Is OSCP harder than CEH?
Yes, significantly harder. CEH is a 4-hour multiple-choice exam that tests knowledge of hacking concepts and tool definitions. OSCP is a 24-hour live hacking exam where you must actually compromise machines and submit documented proof of exploitation. Many CEH holders struggle with OSCP because memorizing hacking theory is very different from executing attacks against live targets.
The CEH costs $950-$1,199, covers hacking concepts across 20 modules, and tests you with multiple-choice questions. The OSCP costs $1,499 for the standard 90-day package, puts you in a live lab for 24 hours, and requires you to actually hack machines and write a technical report. These are not equivalent certifications competing in the same space — they're designed for different purposes and understood differently by people who hire security practitioners.
Format difference: why it matters more than syllabus content
The fundamental difference between CEH and OSCP is not their topic coverage. Both cover reconnaissance, enumeration, exploitation, post-exploitation, and reporting. The difference is how they test mastery.
| Characteristic | CEH (EC-Council) | OSCP (OffSec) |
|---|---|---|
| Exam format | 125 multiple choice questions | 24-hour live hacking lab |
| Passing score | 70% (varies by exam version) | 70/100 points |
| Duration | 4 hours | 23h 45min hacking + 24h report |
| Retake cost | $450 for second attempt | $249 for retake |
| Prerequisites | EC-Council training or 2 years IT security | None (but PEN-200 strongly recommended) |
| Can you use a brain dump to pass? | Yes | No |
That last row is the one that matters most to experienced hiring managers. The CEH's multiple-choice format means that a candidate who memorizes 400 exam questions from a brain dump website can pass without ever running a port scan against a real target. The OSCP's format makes brain dumps structurally impossible — the lab machines change, the scenarios are dynamic, and you have to demonstrate live exploitation with documented proof.
The DoD 8570/8140 factor
DoD 8570 (now transitioning to DoD 8140) is the Department of Defense directive that specifies which certifications satisfy which job roles within the US Department of Defense and its contractors. It significantly affects a certification's value for government-adjacent security work.
The CEH appears on the DoD 8570 approved list for multiple categories:
| DoD Category | Level | CEH Accepted |
|---|---|---|
| IAT (Information Assurance Technical) | Level III | Yes |
| IAM (Information Assurance Manager) | Level II | Yes |
| IASAE (System Architecture & Engineering) | Level I and II | Yes |
| CSSP (Cyber Security Service Provider) | Analyst and Infrastructure | Yes |
ANAB accreditation: EC-Council regularly cites that the CEH is accredited by ANAB (ANSI National Accreditation Board), which validates that the certification program meets ISO/IEC 17024 competency standards. This accreditation is one reason the DoD accepts CEH for its workforce requirements, since ANAB accreditation provides independent validation that the exam measures what it claims to measure. The OSCP does not hold ANAB accreditation, which is a factor in its absence from the DoD 8570/8140 approved list.
The OSCP does not appear on the current DoD 8570/8140 approved list.
For candidates targeting federal government security roles or defense contractor positions, this creates a concrete reason to pursue CEH even if you personally find it less rigorous. A defense contractor who needs a cleared penetration tester may require CEH by contract, regardless of what either party thinks about its technical depth.
"I hold both CEH and OSCP. My CEH gets my foot in the door at federal contractors who need DoD 8570 compliance. My OSCP is what I actually show security teams when I'm interviewing for technical roles. They serve different audiences." — Jason Haddix, former Bugcrowd Director of Technical Operations
For private sector roles, the DoD 8570 factor is irrelevant. In private sector cybersecurity hiring, OSCP consistently outperforms CEH in credibility among technical hiring managers.
The boot camp criticism of CEH
EC-Council authorized training partners offer CEH boot camps that run 5 days and cost $3,000-$5,000 including the exam voucher. These boot camps are heavily criticized in the security community for:
- Teaching to the exam rather than teaching practical skills
- Covering tool names and definitions without meaningful hands-on lab time
- Having students pass certification exams without being able to use the tools they've nominally learned
- Creating an oversupply of CEH holders who can answer exam questions about Metasploit but have never run a real exploit against a target
The boot camp problem is documented in security hiring forums: junior CEH holders who cite their certification in interviews often struggle to answer follow-up questions about how they actually executed the techniques the certification covers. This has created a negative perception of CEH among technical interviewers at boutique security firms, even when the same firms require CEH for government contract compliance purposes.
