Certified Ethical Hacker Study Guide (2026) - Pass on Your First Attempt
📋 2026 Edition  ·  Updated May 2026

Certified Ethical Hacker
ceh Study Guide — Pass First Attempt

Complete exam coverage for the Certified Ethical Hacker. Every domain, every key topic — structured so you study smart, not hard. Built around the official exam blueprint.

125
Questions
240 min
Duration
70% (varies by form, typically 70–80%)
Passing score
8
Domains
Start Free Practice Test → Take Readiness Diagnostic
92%
First-attempt pass rate
47K+
Candidates prepared
4.9★
Average rating
"Passed my Certified Ethical Hacker exam on the first try after just 6 weeks of studying with Edureify AI. The domain-level analysis showed me exactly what I was missing."
— Verified Edureify User
Your readiness score — take the free diagnostic to unlock your personalised analysis
—%
Overall readiness (locked)
Reconnaissance and Footprinting
Scanning and Enumeration
System Hacking
Malware and Social Engineering
Network Attacks
Web Application and Cloud Security
Cryptography and AI in Hacking
Penetration Testing Methodology
Run 10-Minute Free Diagnostic →
Exam at a Glance

Everything you need to know before you start

Key facts about the Certified Ethical Hacker exam structure, format, and scoring.

🆔
ceh
Exam code
📝
125 questions
Total questions
240 minutes
Duration
🎯
70% (varies by form, typically 70–80%)
Passing score
📋
8 domains
Exam domains
📅
Valid 3 years
Certification validity
🌐
Online / In-person
Testing mode
🏆
Globally recognised
Credential type
ℹ️
Scoring method: . The exam may include unscored pilot questions — treat every question seriously.
Focus Areas

What should you study for the Certified Ethical Hacker exam?

To pass the Certified Ethical Hacker certification exam, you should focus on these core domains. The exam tests your ability to apply concepts in real-world scenarios — not just memorise definitions.

⚠️
Common mistake: Candidates memorise terminology but struggle with scenario-based questions. Focus on when to use what, not just what exists.
🔐
Reconnaissance and Footprinting (10%)
Passive and active information gathering techniques used to profile target organisations before an attack.
🏗
Scanning and Enumeration (10%)
Active techniques to discover live hosts, open ports, services, and users on target systems.
System Hacking (12%)
Techniques for gaining access, escalating privileges, executing malware, and covering tracks on target systems.
💰
Malware and Social Engineering (8%)
Types of malware, malware analysis, and human-based social engineering attacks.
🔄
Network Attacks (15%)
Sniffing, session hijacking, DoS/DDoS, wireless attacks, and evasion techniques.
📊
Web Application and Cloud Security (20%)
OWASP Top 10 vulnerabilities, web app attacks, SQL injection, API security, and cloud environment attacks.
🌐
Cryptography and AI in Hacking (10%)
Cryptographic concepts, PKI, and the new v13 AI-assisted hacking module.
🛡
Penetration Testing Methodology (15%)
Legal and ethical considerations, structured pen test phases, reporting, and compliance frameworks.
Full Syllabus

Certified Ethical Hacker Exam Syllabus and Topics

The Certified Ethical Hacker exam is divided into 8 domains. Each domain tests specific skills and contributes to your overall score. Click any domain to expand topics.

