How to Become a Certified Ethical Hacker

“Hacker” didn't start out as a bad word, but it's evolved into one, thanks to hackers of the malicious kind. Despite how oxymoronic the term “ethical hacker” may seem, the Certified Ethical Hacker credential is no joke.

Certified Ethical Hacker (CEH) is a computer certification that indicates proficiency in network security, especially in thwarting malicious hacking attacks through pre-emptive countermeasures.

Malicious hacking is a felony in the U.S. and most other countries, but catching criminals requires the same technical skills that hackers possess.

About the CEH

The CEH credential is a vendor-neutral certification for information technology professionals who wish to specialize in stopping and identifying malicious hackers by using the same knowledge and tools the criminals use.

Even before the credential was introduced, private firms and government agencies were hiring reformed malicious hackers because they believed that was the best method for securing their networks. The CEH credential takes this a step further by requiring those who earn it to agree in writing to abide by the law and honor a code of ethics.

The credential is sponsored by the International Council of E-Commerce Consultants (EC-Council), a member-supported professional organization. Its goal, according to its website, is to establish and maintain standards and credentials for ethical hacking as a profession and to educate IT professionals and the public on the role and value of such specialists.

In addition to CEH certification, the EC-Council offers several other certifications relevant for network security jobs, as well as those for secure programming, e-business, and computer forensics jobs. Certification proficiency levels range from entry-level to consultant (independent contractor).

How to Become a CEH

Students who have a minimum of two years of security-related job experience can apply for approval to take the EC-Council exam. Those without two years of experience will be required to attend training at an accredited training center, through an approved online program, or at an approved academic institution. These requirements prepare applicants for the exam and help screen out malicious hackers and hobbyists.

As of 2018, the courseware price for the five-day certification course was $850. The application fee for those seeking to bypass the training course was $100, and the exam voucher price was $950.

The Course

The CEH Training Program prepares students to take the CEH 312-50 exam. It consists of 18 modules covering 270 attack technologies and mimics real-life scenarios in 140 labs. The course is run on an intensive five-day schedule with training eight hours per day.

In the end, the goal is for students to be ready for the exam in addition to being ready to handle whatever penetration testing or ethical hacking scenarios come their way in their IT security careers.

The Exam

The 312-50 exam lasts four hours, comprises 125 multiple-choice questions, and tests CEH candidates on the following 18 areas:

  • Introduction to ethical hacking
  • Footprinting and reconnaissance
  • Scanning networks
  • Enumeration
  • System hacking
  • Malware threats
  • Sniffing
  • Social engineering
  • Denial of service
  • Session hijacking
  • Hacking web servers
  • Hacking web applications
  • SQL injection
  • Hacking wireless networks
  • Hacking mobile platforms
  • Evading IDS, firewalls, and honeypots
  • Cloud computing
  • Cryptography

Job Outlook

IT security is a fast-growing field, and the U.S. Bureau of Labor Statistics (BLS) projects job growth at a rate of 28 percent for the decade ending in 2026. This is far greater than job growth of 7 percent projected for all professions combined. The median annual wage for IT security analysts, as of 2017, was about $95,000, according to the BLS.

A quick search on Indeed shows that many security jobs require or recommend a CEH credential, so candidates who possess one will be more marketable.

Most jobs that CEH-credentialed professionals pursue put candidates through background checks or more rigid personnel security investigations (PSIs). Security clearances likely will be required at government agencies or private firms with government contracts.

Success Stories

Many of the high-profile stories about ethical hackers involve the biggest companies in technology. Companies like Apple, Google, and others will challenge ethical hackers to break their security measures in order to help them find weaknesses and to make their products safer. They often offer a lot of money to anyone who can find a weakness.

In 2016, Nimbus Hosting listed some of the more famous success stories of ethical hackers. Among them are examples of a security team offering a reward to anyone who could take over an iPhone or iPad, and an anonymous hacker who went by the name Pinkie Pie who helped identify a bug in Google Chrome. Not all of these examples involve professionals following the CEH-certification route, but they show the value companies place on hiring hackers to help shore up network security.