Security · Updated June 8, 2026

Certified Ethical Hacker (CEH v13, 312-50): What's Actually Tested

125 questions, 4 hours, $1,199, a 60 to 85% cut score. Here's what CEH v13 actually tests, how hard it is, and how long to study.

By NerdExam Editorial Team · Published June 8, 2026

The Certified Ethical Hacker (CEH v13, exam 312-50) is the single most recognized name in offensive security certification. The exam voucher runs about $1,199, the clock is 4 hours, and you face 125 multiple-choice questions across 20 hacking domains. The passing threshold is not a fixed number - EC-Council uses per-form cut scores that range from 60% to 85% depending on how the question set is calibrated, often cited around 70%. Version 13 layers generative AI throughout every module, so expect questions on using AI to assist each phase of hacking and on securing AI systems. Most candidates need 6 to 10 weeks of focused prep. If you are already working in security operations or penetration testing, 4 to 6 weeks is realistic. If you are coming from a general IT background, budget the full 10 weeks and go domain by domain.

The 90-second answer

Take CEH v13 if you need the credential for a specific reason: DoD 8570/8140 compliance, a government or defense-contractor role that explicitly lists it, or an employer whose HR checklist requires it. CEH is the dominant name-recognition cert in offensive security, and its DoD approval is the primary reason thousands of candidates pay $1,199 for an exam that is otherwise considered broad and not deeply technical.

Skip CEH v13 if you want to prove hands-on hacking ability. CEH is widely described as "a mile wide and an inch deep." It tests whether you can recognize tools, phases, and terminology, not whether you can exploit a live target. If your goal is to impress a hands-on hiring team, OSCP carries far more weight. If budget is the constraint, CompTIA PenTest+ (PT0-003) covers similar ground for roughly a third of the price.

What does the CEH v13 actually test?

CEH v13 spans 20 hacking modules mapped to nine broad domain groups. The blueprint weights below are approximate and have stayed stable across recent versions. Version 13's headline change is that generative AI appears across all 20 modules - questions cover AI-assisted recon, AI-powered malware, and defending AI infrastructure, so do not ignore those additions.

| Domain | Approx. weight | What it covers |
|---|---|---|
| Information Security and Ethical Hacking Overview | ~6% | Hacking concepts, attack phases, the cyber kill chain, ethics, laws and standards |
| Reconnaissance Techniques | ~21% | Footprinting, OSINT, scanning networks (Nmap), enumeration |
| System Hacking Phases and Attack Techniques | ~17% | Vulnerability analysis, system hacking, privilege escalation, malware (trojans, viruses, worms, fileless) |
| Network and Perimeter Hacking | ~14% | Sniffing, social engineering, denial of service, session hijacking, evading IDS/firewalls/honeypots |
| Web Application Hacking | ~16% | Hacking web servers and web apps, SQL injection, OWASP-style flaws |
| Wireless Network Hacking | ~6% | Wireless encryption, wireless attacks, and tools |
| Mobile, IoT, and OT Hacking | ~8% | Mobile platform attacks, IoT and operational-technology threats |
| Cloud Computing | ~6% | Cloud concepts, container and serverless security, cloud attack vectors |
| Cryptography | ~6% | Ciphers, PKI, encryption tools, cryptanalysis attacks |

Reconnaissance is the heaviest single area at roughly 21%, which reflects how much of real-world offensive work starts with Nmap scans, OSINT gathering, and enumeration before anything touches an exploit. Web application hacking at ~16% is the second-heaviest block, and SQL injection appears repeatedly across multiple question styles there.

The exam rewards breadth over depth. A typical question presents a scenario and a list of tools, then asks which tool fits the described technique, or which phase of hacking the described activity belongs to. You will see Nmap, Metasploit, Wireshark, John the Ripper, Aircrack-ng, SQLmap, and several dozen other tools referenced by name. Knowing what each tool does and which phase it maps to is more important than knowing how to run them in a live shell.

How hard is the CEH v13?

CEH v13 rates a 3 out of 5 on difficulty. It is broader than Security+, but the questions are more recall-oriented than the deep analysis that OSCP or even CASP+ requires. The "mile wide, inch deep" criticism is accurate and worth taking seriously when you plan your prep strategy.

The genuinely hard parts are:

  • The sheer volume of tools, techniques, and acronyms across 20 domains. There are hundreds of named tools in the blueprint and you need to know roughly what each one does.
  • The AI additions in v13 are newer, so practice materials for those topics are thinner than for the core domains. Budget extra time for AI-assisted attack and defense content.
  • The variable cut score. You do not know whether you landed a 60%-cut or an 85%-cut form until you sit down. Scoring in the high 70s on practice exams is not a safe buffer.
  • The eligibility barrier before you even book the exam. You either complete official EC-Council training (which bundles the voucher and typically costs $2,000 or more) or you pay a $100 non-refundable application fee and document at least 2 years of information-security work experience. No shortcut around that gate.

