Certified Ethical Hacker (CEH) Certification – Overview of Domains

January 16, 2019 by Howard Poston

Introduction to the CEH Exam

The Certified Ethical Hacker Exam is designed to test and certify the readiness of an applicant to perform security assessments. It is designed, maintained and administered by the EC-Council and is designed to be taken by applicants early in their career in information security. Specifically, taking the exam requires either two years of experience in the field or completion of a training program provided by the EC-Council.

The CEH exam can be attempted after completion of the training course or verification of experience by a manager or supervisor. The exam consists of 125 questions broken into seven different domains:

  • Domain 1: Background (21.79%)
  • Domain 2: Analysis/Assessment (12.73%)
  • Domain 3: Security (23.73%)
  • Domain 4: Tools/Systems/Programs (28.91%)
  • Domain 5: Procedures/Methodology (8.77%)
  • Domain 6: Regulation/Policy (1.90%)
  • Domain 7: Ethics (2.17%)

The determination of whether or not an applicant passes the exam is not based on a set threshold. Instead, the passing score for a particular instance of the exam is determined based on the difficulty of the exam, so a lower score on a more difficult version may be considered passing while a higher score on an easier one may not. The cutoff score for an exam typically lies within the range of 55-85%. Passing the exam certifies the applicant for three years, during which they must earn CPE credits to be re-accredited for the next three-year period.

The 7 CEH Domains

The material covered by the CEH exam is divided into seven different domains. Each domain is tested by a minimum of two and a maximum of thirty-six questions on a specific version of the exam. We will briefly discuss the material covered in each section of the exam.

Domain 1: Background

The first domain of the CEH exam is designed to test an applicant’s general knowledge in the field of information security. 27 questions are devoted to this section of the exam, and the domain is broken up into three subdomains:

  • Network and Communication Technologies (10 questions)
  • Information Security Threats and Attack Vectors (9 questions)
  • Information Security Technologies (8 questions)

While the current version of the CEH exam blueprint does not provide any more information about the topics covered in this (and other domains), the previous version provides a more comprehensive breakdown. This domain covers the following topics:

  • Networking technologies (hardware, infrastructure and so on)
  • Web technologies (Web 2.0, Skype and so on)
  • Systems technologies
  • Communication protocols
  • Malware operations
  • Mobile technologies (smartphones)
  • Telecommunication technologies
  • Backups and archiving (local, network and so on)

This domain is designed primarily as a catch-all for the topics that an ethical hacker should know but which are not covered in more detail later in the exam. Most of the material should be covered in a standard networking course or as part of work experience in general information technology (as opposed to cybersecurity in particular).

Domain 2: Analysis/Assessment

The second domain of the CEH exam focuses on the mechanics of the types of analysis and assessments that an ethical hacker can be expected to perform. It includes 16 questions and is broken into two equally-sized subdomains:

  • Information Security Assessment and Analysis (8 questions)
  • Information Security Assessment Process (8 questions)

As the subdomain names suggest, this section of the exam is designed to cover the procedural aspects of an assessment. This includes both general skill sets not specific to ethical hacking and understanding of the process of an assessment. The four specific topics provided by the EC-Council (in the previous CEH blueprint) are the following:

  • Data analysis
  • Systems analysis
  • Risk assessments
  • Technical assessment methods

This section of the exam is focused on understanding assessments at a high level, focusing on mechanics and processes. The actual tools and techniques are covered in later domains.

Domain 3: Security

Security is one of the three largest domains on the exam, with 30 questions devoted to it. The goal of this domain is to test all aspects of managing security incidents, including prevention, detection and proactive defenses. The three subdomains for this section are:

  • Information Security Controls (15 questions)
  • Information Security Attack Detection (9 questions)
  • Information Security Attack Prevention (6 questions)

This section of the exam tests a lot of material and covers a wide variety of topics. The goal of this domain is to test knowledge of every security tool which can be used to prevent or detect attacks, standard security controls and how to set up and operate all of these. The topics that the EC-Council explicitly mention in their previous exam blueprint are the following:

  • Systems security controls
  • Application/file server
  • Firewalls
  • Cryptography
  • Network security
  • Physical security
  • Threat modeling
  • Verification procedures (false positive/negative validation)
  • Social engineering (human factor manipulation)
  • Vulnerability scanners
  • Security policy implications
  • Privacy/confidentiality (with regard to engagement)
  • Biometrics
  • Wireless access technology (networking, RFID, Bluetooth and so on)
  • Trusted networks
  • Vulnerabilities

This section of the exam covers a lot of ground and most of the topics will be covered only by a question or two on the exam. Many of these topics (such as social engineering and verification procedures) are covered only at a high level and understanding the basic concepts of them is sufficient, but others (like application/file servers) requires more in-depth knowledge for the exam.

