
CEH vs OSCP: Which Certification First?

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete skills and certifications series.


By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 11 min read

The Core Difference Between CEH and OSCP

The CEH vs OSCP debate comes down to one fundamental split: knowledge-based testing versus performance-based testing. CEH measures what you know about ethical hacking. OSCP measures whether you can actually do it.

Both certifications cover offensive security — the practice of testing systems by simulating attacker techniques. But they approach validation from opposite directions. CEH uses multiple-choice questions that test your understanding of tools, methodologies, and attack categories. OSCP puts you in a live network environment and requires you to compromise multiple machines within a time limit.

This distinction shapes everything: preparation methods, difficulty level, time investment, employer perception, and career trajectory. Understanding which certification aligns with your current skill level and career goals will save you months of misdirected effort.

For context on how these offensive certifications fit alongside defensive ones, see the full cybersecurity skills guide.

CEH Overview: Certified Ethical Hacker

EC-Council launched CEH in 2003, making it one of the oldest ethical hacking certifications. The current version, CEH v13 (released 2024), covers AI-driven attack techniques and updated methodologies.

What CEH covers:

  • Footprinting and reconnaissance
  • Network scanning and enumeration
  • Vulnerability analysis
  • System hacking methodology
  • Malware analysis
  • Sniffing and social engineering
  • Denial of service attacks
  • Session hijacking
  • Web server and web application hacking
  • SQL injection
  • Wireless and mobile hacking
  • IoT and OT hacking
  • Cloud computing security
  • Cryptography

CEH teaches the ethical hacking methodology from start to finish. You learn the five phases: reconnaissance, scanning, gaining access, maintaining access, and covering tracks. The certification provides a structured framework for thinking about offensive security.

Eligibility: You must either attend an official EC-Council training course or demonstrate two years of information security work experience and pay a $100 non-refundable application fee.

CEH satisfies DoD Directive 8570/8140 requirements for certain military and government positions, making it valuable for defense contractors and federal employees.

OSCP Overview: Offensive Security Certified Professional

Offensive Security (now OffSec) introduced OSCP as the certification attached to its PEN-200 (Penetration Testing with Kali Linux) course. The certification has earned a reputation as the gold standard for hands-on penetration testing validation.

What OSCP covers:

  • Information gathering and enumeration
  • Vulnerability scanning
  • Web application attacks
  • Client-side attacks
  • Buffer overflow exploitation
  • Privilege escalation (Windows and Linux)
  • Port redirection and tunneling
  • Active Directory attacks
  • Password attacks
  • Antivirus evasion basics
  • Post-exploitation techniques
  • Report writing

OSCP’s PEN-200 course includes extensive lab access where you practice against dozens of intentionally vulnerable machines. The course material teaches methodology, but the labs are where learning actually happens. You will spend most of your preparation time in the labs, not watching videos or reading slides.

Eligibility: There are no formal prerequisites. Offensive Security recommends familiarity with Linux, networking, and basic scripting. In practice, you need a solid foundation before enrolling — the course moves fast and assumes baseline technical ability.

Exam Format Comparison

This is where the certifications diverge most sharply.

CEH Exam:

  • 125 multiple-choice questions
  • 4-hour time limit
  • Passing score varies by exam form: EC-Council sets the cut score per question bank, anywhere from 60% to 85%
  • Proctored at Pearson VUE testing centers or online
  • Questions test knowledge of tools, attacks, and methodologies
  • Practical exam option (CEH Practical) available separately

OSCP Exam:

  • 23 hours and 45 minutes to compromise machines in a live environment
  • Plus 24 additional hours to write and submit a professional penetration test report
  • Three standalone machines worth 20 points each (60 points total): 10 points for the low-privilege foothold (local.txt) and 10 for full compromise (proof.txt)
  • One Active Directory set worth 40 points
  • Passing score: 70 out of 100 points
  • You must submit proof of exploitation (flag contents plus screenshots showing how you obtained them)
  • The exam is proctored for its full duration via webcam and screen sharing
  • The report is a requirement — failing to submit a proper report means failing the exam

The OSCP exam is a practical test. You receive VPN access to an isolated network containing target machines. You must enumerate, exploit, and escalate privileges on each target, documenting every step for your report.

Difficulty and Preparation Time

CEH difficulty: Moderate. The exam tests breadth of knowledge across many topics. The challenge is memorizing tool names, output formats, and attack classifications. Someone with a solid IT background and two to three months of study can pass.

OSCP difficulty: High. The exam tests depth of skill under time pressure. Many experienced security professionals fail on their first attempt. The challenge is not knowing the theory — it is executing attacks against unfamiliar systems while managing time and stress.

Typical preparation timelines:

Factor                   CEH                      OSCP
Study time               2-3 months               3-6 months
Daily commitment         1-2 hours                2-4 hours
Lab hours needed         20-40 hours              200-400+ hours
First-attempt pass rate  ~60-70% (estimated)      ~40-50% (estimated)
Background needed        IT fundamentals          Networking + Linux + scripting

The OSCP lab time estimate is not exaggerated. Successful candidates typically spend 200 or more hours in the labs before scheduling their exam. The labs contain machines of varying difficulty, and working through them builds the methodology and persistence needed for exam day.

Skills You Actually Learn

After CEH, you can:

  • Explain the ethical hacking methodology and its five phases
  • Identify attack types from descriptions or scenarios
  • Name appropriate tools for each phase of a penetration test
  • Understand defense strategies from an attacker’s perspective
  • Discuss common vulnerabilities and how they are exploited

After OSCP, you can:

  • Enumerate services and identify vulnerabilities on live systems
  • Exploit web applications, network services, and operating systems
  • Escalate privileges on Windows and Linux machines
  • Pivot through networks and attack Active Directory environments
  • Write professional penetration test reports
  • Work through unfamiliar problems methodically under pressure

The gap between these skill sets is significant. CEH provides the vocabulary and framework. OSCP provides the execution ability. Employers who understand the difference weight them accordingly.

