PenTest+ vs. CEH: Which certification is better? [2022 update]
When looking for a certification in the penetration testing realm, you’ll see that CompTIA’s PenTest+ and EC-Council’s CEH (Certified Ethical Hacker) certifications are somewhat similar to each other in terms of content as they both assess pentesting skills. They are also challenging and geared towards intermediate-level professionals with experience in a dedicated cybersecurity role.
If you are preparing for a job in penetration testing, vulnerability assessment and management, you may be wondering whether one or both of these certifications will be worth pursuing.
The CompTIA PenTest+ objectives (domains) and CEH exam blueprint provide details on what the exam covers. “Objectives” and “blueprint” can be used interchangeably for exam content. Below are the details of the PenTest+ and CEH exams, along with the weight of each domain.
CompTIA PenTest+ (PT0-002) objectives
|Domain||Objectives|
|1. Planning and Scoping||Governance, risk and compliance concepts; Scoping and organizational/customer requirements; Professionalism and integrity|
|2. Information Gathering and Vulnerability Scanning||Perform passive reconnaissance; Perform active reconnaissance; Analyze the results of a reconnaissance; Perform vulnerability scanning|
|3. Attacks and Exploits||Research attack vectors and perform; Common attacks and vulnerabilities against specialized systems; Social engineering or physical attack|
|4. Reporting and Communication||Important components of written reports; Analyze the findings and recommend the appropriate remediation; Importance of communication during penetration testing; Post-report delivery activities|
|5. Tools and Code Analysis||Scripting and software development; Analyze a script or code sample for use in a penetration test; Use of specific tools during penetration testing|
CEH exam blueprint v4.0
|Domains||Sub Domain & Description||%Weight||Number of Questions|
|1. Information Security and Ethical Hacking Overview||Introduction to Ethical Hacking|
|2. Reconnaissance Techniques||Footprinting and Reconnaissance|
|3. System Hacking Phases and Attack Techniques||Vulnerability Analysis|
|4. Network and Perimeter Hacking||Sniffing; Evading IDS, Firewalls and Honeypots|
|5. Web Application Hacking||Hacking Web Servers; Hacking Web Application|
|6. Wireless Network Hacking||Hacking Wireless Networks|
|7. Mobile Platform, IoT and OT Hacking||Hacking Mobile Platforms; IoT and OT Hacking|
|8. Cloud Computing||Cloud Computing|
What are the similarities between PenTest+ and CEH?
As previously mentioned, the content of PenTest+ and CEH is somewhat similar. Both are valid for three years from the date of the exam. However, PenTest+ requires 60 CEUs (Continuing Education Units) to renew, while CEH requires 120 credits for this purpose.
The content of both exams is designed by highly skilled subject matter experts (SMEs), who are specialists in penetration testing and ethical hacking. In addition, the PenTest+ exam is partly based on industry-wide survey results.
Both certifications are included in DoD Directive 8570 and are important assets for professionals who want to progress in the field of pentesting or ethical hacking in the government’s information assurance workforce. In addition, each credential is ANSI/IEC/ISO 17024 accredited and is mapped to NICE’s Specialty Areas.
PenTest+ and CEH certifications are vendor-neutral, globally recognized and available in various countries.
How do PenTest+ and CEH differ?
Despite their similarities, the certifications differ from each other in several respects. CEH is an entry-level cert, while PenTest+ is at an intermediate level. Typical job roles can also differ, as shown below.
|PenTest+ Job Roles||CEH Job Roles|
|Penetration tester||Jr Penetration tester|
|Security analyst (II)||Ethical hacker|
|Network security operations||Site administrator|
|Vulnerability assessment analyst||Vulnerability assessment analyst|
|Application security vulnerability||Network security engineer|
|Cloud security specialist||Information security manager|
|Network & security specialist||Security consultant|
The difference in eligibility requirements
CompTIA recommends candidates of the PenTest+ exam have CompTIA Security+, Network+ or equivalent knowledge, in addition to a minimum of three to four years of hands-on experience in the information security or related domain. The PenTest+ exam is intended to follow CompTIA Security+, adding a technical, hands-on focus.
EC-Council’s CEH differs in that it requires a candidate to attend official network security training organized by the EC-Council’s Authorized Training Center (ATC) or meet other requirements. Below is a list of some accepted training solutions:
- Web-based training (WBT)
- Computer-based training (CBT)
- Instructor-led training (ILT)
- Academic learning
If a candidate doesn’t receive official training, they must meet the following requirements:
- Have two (2) years of work experience in the information security field
- Pay a non-refundable application fee of $100
- Submit a completed exam eligibility application
The difference in exam details
To earn CompTIA PenTest+, candidates need to pass an exam available at Pearson VUE testing centers and online that covers hands-on, performance-based simulations as well as multiple-choice questions.
