CEH - Has it value ??

misthe Member Posts: 26
Dear all,

I would like your valuable opinion on this matter.

I've been in the security industry for a couple of years as a security engineer and I already hold the CISSP certification.
At the moment I'm trying to expand my knowledge in the infosec department and I'm thinking of starting the CEH cert.
So my question is: do you think that it will provide me any value?
I'm not going to follow the area of PenTest, which means working for an integrator that provides these kinds of services. I prefer to stay in-house at companies that accept these kinds of services.
In addition, I checked the CISM cert, but I believe it is too managerial for me.
Do you have any suggestions that could appropriately fulfill the CISSP? What is your opinion on this matter?

BR

Comments

  • beads Member Posts: 1,533
    The idea that you have been in the field and have sat for the CISSP before 5 years of documented experience tells me you are exactly what the C|EH is looking for in a candidate.

    - b/eads
  • PC509 Member Posts: 804
    Does the job you're looking at moving to require it? If yes, then it holds value.

    If not, then I would say it has no value at all. There are much better certs out there, Pentest+, eJPT, etc., that have more hands-on. I have a really negative opinion on EC|Council themselves, but the CEH had to be one of the least valuable certs I've taken outside of my Vista certs from Microsoft. ;) If you're doing it for the knowledge itself, check out the Security+ and PenTest+ or eJPT. You'll learn a lot more, have a lot more hands-on experience, and just more knowledge of what's going on. The CEH sounds cool, and if an employer requires it, it's fine. But, I just find very little value in it. Considering the cost, I'd say it has a negative ROI for a lot of people.
  • JDMurray Admin Posts: 13,090 Admin
    edited March 2020
    Also realize that the C|EH is not a pentesting certification. It is the first requirement in getting the EC-Council LPT (Licensed Penetration Tester) certification. C|EH has the candidate study concepts that are useful to a pentester, but it does not directly test you on pentesting knowledge and skills as the Pentest+ and OSCP exams do.

    If you believe that an absurdly over-priced certification from a vendor based in Pakistan will help you get a job or promotion then go for it.
  • StrikingInfluencer Member Posts: 38
    JDMurray said:
    Also realize that the C|EH is not a pentesting certification. It is the first requirement in getting the EC-Council LPT (Licensed Penetration Tester) certification. C|EH has the candidate study concepts that are useful to a pentester, but it does not directly test you on pentesting knowledge and skills as the Pentest+ and OSCP exams do.

    If you believe that an absurdly over-priced certification from a vendor based in Pakistan will help you get a job or promotion then go for it.
    Wow, I didn't even realize that but I just looked at their website. So to get a cert that is considered 'Core' you have to pay over $1,000. https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

    I'll also add that they're the only certification organization I've come across that has a sales team. I called them many moons ago to inquire about a training package for the C|EH (long before I knew it was a scam cert). Some random salesperson still calls and leaves me voice messages from time to time. She will always leave something along the lines of "lock in our XYZ sale price now". Something just really not right about a certification authority calling me and begging me to buy their training and get certified. If the certification is worth its money, I will call you and seek out the certification in my own way.

    I've not once ever got a call from CompTIA, Cisco, Amazon, VMware, etc...
  • E Double U Member Posts: 2,233
    I really do not understand what you are trying to accomplish. How much value a certification has depends on how much value you place on it. No one else can tell you if C|EH or any other cert will have value for you. Here are a few scenarios in which any cert can provide value:

    - Requirement for current or future role
    - Genuine interest in the content covered in the cert course material
    - Looks nice on resume even when not required
    - Satisfaction from hobby as a cert collector

    The reasons above sum up my cert journey. 

    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • misthe Member Posts: 26
    edited March 2020
    Hi,

    Most of your opinions point correctly: the C|EH does not have any useful content to give to a candidate; in contrast, it has an incredible reputation in the market (just google "most valuable sec. certs in the market 2020-2019") and you will identify that it is in the top 5-10 certifications. I also don't understand why...

    For someone that is looking for a professional change and trying to give more value to his CV, maybe it is a good option, but nothing more, only for that. You may ask: is it worth spending ~1.400$ for that?
    The answer is maybe "YES" but you know the reason from the beginning.

    In response to a comment, of course I'm a certified CISSP and not an associate, but I believe that this cert is very theoretical and lacks a lot of practical skills. (remember 1 mile long 1 inch deep) :)
    I'm not going to follow the path of red team; in all my career I was standing on the other side (Blue).
    So maybe eJPT is also not going to be very useful for me. I believe that I'm not going to work as a pen tester in the rest of my career.

    So the best option could be a recognizable defensive cert in the market that would fulfill my CISSP.
    Maybe the "IHRP" cert from ELS could be a better fit with my current status, but again I'm not sure how recognizable this cert, as well as ELS, is in the market...

  • beads Member Posts: 1,533
    It holds that 5-10 mark because of being part of the DoD standard only. The rest of us think it's an acceptable substitute to prolong our already short supply of toilet paper.

    Really, the cert holds no confidence or market value here in the US. It's one of those certs that would have gone away many years ago had the DoD not picked up on it and made it part of the level II bracket.

    Enough said. You'd be better off spending your money on a Vegas weekend.

    - b/eads
  • E Double U Member Posts: 2,233
    beads said:
    You'd be better off spending your money on a Vegas weekend.

    Equal amount of money, equal amount of shame. 
  • yoba222 Member Posts: 1,237
    edited March 2020
    misthe said:
    ...
    . . . in contrast it has an incredible reputation in the market ( just google it most valuable sec. certs in the market 2020-2019)  and you will identify that it is in the top 5-10 certifications. I also don't understand why...
    ...

