CISSP (Certified Information Systems Security Professional) is the right certification if you have 5 years of paid security experience and your career target is security management, architecture, or leadership — it is the credential that proves you can run an organization’s entire security program and consistently earns $140,000 to $180,000 in the US. CEH v13 (Certified Ethical Hacker) is the right certification if your career target is penetration testing, ethical hacking, or offensive security — it requires only 2 years of experience or official EC-Council training, validates attacker-methodology knowledge across 20 modules, and earns $95,000 to $130,000 in the US. The critical fact: CISSP is not better than CEH and CEH is not a stepping stone to CISSP. They certify completely different professional functions at different career stages.
Quick Comparison Table
| Factor | CISSP | CEH v13 |
| Issuing body | ISC2 | EC-Council |
| Current version | CISSP (no version number, continuously updated) | CEH v13 |
| Exam cost | $749 USD | $950 USD (exam only) |
| Mandatory training cost | None | $850-$2,500 (if using experience pathway waiver) |
| Total typical cost | $749 | $1,800-$3,500+ |
| Exam questions | 125-175 (CAT adaptive) | 125 (fixed linear) |
| Exam duration | 3 hours | 4 hours |
| Passing score | 700 / 1000 | 60-85% (varies by exam form) |
| Experience required | 5 years (2+ domains), 4 with degree/qualifying cert | 2 years info security experience OR official EC-Council training |
| Maintenance | $125/year, 120 CPE/3 years | Annual renewal fee, 120 CPE/3 years |
| DoD 8570 compliance | IAT Level III, IASAE I/II, ISSEP, ISSM | CEH: CSSP Inspector/Incident Handler/Auditor |
| Avg US salary | $140,000-$180,000 | $95,000-$130,000 |
| Career direction | Security management, architecture, CISO | Penetration testing, ethical hacking, red team |
| Job posting frequency | 3.6-5.7x more than CEH | High in offensive security and gov contracting |
The Core Difference: Defense vs Offense, Management vs Technical
This is the most important framing for this comparison, and it is the one most articles get wrong. CISSP and CEH are not ranked versions of the same credential. They certify professionals who do fundamentally different jobs.
CISSP asks: How would you protect an organization? CISSP holders design security programs, manage risk across the enterprise, make architectural decisions that align security with business objectives, and translate technical security requirements into board-level strategy. The CISSP exam tests whether your instincts, when confronted with complex business scenarios, align with the decisions an experienced senior security leader would make. Questions rarely have one obviously correct technical answer. They test whether you understand organizational risk, business impact, and security governance at a strategic level.
CEH v13 asks: How would you attack a system? CEH holders understand attack methodologies, exploitation techniques, and hacking tools from the attacker’s perspective. They conduct penetration tests, vulnerability assessments, and red team engagements. CEH v13 specifically tests knowledge of 20 attack modules covering everything from footprinting and reconnaissance through cloud computing vulnerabilities, IoT security, and AI-powered attack techniques. Questions test whether you know the tools, techniques, and methodologies an attacker uses.
| Career dimension | CISSP | CEH v13 |
| Primary question | How do I protect this organization? | How would an attacker compromise this system? |
| Career trajectory | Generalist security leadership path | Technical specialist offensive security path |
| Typical roles | Security Manager, CISO, Security Architect, Director | Penetration Tester, Red Team Operator, Vulnerability Analyst |
| Organizational level | Strategic and managerial | Technical and operational |
| Daily work | Risk management, policy, governance, team leadership | Testing, exploitation, vulnerability discovery, reporting |
| Eventually leads to | CISO, VP of Security, Security Partner | Senior Red Team, Principal Pen Tester, Security Consultant |
CISSP: The Eight Domains in Depth
CISSP covers eight domains of the Common Body of Knowledge (CBK). The exam tests breadth across all eight, and each domain directly maps to a core function of enterprise security leadership.
