Passed My CEH Resit. Some Thoughts On The Cert And EC-Council.
I passed my CEH resit last week after failing the initial attempt by 2% when I sat the v9 exam instead of v8. I would like to make it absolutely clear because there is apparently still some confusion about this on here and on other websites - you will be sitting "v9" of this exam. It doesn't matter if you signed up for v8 or if your exam voucher ends with v8, you will be sitting version 9 and there is a significant difference in the material. There is some absolutely ridiculous mental gymnastics going on by some people on this forum trying to claim this doesn't matter but for the vast majority of people sitting this exam, it will. You will see posts from people who have been penetration testers for 7 years or so saying how easy the exam is - they are obviously not the intended audience for this fundamental certification and most people will struggle to pass using only v8 material (especially if you're relying on the official EC-Council courseware.)
I won't go into any specifics on questions or specific areas to study (there are already several of these kinds of posts on this site) but I will say this - the vast majority of practice tests for this exam are useless.
If you're not answering the majority of practice questions (whether it be from the AIO book, skillset, boson, cybrary or any of the mobile study apps) with ease I think you will struggle with the exam. Most of them do not go anywhere near in depth enough to compare to the real exam.
As I said before, there are a lot of apologists for the EC-Council on this website. The way they handled the version mix up has been absolutely disgraceful and has once again shown what an unprofessional organization the ECC are.
Trying to communicate with them is unbelievably frustrating. They are apparently based out of New Mexico in the USA however it seems like every aspect of their business is handled by people in Malaysia who do not speak English as a first language - every e-mail is riddled with extremely poor spelling and grammar and often requires 2 or 3 e-mails back and forth to clarify exactly what they're trying to say (this would also explain why many people in the past have complained about strange wording of exam questions). Combined with this, the person responsible for handling complaints/appeals seems to be a glorified member of HR with little to no understanding of the industry or the material the ECC is putting out. The appeal process was a pointless exercise that resulted in everyone being sent the same few stock responses without any of the individual points or concerns being addressed at all. Possibly the most unprofessional incident regarding this **** up happened on this forum, where a member of the appeal committee trawled the forum looking for information from people then ultimately singled out a member on here to argue with, advising him that his appeal would be seen by the appeals committee then when he signed off his post he revealed he was on that committee. This made me extremely uncomfortable about posting anything regarding my appeal and was just mind blowingly petty and unprofessional. Why the ECC have a chair on their committee trolling these forums instead of dealing with it through official channels is beyond me.
I would not advise anyone to go for this certification unless you are absolutely required to by your employer. If you do want to sit it and aren't confident going in considering the v8/v9 situation my advice would be to wait for a good 3rd party study guide to come out. The official courseware is $850-$885 depending on your location and if it's anything like the v8 material it is absolutely useless. They just flood you with mountains of useless information, it's all presented in slides that don't really go into depth and half the book is just a list of different tools (their "whats new to v9" page states they have more than 1500 new/updated tools..). So the official textbook will cost you almost $900 and then your exam voucher will cost you $600. Compare this with the OSCP where $800 gets you pdfs, videos, 30 days access to a virtual network to hack into and your exam cost is included..
I'm glad I passed the exam and relieved it's over with. I certainly won't be taking another certification with the EC-Council unless I'm forced to by an employer. I'm starting the OSCP in January and I'm really looking forward to it, I've read several blogs and reviews on the course and they're all very positive so hopefully it's as challenging and rewarding as people claim.
Comments
Blog: www.network-node.com
There is only one version of the exam. If you sign up to take it, you will take that version. Yes, content has been updated. If you can't explain [newer] vulnerabilities like heartbleed (nearly 2 years old) or shellshock (just over a year old) then you shouldn't be taking this exam. If you don't know your nmap switches or how to interpret a pcap file, you shouldn't be taking this exam. The recommended amount of related experience for this exam is 2 years. If you don't have that, you should carefully consider whether you should be taking this exam. This isn't rocket science or some evil ploy to try and scam people. It's not an easy exam. If you're coming into it with little or no experience I'm not sure why you would expect to pass.
