Wanna get EC-Council CEH? Think again.

There are a lot of educated people on this forum so it's nothing new and everybody knows that this cert is more or less a joke. It is "kind of" legit but there are certain indications pointing an independent examiner to a conclusion that EC-Council is at least unprofessional, or, straight up disrespectful towards examinees and industry.

You may see this cert mentioned in job descriptions and it will certainly help you in passing HR filter in your job search. Therefore, it works. But you may also find out that some respected professionals disdain it and your reputation may suffer if you brag about having this cert in front of them.

I recently passed it (it will help for WGU program) and would like to point out some inconsistencies that I didn't like about this cert and certification body itself. I'm not a general cert hater, I have a lot of other certs. I'm more concerned about profession here and would like to call a spade a spade. Points are chronological.

- Process of exchanging completed purchase order information and and eligibility codes/vouchers is done via e-mail and isn't automated. Periodically you find yourself in e-mail threads in cc: with e-mail like this: hey Shawna, this guy paid for his exam, make appropriate arrangements, please.

- Eligibility application form contains a lot of mistakes and errors and overall design is atrocious. E.g. sometimes they write "Candidate" with capital c, sometimes "candidate" with lowercase, etc. Some phrases are ended with a period, some aren't. Contain several sentences like this one: "If you submit electronically please don't forget to attached the requested documents." Proof. I mean, I'm a foreigner myself and English isn't my native language, but if you want to sound official and be respected why don't you hire somebody with a degree in language arts to check it? Hell, even some important e-mails from executives got proofread and corrected before people send them out and this is a certification body!

- In eligibility application form you can select both Pearson VUE and Prometric. Personally I hate VUE and had bad experiences with them, so I hoped to use Prometric. To my surprise I wasn't allowed to.

- Apparently they ditched Prometric, but it's still shown on both their web-site and eligibility form, so you can go in and pay money hoping to pass it in your nearby Prometric to find out later that you have to register in and drive to Pearson VUE. Proof. Another proof.

- Surprisingly, you can schedule your test right on both Prometric and Pearson VUE web-sites and complete the process, including paying fees. I believe you even can take the test itself, just like you would do with MSFT certs, for example. Only after you may discover that you aren't allowed to do that: "EC-Council reserves the right to deny certification to any candidate who attempts to sit for this exam without a valid eligibility code. Respectively, if it is discovered that a certification was granted to a candidate who sat for the exam without a valid eligibility code, EC-Council also reserves the right to revoke the offending candidate's certification."

- Whole process is poorly documented and often you don't know what to do. I already mentioned ability to pay straight to testing centers which would be wrong. Say, you've paid your subsequent $500. What next? Are you supposed to just sit and wait until they recognize that payment? Or do you have to call or e-mail them? Which phone or e-mail in this case?

- Then you've got a document on how to proceed with scheduling your exam. Here is a screenshot. What's that? I'll tell you what. Someone just put an image into this file and it didn't fit. So the person who was doing it (wrong) just shrank it horizontally, that's why all the letters look like someone overstretched them. Proof.

- Anyways, the document is useless since VUE has changed their site appearance and these exact steps no longer work.

- In addition to your voucher (for which you pay $500 and which waives your $500 price on VUE) you get a "VUE Eligibility Code" which purpose is unclear. You can easily find some topics on this forum where people wonder what's that and where to put this. Great job on informing your customers, EC-Council!

- Not to mention that their web-site was hacked and defaced twice in recent years and probably personal information of candidates was stolen. This explains why the ask you to provide identification proof WITHOUT revealing your personal identifiable data. Proof.

- BTW, if you passed CISSP recently you probably don't need CEH. I passed it without preparation after I noticed that I get high percentage of correct answers on cccure in CEH after spending half a year for CISSP preparation. Yeah, you will probably do poorly on using hacking tools questions, but the rest of their questions fit into CISSP CBK pretty well. After all, just play with nmap and nc (if you haven't used them before which is doubtful) and memorize main switches.

- In my application process I had to create two support tickets on their support web-site (actually they outsource it to zendesk). Not that I'm unfamiliar with computer based testing and scheduling my exams. It's just the process. First time I asked why I keep getting payment failed for my initial $100 fee. Proof. It turned out that this payment goes overseas (despite the fact that EC-Council seems to be registered in ABQ, New-Mexico, U.S.) and you have to call your bank and tell them that it's not a fraud and you really want this payment to go through. Second time I asked why I don't seem to have possibility to get a voucher for Prometric despite the fact that it was stated earlier that Prometric is an option (in application eligibility form and a EC-Council website) and CEH is listed on Prometric.

- And yet, being that lame, this exam requires you to pay $600 to challenge it. I'd say it is 10 times higher than I would pay if I knew everything that I've written here before engaging. For some context, challenging CISSP (which is much more serious and respected) costs $600 in the US. MSFT exams are $150 each. GIAC exams, of course, are also through the roof and probably not worth money paid to take them, but at least they have some reputation.

