Obtaining the CEH (Certified Ethical Hacker) Certification - My Journey and Tips for the Exam

This February, I successfully obtained my CEH (Certified Ethical Hacker) certification, which is an entry-level penetration testing certification that has become popular and much-sought after in the industry today. By entry-level, I only mean it will get your foot in the door to the world of penetration testing and ethical hacking; as you may be aware, this is a difficult test, especially if you don't have much experience in the security world. After completing it, I dumped my study strategy in the r/CEH subreddit for fellow CEH students, and I received a ton of positive feedback as well as more questions. I figured it'd be best to just describe my entire journey here, and lay out exactly what you need to succeed.

There are many challenging aspects to obtaining this certification; the price is astronomical compared to other certifications, the available study materials are vast, and it's difficult to tell how long you should spend studying. It's easy to fall into, what I like to call, "tutorial hell," where you collect too many study materials, watch too many YouTube videos, and end up studying indefinitely. At some point, you need to bite the bullet and walk into the test with pride and confidence. I was extremely nervous, but I promise following my advice will help you to pass the test in a reasonable amount of time.

First I will address the massive purchase. This exam is ridiculously expensive, but it's a real investment, and Key Cyber Solutions can ensure you the security of a 100% refund if it does not work for you (which is NOT offered by EC-Council, the proctor of the exam itself). The issue of price was kindly mitigated by my employer, who paid for the cert in full, no questions asked. I didn't have to pay a dime; my boss AJ invested in me and believed in me. I promise this is not a paid advertisement (I'm writing this blog to give knowledge back to the community that helped me, not for any money), but you need to hear me out. You NEED to purchase this certification through Key Cyber Solutions (KCS) here. There is a 100% refund guarantee if you pass and do not get a job, but, most importantly, for every CEH voucher/class purchase, KCS will donate directly to Tech4Troops, an amazing initiative to provide technological resources for veterans. EC-Council WILL NOT give you a refund if you're not placed in a job. EC-Council is not a small business like Key Cyber Solutions. Also, EC-Council makes 100% of the profit if you do not purchase through KCS. There is absolutely no reason not to purchase through Key Cyber Solutions. Again, this is not an advertisement, I'm telling you to do this for the sake of your wallet's security, and of course to give back to veterans. Again, here is the link. And again; KCS is not doing this for profit, and they're a small business. Support small business and amazing initiatives.

Now, you've made the purchase, you've made the decision to study and take the exam, but you're not sure where to start. Googling "CEH" is terrifying and will return thousands of opinions. That's what I'm here for; I've already poured over all of the options.

Step one: schedule the exam NOW. Yes, do it immediately, and do it before you begin studying. Choose a date several weeks out, and just schedule it. Create a study schedule for yourself and stick to it; having this exam date planned in advance will motivate you to learn. This will also allow you to pick an appropriate time slot for your schedule. Please note that if you choose to take this exam online, there are very limited options available. The online proctors live in India, and my only available time slot was midnight. I made the mistake of not scheduling ahead. I had only the option of midnight on a Saturday, unless I wanted to wait more than three months to take the exam, so I was backed into a corner; totally my fault. So seriously, schedule the exam ASAP. Now, onto the study materials.

Study time! The most common questions I receive are typically along the lines of, "How long did you study? What did you use to prepare?" Personally, I used four study resources and was over-prepared for the test despite being a complete beginner. I used EC-Council's 2000-page CEH course material, their virtual iClass environment for hands-on training, Matt Walker's CEH book, and the Boson practice exams. Depending on your skill level, you could easily use only one or two of any of those resources and pass the test. Assess your current knowledge, and use whatever you think you need. Don't be afraid to be over-prepared.

I was working full-time, so I had to spread my studying over a couple of months. EC-Council will provide you with a wealth of content, and it can be a little overwhelming. This included quizzes, a 2000-page book, and their "iClass" virtual environment. Personally, I ignored the quizzes (some of the answers are objectively wrong), and read most of the 2000-page book. There are videos as well, but I recommend either reading the book or watching the videos, not both, as they are essentially the exact same material. The book was great, as it is laid out in chapters mirroring the typical ethical hacking methodology of recon, scanning, enumeration, gaining access, maintaining access, and clearing tracks. It really does build a great foundation for you to begin hacking, and this methodology is absolutely critical to understand. The virtual environment was PRICELESS. All accessible from a browser, you will have access to a Windows Server machine, Kali Linux machine, Android machine, a standard Windows 10 machine, and more. All of these machines are on the same network and available for you anytime - this is also critical to understanding what you are being taught, especially if you're a hands-on learner like myself.