Career Impact and Employer Perception

CEH opens doors for:

  • Government and military cybersecurity roles (DoD 8570 compliance)
  • Security analyst positions at large organizations
  • Compliance-driven environments where certification checkboxes matter
  • Job postings that list “CEH or equivalent” as a requirement

OSCP opens doors for:

  • Penetration testing firms and red team positions
  • Senior security roles at security-focused companies
  • Consulting engagements where demonstrated skill matters
  • Organizations that value practical ability over certification names

In job postings, CEH appears more frequently because HR departments recognize the name and it satisfies compliance requirements. In hiring decisions — especially at security firms — OSCP carries more weight because hiring managers know what passing it proves.

Many penetration testing firms list OSCP as a hard requirement. Some will not interview candidates without it. This is less about credentialism and more about confidence that OSCP holders can perform the work from day one.

For a broader look at which technical skills drive hiring decisions, see top cybersecurity skills employers want.

Cost Comparison

CEH costs:

  • Official training course: $2,199-$3,499 (depending on format)
  • Exam voucher (without training): $1,199 + $100 application fee
  • Study materials: $50-$200 for third-party books and practice tests
  • Total range: $1,349-$3,699

OSCP costs:

  • PEN-200 course + 90 days lab access: $1,749
  • PEN-200 course + 365 days lab access: $2,499
  • Exam retake: $249
  • Total range: $1,749-$2,748 (including one retake)

OSCP is often less expensive overall because the course, labs, and one exam attempt are bundled together. CEH’s official training is expensive, though self-study with just the exam voucher is possible for those with experience.

Which Should You Take First?

Choose CEH first if:

  • You are new to offensive security and want a structured introduction
  • You need a DoD 8570-approved certification for a government role
  • Your employer is paying for the training and it satisfies a job requirement
  • You want to build foundational knowledge before attempting OSCP
  • Your target role is security analyst rather than penetration tester

Choose OSCP first if:

  • You already have IT experience and basic penetration testing skills
  • Your goal is a dedicated penetration testing or red team career
  • You are comfortable with Linux command-line operations
  • You can dedicate 3-6 months of intensive study with significant lab time
  • You want the certification that carries the most weight among security practitioners

The common path: Many professionals earn CEH first, gain one to two years of experience, then pursue OSCP. This path makes sense because CEH builds the theoretical foundation, work experience provides context, and OSCP validates the practical skills developed along the way.

If you already hold CompTIA Security+, you have a solid base for either certification. Security+ covers, from a defensive angle, many of the same concepts that CEH tests from an attacker's perspective.

Can You Skip CEH and Go Straight to OSCP?

Yes, but with conditions. If you have:

  • Strong Linux command-line skills
  • Working knowledge of TCP/IP networking
  • Basic scripting ability (Python or Bash)
  • Familiarity with web application architecture
  • Experience using tools like Nmap, Burp Suite, or Metasploit

Then you can attempt OSCP without CEH. Many successful OSCP holders never earned CEH. The certifications are independent — OSCP does not require or assume CEH knowledge.

However, if you lack the prerequisites above, CEH’s structured curriculum provides a useful learning path. The risk of jumping straight to OSCP without preparation is burning through your lab time while still learning basics.

A middle path: study CEH material (books and videos) without taking the exam, then use that foundation to prepare for OSCP. You get the educational benefit without the cost of a certification you may not need.

Preparing for Each Certification

CEH preparation strategy:
1. Read a CEH study guide cover to cover (Matt Walker’s guide is widely recommended)
2. Take notes on tool names, attack types, and methodology phases
3. Complete 500+ practice questions from multiple sources
4. Review the EC-Council exam blueprint for topic weights
5. Focus extra time on your weakest domains

OSCP preparation strategy:
1. Before enrolling: complete introductory CTF platforms (TryHackMe, Hack The Box)
2. Build foundational skills: Linux administration, Python/Bash scripting, web applications
3. Enroll in PEN-200 and work through all course material
4. Spend the majority of your time in the labs — aim for 30+ machines
5. Practice Active Directory attack chains (this is 40% of the exam)
6. Write practice reports for every machine you compromise
7. Take the exam only when you can consistently root medium-difficulty boxes

Use our certificate roadmap tool to see how CEH and OSCP fit into your broader career trajectory, including what to pursue after either certification.

Take the Next Step

Plan your certification path — Use our Certificate Roadmap to determine whether CEH, OSCP, or both belong in your career plan.
Identify skill gaps — Take a skills assessment to see where you stand before committing to a certification track.

Frequently Asked Questions

Is CEH worth it in 2026?

CEH remains worth it for specific situations: DoD 8570 compliance, employer-required certifications, and structured learning for offensive security beginners. If none of these apply and your goal is a penetration testing career, OSCP provides better return on investment. If you need a checkbox certification for a government role, CEH fills that requirement effectively.

How many times do people fail OSCP before passing?

First-attempt pass rates are estimated around 40-50%. Many successful penetration testers passed on their second or third attempt. Failing OSCP is not a negative signal — it means you challenged yourself with a difficult exam. Each attempt costs $249 for a retake, and the additional lab time between attempts typically makes the difference.

Can I get a penetration testing job with only CEH?

CEH alone can qualify you for junior security roles that include some penetration testing responsibilities, particularly in government and large enterprise environments. Dedicated penetration testing firms almost universally require OSCP or equivalent practical certifications. CEH plus strong lab experience (documented through platforms like Hack The Box) can compensate for the lack of OSCP in some cases.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
