Is the CEH Certification Worthless?

---

I just finished watching a video on youtube about the best certs for becoming a pentester. The guy in the video, who is a pentester, says that the Certified Ethical Hacker Cert is basically worthless. He says he's been laughed at from hiring people because he said he had CEH. He says I would be much better off with something like OSCP, Offensive Security Certified Professional. He says CEH is nothing more than a memorization exam, that I'm not learning real practical skills.

Is this true? Am I wasting my time with learning CEH?

Here's a link to the video:
https://www.youtube.com/watch?v=wIt_VAM4q-Y

@Joshua-Havins Damn, if you recognize the Person by the Quote :)

I am actually interested on ITPro's take on this as well. Being a Comptia partner, would you advocate the Pentest+ instead or also go with the, in my view rather hard OSCP certification?
Or are all 3 of these certs on different levels (as in associate/expert for MCS*)

@Joshua-Havins & @Andreas-Hoffmann ,

I hope you are both well. So it is an interesting set of questions that you both have posed, and like most great questions, there is not one single great answer.... :)

What I mean is that it really depends on what you are looking to do, or accomplish, as part of taking one or more exams in any given knowledge area.

#1. If you are looking to gain skills and build, or pursue, a career path that is targeted at becoming a Red Team/Pen Test professional, then that is one thing.

#2. If you are looking to build a broad ranging set of skills in the security arts and areas, and ARE NOT focused on becoming a specialist in any one area as part of your career path, then that is another thing.

#1 is a path that sees you going deep in a very narrowly defined area and becoming a specialist in that area as you acquire/build ever deepening skills as a hands-on practitioner.

#2 is a path that sees you building a broader base of skills across multiple areas of knowledge and practice, and while you may choose to specialize in one or more over time, you are looking to gain broad knowledge about many things as you figure out what will be of interest to you.

With that being said, to Andres's point, there is a hierarchy of skill and knowledge that exists in ALL things, and as a result, the smart people pay attention to it in order to understand how to build successfully as they build/acquire knowledge.

No exam is a "waste of time", because you are studying and acquiring knowledge, and hopefully retaining and applying that knowledge over time. HOWEVER, there are exams that are more or less valuable to you at any particular point of your plan, or growth curve, depending on where you are, and where you want to be...

The EC-Council CEH exam is a good base exam, as it has a broad area of knowledge and skills that it draws on for it's coverage, BUT, it is relatively shallow in any/all of those areas in terms of detail and application of skills.

The CompTIA PenTest+ and CySA+ exams are also a very good set of exams that offer a great set of skills and knowledge areas for you to learn about and apply. A bit narrower in focus than the CEH exam, but a bit deeper in the areas focused on.

The OSCP certification is a very very very deep technical exam that seeks to blend knowledge and application of skill together in one experience. It is one of the more difficult exams currently available, and is not something that a security focused professional attempts until they have put in a significant amount of study time, hands-on time doing Capture The Flag (CTF)'s, hack challenges, etc... to understand how to synthesize and apply their knowledge in a focused, practical, creative and time bounded way to accomplish successfully a series of hack the box challenges over a 24 hour period as well as writing up a full report documenting all of their activity.

My point is that exams are not a one-size fits all thing, lots of people do them, but they do them, or do not do them, for a very wide array of reasons.

Focus on what your end result(s) that you are hoping to achieve should be, and then work backwards to plan the best career path, and the supporting elements like exams that will play a crucial part in helping you to achieve them.

Take lots of people's opinions into account/under advisement, but, at the end of it all, you need to do what seems to make sense for you at the time.

I have never had a student, or an employee, come to me in over 35 years, and tell me that they regretted taking an exam.

I have had A LOT of people come to me over the years and tell me that they regretted NOT TAKING an exam, as it was a missed opportunity, often in hindsight, to accomplish something, or to be positioned to accomplish something that they wanted to do, but just did not see that connection at the time.

Good luck to you both...

