The CEH knowledge exam is a multiple-choice assessment of broad ethical hacking concepts; CEH Practical asks candidates to demonstrate hands-on skills in a lab environment.
Last updated: 2026 guidance for EC-Council CEH v12. Exam versions, eligibility rules, delivery options, and policy details can change, so candidates should verify current requirements in EC-Council’s official exam blueprint, candidate handbook, and exam policies before booking.
The EC-Council Certified Ethical Hacker exam is designed to assess whether a candidate understands the methods, terminology, tools, and defensive context used in ethical hacking. It is aimed at security professionals, network and system administrators, SOC analysts, junior penetration testers, auditors, and others who need a structured grounding in offensive security concepts used for lawful security testing.
The CEH v12 knowledge exam is commonly described as a 125-question multiple-choice exam with a duration of about four hours. A common mistake is to prepare for a fixed passing percentage. EC-Council uses a variable pass mark by exam form, which means the required score can vary depending on the difficulty of the specific set of questions delivered. Preparation should therefore focus on objective mastery rather than chasing a single number.
CEH Practical is different. It is a performance-based lab exam that requires candidates to complete tasks in a proctored cyber range over a longer session. The better sequence for most candidates is to prepare for the CEH knowledge exam first, then attempt CEH Practical once they can complete end-to-end attack chains in a lab without relying on step-by-step prompts.
CEH is most useful for professionals who need to understand how attackers think, how common vulnerabilities are found, and how security controls are tested. For a system administrator, it can improve the ability to recognise misconfiguration and privilege escalation risks. For a SOC analyst, it can make alerts easier to interpret because the analyst understands the attack phase implied by the evidence. For a junior penetration tester, it provides a common vocabulary before deeper tool-specific or methodology-specific training.
Candidates should be careful not to treat CEH as a shortcut into advanced penetration testing. The exam rewards breadth: reconnaissance, scanning, enumeration, vulnerability analysis, system hacking concepts, malware, sniffing, social engineering, web application attacks, wireless, cloud, cryptography, and defensive countermeasures. Practical depth still comes from repeated lab work, reporting practice, and experience with real security constraints such as authorisation, scope, logging, and change control.
The CEH knowledge exam is a theory exam, even though many of the topics are technical and tool-related. Candidates should expect multiple-choice questions that test concepts, tool selection, attack phases, risk implications, and countermeasures. It is not a practical exam with separate hands-on sections inside the same sitting.
The variable pass mark is worth emphasising because it affects how candidates study. A fixed-score mindset encourages memorisation and anxiety over practice-test percentages. A mastery mindset is more reliable: candidates should be able to explain why a technique is used, what phase it belongs to, which controls can detect or prevent it, and how similar tools differ in purpose.
Official EC-Council materials should remain the source of truth for exam domains, eligibility, identification requirements, remote-proctoring rules, retake rules, and continuing education obligations. Public frameworks such as MITRE ATT&CK and OWASP can also help candidates connect CEH terminology to real attacker behaviour and web security risks, but they should support the exam blueprint rather than replace it.
A six-week plan is realistic for candidates who already understand basic networking, operating systems, and security fundamentals. Candidates starting from scratch may need longer, especially if TCP/IP, Linux commands, Windows administration, and basic scripting are unfamiliar. The goal is to build knowledge and hands-on memory together, because CEH questions often become easier when the candidate has actually performed the technique in a legal lab.
Week one should establish the baseline. Candidates should read the current exam blueprint, take a diagnostic quiz if available, and identify weak areas. The technical focus should be networking foundations, security terminology, the ethical hacking process, scope and authorisation, and reconnaissance. A small lab might include passive information gathering, DNS lookups, WHOIS review, and documenting findings in a short report.
Weeks two and three should focus on scanning, enumeration, vulnerability analysis, and system attack concepts. Lab work should be repeatable rather than elaborate: scan a deliberately vulnerable machine, compare service banners with vulnerability information, identify likely misconfigurations, and practise explaining the difference between discovery, enumeration, exploitation, and post-exploitation. Candidates should avoid memorising isolated command switches without understanding what the tool is trying to reveal.
Week four should move into web application, wireless, malware, sniffing, social engineering, and cloud topics. OWASP categories are useful for understanding web application risk, while MITRE ATT&CK can help candidates map techniques to tactics such as initial access, execution, persistence, privilege escalation, and credential access. Cloud and identity topics deserve attention because modern environments rarely stop at a flat on-premises network.
Week five should become practice-heavy. Candidates should complete timed question sets, review every incorrect answer, and write down the concept behind the mistake rather than the letter of the answer. Lab sessions should revisit recon, scanning, exploitation, privilege escalation, web testing, and wireless concepts at a small scale. The milestone is not tool fluency for its own sake; it is being able to recognise what a question is really testing.
Week six should be consolidation. Candidates should reduce new material, focus on weak domains, complete at least one full-length timed practice session, and refine exam-day pacing. The final days are better spent reviewing notes, diagrams, terminology, and mistakes than trying to absorb large new topics. Structured training can help candidates who want guided coverage and scheduled practice; the EC-Council Certified Ethical Hacker course is one route for learners who prefer an instructor-led format.
Hands-on practice matters even when the exam is multiple choice because it gives meaning to the vocabulary. A candidate who has run a scan, misread noisy results, and then narrowed findings manually is more likely to understand what a question stem is implying. The same applies to web testing, privilege escalation, packet capture, and wireless concepts.
