I decided to write this blog in response to seeing multiple people on Discord and Twitter ask about the difference between eJPT and CEH. I was lucky enough to pass both of these certifications in 2020, so I feel as though I have an appropriate amount of experience to give an opinion. Below I will outline what I believe are the major differences between the two, as well as pros, cons, and final comparison thoughts. I would like to point out, however, that these are my own personal opinions and should be taken with a grain of salt and followed up by additional research on your own. Also, as I will explain later, both of these certifications were paid for by my employer, so I have an unusual perspective on the price of the exams; I will try to give an opinion about price points from the mindset of someone who had paid out-of-pocket.
I received eJPT back in late January 2020. This was obviously before the eLearnSecurity merger with INE and so my employer paid a flat $399 for the PTS training material which included three test vouchers.
The PTS material was broken into three groups: Prerequisites, Programming, and Penetration Testing. I shall speak to each.
Prerequisites was a great introduction to all things penetration testing. It clearly explained the methodologies used by modern-day penetration testers. It gave a decent overview of the networking knowledge needed to be successful in this field, and it hit both network pentesting and web application pentesting topics. Indeed, it was a well-presented introduction. Side note: I will be saying ‘indeed’ a lot in this post to pay homage to the number of times eLS says that dang word.
Programming was a bit overwhelming, if I may be honest. I am not a programmer and knew it would be a little surprising, but I was definitely not prepared. That is not to say that the material itself was too difficult; it was simply the sheer amount of information. This group of training featured C++, Python, and Command Line (which focused primarily on Bash). I had only really dabbled in Bash at that point, so to not only expand that knowledge but also throw in two other languages was a lot for me. Working through this material taught me a lot, but I definitely had to slow down and read. The labs helped a lot, although I found myself mainly following along with the included walkthrough rather than doing it myself.
The real meat of this course obviously came from the last group of modules, Penetration Testing. Indeed, this really did make the course fantastic. Walking students through a real-world penetration test from beginning to end, while keeping the material up-to-date but not overwhelmingly difficult, was amazing. They really did make students earn the title of Penetration Tester, however Junior that may be.
The exam was no different. Students were expected to enumerate, exploit, and pillage all on their own within a realistic lab environment. The questions hinted at places to look (if a question had something to do with a web page, you obviously needed to find a web server) but stayed well away from a CTF-style “look for a user flag” format.
All in all, the PTS material took me probably 30–40 hours and was well worth the time investment. Had I paid the $400 out-of-pocket I would have been more than satisfied with the investment. I am more proud of my eJPT than my Sec+, CEH, or even GSEC certifications.
With all that being said, let me switch gears to the (in)famous CEH from EC-Council. I’d first like to start by saying that when I applied for funding for CEH I really did think it would make me more valuable to a future employer. You see, I was working as a VMware Administrator and I really had no mentor in the cybersecurity world, so I was just going by articles found on Google. And boy, does EC-Council pay good money for their placement within every single one of those articles.
The biggest thing CEH has going for it is its relationship to DoD 8570 requirements, of which CEH satisfies four of the five CSSP (cyber security service provider) categories. And since I work in the government contracting world, I knew I needed to satisfy those requirements.
My employer paid, and I do not feel good saying this, $1,899 for my CEH. That probably just made some people close out of this blog post. But that should show just how out of touch the modern employer is with the requirements of the security field today. But, hey, it was no real sweat off my back.
The CEH material was broken down into 20 different modules, with topics ranging from the normal penetration testing steps, to cloud computing, to IoT devices, and everything in between. Altogether it was a bit over 25 hours of material, if I remember right.
Here is, however, the crucial problem with CEH. The material is outdated, easily found anywhere else on the internet, and approached as a shotgun blast of unnecessary tools with irrelevant customizations. I am not saying I learned nothing, but the things I did learn were not very applicable. Let’s take the Nmap module, for instance. If I remember right, I spent the better part of 20–30 minutes watching an instructor run every single Nmap parameter under the Sun, running completely off-the-wall scripts that got little to no output back from some brick-wall web server, and regurgitating the same information I got from running man nmap on my own VM. And that was it. No lab, no hands-on, nothing. I actually downloaded Metasploitable 2 into my own VMware Workstation just to run Nmap for myself. It was about that time that I found a 14-hour free course on YouTube by Heath Adams, better known as TheCyberMentor, and his Nmap walkthrough was fantastic.
There is not much else to say about the CEH material, and that alone should speak volumes. So instead I will pivot (funny pun) to the test. The CEH test is nothing more than a proctored multiple-choice exam that hits on just as many unnecessary and irrelevant tools and tricks as the material. Indeed, the training prepared me for the test. I would also like to point out that my AVG anti-virus stopped EC-Council’s examination proctor program from running the first time, as it registered it as malicious. Quite ridiculous. I do not want to seem one-sided, but there really is not much more to my review. If I had paid almost $2,000 for CEH I would be sick to my stomach.
At the end of the day, CEH left a sour taste in my mouth and guilt on my shoulders for making my employer pay so much. But here is the worst part. As of the time of this writing, the CEH is no longer a DoD 8570 powerhouse. Yes, it still satisfies those requirements I spoke about before, but guess what else does? CompTIA PenTest+. That’s right, a $370 examination from a more reputable organization matches the same benefits of the $1,899 joke. And I would argue it comes with even more; in fact, I personally know some PenTest+ certified individuals, and they have all expressed their appreciation for the quality of the information covered.
I hope that my review has shed some light on this subject. I hope one day EC-Council will wise up and do a bottom-to-top revamp of their course to match the quality other organizations are known for. But until that day I will continue to recommend that aspiring security professionals stay far away from CEH.