| Domain | Weight | What it covers |
| 1. Security and Risk Management | 16% | Laws, regulations, risk frameworks, business continuity, ethics |
| 2. Asset Security | 10% | Data classification, asset ownership, data lifecycle, privacy |
| 3. Security Architecture and Engineering | 13% | Secure design principles, cryptography, physical security, SDLC |
| 4. Communication and Network Security | 13% | Network protocols, segmentation, VPN, wireless, transmission security |
| 5. Identity and Access Management (IAM) | 13% | Authentication, authorization, access provisioning, federation |
| 6. Security Assessment and Testing | 12% | Audit planning, vulnerability assessment, penetration testing concepts, compliance |
| 7. Security Operations | 13% | Incident management, forensics, DR/BCP, monitoring, patch management |
| 8. Software Development Security | 10% | Secure SDLC, DevSecOps, code review, application security controls |
Security and Risk Management at 16% is the heaviest domain and reflects what makes CISSP unique: it does not test configuration skills. It tests whether you think like a security leader who understands how risk, law, business continuity, and ethics interact. Candidates who approach CISSP as a technical exam consistently underperform on this domain.
The CISSP exam format: Computerized Adaptive Testing (CAT)
CISSP uses CAT for the English version, which means the exam adapts in real time based on your responses. The number of questions ranges from 125 to 175 depending on how quickly the algorithm reaches statistical confidence in your ability level. Most candidates report between 125 and 150 questions. The exam ends when the algorithm is confident in a pass or fail determination — not when you have answered a fixed number of questions.
The CAT format has a practical implication: you cannot guess your way through. The algorithm is specifically designed to converge on your true ability level by adjusting question difficulty dynamically. Candidates with surface knowledge who guess on hard questions will see the exam continue longer and probe deeper until their actual level is revealed.
The CISSP mindset requirement
The single most cited reason for CISSP exam failure is applying the wrong mindset. CISSP questions almost always offer two or three technically correct answers. The exam asks you to select the best answer from the perspective of a senior security manager considering risk, business impact, organizational culture, and strategic alignment simultaneously.
A question might describe a vulnerability in a production system and offer choices including:
- Patch it immediately
- Implement a compensating control temporarily while scheduling maintenance
- Report to management and let them decide
- Accept the risk if business impact is low
The correct answer depends on context. CISSP tests whether you understand which contextual factors — severity, business criticality, available maintenance windows, risk tolerance — determine the right course of action. The most secure technical option is not always the right organizational decision.
CEH v13: All Twenty Modules
CEH v13 is EC-Council’s most comprehensive update to the Certified Ethical Hacker certification. Version 13, current as of 2026, integrates AI-powered attack and defense techniques throughout all 20 modules — the first version of CEH to formally incorporate generative AI, AI-driven reconnaissance, and AI-assisted exploitation content.
| Module | What it covers |
| 1. Introduction to Ethical Hacking | Hacking methodology, footprinting concepts, attacker mindset |
| 2. Footprinting and Reconnaissance | OSINT, Google hacking, social media footprinting, web scraping |
| 3. Scanning Networks | TCP scanning, port scanning, banner grabbing, vulnerability scanning |
| 4. Enumeration | NetBIOS, SNMP, LDAP, NFS, DNS, SMTP enumeration techniques |
| 5. Vulnerability Analysis | Vulnerability scoring (CVSS), vulnerability scanning tools (Nessus, OpenVAS) |
| 6. System Hacking | Password cracking, privilege escalation, maintaining access, covering tracks |
| 7. Malware Threats | Trojan types, viruses, worms, ransomware, fileless malware, APT techniques |
| 8. Sniffing | Packet sniffing, ARP poisoning, MAC flooding, DHCP attacks, defensive countermeasures |
| 9. Social Engineering | Phishing, vishing, smishing, impersonation, insider threats |
| 10. Denial of Service | DoS/DDoS attack types, botnets, detection and mitigation |
| 11. Session Hijacking | TCP/IP session hijacking, application-level hijacking, countermeasures |
