CPEH (Mile2) alternative to CEH (ECC)

Not to continue the discussion of the recent issues of EC Council and the recent change/update of the CEH exam.

I began looking at the Roadmap posted on CompTIA website on Security Certifications and at the bottom listed as expert is a cert by Mile2 for Certified Penetration Testing Engineer C)PTE and began looking at the C)PEH as well for a comparison.

The first few items worth mentioning is that Mile 2 is being used by the US Air Force, NSA, and other foreign nations to train their cyber workforce through various courses.

I checked the NSA website and they are on the approved list. I checked with some vendors who sponsor the C)PEH and not only do they give an exam for $400 that is monitored from one's workplace/home residence - but there is a "hacking/penetration lab" that also goes with the course itself. This seems to roll in the convenience of working professionals to gain a entry level skill set with self-study and not having to worry about a testing center - while also folding in the practical application of doing a "real-time" penetration test as does OSCP by Offensive Security.

Although there appears to be a lack of "advertising" of this training vendor compared to CompTIA, CISCO, ISC2, and ECC - it does appear that they are heavily engaged with government clients.

It seems Mile2 actually started the development of the CEH training for ECC back in the early 2000's and finally split off in 2005 time frame due to ECC lack of updating material. Where Mile2 updates its material as new issues arise. I've read a few posts where they lack 2-3 yrs before an update, but then again so do the others. Unlike ECC recent move to ANSI for the CEH cert, Mile2 has not pursued such, but is also requiring "Continuing Education" to support a given certification as of 01 JAN 2016.

I think once the 8140 DOD Directive comes into fold, CEH won't be the only recommended or sought after entry cert for cyber defense - as is the OSCP cert is being sought after by Red Teams - the CEH does have a competitor - regardless of how well known it is. I doubt very much the training received will be updated without notification and written by non-English speaking personnel - considering Mile 2 is out of Florida. I find the ECC being Malaysia based is a security concern for US cleared personnel in my opinion - where having a US based company can be more readily approached should issues arise.

Seems that Mile2 is recognized by not only US Federal entities (NSA, FBI, DoD), but also by CompTIA and CISCO. Seems credible at the least.

Just pointing this out and did not see any discussion on it through a forum search. Perhaps Mile 2 training through DoD/DOJ/NSA contracts is enough, as well as, other foreign entities using the training for certification - seems worthwhile alternative and one I hope that HR departments pick up on in the near future.

I'm thinking about going through the training and comparing it to my recent 10 month venture with CEHv8 material to see how closely matched it is...and determining what I can gain out of it - if anything.

Will report back in a few months....

Find more posts tagged with

Comments

bryanthetechie

I applaud your efforts and would love to hear your findings

Mike7

Bravo! Keep us updated.

Some info about Mile2 and CEH here. Seems to have strong US military connection.

Mile2 is probably getting ISO/IEC 17024 (aka continual education) for consideration into 8140 DOD.
Perhaps eLearnSecurity (eWPT, eCPPT) and Offensive Security (OSCP) should follow.

MrAgent

Offsec has said they have no plans to require the CPEs etc. So I don't think they will make it onto the DoDs list of approved certifications.

ilikeshells

CPTE is pretty much the CEH. If you have the CEH, my advice is to forget the CPTE.

TK1799_st

Yeah...it seems that Off Sec is not concerned about that particular issue....but I have seen OSCP required by certain govt Red Teams...so...I guess it holds it own....

With the new addition of 8140....I have not seen a list of "certifications" where I think they will or might leave it open for the candidate to prove the skill set by comparing one cert to another....will have to wait until it comes out I guess....

TK1799_st

Mike7 wrote: »

Bravo! Keep us updated.

Some info about Mile2 and CEH here. Seems to have strong US military connection.

Mile2 is probably getting ISO/IEC 17024 (aka continual education) for consideration into 8140 DOD.
Perhaps eLearnSecurity (eWPT, eCPPT) and Offensive Security (OSCP) should follow.

interesting read...thanks for sharing....

I'll see what I've gotten myself into...in a short time from now...

adrenaline19

I hope OSCP never goes that route.

