CEH Experience Requirement

Sorry if this is answered somewhere else, but can anyone attest as to what the EC-Council considers "information security experience"?

I've graduated from college over a year ago with a degree in Computer Security Systems (minor in Cyber Forensics), I've only worked in the IT/IS field since July, moving to a very specific IS field in November. I've got a bunch of networking certs (as well as the Security+) under by belt, and I know that I can pass the CEHv8 exam if I dedicated the time and effort to it utilizing self-study methods.

I don't understand the 2 year experience requirement--not be cause experience requirements are abnormal, but because it seems like a huge marketing ploy to sell overpriced product. Hence the "unless you purchase official courseware" clause... Quite frankly, the certification voucher (plus $100 application for eligibility) is expensive as it is, but I simply don't have $1900 to spend on it and don't think I need the $1300 worth of their official courseware...

I guess I'm better off spending the $1200 on the OSCP with 90 days of lab time rather than being forced to spend an additional $1300 on coursework that I don't think I need?

Find more posts tagged with

Comments

lsud00d

There are varying opinions on here but IMO CEH = not worth it. Unless it is required for a position you are looking at (which is possible in the federal/military sector), don't worry about it. It's an over-glorified S+ and there are many certs (like OSCP if that's what you're into) with a better ROI.

Vask3n

The only problem I have with CEH is just that I don't understand how the two possible routes they offer (coursware or experience) are equivalent to each other. Let's say you choose to go the courseware route and pay the couple thousand on the official course....How is that equivalent to the second way of being eligible, which is 2 years of experience, an education requirement, and being recommended?

Does the $2000 somehow magically replace what two years of real-world experience in the security field teach you? I just don't see the benefit of paying upwards of $2,000 to take a certification which is a glorified pen-test exam when you can just take a free 7 day trial of CBT nuggets and blaze through the Kali Linux and CEH courses in a couple days? And I don't mean that as a plug to CBT, I mean that from a practical perspective.

I would rather just learn pen-testing using other courseware and videos and focus on something other than CEH

colemic

Vask3n wrote: »

The only problem I have with CEH is just that I don't understand how the two possible routes they offer (coursware or experience) are equivalent to each other. Let's say you choose to go the courseware route and pay the couple thousand on the official course....How is that equivalent to the second way of being eligible, which is 2 years of experience, an education requirement, and being recommended?

Does the $2000 somehow magically replace what two years of real-world experience in the security field teach you? I just don't see the benefit of paying upwards of $2,000 to take a certification which is a glorified pen-test exam when you can just take a free 7 day trial of CBT nuggets and blaze through the Kali Linux and CEH courses in a couple days? And I don't mean that as a plug to CBT, I mean that from a practical perspective.

I would rather just learn pen-testing using other courseware and videos and focus on something other than CEH

LOL you just characterized the $2,000 course perfectly - a bribe.

mfrat1114

Vask3n wrote: »

The only problem I have with CEH is just that I don't understand how the two possible routes they offer (coursware or experience) are equivalent to each other. Let's say you choose to go the courseware route and pay the couple thousand on the official course....How is that equivalent to the second way of being eligible, which is 2 years of experience, an education requirement, and being recommended?

Does the $2000 somehow magically replace what two years of real-world experience in the security field teach you? I just don't see the benefit of paying upwards of $2,000 to take a certification which is a glorified pen-test exam when you can just take a free 7 day trial of CBT nuggets and blaze through the Kali Linux and CEH courses in a couple days? And I don't mean that as a plug to CBT, I mean that from a practical perspective.

I would rather just learn pen-testing using other courseware and videos and focus on something other than CEH

That's exactly my point. Why even list an experience requirement if you can get out of it by pulling out a ridiculous sum of cash out of your pocket? Seems like a huge joke to me, and the $100 application fee is also laughable.

JDMurray

There are two broad groups of CEH certification candidates: 1) those with no professional InfoSec experience who need the full course, and 2) those with professional InfoSec experience who can pass the CEH without taking the official course. For people in group #2, the prerequisite of work experience is easy to satisfy, so they only need to fork over the extra $100 "application fee" with the exam fee to take the CEH exam. Candidates in group #1 that don't want to take the official course are the ones that complain about the experience requirement.

IMHO, the CEH course and courseware are well worth the $2K cost, but the exam isn't worth the $500 fee.

mfrat1114

JDMurray wrote: »

There are two broad groups of CEH certification candidates: 1) those with no professional InfoSec experience who need the full course, and 2) those with professional InfoSec experience who can pass the CEH without taking the official course. For people in group #2, the prerequisite of work experience is easy to satisfy, so they only need to fork over the extra $100 "application fee" with the exam fee to take the CEH exam. Candidates in group #1 that don't want to take the official course are the ones that complain about the experience requirement.

IMHO, the CEH course and courseware are well worth the $2K cost, but the exam isn't worth the $500 fee.

I do have over a year of professional InfoSec experience, and I certainly do not need the course. I feel like it's kind of pointless to institute an experience requirement that gets waived if you shell out cash. I feel that the coursework is probably very educational, but examining practice exams, already studying and reading material (such as Matt Walker's AIO), a lot of this stuff is very familiar to me, as I perform security audits / vulnerability assessments / penetration tests for many different clients.

JDMurray

Unfortunately, the EC-Council has no way to evaluate exam candidate's professional experience other than their resumes. The "classroom vs. work experience" trade-off is acceptable to everybody who meets the experience requirements and rarely acceptable by those that don't.

I would suggest waiting another year to collect the necessary work experience and use that time to decide if the CEH will actually give your career a significant return on your $600 investment.

mfrat1114

JDMurray wrote: »

Unfortunately, the EC-Council has no way to evaluate exam candidate's professional experience other than their resumes. The "classroom vs. work experience" trade-off is acceptable to everybody who meets the experience requirements and rarely acceptable by those that don't.

I would suggest waiting another year to collect the necessary work experience and use that time to decide if the CEH will actually give your career a significant return on your $600 investment.

Thanks for the advice. I read through the AIO in about a week because the content was actually very enjoyable. However, as reflected by the AIO, I felt that it's more-so foundational knowledge to someone new to auditing/VA scanning but that it should be a required read by all wishing to enter that field.

The methodologies are good and the level of knowledge is not hard, but enough to give a good foundation and understanding of the whole process.