CEH v12/v13 Study Path¶
The Certified Ethical Hacker is EC-Council's flagship offensive-security certification and one of the most polarizing credentials in the industry. This study path treats CEH for what it is: a breadth-oriented, multiple-choice exam that opens specific doors (DoD 8570 baseline, corporate HR filters, government contracting) while teaching less practical offense per dollar than OSCP, PNPT, or GPEN. If you need the cert for a job requirement, the path below gets you through it efficiently. If you're choosing between certs based on actual skill development, read the contrarian framing below before paying $1,200.
Honest framing: should you take CEH?¶
Most people who Google "should I take CEH" get a glossy answer. Here is the practitioner version.
What CEH actually is. A 125-question, 4-hour, multiple-choice exam administered by EC-Council. Passing score is approximately 70%, but EC-Council uses a cut-score model that varies slightly by exam form, so any single figure you see published as "the passing score" is an approximation. The current version is CEH v12 with v13 (which adds AI-augmented hacking content) rolling out in late 2024 / 2025. There is also an optional CEH (Practical) — a 6-hour hands-on lab exam — and a CEH Master designation if you pass both. The unqualified term "CEH" almost always refers to the multiple-choice exam.
What CEH actually costs. Around $1,199 for the exam voucher if you self-study and apply for eligibility (which requires either two years of documented infosec experience or completion of an EC-Council training course). With official iLearn or iWeek training the bundle runs $2,000-$4,000+. Annual ECE membership and continuing-education credits for renewal are extra. Compared to OSCP at $1,649 (course + first attempt, with three free retakes during lab access) or PNPT at around $400, CEH is expensive for what you get pedagogically.
Why people get CEH anyway — the real reasons.
- DoD 8570 / 8140. CEH is on the approved baseline list for IAT Level II, IAT Level III, IAM Level I, and CSSP Analyst (among other categories). If you work for a federal agency or DoD contractor, this is often a hard gate, not a preference.
- HR keyword filters. A meaningful share of corporate security job descriptions list CEH by name. Internal recruiters and applicant-tracking systems screen on it whether or not the hiring manager cares.
- Compliance documents. Some PCI QSA shops, internal audit functions, and federal SOWs list CEH as an acceptable credential for assessment staff. PNPT or OSCP may technically map to the same role but trigger procurement friction your manager would rather avoid.
- Career stage. Early-career analysts moving from helpdesk into security sometimes use CEH as a credibility signal because their employer recognizes the name and won't recognize "PNPT" or "eJPT" yet.
Why practitioners are critical of it.
- The exam is multiple-choice. You can pass without ever having popped a shell, exploited a real vulnerability, or written a single payload. OSCP, PNPT, GPEN, OSWE all require demonstrated exploitation in a lab environment.
- Some questions test EC-Council-specific definitions and tool taxonomies that drift from how working pentesters describe the same things. "Which of the following is a banner-grabbing tool?" with four roughly correct answers is not a skills test; it's a vocabulary test against a single vendor's curriculum.
- Tool coverage skews dated. The exam still tests material around tools and techniques that working red teamers replaced years ago. You will memorize tool names you will never type at a real keyboard.
- The cert is renewable via Continuing Education credits and annual fees, which functions as a recurring revenue stream more than an ongoing skill check.
When to take CEH.
- Your current or target employer lists it as required and won't accept substitutes.
- You're going for or staying in a DoD 8570-covered role.
- A federal SOW you're staffing requires it for billable hours.
- You're early career and the recognition value at HR matters more than the depth of learning.
When to skip CEH and go elsewhere.
- You want practical pentesting skills. PNPT (TCM Security, ~$400, 5-day exam, real network compromise + report) or OSCP (OffSec, $1,649, 24-hour exam) teach more per dollar.
- You want SANS-quality material with an industry-respected exam. GPEN (SANS SEC560, expensive but employer-funded for many) is the GIAC equivalent.
- You're testing the waters before committing. eJPT (INE, ~$249) is a hands-on entry-level pentest cert that costs a fifth of CEH and demands you actually exploit hosts.
- Your only goal is to learn. You'd be better served by a Hack The Box subscription, the TCM PEH course, and a six-month rotation through TryHackMe pathways for a fraction of the price.
The bottom line: take CEH if a specific door requires it. Don't take it expecting it to teach you to hack. Pair it with hands-on platforms (HTB, THM, PentesterLab) regardless of whether you take it for the credential or skip it.
Exam at a glance¶
| Item | Value |
|---|---|
| Cert body | EC-Council |
| Current version | CEH v12 (v13 rolling out with AI-augmented modules) |
| Format | Multiple choice |
| Questions | 125 |
| Time | 4 hours |
| Passing score | Approximately 70% (cut-score varies by form) |
| Exam delivery | ECC Exam Portal (online proctored) or Pearson VUE test center |
| Cost | Approximately $1,199 USD voucher; training bundles $2,000-$4,000+ |
| Eligibility | Two years documented infosec experience OR completion of official EC-Council training |
| Renewal | ECE program: 120 credits over 3 years + annual membership fee |
| DoD 8570 status | Approved baseline for IAT II, IAT III, IAM I, CSSP Analyst (and others) |
| Optional add-on | CEH (Practical) 6-hour lab exam → CEH Master designation |
The 20 modules and the 8-phase study structure¶
CEH organizes its curriculum into 20 modules. For study purposes those map cleanly onto eight content phases. The percentage weights below are approximate based on published EC-Council blueprint information; the exam doesn't publish a strict per-module weighting, so plan for breadth across all modules rather than betting on any single area being a small percentage.
Phase 1: Information Security and Ethical Hacking Overview¶
CEH modules covered. Module 1: Introduction to Ethical Hacking.
What it covers. Threat actor taxonomy, the cyber kill chain, MITRE ATT&CK, classes of attacks, information-security controls, laws and standards (HIPAA, PCI DSS, GDPR, SOX, DMCA), penetration testing concepts, ethical-hacking phases (recon, scanning, gaining access, maintaining access, clearing tracks). EC-Council leans heavily on its own five-phase model — memorize their phase names and order even if you've internalized PTES or the Lockheed-Martin kill chain in real work.
Nexus chapters.
- Ch 1 — Introduction to Security Operations
- Ch 13 — Security Governance, Privacy & Risk
- Ch 16 — Penetration Testing Methodology
- Ch 22 — Threat Actor Encyclopedia
- Ch 41 — Red Team Methodology
Nexus labs and resources.
Tools the exam expects you to recognize. Cyber kill chain (Lockheed Martin), MITRE ATT&CK, Diamond Model. The exam may ask you to identify the phase of an attack from a one-paragraph scenario; learn to map "the attacker is sending crafted phishing emails to harvest credentials" to "Weaponization + Delivery" in EC-Council's framing.
Practitioner notes. The legal and standards content is genuine — HIPAA, GDPR, PCI DSS terminology shows up in CEH the same way it shows up in CISSP, except shallower. Don't skip it just because it's the "boring" module; easy points sit here.
Phase 2: Reconnaissance Techniques¶
CEH modules covered. Module 2: Footprinting and Reconnaissance. Module 3: Scanning Networks. Module 4: Enumeration.
What it covers. Passive footprinting (Whois, DNS, Shodan, Google dorking, social-media OSINT, job-posting analysis), active scanning (Nmap host discovery, port scanning, OS fingerprinting, service-version detection, banner grabbing), and enumeration (SMB, SNMP, LDAP, NetBIOS, NFS, SMTP, NTP, SSH user enumeration, RPC enumeration). This is one of the heavier sections because EC-Council loves Nmap flag minutiae and SMB/SNMP enumeration trivia.
Nexus chapters.
Nexus labs and resources.
- Lab 22 — Active Directory Red Team (covers initial enumeration)
- Cheat Sheet: ATT&CK
Tools the exam expects you to recognize and the flags it cares about.
- Nmap. Memorize `-sS` (SYN stealth), `-sT` (connect), `-sU` (UDP), `-sN`/`-sF`/`-sX` (null/FIN/Xmas), `-sV` (version), `-sC` (default scripts), `-O` (OS fingerprint), `-A` (aggressive), `-Pn` (skip host discovery), `-T0` through `-T5` timing, `--top-ports`, `--script vuln`, `-oN`/`-oG`/`-oX` output formats. This is one of the most-tested tool families on CEH — know the flags cold.
- Masscan, Zmap, Hping3, Unicornscan. Recognize names and one-line purpose.
- Nikto, WhatWeb, Wappalyzer, theHarvester, Recon-ng, Maltego. Recognize purpose; expect "which tool would you use to..." questions.
- Shodan, Censys, FOFA. Internet-wide scan databases — know the difference and what each is best for (Shodan for IoT/banner, Censys for TLS/cert intel).
- enum4linux, smbclient, rpcclient, snmpwalk, ldapsearch, dnsenum, dnsrecon, fierce. Enumeration utilities; expect direct "what does this tool enumerate" questions.
- Whois, dig, host, nslookup. DNS and registration data — know the difference between A, AAAA, MX, CNAME, NS, TXT, SOA records.
Practitioner notes. This is the section where CEH most overlaps with real work. Nmap competence transfers to every offensive role. The exam's emphasis on banner grabbing and SMB null-session enumeration is dated for modern enterprise environments but the fundamentals still apply when you're pivoting through legacy networks or assessing third-party infrastructure.
Phase 3: System Hacking Phases and Attack Techniques¶
CEH modules covered. Module 5: Vulnerability Analysis. Module 6: System Hacking. Module 7: Malware Threats. Module 8: Sniffing. Module 9: Social Engineering. Module 10: Denial-of-Service. Module 11: Session Hijacking. Module 12: Evading IDS, Firewalls, and Honeypots.
What it covers. This is the largest content chunk. Vulnerability scoring (CVSS v3/v4), vulnerability scanners (Nessus, OpenVAS, Qualys, Nexpose), password attacks (offline cracking, online brute force, rainbow tables, hash types: NTLM, NetNTLMv1/v2, MD5, SHA, bcrypt, Argon2), privilege escalation (Linux SUID, sudo, kernel exploits, capabilities; Windows service misconfigs, unquoted paths, AlwaysInstallElevated, token impersonation), maintaining access (rootkits, backdoors, persistence mechanisms), covering tracks (log clearing, timestomping). Malware module covers virus/worm/Trojan/rootkit/ransomware taxonomy and analysis types (static, dynamic, behavioral). Sniffing covers ARP spoofing, MAC flooding, DHCP starvation, DNS poisoning, Wireshark filter syntax. Social engineering covers phishing taxonomy (vishing, smishing, whaling, pretexting), human-based vs computer-based vs mobile-based. DoS covers SYN flood, UDP flood, ICMP flood, Slowloris, application-layer attacks, amplification (DNS, NTP, Memcached), botnets. Session hijacking covers TCP hijacking, session-token prediction, cross-site request forgery, network-level vs application-level hijacking. IDS/firewall evasion covers fragmentation, decoy scanning, source-port spoofing, packet manipulation.
Nexus chapters.
- Ch 16 — Penetration Testing Methodology
- Ch 17 — Red Team Operations
- Ch 18 — Malware Analysis
- Ch 23 — Ransomware Deep Dive
- Ch 25 — Social Engineering
- Ch 29 — Vulnerability Management
- Ch 31 — Network Security Architecture
- Ch 41 — Red Team Methodology
- Ch 43 — Network Penetration Testing
- Ch 47 — Physical & Social Engineering
- Ch 48 — Exploit Development Concepts
Nexus labs and resources.
- Lab 7 — Malware Triage
- Lab 19 — Ghidra Reverse Engineering
- Lab 22 — Active Directory Red Team
- Lab 30 — Vulnerability Triage
- Detection Query Library
Tools the exam expects you to recognize.
- Vulnerability scanners. Nessus (Tenable), OpenVAS (Greenbone), Qualys, Nexpose (Rapid7), Nikto (web), wpscan (WordPress), nuclei (template-driven). Know which is commercial vs open source and at least one differentiator each.
- Password crackers. John the Ripper (modes: single, wordlist, incremental; format flags), Hashcat (modes 0=MD5, 100=SHA1, 1000=NTLM, 5500=NetNTLMv1, 5600=NetNTLMv2 — these specific mode numbers do show up), Hydra (online brute force, service-specific modules), Medusa, Ophcrack, RainbowCrack, CeWL (custom wordlist generation).
- Hash identifiers. hash-identifier, hashid.
- Sniffers and MITM. Wireshark (display vs capture filter syntax — the exam tests this distinction), tcpdump (BPF syntax), Ettercap, Bettercap, dsniff suite, tshark, Cain (legacy but EC-Council still references it), Responder (LLMNR/NBT-NS poisoning).
- Social-engineering toolkits. SET (Social-Engineer Toolkit), Gophish, King Phisher, Maltego, BeEF (Browser Exploitation Framework).
- DoS/stress. LOIC, HOIC, hping3, Slowloris, R-U-Dead-Yet (RUDY), Tor's Hammer.
- IDS/firewall evasion. fragroute, Nmap evasion flags (`-f`, `--mtu`, `-D`, `--source-port`, `--data-length`, `--randomize-hosts`).
- Persistence and post-exploitation. Metasploit (msfconsole, msfvenom, multi/handler, post modules — know the basic workflow even if you've never touched the framework), Meterpreter (commands: hashdump, getsystem, migrate, run persistence, clearev), Empire/Starkiller (PowerShell post-ex), Covenant.
- Privilege escalation. LinPEAS, WinPEAS, linux-exploit-suggester, windows-exploit-suggester, Mimikatz (sekurlsa::logonpasswords, lsadump::sam, kerberos::ptt — the core commands).
- Steganography. Steghide, OpenStego, Snow (whitespace stego), QuickStego.
Practitioner notes. The Hashcat mode numbers and Nmap flags are heavily tested — these are the kind of memorization questions where you either know it or you don't. Make a flashcard deck. The malware taxonomy is dated (the virus/worm/Trojan distinction matters less in 2026 when most modern threats are loaders, RATs, infostealers, or ransomware) but EC-Council still tests the textbook categories — answer to their definitions, not modern industry usage.
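An added example (not code from the study path or from any of the tools it names) of what hash-identifier and hashid do for you: classify a credential artefact by its shape and map it to the Hashcat mode numbers the exam tests. The point it makes is that a bare 32-hex string is ambiguous between MD5 (mode 0) and NTLM (mode 1000), so only the source of the artefact settles it; all sample values are constructed, and the `source` labels are an assumption of this example.

```python
"""Hash-format triage (added example, not from the study path).

Maps artefact shape to the Hashcat modes the CEH exam tests:
0 MD5, 100 SHA1, 1000 NTLM, 5500 NetNTLMv1, 5600 NetNTLMv2, plus 1400 SHA-256
and 3200 bcrypt for contrast. Sample values in the tests are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HEX = r"[0-9a-fA-F]"


@dataclass(frozen=True)
class Candidate:
    name: str
    hashcat_mode: int


# Ordered from most structured to least structured (bare hex last).
_RULES = [
    # bcrypt: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest.
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
     [Candidate("bcrypt", 3200)]),
    # NetNTLMv2 (Responder-style capture): user::domain:challenge(16):ntproof(32):blob
    (re.compile(rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$"),
     [Candidate("NetNTLMv2", 5600)]),
    # NetNTLMv1: user::domain:lmresp(48):ntresp(48):challenge(16)
    (re.compile(rf"^[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$"),
     [Candidate("NetNTLMv1", 5500)]),
    (re.compile(rf"^{HEX}{{64}}$"), [Candidate("SHA-256", 1400)]),
    (re.compile(rf"^{HEX}{{40}}$"), [Candidate("SHA1", 100)]),
    # 32 hex chars: MD5 and NTLM are indistinguishable by shape alone.
    (re.compile(rf"^{HEX}{{32}}$"), [Candidate("MD5", 0), Candidate("NTLM", 1000)]),
]


def classify(value: str) -> List[Candidate]:
    """Return every candidate format whose shape matches; empty list if none."""
    value = value.strip()
    for pattern, candidates in _RULES:
        if pattern.match(value):
            return list(candidates)
    return []


def classify_with_context(value: str, source: Optional[str] = None) -> List[Candidate]:
    """Narrow an ambiguous result using where the artefact came from.

    Source labels are an assumption of this example: Windows credential stores
    ('sam', 'ntds', 'lsass') hold NTLM; a web application table ('web', 'db')
    with bare 32-hex values is most often MD5.
    """
    cands = classify(value)
    if len(cands) > 1 and source:
        src = source.lower()
        if src in ("sam", "ntds", "lsass"):
            return [c for c in cands if c.name == "NTLM"]
        if src in ("web", "db"):
            return [c for c in cands if c.name == "MD5"]
    return cands


if __name__ == "__main__":
    for sample in ("ab" * 16, "ab" * 20, "$2b$12$" + "a" * 53):
        print(sample[:24], "->", [(c.name, c.hashcat_mode) for c in classify(sample)])
```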
Phase 4: Network and Perimeter Hacking¶
CEH modules covered. This phase reinforces sniffing (Module 8), session hijacking (Module 11), evasion (Module 12), and overlaps with Module 16 wireless (covered separately below). Network-layer attacks specifically include ARP spoofing, MAC flooding (CAM table overflow), DHCP starvation, STP attacks, VLAN hopping, rogue DHCP, DNS cache poisoning.
What it covers. Switch- and router-layer attacks, firewall types (stateful, stateless, application-layer, NGFW, WAF), IDS architectures (NIDS vs HIDS, signature vs anomaly), honeypot taxonomy (low-interaction vs high-interaction, production vs research), VPN protocols (PPTP, L2TP/IPsec, OpenVPN, WireGuard), proxy types (transparent, anonymous, elite, reverse).
Nexus chapters.
- Ch 31 — Network Security Architecture
- Ch 39 — Zero Trust Implementation
- Ch 43 — Network Penetration Testing
Nexus labs and resources.
Tools the exam expects you to recognize. Wireshark, tcpdump, Yersinia (L2 attacks: STP, CDP, DTP, VTP, DHCP), macof (CAM flooding), arpspoof, dnsspoof, Ettercap. For honeypots: Honeyd, KFSensor, Specter, Glastopf, Cowrie. For firewall fingerprinting: Nmap firewalk script, hping3.
Practitioner notes. Layer-2 attacks (CAM flood, ARP spoof, VLAN hop via double-tagging) are still real but mostly mitigated in modern enterprise switches via DHCP snooping, dynamic ARP inspection, port security. The exam treats them as live techniques regardless. The "which firewall type inspects up to layer 7" type question is straightforward if you've memorized the OSI model.
Phase 5: Web Application Hacking¶
CEH modules covered. Module 13: Hacking Web Servers. Module 14: Hacking Web Applications. Module 15: SQL Injection.
What it covers. Web-server attacks (directory traversal, server misconfiguration, default credentials, server-status disclosure, IIS/Apache/Nginx-specific vulnerabilities). OWASP Top 10 (the exam tracks the current list — know the 2021 categories: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfig, Vulnerable Components, Auth Failures, Software/Data Integrity Failures, Logging/Monitoring Failures, SSRF). Web app attacks: XSS (stored, reflected, DOM-based), CSRF, SQL injection (in-band, blind, time-based, UNION-based, error-based), command injection, file upload bypasses, IDOR, parameter tampering, HTTP response splitting, web cache poisoning, deserialization attacks. SQL injection gets its own module — know the syntax for UNION-based extraction, boolean-based blind, time-based blind (SLEEP() MySQL, WAITFOR DELAY MSSQL, pg_sleep() Postgres), error-based with extractvalue() or updatexml(), and second-order injection.
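An added example, not code from the study path, that puts the injection material above into runnable form from the defender's side: the same lookup written injectably and with bound parameters against an in-memory SQLite table, plus a request-log scan for the three time-based blind signatures the exam names (MySQL SLEEP(), MSSQL WAITFOR DELAY, PostgreSQL pg_sleep()). The table rows and log lines are constructed.

```python
"""SQL-injection demo and log check (added example, not from the study path).

Part 1: one lookup written two ways against an in-memory SQLite table:
string concatenation (injectable) versus a parameterised query.
Part 2: a request-log scan for time-based blind probes per DBMS family.
All rows and log lines below are constructed for the example.
"""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input spliced into SQL text: a quote in the input ends the literal
    # and whatever follows becomes part of the WHERE clause.
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder binding: the value is passed to the engine as data, never parsed as SQL.
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()


# Time-based blind signatures, one per DBMS family the CEH syllabus names.
_TIME_SIGS = {
    "mysql": re.compile(r"\bsleep\s*\(", re.I),
    "mssql": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "postgres": re.compile(r"\bpg_sleep\s*\(", re.I),
}

# Constructed access-log lines (one benign request, then one probe per DBMS).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /user?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /user?name=alice%27+AND+SLEEP(5)--+- HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:07 +0000] "GET /user?name=x%27%3B+WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2026:10:00:13 +0000] "GET /user?name=x%27+AND+pg_sleep(5)--+ HTTP/1.1" 200 512',
]


def scan_log(lines) -> list:
    """Return (dbms_family, decoded_line) for each line carrying a time-based probe.

    URL-decoding first matters: '%27' and '+' hide the payload from naive greps.
    """
    hits = []
    for line in lines:
        decoded = unquote_plus(line)
        for family, pattern in _TIME_SIGS.items():
            if pattern.search(decoded):
                hits.append((family, decoded))
    return hits


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row leaks
    print("safe:      ", lookup_safe(conn, payload))         # no such user
    for family, line in scan_log(SAMPLE_LOG):
        print(family, "->", line.split('"')[1])
```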
Nexus chapters.
Nexus labs and resources.
Tools the exam expects you to recognize.
- Proxies. Burp Suite (Community vs Professional, the core tabs: Proxy, Repeater, Intruder, Decoder, Comparer, Sequencer, Scanner — know what each does), OWASP ZAP, Caido (newer alternative, may not appear on older exam forms), Fiddler, Mitmproxy.
- Scanners. Nikto, Wapiti, w3af, Acunetix, Burp Scanner, Netsparker (now Invicti), AppScan.
- CMS-specific. wpscan (WordPress), JoomScan, Droopescan.
- SQL injection. sqlmap (the exam loves sqlmap flags — `--dbs`, `--tables`, `--columns`, `--dump`, `--os-shell`, `--level`, `--risk`, `--technique=BEUSTQ`, `--tamper`), Havij (legacy but referenced).
- Directory and content discovery. dirb, dirbuster, gobuster, ffuf, feroxbuster, wfuzz.
- Subdomain enumeration. Amass, Subfinder, Sublist3r, assetfinder.
- Other. XSStrike, BeEF, Burp extensions (Logger++, Autorize, Param Miner — the exam may reference Burp ecosystem).
Practitioner notes. Web app is one of the most relevant CEH sections because the underlying techniques and tools (Burp, sqlmap, OWASP Top 10) match how real web testing happens in 2026. The exam tests theoretical knowledge of injection types more than ability to actually exploit, but the vocabulary maps directly. If you want to convert this study time into real skill, supplement with PortSwigger Web Security Academy (free, the gold standard) and PentesterLab.
Phase 6: Wireless Network Hacking¶
CEH modules covered. Module 16: Hacking Wireless Networks.
What it covers. Wireless standards (802.11 a/b/g/n/ac/ax), encryption protocols (WEP, WPA, WPA2, WPA3 — know the upgrade rationale and known weaknesses of each: WEP IV/RC4 collision, WPA2 KRACK, WPA3 Dragonblood), authentication (PSK vs Enterprise/802.1X, EAP variants: EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, LEAP), four-way handshake mechanics, attack categories (rogue AP, evil twin, deauthentication, MAC spoofing, jamming, war driving, war flying, war chalking, war shipping). Bluetooth attacks (Bluejacking, Bluesnarfing, Bluebugging, Bluesmacking, BlueBorne). RFID and NFC attack basics.
Nexus chapters.
- Ch 31 — Network Security Architecture (wireless coverage)
- Ch 34 — Mobile & IoT Security
Tools the exam expects you to recognize. Aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng — know what each does in the WPA2 capture-and-crack workflow), Kismet, Wifite, Wifiphisher, Reaver and Bully (WPS PIN attacks), Pixiewps, Fern WiFi Cracker, Wireshark with WLAN decoder. For Bluetooth: BlueZ tools (hciconfig, hcitool, gatttool, sdptool), BtleJuice, Spooftooph.
Practitioner notes. Wireless is a small chunk of the exam. WEP is dead in practice but EC-Council still tests the IV/RC4 weakness because that's where the exam was originally written. WPA3 questions are increasing in newer exam forms. The four-way handshake mechanic (ANonce, SNonce, MIC, GTK) shows up regularly — understand the sequence even if you've never captured one.
Phase 7: Mobile Platform, IoT, and OT Hacking¶
CEH modules covered. Module 17: Hacking Mobile Platforms. Module 18: IoT and OT Hacking.
What it covers. Mobile attack vectors (malicious apps, OS exploits, network-based, web-based, physical), Android architecture and security model (Linux kernel, Dalvik/ART, app sandboxing, intents, content providers, manifest permissions), iOS architecture (kernel, sandboxing, code signing, app review), rooting and jailbreaking concepts and tools, mobile malware categories, MDM (Mobile Device Management) and MAM concepts, OWASP Mobile Top 10. IoT attack categories (insecure web, weak auth, network services, transport encryption, privacy, insecure cloud/mobile interface, insecure update, insecure default settings, lack of physical hardening), IoT communication protocols (Zigbee, Z-Wave, BLE, MQTT, CoAP, AMQP, LoRaWAN), IoT-specific threats (Mirai-class botnets, default credential abuse). OT (Operational Technology): SCADA, ICS, DCS, PLC, RTU, HMI distinctions; protocols (Modbus, DNP3, Profinet, EtherNet/IP, OPC UA); the Purdue Model levels; air-gapped environment realities; Stuxnet/Triton/Industroyer historical context.
Nexus chapters.
Tools the exam expects you to recognize. Mobile: ADB (Android Debug Bridge), apktool, dex2jar, JADX, Frida, Objection, MobSF (Mobile Security Framework), Drozer (Android), Burp + ProxyDroid for traffic interception. iOS: Cycript, Cydia (jailbreak app store, dated reference), checkra1n, unc0ver. IoT: Shodan, Censys, IoT Inspector, Firmadyne, Binwalk (firmware extraction), Bus Pirate (hardware), JTAGulator. OT: Nmap with Modbus/DNP3/S7 NSE scripts, Wireshark with industrial-protocol dissectors, ICS-CERT advisories as a reference category.
Practitioner notes. This module is broad but shallow on the exam. You don't need to actually reverse an Android APK; you need to know what apktool does versus dex2jar versus JADX. OT content is recognition-level (know the protocol names and Purdue Model layers) unless you're working in an industrial-control environment. The exam may include "Stuxnet was an attack on which of the following" type questions — historical malware case-study recognition is fair game.
Phase 8: Cloud Computing and Cryptography¶
CEH modules covered. Module 19: Cloud Computing. Module 20: Cryptography.
What it covers.
Cloud. Service models (IaaS, PaaS, SaaS, FaaS) and the shared-responsibility split for each, deployment models (public, private, hybrid, community), virtualization concepts (Type-1 vs Type-2 hypervisors, container vs VM), container security (Docker, Kubernetes basics — image vulnerabilities, runtime escape, privileged container risks), serverless attack surface, cloud-specific threats (account hijacking, insecure APIs, misconfigured storage buckets, data loss, abuse of cloud services, insufficient due diligence). Major-provider awareness: AWS, Azure, GCP — recognize core service categories at minimum (compute, storage, networking, IAM). Cloud security tools at the recognition level.
Cryptography. Symmetric algorithms (DES, 3DES, AES, RC4, Blowfish, Twofish — know which are deprecated and rough strength), asymmetric algorithms (RSA, DSA, ECC, ElGamal, Diffie-Hellman key exchange), hash algorithms (MD5, SHA-1, SHA-2 family, SHA-3, RIPEMD), MACs and HMACs, digital signatures, PKI components (CA, RA, CRL, OCSP, certificate fields, X.509), certificate types (DV, OV, EV, wildcard, SAN), TLS handshake mechanics, key-management lifecycle, common cryptographic attacks (brute force, birthday, meet-in-the-middle, side-channel, padding oracle, replay, known-plaintext, chosen-plaintext/ciphertext), disk encryption (BitLocker, FileVault, LUKS, VeraCrypt), email encryption (PGP, S/MIME), steganography vs cryptography distinction.
Nexus chapters.
- Ch 20 — Cloud Attack & Defense
- Ch 32 — Applied Cryptography
- Ch 33 — Identity & Access Security
- Ch 46 — Cloud & Container Red Team
- Ch 51 — Kubernetes Security
- Ch 57 — Cloud Forensics
Nexus labs and resources.
- Lab 8 — Cloud Security Audit
- Lab 13 — Cloud Red Team
- Lab 17 — Cloud IAM Escalation
- Lab 21 — Cloud & Container Security
- Lab 26 — Container & Kubernetes Red Team
- Lab 27 — Kubernetes Attack & Defense
- Cheat Sheet: Cloud Security
- Cheat Sheet: IAM
- Crypto Toolkit (interactive)
Tools the exam expects you to recognize. Cloud: AWS CLI, Azure CLI, gcloud, Pacu (AWS exploitation framework), CloudGoat (vulnerable AWS lab), ScoutSuite, Prowler, kube-hunter, kube-bench, Trivy (image scanning), Docker Bench. Crypto: OpenSSL CLI (know the basic subcommands: genrsa, req, x509, s_client, enc, dgst), GnuPG (gpg), VeraCrypt, Hashcalc, CryptoSuite, Cryptool, John/Hashcat for hash cracking.
Practitioner notes. Cloud module on CEH is shallow versus AWS Certified Security Specialty or actual cloud red team work. The exam mostly tests vocabulary and shared-responsibility-model questions. Crypto module has more depth — symmetric vs asymmetric strength, hash collision resistance, PKI mechanics, and "which attack targets which weakness" questions are common. Do not try to derive RSA from first principles for the exam; just memorize key sizes and algorithm categories.
Study schedules¶
8-week plan (assumes ~12-15 hrs/week, prior security background)¶
| Week | Focus | Daily target |
|---|---|---|
| 1 | Phase 1 (overview, kill chain, ATT&CK) + Phase 2 reading (recon, scanning, enumeration) | Read Modules 1-4; Nmap flag drill (build flashcard deck) |
| 2 | Phase 2 hands-on + Phase 3 reading start | Nmap scans against TryHackMe rooms or HTB starting point; read Modules 5-8 |
| 3 | Phase 3 deep dive (system hacking, malware, sniffing) | Hashcat/John mode-number drill; Wireshark filter practice; malware taxonomy |
| 4 | Phase 3 finish (social eng, DoS, session hijack, IDS evasion) + Phase 4 | Modules 9-12; Nmap evasion flag drill; firewall/IDS taxonomy |
| 5 | Phase 5 (web app + SQL injection) | Read Modules 13-15; PortSwigger Web Security Academy SQLi labs; sqlmap flag drill |
| 6 | Phase 6 (wireless) + Phase 7 (mobile, IoT, OT) | Modules 16-18; aircrack-ng workflow; Purdue Model memorization |
| 7 | Phase 8 (cloud + crypto) + first full practice exam | Modules 19-20; take a 125-question practice exam; identify weak modules |
| 8 | Targeted weak-area review + second practice exam + rest day before exam | Re-quiz weak modules; second practice exam; sleep before exam day |
12-week plan (assumes ~8-10 hrs/week, lighter prior background)¶
Same content phases but spread over twelve weeks. Add one extra week each to Phase 3 (the largest content chunk) and Phase 5 (web app and SQLi). Use the extra two weeks as cushion for life and for hands-on practice on TryHackMe paths or HTB. Target two practice exams in weeks 11 and 12.
What "study" should look like in practice¶
- Active flashcard recall for tool names, Nmap flags, Hashcat modes, port numbers, and EC-Council-specific terminology. Anki, RemNote, or paper cards. Passive re-reading is the trap.
- One hands-on session per study day. TryHackMe Pre-Security and Jr Penetration Tester paths, HTB Academy modules, or PentesterLab exercises. Even thirty minutes of actual command-line work cements concepts that no amount of reading will.
- Module-end self quiz before moving on. If you can't answer five questions about a module without notes, reread it.
- One full practice exam in week 7 (8-week plan) or week 11 (12-week plan). Use the score as a diagnostic, not a confidence check.
Exam-day strategy¶
Time math¶
125 questions in 240 minutes = 1 minute 55 seconds per question on average. That sounds tight; in practice CEH questions are mostly short multiple-choice items you can answer in 30-60 seconds. The real risk is getting stuck on five hard questions and burning 30 minutes. Discipline:
- Pass 1 (target 90 minutes): answer every question you can answer in under 60 seconds. Mark for review anything that takes longer.
- Pass 2 (target 90 minutes): return to marked questions. Spend up to 2-3 minutes each.
- Pass 3 (final 60 minutes): the questions you still can't answer. Use elimination. Never leave a blank — there's no penalty for guessing.
Question style notes¶
- Many questions are scenario-form: "An ethical hacker is performing reconnaissance against the example.com domain. Which of the following tools would best [X]?" The right answer is usually the most specific tool for the stated task, not the most general.
- Some questions have two technically correct answers where one is more correct in EC-Council's taxonomy. When stuck between two, choose the one that matches EC-Council module language exactly.
- A small number of questions use vendor-marketing-flavored phrasing or reference dated tools. Don't argue with them; choose the answer that matches their framing and move on.
- Watch for distractor answers that swap two terms (e.g., stateful vs stateless, symmetric vs asymmetric, NIDS vs HIDS). Read carefully.
Tactical tips¶
- Skip-and-return discipline. Mark hard questions and move on. Time is your real adversary.
- Eliminate aggressively. Even when you don't know the right answer, you can usually eliminate two of four.
- Trust your first read on tool/flag/port questions. These are memorization items. If you've studied, your first answer is almost always right.
- Re-read scenario questions twice. The setup paragraph often contains the disambiguator that makes one of two plausible answers correct.
- Don't over-engineer. CEH is breadth not depth. The "best practice" answer in EC-Council's framing is usually a moderate, vendor-neutral choice — not the cutting-edge or contrarian one.
Logistics¶
- ECC Exam Portal (online proctored): clean room, government ID, webcam, no second monitor, no phone, no notes, no smart watches. Test your camera and mic the day before.
- Pearson VUE test center: arrive 30 minutes early; bring two forms of ID; lockers for personal items.
- Read the EC-Council exam-day policy current at the time you book — these change.
Practical lab supplements (essential, not optional)¶
CEH is theoretical-heavy; the cert alone will not make you employable as a tester. Layer hands-on practice on top regardless of whether you also pursue the CEH (Practical) exam.
| Platform | Cost | Best for | Why it pairs with CEH |
|---|---|---|---|
| TryHackMe | $14/mo | Beginner to intermediate paths | Pre-Security, Jr Penetration Tester, Web Fundamentals, Red Teaming paths cover CEH content with hands-on labs |
| HTB Academy | $8-$49/mo | Structured technical modules | "Penetration Tester" path aligns with CEH/PNPT/OSCP overlap; module quality is high |
| HTB Labs | $14-$49/mo | Capture-the-flag boxes | Build muscle memory for enum → exploit → privesc workflow |
| PortSwigger Web Security Academy | Free | Web application attacks | Best resource on the internet for OWASP Top 10 hands-on; covers CEH Phase 5 better than any paid material |
| PentesterLab | $20-$30/mo | Web app + serialization + advanced | Excellent for Burp competency and exploit chains |
| CloudGoat (AWS) / GOAD (AD) | Free | Cloud + AD scenarios | Self-hosted; covers Phase 7-8 cloud and Phase 3 AD-style escalation realistically |
| Vulnhub | Free | Boot-to-root VMs | Older box library; download and practice offline |
| OWASP Juice Shop / DVWA / WebGoat | Free | Web app fundamentals | Spin up locally; hammer Phase 5 content |
If you have to pick one paid resource: TryHackMe for breadth or HTB Academy for depth. PortSwigger Academy regardless — it's free.
Common pitfalls real candidates report¶
- Memorizing tool names without understanding categories. EC-Council asks "which tool would you use for X" expecting you to differentiate similar tools. Don't memorize names in isolation; group them by function (vuln scanners, password crackers, sniffers, etc.) and learn at least one differentiator per tool.
- Using only EC-Council courseware. The official material is comprehensive but dry. Pair it with at least one alternate source — a CEH-aligned video course (Boson, Cybrary, INE, Udemy options) or a current CEH study guide from Sybex/Wiley. Different framings catch the gaps.
- Skipping the legal/standards module. It's "boring" but produces easy points. HIPAA, PCI DSS, GDPR, SOX, Computer Fraud and Abuse Act, DMCA — know the one-line scope of each.
- Not building a flashcard deck for tool/port/flag/mode trivia. This material is pure recall. The candidates who fail by 5-10% almost always cite tool-recognition questions as the reason.
- Treating practice-exam scores as ceiling rather than floor. Free or cheap practice exams (Boson is the most-cited paid option) are usually harder than the real exam. If you're hitting 75%+ on Boson consistently, the real exam should be passable. If you're at 60% on free question banks, that's a danger zone — the real exam may be harder than the free banks.
- EC-Council-specific definitions that drift from industry usage. Examples: their hacker taxonomy ("white hat / black hat / gray hat / suicide hacker / script kiddie / spy hacker / cyber terrorist / state-sponsored hacker") includes labels you won't hear in any real SOC. Memorize their list anyway. Same for their five-phase ethical-hacking model versus PTES or the kill chain — answer to EC-Council's framing on the exam, regardless of how your day job phrases it.
- Underestimating wireless and crypto. Wireless and crypto are smaller modules but easy to score on if you study them and easy to lose points on if you don't. Don't punt them.
- Cramming the night before. Counterproductive. Sleep is more valuable than one more re-read of the malware module. Do a 30-minute flashcard review the morning of and walk in rested.
Post-cert: where to go next¶
Passing CEH is the floor of an offensive-security path, not the ceiling. Options ordered by what most practitioners recommend:
If your goal is real pentesting / red team skill¶
- PNPT (TCM Security Practical Network Penetration Tester). ~$400 with course access. Five-day exam with full network compromise plus professional report. The most respected mid-tier hands-on cert in 2026 by working pentesters; far better skill-per-dollar than CEH. If you could go back and skip CEH, this is what you'd take instead.
- OSCP (OffSec PEN-200). ~$1,649. The 24-hour exam standard for entry-to-mid-level pentesting roles. Tougher than PNPT, more name recognition with corporate hiring, similar real-world relevance. After OSCP, OSEP for evasion, OSWE for web, OSED for exploit dev.
- GPEN (SANS SEC560). Expensive (often employer-funded). High-quality material; respected industry cert. Pair with GXPN or GWAPT for specialization.
- eCPPT (eLearnSecurity / INE). Hands-on cert covering broader scope than OSCP at lower cost. Good intermediate step.
If your goal is web app specialization¶
- Burp Suite Certified Practitioner (PortSwigger). $99. Practical, vendor-aligned, increasingly recognized.
- OSWE (OffSec Web Expert). Advanced; focuses on white-box web app exploitation.
- eWPTX (INE / eLearnSecurity). Practical web app pentest cert.
If your goal is cloud red team / cloud security¶
- AWS Certified Security Specialty. Foundational AWS security knowledge.
- CARTP / CRTP (Altered Security). Cloud + AD red team focus; well-regarded among practitioners.
- Cloud-specific HTB Academy paths and PortSwigger material.
If your goal is to move toward management or governance¶
- CISSP (ISC2). The management-track standard. See Nexus's CISSP path for mapping.
- CISM, CRISC (ISACA). Management/risk-leaning alternatives.
- CCSP (ISC2). Cloud-leaning CISSP companion.
If you want EC-Council follow-ups¶
- CEH (Practical). The 6-hour lab exam. Combined with the multiple-choice exam it earns the "CEH Master" designation. More hands-on but still inside EC-Council's ecosystem.
- CPENT (Certified Penetration Testing Professional). EC-Council's hands-on pentest cert. Mixed reception — some respect, some skepticism.
- CHFI (Computer Hacking Forensic Investigator). EC-Council's forensics offering.
Honest recommendation¶
If you're early career and just took CEH for the HR filter or DoD requirement: do PNPT next (or OSCP if your employer reimburses). The combination of CEH on your resume (for filters) plus PNPT or OSCP (for actual demonstrated skill) is significantly stronger than either alone, and you'll start producing pentest reports that look like a working tester wrote them, not a multiple-choice taker.
If you're mid-career and CEH was a checkbox: skip the CPENT/EC-Council follow-up loop. Go directly to OSCP, GPEN, or specialty certs.
Quick-reference summary¶
- Get CEH because a specific job, contract, or compliance gate requires it. Otherwise you're paying $1,200+ for a credential less respected than $400 alternatives.
- Don't get CEH because you want to learn pentesting. PNPT, OSCP, eJPT, HTB Academy, PortSwigger Academy will all teach you more per dollar.
- Plan 8-12 weeks of study at 8-15 hrs/week.
- Build a flashcard deck for tools, Nmap flags, Hashcat modes, ports, EC-Council taxonomy.
- Pair with one hands-on platform (TryHackMe or HTB Academy) plus PortSwigger Academy (free).
- Take 1-2 timed practice exams in the final 2 weeks.
- On exam day: three-pass strategy, never leave blanks, choose EC-Council's framing when stuck between two technically valid answers.
- After passing: PNPT or OSCP for actual offensive skill, regardless of your career stage.
Nexus SecOps coverage map for CEH¶
This study path links 18 chapters and 14 labs across the eight CEH content phases, plus the cheat sheets, the Detection Query Library, and the ATT&CK Technique Reference. Coverage is heaviest in Phases 2, 3, 5, and 8 — the phases where Nexus content overlaps directly with practical offensive technique. Phases 6 (wireless) and 7 (mobile/IoT/OT) have lighter Nexus coverage by design; supplement those modules with EC-Council courseware or third-party material.
If a Nexus chapter linked above doesn't go deep enough on a specific CEH module sub-topic, that's a feature not a bug — Nexus is a security operations textbook with a red team supplement, not a CEH study guide. Use the chapter for conceptual grounding, then use the official CEH courseware or a CEH-specific guide (Sybex CEH v12 Study Guide, Matt Walker's All-in-One Exam Guide) for the EC-Council-specific definitions and tool taxonomies the exam requires.
Appendix A: High-yield memorization reference¶
The exam tests recall on a small number of categories repeatedly. Build flashcards from these tables. Most candidates who fail by single-digit percentages cite missing the items below.
A.1 Common port numbers (memorize cold)¶
| Port | Protocol | Typical service |
|---|---|---|
| 20 / 21 | TCP | FTP data / FTP control |
| 22 | TCP | SSH, SCP, SFTP |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP |
| 53 | TCP/UDP | DNS (UDP for queries, TCP for zone transfer + responses >512 bytes) |
| 67 / 68 | UDP | DHCP server / client |
| 69 | UDP | TFTP |
| 80 | TCP | HTTP |
| 88 | TCP/UDP | Kerberos |
| 110 | TCP | POP3 |
| 111 | TCP/UDP | RPCbind / portmapper |
| 119 | TCP | NNTP |
| 123 | UDP | NTP |
| 135 | TCP | Microsoft RPC endpoint mapper |
| 137 / 138 / 139 | UDP/UDP/TCP | NetBIOS name / datagram / session |
| 143 | TCP | IMAP |
| 161 / 162 | UDP | SNMP / SNMP trap |
| 389 | TCP/UDP | LDAP |
| 443 | TCP | HTTPS |
| 445 | TCP | SMB over TCP |
| 465 | TCP | SMTPS (legacy) |
| 500 | UDP | IKE (IPsec) |
| 514 | UDP | Syslog |
| 515 | TCP | LPD/LPR (printing) |
| 587 | TCP | SMTP submission |
| 593 | TCP | RPC over HTTP |
| 636 | TCP | LDAPS |
| 749 / 750 | TCP/UDP | Kerberos admin / Kerberos v4 |
| 873 | TCP | rsync |
| 993 | TCP | IMAPS |
| 995 | TCP | POP3S |
| 1080 | TCP | SOCKS proxy |
| 1433 / 1434 | TCP/UDP | Microsoft SQL Server / MSSQL Browser |
| 1521 | TCP | Oracle DB |
| 1701 | UDP | L2TP |
| 1723 | TCP | PPTP |
| 1812 / 1813 | UDP | RADIUS auth / accounting |
| 2049 | TCP/UDP | NFS |
| 3128 | TCP | Squid proxy default |
| 3268 / 3269 | TCP | Global Catalog (AD) / LDAPS over GC |
| 3306 | TCP | MySQL |
| 3389 | TCP | RDP |
| 4444 | TCP | Metasploit default handler (recognize, not standard) |
| 5060 / 5061 | TCP/UDP | SIP / SIP-TLS |
| 5432 | TCP | PostgreSQL |
| 5900 | TCP | VNC |
| 5985 / 5986 | TCP | WinRM HTTP / WinRM HTTPS |
| 6379 | TCP | Redis |
| 8080 / 8443 | TCP | HTTP-alt / HTTPS-alt |
| 9100 | TCP | Printer JetDirect |
| 27017 | TCP | MongoDB |
If you can't recite the protocol and service for every entry above without looking, you're not ready for the exam.
A.2 Hashcat mode numbers (most-tested subset)¶
| Mode | Hash type | Notes |
|---|---|---|
| 0 | MD5 | Raw MD5 |
| 100 | SHA1 | Raw SHA1 |
| 1000 | NTLM | Windows local hash |
| 1100 | Domain Cached Credentials (DCC, mscash) | Legacy domain cache |
| 1400 | SHA-256 | Raw |
| 1700 | SHA-512 | Raw |
| 1800 | sha512crypt $6$ | Modern Linux /etc/shadow |
| 2100 | DCC2 (mscash2) | PBKDF2-based domain cache |
| 3000 | LM | Legacy LANMAN |
| 5500 | NetNTLMv1 | Network challenge/response |
| 5600 | NetNTLMv2 | Modern network challenge/response |
| 7500 | Kerberos 5 AS-REQ Pre-Auth (etype 23) | AS-REP Roasting variant |
| 13100 | Kerberos 5 TGS-REP (etype 23) | Kerberoasting |
| 18200 | Kerberos 5 AS-REP (etype 23) | AS-REP Roasting |
| 22000 | WPA-PBKDF2-PMKID+EAPOL | Modern WPA2 capture format |
| 1500 | descrypt, DES Unix | Legacy /etc/shadow |
| 500 | md5crypt $1$ | Old Linux /etc/shadow |
| 1600 | apr1 / Apache MD5 | .htpasswd |
A.3 Nmap flag cheat (the flags that show up on the exam)¶
| Flag | Meaning |
|---|---|
| -sS | TCP SYN scan (stealth, default for privileged users) |
| -sT | TCP connect scan (full handshake, used when raw sockets unavailable) |
| -sU | UDP scan |
| -sN / -sF / -sX | Null / FIN / Xmas scan (firewall evasion attempts against non-stateful filters) |
| -sA | TCP ACK scan (firewall ruleset mapping) |
| -sV | Service/version detection |
| -sC | Default script scan (equivalent to --script=default) |
| -O | OS fingerprinting |
| -A | Aggressive: -O -sV -sC --traceroute |
| -Pn | Skip host discovery (treat all hosts as up) |
| -PS / -PA / -PU | TCP SYN / TCP ACK / UDP host discovery |
| -PE / -PP / -PM | ICMP echo / timestamp / netmask host discovery |
| -p- | All 65535 TCP ports |
| --top-ports N | Top N most common ports |
| -T0 to -T5 | Timing template (0=paranoid, 5=insane) |
| -f | Fragment packets (evasion) |
| --mtu N | Custom MTU (evasion) |
| -D decoy1,decoy2,ME | Decoy scanning |
| -S <addr> | Spoof source address |
| --source-port N / -g N | Spoof source port |
| --data-length N | Append random data to scan packets |
| --randomize-hosts | Randomize target order |
| --script vuln | Run vulnerability category NSE scripts |
| --script smb-enum* | SMB enumeration scripts |
| -oN/-oG/-oX/-oA | Output normal / grepable / XML / all |
| -v / -vv / -d | Verbose, very verbose, debug |
| -iL <file> | Read targets from file |
A.4 EC-Council five phases of ethical hacking¶
Memorize the order; the exam asks you to map activities to phases.
- Reconnaissance — passive information gathering (OSINT, Whois, DNS, social media, Google dorking)
- Scanning — active probing (Nmap, vulnerability scans, enumeration)
- Gaining Access — exploitation (vulnerability exploit, password attack, social engineering payload delivery)
- Maintaining Access — persistence (backdoor, rootkit, scheduled task, service creation, accounts)
- Clearing Tracks — log clearing, timestomping, hiding artifacts
The exam may ask you to differentiate this from PTES (Pre-engagement, Intel Gathering, Threat Modeling, Vuln Analysis, Exploitation, Post-Exploitation, Reporting) or the Cyber Kill Chain (Recon, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives). Know which framework owns which phase names.
A.5 EC-Council hacker taxonomy¶
Memorize even though several labels don't appear in real-world security writing.
| Label | EC-Council definition |
|---|---|
| White hat | Ethical hacker with authorization |
| Black hat | Malicious unauthorized hacker |
| Gray hat | Operates between ethical and malicious; may break rules without malice |
| Suicide hacker | Doesn't care about legal consequences; ideologically motivated |
| Script kiddie | Uses others' tools without understanding |
| Cyber terrorist | Politically/religiously motivated, large-scale targets |
| State-sponsored hacker | Nation-state employed |
| Hacktivist | Politically motivated |
| Spy hacker | Hired for corporate espionage |
A.6 Vulnerability scoring (CVSS)¶
CVSS v3.1 base metrics: Attack Vector (Network/Adjacent/Local/Physical), Attack Complexity (Low/High), Privileges Required (None/Low/High), User Interaction (None/Required), Scope (Unchanged/Changed), Confidentiality/Integrity/Availability impact (None/Low/High). Base score ranges:
| CVSS score | Severity |
|---|---|
| 0.0 | None |
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |
CVSS v4.0 adds Threat metrics (Exploit Maturity), Environmental adjustments, and Supplemental metrics. The exam may reference v3.x or v4.0; recognize both.
A.7 Symmetric vs asymmetric algorithm reference¶
| Category | Algorithms | Key sizes / notes |
|---|---|---|
| Symmetric block | DES (56-bit, broken), 3DES (168-bit effective ~112, deprecated), AES (128/192/256), Blowfish (32-448), Twofish (128/192/256), IDEA (128), RC5, RC6, CAST, Camellia | AES is the modern default |
| Symmetric stream | RC4 (broken, deprecated), ChaCha20 (modern) | RC4 still tested for historical context |
| Asymmetric | RSA (1024 weak / 2048 minimum / 3072+ preferred / 4096), DSA, ECC (256-bit ECC ≈ 3072-bit RSA strength), ElGamal, Diffie-Hellman | ECC strength-per-bit advantage is a tested concept |
| Hash | MD5 (broken, 128-bit), SHA-1 (broken for collision resistance, 160-bit), SHA-2 (224/256/384/512), SHA-3 (224/256/384/512), RIPEMD-160 | SHA-256 is the modern baseline |
| Block modes | ECB (don't use), CBC, CFB, OFB, CTR, GCM (authenticated), CCM | "Why is ECB bad" is a recurring question — patterns leak |
| Key exchange | Diffie-Hellman (DH), ECDH, RSA key transport | DH provides forward secrecy when ephemeral (DHE/ECDHE) |
Appendix B: Anatomy of a CEH question (worked examples)¶
The exam's question patterns repeat. Recognizing patterns saves seconds per question and adds up to minutes by question 125. Synthetic examples below — not real exam questions, but representative of the patterns.
Pattern 1: "Which tool would best..."¶
An ethical hacker is performing reconnaissance against example.com and wants to enumerate subdomains and gather DNS records without sending traffic to the target. Which of the following tools would BEST accomplish this?
A. Nmap B. theHarvester C. Nessus D. Hydra
Walkthrough. Constraint: "without sending traffic to the target" → passive recon only. Eliminate Nmap (active scanning), Nessus (active scanning), Hydra (online password attack). theHarvester pulls from search engines, public sources, and certificate transparency logs without touching the target directly. Answer: B.
Lesson. When a question stipulates "passive" or "without sending traffic," eliminate every active tool first.
Pattern 2: "An attacker captures the following output..."¶
An attacker captures the following Nmap output:
Which of the following enumeration tools would the attacker MOST LIKELY use next?
A. snmpwalk B. enum4linux C. dnsenum D. nikto
Walkthrough. Open ports 445 and 139 mean SMB/NetBIOS. Eliminate snmpwalk (SNMP, port 161), dnsenum (DNS, port 53), nikto (web, ports 80/443). Answer: B (enum4linux is the canonical SMB enumeration wrapper).
Lesson. Map open ports → service → enumeration tool. Memorize the matchups.
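The port → service → tool matchup the lesson describes is mechanical enough to encode, and doing so is a useful way to drill the A.1 port table. The block below is an added example, not code from the page or from Nmap: it parses the XML that `-oX` produces, keeps only open ports, labels them from a subset of the Appendix A.1 table, and attaches the enumeration-tool matchups the Pattern 2 walkthrough states. The XML is constructed to look like Nmap output; the host address and port states are invented.

```python
"""Open ports from Nmap -oX output -> service label -> follow-up tool.

Added example. PORT_SERVICES is a subset of Appendix A.1; ENUM_TOOLS is the
port/tool matchup from the Pattern 2 walkthrough. SAMPLE_XML is constructed
in the shape of nmap -oX output and is not a real scan."""
import xml.etree.ElementTree as ET

PORT_SERVICES = {
    ("tcp", 21): "FTP control", ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 80): "HTTP", ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 135): "Microsoft RPC endpoint mapper",
    ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session", ("udp", 161): "SNMP",
    ("tcp", 389): "LDAP", ("tcp", 443): "HTTPS", ("tcp", 445): "SMB over TCP",
    ("tcp", 3389): "RDP",
}

ENUM_TOOLS = {
    ("tcp", 139): "enum4linux", ("tcp", 445): "enum4linux",
    ("udp", 161): "snmpwalk",
    ("tcp", 53): "dnsenum", ("udp", 53): "dnsenum",
    ("tcp", 80): "nikto", ("tcp", 443): "nikto",
}

# Constructed sample in nmap -oX shape (address and states are invented).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -oX scan.xml 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return [(addr, proto, port, nmap_service_name)] for every open port."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue            # closed/filtered ports are noise for this drill
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            found.append((addr, p.get("protocol"), int(p.get("portid")), name))
    return found


def triage(xml_text):
    """Label each open port from the A.1 table, falling back to Nmap's own
    service guess when the port is not in the table."""
    rows = []
    for addr, proto, port, nmap_name in open_ports(xml_text):
        key = (proto, port)
        rows.append({
            "host": addr, "port": f"{port}/{proto}",
            "service": PORT_SERVICES.get(key, nmap_name or "unknown"),
            "next_tool": ENUM_TOOLS.get(key),
        })
    return rows


def next_tools(xml_text):
    """Distinct follow-up tools implied by the open ports, in scan order."""
    tools = []
    for row in triage(xml_text):
        if row["next_tool"] and row["next_tool"] not in tools:
            tools.append(row["next_tool"])
    return tools


if __name__ == "__main__":
    for row in triage(SAMPLE_XML):
        print(row)
    print("follow-up:", next_tools(SAMPLE_XML))
```

Against the constructed sample, 139/tcp and 445/tcp both resolve to enum4linux and 161/udp to snmpwalk, which is exactly the elimination the Pattern 2 walkthrough performs; 8443/tcp is not in the A.1 subset and falls back to Nmap's `https-alt` label.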
Pattern 3: "Which attack is described..."¶
An attacker sends a crafted ARP reply to a victim host claiming that the gateway's IP address corresponds to the attacker's MAC address. The victim then routes all outbound traffic through the attacker. This is BEST described as which of the following attacks?
A. ARP flooding B. ARP poisoning (also known as ARP spoofing) C. CAM table overflow D. DHCP starvation
Walkthrough. Crafted ARP reply binding a target IP to attacker's MAC → ARP poisoning / spoofing by definition. ARP flooding floods the cache with bogus entries (related but different). CAM table overflow targets switches. DHCP starvation exhausts the DHCP pool. Answer: B.
Lesson. Read carefully — multiple distractors are "in the same neighborhood" but only one is the textbook definition.
Pattern 4: "The MOST appropriate countermeasure..."¶
An organization has detected repeated failed login attempts against multiple user accounts within a short time window. Which of the following would be the MOST appropriate countermeasure?
A. Implement account lockout after a threshold of failed attempts B. Disable all affected accounts permanently C. Block the source IP at the perimeter firewall only D. Enable verbose authentication logging without other action
Walkthrough. B is overcorrection. C is incomplete (attacker can rotate IPs). D detects but doesn't prevent. Answer: A. CEH likes the moderate, vendor-neutral, generally-correct answer when asked for "MOST appropriate."
Lesson. Avoid extreme answers. The right answer is usually proportionate.
Pattern 5: "The hacker is in which phase..."¶
A penetration tester has gained shell access on a target system and is now installing a web shell to ensure access in case the original entry vector is patched. According to EC-Council's five phases of ethical hacking, the tester is in which phase?
A. Scanning B. Gaining Access C. Maintaining Access D. Clearing Tracks
Walkthrough. Web shell for persistence → Maintaining Access. Don't overthink it. Answer: C.
Lesson. Map the activity to EC-Council's five-phase model, not PTES or kill chain.
Pattern 6: "Which Hashcat mode..."¶
A penetration tester captured a Kerberos TGS ticket with encryption type 23 (RC4) for offline cracking ("Kerberoasting"). Which Hashcat mode should be used?
A. 1000 B. 5500 C. 13100 D. 22000
Walkthrough. 1000 = NTLM, 5500 = NetNTLMv1, 13100 = Kerberos 5 TGS-REP etype 23 (the Kerberoasting hash format), 22000 = WPA. Answer: C.
Lesson. Hash mode questions are pure recall. Build the flashcard deck.
Pattern 7: "The BEST defense against..."¶
Which of the following is the BEST defense against SQL injection in a new application being developed?
A. Input validation using a denylist of dangerous characters B. Web application firewall (WAF) with default ruleset C. Parameterized queries / prepared statements D. Stored procedures
Walkthrough. Denylists (A) are bypassable. A WAF (B) is detective/compensating, a backstop rather than a primary defense. Stored procedures (D) help only if they are themselves parameterized and can still concatenate input internally. Answer: C — parameterized queries are the textbook primary defense in OWASP and CEH framing.
Lesson. When asked for "BEST defense" against an injection class, choose the structural fix (parameterization, output encoding, principle of least privilege) over the bolt-on (WAF, validation alone).
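The distinction between a bolt-on filter and a structural fix is easiest to see when the two query styles run side by side. The block below is an added example, not code from the page: it builds a constructed in-memory SQLite table and runs the same lookup twice, once with the input concatenated into the SQL text (the vulnerable pattern behind option A/B thinking) and once with a bound parameter (option C). The injection string is the classic tautology used in every OWASP writeup and is included only to show that the parameterized version treats it as an ordinary, non-matching username.

```python
"""Pattern 7 side by side: concatenated SQL vs a parameterized query.

Added example using Python's standard sqlite3 module. The users table and
its rows are constructed for the demonstration."""
import sqlite3


def make_db():
    """Constructed three-row table; in-memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_concat(conn, username):
    """Vulnerable form: untrusted input becomes part of the SQL statement,
    so the database cannot tell data from query structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Hardened form: the statement shape is fixed at parse time and the
    value is bound separately, so quote characters in it stay data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both forms with a benign name and a constructed tautology input."""
    conn = make_db()
    benign = "bob"
    tautology = "' OR '1'='1"      # constructed: classic always-true predicate
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_tautology": lookup_concat(conn, tautology),
        "param_benign": lookup_param(conn, benign),
        "param_tautology": lookup_param(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18} -> {rows}")
```

The concatenated lookup returns every row for the tautology input because the WHERE clause collapsed to `username = '' OR '1'='1'`; the parameterized lookup returns nothing because it searched for a user literally named `' OR '1'='1`. No character denylist was involved in the fix, which is the point the lesson makes.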
Appendix C: Chapter-and-lab cross-reference matrix¶
For each CEH module, the Nexus chapters and labs that map most directly:
| CEH Module | Primary Nexus chapter | Secondary chapters | Hands-on labs |
|---|---|---|---|
| 1. Intro to Ethical Hacking | Ch 16 | Ch 1, Ch 13, Ch 41 | Lab 1 |
| 2. Footprinting & Recon | Ch 19 | Ch 42 | — |
| 3. Scanning Networks | Ch 43 | Ch 16 | Lab 22 |
| 4. Enumeration | Ch 43 | Ch 45 | Lab 22 |
| 5. Vulnerability Analysis | Ch 29 | Ch 30 | Lab 30 |
| 6. System Hacking | Ch 17 | Ch 41, Ch 45, Ch 48 | Lab 22 |
| 7. Malware Threats | Ch 18 | Ch 23 | Lab 7, Lab 19 |
| 8. Sniffing | Ch 31 | Ch 43 | — |
| 9. Social Engineering | Ch 25 | Ch 47 | — |
| 10. Denial-of-Service | Ch 31 | Ch 22, Ch 23 | — |
| 11. Session Hijacking | Ch 30 | Ch 44 | Lab 20 |
| 12. Evading IDS/Firewalls | Ch 31 | Ch 41 | — |
| 13. Hacking Web Servers | Ch 30 | Ch 44 | Lab 20 |
| 14. Hacking Web Applications | Ch 44 | Ch 30, Ch 52 | Lab 20, Lab 25, Lab 28 |
| 15. SQL Injection | Ch 44 | Ch 30 | Lab 20 |
| 16. Hacking Wireless Networks | Ch 31 | Ch 34 | — |
| 17. Hacking Mobile Platforms | Ch 34 | — | — |
| 18. IoT and OT Hacking | Ch 21 | Ch 34 | — |
| 19. Cloud Computing | Ch 20 | Ch 46, Ch 51, Ch 57 | Lab 8, Lab 13, Lab 17, Lab 21, Lab 26, Lab 27 |
| 20. Cryptography | Ch 32 | Ch 33 | — |
Total Nexus mapping: 19 chapters, 11 labs, plus cheat sheets and the Detection Query Library. Modules 16 (wireless) and 17 (mobile) lean lightest on Nexus content; supplement those from EC-Council courseware or a CEH-specific guide.
Appendix D: FAQ¶
Q: Should I take CEH v12 or wait for v13? A: Take whatever version is current when you book. v13 adds AI-augmented hacking content but the core 20-module structure is similar. Don't delay six months waiting for a version refresh; the cert-body cycle is regular and there's always another version on the horizon.
Q: Should I do CEH (Practical) for the CEH Master designation? A: Only if you'll get value from the CEH Master title (some employers and contracts call for it explicitly). Otherwise, your time is better spent on PNPT or OSCP, which have stronger industry recognition than CEH Master in 2026.
Q: I have CompTIA Security+. Should I do CEH or CySA+ next? A: Depends on direction. For SOC/blue team: CySA+. For pentest/red team and DoD 8570: CEH. Both have value but they target different roles. If you're not sure which direction yet, CySA+ is more transferable; CEH is more credential-recognized.
Q: My employer is paying. Is CEH worth it then? A: Yes if it satisfies a job/contract gate. Still pair it with hands-on practice — passing CEH alone won't make you good at the work.
Q: How does CEH compare to CompTIA PenTest+? A: Similar tier; PenTest+ is generally cheaper and considered roughly equivalent or slightly more practical. CEH has more brand recognition in HR systems and DoD 8570 lists. Either works as a credential checkbox; neither replaces hands-on training.
Q: Can I pass CEH using only the official iLearn courseware? A: Yes if you absorb it well, but most candidates report better results pairing official material with one alternative source (Sybex CEH study guide, Boson practice exams, or a video course like Cybrary/INE).
Q: How long is CEH valid? A: CEH is valid for three years. To renew you accumulate 120 EC-Council Continuing Education credits and pay the annual ECE membership fee.
Q: What's the failure rate? A: EC-Council doesn't publish official pass rates. Anecdotal reports cluster around 60-70% first-attempt pass rate for prepared candidates. Most failures cite tool/flag/port memorization gaps rather than conceptual misunderstanding.
Q: Can I retake if I fail? A: Yes. There's a retake fee and a waiting period (1 day before a second attempt, longer before subsequent attempts under EC-Council's retake policy; verify the current policy when you book).
Q: Will I learn enough from CEH to do real pentest work? A: No. CEH gives you the vocabulary and framework. Doing real pentest work requires hands-on practice (HTB, TryHackMe, real lab environments, eventually OSCP or PNPT). Treat CEH as the credential layer and the hands-on platforms as the skill layer.
Q: Is CEH respected outside of HR/DoD? A: Mixed. Working pentesters and red teamers tend to view it as entry-level at best and as marketing-driven at worst. Hiring managers in security roles often share that view. HR and procurement view it favorably. Plan accordingly: get CEH for the doors it opens, not for the respect it earns from peers.
Q: Can I skip CEH if I have OSCP? A: For most pentest roles, yes. OSCP is uniformly viewed as harder and more practical. The exception is DoD 8570 and contracts that name CEH specifically — OSCP is also on the 8570 baseline list but specific contract SOWs may demand CEH by name.