How to Become a Certified Ethical Hacker (CEH)
The term "ethical hacker" may sound incongruous to many people, but these professional legal hackers are vital to the security and survival of many corporations and government agencies. The market demand for these professionals, who are also called penetration testers, is high, especially as data breaches and internet deep fakes and phishing scams reach new heights of sophistication and breadth.
Or, as Tech.co's "Data Breaches That Have Happened in 2022 and 2023 So Far" story relays, everyone from T-Mobile to Meta, Twitter, ChatGPT and Apple have suffered data breaches or hacks in the past 12 months, and tech industry staple tools such as Slack and Atlassian have not been spared from hackers' darkly resourceful hands either.
What does an ethical hacker do?
The National Cybersecurity Alliance states that the phrase "ethical hacking" was first used in 1995 by IBM Vice President John Patrick, but the concept has been around for a lot longer. They say that many would argue that ethical hacking is the "goal of the majority of hackers, but the current media perception is that hackers are criminals."
In the 1960s, hacking was a term "used by engineering students that simply meant finding different ways to optimize systems and machines to make them run more efficiently. Hacking was a creative activity carried out by some of the brightest people in the world, and the idea of the ethical hacker predates the criminal hacker."
The role of an ethical hacker is nothing if not multifaceted. You will need to be a master of computer code, network security architecture, cryptography and also writing—and be able to present your findings to developers and upper management. The best way to think of an ethical hacker's role is to consider it a proactive necessity.
Types of testing performed by ethical hackers
Ethical hackers test in three basic hacker methods:
- Black box ethical hackers:
- In this grouping, ethical hackers set up scenarios where they don't have knowledge of the system and test from outside the company's firewall. Black box is considered the highest level of dangerous hacking because it attempts to gain access to user data and information, which will likely be used for profit, exploitation and illegal purposes if the hacker was not hired to intentionally try and gain this information.
- White box ethical hackers:
- In a white box scenario, the tester is inside the system and has knowledge of how it works. This is the most common case for ethical hackers testing a product or version, a feature enhancement or a company's employee system prior to release.
- Gray box ethical hackers:
- The gray hat scenario is a combination of black and white testing, and these hackers generally test usability, performance and security on a system where they have some knowledge but which is limited in that knowledge and access.
Ethical hackers essentially replicate what hackers that work in the real world do as they hack into computer systems for malicious, political or other purposes. But an ethical hacker's aim is clear: find the flaws prior to the system or software being released, and continue to test for web application, server, wireless network and social platform vulnerabilities for the lifespan of the company or product to stay ahead of malicious and dangerous criminals intending to do harm and profit from their illegal actions.
Therefore, it's critical that ethical hackers can think like a criminal who wants to crack into a secure system, but they have much less time and preparation. A criminal hacker can spend as much time as needed to study a system prior to launching an attack. You, on the other hand, might have a week or two to prepare your strategy. Your goal will be to hack and test an unreleased product or system and find all the flaws and severe bugs and weaknesses before it's released to the public.
Once you have completed your simulated break-in to a client or employer system, you will then analyze the scenario, its flaws and write a detailed report. That report will need to include a breakdown of the problems for management, suggestions for fixes and improvements, and a plan for how to implement these upgrades or other changes for the development team.
How to become a Certified Ethical Hacker
Complete a four-year degree and get experience.
Prior to your enrolling in Certified Ethical Hacker (CEH) training, you will need to have at least a bachelor's degree and plenty of experience in a security department. It will be to your benefit to study and practice technical writing, be knowledgeable of managerial and financial concerns within a corporation and have a good working knowledge of system vulnerabilities and the current trends in black hat hacking. You will need well-developed problem-solving skills as well, which can be gained by working in an IT department.
Sharpen your people skills.
On top of the technical and analytical side of hacking, you will need to know how to manipulate people. Imagine how much easier it will be to break into a server if you are able to gain access to a password. This takes a sophisticated and psychologically astute mindset and knowledge not only of technical vulnerabilities, but human emotions and weaknesses. As an ethical hacker, you will likely be asked to hack into a client's computer without ever having set foot in their home or office setting.
Find a job requiring ethical hacking skills.
Ethical hackers are fortunate in that they may be able to find employment in any number of industries, from government agencies to large tech firms or small information security companies. Because so many industry sectors—finance, government, law enforcement, healthcare, home and company internet providers, mobile companies and so on—need to protect sensitive data, ethical hackers have a wealth of choices in which to practice their craft. They can also gain marketable experience by starting out in network support, network engineering or other positions related to information security, and move to ethical hacking or penetration testing from there.
Obtain Certified Ethical Hacker (CEH) certification.
