EC-Council pushed CEH into its 13th version with one headline change that actually matters: AI is now woven into the exam content as both an attack tool and a defensive lens. That's not spin. The blueprint explicitly covers AI-driven reconnaissance, ML-assisted fuzzing, and adversarial prompting against LLM-integrated systems. If you've been putting off CEH because it felt dated, v13 is a different animal.
This post breaks down what each domain cluster actually tests — the stuff the official marketing glosses over — plus the traps that catch candidates who trained wrong.
Before getting into the domains, the fast facts: the CEH knowledge exam is 125 multiple-choice questions in 4 hours, and the passing score varies by exam form (60–85%) because EC-Council uses a cut-score method that adjusts the threshold per form to normalize difficulty. Expect to pay $950–$1,199 USD plus EC-Council's exam fees, depending on your region and whether you go through an Accredited Training Center or the iLearn self-study path. Renewal requires 120 ECE (EC-Council Continuing Education) credits over 3 years. There's also an optional CEH Practical — a 6-hour, 20-flag hands-on lab exam on a live range. The Practical is a separate exam, not included in the standard fee, and genuinely hard.
You can run through free CEH practice questions to get a feel for question style before committing to prep materials.
## The 20 Modules, Grouped by What They're Actually Testing
CEH v13 officially lists 20 modules. Here's how to mentally organize them:
### Reconnaissance and Footprinting
Modules 2–3 cover passive and active intel gathering. The exam does not just ask you to name tools. It tests your judgment: which technique is noisier, when active scanning crosses into illegal territory without authorization, and which OSINT source surfaces which data type. WHOIS, Shodan, Maltego, Google dorks, metadata extraction from documents — you need to know their practical output, not just that they exist.
### Scanning and Enumeration
Modules 4–5. This is Nmap territory, but don't stop there. SYN scans vs. full connects vs. idle scans, and why each leaves a different footprint. Enumeration covers SNMP, LDAP, NFS, DNS zone transfers, NetBIOS. Expect questions on what specific Nmap flags produce, what banner grabbing reveals, and what enumerated output tells you about an OS or service version.
### Vulnerability Analysis
Module 6. Vulnerability scanners (Nessus, OpenVAS) and their output formats. CVSS scoring — you should be able to read a CVSS vector and know what it means. The exam also touches on vulnerability research workflow: NVD, Exploit-DB, vendor advisories.
### System Hacking
Module 7. The classic CEH arc: gaining access, escalating privileges, maintaining access, covering tracks. Password attacks (brute force, dictionary, rainbow tables, pass-the-hash), buffer overflows at a conceptual level, privilege escalation paths in Windows and Linux, rootkit categories, log tampering. This module has historically been the densest in terms of question volume.
### Malware Threats
Module 8. Trojans, viruses, worms, ransomware, fileless malware. Malware analysis phases (static vs. dynamic). Sandbox evasion techniques. You're not writing malware — you're recognizing behaviors and understanding delivery mechanisms. APT-style staging and persistence mechanisms show up here.
### Sniffing and Social Engineering
Modules 9–10. Sniffing covers ARP poisoning, MAC flooding, DHCP starvation, DNS spoofing, and countermeasures. Social engineering is broader than phishing: pretexting, vishing, tailgating, baiting, impersonation. The v13 update folds in AI-generated spearphishing content as an emerging threat vector — expect at least a question or two touching on this.
### DoS/DDoS and Session Hijacking
Modules 11–12. Volumetric vs. protocol vs. application-layer attacks. Amplification attack mechanics (NTP, DNS, memcached). Session hijacking: TCP sequence prediction, session fixation, cookie theft, MITM positioning. Tools like hping3 show up in this cluster.
| Domain Cluster | Key Tools/Concepts | v13 AI Angle |
|---|---|---|
| Reconnaissance | Maltego, Shodan, OSINT | AI-assisted target profiling |
| Scanning/Enum | Nmap, Nessus, SNMP enum | ML-assisted port/service fingerprinting |
| System Hacking | Mimikatz, pass-the-hash, rootkits | AI-powered password cracking |
| Social Engineering | Phishing, pretexting, vishing | Deepfake voice/video, LLM-generated lures |
| Web/App Hacking | Burp Suite, SQLi, XSS | AI-assisted fuzzing, LLM prompt injection |
| Cloud/Wireless | AWS misconfigs, WPA3 attacks | Cloud-native AI service exploitation |
### Evading IDS, Firewalls, and Honeypots
Module 13. Fragmentation attacks, TTL manipulation, protocol tunneling, covert channels. Honeypot detection techniques. This module is lighter on tooling and heavier on understanding why certain packets bypass detection — the conceptual layer matters more than memorizing specific evasion flags.
