When looking for a certification in the penetration testing realm, you’ll see that CompTIA’s PenTest+ and EC-Council’s CEH (Certified Ethical Hacker) certifications are somewhat similar to each other in terms of content. If you are preparing for a job in the field of penetration testing, you may need to decide whether one or both of these certifications will be worthwhile for your cybersecurity career.
At the conclusion of this article, you will be able to understand the similarities, differences and benefits of both PenTest+ and CEH certifications, as well as knowing which certification is right you.
CompTIA PenTest+ objectives (domains) and CEH exam blueprint
CompTIA PenTest+ (PTO-001) objectives
“Objectives” and “blueprint” can be used interchangeably for exam content. Below are the details of PenTest+ and CEH exam content, along with the weight of each domain.
|1. Planning and Scoping||15%|
|2. Information Gathering and Vulnerability Identification||22%|
|3. Attacks and Exploits||30%|
|4. Penetration Testing Tools||17%|
|5. Reporting and Communication||16%|
CEH exam blueprint v3.0
|Domains||Objectives||%Weight||Number of Questions|
|1. Background||Network and Communication Technologies/Information Security Threats and Attack Vector/Information Security Technologies||21.79%||27|
|2. Analysis/Assessment||Information Security Assessment and Analysis/Information Security Assessment Process||12.73%||16|
|3. Security||Information Security Controls/Information Security Attack Detection/Information Security Attack Prevention||23.73%||30|
|4. Tools, Systems, Programs||Information Security Systems/Information Security Programs/Information Security Tools||28.91%||36|
|5. Procedures/Methodology||Information Security Procedures/Information Security Assessment Methodologies||8.77%||11|
|6. Regulation/Policy||Information Security Policies/Laws/Acts||1.90%||2|
|7. Ethics||Ethics of Information Security||2.17%||3|
What are the similarities between PenTest+ and CEH?
As previously mentioned, the content of both PenTest+ and CEH are somewhat similar. In addition, both certifications are alike in their recertification process. Both are valid for three years from the date of the exam. However, PenTest+ requires 60 CEUs (Continuing Education Units) to renew, while CEH requires 120 credits for this purpose.
The contents of both exams are designed by highly skilled Subject Matter Experts (SMEs), who are experts in penetration testing and ethical hacking. In addition, the PenTest+ exam is partly based on industry-wide survey results.
Both certifications are ANSI-accredited. ANSI/IEC/ISO 17024 is a well-known accreditation body that requires trustworthy certification providers to have their own recertification program. CEH certification has also received the endorsement from several government agencies including the U.S. Federal Government through Montgomery GI Bill, Committee on National Security Systems (CNSS) and National Security Agency (NSA).
Both PenTest+ and CEH certifications are globally recognized and therefore available in various countries. In addition, both certifications are vendor-neutral.
How do PenTest+ and CEH differ?
Despite some similarities, both certifications differ from each other in various perspectives. CEH is an entry-level cert, while Pentest+ is at an intermediate level. Other differences are shown below.
The difference in job roles
|PenTest+ Job Roles||CEH Job Roles|
|Penetration tester||Penetration tester|
|Security analyst (II)||Ethical hacker|
|Network security operations||Site administrator|
|Vulnerability assessment analyst||Security consultant|
|Application security vulnerability||Network security specialist|
The difference of eligibility requirements
CompTIA PenTest+ exam requires candidate having a CompTIA Security+, Network+ or equivalent knowledge. In addition, they also require a minimum of three to four years of hands-on experience in the information security domain.
Conversely, EC-Council’s CEH requires that a candidate should attend official training organized by the EC-Council’s Authorized Training Center (ATC). Below is a list of some accepted training solutions:
- Web-based training (WBT)
- Computer-based training (CBT)
- Instructor-led training (ILT)
- Academic learning
In this case, a candidate doesn’t receive official training; rather, he or she must meet the following requirements:
- Having two (2) years of work experience in the information security field
- Paying a non-refundable application fee of USD $100
- Submitting a completed exam eligibility application
The difference in exam details
|Number of Questions||Maximum of 80||Total of 125|
|Test Format||Multiple choice and performance-based||Multiple choice|
|Test Duration||165 minutes||4 hours|
|Passing Score||750 (On a scale of 100-900)||60% to 85%|
Benefits of CompTIA PenTest+
As per the NICE Cybersecurity Workforce Framework utilized by the U.S. military, CompTIA PenTest+ covers two more job roles — namely, vulnerability management and vulnerability assessment — in addition to penetration testing. According to Indeed.com, there are approximately three times more vulnerability management and assessment jobs in the U.S. than penetration testing jobs.