DOD requirements are designed to destroy creativity.

impelse

The training is good, for the knowledge go for it, now the problem is outside the military there is not too much market for that cert, HR doesn't know about it.

TK1799_st

impelse wrote: »

The training is good, for the knowledge go for it, now the problem is outside the military there is not too much market for that cert, HR doesn't know about it.

Perhaps, however - like most things one should write their resume to explain those differences and prove the knowledge compared to the "known" cert. Something that DoD 8140 is suppose to correct after the very narrow scheme presented in the 8750 Directive.

I think as Computer Security trends continue to grow and HR types are introduced and educated by those of us seeking employment and gaining the necessary certifications to land these positions - it will open up. It's a hard road to go from college and gain certifications to be competitive in the job market - reaching out and getting in contact with a recruiter - sending them links - and giving them the info on cert's like this allows an open dialogue between the job seeker and the employer - most of the time - they are just unaware...

I'm going to go through this - and then publish a white paper comparing CompTIA, ECC, and now Mile 2 - since I hold cert's in the first two already...and knock out the maintenance and CE that goes with them all. This discussion is bringing up alot of valid points as well...

please stand by....

cyberguypr

I commend you for trying to be a forward thinker. But here's the thing, big companies are set in their ways. If you try to educate them about some fairly unknown cert, good luck. You could make a case for something like OSCP, as it pops in the job boards and is fairly known in the industry unlike Mile2. Smaller companies follow what the big guys do (even if they don't know what CISSP, GSEC, or CEH means). They just want you to be certified in one of those. If you try to sell them Mile2 you will get a blank stare.

For those like you who want to pave the way and are willing to bet, this seems like a good choice. Those of us who prefer tried and true certs that will bring immediate/short term ROI, not so much. Again, hats off to you for embarking in this journey.

IronmanX

The Canadian DND also uses the Mile2 training.

I do not know anyone who has achieved this certification.
In Canada its common for military members to do the training and not go for the certification.

If Canadian Military members have a security cert it is usually CISSP.

Usually certs are not a requirement but considered an asset.
I took the 5 day CEH class with a couple military members who did not plan on taking the exam even though it would have been free for them to do so.

Example of cert requirements for Canada CSIS (CIA equivalent) job posting:
"[h=2]Assets[/h]The following assets qualifications may be used by managers when selecting their right fit candidate(s) from the pool. Therefore, in the cover letter, applicants must also explain how they meet applicable asset experience criteria.
Core Information Security Certifications, and derivate of:

Offensive Security Certified Professional/ Certified Expert (OSCP/OSCE; OffSec)
Global Information Assurance Certified Penetration Tester (GPEN; GIAC)
Certified Penetration Testing Consultant/Engineer (CPTC/CPTE; EC-Council)
Certified Penetration Tester/Certified Expert Penetration Tester (CPT/CEPT)

Foundational understanding of:

Bypassing System ASLR & NX/DEP (such as Return Oriented Programming / Code Reuse)
Heap Spraying (such as Management, Feng Shui & Heaplib) and Browser User-After-Free Conditions
EMET Protection (such as LoadLibrary, MemProt, Caller, SimExecFlow, StackPivot)
Code Poly/Metamorphism, Caves, Splitting, Packing, Obfuscation and/or Encryption
OWASP Referenced and SQL Vulnerabilities

Experience with:
Assembly Language (x86/64), C, Python, Ruby, and/or SQL Language(s)

GCC & MinGW Compilers
Virtualization Technologies

** A written examination will be administered for the evaluation of candidates."
^^^This is for a Security Assessment Analyst position.

Cybersecurity Analyst
https://www.cse-cst.gc.ca/en/node/1462
^^^No certs mentioned

I thought I would share what it is like north of the border.
I would expect the Mile2 training to be quite good, but holding the cert may not get you passed the HR filter in the USA.

TK1799_st

That's interesting job post. I will say however, sitting in the meetings that I do on a national level - discussions are being delivered and if what Cyberguypr is saying on "the small guys will follow the big guys" Mile2 will start to be known - its a matter of time. This is how I found out about it. Looked into immediately. Maybe the Force Awoke in me...or that light bulb went off - but it seems very structured to those working and trying to balance the need to gain practical skills in IT Security.

