Obtaining an industry-recognized cyber security certification like EC-Council’s Certified Ethical Hacker (CEH) or Offensive Security’s Offensive Security Certified Professional (OSCP) is an excellent way for aspiring cyber security professionals to highlight their skills and capabilities. Whether you pursue CEH vs OSCP will depend on your career goals, time, and budget.
This article will compare and contrast these two popular penetration testing-focused certifications to help you decide which one is right for you. Some of the major topics we’ll cover are a breakdown of both certifications, their exam formats, attractiveness to employers, and earning potential. We’ll conclude with a “Final Verdict” of our recommendations.
About CEH and OSCP Certifications
The CEH and OSCP are popular and widely recognized penetration testing certifications. Before we dive into our comparison, it’s important to point out that there are two different CEH certifications: CEH (ANSI) and CEH (Practical).
CEH (ANSI) refers to the certification obtained through passing EC-Council’s multiple-choice exam. The lesser-known CEH (Practical) exam is a set of capture-the-flag (CTF) style scenarios to be solved in a proctored virtual lab. Completing both exams awards you the CEH (Master) designation.
The OSCP exam involves not only compromising several vulnerable machines but also collecting evidence of your exploits and providing a thorough report of the precise steps you took to achieve them. In other words, the sorts of things you’d be doing in the role of a penetration tester.
About Certified Ethical Hacker CEH (ANSI)
CEH certification was established in 2003 by EC-Council, an ANSI 17024 accredited organization. EC-Council purports its CEH certification to be the world’s most in-demand ethical hacking certification, and for good reason! More on that below.
CEH is a standalone certification acquired through successfully completing a written exam covering a breadth of ethical hacking and information security topics. For the sake of clarity, we’ll refer to this certification going forward as “CEH (ANSI).”
Although the CEH (ANSI) certification is in high demand by prospective employers, serious cyber security professionals lend far less credence to it, given the short preparation required (usually a 5-day boot camp), and its relative ease compared to hands-on examinations, such as the OSCP.
About Certified Ethical Hacker CEH (Practical)
In 2018, EC-Council introduced the CEH (Practical) exam, an optional certification CEH (ANSI) holders can pursue and consists of a hands-on, scenario-based lab. Completing both the CEH (ANSI) and CEH (Practical) awards the designation of CEH (Master).
Despite its focus on real-world competency, the CEH (Master) designation isn’t particularly well-known among employers, as we’ll demonstrate in the “Job Opportunities” section below.
About Offensive Security Certified Professional (OSCP)
OSCP is a penetration testing certification designed by the creators of Kali Linux to test your real-world penetration testing knowledge and skill set.
The OSCP certification is a departure from traditional exam formats. In place of questions is a network of systems containing exploitable vulnerabilities for you to discover, exploit and document.
Offensive Security emphasizes a learn-by-doing approach. Their mantra, “Try Harder,” is short-hand for their values of persistence, creativity, and perception. If the road to becoming a penetration tester is a journey, the OSCP is a marathon. There are no shortcuts.
CEH (ANSI) Exam Details
The CEH (ANSI) is a closed-book, knowledge-based exam. It consists of 125 multiple-choice questions covering 20 domains and must be completed within 4 hours. Some of the topics covered include:
- Information security threats and attack vectors
- Attack detection
- Attack prevention
- Information security procedures and methodologies
The minimum passing score for CEH (ANSI) exam can range from 60% to 85%, depending on the test bank you receive.
The specific topics you’ll need to know for the exam are covered in our comprehensive CEH exam cheat sheet.
CEH (Practical) Exam Details
The CEH (Practical) is an open-book, skills-based exam. It consists of 20 challenges to be completed within 6 hours. These challenges require you to demonstrate several ethical hacking techniques, including:
- Port scanning
- Vulnerability detection
- System attacks (e.g., DoS, DDoS, session hijacking, web server and web application attacks, wireless threats)
- SQL injection attacks, methodology, and evasion
The minimum passing score for the CEH (Practical) exam is 70% (i.e., 14/20 challenges completed).
As a reminder, completing both the CEH (ANSI) and CEH (Practical) awards you the CEH (Master) designation.
OSCP Exam Details
The OSCP “exam” is a proctored lab that simulates a network containing several vulnerability target systems. The tester will receive an email from Offensive Security containing the VPN path and credentials to access the lab, a list of targets, and a link to the exam control panel (a web portal used to submit evidence).
Your objective is to discover and exploit vulnerabilities on each target to gain access to a “proof” file. Proof files contain hashes that users can only view with appropriate permissions. The exam control panel includes a section you can use to submit these hashes as proof of exploitation.