To earn certification, you'll need to take a course that will prepare you for the certification examination. The most common ethical hacker certification is the Certified Ethical Hacker (CEH) Certification. During the CEH course, you will face many real-time scenarios that will test your abilities as a hacker and person. You will have many tools—proxy tools, scanning, foot printing, vulnerability analysis and exploitation tools among them—at your disposal. While you might not use all these tools of the trade, you will need to know how to use them and be knowledgeable of all of them.
Education and CEH training
Earning a bachelor's degree is the most common education first step to becoming a CEH. A bachelor's in either computer science or cyber security can provide the well-rounded education you'll need to understand the concepts and master the tools ethical hackers use. For those who already have a degree in a related field, a bootcamp program in cyber security could help you fast track to ethical hacking by intensely focusing on the studies you'll need specifically for the job.
In your bachelor's or bootcamp program you'll dive into coursework around such topics as hardening operating systems, securing databases, cryptography concepts, hacking countermeasures and techniques and risk management. Classes may include studies in:
- Fundamentals of information security
- Networks and security foundations and applications
- Scripting and programming
- Data and information management
- Penetration testing and vulnerability analysis
- Managing Cloud security
- Digital forensics in cyber security
In a bachelor's program you'll likely get a well-rounded education by studying general education topics such as communications, ethics, critical think and reasoning and statistics, among others.
You may also be required to complete a Capstone project, which will implement all the skills and knowledge you have learned and apply them to a technical project, manage its implementation and present your analysis post-implementation.
TIP: Gain some people skills and behavior insights
One way you may be able to bring more insight and intuitiveness to your job as an ethical hacker is to hone your people skills. These aren't just about communication, but also about understanding why and how people act, react and respond as they do to pressure and emotional situations. After all, one way hackers reel in their prey is to elicit an emotional and immediate response and make them act (click that link) to the scenario—whether it be an IRS scam or purported fraudulent banking transaction—that's being presented in that phishing email or deep fake video.
As part of your bachelor's program, you'll have the opportunity to choose electives, and selecting consumer psychology or psychology classes may be a great way to have an edge on those who have opted for a strict technology track.
Certified Ethical Hacker certification
Once you've earned your degree, you'll want to consider professional certification. The training to become a CEH is usually formatted as an online or onsite, intensive, 3-to-5-day bootcamp structure. Some online courses are conducted live and in real-time, so it is unlikely that you will be able to work during those days. Many are self-paced so you can learn when your schedule permits. In the training, you will have a laundry list of learning outcomes that will include these items and more:
- Denial of Service Attacks
- Hacking Applications for the Web
- Mobile Platform Vulnerability
- Implementing Malware
- Cryptography
- Sniffing
- Hacking Cloud Computers
- Wireless Network Vulnerabilities
- How to Evade Firewalls and Honeypots
- Hijacking Sessions
- How to Scan Networks
- Understanding Trojans, viruses and worms
- Hacking Web Servers
- SQL Injection
- Data Loss Prevention
- Patch Management
The examination and training are constantly being upgraded to include new technologies that are likely targets of hackers, and classes will strive to be compatible with current operating systems, tools, best practices and tactics and known exploits. Since the field is constantly changing, you will want to adopt the attitude of a lifelong learner before you sign up to become a CEH. It might also help to be able to put yourself in the mindset of a criminal. After all, they say to catch a criminal you must think like a criminal.
Jobs after earning certification
Once you complete the above steps and get your 'hacker degree' and become a CEH, your career can take several turns. You can take on the role of a penetration tester and work as a security consultant to corporations and government agencies. If you want to work as a government contractor, it will help if you have some military training. It will be even better if your time in the military included any security clearances. Such experience will earn respect and esteem among your clients, but you can still earn those clearances without having served in the military.
You could work as a consultant, and you might even increase your consultancy by taking on newer, less-experienced CEHs. Before you know it, you could have a company that needs to hire its own penetration testers.
Not everyone will want to go out on their own and you may prefer to work with an employer to gain experience and have job security. With your certification awarded, you may also be able to find employment for a company under one (or more) of these job titles:
- Vulnerability Tester
- Security Analyst
- System Administrator
- Security Auditor
- Penetration Tester
If you decide to remain in your current role, your knowledge and skills will be of immense value in assessing, upgrading and evolving your security protocols. You'll have what it takes to analyze the problems your systems face and communicate these to developers, CTOs and top executives in a language they'll understand.
Importance of CEH certification in job applications
The CEH credential goes beyond just learning about cyber security and the high-level view that you may learn in school. It's built to give you hands-on experience and an in-depth understanding of ethical hacking stages, different attack vectors and preventative strategies. It will teach you how hackers think and act maliciously so you will be better positioned to set up your company's security infrastructure and defend it against future attacks. This type of proactive application and understanding can provide confidence to employers and strengthen your position when you apply for jobs with a company. The in-depth, hands-on approach to cyber security may give you that edge over any competition that has not attained the certification.