Cheers,

Adam

@Adam-Gordon Thanks for the information Adam

@Adam-Gordon thanks for the detailed answer :)

I find myself more in the #2 category, as i do want to branch out in all things security, but dont feel comfortable just yet to go dive into the deep end of one specialization. From my current employeer standpoint, i could fit into the blue team, as red teams are hired Outsiders with my company. Switching into red teaming would mean for me becoming a Freelancer/Consultant, which i do not feel comfortable due to family reasons. Maybe in 10 years when the kids are bigger.

That being said, i totally am on your side of "no exam is wasted". Neither the prep work nor the writing itself. Sadly we dont have unlimited funds to pay for those exams. I did write the CySa+ beta in january, transition exams for Microsoft and also helped test the LPIC2 beta when they renewed their content in 2016. Cheap tries for each of those. Maybe i can get into the beta for PenTest+ (i believe that is slated for end of the year or maybe next year), if you can pull strings there dont mind doing that ;)

I already watched the complete CEH-series from your content, i watched the VCP-DCV series as well, as i play around with ESXi at home. Both are things i wont have the Money for, i feel the prices are a tad ridicilous. Especially as you have to take the Courses and cannot self study to get by.

Damn, rambling of a cert-addict maybe. Trying for MCSA2016 through update and Core Infra with 70-744 before they expire thumbsup

Cheers, Andreas

@Joshua-Havins & @Andreas-Hoffmann ,

You are both welcome... @Andreas-Hoffmann ... Moving through a Blue Team path can look like many different things depending on the focus area(s) that your company may have a need for.

For instance, ITIL certification is a very important building block as is Project Management.

Also, cloud services such as Google (GCP), Amazon (AWS) and / or Microsoft Azure are all also very important areas to consider.

Cisco and the CCNA certification is also something else to focus on.

On the surface none of these areas have anything to do with Security, and even less so with Blue Team activities, BUT... a well rounded and grounded I.T. professional, who has a breadth of skills in technology platforms, networking, and Service and Project Management makes a FORMIDABLE and VALUABLE employee, and/or new hire for another company...

Keep fighting the good fight... and lay out your plan smartly, economically, and see if your organization is willing to invest in you and your plan as part of a development goal...

If I can be of any assistance, or just lend a "sounding-board" ear from time to time... Please call on me as needed.

Cheers,

Adam

@Adam-Gordon Thanks for all the Input. You can be sure that i will lean on you from time to time ;) The ITIL-part i really didnt want to read. i dont like the word "Management" … but it is what it is. AWS/Azure are on my hit list, Cisco not too much, as there is not enough job postings in Germany for it.

Thanks also for all your awesome content, no exam missed with ITProTV as part of my preparation yet ;)

See ya,
Andreas

Hello,
I took a CEH course and found it not very helpful. Some companies, especially the government, require this certificate.
The content of the CEH certificate is nothing special, you get a book or a pdf with a thousand pages and learn the stuff. The questions are sometimes asked strangely and have little to do with reality. If your future employer cooperates with the government, he sees a value in it, otherwise probably not.

The PTP course or the course leading to the OSCP is quite different. In these courses it is of no help if you only learn questions by heart, because the exam consists of two parts: A 100% practical part and you have to write a report. This is much more realistic and valuable than the CEH course. OSCP and PTP together cost less than CEH and are much more valuable for the job. The OSCP is very well respected, PTP is not as well known but still super useful.

But the CEK course is not useless, because it gives a very large overview. The cyber-security field is incredibly large and there is so much to learn. The CEH course covers every topic, even if it is only one inch deep. The CEH training courses of IT-ProTV even go much deeper than the exam requires. I enjoyed the videos a lot.

The CEH course, like all theoretical courses, has the problem of brain dumps. You can therefore pass the certificate in a very short time with practically no real knowledge.

The CEH does not help in a pentest interview, especially not if you have to root a small test machine.

About compTIA's pentest+: I have the book at home and it is a good supplement when you are in the field, because you learn a lot about law and regulations. PTP and OSCP has no such part.

In the beginning you should choose a path and focus on it. There are so many possibilities, it takes at least 5 years to become reasonably good in a single path. Relatively cheap and good providers are OffensiveSecurity or eLearnSecurity, but there are a few more. GIAC is also very good, but not affordable as a private person. What they all have in common is that they are relatively difficult and very technical.