I know if a well written paragraph is delivered to hiring departments and such is delivered to "the client" - great things can happen. I'm going to see where this goes - and continue the conversation. Cyber is in high demand as is security/hacking and the more the "highers" learn about - the more that knowledge will flow down. The top listed instructor on Mile2 is a former professor of mine and is well known in the community. So - I can see some cred's there in the entity I'm with.

I'll report back once I have more on the course itself...still waiting for it to arrive in the mail. The videos I've watched and have been pre-recorded and I can tell it's being delivered to govt/military types. So - maybe that's their market and why it's not really known out in the public sector.

stay tuned....

impelse

There is one factor we need to consider, it is how much respect any cert can bring to the table, mean OSCP for example, when people begin to take that training and begin talk that it was not easy exam, not easy for people who can memorize very easy or cram in a couple of days then those guys begin to take management position and because they know what OSCP is bringing to the table then they begin to require people with OSCP cert.

The same can be done with other cert, letters, meeting marketing will not do too much if until the security guys begin to get respect for that cert, and will follow the same then it will begin to move to the big ones.

TK1799_st

Update:

I ordered my Self-Study Kit ($500) on SAT (09 JAN 2015) - it shipped on TUES (12 JAN 2015) out of North Carolina and will arrive today (WED).

The entire kit contents are as follows:

1 Mile 2 Marketing Sheet - May 2013
1 Key Concepts
1 Mile 2 Portable Charger
1 Kit assembly
1 Mile 2 Logo Pen
1 CPEH Student Lab Guide - Version 3.4
1 Mile 2 Sticky Notepad
1 Mile 2 Code of Ethics - Student Sign
1 CPEH Prep Guide
1 Mile 2 Completion Certificate - 040413
1 CPEH Student Workbook - Version 1
1 C-Slide Webcam Cover

I do not know if kits in the future will have the same contents - but this is what suppose to arrive today.

Once I go through it and ready for the exam - then I'll purchase that as well. The Exam also comes with a prep guide.

Everything seems to be falling into place....

A bit of info about their Cyber Range: http://www.trainingindustry.com/suppliers/m/michigan-cyber-range.aspx

The kit is shipped out by Gilmore Global USA: http://www.trainingindustry.com/suppliers/g/gilmore-global-usa.aspx

TK1799_st

So - here it is....The USB Stick is actually a power stick to re-charge your mobile device and the Webcam cover is nice also.

The Student Manual is a copy of the slides in the videos. Explanation is also provided within - so, If someone bought the Course materials - there's not need to purchase the videos. I've done 7 videos and they and what is said about the subject of every slide is in the Manual. The Prep guide is like a condensed notes - much like Exam Cram A+ - tells you exactly what you need to know quickly. Key Security Concepts are well known definitions of terms plus trojans and other items that must be known.

The Lab Guide is for those that actually attend the Cyber Range Course - but as I look through it - they use Kali Linux and Metaspoitable as some of the VM's to exploit. I'm thinking I'll still be able to go through the labs using my VM's I've already set up and learn the concepts while going through the labs. This is alot like OSCP training. I've got a copy of the Backtrack Lab Manual - and this one is set up the same.

The Laptops they provide at the Cyber Range apparently are loaded with alot of VM's and OS's from multiple Window versions and Linux to Unix. Pretty comprehensive to say the least. With that, I'm pretty sure someone with their own closed VM set up can accomplish the same. I've been doing it with the PWB Lab manual I found online.

I'm really impressed and wished I had discovered this last year and skipped the whole CEH debacle!

CPEH Course Materials.jpg

InfOut

So Much Better than CEH, But on ROI may not be good unless you are into military, NSA etc

TK1799_st

Interesting bit of history:

Mile2® - Cyber Security Certifications - Penetration Testing, Digital Forensics - Certified Ethical Hacker

Mile2 was largely responsible for the early adoption and success of EC-Council's Certified Ethical Hacker Course within the USA and several other countries. At the time, mile2 was the world's largest provider of Penetration Testing training and initially chose the basic CEH training course as our flagship for Penetration Testing training events. For a long time, mile2 delivered more CEH classes within the USA than any other training provider and possibly globally.