I'm not going to apologize for EC-Council. What they choose to do with their business decisions is entirely up to them. There was no "mix up" per se... updated content was released. As has been done in the past.
The appeals process is, and works, exactly what it sounds like. Yes, I would imagine that upon requesting an appeal or submitting an appeals request that you will likely receive the same response back (e.g., "thanks for your complaint, here's the process, we'll keep you posted"). If you're not happy with the initial decision by EC-Council then you have the right to appeal further to the Scheme Committee. At that point, I can assure you that all of the points or concerns are addressed, individually. If you do not include your concern in your appeals paperwork, then it can't be addressed. Similarly, if you appeal with a concern but don't request some sort of resolution, what sort of answer would you expect? More often than not, the Scheme Committee sides with the candidate. However, this requires some solid evidence and thorough explanation of what happened to justify.
Regarding your "incident" of singling out a specific person... I was advised of the situation happening on this forum and all of the confusion that was spreading in the various posts. There was one person here that seemed to be bouncing around the forums posting everywhere, both slandering EC-Council, making direct, personal attacks against a specific EC-Council representative, and just generally spreading misinformation regarding the exam. In my attempts to consolidate all of the issues here and clear up the confusion, that person continued to argue with and attack me instead. I simply offered the opportunity to appeal (which they did, along with two others..). Whether you decide to share information on a public forum about your own personal appeal is entirely up to you. If you have questions or concerns about the process, as it relates to the SC, I'm happy to answer. Appeals brought to the SC (whether from people here at this forum or elsewhere, I don't know) are dealt with, and have been reviewed more quickly than normal (quarterly) to get answers back to the candidate.
Anyways, my 2 cents on the matter.
I don't disagree. It's very frustrating to have language barriers preventing you from communicating your issue or from being able to interpret the response. The reality is that EC-Council has an office in Malaysia and a US headquarters in New Mexico. Obviously, with any company, when you have non-native English speakers there will be some errors. I don't know who the exam writers are but I fully agree, it's not acceptable for there to be errors in the exam questions. I have gone through many of the current exam questions and made a lot of edits - hopefully they'll be fixed - and have also suggested that a better process be put in place to prevent such spelling and grammar errors.
Please feel free to point to and provide such evidence of this "coming in here to shut down the OP and anyone who criticizes [the] organization." Note: It's not my organization. I am not an EC-Council employee. I have zero control over who they hire and what languages they speak. And I agreed with the point you made as it is frustrating. If you have issues with EC-Council representatives, you should take that up with EC-Council.
"I think people on here should be free to say what their experience was, without you replying and trying to intimidate them or discredit them through ridicule." Again, where have I done this? People are free to share their experiences here. I haven't stopped or prevented anyone from doing such - nor do I have the ability to do so. The only thing I've done is corrected the misinformation and provided additional information to clarify other matters.
My post is not passive aggressive. I have nothing against the OP. Some of the information was wrong and I addressed it. I also had to defend my own previous actions against his personal attacks. Seems like a rather simple concept to me.
Whether you choose to agree or not, my "consolidation" post was only meant for everyone to share their complaints so that I could take them back to EC-Council on the behalf of the candidates having issues. None of my posts have had any malicious intent. I have explained the process and my role, several times over.
Again... What? Stalked and intimidated? Threats? Where? Yes, you're right. Providing accurate information and answering questions isn't helpful. Why would people be scared to say what they think? They don't seem to be. I haven't stopped anyone from posting. If you have negative things to say about EC-Council, go ahead and share it.
These two statements are extremely contradictory.
I've been watching all these EC-Council threads and while I might not think the way they go around these things is perfect and I don't really see a ton of ROI on their certs compared to others, I think BillV has handled himself pretty professionally from what I've seen. Maybe I'm missing something and if someone could link me a post where he's threatening someone or trying to intimidate someone, I'd be happy to retract that. If he's honestly here to explain the process and he's willing to take feedback to the company, why not use him for that purpose?
