CEH Exam Format 2026: Question Types, Time Limits and Scoring

TL;DR
  • The CEH knowledge exam consists of 125 multiple-choice questions with a four-hour time limit.
  • Passing requires demonstrating competency across four specific domains, including attack detection and prevention.
  • EC-Council uses a cut score model, meaning the passing threshold can shift slightly between exam versions.
  • A separate CEH Practical exam exists and must be completed independently if you want the CEH Master designation.

What the CEH Exam Actually Looks Like

The Certified Ethical Hacker exam is not a general cybersecurity quiz. It is a tightly scoped, scenario-weighted knowledge assessment designed to verify that a candidate understands how attackers think, what tools they use, and how defenders detect and disrupt them. Understanding the precise format before you sit down is one of the most actionable things you can do to avoid surprises on exam day.

EC-Council administers the CEH knowledge exam through Pearson VUE testing centers worldwide as well as through remote proctoring via ProctorU. The exam code is 312-50, and the current version under active testing is CEH v13. The exam contains 125 multiple-choice questions and carries a four-hour time limit. That works out to roughly 115 seconds per question - tight enough to reward candidates who have genuinely internalized concepts, not just memorized surface-level definitions.

Format at a Glance: The CEH 312-50 exam presents 125 multiple-choice questions in four hours. Questions span four defined domains and are weighted according to EC-Council's published blueprint. Knowing the domain weights before you study is more valuable than any generic time-management tip.

Questions are delivered in randomized order, and not all proctoring modes let candidates return to flagged questions, so developing a disciplined pacing habit during practice is essential. If you want to simulate true exam conditions, the CEH practice test platform at cehv13exam.com replicates the four-hour timed environment so you can identify your weak domains before the real attempt.

Question Types You Will Face

Multiple-Choice: The Primary Format

Every question on the CEH knowledge exam is multiple-choice with four answer options. The distractor design is intentional - EC-Council engineers questions so that two of the four options are plausible to someone with partial knowledge. The correct answer typically requires understanding why a technique works, not just that it exists.

Common question structures you will encounter include:

  • Scenario-based stems: "A penetration tester observes the following network traffic… which attack is most likely occurring?" These tie directly to the Attack Detection domain.
  • Tool identification: Questions name a specific hacking tool and ask what phase of the methodology it belongs to, or vice versa.
  • Best-action questions: Given a described vulnerability or threat vector, candidates choose the most appropriate countermeasure - testing Attack Prevention knowledge.
  • Procedural sequencing: Questions that ask which step comes first or next in a defined ethical hacking methodology, drawing from the Procedures and Methodologies domain.

What the CEH Does Not Include (in the Knowledge Exam)

The knowledge exam does not include drag-and-drop, fill-in-the-blank, or interactive lab simulations. Those elements appear in the separate CEH Practical exam. On the knowledge exam, every interaction is selecting one answer from four options. This matters because candidates sometimes over-prepare for performance-based formats when they should be drilling recognition speed on multiple-choice scenarios.

Key Takeaway

Because every knowledge-exam question has four options with deliberately plausible distractors, practicing elimination strategy on realistic CEH-style questions is more productive than reading textbook definitions passively.

Time Limits and Pacing Strategy

Four hours for 125 questions is generous on paper, but it becomes a real constraint when you encounter unfamiliar tool names or lengthy scenario stems. Candidates who have not timed themselves under realistic conditions routinely run short at the end.

A practical pacing benchmark: aim to complete your first pass through all 125 questions in approximately 2 hours and 45 minutes. That leaves over an hour for review. If a question is consuming more than 90 seconds on the first pass, flag it and move on. Dwelling on a single hard question risks leaving easier questions unanswered at the end.

Exam Phase                      | Recommended Time Allocation | Purpose
--------------------------------|-----------------------------|----------------------------------------------------
First pass (all 125 questions)  | ~165 minutes                | Answer confidently, flag uncertain items
Second pass (flagged questions) | ~60 minutes                 | Revisit with fresh perspective
Final review buffer             | ~15 minutes                 | Check for misread questions or accidental selections

Remote proctoring adds a layer of consideration: your physical environment must be cleared before the clock starts, and technical interruptions can eat into your four-hour window. Arrive at your test station at least 20 minutes early when testing remotely.

