taeluralexis, (edited)

What are your thoughts on the Certified Ethical Hacker (CEH)? If you were offered a scholarship to take the cert for $200 instead of the standard $1k would you take it? Would you say it would benefit someone’s efforts towards getting interviews for a role in vulnerability analysis/pentesting? Asking for a friend, I’m trying to help her rn 🥴

SecTestAnna, (edited)

@taeluralexis I know there are some problems with the corporatization of OffSec certs of late, but last year I spent a bit more than the 1k you mentioned for CEH and got my OSCP instead. I learned the basics of attacks and developed the mindset needed for pentesting. There were a lot of basic things I didn’t learn until I was on the job (poisoning, relays, ADCS exploitation), but it did teach me enough to be successful. I also landed a job about a week after getting the cert, so it holds a lot of pulling power still.

If possible, I’d see if the money could be redirected to other certs that provide more practical value and education.

taeluralexis,

@SecTestAnna I actually saw your LinkedIn before! I was looking up diff profiles to get a sense of how people got into their pentester roles and I liked yours lol. The OSCP is the goal for me! I’m currently going for the PNPT, it taught me diff attacks like poisoning, kerberoasting, golden ticket etc and it’s only $300. I’ve really enjoyed the journey so far. You’re an inspiration for me Anna :-)

SecTestAnna,

@taeluralexis that means so much to me! There are a lot of times where it feels like my posts go out into the void, and I am so incredibly grateful that they have been able to help and inspire you. If you ever need any advice or feedback, I’m always happy to lend an ear.

taeluralexis,

@SecTestAnna I would really appreciate that! And I get how you feel about feeling like posts go into the void but I do hope you share more! At least with me lol 🫶🏾

DaveMWilburn,

@taeluralexis my personal feeling is that it is an entry level cert, and as a hiring manager I would consider it a plus for entry level positions, alongside other entry level certs like Security+. Beyond entry level, the CEH probably doesn't do much good other than to check some boxes, and there are better certs for experienced specialists.

Certs can be useful to get past highly automated initial HR filters. There are a lot of paths to infosec, including certs, formal education, open source software dev, CTFs, home lab work, and lateraling in from adjacent fields (e.g., IT support). None of these paths is inherently better than the other, and ideally there should be some combination of several of them, but some automated HR systems have hard requirements for some of them like certs. Given that the tech sector downturn has made this all much more challenging, I'd say a cert would be a generally good idea, all other things being equal.

That said, it was not my personal route. I have never had certs. I came into the field with a comp sci degree and some sysadmin experience at the turn of the century, and I had the privilege of a personal connection with someone at my then-prospective employer.

giffengrabber,

@taeluralexis

My personal take – I’m not in the field of pentesting/vuln. analysis so take this with a grain of salt:

Personally, I’ve never bothered that much with certificates. I took a few (not many) at uni since it was part of the syllabus for some courses.

In general, my strategy has been to just dive in to those things I’ve found to be interesting.

Certificates can be a way to get a foot in the door but my preference is that if employers don’t trust my knowledge without certificates, then they might not be a good match for me.

Some related discussions on HN that might be interesting:

https://news.ycombinator.com/item?id=14098466

https://news.ycombinator.com/item?id=2925735

People have some strong opinions about this kind of thing – again, take it with a grain of salt. But it can still be a useful input when you make up your mind on what paths to take and what paths to not take.

HTH 😃

taeluralexis,

@giffengrabber Thank you for adding to the discussion and providing these links as well! I've had one person say they wouldn't trust someone without a CISSP for any security role but I think a lot of other ppl don't hold such strong convictions about it like they do

giffengrabber,

@taeluralexis There are indeed people who hold that view, but IMO it’s not sensible to require CISSP. I know for a fact that there are many extremely talented security professionals who don’t hold a CISSP.

I think of it like this: There are many paths to wisdom. Certifications can be part of those paths, but IMHO lack of certifications should not be a reason to refuse a candidate.

(Except for stuff where it’s legally required like physicians etc, but after all it’s not like that in tech.)

sbj,

@taeluralexis @giffengrabber That's elitist gatekeeping nonsense. The CISSP is a test that focuses on your ability to retain information and "think like a manager". I would avoid working with anyone with that attitude. I have nothing but respect for the certification but it's not for everyone, especially someone looking for an entry-level security engineer type role.

taeluralexis,

@sbj @giffengrabber I'm with you lol I have literally no professional experience in security and they tell me everyday I need to set my sights on the CISSP right now. But just like you said, it teaches you to think like a manager and I feel like more practical pentester-focused certs may be beneficial considering my goals. But I mean hell I love feedback lol

jferg,

@taeluralexis
I would not trust that person to hire for a security role, honestly.