The most common failure pattern is underestimating the tool and technique volume. Candidates who consume a single video course and skip the tool flashcard work tend to blank on the scenario questions that ask "which of these tools performs passive fingerprinting" or "which malware type self-replicates without user interaction." The breadth is the difficulty, not the depth of any single topic.

How long should you study for CEH v13?

EC-Council recommends candidates have a background in information security before attempting the exam. That recommendation is real - the domains assume you already know networking basics and general security concepts. For actual study time:

  • With 2+ years of security operations or pen testing experience: 4 to 6 weeks at 8 to 10 hours per week
  • With a general IT or networking background and Security+: 6 to 8 weeks at 8 to 12 hours per week
  • New to security but with solid IT fundamentals: 10 weeks, and consider CompTIA Security+ first to build the foundational vocabulary
  • Switching from a purely defensive (blue team) background: 6 to 8 weeks, focused on offensive phases, tools, and the attack-centric framing the exam uses

The biggest study mistake is drilling only the domains you already know. Reconnaissance is ~21% of the exam and most security practitioners have gaps in wireless (~6%), IoT/OT (~8%), or the specific cryptanalysis vocabulary. Map your weak domains in week 1 and weight your time there.

A realistic week-by-week pace for an 8-week plan looks like:

  1. Week 1: Hacking overview, attack phases, kill chain, laws and ethics; begin tool inventory flashcards
  2. Week 2: Footprinting, OSINT tools, Nmap scanning, enumeration techniques
  3. Week 3: Vulnerability analysis, system hacking phases, privilege escalation methods
  4. Week 4: Malware types, sniffing, social engineering, DoS/DDoS, session hijacking
  5. Week 5: IDS/firewall/honeypot evasion, web server and web app hacking, SQL injection, OWASP flaws
  6. Week 6: Wireless attacks, mobile hacking, IoT and OT threats
  7. Week 7: Cloud security, cryptography, and the AI-assisted techniques added in v13
  8. Week 8: Full timed practice exams, tool and phase flashcard review, weak-domain sweep

Most shortfalls trace back to the tool-recognition questions covered in the week 2 and week 3 content. Reconnaissance and system hacking together account for nearly 40% of the exam. If your flashcards do not cover the named tools for each phase by week 3, the timed practice exams in week 8 will feel thin.

What does the CEH v13 cost?

The exam voucher alone is about $1,199. That is one of the most expensive single-exam vouchers in the certification market, and the total cost depends heavily on which eligibility path you take.

| Component | Range | Notes |
|---|---|---|
| Exam voucher (remote proctored) | ~$1,199 | One attempt via EC-Council's ECC Exam platform |
| Official EC-Council training | $2,000+ | Bundles the voucher; required unless you apply via the experience path |
| Experience-path application fee | $100 non-refundable | Requires 2+ years documented infosec experience; no training required |
| Study course (third-party) | $30 to $200 | Matt Walker, Total Seminars, or Pluralsight if you go the experience path |
| Practice questions | $0 to $60 | NerdExam has 627 CEH questions; official iLabs is a separate paid add-on |
| Total via official training path | $2,000 to $3,000+ | Voucher typically bundled, but training cost dominates |
| Total via experience path | $1,300 to $1,600 | $100 app fee + $1,199 voucher + third-party study materials |

The price is the most common reason candidates hesitate. CompTIA PenTest+ (PT0-003) covers much of the same conceptual ground for roughly $404. The reason CEH stays popular despite the cost is its DoD 8570 approval and its presence on HR job-requirement checklists for government and contractor roles. For those specific roles, the premium is often unavoidable.

EC-Council also charges an annual ECE membership fee during the 3-year cert validity period. Factor that in if you are calculating total cost of ownership. Retake policy and fees vary; check the EC-Council site before you book.

What salary can you expect after passing?

CEH is primarily a compliance and name-recognition cert, so the salary ranges reflect the roles it unlocks rather than a direct premium for the cert itself. 2026 US data from job boards shows:

  • SOC analyst or security analyst with CEH: $75,000 to $110,000
  • Vulnerability analyst or assessor with CEH: $90,000 to $125,000
  • Penetration tester with CEH: $95,000 to $140,000
  • Senior offensive security roles with CEH plus 5+ years: $130,000 to $170,000

A realistic note on what the cert does and does not do: CEH functions largely as a hiring filter and a compliance checkbox, especially in government and defense-contractor environments that require DoD 8570/8140 alignment. You will often see it listed as required for roles where the actual work is more audit-style than active exploitation. For hands-on penetration testing teams, OSCP carries significantly more weight with technical hiring managers. CEH gets you past the HR screen; OSCP gets you respect in the room. Many candidates hold both.