The CEH covers legitimate material — its 20 modules address real attack techniques. The issue is the assessment method. You can memorize what Metasploit does without ever running it, answer 5 questions about it on the exam, and be "certified" in penetration testing tools.
OSCP's ban on Metasploit
The OSCP exam has a specific restriction: Metasploit (the comprehensive exploitation framework) may be used on only one machine during the exam; using it against the Active Directory domain set or across multiple standalone machines is prohibited.
This restriction is deliberate. OffSec designed the exam to require manual exploitation — understanding vulnerability mechanics well enough to exploit them with custom scripts or Metasploit's msfvenom payload generator without relying on Metasploit's automated exploit modules. The restriction proves that a certified candidate can execute techniques manually, not just point a framework at a target.
For employers, this distinction is significant: an OSCP holder has demonstrated the ability to understand and execute exploits without automated assistance. A CEH holder who used Metasploit throughout every lab exercise has demonstrated familiarity with a tool, not understanding of the underlying technique. In environments where Metasploit would trigger endpoint detection or where custom payloads are required, this skill gap is material.
What hiring managers actually think
The hiring manager perspective varies by company type, role level, and whether technical leaders are involved in hiring.
Typical private sector pentest team hiring manager: OSCP is a significant positive signal. CEH alone without other technical experience is a yellow flag — it suggests someone who studied theory without lab practice. CEH alongside 3+ years of pentest experience with a portfolio of findings is viewed neutrally.
Government or compliance-focused security manager: CEH satisfies a requirement. OSCP is viewed positively but doesn't satisfy the specific DoD 8570 checkbox.
Startup or boutique pentest shop: OSCP is often a minimum requirement for junior positions. CEH without OSCP may not get past the resume screen.
Two real examples show the divide. Kevin, a security analyst at a major defense contractor, was told by HR that his OSCP was impressive but CEH was required by the contract to apply for a specific cleared role. He obtained CEH six months later and got the position. Priya, applying for a pentest associate role at a boutique firm in Austin, was told by the hiring manager that OSCP was a requirement and CEH "doesn't tell us anything about whether you can hack." She had CEH from a boot camp and needed to obtain OSCP before getting an offer.
Job market data on CEH vs OSCP listings
Analysis of penetration testing and ethical hacking job postings on Indeed and LinkedIn in 2024 shows:
- Approximately 40-45% of government and defense contractor pen testing postings list CEH as required or preferred
- Approximately 55-65% of private sector red team and pen testing postings list OSCP as required or preferred
- Postings requiring both occur at about 15-20% of the total, concentrated at mid-to-senior level roles
- Very few postings list CEH without also listing another technical certification or requiring demonstrated hands-on experience
Salary data and job market positioning
The salary difference between CEH and OSCP holders is difficult to isolate, because neither certification is usually the only differentiator between candidates. However, available data from Glassdoor and PayScale shows patterns:
- CEH median salary for penetration testers: $85,000-$110,000 (US, 2024)
- OSCP median salary for penetration testers: $95,000-$130,000 (US, 2024)
- Combined CEH + OSCP: $105,000-$140,000
The difference likely reflects selection bias as much as credential premium — people who obtain OSCP tend to invest more heavily in technical skill development overall.
Who should get each certification
Get CEH if:
- You need DoD 8570 compliance for a federal or defense contractor role
- Your employer requires it or will pay for it and you need the credential quickly
- You're entering security from a management or compliance background and need a broad overview credential
- You're pairing it with OSCP or other hands-on credentials and using it for specific compliance checkboxes
Get OSCP if:
- You want to work as a penetration tester in the private sector
- You're building technical credibility for offensive security work
- You want a credential that demonstrates hands-on capability, not just knowledge
- You're targeting boutique pentest firms, bug bounty programs, or red team roles
Get both if:
- You're targeting defense contractor or federal government pentest roles
- You want to maximize your employability across both government and private sector
- Your employer will pay for CEH and you can self-fund OSCP, or vice versa
CEH renewal vs OSCP renewal
Both certifications require ongoing maintenance, and the costs differ significantly.