@giffengrabber

JamesThomas,

@taeluralexis @giffengrabber CISSP is certainly a good cert to have, especially to get through the "filters" to get an interview. However, there are a lot of valuable certs and experience and demonstrated knowledge matter the most. Anyone in a hiring position that is filtering on the CISSP alone is doing it wrong. Personally I think the CompTIA Security+ is still the best first cert for just about anyone.
For Pentesting, I can't say that there is a cert that "gets it done" but the CEH doesn't really have a good reputation. Maybe the Pentest+ ?

0xdaeda1a,

@taeluralexis I consider it a yellow flag on a resume. Unless your current job is making you do it and paying for it, do anything else.

taeluralexis,

@0xdaeda1a thank you for your input! Yeah my friend is def not taking the CEH after reading the replies lol

0xdaeda1a,

@taeluralexis the free isc2 certified in cybersecurity might be worthwhile! It is free (for now), it’s the same group that does the cissp, and it was intended as entry level. I’m making my sister do it. https://www.isc2.org/certified-in-cybersecurity

taeluralexis,

@0xdaeda1a I've heard about it! The only thing is the lack of recognition for the cert itself compared to the Sec+ and how they make you pay the $50 to actually be certified

0xdaeda1a,

@taeluralexis Yeah, I forgot that wrinkle, sorry; I told my sister I’d pay that part :) It’s still a lot cheaper than sec+.

Tbh I think associate of the isc2 is the best entry level very but it’s expensive.

hacks4pancakes,

@taeluralexis normally I say get any cert that teaches you stuff that’s useful and you can afford but the org that provides it is pretty shady and disreputable.

mav,

@taeluralexis as someone who treads a lot in this certification space, I'd probably go for it, and the reason why is that there are still a number of jobs (especially government) where CEH can cut through some of the HR blocks. And ultimately that's what certifications are for.

There are other folks here that have addressed the concerns about (a) quality of the cert and (b) the fact that EC-Council is hot garbage, so keep those in mind. It's just a tool for defeating HR. But it's not a bad one, if you're ok with it.

taeluralexis,

@mav that’s what I think too, I see the cert a lot in job descriptions for the roles she wants, even for blue team. Thank you for adding your thoughts 💜

shawn_dubs,

@taeluralexis I didn't get the certification but took a couple courses back in the day and learned a lot, nothing wrong with learning a little. CEH seems in the pentest wheelhouse to me...

hyp0x90,

@taeluralexis CEH here (paid by my employer). Despite its fancy name, it's completely useless for my job role (pentester).

taeluralexis,

@hyp0x90 wow lol really? What training or certs would you say have been more fruitful for you as a pentester? Do you have thoughts on the PNPT?

hyp0x90,

@taeluralexis PNPT is nice. I took the exam last year and I had a blast :D Sadly it's fairly new, so it lacks proper recognition. The golden standard for "entry level" certs is definitely the OSCP. I wouldn't approach it as a first cert anyway, so I guess my suggestion would be eJPT -> eCPPT for the network part, and integrate it with PortSwigger Academy (free) for the web application part. The HackTheBox Academy, while also lacking proper recognition, is also a really good place to learn. Just my 2 cents

taeluralexis,

@hyp0x90 sounds like I’m on a good path then! I’m using HTB’s CPTS path for more practice as I prepare for the PNPT, hoping to take it this summer. I love Portswigger too >.<. I’m hoping these certs get more recog. I would do the OSCP if it didn’t cost twice my rent rn lol 😂. I’m gonna save for it eventually

madsky,

@taeluralexis I have a CEH. I refer to it as “Certified Ethical Hamburglar”. It’s a pre-101 level qualification IMO. Granted I took it a very long time ago so it may have changed, but at the time the course played out like someone had googled “hacking tools” and downloaded a bunch to CD and we just read about how “powerful and dangerous” they were without any real context for a few days.

falcon,

@taeluralexis they are charging $1000 to write that?! DoD 8570 is the worst thing to happen to infosec training and certification.

pbrass,

@taeluralexis it’s a meh medium difficulty cert but not bad and $200 seems like a fine price. If I were interviewing someone and they brought it up I would ask them to walk through the part of the test that challenged them the most and explain how they addressed those challenges.