Mile2's almost perfect student evaluations of its Certified Ethical Hacker events were due largely to the proprietary enhancements Mile2 made to the basic CEH curriculum. New threats arose daily and Mile2 developed enhancements to keep CEH current as materials printed in large quantities and shipped in from Asia tended to have a short shelf life. In contrast, CPTS (now CPTEngineer) materials were printed the week before class to accommodate constant security changes.
Eventually mile2 chose to supercede CEH with a series of classes with a focus on "Professional Penetration Testing" rather than simply teaching "Hacking Techniques". The result was the release of our CPT line of classes. We, and many of our graduates (experienced with both CEH and m2 products), believe and strongly recommend to future students that our classes are now the best courses available globally.

Mile2 has been incorporating Live Lab exercises in their training for a long time - much like OSCP - uses VM's to train people on exploiting vulnerable OS's -- something the CEHv9 is just now doing....

Also - this is of great importance to those of us that were AMBUSHED by ECC during the announced CEH update -- the Manager of Business at Mile 2 made up my lose with ITEMS that are needed for the certification for FREE! Seems Mile2 is more concerned with training and certifying folks - rather than just making money from them! It was highly unexpected - but VERY APPRECIATED!

Glad I found this - and I believe others need to sit down and educate their HR departments on other cert's out there that accomplish the same standards...

IronmanX

TK1799_st wrote: »

the Manager of Business at Mile 2 made up my lose with ITEMS that are needed for the certification for FREE!
Glad I found this - and I believe others need to sit down and educate their HR departments on other cert's out there that accomplish the same standards...

What does that mean? made up for your lose?

Sitting down with HR to try to educate them is not going to work for making this cert mainstream, becoming a DOD requirement will though. You have said something along the lines that you are in the know and that the DOD is evaluating other certifications.

looks like mile2 is more in the business of selling training that aligns with certs approved for DOD. For example you would take C)ISSO course and then go and do the CISSP exam.

From their site:
C)ISSO covers the exam objectives of the Certified Information Systems Security Professional
C)SLO covers the exam objectives of theGSLC
C)IHE covers the exam objectives of the GCIH
C)PTE covers the exam objectives of the CEH

TK1799_st

uhm...from what I'm understanding and hearing Division Chiefs and higher -- if someone had the CPEH and not the CEH, they would still hire them. The cyber force is being built on those with both educational degrees (Bachelors/Masters) and those with certifications. Certifications are being highly scrutinized. DoD is finding out that their initial push for CEH didn't work to protect the network and is seeking other training.

The DoD 8750 Directive serves as a guide to known cert's that meet a requirement. ( It providesguidance and procedures for the training, certification, and management of the DoD workforceconducting Information Assurance (IA) functions in assigned duty positions. )Mile2 meets and in most cases exceeds those requirements, which is why the USAF hired them for the CPTE training and certification at a certain location for a certain entity within the USAF. They have GSA contact and deal directly with the govt. Outside private business may not known about them, but one can show the same standard was meet. I still think one can benefit from Mile2 certification and during an interview prove their knowledge and be hired.

As for the CISSP - a professor who had it and after his discussion on covering it - stated it is nothing more than a fraternity of membership and is meant for executive level managers to understand the cyber threat, but direct others who actually know how to handle it to respond. Where, per Mile2 C)ISSO - does that, plus gives the student the understanding on how to solve it and take action.

Apparently that's why (I guess) Canada National Defense uses it.

IronmanX

TK1799_st wrote: »

The DoD 8750 Directive serves as a guide to known cert's that meet a requirement. ( It providesguidance and procedures for the training, certification, and management of the DoD workforceconducting Information Assurance (IA) functions in assigned duty positions. )Mile2 meets and in most cases exceeds those requirements, which is why the USAF hired them for the CPTE training and certification at a certain location for a certain entity within the USAF. They have GSA contact and deal directly with the govt. Outside private business may not known about them, but one can show the same standard was meet. I still think one can benefit from Mile2 certification and during an interview prove their knowledge and be hired.