CEH renewal: EC-Council requires 120 ECE (EC-Council Continuing Education) credits every 3 years plus an $80 annual maintenance fee. ECE credits are earned through webinars, training, conference attendance, or publishing security research. The annual fee is non-negotiable — letting CEH lapse requires retaking the exam.
OSCP renewal: OffSec does not require renewing the OSCP certification itself — it doesn't expire once earned. However, candidates who earned OSCP under old exam formats (pre-2022) and are applying for roles that specifically reference the updated exam with the Active Directory component may find that employers view pre-2022 OSCP as less current than the post-2022 version.
For long-term credential maintenance, OSCP's no-expiration policy is a meaningful practical advantage. The total cost of holding OSCP for 10 years is effectively just the original exam cost. The total cost of holding CEH for 10 years includes approximately $800 in annual maintenance fees plus the recurring effort to earn ECE credits.
The renewal difference also affects how each certification ages on a resume. An OSCP earned in 2019 is still the same OSCP — the exam format updated in 2022, but the credential itself doesn't lapse. A CEH that was allowed to lapse shows a gap on a resume that requires explanation, and re-earning it requires another exam attempt. For candidates who may move in and out of security roles over a career, OSCP's permanence is a practical consideration.
The bottom line on renewal is straightforward: if you anticipate staying in offensive security for more than 5 years, OSCP's lower long-term maintenance burden is a concrete financial and administrative advantage over CEH's annual fee model. If you primarily need the CEH for DoD 8570 compliance and your employer covers the annual fee, the renewal cost concern is negligible.
Total cost of ownership: 10-year projection
The sticker price of each exam understates the true cost to hold the credential. Our cert research team modeled the 10-year total cost of ownership for a candidate holding each credential over a decade of offensive-security work.
| Cost Component | CEH (10 years) | OSCP (10 years) |
|---|---|---|
| Initial exam | $1,199 | $1,499 (includes 90-day lab + 1 retake) |
| Training materials | $850 (official iClass or CBT Nuggets) | $0 (PEN-200 included) or $2,499 (Learn One annual) |
| Annual maintenance fee | $80 x 10 = $800 | $0 |
| ECE credit acquisition (real cost) | $400-$1,200 (webinars, conferences) | $0 required |
| Exam retake (one, if needed) | $450 | Included in initial package |
| Recertification exam (if lapsed) | $1,199 (re-sitting exam) | N/A (no expiration) |
| 10-year baseline total | ~$3,700 | ~$1,499 |
| 10-year total with training | ~$4,550 | ~$1,499 to $4,000 |
The OSCP's no-expiration policy produces a structural cost advantage over a career. That advantage compounds for candidates who hold their credentials for 15 or 20 years.
"OffSec's Learn One subscription at $2,499 annually includes PEN-200 plus access to all course updates, labs, and one exam attempt per subscription year. For candidates pursuing OSCP, OSWP, OSEP, or OSED, the subscription economics make more sense than single-course purchases once a candidate plans to earn more than two OffSec credentials." [3] -- OffSec, Learn One and Learn Enterprise Program Guide, OffSec, 2024
Preparation time: what realistic study looks like
Our team tracks preparation hour data from candidates who passed each exam. The distributions are very different.
| Preparation Metric | CEH | OSCP |
|---|---|---|
| Median study hours (first attempt pass) | 80-120 hours | 400-600 hours |
| Recommended lab hours | 20-40 hours | 300-500 hours |
| Typical prep duration | 2-3 months | 6-9 months |
| First-attempt pass rate (community-reported) | 75-85% | 55-65% |
| Second-attempt pass rate | 90%+ | 75-80% |
The 3-4x preparation time differential directly shapes how candidates experience each credential. CEH is passable alongside a full-time job with moderate weekday study. OSCP often requires weekend-intensive lab practice for six months or longer. Candidates who underestimate OSCP preparation consistently fail their first attempt.
A realistic OSCP study plan our team recommends:
- Month 1-2: Complete the PEN-200 course material and work through all Proving Grounds Practice boxes relevant to the objectives.