TindrasGrove,

@taeluralexis if a particular job literally requires it, I’d consider. If an employer is paying for it? Sure.

Otherwise, run screaming the other direction and choose literally any other cert.

Not only does the organization that writes it have some serious ethical issues, but it’s literally a poorly written exam. I’ve taken many certs from many vendors, and have never had 10% of the questions not even make sense the way I did on CEH.

So, any org that requires it had better be government or contracting for them, because otherwise they don’t understand what it is they’re requiring people to do, and that does not bode well for my ability to not get frustrated with management.

thebeehammer,

@taeluralexis I do not like the EC Council certs personally. They’ve made some pretty scummy moves as an org (like plagiarizing blog entries).
I have it and sat for the CHFI exam. I reported multiple questions as unanswerable and never heard back. If it helps you get a job you’re looking for, go for it. I just don’t place a lot of value in it.

soleblaze,

@taeluralexis EC Council is shady and untrustworthy. It depends on what you want to do. For some jobs there’s a requirement to have one of X certs, where the CEH would fit. Otherwise I wouldn’t list it on my resume. I’ve generally seen it as a negative thing to list on a resume.

cybersoldier,

@taeluralexis I won't pay a dollar for CEH; it's not worth it. Yeah, I am CEH certified but the whole expense was paid by my employer.

no0ob,

@taeluralexis I was drunk and the other two were skilled hackers with a bunch of CVEs to their name and for some reason it seemed a good idea to do a pirate copy of the CEH exam. We failed. It was awesome.

taeluralexis,

@no0ob LMFAOOOOOOO yall sound fun

sailingbikeruk,

@taeluralexis if you can get past the unethical past behaviour of EC Council, I found the cert a really valuable starting point so much so that I wrote a blog post suggesting all IT Managers should do it.

It won't make you an ethical hacker, it might open your eyes and feed your knowledge.

Some US orgs ( government I think) require it.

If you are interested.
https://vroamam.com/wordpress/blog/why-every-it-manager-should-do-ceh/

taeluralexis,

@sailingbikeruk I appreciate your perspective on this! I'm going to read your blog rn!

sailingbikeruk,

@taeluralexis let me know what you think.

sbj,

@taeluralexis It's not very well-respected anymore but for $200? I'd probably do it for $200 just so I can say I did. I don't think having a CEH will help get a foot in the door many places anymore.

btlr,

@taeluralexis Can't recommend either EC-Council or their C|EH, especially for their regular pricing. Lots of strange tooling stuff in their courseware and exam... and I remember Snowden's passport was leaked because they didn't safeguard their own candidate database. 🫣
But it is well known within HR circles nowadays (although not respected by professionals).
Would recommend any of the CompTIA security certificates instead: better content, better pricing, performance based exam (fun!)
https://arstechnica.com/information-technology/2014/02/security-certification-group-ec-councils-website-defaced-with-snowden-passport/

krux,

@taeluralexis it's a garbage cert. The only reason to get it (and it's not a good one) is if you're required to because some government reg requires it. And even then you shouldn't use your own money to get it, but make work pay for it. I let mine expire.

katzmandu,

@taeluralexis The org that runs it has a bad reputation. At a minimum it will teach you to be a noisy pentester.

timjclevenger,
taeluralexis,

@timjclevenger that's insane omg >.<

nieldk,

@taeluralexis they are unethical, no, no.
They asked me to create a course, which I turned down. Politely of course.

taeluralexis,

@nieldk ahh thank you thank you!

nieldk,
infopowerbroker,

@taeluralexis I took the exam through work ten years ago and EC Council was terrible in every way. The test (version 8) was bad (academic knowledge of attack types, no practical knowledge), the post exam continuing education system was bad and consistently got worse, and the EC Council shifted membership requirements to grab as much money as possible with dues. Personally I’d avoid it. I let mine expire over 5 years ago and haven’t looked back.

nacho,

@taeluralexis My experience is quite outdated because I was certified about 10 years ago in version 7. Not a great fan when it came to the content and the exam, you could pass it with just a shallow knowledge. But, at least in Spain, it was fairly known by the HR teams and it got me several interviews so I guess that is worth those 200 bucks 😅

taeluralexis,

@nacho yep I see the cert in a lot of job descriptions, not as much as the OSCP but that one is so expensive lol.
