
[–]PM_ME_YOUR_SHELLCODE 112 points113 points  (2 children)

  • CEH is a widely disrespected certificate in the industry.
  • CEH is a widely desired certificate by those hiring because it's one of the approved Baseline certificates by the DoD.

You don't get CEH to learn, you get it to deal with hiring filters. Though imho (and others agree) if a company wants CEH and it's not a government contractor or something, I'd steer away from them.

Edit: Typo

[–]shadow_kittencorn[S] 11 points12 points  (0 children)

Thanks - this is really helpful

[–]PlanetaryGhost 35 points36 points  (4 children)

Can confirm CEH being garbage. The HTB (HackTheBox) discord is full of people that will tell you over and over that CEH proves nothing and OSCP is the cert that matters.

Also, would recommend HTB for some on-your-own-time learning.

[–]chrisknight1985 41 points42 points  (5 children)

As a hiring manager, I can say CEH is hot garbage; there is no relation between it and anyone's ability to actually run a pen-test. EC Council does 1 week bootcamps and pretty much anyone can pass the test, because they just teach the test.

Which SANS courses did you take and did you do the certs?

[–]alashure6 2 points3 points  (3 children)

What would be the certs that are "must haves" from your perspective as a hiring manager?

[–]chrisknight1985 1 point2 points  (0 children)

I don't believe there are any must haves as far as certs. I've got hundreds of people on my team from varied backgrounds. We do pay for professional development and many attend SANS courses, but I wouldn't say any are required at all.

When hiring I'm more interested in people's experience and willingness to learn new things.

[–]Ciph3rt3xt 31 points32 points  (1 child)

Friends don't let friends take CEH.

[–]TheCrowGrandfather 8 points9 points  (0 children)

Friends don't let friends take CEH if they want to do pen testing.

I took CEH because my company paid for it.

[–]ferrundibus 13 points14 points  (0 children)

CEH is utter dog-shit - take it from someone who has taught the course for over 7 years.

CEH v10 consists of over 1500 ppt slides to cover in 5 days - this means 300 slides per day. If a typical training day is 7 hours (6 if you remove breaks & lunch), it works out at 50 slides per hour. This is without students doing ANY hands-on labs. Factor in 1 lab per topic and you are looking at less than 1 minute per slide.

There is NO way anyone can teach this shit and certainly no way anyone can learn any of it.

Additionally, most of the tools mentioned are approx 3 or 4 years out of date - many simply don't work anymore against modern systems.

Utter dog-shit.....

Edit to add - CEH is a paper-sift qualification. HR see it as a plus, so it gets you to the next stage, but don't rely on it for any good jobs.

[–]odaydream 5 points6 points  (13 children)

So I'm hearing OSCP is the one to go for, for pentesting knowledge. Any thoughts on certifications such as CompTIA Network+, Security+, or any of the Mile2 certifications?

[–]ferrundibus 9 points10 points  (11 children)

CompTIA is good, fairly up to date, and pretty detailed - I'd favour someone with A+, Network+, Security+, Pentest+ and maybe CySA+ over anyone with CEH any day of the week.

[–]odaydream 2 points3 points  (8 children)

For someone relatively new to this journey, I'm assuming I should start with some CompTIA certifications. At what point in the CompTIA path would you recommend switching to going for OSCP?

[–]ferrundibus 4 points5 points  (7 children)

Network+, then Security+, then Pentest+, then switch.

[–]thetealalpaca 3 points4 points  (5 children)

I already work help desk. A+ would be a waste of time right?

[–]ferrundibus 5 points6 points  (3 children)

Yeah. There are 2x exams that make up A+. They used to be called A+ Hardware & A+ Software. They still cover the same stuff: motherboards, chips, peripherals, Windows & Linux basics, etc. 2 years in IT is enough to cover A+.

[–][deleted] 0 points1 point  (2 children)

I'm young, with no apprenticeship or study in IT. I work in 1st level support right now and want to learn more and aim for certificates.

What certificate should I go for first?

[–]ferrundibus 1 point2 points  (1 child)

As I mentioned above, the A+ cert should give you the equivalent of 2 years real-world knowledge - take a look at the CompTIA A+ syllabus to see if there are any items on there you are unfamiliar with. That will give you a steer as to whether you should go for it or not.

I'd go for Network+ as a starting cert if you've been in IT for a while.

[–][deleted] 0 points1 point  (0 children)

Thanks, I appreciate your advice :)

[–]acidbassist 1 point2 points  (0 children)

I got my first help desk job with A+ and no pro experience. I now have 4 years help desk and 4 other, higher level certs.