Unlike several other pentesting certifications, PenTest+ comprehensively covers everything a penetration tester should know, from project planning and scoping to project reporting and communication.
PenTest+ analysis provides vital cybersecurity strategy. In addition to secure practices, the concept of attack strategy must be understood by IT pros. CompTIA PenTest+ encourages cybersecurity pros to think offensively, while CompTIA Cybersecurity Analyst (CySA+) tests defensive skills. The top-notch security experts use both security approaches to defend against vulnerabilities. Thinking like a hacker and a penetration tester can help organizations to discover porous holes in security systems.
In the words of EC-Council: “To beat a hacker, you need to think like one!”
The CEH certification makes ethical hackers capable of implementing a proactive security approach in offensive manners. This is in addition to the reactive security approach, which is more defensive in nature. Using a proactive security defense, ethical hackers use advanced tools and techniques to perform penetration testing on their own computer(s). They act like real hackers, albeit ethical ones, to look for weaknesses and vulnerabilities in targeted systems.
In just five days of CEH training, you will learn 20 modules, 140 hands-on labs, 340 attack techniques and approximately 2,285 tools, according to EC-Council.
In addition, a specific number of questions are taken from each domain of CEH. For example, 27 questions are taken from the first domain.
EC-Council offers various authorized testing centers across the world. The candidates can also take the CEH exam virtually while being proctored via ProctorU.
The CEH is mapped with the NICE 2.0 framework’s Protect and Defend specialty area to directly mirror various different job roles. The NICE framework consists of the most-detailed combination of cybersecurity works, including precise skills, knowledge and abilities required to conduct specific tasks in a job role.
PenTest+ versus CEH: Which certification is right for me?
CompTIA PenTest+ exam allows penetration testers to perform penetration testing, vulnerability assessment and vulnerability management on the targeted system(s). This exam also incorporates management skills for planning, scope, management and exploitation of weaknesses. Being a PenTest+-certified professional, you will be able to perform penetration testing in various IT environments such as mobile, cloud, desktops, and servers. Many employers in all sizes of companies are looking for penetration testers. If you already have three or four years of experience in information security and are looking for a career in penetration realm, taking a PenTest+ exam may be right for you.
A CEH — Certified Ethical Hacker — is a highly skilled security professional who is well-versed in understanding and knowing the weaknesses and vulnerabilities in targeted systems. They use the same tools and techniques as the hacker do, but in a legitimate and lawful manner to test security defenses of targeted systems.
A candidate can have various CEH career path opportunities. EC-Council also offers the master program, EC-Council University (ECU)’s Master of Security Sciences (MSS), in IT security. By attaining the CEH certification, you will automatically earn three credits towards the master program.
You can become a licensed security consultant by earning the EC-Council Certified Security Analyst (ECSA) certification and then apply to win a position of Licensed Penetration Tester (LPT).
The bottom line
In this article, we took a close look into the PenTest+ and CEH certifications. Both certifications primarily focus on penetration skills. However, PenTest+ covers other areas of vulnerability management and assessment, while CEH concentrates more on a proactive approach which allows ethical hackers to perform a pentest using the same tools and techniques that the hackers do. PenTest+ requires three to four years of experience in information security, while CEH needs two years of experience in the same field.
Do you have two to three years of penetration testing or information security experience? If yes, then why not apply for both PenTest+ and CEH? Due to the same practice areas and somewhat similar exam content, looking for both certifications is a wise approach. Having a bundle of these two certifications will provide you a competitive edge over other candidates and give you peace of mind on interview day.
- Certified Ethical Hacker Certification, EC-Council
- CompTIA PenTest+ Exam Code PT0-001, CompTIA
- CompTIA PenTest+ Certification Exam Objectives, CompTIA
- CEH Candidate Handbook, EC-Council
- CEH Exam Blueprint v3.0, EC-Council
- CompTIA PenTest+ vs. CEH: Which Should You Choose?, Start a Cyber Career
- ETHICAL HACKING: CHOOSING THE RIGHT PATHWAY! EC-Council
- 5 Reasons Cybersecurity Experts Love CompTIA PenTest+, CompTIA