark for capture and analysis, tcpdump for command-line capture. ARP poisoning (using Arpspoof or Ettercap) to redirect traffic through an attacker's machine for man-in-the-middle positioning. MAC flooding to overflow a switch's CAM table, forcing it to broadcast traffic (defeating switch-based isolation). DNS poisoning to redirect name resolution. Countermeasures: encrypted protocols (HTTPS/TLS, SSH), dynamic ARP inspection, 802.1X port authentication. The exam tests attack mechanisms and corresponding network defences.
  • Module 9 — Social Engineering: Human-layer attacks that bypass technical controls. Phishing (mass email), spear phishing (targeted), whaling (executive targeting), vishing (voice/phone), smishing (SMS). Pretexting: constructing a false identity or scenario to manipulate a target. Tailgating and piggybacking for physical access. Baiting with infected USB drives. Business Email Compromise (BEC) as a high-value attack. Defence: security awareness training, multi-factor authentication, email authentication standards (SPF, DKIM, DMARC). The exam tests which attack type matches which scenario and which training countermeasure is appropriate.
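Module 8 names dynamic ARP inspection as the switch-side countermeasure to ARP poisoning; on a host or in a monitoring pipeline the same condition can be spotted in the neighbour table. The detector below is an added example for this guide (not EC-Council material): it parses `ip neigh show`-style output and flags the two signatures of a poisoning event, one MAC answering for several IPs and a gateway MAC that drifts from a recorded baseline. Both neighbour-table samples and the baseline binding are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output from a healthy segment (not a real capture).
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:03 DELAY
192.168.1.40 dev eth0  FAILED
"""

# Constructed sample during poisoning: the host at .30 now also answers for the gateway .1.
SAMPLE_NEIGH_POISONED = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:03 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:03 REACHABLE
"""

# Known-good gateway binding recorded at a trusted time (assumed for this example).
BASELINE = {"192.168.1.1": "00:11:22:33:44:55"}

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17}))?\s+(?P<state>\S+)$"
)


def parse_neigh(text):
    """Map IP -> MAC for every resolved entry; FAILED/INCOMPLETE rows carry no MAC and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue
        entries[m.group("ip")] = m.group("mac").lower()
    return entries


def find_duplicate_macs(entries):
    """One MAC claiming several IPs is the classic poisoning signature."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_baseline_drift(entries, baseline):
    """IPs whose current MAC differs from the recorded known-good binding."""
    return {ip: (baseline[ip], entries[ip])
            for ip in baseline if ip in entries and entries[ip] != baseline[ip]}


def assess(text, baseline=BASELINE):
    entries = parse_neigh(text)
    return {"duplicates": find_duplicate_macs(entries),
            "drift": find_baseline_drift(entries, baseline)}


if __name__ == "__main__":
    print("healthy:", assess(SAMPLE_NEIGH))
    print("poisoned:", assess(SAMPLE_NEIGH_POISONED))
```

The duplicate-MAC check on its own produces false positives on segments with virtual IPs or router redundancy (VRRP/HSRP), so in practice the baseline-drift check on the gateway is the higher-confidence signal and the duplicate check is the broader, noisier one.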

Modules 10–12: Persistence and Evasion

Maintaining access and avoiding detection after initial compromise.

  • Module 10 — Denial-of-Service: Attacks that degrade or eliminate service availability. Volumetric attacks: UDP flood, ICMP flood, amplification attacks (DNS, NTP, SSDP amplification exploits the asymmetry between small requests and large responses). Protocol attacks: SYN flood (exhausts TCP connection table), Ping of Death (oversized ICMP packets). Application-layer attacks: HTTP flood targeting web server resources. DDoS (Distributed Denial-of-Service) using botnets. Countermeasures: rate limiting, SYN cookies, traffic scrubbing via CDN providers, cloud-based DDoS protection services. The exam tests attack classifications and mitigation strategies.
  • Module 11 — Session Hijacking: Taking over an established authenticated session. TCP sequence number prediction to inject packets into an existing TCP stream. Session fixation and session token theft via XSS (cross-site scripting) to capture browser cookies. Cross-site request forgery (CSRF) to make authenticated requests on behalf of a victim. Countermeasures: HTTPS (prevents cookie theft on the wire), HttpOnly and Secure cookie flags (prevent JavaScript access and unencrypted transmission), CSRF tokens, short session timeouts. The exam tests which vulnerability leads to session hijacking and which HTTP security header or cookie attribute prevents it.
  • Module 12 — Evading IDS, Firewalls, and Honeypots: Techniques for bypassing perimeter defences. IDS evasion: packet fragmentation (reassembly required by IDS before pattern matching), TTL manipulation, slow-rate scanning to stay below signature thresholds, encrypted tunnels (using SSL/TLS to hide payload from signature-based IDS). Firewall evasion: port scanning through allowed ports (80/443), tunnelling over DNS or ICMP, IP spoofing. Honeypot detection: inconsistencies in timing, limited routing depth, perfect uptime (real systems have maintenance windows). The exam tests which evasion technique addresses which defensive control.
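Module 11 turns on which cookie attribute or token stops which hijacking path, and that mapping is easiest to hold onto when you can run it. The code below is an added example for this guide rather than EC-Council material: it audits a `Set-Cookie` header for the HttpOnly, Secure and SameSite protections named above, and implements a CSRF token bound to the session with an HMAC so a token lifted from one session is useless in another. The header strings, secret and session identifiers are constructed placeholders.

```python
import hashlib
import hmac
import secrets


def audit_set_cookie(header):
    """Return the list of missing protections for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for p in parts[1:]:                      # parts[0] is name=value
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: readable from document.cookie, so XSS can steal it")
    if "secure" not in attrs:
        findings.append("Secure missing: cookie is sent over plaintext HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite=Lax/Strict missing: cookie rides along on cross-site requests (CSRF)")
    return findings


def make_csrf_token(secret, session_id):
    """Token = nonce.HMAC(secret, session_id:nonce); the HMAC ties it to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (nonce, mac)


def verify_csrf_token(secret, session_id, token):
    """Recompute the HMAC for the presented nonce and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    # Constructed headers: a weak session cookie beside a hardened one.
    for h in ("sessionid=abc123; Path=/",
              "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"):
        print(h, "->", audit_set_cookie(h) or ["ok"])
    secret = b"server-side-secret-placeholder"    # assumed: loaded from config in a real app
    token = make_csrf_token(secret, "session-A")
    print("same session:", verify_csrf_token(secret, "session-A", token))
    print("other session:", verify_csrf_token(secret, "session-B", token))
```

Note that `SameSite=None` is legitimate for cookies that must be sent in cross-site contexts (embedded widgets), but then the CSRF token, not the cookie attribute, is doing the protective work, which is why both controls appear in the module.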

Modules 13–17: Application and Platform Attacks

Targeting specific technology layers from web applications to mobile devices.

  • Module 13 — Hacking Web Servers: Server-level attacks rather than application-level. Directory traversal: accessing files outside the web root via ../ sequences. Web cache poisoning. HTTP response splitting. Misconfigured web server directories exposing sensitive files. Banner grabbing to identify web server software and version for targeted exploit selection. Tools: Metasploit for known CVE exploitation, Nikto for web server misconfiguration scanning. Countermeasures: patch management, removing default pages, disabling directory listing, server-side input validation.
  • Module 14 — Hacking Web Applications: OWASP Top 10 is the framework for this module. XSS (stored, reflected, DOM-based): injecting malicious JavaScript that executes in a victim's browser. IDOR (Insecure Direct Object Reference): accessing another user's data by changing an ID parameter. SSRF (Server-Side Request Forgery): making the server request internal URLs, used to access cloud metadata endpoints (169.254.169.254 on AWS EC2). XML External Entity (XXE) injection. Broken authentication and session management. Security misconfiguration. The exam tests the OWASP Top 10 attack categories, example payloads, and remediations.
  • Module 15 — SQL Injection: The most detail-tested individual attack type in CEH. Classic SQL injection: ' OR '1'='1 in login fields to bypass authentication. Union-based injection to extract data from other tables: ' UNION SELECT username, password FROM users--. Blind SQL injection: boolean-based (testing true/false conditions) and time-based (using SLEEP() or WAITFOR DELAY to infer data). Error-based injection: forcing database error messages that reveal schema information. Out-of-band injection: using DNS or HTTP callbacks to exfiltrate data. Tools: SQLmap for automated injection testing. Countermeasures: parameterised queries (prepared statements), ORM frameworks, WAF (Web Application Firewall), principle of least privilege for database accounts.
  • Module 16 — Hacking Wireless Networks: 802.11 Wi-Fi security attacks. WEP cracking: WEP uses a 24-bit IV (Initialization Vector) that repeats under heavy traffic, enabling RC4 key recovery with tools like Aircrack-ng. WPA/WPA2 cracking: PMKID attack and 4-way handshake capture for offline dictionary attack. WPA3 dragonfly handshake and its enhanced resistance to offline cracking. Evil twin attacks: rogue access point impersonating a legitimate SSID. De-authentication attacks: sending forged 802.11 de-auth frames to disconnect clients (used to force WPA handshake capture). Bluetooth attacks: Bluejacking (unsolicited message sending), Bluesnarfing (unauthorised data access), Bluebugging (remote control). Countermeasures: WPA3, 802.1X with RADIUS for enterprise Wi-Fi, wireless IDS.
  • Module 17 — Hacking Mobile Platforms: Android and iOS attack surfaces. Android: APK reverse engineering with apktool, rooting to bypass application sandboxing, adb (Android Debug Bridge) exploitation when USB debugging is enabled, malicious APK sideloading. iOS: jailbreaking to remove Apple's sandboxing restrictions, SSL certificate pinning bypass. Mobile malware distribution through unofficial app stores and phishing links. MDM (Mobile Device Management) as the enterprise countermeasure. OWASP Mobile Top 10 as the framework covering improper platform usage, insecure data storage, insecure communication, and insufficient cryptography.
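Module 15's headline payload, ' OR '1'='1, only works because string concatenation lets user input take part in the SQL grammar, and the countermeasure the module names first (parameterised queries) works because placeholders keep input as data. The example below is added for this guide and is not EC-Council code: it builds an in-memory SQLite table with one constructed user and runs the same login check both ways, so the tautology can be seen succeeding against the concatenated query and failing against the prepared one.

```python
import sqlite3


def make_db():
    """In-memory database with one constructed user record (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenation: quotes in the input close the literal and the rest becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn, username, password):
    """Placeholders: the driver binds the values separately; a quote is just a character."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Return (vulnerable, parameterised) results for the module's tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return login_vulnerable(conn, "alice", payload), login_parameterised(conn, "alice", payload)


if __name__ == "__main__":
    vuln, safe = demo()
    print("concatenated query accepted the payload:", vuln)     # True
    print("parameterised query accepted the payload:", safe)    # False
```

With the payload in the password field the concatenated statement reads `... AND password = '' OR '1'='1'`, and because AND binds tighter than OR the row matches unconditionally. The parameterised version compares the password column against the literal eleven-character string and finds nothing. Least privilege for the database account, also listed in the module, limits what a successful injection can reach; it does not prevent the injection itself.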

Modules 18–20: Emerging Attack Surfaces

The newer modules that reflect where attack surfaces expanded between CEH v12 and v13.

  • Module 18 — IoT and OT Hacking: Internet of Things devices (smart cameras, industrial sensors, medical devices) and Operational Technology (SCADA systems, PLCs, HMIs) present distinct attack surfaces from traditional IT. IoT attacks: default credential exploitation (many IoT devices ship with admin/admin or device-specific defaults; Shodan exposes these at scale), firmware extraction and analysis for hardcoded credentials, insecure update mechanisms. OT/SCADA attacks: Stuxnet as the canonical example of OT compromise (destroyed Iranian centrifuges by sending incorrect commands while reporting normal operation to operators), Modbus and DNP3 protocol attacks (industrial protocols with no authentication). The Purdue Model for OT network segmentation and the ICS security challenges when air-gapping is impractical.
  • Module 19 — Cloud Computing Security: Cloud-specific attack vectors and the shared responsibility model. Cloud attacks: misconfigured S3 bucket data exposure, SSRF to access instance metadata service (IMDS) for IAM credential theft, container escape techniques, account takeover via stolen IAM access keys. The OWASP Cloud Top 10 as a supplementary framework. Cloud security controls: IAM least privilege, SCPs (Service Control Policies) in AWS Organizations, CloudTrail for audit logging, GuardDuty for threat detection, security groups and NACLs for network segmentation. The exam tests cloud attack patterns and which native cloud security service addresses each threat.
  • Module 20 — Cryptography: The mathematical underpinnings that CEH candidates must understand to identify weak implementations. Symmetric encryption (AES, 3DES, RC4 — RC4 is considered broken and appears as a wrong-answer distractor for modern systems). Asymmetric encryption (RSA, ECC): public/private key pairs, digital signatures, certificate verification. Hashing (MD5, SHA-1 are deprecated and collision-vulnerable; SHA-256 and SHA-3 are current standards). PKI: certificate chains, certificate revocation (CRL, OCSP). TLS: the handshake process, cipher suites, perfect forward secrecy (PFS) via ephemeral Diffie-Hellman (DHE) key exchange. Attacks on cryptography: birthday attacks on weak hash functions, meet-in-the-middle on 2DES, padding oracle attacks on TLS. CEH v13 specifically adds discussion of quantum computing threats to RSA and ECC and post-quantum cryptography standards currently being finalised by NIST.
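The birthday attack in Module 20 is the reason hash output length matters: a collision among n-bit digests is expected after roughly 2^(n/2) evaluations, not 2^n. The script below is an added example for this guide, not EC-Council material. It computes that work factor for the digest sizes named in the module, gives the standard collision-probability approximation, and then actually finds a collision by birthday search against SHA-256 truncated to 24 bits, which takes on the order of 2^12 hashes on a laptop. Truncating a strong hash is an assumption made purely so the search finishes quickly; it says nothing about SHA-256 itself.

```python
import hashlib
import math


def birthday_work_factor(bits):
    """Expected hash evaluations before a collision becomes likely: about 2^(n/2)."""
    return 2 ** (bits / 2)


def collision_probability(bits, samples):
    """Approximate P(at least one collision) among `samples` random n-bit values:
    1 - exp(-k^2 / 2^(n+1)), the usual birthday-paradox estimate."""
    return 1 - math.exp(-(samples ** 2) / 2 ** (bits + 1))


def find_truncated_collision(bits, max_tries=None):
    """Birthday search: hash distinct messages, keep a table of truncated digests,
    stop at the first repeat. Returns (msg_a, msg_b, tries) or None."""
    assert bits % 8 == 0, "keep whole bytes for simplicity"
    nbytes = bits // 8
    if max_tries is None:
        max_tries = (1 << bits) + 1          # pigeonhole bound: a collision is then certain
    seen = {}
    for i in range(max_tries):
        msg = ("msg-%d" % i).encode()        # constructed, distinct inputs
        tag = hashlib.sha256(msg).digest()[:nbytes]
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    return None


def work_factors():
    """Work factor table for the digest sizes discussed in the module."""
    return {name: birthday_work_factor(bits)
            for name, bits in (("MD5", 128), ("SHA-1", 160), ("SHA-256", 256))}


if __name__ == "__main__":
    for name, wf in work_factors().items():
        print("%-8s birthday bound ~ 2^%d" % (name, int(math.log2(wf))))
    a, b, tries = find_truncated_collision(24)
    print("24-bit truncated SHA-256 collision after %d hashes: %r vs %r" % (tries, a, b))
```

The search returns two different messages whose truncated digests agree, usually within a few thousand tries; reading the 2^64 figure for MD5 beside that result is the intuition the module is after, and the same arithmetic is why MD5's real-world collision attacks (far cheaper than 2^64) finished it as a signature hash.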

CEH vs CompTIA PenTest+ vs OSCP: which path is right?

Comparison: CEH vs PenTest+ vs OSCP

  • EC-Council CEH v13 — Best for candidates seeking DoD 8570 CNDSP compliance, enterprise hiring manager recognition, or a structured survey of all attack domains before specialising. 125 multiple-choice questions, no live exploitation required. Wide employer recognition in commercial and government sectors. The primary criticism: multiple-choice format means you can pass CEH without ever running a real exploit. The CEH Practical exam addresses this for candidates who want to demonstrate hands-on skill.
  • CompTIA PenTest+ PT0-003 — Best for candidates who want DoD 8570 compliance (CSSP Analyst and Vulnerability Assessor) with a vendor-neutral credential from a US-based non-profit. Similar multiple-choice format (165 questions, 165 minutes). Explicitly covers penetration testing engagement management and reporting — the professional skills around a pentest, not just the technical skills. Often chosen as a complement to CEH rather than a replacement. Lower cost (~$404) than CEH.
  • OffSec OSCP (PEN-200) — Best for candidates who want to demonstrate actual penetration testing skill, not just knowledge. 24-hour live exam: exploit a set of boxes in an isolated lab, then write a professional penetration test report. No multiple choice. Highly respected in pure offensive security roles (red team, professional pentester). Significantly harder than CEH — requires genuine exploit development, Active Directory attack chains, and privilege escalation without step-by-step guidance. Not DoD 8570 CNDSP approved (which is CEH's advantage for government roles).

CEH gets you into the room for security analyst interviews. OSCP closes the deal for penetration tester roles. They are not direct competitors — they address different career stages and different employer requirements.

CEH Practical: the hands-on add-on

EC-Council introduced the CEH Practical exam as a response to the common criticism that passing CEH multiple-choice questions does not prove you can run an actual exploit. CEH Practical is a 6-hour, proctored, live lab exam administered via iLabs (EC-Council's virtual lab platform). Candidates are given a set of machines in a simulated corporate network and must answer 20 practical challenges by demonstrating actual exploitation: performing a network scan, identifying a vulnerability, running an exploit to gain access, and capturing a flag (a specific string or file that proves compromise).

CEH Practical costs approximately $550 in addition to the main exam fee. Passing both exams earns the “CEH Master” designation. For candidates applying to penetration tester roles at organisations that recognise EC-Council credentials, CEH Master is significantly more competitive than CEH alone, because it closes the hands-on skill gap that hiring managers familiar with the space know the multiple-choice exam leaves open.

For candidates who pass CEH and then want to progress to OSCP, the CEH Practical is reasonable preparation — it introduces the rhythm of time-limited live exploitation under exam conditions, which is the core challenge of the OSCP 24-hour lab exam. CEH Practical is not as difficult as OSCP (the lab challenges are more directed and the tools are more constrained), but it is a meaningful intermediate step.