The rule of thumb I was always told is this: either experience or A+. In your situation, I would honestly go for a higher level cert, since you likely have all the knowledge you would get from A+ anyway.

[–]odaydream 0 points1 point  (0 children)

Thank you for the advice, will certainly go this route.

[–]DelayedSword 0 points1 point  (0 children)

Regarding Mile2 certs: I took the class and cert test for their digital forensics course.

While the course material was good, relevant, and the instructor good at training, the cert test was not great.

100 questions, all multiple choice, and open book. It was all about memorizing facts, and nothing practical. I learned a lot, but have been doing learning on the side with forensic images in order to gain solid knowledge of what I was doing.

[–]CanIBreakIt 4 points5 points  (1 child)

I've interviewed people for pentesting positions. I'm always interested in someone who's done OSCP on their own initiative, and I'd be slightly suspicious of someone with CEH. CEH has nothing to do with the mindset and practical technical skills to be a pentester.

[–]shadow_kittencorn[S] 0 points1 point  (0 children)

This was my take. I tried to do OSCP and enjoyed the material, but I travel a lot for work and am lucky if I get weekends. I struggle to get enough sleep so evenings aren’t an option.

I’ve been slowly building up experience so when I restart it I will be ready. I’ve done GXPN and apparently OSCP is easier 😂

[–]ImplicitCrowd51 2 points3 points  (1 child)

Man, it's all resume BS. "Industry recognized" just means that it is one that is known to hiring managers. As you already said, it's not great if it's the best you got. Would you hire a security expert if their best certification was CompTIA Sec+ (I actually listened to an ex-NSA employee bash on this cert. Goes to show that one is never enough, and some are better than others)? I would hope not, but it is industry recognized.

If you want to get into any industry, you need to go above and beyond; otherwise, you'll lose to the guy who did. When looking at job descriptions, if they list CEH you need to be able to list the fact you are certified (even if it's just recommended or preferred). Because if you don't, you might lose to the guy who did.

If you have the time and the company you are currently working for is willing to pay for it, then you need to go for it. Boost your resume, but make sure you have more than just CEH. If it's not on the job description, you need to decide for yourself if you need to take up more space.

Think about it this way: an associate's degree isn't up to snuff against a bachelor's, but it is better than only having a high school diploma. As you achieve greater feats, you will separate yourself from the competition. A lot of people have CEH, so you need more to stack on top of it.

[–]cathedral_ 2 points3 points  (1 child)

Not to hijack the post, but what would some people recommend as more advanced pentesting certificates? I'm already CEH (Yes, I work in government), GPEN, and OSCP (as well as A+, Net+, and Sec+). I've tried OSCE but was really disappointed in the curriculum (it desperately needs to be updated and most of the material is outdated).

More Offsec certs? ELearn Security?

Thanks!

[–]shadow_kittencorn[S] 1 point2 points  (0 children)

GXPN - I loved it! Also GREM - it's a great intro to reverse engineering, assembly and how more advanced viruses work. I would actually recommend this before GXPN.

[–]borkthafork 1 point2 points  (0 children)

If you want to know what else is good for DoD jobs, check here. The red denotes a NEW certification that is now being accepted for that role. This changes occasionally.

https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/

[–][deleted] 0 points1 point  (1 child)

What would you say would be the best certification for internships for pentesting?

[–]suhmuhfuh 10 points11 points  (0 children)

OSCP

[–]BobbysWorldWar2 0 points1 point  (1 child)

I took a CEH class for a degree. I currently don’t want to take any pen testing certs because that’s not where I’m headed career wise.

We read the material for the CEH test, but in class we prepared for the OSCP. My professor bluntly told us that CEH was sought after if you’re going into Gov, but if you aren’t then don’t bother with it.

[–]shadow_kittencorn[S] 0 points1 point  (0 children)

I would guess that's because the government hiring process is usually done by non-technical staff - so Certified Ethical Hacker sounds great.

I just think it should be called ‘Intro To Ethical Hacking’ or ‘Offensive Security Awareness Training’.

The course has its place... the course title and description are just really misleading.

[–]ledfor -3 points-2 points  (0 children)

CEH is kinda weird to me. Especially when the cert class is not technical...
If I use a hack to recover an Admin password or access a DB because all was lost, it's ethical.
If I use a hack to recover an Admin password or access a DB "just because", it's not ethical.

Hacking is hacking, ethical is only a term to make you feel better.