| 12. Evading IDS, Firewalls, and Honeypots | Intrusion detection evasion, firewall rule bypass techniques |
| 13. Hacking Web Servers | Web server attack methodologies, banner grabbing, HTTP response splitting |
| 14. Hacking Web Applications | OWASP Top 10, SQL injection, XSS, CSRF, API security testing |
| 15. SQL Injection | Blind SQL injection, error-based, UNION-based, time-based techniques |
| 16. Hacking Wireless Networks | WEP/WPA/WPA2/WPA3 attacks, evil twin, Bluetooth attacks |
| 17. Hacking Mobile Platforms | Android and iOS attack surfaces, mobile malware, MDM bypass |
| 18. IoT and OT Hacking | IoT attack surface, OT/SCADA attacks, ICS security |
| 19. Cloud Computing | Cloud attack models, S3 bucket misconfigurations, cloud IAM abuse |
| 20. Cryptography | Encryption algorithms, PKI attacks, cryptanalysis techniques |
CEH v13 AI integration — what changed:
The most significant v13 update is the formal integration of AI across modules. Specific new AI content includes:
- ShellGPT and AI-powered command generation for automation of attack workflows
- FraudGPT and WormGPT: understanding AI-generated malware and AI-assisted phishing
- AI-driven OSINT and social media scraping for enhanced reconnaissance
- AI-powered vulnerability scanning and exploitation assistance
- Defensive AI: using machine learning for anomaly detection and behavioral analysis
This AI content makes CEH v13 the most current ethical hacking certification in terms of representing real 2026 threat actor techniques.
The CEH exam format:
The knowledge exam is 125 multiple-choice questions over 4 hours. Unlike CISSP’s CAT format, CEH is fixed-linear — you get 125 questions regardless of performance. The passing score varies by exam form (60-85%) and is not disclosed in advance. CEH also offers a separate practical exam (6-hour hands-on lab) for candidates who want to demonstrate hands-on hacking skills beyond the knowledge test. The practical is optional but increasingly valued by technical employers.
Experience Requirements: A Decisive Difference
The experience requirements for CISSP and CEH differ fundamentally and often determine which credential is currently achievable.
| Requirement | CISSP | CEH v13 |
| Years of experience | 5 years cumulative, paid, full-time | 2 years in information security |
| Domains required | Must span at least 2 of 8 CISSP domains | No domain specificity required |
| Alternative to experience | Official EC-Council training (no experience waiver) | EC-Council official training (replaces experience requirement entirely) |
| Experience waiver (degree) | 4-year degree reduces requirement to 4 years | N/A |
| Endorsement required | Yes — ISC2-certified professional must endorse you after passing | No |
| No experience path | Associate of ISC2 (pass first, 6 years to earn experience) | Complete official EC-Council training instead |
| Experience window | Must fall within past 10 years | No specified window |
The CISSP endorsement requirement is often overlooked and is genuinely important. After passing the CISSP exam, you must be endorsed by an ISC2 member who can vouch for your professional experience. If you do not know any ISC2 members, ISC2 itself will review your application — but this adds time and documentation requirements to the process.
The April 2026 CISSP waiver change:
As of April 1, 2026, ISC2 significantly reduced the list of certifications that can waive one year of CISSP experience. CEH was removed from the waiver list effective April 1, 2026. This is a critical fact for candidates who were planning to use CEH as a CISSP experience waiver — that path no longer exists for applications submitted on or after April 1, 2026. See our CISSP Experience Waiver 2026 guide for the complete updated list of qualifying certifications.
DoD 8570 / 8140 Compliance: Where Each Cert Qualifies
For candidates pursuing US government, military, or defense contractor roles, DoD compliance alignment is a concrete career requirement, not just a nice-to-have.
| DoD 8570 Category | CISSP | CEH v13 |
| IAT Level III | Yes | No |
| IASAE I | Yes | No |
| IASAE II | Yes | No |
| ISSEP | Yes | No |
| ISSM | Yes | No |
| CSSP Inspector | No | Yes |
| CSSP Incident Handler | No | Yes |
| CSSP Auditor | No | Yes |
CISSP is one of the most broadly DoD-recognized certifications for information assurance management roles. CEH is specifically mapped to CSSP (Cyber Security Service Provider) categories, making it valuable for contractor roles focused on security assessment and incident handling.