As part of your documentation, you will need to prepare a penetration test report describing the steps you took to gain privileged access to each target system. You must include screenshots of each compromised proof file’s contents (hash) from their original location and IP addresses.
Late last year, Offensive Security announced that the exam structure was changing to introduce Active Directory and de-emphasize buffer overflow. The current test breaks down as follows:
- Three individual machines worth 20 points each (10 points for low-privilege, 10 points for privilege escalation)
- An Active Directory set (two clients, one domain controller) worth 40 points (points are awarded for the full exploit chain of the domain only)
Participants have 23 hours and 45 minutes to complete the exam and another 24 hours to submit their documentation. The minimum passing score for the OSCP is 70 points.
You can earn an additional 10 bonus points, which will count toward your score by completing the self-paced labs included in the coursework.
CEH (ANSI) Requirements
As a prerequisite to taking the CEH (ANSI) exam, EC-Council requires candidates to either:
- To complete EC-Council’s official CEH training course or
- Possess at least two years of work experience in Information Security
If you have the relevant information security experience and wish to skip the official training course, you must submit an eligibility application form and pay a fee (details below). This fee is non-refundable, regardless of whether or not your application to sit for the exam is accepted. Learn more from our "How to Get the Certified Ethical Hacker (CEH) ANSI Certification" article.
CEH (Practical) Requirements
The CEH (Practical) exam is intended for those who have successfully completed the CEH (ANSI), but has no other requirements otherwise.
Offensive Security lists the course prerequisites for the OSCP exam as follows:
- Solid understanding TCP/IP networking
- Reasonable Windows and Linux administration experience
- Familiarity with basic Bash and/or Python scripting
It’s worth noting that unlike CEH (ANSI), these are “soft” requirements; there is no eligibility application; the only validation of the experience above is whether or not you pass the exam.
There is no eligibility requirement to sit for the OSCP exam; regardless of experience, anyone may attempt it.
The roadmap below shows us where each of these certifications fall in terms of skills and abilities.
The CEH (ANSI) exam tests your knowledge of cyber security and penetration testing concepts. You pursue this in stage three, gaining a general knowledge of cyber security principles.
The CEH (Practical) exam takes this one step further by requiring you to demonstrate these skills at a component level, each designed to test competency in a specific area (e.g., packet sniffing, steganography, etc.). It would be pursued early in stage four, developing some practical skills in penetration testing.
The OSCP is exponentially more difficult (and more realistic) because it does not provide any guidance as to what you’ll need to do to exploit each system - that’s for Offensive Security to know and for you to find out… within 23 hours and 45 minutes. It is more advanced than the CEH Practical and takes you further into a stage four knowledge and skill level.
Winner: CEH (ANSI)
Most beginners looking for an entry-level cyber security certification will find the OSCP prohibitively difficult. The CEH (ANSI) exams offer a means to build foundational knowledge and the confidence to tackle progressively more difficult certifications like the CEH (Practical) and OSCP.
Recognition and Reputation
CEH (ANSI)’s Reputation
The CEH (ANSI) certification carries a certain mystique with prospective employers due to its maturity, ANSI accreditation, and endorsement from the Department of Defense. However, the CEH (ANSI) garners less enthusiasm from the cyber security community due to its ease of acquisition.
CEH (Practical)’s Reputation
The CEH (Practical) lacks both the rigor of the OSCP and CEH (ANSI)’s recognition.
The OSCP is widely known and respected as a highly challenging certification, even for experienced penetration testers. It requires you to perform penetration testing instead of rote memorization of terms and utilities.
Further, it requires that the tester provide sufficient elaboration of the steps taken to execute the compromise - a skill overlooked in CEH but crucial to penetration testing as a profession.
While EC-Council boasts that CEH is the “gold standard” of ethical hacking, holders of this certification are not known for being prepared for a penetration testing role. In contrast, those who’ve completed with OSCP exam successfully have proven their capability.
We searched US-based opportunities across three popular job boards and found that “CEH” was included in job descriptions 1.5 to 3 times more often than “OSCP”. Job descriptions featuring “CEH (Practical)” received the fewest hits at approximately 1-5% of the numbers we observed for the “CEH” search term.
Between 4-16% of the postings included both search terms, suggesting either certification would be acceptable.
The table below was compiled from data* published on Payscale.com, comparing salary ranges by certification and job title. They did not differentiate between CEH (ANSI) and CEH (Practical) holders, but we’ll assume they meant the prior:
*The figures above were current as of September 2022. The CEH certification was based on 2,612 individual reports, while the OSCP salaries came from a much smaller sample size of 440 individuals.