- In the end, I'd like to say that exam is too easy and those who passed it shouldn't really be considered as hackers in any respected way. I'd say that it gives you "certified ethical script kiddie" label, or C|ESK, hehe. Plus, I really felt myself pissed off when I stared at some of the questions on exam, they really suck in both wording and logic. I memorized two most ridiculous ones that are definitely wrong, but, I guess, I can't disclose them without violating NDA...

- Overall, I regret going through all of this and probably won't maintain this cert. If I'm contacted by them and get my cert revoked because of me writing this -- a sh!t I don't give. I deserve this because I was stupid enough to waste my 600 bucks on this, hehe

And, again, I write this in order to advance and protect the profession. EC-Council should fix their stuff (which I don't believe considering they haven't done it so far after all criticisms and web-site defaces) OR InfoSec community should disregard this cert because that's what it deserves, at least as of now.

Find more posts tagged with

Comments

E Double U

My former SOC manager told me that it is a joke when I told him that I was interested in it. My former SOC 3rd line engineer got that before OSCP and now feels CEH is worthless. I was really interested in it, but keep hearing the same thing. Luckily my CISO said he wouldn't reimburse for it so I'm going the SANS route instead.

gespenstern

OSCP is a serious exam from what I learned here and from my friends but pricey. I hope that my next employer will be willing to pay for it

wd40

I will never consider going for CEH, if you do not have the experience (like me) you need to take an official course which costs 2,895 US$ !

OSCP including 90 days lab costs 1,150 US$ and eCPPT Elite with 120 HRS lab access cost 999 US$ (and you can get it cheaper with special offers)

5ekurity

Funny, I was talking with my boss a few weeks ago about getting more into the 'Red Team' side of things over the course of the next year or two. He had mentioned seeing something about the CEH and I just started laughing. I explained to him that while HR values the certification for some reason, in reality it does little to prepare you for actual 'Red Team' work. With that, the conversation quickly moved on to talk about SANS and Offensive Security training

cyberguypr

^ mission accomplished.

E Double U

I was really interested in the cert, but I continue to see more nails being put in the coffin lol. I've yet to see a job that req'd CEH (I could be looking in the wrong places). I always see it listed as a recommendation with CISSP or CISA like having one of three is good enough.

NetworkNewb

I was and am still thinking of taking this. I always thought of it as a beginning cert before doing OSCP. I don't have a lot of experience in this area personally so I believe it would definitely help me. And I do see this on a lot of job ads (maybe not as requirement, but in the preferred section) so I believe it will definitely provide value in respect it will help you get an interview at least.

Is it a cert that will get me a job or meant for people with experience in this field, maybe not, but I can see some value in it.

cyberguypr

Oh yes, there's definitely some value, just not what EC Council is charging for it.

wd40

NetworkNewb, the question is: is it worth the cost?

You can take the CEH course for 2895 US$
or
eJPT 399 $
then
eCPPT 999 $
then
OSCP 1150 $
and
OSWP 450 $

So CEH + 103 $= eJPT + eCPPT + OSCP + OSWP

sigsoldier

Colemic is the resident EC-Council apologist on these boards. Hopefully he'll chime in and remind us why every IT professional needs to be CEH certified.

NetworkNewb

Thats true, that cost is ridiculous... Maybe if work will pay for it =P

Rumblr33

I used the GI Bill to pay for the CEH course and I feel like it was a waste of money and my benefits. I would have gone the route that's listed above, even though the GI Bill does not pay for the these certs.

Robertf969

My LT keeps telling me he wants C|EH, I always mess with him and tell him he just wants it because it has a cool name. After all most of my non-It friends would think a Certified Ethical Hacker is much cooler than a Certified Information Systems Security Professional, sadness. I told him there is so much more value in the CISSP, yet he still contends that he wants to get the C|EH first. That being said I do see a lot of postings saying C|EH and CISSP a plus so I might get it eventually, just not on my priority list right now.

E Double U

Robertf969 wrote: »

he just wants it because it has a cool name.

Guilty as charged

gespenstern

Robertf969 wrote: »

My LT keeps telling me he wants C|EH, I always mess with him and tell him he just wants it because it has a cool name.

Yeah, and this is a part of their commercial success (more or less of one) because they chose to sound cool. That plays well with shallow minded persons who don't dive deeply into things in the field. E.g. recruiters and like, people from outside, etc.

But I would suggest that it has quite an opposite effect on serious pros in the field, because they understand more clearly what it takes to be a hacker and how far C|EH certified person may be from it. And they start thinking that being a certified ethical hacker is more of bragging than being really a hacker and whole idea behind this cert start looking more as a fraud, more like a disguise. That's something not honest and not a true representation.