To earn EC-Council’s CEH certification, candidates must pass an exam available at Pearson VUE (in-person or remotely proctored) or EC-Council (ECC) test centers. The test only includes multiple-choice questions.
| ||PenTest+||CEH|
|Number of questions||Maximum of 85||Total of 125|
|Test format||Multiple choice and performance-based||Multiple-choice|
|Test duration||165 minutes||240 minutes|
|Passing score||750 (On a scale of 100-900)||60% to 85% (depending on which exam question bank is used)|
Benefits of CompTIA PenTest+
According to CompTIA, a PenTest+ certification provides professionals with three times more employability. As per the NICE Cybersecurity Workforce Framework, CompTIA PenTest+ covers two more job roles — namely, vulnerability management and vulnerability assessment — in addition to penetration testing. It also reports that, according to Indeed.com, there are approximately three times more vulnerability management and assessment jobs in the U.S. than penetration testing jobs.
Unlike several other pentesting certifications, PenTest+ provides a more comprehensive overview of what a penetration tester should know, from project planning and scoping to project reporting and communication.
CompTIA PenTest+ encourages cybersecurity pros to think offensively with an investigative mindset that can help them assess a modern network’s resiliency against cyberattacks, identify vulnerabilities and mitigate risks before something bad happens. Thinking like a penetration tester can help organizations discover weaknesses in security systems.
CompTIA PenTest+ certification validates technical skills and soft ones related to business processes, best practices and professionalism in penetration testing. These skills match the demand and needs of employers and, in the end, provide IT security practitioners with opportunities to earn a good salary and have several job prospects.
In the words of EC-Council: “To beat a hacker, you need to think like one!” This is what the CEH exam and certification is all about: preparing professionals to apply the same knowledge and tools as malicious hackers, but lawfully and legitimately.
According to EC-Council, the CEH program concentrates on ethical hacking, defined as a comprehensive term to encompass a series of functions, including penetration testing.
The CEH certification enables ethical hackers to implement a proactive security approach offensively. This is in addition to the reactive security approach, which is more defensive. Ethical hackers use advanced tools and techniques to perform penetration testing on their computers using a proactive security defense. They act like real hackers, albeit ethical ones, to look for weaknesses and vulnerabilities in targeted systems; in this way, they help their clients keep their networks and data safe against ever-evolving threats.
For IT professionals who have the right mindset, the credential can provide a career path that is interesting, stimulating and financially rewarding. The average salary earned by a CEH was $83,591 per annum in 2021.
PenTest+ versus CEH: Which certification is right for me?
CompTIA PenTest+ certification suits highly skilled security professionals who perform penetration testing and vulnerability assessments on the targeted systems. This exam also incorporates management skills for planning, scope, management and exploitation of weaknesses. PenTest+-certified professionals can perform penetration testing in various IT environments such as mobile, cloud, desktops, and servers. They identify possible entry points for breaches, weaknesses in systems and organizational structures, and deficiencies in policies and training while protecting the organizational security infrastructure from malicious hackers.
If you already have three or four years of experience in information security and are looking for a career in the penetration testing realm, pursuing this credential may be right for you.
EC-Council’s CEH certification suits highly skilled security professionals who are well-versed in understanding and knowing the weaknesses and vulnerabilities in targeted systems. In roles as “white-hat hackers,” professionals keep corporate networks and data safe against the ever-evolving threats of the Internet by using the same tools and techniques as attackers, but in a lawful manner.
If you already have at least two years of work experience in the information security domain, then pursuing this credential may be right for you.
The bottom line
In this article, we looked closely at the PenTest+ and CEH certifications. Both credentials primarily focus on penetration skills. However, PenTest+ covers other areas of vulnerability management and assessment. At the same time, CEH concentrates more on a proactive approach which allows ethical hackers to perform a pentest using the same tools and techniques that the hackers do. PenTest+ requires three to four years of experience in information security, while CEH needs two years of experience in the same field.
Do you have two to three years of penetration testing or information security experience? If yes, then why not apply for both PenTest+ and CEH, given the same practice areas and somewhat similar exam content? Both certifications prepare you for different aspects of the ethical hacking world. They can complement each other in a way that can provide you a competitive edge over other candidates and give you peace of mind on interview day and on the job.