CEH v13 prep, ethical hacker roadmap with ARIA
EC-Council CEH v13 is a 240-minute knowledge exam, 125 multiple-choice questions, 70 percent baseline passing (the cut score varies 60 to 85 by exam form), and an intermediate-level credential covering five domains of offensive security knowledge. The knowledge exam is not the lab; CEH Practical is a separate six-hour hands-on test. v13 added AI integration topics across the blueprint. I prep you for the knowledge exam with an adaptive evaluation, a roadmap weighted toward Tools and Systems plus Security, a daily task engine, and a pass guarantee tied to five measurable conditions. Start at claudelab.me/onboarding/select-cert?code=CEH.
TL;DR
- 240 minutes, 125 questions, 70 percent baseline passing (cut score varies 60 to 85 by form), intermediate level, no live lab on the knowledge exam.
- Five domains: Background 10, Analysis and Assessment 13, Security 25, Tools and Systems 32, Procedures and Methodology 20. Tools and Security carry 57 percent of the exam.
- v13 added AI-augmented attack and defense topics (prompt injection, deepfake recon, model poisoning) layered into the existing blueprint.
- I open with a CAT evaluation that lands a domain-by-domain skill estimate, then build a roadmap front-loaded on Tools and Systems and Security.
- Pass-guarantee eligibility is checked by a database function with five mechanical conditions, not a marketing line.
What the CEH v13 exam is
CEH v13 is the current version of EC-Council's Certified Ethical Hacker, released in 2024 and still active in 2026. It tests knowledge of offensive security tools, methodology, and the underlying security concepts an ethical hacker applies during a sanctioned engagement. The format: 125 multiple-choice questions in 240 minutes, baseline passing 70 percent (the cut score varies 60 to 85 percent by form). No lab on this exam.
| Domain | Weight | What it covers |
|---|---|---|
| Background | 10% | Networking (OSI, TCP/IP, protocols), system fundamentals, web technologies, cryptography primitives, the legal frame. |
| Analysis and Assessment | 13% | Assessment methods, risk and vulnerability assessment, threat modeling, black/white/grey box differences. |
| Security | 25% | Defense in depth, IDS/IPS and firewall behavior, incident management, network segmentation, IAM, cryptography in practice, AI-assisted defense. |
| Tools and Systems | 32% | Reconnaissance, scanning, enumeration, exploitation, post-exploitation, malware, sniffing, social engineering, DoS, session hijacking, web and wireless attack tools, mobile and IoT attack surfaces, AI-augmented offensive tooling. |
| Procedures and Methodology | 20% | The five-phase methodology end to end, scoping, rules of engagement, documentation, reporting, evidence handling, the legal authorization chain. |
Tools and Systems plus Security carry 57 percent of the exam. A roadmap that splits time evenly across all five wastes the prep window.
CEH knowledge exam vs CEH Practical
The CEH credential is awarded for the knowledge exam alone. CEH Practical is a separate six-hour hands-on lab where you exploit live targets in iLabs, and earns the CEH (Practical) designation. Passing both adds the CEH Master title. Most job listings and DoD 8570 entries reference CEH, not CEH Master. This page covers prep for the knowledge exam.
The five-phase ethical hacking methodology
The exam writes scenario stems where the right answer depends on which phase the engagement is in.
- Reconnaissance. Passive and active information gathering. OSINT, WHOIS, DNS enumeration.
- Scanning. Network and port scanning, service enumeration, vulnerability scanning.
- Gaining Access. Exploitation. The actual compromise of a system, credential, or session.
- Maintaining Access. Persistence. Backdoors, scheduled tasks, web shells, rootkits.
- Covering Tracks. Log clearing, timestomping, anti-forensics. On a sanctioned engagement this phase is documented, not executed.
Where CEH sits next to OSCP and PenTest+
CEH is the breadth credential, multiple choice, recognized by HR filters and federal compliance frameworks. OSCP is the depth credential, twenty-four hours of live exploitation in a scoped lab network plus a written report, the gold standard for offensive security roles but a much larger time investment. PenTest+ sits between them, vendor-neutral with both multiple-choice and performance-based items. Most candidates take CEH for HR gatekeeping and DoD 8570, PenTest+ for hands-on credibility without the OSCP commitment, OSCP when they want a pentest career with weeks of lab time available.
