- What the CEH Credential Covers in 2026
- The Four Exam Domains Explained
- Scheduling, Locations, and Registration Mechanics
- Question Format and What to Expect on Exam Day
- Who Hires CEH-Certified Professionals
- Mapping Your Study to Each Domain
- A Domain-Anchored Preparation Timeline
- Frequently Asked Questions
- CEH v13 tests four specific domains: threats and attack vectors, attack detection, attack prevention, and procedures and methodologies.
- The exam is delivered through EC-Council's Pearson VUE network, giving candidates access to hundreds of physical test centers globally.
- Registration requires either proof of two years of information security experience or completion of an EC-Council official training program.
- Practice tests that mirror the real question format are among the most effective CEH-specific preparation tools available.
What the CEH Credential Covers in 2026
The Certified Ethical Hacker (CEH) credential issued by EC-Council remains one of the most recognized vendor-neutral cybersecurity certifications in the industry. As the threat landscape has continued to evolve, so has the exam - version 13 reflects contemporary attack methods, detection capabilities, and the procedural frameworks that professional penetration testers and security analysts are expected to apply daily.
Understanding what the CEH actually tests - not just what it is called - is the starting point for any serious candidate in 2026. The credential validates that a professional can think like an attacker: mapping attack surfaces, identifying threat vectors, detecting intrusions in progress, implementing countermeasures, and following recognized ethical hacking methodologies. These are not abstract concepts; they correspond to the four official exam domains that every question on the test is drawn from.
If you are deciding between the CEH and other hands-on credentials before locking in a registration date, the detailed breakdown in CEH Vs OSCP: Which Certification Should You Pursue is worth reading first - particularly if your target role leans toward red-team operations rather than security management or compliance-adjacent positions.
The Four Exam Domains Explained
Every question on the CEH maps to one of four officially defined domains. Knowing what each domain actually tests - and which topics sit within each one - is the difference between surface-level preparation and genuinely being ready for exam day.
Domain 1: Information Security Threats and Attack Vectors
This domain covers the full taxonomy of threats a modern ethical hacker must recognize before they can test against them. Candidates are expected to understand threat actor categories, malware classifications, social engineering tactics, and the specific vectors used to compromise systems, networks, and applications.
- Malware types: viruses, worms, ransomware, spyware, rootkits, and trojans
- Social engineering attack forms including phishing, vishing, baiting, and pretexting
- Network-layer attack vectors: man-in-the-middle, session hijacking, DNS poisoning
- Web application vulnerabilities mapped to OWASP categories
- IoT and cloud-specific attack surfaces introduced in v13
Domain 2: Attack Detection
Detection is a discipline in its own right. This domain tests whether candidates can identify the signatures, indicators of compromise (IoCs), and behavioral anomalies that signal an active or completed attack. Ethical hackers working in blue-team-adjacent roles or delivering assessment reports must be fluent in this area.
- Intrusion detection system (IDS) and intrusion prevention system (IPS) fundamentals
- Log analysis and SIEM correlation rules
- Network traffic analysis and packet inspection techniques
- Identifying covert channels and steganography-based exfiltration
- Honeypot deployment and deception-based detection strategies
Domain 3: Attack Prevention
Knowing how to prevent what you can detect and understand. This domain covers the controls, hardening procedures, and architectural decisions that reduce attack surface and limit damage when breaches occur.
- Firewall configuration and network segmentation strategies
- Encryption standards and PKI implementation
- Patch management and vulnerability remediation workflows
- Endpoint detection and response (EDR) tool capabilities
- Zero-trust architecture principles and access control models
Domain 4: Procedures and Methodologies
The CEH is not a purely technical credential - it explicitly tests the structured, authorized process under which ethical hacking engagements are planned and executed. This domain ensures candidates understand the legal, contractual, and procedural framework governing their work.
- Phases of ethical hacking: reconnaissance, scanning, enumeration, exploitation, post-exploitation, reporting
- Rules of engagement, scope documentation, and statement of work requirements
- Penetration testing methodologies: PTES, OWASP Testing Guide, NIST SP 800-115
- Legal considerations: computer crime laws, authorization requirements, evidence handling
- Report writing and vulnerability disclosure practices
Scheduling, Locations, and Registration Mechanics
Registration Prerequisites
EC-Council enforces eligibility requirements before a candidate can register. You must demonstrate either a minimum of two years of work experience in information security, or you must have completed an official EC-Council training course (such as the iLearn, iWeek, or instructor-led training options). This prerequisite is verified during the application process - candidates who self-study without an official course will need to submit their work experience for approval before a voucher is issued.
The application is submitted through the EC-Council member portal. Once approved, you receive an exam voucher that you then use to schedule directly through the Pearson VUE testing platform.