Reconnaissance and Footprinting
Passive and active information gathering techniques used to profile target organisations before an attack.
10%
Passive Reconnaissance
OSINT: Google dorking, Shodan, Maltego, and social media profiling
WHOIS lookups and DNS enumeration: A, MX, NS, TXT records
Certificate transparency logs and subdomain enumeration
Job posting analysis and technology fingerprinting
Dark web monitoring and data breach checking
Active Reconnaissance
Network scanning with Nmap: TCP SYN, FIN, XMAS, NULL scans
Banner grabbing with Netcat, Telnet, and curl
Email header analysis and email footprinting
Traceroute and network topology mapping
~13 questions
125 marks
10% of exam weight
Scanning and Enumeration
Active techniques to discover live hosts, open ports, services, and users on target systems.
10%
Network Scanning
Host discovery: ICMP echo, TCP SYN ping, ARP ping
Port scanning: Nmap scan types, timing templates, and OS detection (-O)
Service version detection (-sV) and script scanning (-sC, --script)
Firewall and IDS evasion: fragmentation, decoys, and source port manipulation
Vulnerability scanning with Nessus, OpenVAS, and Qualys
Enumeration Techniques
NetBIOS and SMB enumeration: Enum4linux, Smbclient
SNMP enumeration: community strings, OIDs, and SNMPwalk
LDAP enumeration for Active Directory information
NFS, SMTP, and DNS enumeration techniques
Web application enumeration: dirbusting, Nikto, and robots.txt
~13 questions
125 marks
10% of exam weight
System Hacking
Techniques for gaining access, escalating privileges, executing malware, and covering tracks on target systems.
12%
Gaining Access
Password attacks: brute force, dictionary, rainbow table, credential stuffing
Password cracking tools: Hashcat, John the Ripper
Exploitation frameworks: Metasploit structure (exploits, payloads, encoders)
Buffer overflow concepts: stack-based and heap-based
Pass-the-hash and pass-the-ticket attacks
Privilege Escalation and Persistence
Vertical vs horizontal privilege escalation
Windows privilege escalation: unquoted service paths, weak permissions, token impersonation
Linux privilege escalation: SUID binaries, sudo misconfigurations, cron jobs
Maintaining access: backdoors, Netcat listeners, scheduled tasks
Rootkits: user-mode vs kernel-mode, detection evasion
Covering Tracks
Windows event log manipulation and MACE attribute modification
Linux log clearing: /var/log/auth.log, history manipulation
Steganography for data exfiltration and hiding payloads
Timestomping and file attribute manipulation
~15 questions
150 marks
12% of exam weight
Malware and Social Engineering
Types of malware, malware analysis, and human-based social engineering attacks.
8%
Malware Types and Analysis
Virus types: file infectors, boot sector, macro, polymorphic, metamorphic
Worms vs Trojans vs RATs: propagation and purpose
Ransomware: encryption mechanisms, delivery, and decryption keys
Fileless malware and living-off-the-land (LOLBins) techniques
Static vs dynamic malware analysis: sandbox environments
Human-Based Attacks
Phishing, spear phishing, whaling, vishing, and smishing
Pretexting, tailgating, and impersonation techniques
BEC (Business Email Compromise) attack patterns
Social engineering frameworks: SET (Social Engineering Toolkit)
Countermeasures: security awareness training and email gateway controls
~10 questions
100 marks
8% of exam weight
Network Attacks
Sniffing, session hijacking, DoS/DDoS, wireless attacks, and evasion techniques.
15%
Packet Sniffing
Passive vs active sniffing: hubs vs switches
ARP poisoning and MITM attacks: arpspoof, Ettercap
MAC flooding to overflow CAM table
Wireshark: capture filters, display filters, and protocol analysis
Countermeasures: dynamic ARP inspection, port security
Session Hijacking and DoS