Anyways, my 2 cents on the matter and it's not like I have skin in this game. My EC-Council probably expired this year and I won't ever be renewing them.
Please explain.
Still not an EC-Council employee and not an EC-Council representative. As mentioned in the post above (and as I've stated elsewhere), I'm on a volunteer-based committee and just another certification holder. This gives me much better insight into the exam and processes regarding the certifications, allowing me to [attempt to] clear up any confusion by providing accurate information and answering questions, and also allows me to take back any concerns/issues/etc. to key people at EC-Council along with the committee to push for changes if needed.
Once again, this is all to the benefit of the candidate.
I'm really not sure what your problem is. You asked why no one addressed a certain issue pointed out in the original post, and I responded giving you an answer - even agreeing with you. You've since been hell bent on attacking me, for whatever reason (none of them have really made sense so far). You seem to think that the purpose of my first reply in this thread was to defend EC-Council. It is not. I was only providing corrected information regarding the exam and responding to the attacks against my own actions.
You say that I'm somehow preventing people from posting what they want, or that I'm going to tell you that you can't criticize EC-Council. Go ahead. Feel free to post what you want and call them out on things. Search long enough, and you'll find places where I've called them out as well. But it's a bit hypocritical of you to say people should be able to post whatever they want - but then tell me that I can't respond. If you go around posting inaccurate information, then yes, I'm likely going to confront you about it. If you try to tell me that I'm being "intimidating" or that I'm "stalking" you, then yes, I'm going to ask you to supply evidence. Why is that a tough concept to understand? If you're going to make accusations or ***** forums and spew random information, you should probably be prepared to back up your comments with some sort of supporting evidence.
If my posts aren't helpful to you, ignore them. Plain and simple.
edit: apparently you can't say t-r-o-l-l
Great. Thanks.
What a joke.
When ISC2 switched over to the new CISSP 2015 CBK, they announced a cut-over date (15th April 2015) and put up FAQ at https://www.isc2.org/cissp-sscp-domains-faq/default.aspx
Similarly, when CompTIA announced new CASP version (CAS-002), exam takers can choose to take either version before CAS-001 was retired in June 2015.
Both CISSP and CASP are accredited under ANSI ISO 17024.
Was there any announcement by EC Council about CEH version change?
BTW, the "EC-Council News" (404 Page Not Found) on the main EC Council site at Certified Ethical Hacker, Information Security Certifications, Computer Security Training, Network Security Courses, Internet Security, Hacking | EC-Council returns a 404 (file not found).
A change to the CBK is a change to the exam blueprint. That is a major change and one that would justify making an announcement. I would hope if EC-Council were making that drastic of a change to the exam, it would also be communicated in advance. The recently released update is just keeping current with times. The exam still covers tools, still expects candidates to be familiar with vulnerabilities, and still requires a recommended 2 years of experience. The updated exam still remains as easy as the old exam for someone with experience.
ISC2 uses the same process, and makes similar exam updates with no notification:
https://www.isc2.org/uploadedfiles/credentials_and_certifcation/about_our_credentials_and_process/jta-whitepaper_1.pdf
As does CompTIA:
https://certification.comptia.org/docs/default-source/downloadablefiles/whitepaper-cybersecurity.pdf?sfvrsn=2
https://eccouncil.zendesk.com/anonymous_requests/new
(to complain about getting your news)
Which ECC does not.
So everyone is in agreement
I think that still remains to be seen. EC-Council has done so in the past. They haven't changed the "CBK" for the exam so there has been no need for an announcement.
Hmm.. so CEH v8 to v9 is not a CBK change?
No. The exam blueprint ("CBK") has remained unchanged.
So if the CBK is unchanged, what has changed from CEHv8 to CEHv9?
https://cert.eccouncil.org/images/doc/CEH-Exam-Blueprint-v2.0.pdf