Many students looking to break into cyber security find themselves overwhelmed with the number of available certifications. CompTIA’s Pentest+ and EC-Council’s Certified Ethical Hacker (CEH) are respected entry-level hacking certifications, but their similarities make it difficult to determine which to pursue.
Any certification worth having requires you to invest time and money – neither of which you want to waste. With that in mind, we will look at the differences between Pentest+ vs CEH and help you find out which is best for you.
About Pentest+ and CEH Certifications
Pentest+ and CEH are entry-level hacking certifications, placing them in the lower-mid tier of the security certification landscape.
Both exams cover technical aspects of ethical hacking, such as tools, terminology, methodology, and commands, but there are differences in their respective domain focus.
CompTIA’s Pentest+ markets itself as a penetration testing and vulnerability management certification, covering everything from the initial scope and contract, through testing and exploiting, to a completed report and client debrief.
The CompTIA website boasts that their Pentest+ exam, “…not only covers hands-on vulnerability assessment, scanning, and analysis, but also includes planning, scoping, and managing weaknesses, not just exploiting them.” This is a shot at CEH, whose exam focus will be discussed below.
Pentest+ covers both technical skills, such as running tools like Nmap and understanding foundational Python scripting, and administrative topics like scope creep, liability, client communication, and regulatory compliance.
While Pentest+ takes a broad but shallow look at pentesting, EC-Council’s CEH is focused on the, “latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals to lawfully hack an organization,” according to the EC-Council website.
On the CEH exam, the focus is scanning and enumeration, exploiting vulnerabilities, malware analysis, and various attack strategies. Pentest+ covers many of the same techniques and attack vectors, but CEH dedicates 79% of its 125 questions to those topics.
While there is significant overlap between the two certifications, CEH will expect you to go deeper into technical topics such as footprinting, specific sniffing techniques, and avoiding detection.
Pentest+ and CEH are often compared not only due to the overlap of material but also the similarities in exam format. Each is primarily a multiple-choice exam that can be written through Pearson VUE, and you receive your results immediately after completion.
That is not to say the exams are equal. So, let’s compare the length, question style, and passing score to determine which performs a more thorough examination of your skillset and knowledge base.
Pentest+ Exam Details
CompTIA’s Pentest+ has a maximum of 85 questions, combining multiple-choice and performance-based questions. Many of the multiple-choice questions follow the “given this scenario” format, which asks for the best answer under the prescribed conditions.
An example might be, “you discover several devices vulnerable to a buffer overflow attack, but there is no patch from the manufacturer. Which of the following mitigations would you recommend?”
The performance-based questions have you perform basic tasks, such as running Nmap with the correct flags for the required result or completing a missing snippet of a PowerShell or Bash script. While these may sound intimidating, they tend not to be overly complex.
The test is two hours and 45 minutes long and scored between 100 and 900 points with a passing grade of 750.
CEH Exam Details
Certified Ethical Hacker (CEH) consists of 125 multiple-choice questions with no simulations. The passing score depends on the question bank you are served and can range anywhere from 65% to 80%.
CEH questions tend to be more matter-of-fact than those on Pentest+. An example might be, “which of the following tools can be used for remote password cracking?” or “What type of attack involves pretending to be an employee and requesting a password reset?”
Being a pentester is more than just memorizing terms. As a pentester in the field, you will need to perform critical thinking. “Given this scenario, what do I do?”
CEH doesn’t give you this challenge, nor does it require you to perform any tasks expected of an ethical hacker.
If you find yourself confused when looking at prerequisites and required experience for these two exams, you’re in good company. We are often asked to clarify the requirements to sit for these exams, so let’s review these now.
Pentest+ calls for knowledge equal to a Network+ and Security+ certification holder and three to four years of experience pentesting. This is not a requirement or prerequisite to writing the exam.
Pentesting is an advanced discipline within information security, so while a working knowledge equivalent to holding the Network+ and Security+ is recommended, you do not need any certifications to be eligible to write this exam.
The years of experience are also not a requirement, unlike the CISA or CISSP. The three to four years is simply used as a metric for the level of knowledge you should possess to be successful in passing this exam.
CEH, however, gives you two options.
Option one: You take an official EC-Council partnered training course.
Option two: You have a minimum of two years in information security. You must submit an application fee of $100 (non-refundable) and await formal approval from EC-Council’s certification department.
These requirements put CEH further out of reach for some students: you must either pay for both the official training and the exam, or already have been working in the industry for a couple of years.
With no prerequisites, Pentest+ allows you to prepare however you feel most comfortable without requiring any industry experience.
Exam difficulty is subjective. That said, our experience is that Pentest+ is the more difficult of the two exams. We see this opinion reflected in reviews, blogs, and forum posts from past students who have taken both.
When assessing why Pentest+ is generally considered more difficult, there are several factors to consider.
- First is the scope of the subject matter. Planning and report writing make up a combined 32% of the Pentest+ exam. That is 32% more content than CEH to cover in your studies.
- The second is the time frame. CEH’s four-hour sitting gives you an hour and 15 minutes longer to write the exam than Pentest+’s two hours and 45 minutes. When you consider the number of questions, CEH gives you slightly less than two minutes per question. Pentest+ averages about the same over its 85 questions. However, you can have anywhere from one to six performance-based tasks, which take much longer than a simple multiple-choice question. This cuts down the time you can spend on the remaining questions.
- Thirdly, the performance-based questions themselves add a level of difficulty not seen in CEH. These questions take more time, need to be thought out, and due to their complexity, may be eligible for partial scoring.
- Finally, let’s take a look at the skills roadmap below. You would pursue CEH when you enter stage three, as you are ready to develop a stronger, albeit general, knowledge of cyber security. Pentest+, covering legal and administrative details, proper procedures, and some hands-on questions, would be pursued in stage four, where you begin to develop the knowledge and skill to specialize and gain a deeper understanding of cyber security.
