Understanding the CEH v13 Exam Structure

Originally published December 2024. Updated May 2026 with current Blueprint v5.0 details, AI Proficiency Testing information, and revised exam structure data.

The CEH v13 exam isn’t a knowledge check, it’s a five hour decision tree. You walk in, sit down, and answer 125 multiple choice questions in four hours, then face a 30 minute scoring window that decides whether the cert goes on your resume or whether you reschedule. After running candidates through Training Camp’s CEH bootcamp for years and sitting through the exam modules myself with the v13 update, here’s what the test actually looks like in 2026.

Most of the CEH v13 coverage online is either marketing copy from EC-Council or vague summaries from study sites trying to sell practice questions. Neither tells you what the exam actually feels like or how the new AI components have changed the day of experience. This article is the version I wish candidates had read before showing up at Pearson VUE for their first attempt.

CEH v13 follows EC-Council Exam Blueprint v5.0, in effect since April 2024. 125 questions, four hours, 70 percent to pass, nine domains. The AI Proficiency Testing component is part of the CEH Master track, not the base knowledge exam.

What the CEH v13 Exam Actually Tests

The CEH v13 knowledge exam covers nine domains drawn from 20 modules and over 550 attack techniques in the official courseware. The questions split between conceptual knowledge (what is a technique called, when would you use it, which countermeasure stops it) and scenario application (here’s a network diagram, here’s a list of symptoms, what’s happening and what do you do). About 60 percent of the questions are conceptual and 40 percent are scenario based, in my experience watching candidates work through practice exams.

The domains cover the offensive security workflow end to end. Reconnaissance and footprinting come first because that’s where every real engagement starts. Scanning and enumeration follow because once you have a target, you have to map its attack surface. System hacking, web app attacks, SQL injection, wireless attacks, mobile and IoT attacks, cloud hacking, and cryptography round out the technical content. Social engineering, denial of service, session hijacking, and IDS/firewall evasion fill out the network and perimeter section, which is the largest single domain at 24 percent of the exam.

The current weights and question distributions come from EC-Council’s official Blueprint v5.0, which has been in effect since April 2024 and carries forward into v13. Anyone studying from older blueprint references is using stale information.

What’s New in v13 vs v12

The headline change is AI integration. EC-Council added AI focused content across the 20 modules rather than creating a separate AI domain. You’ll see ShellGPT in the labs as a command generation tool for pentest tasks. FraudGPT and WormGPT show up on the defensive side as awareness material so you can recognize what attackers are building. AI assisted reconnaissance and OSINT tooling appears in the recon modules. The exam testing for AI content is woven into existing domains rather than carved out separately, so you won’t see a clearly labeled AI section on your score breakdown.

A second major change is depth on cloud and post exploitation. v12 covered cloud at a surface level. v13 expects you to understand container security concepts, serverless function attack surface, and post exploitation techniques across cloud environments. Wireless attack content is lighter than in v12 because the focus shifted toward modern infrastructure.

The third change is more emphasis on LLM specific vulnerabilities, particularly prompt injection, model theft, and training data poisoning. Coverage is roughly comparable to the OWASP Top 10 for LLMs, which is to say introductory but real.

The Exam Format: What Happens on Test Day

CEH v13 is a four hour, 125 question, multiple choice exam. Passing requires 70 percent, which means you need roughly 88 correct answers. The exam uses scaled scoring, so the exact number of questions you need correct varies slightly by exam form, but 88 is the working target.

You have two delivery options. Pearson VUE testing centers give you a quiet, controlled environment with a desktop machine and a proctor down the hall. Online proctoring via ECC EXAM portal lets you take the exam from home with a webcam, microphone, and a clean room (no second monitor, no notes on the desk, no phone within reach). The remote option saves the drive but adds technical risk; a wifi hiccup can interrupt the session, and the proctor’s room sweep requirements are strict. For first time CEH candidates, I generally recommend Pearson VUE because the environment is more predictable.

Time Management Inside the Four Hour Window

115 seconds per question sounds generous until you hit a scenario question with a three paragraph setup and four plausible answers. Candidates who fail the time test usually do it by spending too long on the first 20 questions, trying to get everything perfect before moving on. The right strategy is to flag anything you’re unsure about, answer your best guess, and keep moving. Come back to flagged questions after you’ve seen the rest of the exam, because later questions often jog your memory on earlier ones.

A reasonable pace is 30 questions per hour for the first three hours, then 35 questions in the final hour with built in review time. If you’re significantly behind that pace at the two hour mark, you have a time problem and need to speed up. If you’re significantly ahead, you’re probably skimming and need to slow down on scenario questions.

The CEH Master Track and AI Proficiency Testing

A common confusion with v13 is around where the AI assessment actually lives. Base CEH is earned by passing the 125 question knowledge exam. AI content is woven into the study material and shows up on the knowledge exam, but you don’t take a separate AI exam to earn the base CEH.

CEH Master is the stacked credential for candidates who pass both the knowledge exam and the CEH Practical. The Practical is a six hour, hands on assessment with 20 real challenges delivered in EC-Council’s Cyber Range. v13 added formal AI Proficiency Testing to the Practical track, which means candidates pursuing Master will have AI specific challenges as part of the assessment. If you’re only chasing base CEH, AI proficiency isn’t formally assessed beyond the multiple choice questions on the knowledge exam.

For most candidates, base CEH is the right target. Master is worth pursuing if you’re aiming at senior pentest roles where the credential carries weight, or if you’re working in a DoD 8140 work role that calls out the Practical specifically. For the deeper breakdown of where Master fits, see our piece on whether you need CEH to get a penetration testing job and our analysis of how AI is changing ethical hacking.

Eligibility and Prerequisites

EC-Council allows two paths to the CEH v13 exam. The first is completing official EC-Council training (the CEH bootcamp), which removes the experience requirement. Path two is the eligibility waiver, which requires two years of documented information security work experience plus a $100 application fee and an approval review.

Most candidates I work with go the training route because it’s faster and removes the documentation burden. The eligibility waiver makes sense for people with strong security backgrounds who want to self study, though most of those candidates are honestly better served by hands on certifications. CEH’s value sits in its broad coverage and DoD 8140 alignment, not in being the hardest pentesting credential available.

Practical preparation expectations regardless of path are similar. You need solid TCP/IP fundamentals, working knowledge of both Windows and Linux command lines, comfort with common network services and ports, and basic scripting fluency in Python or Bash. Most candidates also hold Network+ or Security+ first, which builds the foundational vocabulary that makes CEH study go faster.

Why CEH v13 Still Matters in 2026

The honest case for CEH in 2026 rests on three things. The first is DoD 8140 alignment. CEH is approved for multiple work roles under the DCWF, which means federal employees and contractors in those roles need the credential. That demand stream is locked in regardless of broader market conditions. The second is brand recognition. HR teams and recruiters know the CEH name, even when they don’t know what it covers, and that name recognition opens doors that more technically rigorous certs sometimes don’t because hiring managers haven’t heard of them.

The third is the v13 AI integration. It’s not graduate level offensive AI work, but it does get candidates fluent enough to have a competent conversation about AI risk with developers and security architects. That fluency matters more than it sounds. I’ve sat in too many client meetings where the security team and the dev team were talking past each other about AI risk because nobody on the security side had vocabulary for prompt injection or training data poisoning. CEH v13 doesn’t solve that problem completely, but it gets you into the conversation.

For work role mapping, the NICCS catalog maintained by CISA is the authoritative source. It’s worth checking before committing study time if you’re targeting federal or contractor positions, because the work role list changes periodically as DCWF updates.