Pearson VUE Delivery and Test Center Locations
CEH is delivered exclusively through Pearson VUE - either at a physical authorized test center or via Pearson VUE's online proctored (OnVUE) platform. For candidates in 2026, both options remain available, giving flexibility to those who prefer a controlled home testing environment over traveling to a center.
Physical test centers are located in major metropolitan areas across North America, Europe, Asia-Pacific, the Middle East, and Africa. The Pearson VUE site allows you to search by postal code or city to find the nearest authorized center. Slots at popular urban centers - particularly in cities like New York, London, Singapore, Dubai, and Sydney - can book out weeks in advance during peak testing periods (typically January through March and August through October as many candidates align testing with fiscal year hiring cycles).
For the definitive breakdown of all 2026 available windows, center listings, and date-specific registration guidance, see CEH Exam Schedule 2026: Dates, Locations and Registration.
Exam Fees and Retake Policy
The exam fee varies by region due to currency adjustments applied by EC-Council and Pearson VUE. The base fee covers one attempt. If a candidate does not pass, a retake voucher must be purchased; EC-Council's policy requires a waiting period between attempts and limits the number of retakes within a twelve-month window. Candidates should factor this into their timeline and ensure preparation is thorough before booking - rushing to an early date without adequate domain coverage is a common and costly mistake.
Question Format and What to Expect on Exam Day
The CEH v13 exam consists of multiple-choice questions presented in a fixed-time, computer-based format. Questions are scenario-based: rather than asking for a bare definition, the exam presents a situation - a network diagram, a log excerpt, a social engineering scenario - and asks the candidate to identify the correct course of action, the correct tool, the attack type present, or the appropriate countermeasure.
This scenario-driven structure is why passive reading of study materials is insufficient. The exam rewards candidates who can apply concepts, not simply recall terminology. A question about Domain 1, for example, might describe the behavior of an executable on an endpoint and ask which malware classification best describes it - testing both definitional knowledge and practical recognition skills simultaneously.
| Exam Attribute | Detail |
|---|---|
| Question Type | Scenario-based multiple choice |
| Delivery Platform | Pearson VUE (test center or OnVUE) |
| Domain Coverage | All four domains tested; proportional weighting applies |
| Passing Score | Cut score varies by exam form (adaptive scoring) |
| Credential Validity | Three years; renewable via EC-Council CPE credits |
| Retake Wait Period | Mandatory waiting period between attempts |
Practicing with realistic, exam-format questions before your sitting is one of the highest-leverage activities you can invest in. The CEH Exam Prep practice test platform is built around the actual four-domain structure of v13, so every question you answer in practice maps directly to a domain you will be tested on.
Who Hires CEH-Certified Professionals
The CEH occupies a particular niche in the cybersecurity hiring market: it is recognized by government and defense contractors, financial services firms, healthcare organizations, and large enterprise security teams as a benchmark for foundational ethical hacking competency. Unlike purely hands-on credentials that carry more weight in specialized offensive security roles, the CEH's breadth - covering detection, prevention, methodology, and threat knowledge - makes it relevant for a wider range of security positions.
Roles that commonly list CEH as a preferred or required qualification include:
- Penetration tester / ethical hacker - using Domain 4 methodology knowledge and Domain 1 threat knowledge daily
- Security analyst (SOC Tier 2/3) - applying Domain 2 detection skills to triage and investigate alerts
- Vulnerability assessment engineer - combining Domain 1 and Domain 3 to identify and remediate weaknesses
- Security consultant - leveraging all four domains to assess client environments and deliver structured reports
- Information security officer (in government or DoD contexts) - the CEH satisfies baseline 8570/8140 requirements under U.S. Department of Defense directives
The DoD 8570/8140 alignment is particularly significant for candidates pursuing roles with U.S. federal agencies or contractors. The CEH maps to the IAT Level II and CND-SP categories within that framework, making it a direct pathway into government-adjacent cybersecurity work that other vendor-neutral certifications do not always cover.
Key Takeaway
If your career target includes U.S. federal or defense contractor roles, the CEH's alignment with DoD 8570/8140 requirements makes it one of the most direct credential choices available. No other similarly structured certification covers the same breadth of domains while meeting those baseline requirements.
Mapping Your Study to Each Domain
Because the CEH tests across four distinct and substantively different domains, a flat, undifferentiated study approach - simply reading a single reference book cover to cover - tends to underserve the domains a candidate finds hardest. Instead, candidates benefit from treating each domain as its own mini-curriculum with specific resources, tools, and practice questions aligned to that domain's content type.
Domain 1 Study Approach
Domain 1 (threats and attack vectors) rewards breadth of exposure. Candidates should work through malware analysis labs, review MITRE ATT&CK framework tactics and techniques, and practice classifying attack scenarios. Hands-on labs using isolated virtual environments to observe malware behavior reinforce recognition skills far better than reading alone.