I mentioned two other critical resources: Matt Walker's CEH book and the Boson practice exams. Matt Walker's book was absolutely invaluable in that it filled in knowledge gaps related to advanced networking that I was lacking. The Boson practice exam environment is perfect for practicing a week or so prior to taking the exam itself; the number of questions and time are all identical to taking the real exam, and the content is perfect. I highly recommend at least using the Boson practice exams.

Use these resources, and you will pass. The main factor to take into consideration is of course your experience level. You need to be able to follow along with EC-Council's material and identify your gaps in knowledge, whether that be networking, cryptography, etc., and fill those gaps. That is the key to passing. Well, that, and the sheer cost of study materials. If you're short on money, I recommend sticking to EC-Council's base study material, and Matt Walker's book which you can get for about $20 at the moment. Having that physical book also makes for a great on-the-job reference.

You've studied, you're confident in your knowledge, and now, it's exam time. Take a breath, you can do this! A few days before the exam, make sure you have everything prepared. If you decided to take the exam in-person, double check your appointment, and be sure to understand exactly how long it will take to drive to the location. Give yourself plenty of time in case of traffic, and be sure to get plenty of sleep. Take the day off if necessary - this is an important moment for your career! This will all help you manage some of that pre-test anxiety. Personally, I decided to schedule for a virtual session because the traffic here in unpredictable, and I'm more in my element at home.

If you scheduled the exam virtually, there are a few more considerations to keep in mind. Make sure you have an HD webcam (1080p), and make sure that it works. Also, make sure that either 1) you have a working microphone, or 2) that your camera has a working built-in microphone. I used this webcam and it was excellent. Plug it in and download any drivers necessary. Most importantly, you will receive an email from EC-Council giving you instructions for preparing for the remotely & virtually proctored exam. This link will allow you to perform an audio/visual test that determines whether or not you have the proper equipment and are ready for the exam. Log into that link (I believe it was called the Test Center), and triple check that you are 100% prepared. EC-Council will provide you will all the checks you need to take. I've heard of a few people who did not read the instructions properly and failed because their hardware was insufficient. EC-Council doesn't mess around with requirements! Another thing you should know, is that when you are in the online exam room, your remote proctor will ask you to move your camera around your desk area. If there is anything within reach, he or she will tell you to remove it before they give you the exam. Additionally, if your eyes stray from the screen for too long, they have full discretion to end your exam. This can be contested of course, as, during your exam, every keystroke is recorded as well as the video itself (for this reason, being a security guy, I did not use my main, personal PC out of pure paranoia). So, keep focused, don't falter until you hit that submit button, and also don't forget to ask your proctor if you can use the restroom before walking away. I know this may seem excessive, but, if you want the CEH, these are the realistic considerations you'll have to keep in mind. Some certifications are even more demanding, notably the OSCP, which is a 24-hour exam.

Finally, and especially for the reasons I mentioned about, do not ignore your own physical and mental state prior to the exam. I am a big believer in, "sound mind, sound body." Take a walk, empty your mind of negative thoughts, and focus! If you spend the prior night partying, drinking, eating junk, and staying up (or any combination of the above), you're physiologically not going to be 100% for the exam, and that's a fact. Get plenty of sleep, workout if that's your thing, take a multivitamin, relax, get some coffee or tea, use the restroom, and whatever it takes to be at your absolute best right before you hit that start button. As I said earlier, I failed to schedule my remote exam early enough, and was stuck with the midnight-3am time slot. Thankfully, I'm a night owl. It's not unusual for me to stay up that late on weekends anyway, and, after a great evening workout followed by a nice meal, I was right in my element. So don't ignore your body - a healthy body contributes to a sharp mind. Don't forget your confidence; you've studied, you're prepared, and you can do this!!

Before hitting submit, take any remaining time you have to look over each question. Use every minute to your advantage. I finished with about an hour and a half remaining, and I used roughly 30-45 minutes just pouring over each question. I found a couple that I answered wrongfully out of haste - many of the toughest questions are only tough because of their tricky wording. Read each question and understand every line, especially the longer questions, and review as many as you can before finishing the exam. Every extra minute you have is an extra minute you can spend processing those tougher questions you weren't sure about. You never know when something may come back to you.

I hope my account of the exam helps someone to pass. I couldn't be happier that I decided to pivot from analyst to penetration tester. I spend every single day honing my pen testing skillset, and I know this is something I truly love. It's amazing how many different career paths you can take in security alone - if ethical hacking is one you're passionate about, the CEH will get your foot in the door at the very least. I understand the IT certification world is a sprawling and confusing industry, especially in the eyes of beginners, so that is probably going to be my next blog topic. Regardless, whatever path you choose, I wish you the best of luck!