Scoring Mechanics and What It Takes to Pass

EC-Council uses a cut score model for the CEH exam. Rather than publishing a fixed percentage that applies universally to every exam form, EC-Council statistically calibrates the passing threshold based on question difficulty across each version. This means the raw number of correct answers needed to pass can vary slightly between different exam sittings.

What candidates can rely on: the passing score typically falls in a range that reflects genuine competency across all four domains. Scoring extremely well on two domains while neglecting the others creates serious risk because domain-level weakness can disqualify a candidate whose overall raw score looks close to passing.

Why the Cut Score Model Matters for Preparation: You cannot safely "bank" points in one domain to compensate for weakness in another. The CEH scoring approach rewards broad competency. Candidates who systematically study all four domains consistently outperform those who over-index on a single area like attack tools while skipping detection and prevention concepts.

After completing the exam, Pearson VUE typically delivers a preliminary pass/fail result immediately at the testing center. EC-Council then validates results and issues the official score report, which breaks down performance by domain - giving you actionable feedback if you need to retake.

Domain Breakdown: What Each Section Tests

The CEH exam is organized around four official domains. Understanding what each domain actually tests - not just its name - is the single most important structural insight for an efficient study plan.

Domain 1: Information Security Threats and Attack Vectors

This domain covers the landscape of adversarial techniques: malware categories, social engineering methods, network-based attacks, web application vulnerabilities, and emerging threat categories. Candidates must understand not just what attacks exist but how threat actors select and chain attack vectors in real intrusions.

  • Types of malware and their behavioral characteristics
  • Phishing, vishing, and physical social engineering techniques
  • OWASP Top 10 web application vulnerabilities
  • Network-layer attack types including session hijacking and man-in-the-middle scenarios
  • Cloud, IoT, and mobile attack surfaces covered in CEH v13 updates

Domain 2: Attack Detection

This domain shifts perspective from the attacker to the defender. Candidates must demonstrate they can recognize the indicators of compromise, anomalous traffic patterns, and signatures associated with active or completed attacks. Questions frequently present log snippets, packet captures, or IDS/SIEM alert descriptions.

  • Intrusion Detection System (IDS) evasion techniques and how to detect them
  • Network traffic analysis and anomaly recognition
  • Log analysis scenarios and what they indicate about attacker activity
  • Honeypot deployment and threat intelligence gathering

Domain 3: Attack Prevention

Prevention questions test whether candidates can select the most effective countermeasure for a described threat. This domain bridges technical controls (firewalls, encryption, patch management) with procedural controls (security policies, access control models).

  • Firewall types, configurations, and placement strategies
  • Cryptographic protocols and appropriate use cases
  • Vulnerability management and patch prioritization
  • Hardening techniques for operating systems, applications, and network devices

Domain 4: Procedures and Methodologies

This domain covers the structured process of ethical hacking engagements: scoping, reconnaissance, scanning, exploitation, post-exploitation, and reporting. Candidates must understand which phase produces which type of output and what legal and ethical obligations govern each step.

  • Rules of engagement and scope documentation
  • Reconnaissance techniques: passive vs. active information gathering
  • Penetration testing phases and the tools associated with each
  • Report writing standards and executive vs. technical findings

For a deeper look at how to structure your preparation across all four domains, the article on CEH Training Options 2026: Self-Study vs Bootcamp vs Official Course compares the tradeoffs of different learning formats in the context of CEH v13 specifically.

The Practical Exam Component

Separate from the knowledge exam is the CEH Practical, a six-hour performance-based assessment conducted entirely in a live lab environment. Completing both the knowledge exam and the Practical earns the CEH Master designation - EC-Council's way of verifying that a candidate can execute as well as recognize.

The Practical presents real machines and networks. Candidates must perform reconnaissance, identify vulnerabilities, exploit systems, and document findings - all within the six-hour window. Tools available during the Practical mirror those covered in the CEH courseware, so candidates who have hands-on experience with the actual toolset perform significantly better than those who only studied tool names theoretically.

The Practical is optional but increasingly sought by employers, particularly in roles that involve active penetration testing or red team work. If your target role involves hands-on offensive security work, the Practical is a meaningful differentiator worth planning for alongside the knowledge exam preparation.