TCP session hijacking: sequence number prediction
Cookie theft and XSS-based session attacks
DoS vs DDoS: volumetric, protocol, and application-layer attacks
Botnets and C2 infrastructure for DDoS
DDoS mitigation: rate limiting, scrubbing centres, Anycast
Wireless Hacking
WEP, WPA, WPA2, and WPA3 vulnerabilities
PMKID attack and 4-way handshake capture with Aircrack-ng
Evil twin attacks and rogue access points
Bluetooth attacks: Bluejacking, Bluesnarfing, KNOB
Wireless IDS evasion techniques
IDS, Firewall, and Honeypot Evasion
Firewall types: packet filter, stateful, NGFW, WAF
Evasion: fragmentation, tunnelling, encrypted payloads
IDS evasion: session splicing, obfuscation, TTL manipulation
Honeypots and honeytraps: types and detection
~19 questions
188 marks
15% of exam weight
Web Application and Cloud Security
OWASP Top 10 vulnerabilities, web app attacks, SQL injection, API security, and cloud environment attacks.
20%
OWASP Top 10 and Attack Techniques
Injection attacks: SQL injection (union-based, blind, error-based), command injection
XSS: reflected, stored, DOM-based and exploitation techniques
IDOR: insecure direct object references and broken access control
SSRF: server-side request forgery and internal network pivoting
XXE: XML external entity attacks
CSRF: cross-site request forgery and SameSite cookie defences
Security misconfiguration and default credentials
Web Attack Tools
Burp Suite: proxy, scanner, intruder, and repeater modules
SQLmap: automated SQL injection detection and exploitation
OWASP ZAP: active and passive scanning
Directory brute-forcing: Gobuster, Dirbuster, Feroxbuster
Cloud Security
AWS, Azure, GCP attack surfaces: IAM misconfigurations, exposed buckets, SSRF
Container security: Docker escape, Kubernetes RBAC misconfigurations
Cloud enumeration tools: Scout Suite, Prowler, CloudSploit
Serverless attacks: function injection and over-privileged roles
IoT and OT/ICS
IoT attack surface: firmware extraction, default credentials, insecure protocols
Shodan for IoT device discovery
OT/ICS protocols: Modbus, DNP3, SCADA vulnerabilities
ICS attack case studies: Stuxnet, Colonial Pipeline
~25 questions
250 marks
20% of exam weight
Cryptography and AI in Hacking
Cryptographic concepts, PKI, and the new v13 AI-assisted hacking module.
10%
Cryptographic Algorithms and PKI
Symmetric encryption: AES, DES, 3DES, Blowfish
Asymmetric encryption: RSA, ECC, Diffie-Hellman
Hashing: MD5, SHA-1, SHA-256, bcrypt
PKI: certificate lifecycle, CA hierarchy, CRL, OCSP
SSL/TLS: handshake process, cipher suites, and certificate pinning
Cryptographic attacks: birthday, MITM on TLS, padding oracle
AI-Assisted Attack and Defence
Using AI/ML for automated vulnerability discovery
AI-powered phishing and deepfake social engineering
LLM prompt injection attacks
AI-based anomaly detection and AI-driven SIEM
Adversarial machine learning: evasion attacks on ML models
~10 questions
100 marks
10% of exam weight
Penetration Testing Methodology
Legal and ethical considerations, structured pen test phases, reporting, and compliance frameworks.
15%
Legal and Ethical Framework
Rules of engagement (RoE) and statement of work
Types of pen tests: black box, white box, grey box
Authorisation and scope: why written permission is essential
Computer crime laws: CFAA (US), Computer Misuse Act (UK)
Security assessment types: vulnerability assessment vs pen test vs red team
Pen Test Phases and Reporting
CEH pen test phases: pre-attack, attack, post-attack
Pen test report structure: executive summary, technical findings, CVSS scores
CVSS v3.1: base, temporal, and environmental metrics
Remediation prioritisation and re-testing
Responsible disclosure vs full disclosure
~20 questions
187 marks
15% of exam weight
🔥 1,247 professionals tested in the last 24 hours