CISSP on the other hand stick to what's real and don't try to jump over their heads. Professional is a professional, one who works in the industry and earns money from what he/she does. That's honest, that's precise, there's nothing deceitful in it.

Yeah, you can perceive it as an entry-level cert, etc, but don't lie to yourself, because it's not what this cert name says about its holder. Name says that you are probably more bold than you may really be and that can lead to consequences when you can't fulfill, can't do what you are expected to because people from outside thought more of your capabilities based purely on the cert name.

Justin-

What would be a good security cert to pursue for someone like me who has no experience in the IT Security sector? I have 4 months experience (as an intern) working as a desktop analyst though. I obtained the Security+ just this month so I'm wondering what security certs would supplement my resume and my current work experience? Hope to hear some responses. Cheers everyone.

griffondg

I am not a CEH defender by any means. I personally don't think the cert is worth much other than checking a box on a job posting, BUT, I did learn quite a bit in the training and the online version put out by EC-Council was only $1,800 and it came with an exam voucher. I don't regret getting the cert and have just signed up for the OSCP.

Eric

ramrunner800

While it's necessary to caution C|EH candidates against overestimating what the cert will actually give them, I think this post goes pretty overboard. The reality is that, at least in certain very large industries, C|EH provides a very good ROI. I don't disagree with anybody here that the skills the cert teaches are in no way aligned with it's cost, but this cert will do an incredible job of getting you past HR filters. After that you had better have the real skills to back it up when you do a technical interview with the hiring manager, and no C|EH will not teach you those.

As far as this cert damaging your reputation because people will look down on you if you if you brag about having it, bragging about any cert (with the exception of probably the Offsec certs) will damage your reputation, because bragging about certs is idiocy. Security is a do-ocracy not a resume building contest. Where I work talking about certs is taboo, and the folks that list their certs in their e-mail sigs tend also be the folks who are the least competent.

I'm really surprised that nobody appears to have pointed out that the situation with C|EH comes from DOD 8570. This directive has created a situation where if you want to work certain jobs you must hold C|EH, and this is where the cert gets all it's traction from.

Burnsie

ramrunner800 wrote: »

I'm really surprised that nobody appears to have pointed out that the situation with C|EH comes from DOD 8570. This directive has created a situation where if you want to work certain jobs you must hold C|EH, and this is where the cert gets all it's traction from.

^This is the only reason I am pursuing the cert. It's an unfortunate requirement for a lot of cyber DoD positions. There are alternatives, such as SANS certs. While I think they are way better than EC Council, the total cost is the limiting factor for a lot of people.

gespenstern

ramrunner800 wrote: »

I'm really surprised that nobody appears to have pointed out that the situation with C|EH comes from DOD 8570.

Sure, I thought that everybody in infosec industry knows that already. I hope someone from DoD reads this forum periodically and this post may serve as an additional argument in revising these competency policies. But yeah, government isn't always quick to react

griffondg

I think people are slagging the CEH, unnecessarily. It may not be perfect but no cert is. I have the CISSP but did I really learn anything more than I did in the CEH? Maybe a little but not much.

LionelTeo

There is something great about CEH, if you see a hiring organization looking for CEH, don't join them, because they don't understand cyber security.

It does helps me in understanding some foundation back then.

wd40

I did a quick LinkedIn search for my Country, there are several CEH's and a single OSCP (My country's population is less than 1 million

).

So CEH is more known, but still I will not pay that amount for it.

ramrunner800

LionelTeo wrote: »

There is something great about CEH, if you see a hiring organization looking for CEH, don't join them, because they don't understand cyber security.

It does helps me in understanding some foundation back then.

In the US that would eliminate the vast majority of employers. Most employers use it to verify basic security knowledge, not to qualify pentesters. It would be better if they renamed the cert Hacking+, because it is more on par with a ComptTIA cert in terms of coverage and difficulty. The biggest problem with this cert is that noobs and HR folks expect it to teach something it doesn't (that and the fact that EC Council pretends and charges like it taught you to be an actual hacker). I've never met a hiring manager who thought CEH made someone a pentester though.

I really have a hard time listening to people rag on C|EH, because it can be a huge career booster. We can talk all day long about how maybe it shouldn't be, but it is. I don't think the OP's points are wrong, but they sound so bitter they're tough to take seriously.

From the perspective of a person who wants to get into security the question is, should I take CEH? The answer is absolutely yes. I had never worked in IT before, had a few certs and labbed like crazy on my own before I took CEH, but nobody was calling me back. When I put CEH on my resume, within 2 months I landed an $80k job, and 6 months after that got a raise to over $100k. It got me past the HR filters so I could talk to a hiring manager who was willing to invest in and train me.