Registration, Eligibility, and the Approval Process

EC-Council enforces eligibility requirements that distinguish CEH from self-service certifications. Candidates can qualify through two paths:

  1. Official EC-Council Training: Completing an authorized CEH training program (through an Accredited Training Center or EC-Council directly) satisfies the eligibility requirement automatically. The training provider submits confirmation and candidates can register for the exam without a separate application.
  2. Experience-Based Application: Candidates with at least two years of work experience in information security can apply directly. This path requires submitting an eligibility application, providing verifiable employment documentation, and paying a non-refundable eligibility application fee. EC-Council reviews and approves applications before issuing an exam voucher.

The exam voucher obtained through either path is valid for a defined period. Candidates who let vouchers expire without testing forfeit the fee and must repurchase. Booking your exam date at the time you receive the voucher - rather than waiting until you feel "ready" - creates a productive deadline that most candidates find accelerates preparation.

Exam fees vary by region and delivery method. EC-Council periodically runs promotional pricing through its official channels, so checking the current fee schedule directly on the EC-Council website before committing is worthwhile. Retake policies also apply: a waiting period and additional fee are required if a candidate fails and needs to retake.

Practical Registration Note: The CEH Practical is purchased and scheduled separately from the knowledge exam. There is no bundled discount by default. Factor this into your budget and timeline if CEH Master is your goal.

Preparing by Domain: A Targeted Schedule

Rather than generic weekly templates, the structure below is built around the relative depth and interconnectedness of CEH's four specific domains. Domain 1 (threats and attack vectors) is the broadest and should anchor your first study block because its content underpins questions in every other domain.

Week 1-2

Domain 1: Threats and Attack Vectors

  • Map every malware category to its behavioral signature - exam questions test recognition, not just naming
  • Work through OWASP Top 10 with a focus on how each vulnerability is exploited in scenarios
  • Study cloud and IoT threat surfaces added in v13; these appear with increasing frequency
  • Use spaced repetition for tool names and their associated attack phase

Week 3

Domain 4: Procedures and Methodologies

  • Memorize the ethical hacking phases in sequence - questions often hinge on ordering
  • Distinguish passive from active reconnaissance with concrete tool examples
  • Study rules of engagement documents and what constitutes scope creep

Week 4

Domain 2: Attack Detection

  • Practice reading IDS alert formats and identifying what attack each represents
  • Study log analysis scenarios: Windows event logs, syslog entries, and firewall logs
  • Understand honeypot types and what threat intelligence they generate

Week 5

Domain 3: Attack Prevention + Full Practice Exams

  • Focus on matching countermeasures to specific attack vectors studied in Week 1-2
  • Complete timed full-length practice exams on cehv13exam.com to simulate real conditions
  • Review every incorrect answer by domain to identify remaining gaps

The detailed breakdown of which training format delivers each domain most effectively is covered in CEH Training Options 2026: Self-Study vs Bootcamp vs Official Course, which is worth reading alongside this format guide to complete your preparation picture. And for ongoing timed practice across all four domains, the main practice test library is updated to reflect the CEH v13 blueprint.

Frequently Asked Questions

How many questions are on the CEH exam and how long do I have?

The CEH knowledge exam (312-50) contains 125 multiple-choice questions and carries a four-hour time limit. Questions are randomized and cover all four official domains: Information Security Threats and Attack Vectors, Attack Detection, Attack Prevention, and Procedures and Methodologies.

Is there a fixed passing score percentage for the CEH?

EC-Council uses a cut score model rather than a fixed percentage. The passing threshold is calibrated based on the statistical difficulty of each exam form. This means the exact number of correct answers required can shift slightly between sittings. Broadly distributed preparation across all four domains is the safest strategy.

What is the difference between CEH and CEH Master?

CEH refers to passing the 125-question multiple-choice knowledge exam (312-50). CEH Master requires passing both the knowledge exam and the separate CEH Practical, which is a six-hour live lab performance exam. The Practical is purchased and scheduled independently and tests hands-on execution rather than recognition.

Can I take the CEH exam without attending EC-Council training?

Yes. Candidates with at least two years of verified work experience in information security can apply directly through EC-Council's eligibility application process. This requires submitting employment documentation and paying a non-refundable application fee. Approval must be granted before an exam voucher is issued.

Do CEH exam questions include labs or simulations?

The knowledge exam (312-50) is entirely multiple-choice with no interactive lab components. Performance-based tasks exist exclusively in the CEH Practical exam, which is a separate six-hour assessment. For the knowledge exam, focus your preparation on scenario-based multiple-choice practice rather than hands-on lab time.