### Web Server and Web Application Hacking
Modules 14–15. Web server attacks: directory traversal, HTTP response splitting, web cache poisoning, banner grabbing against web servers. Web app hacking pulls heavily from OWASP: injection flaws, broken authentication, IDOR, SSRF, XXE. Burp Suite is referenced constantly. v13 adds LLM-integrated application testing — prompt injection and model extraction as new attack surfaces.
### SQL Injection
Module 16. Enough to warrant its own module. In-band (union-based, error-based), blind (boolean, time-based), out-of-band SQLi. sqlmap mechanics. Stored procedures as injection vectors. Mitigation: parameterized queries, WAFs, input sanitization. The exam asks you to identify SQLi from code snippets and pick the correct mitigation.
### Wireless, Mobile, and IoT/OT Hacking
Modules 17–19. Wireless: WEP weaknesses, WPA/WPA2 4-way handshake capture, WPA3 Dragonblood vulnerabilities, evil twin attacks. Mobile: Android APK decompilation, iOS jailbreak security implications, mobile malware delivery. IoT/OT: Shodan for device discovery, Modbus/DNP3 protocol weaknesses, firmware extraction. This cluster has expanded substantially in v13, and the OT content in particular catches candidates who skimmed it.
### Cloud Computing and Cryptography
Modules 18 and 20. Cloud: shared responsibility model, S3 bucket misconfigurations, IAM privilege escalation, container escape from Docker/Kubernetes, cloud-native logging blind spots. Cryptography: symmetric vs. asymmetric, PKI, digital signatures, hashing algorithms, steganography. Crypto questions test concept, not math — you won't be factoring primes.
## The Real Traps
Tool-name memorization without context. CEH questions don't ask "which tool does X." They give you a scenario and ask which tool fits and why. Knowing that Metasploit exists does nothing if you can't reason about when you'd use a specific module type.
Port numbers as trivia. You need to know critical port numbers (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389) but the exam tests them in context — "traffic to port 445 from an external IP is blocked, attacker pivots to port X using Y protocol." Pattern recognition, not a number lookup.
Ignoring the legal and ethical framing. Several questions per form test authorization boundaries, rules of engagement, and what constitutes legal vs. illegal hacking. These feel obvious but are written to be tricky.
## The Cost/Value Question
CEH runs $950–$1,199 before add-ons. That's real money. The honest read: the cert carries weight in government contracting, compliance-heavy environments, and DoD 8570/8140 roles (it maps to IAT Level II and IAM Level II). If you're targeting enterprise security roles, managed security providers, or federal work, it's a recognized checkbox. If you're targeting red team or bug bounty work, OSCP still dominates that conversation.
The CEH Practical changes the calculus somewhat. Passing both the knowledge exam and the Practical signals actual hands-on capability, not just multiple-choice test-taking. Employers in 2026 are increasingly asking for both.
Full domain breakdown, exam registration links, and prep resource recommendations are on ExamCert.
## What a Solid Study Plan Looks Like
Six to eight weeks is realistic if you have a security foundation. Weeks 1–2: modules 2–7 (recon through system hacking). Weeks 3–4: modules 8–13 (malware through evasion). Weeks 5–6: modules 14–20 (web through cloud/crypto). Week 7: full practice exams, identify weak domains. Week 8: targeted review on gaps plus hands-on labs if you're pursuing the Practical.
The official EC-Council courseware is expensive and not necessary. Matt Walker's CEH guide and iCollege labs are the community-standard cheaper path. Run practice questions at volume — the exam's question style is specific and you need reps.
Domain coverage, scoring details, and a full breakdown of prep options are at ExamCert's EC-Council exam page.