What study resources actually work?

The candidates who pass on the first attempt tend to use a consistent stack built around breadth and tool recognition:

  1. One structured course covering all 20 modules. Matt Walker's CEH study guides are the community standard for the experience-path self-study approach. Total Seminars and Pluralsight both offer solid video-based coverage.
  2. A dedicated tool inventory. Build a flashcard deck mapping every named tool to its phase (recon, exploitation, post-exploitation, etc.) and its category (network scanner, password cracker, packet sniffer, wireless cracker, web app scanner). The exam uses tool names constantly.
  3. Phase mapping practice. Know the five phases of hacking (recon, scanning, gaining access, maintaining access, covering tracks) and map every domain activity to one of those phases. Many questions are just "which phase does this describe."
  4. At least 500 practice questions before exam day. Include questions that test tool recognition and attack/defense framing, not just definitions. Practice under time pressure: 125 questions in 4 hours is about 115 seconds per question, which is tighter than it sounds when long scenarios are involved.
  5. Two full-length timed practice exams in the final two weeks. If your score is below the 75% mark on both, push the exam date and work the weak domains. The variable cut score means you want a real buffer.

Skip brain-dump sites. EC-Council actively pursues cert fraud, and more practically, the questions on the actual exam are scenario-based in ways that brain dumps do not prepare you for. You will recognize a question's answer without understanding why, which leaves you flat when the scenario twists slightly.

For the practice question portion, NerdExam has 627 enriched CEH 312-50 questions with full explanations. Start practicing CEH v13 questions to see the tool-recognition and scenario framing before you commit to a study plan. The explanations map answers back to the five hacking phases and the relevant domain, which is exactly the mental model the exam tests.

Who should NOT take the CEH v13?

The cert is the wrong fit for several common candidate profiles:

| You are | Take instead |
|---|---|
| On a budget and want hands-on proof of offensive skill | OSCP or CompTIA PenTest+ (PT0-003) at roughly one-third the cost |
| Brand new to security entirely | CompTIA Security+ first to build the foundational vocabulary |
| A blue-team defender who has no offensive requirement | CySA+ or GIAC GCIH, which are purpose-built for detection and response |
| A cloud security specialist | A cloud security cert (AWS Security Specialty, Google PCSE, or CCSP) |
| Someone who needs pen test credibility with technical teams | OSCP; CEH is a box-check, OSCP is a proof of work |

The price-to-value calculation is honest: if you do not need CEH for a specific role requirement or DoD compliance, you can cover the same conceptual material for far less money and earn more hands-on credibility with OSCP or PenTest+. CEH's value is real but narrow. It is the standard HR filter for government and contractor offensive security roles, and that is the use case it is optimized for.

What's next after CEH v13?

Once CEH is in hand, several paths branch depending on your goal:

  • Hands-on credibility track: CEH Practical (the lab-based companion exam) is the natural next step. Pass CEH Practical alongside CEH ANSI and you become a CEH Master, which signals hands-on ability that the multiple-choice exam alone cannot prove. After that, OSCP is the gold standard for offensive security credibility with technical teams.
  • Broader pen testing track: CompTIA PenTest+ (PT0-003) or GIAC GPEN if you want more structured coverage of the pen testing lifecycle beyond CEH's breadth-over-depth approach.
  • Defense and detection track: If you discover that your work is more detection and response than offensive, pivot to CompTIA CySA+ or GIAC GCIH. Many CEH holders end up in hybrid roles where both views matter.
  • Cloud offensive track: CCSP or AWS Security Specialty if your environment is heavily cloud-based and the Cloud Computing domain was the area where you felt most engaged.

Most people take 6 to 12 months between CEH and their next cert. Use that window to put the domains into practice - run a home lab, work through a CTF platform, or move into a role where you are doing actual vulnerability assessments. CEH on a resume paired with real work experience is a strong combination. CEH alone, without applied experience, gets you past the filter but not much further.

Ready to start? Browse the full CEH 312-50 question bank on NerdExam or jump straight into the free per-question explanations. If you are still weighing whether CEH is the right cert for your situation, the official EC-Council program page at eccouncil.org/programs/certified-ethical-hacker-ceh has the current eligibility requirements, approved training providers, and the official blueprint mapped to each domain.