EC-Council | Professional Level | 2026 Updated

Certified Ethical Hacker

Updated May 1, 2026 | 12 min read | Written by Certsqill experts
Quick facts — CEH v13
  • Exam cost: $550 USD (exam only) / $850 USD (courseware + exam)
  • Questions: 125 items
  • Time limit: 4 hours
  • Passing score: 70%
  • Valid for: 3 years (ECE credits)
  • Testing: ECC Exam Center / VUE

Who this exam is for

The Certified Ethical Hacker certification is designed for professionals who work with or want to work with EC-Council technologies in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The CEH v13 exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

| Domain | Weight | Focus areas |
|---|---|---|
| Introduction to Ethical Hacking | 6% | Ethical hacking concepts, information security laws, hacker types, and the overall penetration testing methodology. |
| Footprinting & Reconnaissance | 9% | Information gathering techniques, OSINT, social engineering for recon, Google hacking, and passive/active footprinting. |
| Scanning Networks | 7% | Network scanning techniques, Nmap usage, OS fingerprinting, banner grabbing, and network topology discovery. |
| Enumeration | 7% | Enumerating NetBIOS, SNMP, LDAP, NTP, SMTP, and DNS to extract target system information. |
| Vulnerability Analysis | 7% | Vulnerability research methodologies, vulnerability scoring (CVSS), scanning tools, and classification of vulnerabilities. |
| System Hacking | 9% | Password cracking techniques, privilege escalation, maintaining access with backdoors/rootkits, and log clearing. |
| Malware Threats | 6% | Malware types (viruses, worms, Trojans, ransomware, spyware), APT concepts, and malware analysis fundamentals. |
| Sniffing | 6% | Passive and active sniffing, ARP poisoning, MAC flooding, DNS poisoning, and countermeasures against sniffing attacks. |
| Social Engineering | 6% | Social engineering types (phishing, vishing, pretexting, baiting), insider threats, and countermeasures. |
| Denial-of-Service | 5% | DoS and DDoS attack techniques, botnet infrastructure, amplification attacks, and DoS protection mechanisms. |
| Session Hijacking | 5% | TCP/IP session hijacking, cookie theft, cross-site scripting for session theft, and countermeasures. |
| Evading IDS/Firewalls/Honeypots | 5% | IDS/IPS evasion techniques, firewall evasion, honeypot identification, and traffic obfuscation methods. |
| Hacking Web Servers | 5% | Web server attack types (directory traversal, HTTP response splitting), patch management issues, and web server hardening. |
| Hacking Web Applications | 5% | OWASP Top 10 attacks, web app hacking methodology, XSS, CSRF, injection attacks, and web application firewalls. |
| SQL Injection | 4% | SQL injection types (in-band, blind, out-of-band), SQLMap usage, stored procedures exploitation, and countermeasures. |
| Hacking Wireless Networks | 5% | Wireless encryption (WEP/WPA/WPA2/WPA3) weaknesses, wireless attack tools, rogue AP attacks, and wireless security best practices. |
| Hacking Mobile Platforms | 4% | Android and iOS attack vectors, mobile device management (MDM) evasion, mobile application threats, and OWASP Mobile Top 10. |
| IoT Hacking | 4% | IoT attack surfaces, firmware analysis concepts, communication protocol vulnerabilities (MQTT, Zigbee), and IoT security frameworks. |
| Cloud Computing | 4% | Cloud attack types (CloudJacking, side-channel attacks, cloud hopper), cloud security tools, and container security. |
| Cryptography | 5% | Encryption algorithms, PKI, digital signatures, disk encryption, and cryptographic attack types (birthday attack, rainbow tables). |

Note the domain with the highest weight — many candidates under-invest here because it feels conceptual. In practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Hacking Phase Identification
A tester uses Nmap to discover open ports and running services on target systems. Which phase of the EC-Council hacking methodology is this?
EC-Council defines 5 phases: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Clearing Tracks. Nmap always belongs to the Scanning phase. Many exam traps sit on the boundary between Reconnaissance and Scanning.

Tool-to-Technique Mapping
Which tool is BEST suited for performing a man-in-the-middle attack to intercept and modify network traffic on a switched network?
CEH v13 is heavily tool-focused. Key mappings: Ettercap/Cain & Abel (MITM/sniffing), Metasploit (exploitation), Wireshark (packet capture), Nessus (vulnerability scanning), Hydra (password cracking).

Malware Classification
A malicious program installs itself without user knowledge and opens a backdoor for remote access while hiding its presence from the OS. This BEST describes which malware type?
Know exact malware definitions: Trojan (disguised as legitimate), Rootkit (hides its presence), RAT (Remote Access Trojan), Ransomware (encrypts files), Worm (self-replicating without host file). The exam tests precise classification.

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

Week 1: Reconnaissance, Scanning & Enumeration
  • Study modules 1-4: ethical hacking overview, footprinting techniques, Nmap scanning, and enumeration protocols
  • Memorize the 5-phase hacking methodology and be able to classify any given technique to a phase
  • Learn key recon tools: Maltego, theHarvester, Shodan, and Google dorking operators
  • Complete 80 practice questions on reconnaissance, scanning, and enumeration modules
Week 2: System Hacking, Malware & Network Attacks
  • Study system hacking: password cracking techniques (dictionary, brute force, rainbow table), privilege escalation paths
  • Learn malware types and characteristics in detail — CEH tests exact definitions and behaviors
  • Cover sniffing, ARP poisoning, DoS/DDoS techniques, and session hijacking concepts
  • Study social engineering module: phishing, spear phishing, vishing, baiting, and tailgating
Week 3: Web, Wireless, Mobile, IoT & Cloud
  • Study web server and web application hacking: OWASP Top 10, SQL injection types, XSS variants
  • Cover wireless security: WEP/WPA/WPA2/WPA3 weaknesses and cracking methodologies
  • Study mobile, IoT, and cloud attack modules — CEH v13 added significant IoT and cloud content
  • Complete 100 practice questions on web, wireless, and emerging technology modules
Week 4: Cryptography, Evasion & Mock Exams
  • Study cryptography module: algorithm types, PKI, digital signatures, and attack types against crypto
  • Cover IDS/firewall/honeypot evasion techniques — fragmentation, encoding, and traffic tunneling
  • Complete 2 full 125-question mock exams under 4-hour timed conditions
  • Review all incorrect answers and map each to the hacking phase or module category

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Memorizing tools without understanding methodology
CEH lists dozens of tools per module. Memorizing tool names without understanding their purpose, phase, and use case leads to incorrect answers on scenario questions. Focus on understanding what each tool does and in which phase it is used.
Not knowing the 5-phase hacking methodology precisely
EC-Council's phases (Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks) are tested constantly. Many questions hinge on correctly classifying an action into its phase. Reconnaissance is passive info gathering; Scanning is active network probing.
Weak on malware type distinctions
CEH tests exact malware classification. A Trojan disguises itself but does not self-replicate. A worm self-replicates without a host file. A virus requires a host file. A rootkit hides its presence. Confusing these classifications is a common failure point.
Not studying the CEH v13 new modules
CEH v13 added AI-powered attacks, deepfake social engineering, and updated cloud/IoT content. Candidates studying v12 materials miss these new exam objectives. Verify that your study resources align with the v13 exam blueprint.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.