Know if you'll pass Certified Ethical Hacker before exam day

Take our 10-minute diagnostic and get a personalised report showing your exact readiness, weak domains, and how many days you need to be ready.

Start Free Diagnostic →
100% Free No credit card Results in 10 minutes
Study Plan

Certified Ethical Hacker Structured Study Roadmap

Designed for candidates studying 1-2 hours per day. Select your timeline below.

Exam Strategy

Tips to pass Certified Ethical Hacker on your first attempt

Tactical advice beyond content knowledge — what separates candidates who pass from those who retake.

🗓
CEH is a broad exam: do not try to memorise every tool. Instead, know what each major tool does (Nmap, Metasploit, Wireshark, Burp Suite, Aircrack-ng) and when you would use it.
🔍
SQL injection is the most tested web application topic: know union-based, blind boolean, blind time-based, and error-based injection techniques and how to detect each.
Memorise Nmap scan types and what each reveals: SYN scan (-sS) is the default; NULL, FIN, and XMAS scans are for firewall evasion; -sV detects service versions.
📊
The five phases of ethical hacking (Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks) are the backbone of the exam — expect questions that ask which phase an activity belongs to.
🔁
Know the difference between active and passive reconnaissance: passive involves no direct contact (WHOIS, OSINT), active involves direct interaction (scanning, banner grabbing).
🧪
CEH v13 added AI content: expect a handful of questions on AI-powered attacks (deepfakes, LLM injection) and AI-based defences. These are straightforward conceptual questions.
📝
Wireless attack questions focus on WPA2 handshake capture with Aircrack-ng and evil twin attacks — know the steps and the tools involved.
🎯
Session hijacking questions often focus on TCP sequence number prediction and ARP poisoning as the enabler of MITM — understand the mechanism, not just the name.
🗓
For cryptography, focus on which algorithms are symmetric vs asymmetric, key lengths for AES (128/192/256), and common attacks (birthday attack on MD5, BEAST on SSL).
🔍
Practise with EC-Council's official mock exams — question style, terminology, and distractors closely match the real exam and differ from other vendors' practice questions.
Recommended Resources

Official and trusted study materials

Curated resources ranked by usefulness. Quality over quantity — focus on a small set of authoritative sources.

Official
Official Exam Guide
The authoritative blueprint. Know every objective before studying anything else.
→ Vendor website
Practice Tests
Edureify Practice Tests
Full-length Certified Ethical Hacker simulations with detailed per-domain analysis and explanations.
→ Start free test
Video Course
Structured Video Course
Pick one highly-rated course and complete it end-to-end before switching resources.
With edureify Convert Tutorial to AI Tutor
Reference
Domain Cheat Sheets
One-page summaries for each Certified Ethical Hacker domain — ideal for last-week revision.
→ Get free Cheat Sheet
Community
Study Groups & Forums
Reddit r/certifications and exam-specific Discord servers for peer support and tips.
→ Reddit / Discord
AI Tutor
Edureify AI Mentor
Get instant answers to Certified Ethical Hacker concepts, domain-level weak-area coaching, and adaptive questions.
→ Try free
⚠️
Avoid brain dumps. Sites selling "real exam questions" violate most vendor NDAs and are legally risky. Questions rotate regularly — brain dumps lead to overconfidence on outdated material and a higher retake rate.
Reviews

What candidates say after passing

★★★★★
"Passed Certified Ethical Hacker on my first attempt after 5 weeks. The domain-level diagnostic showed me exactly where my gaps were — I stopped wasting time on topics I already knew."
Rahul S.
Solutions Architect, Bangalore
★★★★★
"The structured study plan kept me on track. I tried studying on my own for 3 months and failed. With Edureify's roadmap I passed in 6 weeks."
Priya M.
Cloud Engineer, Mumbai
★★★★★
"The AI mentor was like having a personal tutor available at 2am. Every concept I didn't understand was explained until I got it. Invaluable for the Reconnaissance and Footprinting domain."
David K.
DevOps Engineer, London
FAQ

Frequently asked questions about Certified Ethical Hacker

Ready to pass Certified Ethical Hacker on your first attempt?

Get your personalised study plan in 10 minutes — free, no credit card required.

Start My Free Diagnostic →
92% first-attempt pass rate 47,000+ candidates 4.9★ rating No credit card needed