For the majority of DoD IAM (Information Assurance Manager) and IASAE (Information Assurance System Architecture and Engineering) roles, CISSP is the required or strongly preferred credential. CEH fills specific CSSP provider categories that CISSP does not cover.
Career Path: Where Each Certification Leads
| Stage | CEH v13 path | CISSP path |
| Certification earned | Certified Ethical Hacker v13 | Certified Information Systems Security Professional |
| Entry roles opened | Junior Penetration Tester, Vulnerability Analyst, Security Analyst | Security Manager, Security Architect, Information Security Officer |
| After 3-5 years | Senior Penetration Tester, Red Team Lead, Security Consultant | Director of Security, VP of Information Security, Deputy CISO |
| Senior destination | Principal Red Team Operator, Security Research Lead, OSCP+/GPEN holder | CISO, Chief Security Officer, Security VP |
| Common additional certs | OSCP (for hands-on credibility), GPEN, GWAPT | CISM, CISSP concentration (ISSAP, ISSEP, ISSMP) |
The CEH and CISSP paths eventually converge for the most senior security professionals, many of whom hold both. Security architects who have CISSP benefit from having the attacker perspective that CEH provides. Penetration testers who grow into security management roles often pursue CISSP as they take on leadership responsibility.
Total Cost: What You Will Actually Spend
The cost difference between CISSP and CEH is frequently understated in comparison articles.
| Cost component | CISSP | CEH v13 |
| Exam fee | $749 | $950 |
| Mandatory training | Not required | Required unless you have 2 years experience |
| Official EC-Council training cost | N/A | $850-$2,500 (authorized partner) |
| Retake fee | $699 (same as first attempt minus admin fee) | $100 (exam only) or full training if using training pathway |
| Annual maintenance | $125/year | Varies (check EC-Council) |
| Total first-year cost estimate | $749-$1,200 (with study materials) | $1,800-$4,700 (exam + training + materials) |
| ISC2 membership (optional) | $50 application fee | N/A |
CEH is more expensive to earn than CISSP when training costs are included. EC-Council requires either 2 years of documented security experience or completion of an official EC-Council training program before you can sit the exam. That training ranges from $850 through self-study vouchers to $2,500 or more at authorized training partners.
Salary: The Honest Data
| Certification | Typical US role | Salary range | Source |
| CEH v13 | Security Analyst | $70,000-$90,000 | Entry roles |
| CEH v13 | Penetration Tester | $95,000-$130,000 | Mid-career |
| CEH v13 | Senior Pen Tester | $120,000-$155,000 | 5+ years experience |
| CISSP | Security Manager | $110,000-$145,000 | Management entry |
| CISSP | Security Architect | $130,000-$170,000 | Design-focused roles |
| CISSP | CISO (mid-size org) | $150,000-$200,000 | Executive role |
| Both CISSP + CEH | Security Consultant | $140,000-$190,000 | Consulting premium |
The salary advantage of CISSP over CEH reflects the career stage each credential validates, not that CISSP is inherently more valuable. CISSP holders are senior professionals managing organizational security programs. CEH holders may be early in their career. A senior principal penetration tester with OSCP, CEH, and 10 years of real exploit experience can out-earn a junior security manager who just passed CISSP. Experience always compounds certification value.