Certified Ethical Hacker salary and job outlook
Statista reports that in the past five years data breaches have grown significantly, creating a need for qualified and skilled ethical hackers and cyber security professionals. With AI already posing significant security issues, the problem of breaches continues to grow. Here are breaches and number of individuals impacted by them in the past four years:
| Year | Number of breaches | Number of people impacted (in millions) |
|---|---|---|
| 2022 | 1,802 | 422.14 |
| 2021 | 1,862 | 298.08 |
| 2020 | 1,108 | 310.12 |
| 2019 | 1,279 | 883.56 |
Because of the rapid growth of cyber attacks, the job growth rate for jobs to counter these breaches is also growing. The U.S. Bureau of Labor Statistics anticipates a 31.5% job growth through 2032 for information security analysts, which is much faster than average for all jobs combined, saying the high demand is expected because cyberattacks have grown in frequency and these analysts will be needed to "create solutions to prevent hackers from stealing critical information or creating problems for computer networks." They also cite the shift to "remote work and the rise of e-commerce" as the reason for increased need for enhanced security, and that "growth in digital health services and telehealth specifically" will also increase data security risks for healthcare providers.
Where the ethical hacking jobs are
Where you live can have an impact on where you may be able to find a job as an ethical hacker. While almost every industry needs to lockdown user and proprietary information and data, you can expect certain geographical areas to have higher concentrations of tech or government agencies and therefore, ethical hacker jobs. The BLS reports these areas are the leading metro areas for information security analyst employment:
As you can see, top on the list in the number 1, 2 and 4 spots is the Washington D.C. area, which is the seat of federal government, politics and defense and requires national security at a high level. A bit further down the list is Washington State's Seattle-Tacoma area, home to Microsoft, Amazon and other tech companies, which rely on ethical hackers to help test and keep data secure. A bit further down but still in the top 10 is California's Silicon Valley area, which has slipped a bit but still has a high presence as an employer of ethical hackers and information security analysts.
Median salary expectations for CEH professionals
It's not only job growth that is promising for ethical hackers and other cyber security professionals. Salaries are just as promising. Here are the median annual salaries by state for information security analysts:
You can see that professionals in the cyber security field are well-compensated for their skills. Here are salaries for comparable careers in the cyber security and computer science fields:
Advancement opportunities for Certified Ethical Hackers
The surest way to move up the ranks and into management roles, or other roles in the cyber security field, is by expanding your knowledge and skillset base. Once you've earned your bachelor's degree, the logical next step is to earn your master's degree. A master's degree takes approximately two years to complete and may be taken in an onsite or online environment. The goal of a master's program is to provide leadership skills and solutions and a more global outlook toward cyber security. An example of a master's program outcome looks something like this:
- Provide the knowledge and skills to manage and maintain the security of an organization's infrastructure, networks and applications.
- Provide an understanding of data network infrastructure, architecture and management.
- Teach strategies to mitigate security risks for Cloud-based and traditional environments.
- Explain and incorporate enterprise information security policies that address internal and external national / international threats.
With a master's you might go on and secure employment with a job title such as:
- Information security engineer
- Data security officer
- Cyber security risk analyst
- Information systems manager
If you don't have the time to spend two more years in school, a great way to expand your knowledge base quickly is to enroll in bootcamps or pursue professional certifications that may open doors to other areas of cyber security. Some certifications to consider include:
- CompTIA PenTest+:
- Provides next-level penetration tester skills and knowledge covering hands-on vulnerability assessment, scanning and analysis, as well as planning, scoping and managing systems weaknesses.
- Offensive Security Certified Professional (OSCP):
- The OSCP is considered a more technical certification than other ethical hacker certifications and requires students to successfully attack and penetrate live machines in a safe environment.
- Certified Security Testing Associate (CSTA):
- A 3-to-5-day intensive course for people from different network, systems and security roles across all industry sectors who are looking to offer support to their company's cyber security team.
- Computer Hacking Forensic Investigator (CHFI):
- This certification takes a lab-focused approach to digital forensics and evidence analysis in the worlds in which malicious hackers operate, including the Dark Web and the Cloud.
- GIAC Penetration Tester (GPEN):
- The GPEN professional certification provides reconnaissance skills for penetration testers by engaging in staged exploits.
Getting started as a CEH
If you want to serve this vital role on a security team, finding an accredited ethical hacker education program could have you on your way to a challenging, rewarding and necessary career. Whether you decide to work for a consulting firm or go out on your own, the training you receive will equip you with the skills and knowledge you need to succeed. Don't wait—start your journey to a successful career in ethical hacking today!
To find the right cyber security degree program for you, use the Find Schools widget on this page. Simply enter your zip code and request enrollment information.
Updated: June 7, 2023