    I've dug a little deeper before as to why this is. I found that most (if not all) of the Google results describing most valuable certs are articles produced by companies that sell certification training. Kind of a conflict of interest to me. So in my opinion, those articles are untrustworthy. A better gauge of popularity to me is job ad websites and looking at popularity of cert keywords. Though this depends on the idea that whoever posted the job knew what they were talking about.

    Edit: When I do a search, I see these mainly:
    • Global Knowledge  - (Cert training company)
    • CIO magazine
    • Robert Half
    • PC Mag
    So Global Knowledge is definitely disqualified since they sell cert training. The other three seem reputable, right? But when I dig into each article, every one of them cites the Global Knowledge "survey." So I stand by my point. And if I believed the trash data that Global Knowledge creates, I'd just get an ITIL Foundations cert, collect $129,402 per year, and be done with it.


    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • beads Member Posts: 1,533
    So we can't trust people trying to sell us sketchy training for an already sketchy certification? Oh! Grab the vapors, I am feeling faint at the mere idea.

    - b/eads
  • bigdogz Member Posts: 881
    We do not know your experience or background.
    The CEH is a good mid-level certification that has some knowledge into tools but EC-Council is a bad certified body (compared to others). If you are looking at Pen Testing, this certification is a start. It is a needed pill to swallow.

    I hope that helps.

  • StrikingInfluencer Member Posts: 38
    bigdogz said:
    We do not know your experience or background.
    The CEH is a good mid-level certification that has some knowledge into tools but EC-Council is a bad certified body (compared to others). If you are looking at Pen Testing, this certification is a start. It is a needed pill to swallow.

    I hope that helps.

    Nope, I respectfully disagree. It is nowhere near a 'mid-level' certification and as others have said even EC-Council does not recognize the C|EH as 'mid-level'. If you look at this link below it will show you that EC-Council actually puts the C|EH at a 'Core' level with the next level being ECSA and the highest level being L|PT.

    https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

    I also think it's a little disingenuous to keep telling people this cert will get them a job or that it's a necessary place to start.  There are so many better places to start and go for a fraction of the cost of this certification and training.  I think the eJPT is a fantastic certification for the money at $400 for the basic PTS package with a voucher to take the exam.  Meanwhile EC-Council charges like $1600 for a full training package for the C|EH, a 'Core' certification. 
  • bigdogz Member Posts: 881
    edited March 2020
    Thanks for the respect ;)

    When I first went for the cert, there were other lower level certifications EC Council had but have now removed.
    I forgot about the ECSA. I had the LPT some time ago and at the time EC Council did not have the ECSA. When they did it was in a different track. I guess this goes to marketing and the additional classes like the CEH Practical.
    Although the eJPT is less expensive, the ROI for the CEH is better since it has established a name for itself and been around longer. Learning more for less money goes to the eJPT or even Pentest+.
    CEHv10 does do some remedial pen tests / attacks. A great deal more than in versions prior.

    If you really want to be cheap about getting the CEH, take the $200 online labs and you may be able to have the fee waived. If not, I think the fee is ~$200. In any case it will also save you some time on labbing but some of the labs just do not work.

    Performing a search on Monster or Dice gets more searches for the CEH than the eJPT or the eWPT.
    It will take some time for this certification and the other eLearnSecurity ones to gain some ground or do some better marketing.

  • MarioKart64 Registered Users Posts: 15
    I had to get the CEH for school (WGU MSCSIA) and in my experience it is essentially just the A+ of Ethical Hacking, it taught you basic terminology but not much else so I would recommend that you stay away from it unless it is a job requirement and work is paying for it. 
  • StrikingInfluencer Member Posts: 38
    MarioKart64 said:
    I had to get the CEH for school (WGU MSCSIA) and in my experience it is essentially just the A+ of Ethical Hacking, it taught you basic terminology but not much else so I would recommend that you stay away from it unless it is a job requirement and work is paying for it.
    Honestly that is the biggest reason I am turned away from the WGU MSCSIA.  I'd love to get my masters degree from them and I really enjoyed my B.S. but I cannot take the EC-Council certs seriously.  Even though I have the CISSP, I think that would align so much better with that degree, hell even the SSCP or really anything besides EC-Council certs. 

    I have some co-workers who were previous DoD and they have the C|EH.  One of them doesn't even list it on his LinkedIn because he is ashamed of it -- LOL (he also has OSCP).  The others, along with the technical managers also mostly think it's a joke.   
  • misthe Member Posts: 26
    edited March 2020
    OK. Gentlemen, that was a clear statement from you. I need to stay away from this cert since it cannot offer me the expected value, either on knowledge or the reputation.
    Probably I'm going to follow the IHRPv1 from ELS. Do you have any opinion on that? Is it acknowledged in our industry?
  • MarioKart64 Registered Users Posts: 15
    misthe said:
    OK. Gentlemen, that was a clear statement from you. I need to stay away from this cert since it cannot offer me the expected value, either on knowledge or the reputation.
    Probably I'm going to follow the IHRPv1 from ELS. Do you have any opinion on that? Is it acknowledged in our industry?
    I have worked as a Technical Recruiter and interviewed people for Infosec positions and I have honestly never heard of IHRPv1 so I would recommend that you stick to better known certifications. CompTIA has a really good certification roadmap that helps you to determine which certification most closely aligns to your goals and experience. Link: https://www.comptia.org/content/it-careers-path-roadmap