The DoD 8750 Directive serves as a requirement not a guide.
so the training is probably good but you still need to the cert from the approved DoD 8750 list in order to work in that field.

In the private sector its up to the HR filter really. I'm sure you could explain in a cover letter how your training/experience meets industry standard.

Another issue is that due to "Cyber Insurance" the insurance companies may require certain employees hold certain certificates.

TK1799_st

IronmanX wrote: »

The DoD 8750 Directive serves as a requirement not a guide.
so the training is probably good but you still need to the cert from the approved DoD 8750 list in order to work in that field.

Being one that sits in a high level position within the US DoD arena - it's a guide to list certifications that meet a training and certification level of standards set forth on what they (US GOV) would like a candidate to have. That's it, nothing more. I'm not going to get into an emotional argument here over a directive that states certain guidelines and standards and leaves it open for Divisions to hire who they want depending on the applicant's resume and acquired certifications/education. Which is what I stated in my original comment. I was hired due to my background, knowledge of the area, education, and certifications after proving and meeting those open end standards of "popular" certifications.

The newer 8140 is going to break up that little list of certs and determine that one cert may fill several needs in categories. They is being determined at the moment. So, those going after a Mile2 certification have the ability to prove that cert meets the same criteria as the one of the other popular ones at the moment and should be hired. It's going on right now as I type this. Just because you haven't heard of it - see it in an article - or it's not mentioned - doesn't mean its non-existent.

My intent on here is not to belittle - bring about fear mongering - or anything else -- but to aid those seeking training that will be worthwhile in the end...so, no - one can still be hired without a cert on the DOD 8750 list once the applicant writes to the position the necessary criteria comparing a gained certification to one of the popular ones. That's all I'm saying...unless you are sitting at the Pentagon and covering down on the cyber positions - there is still a way to be hired...it's being done....smart hiring managers are doing this...as are Defense Contractors....

IronmanX

No emotional argument from me. The Dod 8750 doesn't even apply to me.

I was under the impression the Dod 8750 list are required certifications for the positions listed.
"As an extension of Appendix 3 to the DoD 8570.01-Manual, the following certifications have been approved as IA baseline certifications for the IA Workforce. Personnel performing IA functions must obtain one of the certifications required for their position category or specialty and level. Refer to Appendix 3 of 8570.01-M for further implementation guidance."
http://iase.disa.mil/iawip/Pages/iabaseline.aspx

adrenaline19

I was an infantry sniper, graduated college with a 3.62 GPA, and I am teaching myself info sec, discrete mathematics, and cryptography for fun. I can't find DoD work with computers because my Bachelor's isn't computer related. That tells me everything I need to know about DoD policy. Screw what they list. I'll take the word of my peers over what they decide any day.

SaSkiller

Adrenaline, I can assure you that isn't the reason why. DoD employers (in general, Positions like FBI SA are different.) don't really care what your degree itself is in, they care about what you bring to the table that is related to the position. If you have a strong cyber/infosec resume and can interview, you won't have an issue.

As far as the original topic here, there are a few things to consider. The value of training is important. If the CPTE material is useful for you to learning, then do it. In addition, having a different name on your resume (CPTE vice CEH) can be a benefit. It may interest someone, but generally you will need to make it to someone beyond HR. You must first meet whatever requirements there are for the position. So no HR person is going to pass your resume on to a hiring manager if they ask for CEH and you have CPTE unless you well meet the other requirements (previous experience). Once you talk to that manager then you can tell them why your unknown cert is worthwhile.

In my case I have the CPT. I can use that as a differentiator because I can say that I have hands on experience. However my CEH gets me through HR and meets any DoD requirement (not to mention I think I got a free voucher when I went through CPT). If you are deadset for not doing the CEH, then get another cert that is on the list to insure you are covered, that simple.

OP, I'm interested in the actual presentation and quality of the materials. How does the training style come across? Do you leave the videos/books prepared to attempt the labs? Are the tools valid and useful?