In addition to Job title, experience also goes a long way toward determining overall compensation for a given role. The graph below illustrates a breakdown of the average experience level of CEH (ANSI) holders according to payscale.com:
Although CEH (ANSI) is considered an entry-level ethical hacking certification, the data implies that very few entry-level job candidates hold that certification. By comparison, far fewer late-career and experienced candidates are pursuing an OSCP:
Winner: CEH (ANSI)
Prospective employers are asking for CEH-certified applicants far more often than OSCP holders. The job postings we reviewed usually didn’t specify whether they were looking for CEH (ANSI), CEH (Practical), or both ( i.e., CEH (Master) designation).
While a CEH (ANSI) certification alone might help you to get your foot in the door, the competency demonstrated by attaining a CEH (Practical) certification and, to a greater extent, the OSCP certification may help you be successful in that role.
Cost and Recertification
CEH (ANSI) Cost
Before purchasing an exam voucher, you must spend $850 for the official CEH training course.
Alternatively, if you have at least two years of information security experience can submit an eligibility application form and a non-refundable $100 application fee. If EC-Council rejects your application, they will not issue a refund.
The current cost of the CEH (ANSI) exam voucher through Pearson Vue is $1,199. If you plan to take the exam online via ProctorU, you can save a little money by purchasing an ECC exam voucher for $950.
If you fail your CEH (ANSI) exam, you can apply for a retake, and if approved, you can purchase the voucher for $499.
CEH (Practical) Cost
The CEH (Practical) exam voucher is $550.
At a minimum, an experienced Information Security Professional will pay $1,600 for their CEH (Master) designation.
Candidates that don’t meet the experience eligibility requirements can expect to pay at least $2,350 for their CEH (Master) designation.
Upon successful completion, all EC-Council certifications are valid for three years. To recertify, you must:
- Pay an annual membership fee of $80
- Earn 120 EC-Council Continuing Education (ECE) credits within the three-year window (per certification)
You can earn ECE credits by earning other security-related certifications and attending information security-related conferences and events. You can read more about EC-Council’s ECE Policy here.
Offensive Security doesn’t sell a stand-alone exam voucher. Instead, they offer a bundle for $1,499 that includes the following:
- The course (PEN-200)
- 90 days of lab access (online)
- OSCP exam certification fee (1 attempt)
You can purchase additional lab access for $359/per 30-day extension. If you don’t pass the first time, you can retake the exam for $249.
Another option is to purchase Offensive Security’s Learn One subscription plan. For $2,499 annually, you will receive the following:
- Access to the OSCP course material and two exam attempts
- One year of access to the course labs
- One year of access to the Proving Groups Practice targets (virtual lab)
- Access to pre-requisite content
- Access to the Kali Linux Certified Professional (KLCP) course material and exam voucher
- Access to the Offensive Security Wireless Professional (OSWP) course material and exam voucher
The OSCP (and other certifications offered by Offensive Security) do not expire and do not need to be renewed.
If you can commit to a significant amount of study time and lab practice over a relatively short period (90 days), the OSCP certification bundle may be the right choice. It’s between $100-850 less expensive than earning a CEH (Master) designation.
This gap widens when you factor in the cost of CEH recertification ($80/year, not including any other expenses incurred through earning ECE credits).
The Learn One subscription is a better option for those who need more time to prepare since you’ll have an entire year’s worth of access. While it’s more expensive than the CEH, the hands-on lab access and additional certification coursework offer more value (provided you can complete all three courses and their exams within a year).
CEH vs OSCP - The Final Verdict
The decision of OSCP vs CEH (or possibly both) ultimately rests on your career goals. The table below summarizes the criteria we evaluated in this article:
If you’re serious about pursuing a career as a penetration tester, you should be working toward your OSCP certification.
Otherwise, if you’re looking to make a career change, perhaps from a general IT background into a more cyber security-focused role, earning your CEH (ANSI) certification may help you get recognized by prospective employers.
Since most employers aren’t looking for CEH (Practical) candidates, we can’t recommend going beyond CEH (ANSI).
While CEH (ANSI) and CEH (Practical) can be used as stepping stones to prepare for OSCP, those who earn their OSCP won’t have use for a CEH (Master) designation.
StationX offers bundles for both CEH and OSCP certification through our membership. The StationX Accelerator Program provides you with the relevant content needed to successfully prepare for and pass either exam and unlimited access to hundreds of other courses covering information technology, information security, computer networking, and much more!