Domain 4: Tools/Systems/Programs

The CEH exam is intended to test an applicant’s ability to operate as an ethical hacker professionally, so testing only memorization and book knowledge is insufficient. Domain 4 is the largest one on the exam with 36 questions, and is focused on knowledge of the common systems, programs and tools that an ethical hacker will likely encounter in their work. This section is broken up into three subdomains:

  • Information Security Systems (7 questions)
  • Information Security Programs (5 questions)
  • Information Security Tools (24 questions)

This section of the exam contains a mix of theoretical and hands-on material. The EC-Council is attempting to test an applicant’s knowledge of the tools used for a variety of purposes, including the following topics:

  • Network/host-based intrusion
  • Network/wireless sniffers (Wireshark, AirSnort and so on)
  • Access control mechanisms (smartcards and similar)
  • Cryptography techniques (IPsec, SSL, PGP)
  • Programming languages (C++, Java, C#, C)
  • Scripting languages (PHP, JavaScript)
  • Boundary protection appliances
  • Network topologies
  • Subnetting
  • Port scanning (Nmap)
  • Domain Name System (DNS)
  • Routers/modems/switches
  • Vulnerability scanners (Nessus, Retina and so on)
  • Vulnerability management and protection systems (such as Foundstone and Ecora)
  • Operating environments (Windows, Linux, Mac)
  • Antivirus systems and programs
  • Log analysis tools
  • Security models
  • Exploitation tools
  • Database structures

As the question breakdown between the subdomains suggests, this domain is heavily focused on knowledge of the specific tools used in ethical hacking. These questions range from identifying the best tool for a specific job to reading output or formatting input for a given tool. In order to pass this section of the exam, an applicant needs hands-on experience with the most common information security tools.

Domain 5: Procedures/Methodology

This domain tests knowledge of common information security procedures and methodologies with 11 questions. It is broken into two subdomains:

  • Information Security Procedures (5 questions)
  • Information Security Assessment Methodologies (6 questions)

In order to circumvent defenses and attack protocols, an ethical hacker first needs to understand how they work. This domain of the exam tests knowledge of the underlying design and architecture of a variety of systems, including the following:

  • Cryptography
  • Public Key Infrastructure (PKI)
  • Security Architecture (SA)
  • Service-Oriented Architecture (SOA)
  • Information security incident
  • N-tier application design
  • TCP/IP networking (network routing)
  • Security testing methodology

The material covered in this domain is largely taken from information technology and software development. An applicant with this background should have little trouble with this section of the exam, and understanding these topics provides a good foundation for understanding ethical hacking.

Domain 6: Regulation/Policy

This domain is the smallest one tested in the CEH exam, with only two questions. As an ethical hacker, the applicant needs to know how to behave in accordance with information security policies, laws and acts while operating under their jurisdiction. This section of the exam tests the applicant’s knowledge of some of the major information security regulations and the evaluation of organizational security policies (such as benefits and shortcomings).

Domain 7: Ethics

The final domain of the Certified Ethical Hacker exam tests whether the applicant knows how to use their skills in the right way. In this section of the exam, the applicant will see three questions regarding ethics and testing their knowledge of how to behave appropriately in situations that they may face as an ethical hacker. This section tests the applicant’s knowledge of the Code of Conduct that they signed before attempting the exam and whether or not hacking is appropriate in given situations.

Preparing for the CEH Exam

Theoretically, the CEH exam covers material that should be known by any practitioner with the required amount of experience (two years in the field). In reality, the difference between academia and the real world means that most practitioners will need to study in order to pass the exam.

Multiple options exist for preparing for the CEH exam. The EC-Council offers a preparatory course and makes their material (in the form of printed PowerPoint slides) available for self-study. Other boot camp-style courses are available as well, with the benefit of both preparing students for the exam and for real-world careers as ethical hackers. Finally, test preparation books are designed to cover the material, focusing on the necessary vocabulary and pointing applicants to the tools and software that they need to know to pass the exam.

In practice, some combination of these training methods is the best bet of passing the exam. The available test preparation books do an excellent job of covering material that must be memorized but can’t replace hands-on experience. Boot camps are invaluable for experience, but a single exposure to the material is unlikely to be enough for memorizing vocabulary. In order to pass the exam, an applicant needs to be willing to put in the time to gain both the necessary book knowledge and hands-on experience.


The Certified Ethical Hacker exam is a great way for someone relatively new to the field of information security to demonstrate knowledge and experience to current or potential clients or employers. The CEH exam covers a wide variety of material in 125 questions. The seven domains are each focused on a specific aspect of operating as an ethical hacker, and together they cover most of the knowledge and skill sets expected of an ethical hacker.

Posted: January 16, 2019
Articles Author
Howard Poston
View Profile

Howard Poston is a cybersecurity researcher with a background in cryptography and malware analysis. He has a Master’s degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity R&D at Sandia National Labs. He currently provides consulting and technical content writing for cybersecurity, cryptocurrency, and blockchain.

Notice: Undefined index: visitor_id12882 in /www/resourcesinfosecinstitute_601/public/wp-content/plugins/infosec-user-info/infosec-user-info.php on line 117