TK1799_st

adrenaline19 wrote: »

I was an infantry sniper, graduated college with a 3.62 GPA, and I am teaching myself info sec, discrete mathematics, and cryptography for fun. I can't find DoD work with computers because my Bachelor's isn't computer related. That tells me everything I need to know about DoD policy. Screw what they list. I'll take the word of my peers over what they decide any day.

DoD is now going through a change -- which is why the 8140 is being issued and brought up to standard. That is currently being done. Per Mile2, they already have the "in" you are looking for. Per the recent ECC change and "unannounced update" that screwed so many people over - word is spreading fast in the IT security community. So, much like SaSkiller is suggesting - get the skill set you need so you can "walk-the-walk & talk-the-talk" during the interview and good things will happen. Much of my conversation skipped HR and went directly to recruiters reaching out to veterans and applying and re-interpreting their gained skill sets. Trust me, go after the direct route and everything will fall into place. Think positive - stay positive - the right position at the right time will pop up for you! You have the discipline brother...just hang in there!!! Remember - Mile2 is preferred by the FBI and USAF uses it as well. CompTIA lists it on their IT Road-map as Expert.

Hit me up on PRIVATE message and I will help out any way I can. I know a ton of defense contracting recruiters that can leverage your past and present skill set...re-do your resume - and get you in front of people...it take time...but it can be done.

shadowsong22

Shouldn't this be a sticky thread already for anyone who wants to know about mile2?

cyberguypr

Given how unusual and unpopular this cert is I just don't see the need for a sticky at this point in time.

TK1799_st

I'm finding out that it is well known within the NSA, FBI, NATO commands - to include the USAF out of Dayton, OH - plus other military and govt entities. One of their instructors is a former Counterintelligence Agent, US Army and they have strong ties with these govies....so, it seems that just because main street America doesn't know about them - they are quiet popular withing certain realms of national defense. They don't bend themselves around the axle on failing the students who take their courseware - and are more concerned on getting the skill set learned and the person certified. I'm just finishing their CPEH Labs -- they mirror up to those found in the Linux Backtrack Lab manual found online for the OSCP cert. Even though Kali Linux is used now - they same methodology is being taught. Plus, you have time to complete them and they are direct and to the point. I wished I had done this instead of ever following the CEHv8 path...which was a waste of time and money. Mile2 is taking care of me - and as a student - that means alot when learning a new skill set!

TK1799_st

UPDATE: As of this morning, I passed my certification for Certified Professional Ethical Hacker C)PEH !!!

Having taken both CompTIA A+ce and Security+ ce - in addition to C|HFI and CEH - this exam was a no joke - very serious - and hardcore process of knowledge and quick assessment. In my opinion - the CompIA Security+ exam easier.

Regardless what others are saying on here about industry knowledge of Mile 2 certs' - I will be putting that to test and so far have found a very receptive from major defense contracting entities and others. I'll see what and who contacts me now to gauge the popularity of this certification.

Until people talk and get the word out - most won't know!

In the end, I will stress that the CPEH exam is very serious and covers the material presented, but one had better know the north, south, east, & west vectors of the course lectures, labs, and terminology.

On to the Certified Penetration Testing Engineer C)PTE....

detroitwillfall

TK1799_st wrote: »

UPDATE: As of this morning, I passed my certification for Certified Professional Ethical Hacker C)PEH !!!

Having taken both CompTIA A+ce and Security+ ce - in addition to C|HFI and CEH - this exam was a no joke - very serious - and hardcore process of knowledge and quick assessment. In my opinion - the CompIA Security+ exam easier.

Regardless what others are saying on here about industry knowledge of Mile 2 certs' - I will be putting that to test and so far have found a very receptive from major defense contracting entities and others. I'll see what and who contacts me now to gauge the popularity of this certification.

Until people talk and get the word out - most won't know!

In the end, I will stress that the CPEH exam is very serious and covers the material presented, but one had better know the north, south, east, & west vectors of the course lectures, labs, and terminology.

On to the Certified Penetration Testing Engineer C)PTE....

Congrats!! PM'd you!