How ARIA preps you for it
ARIA owns your CEH prep end to end.
The CAT evaluation. Your first session is a 15-to-25-question adaptive test that converges on your real skill across the five CEH domains. Difficulty adjusts after every answer. The test stops at 95 percent confidence or 25 questions, whichever comes first. Read the full CAT explainer for the mechanics.
The personalized roadmap. The moment the eval closes, I generate three to five phases sequenced from your weakest domain to your strongest, each with two to four milestones. Novice on Tools and Systems gets the most milestones; proficient on Background gets the fewest. Because Tools and Security together carry 57 percent of the exam, the roadmap front-loads them unless your CAT baseline says otherwise. Full structure: the roadmap overview.
The daily task engine. Every time you reopen the app, I pick the next thing to work on, today. One task, not a list. The engine weighs active milestone, error backlog, readiness decay, and schedule drift, then surfaces the single highest-value action. Roadmap tasks advance milestones; free-play tasks improve readiness but do not.
The error backlog with tool-syntax categorization. Every wrong answer is tagged with the tool, flag pattern, and methodology phase. The backlog gets aggressive on this cert because so many traps are syntax-shaped: an Nmap miss on -sT instead of -sS returns with the connect-vs-syn distinction explicit; a Metasploit miss on module category brings back the exploit-vs-auxiliary-vs-post-vs-payload split. Items return at 1, 3, 7, and 21 days and retire only after three correct in a row.
Scenario-based practice. Practice sessions on CEH run scenario stems: a scoped engagement, a phase, a target, and a question about the next correct action. The pattern matches the exam, which is rarely "name this tool" and usually "given this stage and this finding, which move keeps you inside scope".
The readiness score. A single 0-to-100 number estimating your probability of passing CEH today. It blends coverage, accuracy, and recency, and decays roughly 3 points per day of inactivity past the grace window. See readiness and decay. At 60 it unlocks the demo test, at 80 the gauntlet. With every milestone done, two mock passes, one gauntlet pass, and live readiness at 80, the pass guarantee flips eligible.
Common pitfalls on CEH
These are the patterns that quietly cost the most points on this exam.
Nmap scan types and timing flags
Scan-type flags are one letter apart and the exam writes stems where two sound right. -sS is the SYN half-open scan, stealthier because the handshake does not complete. -sT is the full TCP connect scan, used without raw-socket privileges, noisier because the connection completes. -sU is the UDP scan, slow and prone to false negatives. -sV is service and version detection layered on top. -sC runs the default NSE script set. Timing flags -T0 through -T5 trade speed for stealth (-T3 default, -T4 practical aggressive). Every Nmap miss tags the flag family and the backlog returns variants that swap one letter.
Metasploit module categories
Metasploit organizes everything under exploit/, auxiliary/, post/, and payload/. Exploits actively compromise a target. Auxiliaries scan, fingerprint, brute-force, or DoS without delivering a payload. Post modules run after a session is established (privilege escalation, credential dumping, pivoting). Payloads are the code delivered (single, stagers, stages, meterpreter). Credential gathering after a foothold is a post/ module, not an exploit.
SQL injection variants
UNION-based extracts data through a UNION SELECT into the original query result. Boolean-based blind asks true/false questions and reads the answer from a page diff. Time-based blind uses a sleep primitive when there is no observable response difference. Error-based abuses verbose errors to leak data. Out-of-band exfiltration uses DNS or HTTP to a controlled host. The right answer follows the feedback the application gives.
XSS types
Stored XSS lives in the database and triggers for every viewer. Reflected XSS bounces off a server-side response, usually delivered through a crafted link. DOM-based XSS executes entirely client-side, with the payload read by JavaScript from the URL or document properties without a server round-trip. Stems describe delivery; the answer follows the delivery.
Wireless attack categories
Deauthentication forces a client to disconnect using forged management frames, often as a setup for handshake capture. Evil twin stands up a rogue AP with the same SSID and waits for association. KARMA exploits clients that probe for known SSIDs by responding affirmatively. WPS Pixie recovers the WPS PIN offline from a single handshake.