CEH is widely considered the easier exam to pass due to the strict multiple-choice format, narrower scope, and longer sit time.
We give this verdict with a caveat. This is not to say that CEH is an easy exam, nor that you should be discouraged from writing Pentest+. Whether you think a lower comparative difficulty is a benefit or a deterrent is subjective.
Recognition and Reputation
How are Pentest+ and CEH viewed in the industry? Let’s discuss the reputation of these certifications and the organizations they belong to.
Pentest+ is fairly new to the scene, having launched in July 2018. Since then, it has become DoD 8570-approved and ANSI/ISO/IEC 17024-accredited, making it a solid alternative to CEH. Unfortunately, it is still gaining traction in terms of name recognition.
“Pentest” is an industry-specific term, unlike “hacker,” which has its own mystique and romanticism in popular culture. When a non-technical hiring manager reads resumes, CEH certainly jumps out more.
For those in the trenches, it’s a different story. Pentest+ has the benefit of CompTIA’s reputation. Thanks to certifications like A+ and Security+, CompTIA is well known and respected among information security professionals.
The other consideration is the relevance of the knowledge gained. CEH teaches you the tips, tricks, tools, and techniques you need to know. What many people forget is that clients aren’t paying you for that.
Clients aren’t paying for you to break into their network, that’s simply a means to achieve the end goal. They’re paying for an audit report. They want a document they can hold in their hands that says what their problem is, shows them proof, and most importantly, says how to fix it.
When it comes to recognition, CEH has a lot going for it. It’s been around for over 19 years and has long been a standard for regulatory compliance, being included in DoD Directive 8570 and accredited under ANSI/ISO/IEC 17024 long before Pentest+ came on the scene.
CEH is famous enough that even those with only peripheral knowledge of offensive cyber security have heard of it, which is great when you’re trying to get noticed by a potential employer’s human resources department.
When it comes to grabbing the attention of a hiring director who isn’t themselves a cyber security expert, the title “Certified Ethical Hacker” says it all.
Unfortunately, the prestige stops there. CEH might be popular among recruiters and human resource managers, but it isn’t well-respected among cyber security professionals.
CEH does not cover report writing. Nor does it cover rules of engagement, compliance, resources and budgets, legal documents, or memoranda of agreement. Most notably, there is no practical testing, unlike Pentest+ or the more recognized and difficult OSCP.
It is also worth noting that CEH is a certification managed by EC-Council, whose reputation has been under fire for the last two years after they were pressured into releasing an apology for plagiarism on their official blog. See PortSwigger’s article or cyber security expert Alyssa Miller’s blog for more information.
Pentest+ covers essential material missed by CEH that you will need to know to be successful as a penetration tester. Unfortunately, it is still flying under the radar for many organizations.
CEH has its fame among recruiters and years in the marketplace, but it lacks the challenges and content to be respected by cyber security professionals.
Both certifications have opposing benefits and flaws, but the fact that CEH is more well-known gives it a slight advantage in this category.
Both certifications claim to prepare you for such jobs as:
- Penetration Tester
- Security Consultant
- Network Security Operations
- Vulnerability Tester
- Security Analyst (II)
- Vulnerability Assessment Analyst
- Application Security Vulnerability Analyst
- And more…
An America-wide search on Indeed using “CEH” yielded 3,734 results. Pentest+, by contrast, returned only 359. This certainly speaks to the name recognition of CEH among recruiters and HR professionals. Pentest+ has a lot of catching up to do.
The numbers don’t lie. While many of the job listings require several other certifications or industry experience, CEH appears over and over while Pentest+ does not.
Cost and Recertification
There are significant differences between the costs and renewal requirements of these certifications. The CEH exam alone is roughly three times the price of Pentest+, and it requires additional costs if you don’t have industry experience. Let’s break this down further.
At the time of this writing, Pentest+ costs $381 USD for a single attempt. There are no other fees associated with writing the exam.
The certification is valid for three years. It can either be renewed by rewriting the exam or earning 60 CEUs (Continuing Education Units). CompTIA has the last word on what they will consider an applicable CEU, but training courses, being involved in industry events, publishing and gaining other certifications are all ways to earn CEUs.
It currently costs $1,199 USD to write the CEH exam. If you do not have the two years of industry experience, you will be required to take an EC-Council partnered training course. These courses start at $2,199, which includes one exam attempt.
CEH is also valid for three years, but requires an $80 yearly membership fee.
Unlike Pentest+, which only requires the 60 CEUs to be completed within three years of the certification’s start date, CEH requires 40 ECE (EC-Council Continuing Education) credits each year, for a total of 120 credits over the three-year cycle.
The costs involved in earning CEH are certainly hard to swallow when compared with Pentest+, so you will need to weigh that against what you hope to get out of being a certificate holder.
Pentest+ vs CEH – The Final Verdict
There isn’t a universal correct choice between CEH vs Pentest+, but there is a correct choice for you.
If you are looking to become well-rounded in all elements of penetration testing or need to learn more about setting scope, protecting yourself and your client, and presenting a professional report, take Pentest+.
Likewise, if you are looking to take one because you need a DoD 8570-approved, ANSI/ISO/IEC 17024-accredited certification, Pentest+ is a much more affordable route.
If your goal is getting the attention of hiring managers (particularly those without much technical industry knowledge) and you are prepared to invest, CEH is the better route.
And if you’re still deciding on your long-term goals, our cybersecurity career pathway can help you map your goals and suggest skills to develop and certifications to earn.
If you are considering either CompTIA’s Pentest+ or EC-Council’s Certified Ethical Hacker (CEH), StationX has all the training you need in our VIP members area.