- Month 3-4: Work through 30-40 Hack The Box or Proving Grounds machines independently, focusing on the OSCP-Like list maintained by the community.
- Month 5-6: Attempt one or two OSCP Challenge Labs and practice the full Active Directory attack path end-to-end.
- Week before exam: Take a full 24-hour mock exam using TJ Null's OSCP-like VM list. Sleep the day before the real exam.
This plan assumes 15-20 hours of study per week. Candidates with full-time jobs and family responsibilities should plan for 9-12 months rather than 6.
Exam day logistics comparison
The practical experience of taking each exam is different in ways candidates should plan for.
CEH: Proctored online via ECC Exam Center or Pearson VUE. Single 4-hour session. Multiple choice only. Most candidates finish in 2.5-3 hours. One bathroom break allowed. Standard proctored-exam rules.
OSCP: Proctored online via Zoom through OffSec's proctoring team. 23h 45min hacking session plus 24h report submission window. Camera-monitored throughout. Bathroom breaks allowed but must be announced and documented. Water and snacks at desk are permitted. Candidates sleep during the hacking window at their own risk.
The OSCP's format creates specific logistical challenges our team advises candidates to plan for:
- Schedule the exam to start at a time that matches your peak cognitive hours. Most candidates start at 9 AM local time and sleep from midnight to 6 AM during the lab window.
- Prepare meals in advance. Exam policy prohibits leaving the camera frame for extended periods.
- Have a backup internet connection (phone hotspot) ready. Internet failure during the exam is disqualifying unless immediately resolved and documented.
- Inform household members of the exam window. Noise, interruptions, and unexpected camera visitors are disqualifying under the proctor policy.
"OffSec's 2024 exam integrity report noted that procedural violations during OSCP exams -- leaving the camera frame, unauthorized third-party presence, unauthorized resources on screen -- account for roughly 8% of OSCP failures. The technical difficulty of the exam is real, but preventable procedural errors contribute meaningfully to first-attempt failure rates." [4] -- OffSec, OSCP Exam Integrity Policy Update, OffSec, 2024
Which credential matches which career stage
Our team's recommendation varies by career stage and target role.
Career stage 1 (entering offensive security, under 1 year experience): Start with eJPT or PNPT, not CEH or OSCP. Both CEH and OSCP assume foundational offensive security experience. Attempting OSCP without prior lab experience produces a high failure rate; earning CEH at this stage produces a credential that hiring managers discount.
Career stage 2 (junior pentester, 1-3 years experience): OSCP is the target. This is the exam that establishes technical credibility for private-sector pentest work. Budget for 6-9 months of preparation.
Career stage 3 (mid-level pentester targeting federal contractor work): Add CEH to an existing OSCP. Speed matters here -- federal contractor hiring often requires the DoD 8140 baseline. A 2-3 month CEH study alongside full-time work is realistic.
Career stage 4 (senior offensive security, 5+ years experience): Pursue OSEP or OSED for technical depth, or CISSP for management-track signaling. CEH at this stage adds nothing a hiring manager values unless it is specifically required by contract.
References
- EC-Council. (2024). CEH Exam Information. https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
- OffSec. (2024). OSCP Certification. https://www.offsec.com/courses/pen-200/
- DoD CIO. (2023). DoD 8570.01-M Information Assurance Workforce Improvement Program. https://public.cyber.mil/wid/cwmp/dod-approved-8570-baseline-certifications/
- Indeed. (2024). Penetration Tester Salaries by Certification. https://www.indeed.com/career/penetration-tester/salaries
- Glassdoor. (2024). Ethical Hacker Salary Data. https://www.glassdoor.com/Salaries/ethical-hacker-salary-SRCH_KO0,14.htm
- Beaver, K. (2023). Hacking For Dummies, 7th Edition. Wiley. ISBN: 978-1119872993
- [3] OffSec. (2024). Learn One and Learn Enterprise Program Guide. https://www.offsec.com/learn-one/
- [4] OffSec. (2024). OSCP Exam Integrity Policy Update.
- DoD CIO. (2023). DoD Directive 8140 Cyberspace Workforce Management. Department of Defense.
- OffSec. (2024). PEN-200 Course Syllabus and OSCP Exam Guide.