From the perspective of someone who wants to be in security, CEH is a great way to go. The ROI is great. Just research what you're getting into, and that you're not going to come out the other side as a ninja hacker.

dave0212

Completely agree with the OP and most others, this cert does not make you an accomplished hacker/tester but it does provide a foundation if you are interested in entering the field, I definitely learnt things when I studied for the exam but it's a HR tick box.

I don't really have any issue maintaining as I have CPEs to get for CISSP, SSCP, CISA and CEH so they just get used everywhere but if they started charging fees I may question its value especially as it is massively overpriced.

Robertf969

ramrunner800 wrote: »

... before I took CEH, but nobody was calling me back. When I put CEH on my resume, within 2 months I landed an $80k job, and 6 months after that got a raise to over $100k. It got me past the HR filters so I could talk to a hiring manager who was willing to invest in and train me.

From the perspective of someone who wants to be in security, CEH is a great way to go. The ROI is great. Just research what you're getting into, and that you're not going to come out the other side as a ninja hacker.

This is the only reason I plan to eventually take the exam, but if it really helps get past HR peeps, I might knock it out real quick after I pass the CASP.(I started off studying for the CASP just cuz Uncle Sam is paying but I am actually surprising myself on how much I am learning, not sure why people knock the CASP).

gespenstern

LionelTeo wrote: »

There is something great about CEH, if you see a hiring organization looking for CEH, don't join them, because they don't understand cyber security.

That's how I perceive this cert. And BTW I feel myself obliged to go to HR and inform them specifically that this cert should be considered a) entry-level and therefore not put in the same weight category as CISSP and even GSEC and b) this cert claims to be what it really isn't and doesn't live up to the hype and therefore it should be suspicious.

And yeah, there's nothing more demotivating in this world as carelessness for infosec and I have hard times convincing myself to work for companies who are blind and deaf to proven industry best practices and I just keep thinking to myself well, yeah, you are the next sony/target/anthem cause you can't tell what's wrong and what's right

compton2k15

Work is paying for mine, so I am going to take it in 2 weeks. Then I can add "Haxxor" to my email signature :P

NOC-Ninja

The best hacker i know dont even have CEH, CISSP, CISM and all this sec certs.

LionelTeo

Oh yeah, one really good point overlook regarding this CEH cert is that, it does helps those who specialise in malware analysis to get a good understanding of the perimeter attacks. Some security professional works on antivirus vendor and spends lots of time analysing malware, but this certification does help them to give a good foundation on what they are lacking. That's all to the CEH, its a foundation with a over hyped name, its more like a perimeter attack+.

ramrunner800 wrote: »

In the US that would eliminate the vast majority of employers. Most employers use it to verify basic security knowledge, not to qualify pentesters. It would be better if they renamed the cert Hacking+, because it is more on par with a ComptTIA cert in terms of coverage and difficulty. The biggest problem with this cert is that noobs and HR folks expect it to teach something it doesn't (that and the fact that EC Council pretends and charges like it taught you to be an actual hacker). I've never met a hiring manager who thought CEH made someone a pentester though.

I really have a hard time listening to people rag on C|EH, because it can be a huge career booster. We can talk all day long about how maybe it shouldn't be, but it is. I don't think the OP's points are wrong, but they sound so bitter they're tough to take seriously.

From the perspective of a person who wants to get into security the question is, should I take CEH? The answer is absolutely yes. I had never worked in IT before, had a few certs and labbed like crazy on my own before I took CEH, but nobody was calling me back. When I put CEH on my resume, within 2 months I landed an $80k job, and 6 months after that got a raise to over $100k. It got me past the HR filters so I could talk to a hiring manager who was willing to invest in and train me.

From the perspective of someone who wants to be in security, CEH is a great way to go. The ROI is great. Just research what you're getting into, and that you're not going to come out the other side as a ninja hacker.

I am happy for you getting a salary increment for this job, but this wouldn't represent the market rate for CEH increment as a whole right? Of course it does boils to do individual skillset and if they are applicable to the role they are hiring for. Having a company listing CEH in a job scope do shows a lot of the hiring process; the same scenario also applies to jobs scope looking for CISSP under 3 years experience, it does reflect culturally of the organization, either the HR doesn't coordinate or the hiring manager doesn't know what is best of the team;

Its safer to look for an organization that's look for applicability, getting into a good company that give good opportunity to learn is definitely important. I am very sure CEH works for your case scenario, for someone breaking into infosec, or a good foundation of knowledge, i won't recommend it as a HR tickbox in anyway. If a recommending manager appreciates your eagerness to upgrade yourself, that's fine, but not for to apply jobs that look for such certification. I usually recommend CEH for a foundation to bridge into GCIH due to overlapping content and GCIH being the easier quality infosec certification to obtain, and used it to find good positions where you can learn some good real hands cyber security work.