Domain 2 Study Approach
Domain 2 (attack detection) requires familiarity with real tools: Snort rules, Wireshark packet captures, and SIEM alert scenarios. Reviewing sample log files and walking through IDS alert triage is the most effective way to prepare. EC-Council's official courseware includes lab exercises specifically designed for this domain.
Domain 3 Study Approach
Domain 3 (attack prevention) is the most policy and architecture-heavy domain. Candidates should build familiarity with common hardening benchmarks (CIS Controls, NIST frameworks), study firewall rule configuration logic, and understand cryptographic concepts at a practical level - not just the theory of how AES works, but when and why to apply it in a given scenario.
Domain 4 Study Approach
Domain 4 (procedures and methodologies) is frequently underestimated. Candidates who focus entirely on technical tools often struggle with methodology-based questions. Reviewing the six phases of ethical hacking in sequence, understanding scope documentation requirements, and practicing report-writing scenarios all strengthen performance in this domain.
Pairing domain-specific reading with targeted practice questions on the CEH Exam Prep platform lets you identify which domains you're weakest in before exam day, rather than discovering gaps after submitting your answer sheet.
A Domain-Anchored Preparation Timeline
Generic study schedules rarely account for the uneven difficulty distribution of the CEH's four domains. The timeline below anchors each week to specific domain work, with the most conceptually dense domains placed earlier when retention capacity is highest and the methodology domain placed later as a synthesis layer.
Domain 1: Threats and Attack Vectors
- Build malware classification reference sheet (types, behaviors, indicators)
- Work through MITRE ATT&CK tactics: initial access, execution, persistence, privilege escalation
- Complete at least one social engineering scenario analysis per day
- Practice Domain 1 question sets; target consistent pattern recognition
Domain 2: Attack Detection
- Review Snort rule syntax and alert interpretation
- Analyze at least three Wireshark capture files for known attack signatures
- Study honeypot deployment scenarios and deception-based detection logic
- Practice Domain 2 question sets with log and traffic analysis questions
Domain 3: Attack Prevention
- Review CIS Controls v8 and NIST Cybersecurity Framework core functions
- Study firewall rule architecture and network segmentation design
- Work through cryptography scenarios: when to apply symmetric vs. asymmetric encryption
- Practice Domain 3 question sets with architecture and hardening scenarios
Domain 4: Procedures and Methodologies
- Memorize and sequence the six ethical hacking phases with associated tools per phase
- Review PTES and OWASP Testing Guide structure
- Study rules of engagement templates and scope limitation examples
- Practice Domain 4 question sets focused on scenario-based methodology application
Full-Length Practice and Gap Closure
- Sit two full-length timed practice exams under exam conditions
- Score each domain separately to identify remaining weak areas
- Return to the weakest domain for focused re-study
- Review exam logistics: test center location, required ID, check-in process
For candidates who are also weighing whether the CEH fits their long-term career trajectory versus a more hands-on credential, revisiting CEH Vs OSCP: Which Certification Should You Pursue after completing your domain review can clarify whether the CEH is the right next step or whether a different path serves your goals better.
Frequently Asked Questions
Yes. EC-Council offers the CEH through Pearson VUE's OnVUE online proctoring platform in addition to physical test centers. The online option requires a compatible computer, a stable internet connection, and a private, distraction-free environment. You will be monitored via webcam throughout the exam. Check Pearson VUE's current system requirements before booking to ensure your setup qualifies.
EC-Council requires either a minimum of two years of verifiable information security work experience or completion of an official EC-Council training program. Candidates who self-study must submit their work history for approval through the EC-Council application portal before receiving an exam voucher. There is an application fee for the eligibility verification process.
The CEH credential is valid for three years from the date of passing. To renew without retaking the exam, holders must accumulate EC-Council Continuing Professional Education (CPE) credits during that period and pay the annual member fee. CPE activities include attending security conferences, completing additional training, publishing research, or contributing to the cybersecurity community in approved ways.
Based on the structure of the exam, Domain 4 (Procedures and Methodologies) is frequently the area where technically strong candidates lose points, because it requires knowledge of engagement frameworks, legal considerations, and structured phases rather than purely technical tool knowledge. Domain 2 (Attack Detection) can also be challenging for candidates who have not worked in a SOC or reviewed traffic analysis tools before preparing.
Practice tests are most effective when used diagnostically - not just for score tracking, but to identify which specific domains and question types expose knowledge gaps. After each practice session, review every question you answered incorrectly and trace it back to its domain. This lets you redirect study time toward weak areas before your actual exam date. The CEH Exam Prep practice platform organizes questions by domain, making this diagnostic process straightforward.