How to Become a Certified Ethical Hacker

a long view of a man sitting in a hallway working on a laptop
Westend61/Getty Images

The term “hacker” hasn't always had a negative connotation, but it's developed one through years of news coverage on malicious individuals and groups that identify as hackers. Despite how paradoxical the term “ethical hacker” may seem, the credentials of a Certified Ethical Hacker are no joke.

Certified Ethical Hacker (CEH) is a computer certification that indicates proficiency in network security, especially in thwarting malicious hacking attacks through pre-emptive countermeasures.

While malicious hacking is a felony in the U.S. and most other countries, identifying and pursuing these digital criminals requires other programmers to be trained in the same technical skills possessed by the perpetrators.

About the CEH

The CEH credential is a vendor-neutral certification for information technology professionals who want to specialize in identifying and blocking malicious hackers.

Even before the credential was introduced, private firms and government agencies were hiring reformed malicious hackers because they believed that was the best method for securing their networks. The CEH credential takes this a step further by requiring recipients to agree in writing to abide by the law and honor a code of ethics.

The credential is sponsored by the International Council of E-Commerce Consultants (EC-Council), a member-supported professional organization. Its goal, is to establish and maintain standards and credentials for ethical hacking as a profession, and to educate IT professionals and the public on the role and value of such specialists.

In addition to the CEH certification, the EC-Council offers several other certifications relevant for network security jobs, as well as those for secure programming, e-business, and computer forensics jobs. Certification proficiency levels range from entry-level to consultant (independent contractor).

How to Become a CEH

Students who have a minimum of two years of security-related job experience can apply for approval to take the EC-Council exam. Those without two years of experience will be required to attend training at an accredited (and EC-Council-approved) training center, online program, or academic institution. These requirements prepare applicants for the exam and help screen out malicious hackers and hobbyists.

As of 2018, the courseware price for the five-day certification course was $850. The application fee for those seeking to bypass the training course was $100, and the exam voucher price was $950.

The Course

The CEH Training Program prepares students to take the CEH 312-50 exam. It consists of 18 modules covering 270 attack technologies and mimics real-life scenarios in 140 labs. The course is run on an intensive five-day schedule with training for eight hours per day.

The goal of the program is to prepare students for their exam, and to give them an idea of the scenarios they may face in a career as an IT security specialist.

The Exam

The 312-50 exam lasts four hours, comprises 125 multiple-choice questions, and tests CEH candidates on the following 18 areas:

  • Introduction to ethical hacking
  • Footprinting and reconnaissance
  • Scanning networks
  • Enumeration
  • System hacking
  • Malware threats
  • Sniffing
  • Social engineering
  • Denial of service
  • Session hijacking
  • Hacking web servers
  • Hacking web applications
  • SQL injection
  • Hacking wireless networks
  • Hacking mobile platforms
  • Evading IDS, firewalls, and honeypots
  • Cloud computing
  • Cryptography

Job Outlook

IT security is a rapidly-growing field, and the U.S. Bureau of Labor Statistics (BLS) projects job growth at a rate of 28% for the decade ending in 2026. This is far greater than the 7% job growth projected for all professions combined. According to the BLS, the median annual wage for IT security analysts in 2017 was about $95,000.

Most jobs that CEH-credentialed professionals pursue put candidates through background checks and rigid personnel security investigations. Security clearances likely will be required at government agencies or private firms with government contracts.

Searching Indeed reveals that many security jobs require or recommend a CEH credential, and that those candidates who possess one will be more marketable to potential employers.

Success Stories

Ethical hacking tends to be encouraged by the largest tech companies in the market, who celebrate and reward the hackers that make their platforms stronger. Companies like Apple, Google, and Amazon have a history of challenging CEHs to break their respective security measures as a way to help the companies find security vulnerabilities and improve their products (while offering a cash reward to anyone who can find a weakness).

In 2016, Nimbus Hosting listed some of the most famous success stories of ethical hackers. Among them are examples of a security team offering a reward to anyone who could take over an iPhone or iPad, and an anonymous hacker who went by the name Pinkie Pie who helped identify a bug in Google Chrome. Not all of these examples involve professionals following the CEH-certification route, but they show the value companies place on trustworthy hackers as a way to shore up network security.