The most effective labs are small and repeatable. A candidate might build a routine around one vulnerable host, one Windows target, one Linux target, and one deliberately vulnerable web application. Each lab should end with a short written summary: what was attempted, what was found, what the risk was, and which mitigation would reduce exposure. That habit prepares candidates for questions that include defensive wording, reporting language, or scope constraints.
There are also common traps. Candidates often spend too much time memorising flags, neglect Windows and Active Directory concepts, skip cloud security vocabulary, or use illicit question dumps. Brain dumps create policy and ethics problems, and they are poor preparation because they reward answer recognition instead of understanding. CEH preparation should reflect the same ethical boundary the certification is meant to represent.
CEH questions often become clearer when the candidate identifies the attack phase first. If the stem describes public information gathering, the likely answer is different from a stem describing service enumeration, credential attacks, privilege escalation, lateral movement, or evidence removal. Reading the scenario before looking at the options can prevent the candidate from being pulled toward a familiar tool name too early.
Distractors are frequently plausible. Two tools may appear to fit, but one may be used for packet analysis while another is used for exploitation, scanning, password auditing, or web proxying. The candidate should ask what the question is really asking: the next step, the best tool, the most likely risk, the mitigation, or the ethical constraint.
Scope and authorisation clues are especially important. Ethical hacking questions may include wording about permission, rules of engagement, reporting, or production impact. An answer that is technically powerful may still be wrong if it violates scope, causes unnecessary disruption, or skips documentation and approval.
A four-hour window for 125 questions gives enough time, but only if candidates avoid getting stuck. A practical pacing model is to answer the first pass at roughly 90 seconds per question, flag uncertain items, and preserve the final 20 to 30 minutes for review. Some questions will take far less time, which creates room for longer stems and calculation-style reasoning if they appear.
The first pass should separate known answers from uncertain ones. If the candidate can identify the correct answer with confidence, answer and move on. If two options remain plausible after reasonable elimination, choose the stronger answer, flag it, and continue. Long pauses on a single question often cost more marks than they save.
During review, candidates should change answers only when they can point to a specific reason: a missed keyword, a scope clue, a misunderstood tool, or a better match to the attack phase. Changing answers because of fatigue or doubt is rarely a disciplined strategy. The review period is for correcting misreads, not re-taking the whole exam mentally.
Exam-day issues are usually administrative rather than technical knowledge gaps. Candidates should check identification requirements, appointment time, exam delivery method, and any remote-proctoring instructions well before the exam. If testing remotely, the room, camera, microphone, internet connection, permitted materials, and system checks should be completed in advance rather than minutes before the appointment.
Break rules and exam conduct policies should also be reviewed before the day. Candidates should not assume they can pause freely, leave the room, use notes, or access external resources unless the current rules explicitly allow it. For in-person testing, travel time, identification, and arrival instructions matter more than last-minute revision.
The final hour before the exam should be calm and practical. Reviewing a short personal sheet of weak concepts can help, but cramming new tools or unfamiliar attacks usually increases confusion. Sleep, hydration, and a clear plan for pacing are more valuable than another rushed practice quiz.
After passing, candidates should confirm certification status, digital badge or certificate availability, and continuing education obligations through EC-Council’s current guidance. Certification is not the end of the skill path; ethical hacking knowledge needs regular updating because tools, cloud platforms, identity systems, and attacker tradecraft change.
If the result is unsuccessful, the best next step is a structured review rather than immediately booking another attempt. Candidates should identify weak domains, review timing notes, rebuild labs around missed concepts, and check EC-Council’s current retake policy before scheduling. A failed attempt can still be useful if it reveals whether the issue was knowledge depth, question interpretation, pacing, or exam-day stress.
Some candidates continue into CEH Practical, while others branch toward incident response, cloud security, governance, or advanced penetration testing. Comparing options across the EC-Council training catalogue can help clarify whether the next step should deepen ethical hacking practice or broaden security responsibilities.
The key to passing CEH is disciplined breadth: learn the objectives, practise enough to make the terminology real, and treat question analysis as a skill in its own right. Candidates who understand the attack phase, recognise distractors, respect ethical boundaries, and manage time carefully are better prepared than those who rely on memorised questions or fixed-score myths.
Readynez can support CEH preparation through structured training, but the strongest results come when training is paired with consistent lab work, careful review, and official policy checks. A practical next step for professionals planning several security certifications is to consider Unlimited Security Training as part of a longer-term development plan.
The CEH v12 knowledge exam is generally described as 125 multiple-choice questions with a duration of about four hours. Candidates should always confirm the current format in EC-Council’s official exam information before scheduling.
There is no single fixed percentage that candidates should rely on. EC-Council uses a variable pass mark by exam form, so the required score can vary depending on the difficulty of the questions delivered.
A candidate with networking, operating system, and security fundamentals may be able to use a focused six-week plan. Candidates with less background should allow more time to build foundations and complete hands-on labs.
Practice should combine timed question sets with small legal labs. Labs for reconnaissance, scanning, vulnerability analysis, web testing, privilege escalation, wireless concepts, and defensive reporting make the theory easier to understand.
Candidates should avoid chasing a fixed passing score, memorising tool switches without understanding methods, skipping Windows, Active Directory, and cloud topics, and using illicit brain dumps. Those habits weaken preparation and can create policy or ethics issues.
Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course.
You're viewing our global site from United States
Would you like to view the site in
English
with prices in
Dollar?