Social engineering vectors
Phishing splits into spear phishing (targeted), whaling (executives), vishing (voice), smishing (SMS), and pharming (DNS or hosts-file redirection). Pretexting is the broader frame: fabricating a scenario to make the request plausible. Tailgating is physical entry behind a credentialed person. The exam asks for the named technique, not the tool.
AI-augmented attack topics added in v13
v13 layered AI topics across the blueprint. Prompt injection against LLM-backed apps. Deepfake-driven reconnaissance and social engineering, where a synthesized voice or video lifts a vishing or whaling success rate. Model poisoning and adversarial inputs, training-time or inference-time manipulation that degrades a defensive model. AI-assisted enumeration where an offensive operator uses an LLM to translate output or chain commands. The defender side: AI-assisted detection and response triage. Volume is moderate, not a separate domain, but topics show up across Analysis, Security, and Procedures.
Legal scoping and authorization
The line between an ethical hacker and a felon is the authorization paper. The exam writes stems where a finding is real but the scope did not cover it. The answer is almost always: stop, document, escalate to the authorizing party, do not proceed. Paperwork to know cold: rules of engagement (targets, techniques, hours), master service agreement (the contract), statement of work (the scope), and the signed authorization letter the tester carries on site.
Common questions
Do I need to take CEH Practical too, or is the knowledge exam enough?
The CEH credential issues from passing the knowledge exam alone. CEH Practical is a separate six-hour hands-on lab and earns the CEH (Practical) designation; passing both adds the CEH Master title. Most employers list CEH as the requirement, not CEH Master. Take Practical only if your role explicitly asks for it or you want the resume distinction.
How does ARIA cover tool syntax without a real terminal?
The CEH knowledge exam tests recognition and reasoning about tool output, not live execution. ARIA drills the syntax patterns the exam actually asks: which Nmap flag produces which scan, which Metasploit module category fits the scenario, what a given Wireshark filter returns, what the output of an enumeration tool means. Every miss tags the specific tool and flag so the backlog returns the right variant.
How long does CEH prep take at 30 to 45 minutes per day?
At 30 minutes per day, median time-to-ready sits between ten and fourteen weeks. At 45 minutes, eight to eleven weeks. The roadmap is sized from your CAT baseline, not a fixed window. A novice on Tools and Systems plus Security gets the longest plan; someone with prior pentest or Network+ time lands closer to eight weeks.
CEH vs OSCP vs PenTest+, which one fits my path?
CEH is the breadth credential, multiple choice, recognized by HR filters and DoD 8570. OSCP is the deep hands-on lab credential, twenty-four hours of live exploitation, the gold standard for offensive security roles but a much larger time investment. PenTest+ sits between them, vendor-neutral with both multiple choice and performance items. Take CEH for HR gatekeeping and federal compliance, PenTest+ for hands-on credibility without the OSCP commitment, OSCP if you want a pentest career and have weeks of lab time available.
What AI integration topics did v13 add to the CEH exam?
v13 introduced AI-augmented attack and defense topics across the existing domains. Expect questions on prompt injection against LLM-backed apps, deepfake-driven reconnaissance and social engineering, model poisoning and adversarial inputs, AI-assisted enumeration and exploitation, and the defender side: AI-assisted detection and response. The volume is moderate, not a separate domain, but the topics show up across Analysis, Security, and Procedures sections.
What are the prerequisites for CEH v13?
EC-Council requires either two years of verified information security work experience or completion of an official EC-Council training course. Self-study candidates without two years of experience must apply for an exam eligibility waiver, which involves a fee and verification of background. Most candidates either route through an authorized training provider or document their work history through the eligibility application.
Start your CEH v13 prep
The cheapest possible signal is the 15-minute CAT evaluation. It tells you which of the five CEH domains you actually own, which one will cost you the exam if you sit it tomorrow, and where the roadmap starts. After that, you decide whether to commit.
Start your free CEH v13 evaluation now.
Background reading: the AI cert prep guide covers the four categories of AI prep tools, readiness and decay explains the score that drives the experience, and Security+ is the entry-level breadth credential most candidates take before or alongside CEH.