Which Should You Take First: A Decision Framework
This is the question the title promises to answer, and the answer is straightforward once you know what each cert is for.
| Your situation | Right first cert |
| Less than 3 years security experience | CEH v13 — CISSP requires 5 years |
| Target role: penetration testing or red team | CEH v13 regardless of experience |
| Target role: security management or architecture | CISSP if you have 5 years; CEH while building experience |
| Currently a network/sysadmin moving into security | CEH v13 — offensive understanding is valuable before management |
| Already passed CISSP, want offensive credibility | CEH v13 as a supplementary credential |
| Already hold CEH, have 5 years total security experience | CISSP is a natural next step toward leadership |
| Government/DoD role requiring IAT Level III | CISSP — CEH does not satisfy this requirement |
| Want to combine both eventually | CEH first while building experience, CISSP when eligible |
The community consensus from security professionals in 2026: CEH first if you do not yet have 5 years of security experience, want to validate offensive techniques, or are targeting penetration testing roles. CISSP when you have the experience, want to move into leadership, and are ready to demonstrate broad security management judgment.
FAQs
What is the difference between CISSP and CEH v13?
CISSP validates strategic security leadership: risk management, security architecture, governance, and the ability to manage an organization’s entire security program. CEH v13 validates offensive security knowledge: penetration testing methodology, ethical hacking techniques, and attacker mindset across 20 attack modules. CISSP is for security managers and architects. CEH is for penetration testers and ethical hackers.
Which is harder, CISSP or CEH v13?
CISSP is generally considered harder for most candidates. It covers 8 domains using adaptive testing that probes until it finds your actual ability level, requires 5 years of verified experience, and demands managerial thinking where multiple technical answers can be correct. CEH v13 is challenging due to breadth across 20 modules, but the linear format and technical focus make it more approachable for candidates with hands-on security experience.
Can I use CEH to waive a year of CISSP experience?
Not for applications submitted on or after April 1, 2026. CEH was removed from the CISSP experience waiver list on that date. Previously it qualified for a 1-year reduction. For the current list of qualifying credentials, see our CISSP Experience Waiver 2026 guide.
How much does CEH v13 cost in 2026?
The CEH exam itself costs $950. However, EC-Council requires either 2 years of documented information security experience or completion of an official EC-Council training program, which costs $850 to $2,500 at authorized training partners. Total first-year cost for most candidates is $1,800 to $4,700.
How much does CISSP cost in 2026?
The CISSP exam fee is $749. Annual maintenance after certification is $125. Retakes are $699. No mandatory training is required, so total first-year cost is typically $749 to $1,200 including study materials.
What is the CEH v13 AI content?
CEH v13 was the first ethical hacking certification to formally integrate AI. New AI-specific content includes ShellGPT for AI-assisted command generation, FraudGPT and WormGPT for understanding AI-generated malware, AI-powered OSINT and reconnaissance techniques, and defensive AI using machine learning for anomaly detection. This makes CEH v13 significantly more current than v12 for 2026 threat actor techniques.
Does CISSP satisfy DoD 8570 requirements?
Yes. CISSP satisfies DoD 8570 IAT Level III, IASAE I, IASAE II, ISSEP, and ISSM categories, making it one of the most broadly recognized DoD certifications for information assurance management and architecture roles. CEH satisfies CSSP Inspector, CSSP Incident Handler, and CSSP Auditor categories.
What jobs does CEH v13 qualify you for?
Penetration Tester, Vulnerability Analyst, Red Team Operator, Security Assessment Consultant, Ethical Hacker, Cyber Defense Analyst (DoD CSSP roles), and Information Security Specialist with offensive focus. CEH is listed in significantly fewer job postings than CISSP overall, but is highly relevant in the specific offensive security and government contracting niches.
What is the CISSP Associate of ISC2 path?
Candidates who pass the CISSP exam but do not yet have 5 years of qualifying experience become Associates of ISC2. They have 6 years to accumulate the experience needed for full CISSP certification. Passing the exam first and building experience afterward is a valid path that allows candidates to demonstrate exam-level knowledge before meeting the experience requirement.
Should I get both CISSP and CEH?
Many senior security professionals hold both — CISSP for leadership credibility and broad recognition, CEH for validated offensive technique knowledge. The typical sequence is CEH during early career while building experience toward CISSP, then CISSP once the 5-year experience threshold is met. The combination signals both technical depth and strategic leadership capability.