The CEH v13 exam blueprint distributes 125 questions across nine domains, with weights ranging from 5 percent to 24 percent. Those numbers do not tell you where candidates actually lose points on exam day. After reviewing post exam debriefs from candidates I’ve trained and tracking practice test performance patterns across cohorts, the failure points are predictable enough to plan your study time around.
The mistake most candidates make is allocating study time proportionally to domain weight. That approach assumes question weight equals question difficulty, which is not how the exam actually scores in practice. A 5 percent domain that you score 40 percent on hurts you more than a 24 percent domain where you score 70 percent. This article ranks the domains by where candidates actually drop points, not by how big the section appears in the blueprint.
Network and Perimeter Hacking is the largest CEH v13 domain at 24 percent of the exam. It’s also where the most candidates fail. Cryptography, at 5 percent, is the next biggest score drain despite being one of the smallest sections.
How CEH v13 Distributes Its 125 Questions
Before ranking the domains by difficulty, the official weights are worth stating. The current CEH exam follows Blueprint v5.0, which has been in effect since April 2024 and carries into v13. EC-Council publishes the blueprint directly on its certification site, listing nine domains with assigned question counts and percentage weights.
Passing the CEH knowledge based exam requires a 70 percent score, which translates to roughly 88 correct answers out of 125. The cut score doesn’t sound difficult on paper. What makes the exam hard is the structure of the question pool, because the distribution forces you to perform across all nine domains rather than coasting on your strongest areas.
The Hardest Domains by Where Candidates Actually Lose Points
The ranking that follows is based on practice exam performance across the candidate base I work with, plus debrief patterns from people who failed their first attempt. This order is intentionally not the order of question weight. Failure patterns concentrate in specific subdomains rather than evenly across each domain.
Rank 1: Network and Perimeter Hacking (24%)
This is the largest domain on the exam and also the section where candidates drop the most absolute points. The combination of high question volume and broad subtopic range is what makes it brutal. You need command of sniffing techniques (MAC attacks, DHCP starvation, ARP poisoning, DNS poisoning, spoofing), social engineering categories, DoS and DDoS variants and tools, session hijacking at both application and network layers, and IDS, IPS, firewall, NAC, and honeypot evasion techniques.
The most common failure point inside this domain is the sniffing subsection. Candidates conflate similar attacks. ARP poisoning gets mistaken for MAC flooding. DHCP starvation gets mistaken for DHCP spoofing. Candidates know the names but cannot match the technique to the specific traffic pattern or countermeasure in a scenario question. Memorize the difference between active and passive sniffing, then memorize which switch features (STP, port security, DHCP snooping, and dynamic ARP inspection) counter each specific attack. The exam will give you a network scenario and ask which control to apply.
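To make the traffic-pattern distinctions concrete, here is an added example (not from the article or the official courseware) that classifies a constructed switch-port frame log into the four attacks named above and attaches the control that counters each. The frame fields, port names, MAC values and the threshold of three MACs per port are assumptions.

```python
from collections import defaultdict

# Control the courseware pairs with each attack; attached to every finding.
COUNTERMEASURE = {
    "MAC flooding": "port security (max MAC addresses per port)",
    "ARP poisoning": "dynamic ARP inspection",
    "DHCP starvation": "DHCP snooping rate limit plus port security",
    "DHCP spoofing": "DHCP snooping (OFFER/ACK allowed only from trusted ports)",
}

def classify(frames, trusted_ports, mac_limit=3):
    """Return {attack: (evidence, countermeasure)} for the patterns in frames.
    frames: dicts with 'port', 'src_mac', 'type' and, for ARP replies, the claimed 'ip'."""
    data_macs = defaultdict(set)      # port -> MACs seen in ordinary frames
    discover_macs = defaultdict(set)  # port -> client MACs in DHCP DISCOVER
    arp_claims = defaultdict(set)     # IP -> MACs that claimed it in ARP replies
    rogue_offers = set()              # untrusted ports that sourced a DHCP OFFER
    for f in frames:
        if f["type"] == "arp_reply":
            arp_claims[f["ip"]].add(f["src_mac"])
        elif f["type"] == "dhcp_discover":
            discover_macs[f["port"]].add(f["src_mac"])
        elif f["type"] == "dhcp_offer" and f["port"] not in trusted_ports:
            rogue_offers.add(f["port"])
        elif f["type"] == "data":
            data_macs[f["port"]].add(f["src_mac"])
    # Many source MACs on one port with no lease requests: CAM table flooding.
    flooded = sorted(p for p, m in data_macs.items() if len(m) > mac_limit)
    # Many distinct client MACs asking for leases on one port: pool exhaustion.
    starved = sorted(p for p, m in discover_macs.items() if len(m) > mac_limit)
    # One IP answered by more than one MAC: a poisoned mapping.
    poisoned = sorted(ip for ip, m in arp_claims.items() if len(m) > 1)
    findings = {}
    for attack, evidence in (("MAC flooding", flooded), ("DHCP starvation", starved),
                             ("ARP poisoning", poisoned), ("DHCP spoofing", sorted(rogue_offers))):
        if evidence:
            findings[attack] = (evidence, COUNTERMEASURE[attack])
    return findings

# Constructed sample frame log (locally administered MACs), not captured traffic.
mac = lambda n: f"02:00:00:00:00:{n:02x}"
SAMPLE = (
    [{"port": "Gi0/1", "src_mac": mac(i), "type": "data"} for i in range(1, 6)]
    + [{"port": "Gi0/2", "src_mac": mac(20), "type": "arp_reply", "ip": "10.0.0.1"},
       {"port": "Gi0/3", "src_mac": mac(30), "type": "arp_reply", "ip": "10.0.0.1"}]
    + [{"port": "Gi0/4", "src_mac": mac(i), "type": "dhcp_discover"} for i in range(40, 44)]
    + [{"port": "Gi0/5", "src_mac": mac(50), "type": "dhcp_offer"},
       {"port": "Gi0/24", "src_mac": mac(60), "type": "dhcp_offer"}]
)
TRUSTED_PORTS = {"Gi0/24"}  # the uplink to the real DHCP server
```

Run `classify(SAMPLE, TRUSTED_PORTS)` to see one finding per attack; note that starvation and flooding both put many MACs on one port, and only the presence or absence of DISCOVER messages tells them apart.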
IDS and firewall evasion is the second weak spot. Candidates know what an IDS is but cannot list specific evasion techniques like fragmentation, polymorphic shellcode, session splicing, unicode encoding, and protocol violations. Each of these has a defensive countermeasure that the exam will test you on. Spend time on the evasion methodology section of the official courseware until you can name the technique, name the defensive control, and explain why the technique defeats a signature based IDS but not necessarily a behavior based one.
Rank 2: Cryptography (5%)
Cryptography is only 5 percent of the exam but it consistently scores lower than any other domain in candidate practice data. The reason isn’t complicated. Most CEH candidates come from networking, system administration, or SOC analyst backgrounds where cryptography is a black box that just works. The exam expects you to understand the internals.
Specific failure points are symmetric versus asymmetric algorithm identification, key length implications, hash algorithm collision resistance properties, and PKI flow under different trust models. Candidates know that AES is symmetric and RSA is asymmetric, but they struggle when the question asks which algorithm provides forward secrecy in a TLS handshake or which symmetric mode of operation is vulnerable to a specific padding oracle attack. Cryptanalysis questions tend to be the hardest because they require recognizing attack patterns (chosen plaintext, known plaintext, ciphertext only, related key) rather than just naming the algorithm.
Treat this small domain as if it were 15 percent of the exam during study. The questions are harder than the weight suggests, and the difference between scoring 50 percent and 80 percent on these six questions is a swing of two raw points, which is enough to push you across the pass/fail line. Official courseware covers cryptography reasonably well, but candidates who use it as their only resource often miss the depth needed for the exam.
Rank 3: Web Application Hacking (14%)
This domain splits cleanly into three subareas: web servers, web applications, and SQL injection. The SQL injection subsection is where candidates lose the most points. Knowing what SQL injection is gets you maybe two of the six SQL questions correct. The exam expects you to identify specific types (union based, error based, blind boolean, blind time based, second order, out of band), recognize injection payloads in code snippets, and select the correct evasion technique when a WAF is in the path.
Web app methodology questions are the second weak spot in this domain. Candidates who have never actually tested a web application struggle to remember the sequence (footprint infrastructure, analyze the application, bypass client side controls, attack authentication, attack authorization, attack session management, attack data validation, attack business logic, and so on). This is a methodology you have to internalize, not just memorize as a list. The exam will give you a scenario where you’ve completed three steps and ask what comes next. Without context for what each step actually accomplishes, the answers all look plausible. For grounding on how the broader testing methodology fits together, NIST SP 800-115 covers the same phases at a more formal level, which is useful background for the methodology questions on the exam.
Candidates who set up a basic lab with DVWA, OWASP Juice Shop, or PortSwigger Web Security Academy and actually run through the labs do significantly better on this domain than candidates who only read about web app attacks. Hands on familiarity with Burp Suite as the workflow tool is what separates a 60 percent score on this section from a 90 percent score.
Rank 4: Mobile Platform, IoT, and OT Hacking (10%)
The OT subsection inside this domain is the score drain. Operational technology covers industrial control systems, SCADA, ICS protocols (Modbus, DNP3, IEC 61850), and the security model differences between IT and OT environments. Most candidates have zero OT exposure in their day jobs. They study mobile platform attacks, get comfortable with Android and iOS attack vectors, then assume the IoT and OT questions will follow similar patterns. Those questions don’t.
OT security inverts the CIA triad. Availability matters most, integrity second, confidentiality third, which is the opposite of how IT security prioritizes. Candidates miss questions because they apply IT thinking to OT scenarios. The exam will ask about patching schedules in an ICS environment, and the right answer is the one that prioritizes operational continuity over rapid remediation. A candidate who doesn’t understand why OT defenders accept longer patch cycles will pick the IT answer and lose the question.
Rank 5: Reconnaissance Techniques (17%)
Reconnaissance is the second largest domain at 17 percent and most candidates do reasonably well on the footprinting and basic enumeration questions. Where they lose points is the scanning subsection, specifically Nmap option flag questions. The exam tests specific Nmap flags (-sS, -sT, -sU, -sA, -sF, -sX, -sN, -sV, -O, -A, -p, -PE, -PP, -PM) and what each one does at the packet level. Candidates who use Nmap regularly at work often pick the wrong answer because they remember the command they actually type, not the underlying packet behavior the exam is testing.
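As an added example that is not from the article, the following script names the Nmap scan type a source is running purely from the TCP flags it puts on the wire, which is the packet-level behavior the exam asks about rather than the command typed. The packet tuple format, the three-port threshold and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MASK = FIN | SYN | RST | PSH | ACK | URG

# First-probe flag pattern -> the Nmap scan type that puts it on the wire.
SIGNATURE = {0: "-sN (Null)", FIN: "-sF (FIN)", FIN | PSH | URG: "-sX (Xmas)",
             ACK: "-sA (ACK)", SYN: "SYN"}  # SYN is refined by the follow-up

def identify_scans(packets, min_ports=3):
    """Return {src: {scan_type: [ports]}} for sources probing >= min_ports ports.
    packets: (src, dst, dport, flags) in capture order, scanner -> target only."""
    first = {}                        # (src, dst, dport) -> first probe flags
    after_syn = defaultdict(set)      # src -> flags it sent after a SYN probe
    for src, dst, dport, flags in packets:
        flow = (src, dst, dport)
        if flow not in first:
            first[flow] = flags & MASK
        elif first[flow] == SYN:
            after_syn[src].add(flags & MASK)
    ports = defaultdict(lambda: defaultdict(set))
    for (src, _dst, dport), flags in first.items():
        name = SIGNATURE.get(flags)
        if name == "SYN":
            # -sS answers the SYN/ACK with RST; -sT completes the handshake with ACK.
            sent = after_syn[src]
            if any(f & ACK for f in sent):
                name = "-sT (connect)"
            elif any(f & RST for f in sent):
                name = "-sS (SYN half-open)"
            else:
                name = "SYN (-sS or -sT, no open port seen)"
        if name:
            ports[src][name].add(dport)
    result = {}
    for src, kinds in ports.items():
        found = {n: sorted(p) for n, p in kinds.items() if len(p) >= min_ports}
        if found:
            result[src] = found
    return result

# Constructed sample capture (scanner -> target direction only), not real traffic.
T = "198.51.100.5"
SAMPLE_PACKETS = (
    [("192.0.2.10", T, p, SYN) for p in (22, 80, 443)] + [("192.0.2.10", T, 22, RST)]
    + [("192.0.2.11", T, p, FIN | PSH | URG) for p in (21, 25, 110, 143)]
    + [("192.0.2.12", T, p, SYN) for p in (80, 443, 8080)] + [("192.0.2.12", T, 80, ACK)]
    + [("192.0.2.50", T, 443, SYN), ("192.0.2.50", T, 443, ACK)]  # one ordinary client
)
```

The ordinary client sends the same SYN then ACK sequence as a connect scan, which is why the port-count threshold, not the flags alone, separates it from the -sT source.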
The enumeration subsection is the other weak spot. SNMP, LDAP, NTP, NFS, SMTP, DNS, and the various protocol enumeration techniques (IPsec, VoIP, RPC, Telnet, FTP, TFTP, SMB, IPv6, BGP) need to be memorized at a level most candidates underestimate. For more detail on the specific scan types, our piece on Nmap scan types in 2026 gives the working level breakdown you need.
Why the Small Domains Are More Dangerous Than They Look
There’s a common assumption among self study candidates that the 5 percent domains can be safely skimmed. The math behind this is wrong. Consider a candidate who scores 80 percent on the large domains (which is solid performance) and only 40 percent on Cryptography, Cloud Computing, and Wireless. The combined raw score across the three 5 percent domains is roughly 7 correct out of 18 questions. On a 125 question exam with a 70 percent cut score, those 11 missed questions can push someone from a passing 88 to a failing 77.
The small domains compound. Wireless covers WEP, WPA, WPA2, WPA3, Bluetooth attacks, and wireless security tools across only six questions. Cloud Computing covers cloud concepts, container security, serverless, cloud hacking, and cloud defensive controls across six questions. Cryptography covers algorithms, PKI, encryption, and cryptanalysis across six questions. None of these subjects are hard if you study them. They are all hard if you skim them, because the question depth doesn’t drop proportionally with the domain weight.
Practice exams are useful for diagnosing which small domains are pulling your overall score down, but only if you use them correctly. Hitting 100 percent on a practice test is usually a sign that you’ve memorized the test bank, not that you’ve learned the material. Our piece on why hitting 100 percent on practice tests is a red flag covers the diagnostic approach in detail.
How to Allocate Your Study Time
A reasonable allocation for a candidate with two to three years of IT experience and limited offensive security background looks roughly like this. Network and Perimeter Hacking plus Reconnaissance combined should get 30 percent of total study hours. System Hacking and Web Application Hacking together get another 25 percent, weighted toward hands on lab work. The small domains (Cryptography, Cloud, Wireless, Information Security overview) get another 25 percent, specifically because they are easy to underweight. Reserve the remaining 20 percent for Mobile Platform, IoT, and OT Hacking, with particular focus on the OT subsection because the mental model is different from typical IT security.
A typical candidate needs 120 to 150 hours of structured study to pass CEH v13. Candidates with strong networking backgrounds can compress that into 80 to 100 hours. Anyone coming from helpdesk or system administration without security exposure typically needs 180 to 200 hours. The variance comes almost entirely from how much time you need on the four hardest domains identified above.
For candidates who want a baseline reference on the overall exam structure before diving into the domain study, our CEH v13 exam structure piece covers the test format, scoring, and the Practical exam track. Use it as orientation before you build the per domain study plan.
Frequently Asked Questions About CEH v13 Domains
What is the hardest domain on the CEH v13 exam?
Network and Perimeter Hacking is the hardest in raw point loss because it’s the largest domain at 24 percent of the exam and covers the widest range of subtopics. Cryptography is the hardest in difficulty per question because the questions test internals that most candidates haven’t worked with directly. Together, these two domains account for most CEH v13 first attempt failures.
What is the CEH v13 passing score?
The CEH v13 knowledge based exam requires a 70 percent score to pass. That translates to roughly 88 correct answers out of 125 questions. The exam follows EC-Council Exam Blueprint v5.0, which has been in effect since April 2024.
How many domains are on the CEH v13 exam?
CEH v13 covers nine domains: Information Security and Ethical Hacking Overview (6%), Reconnaissance Techniques (17%), System Hacking Phases and Attack Techniques (15%), Network and Perimeter Hacking (24%), Web Application Hacking (14%), Wireless Network Hacking (5%), Mobile Platform IoT and OT Hacking (10%), Cloud Computing (5%), and Cryptography (5%).
Why do candidates fail the Cryptography section if it’s only 5 percent of the exam?
Cryptography is small but technically deep. Most CEH candidates come from networking, system administration, or SOC analyst backgrounds where cryptography is a black box. The exam expects you to understand algorithm internals, key length implications, hash collision properties, and PKI flow. Candidates who skim cryptography because of the low weight typically score 40 percent or less on this section, which costs enough raw points to fail an otherwise passing exam.
How many study hours does CEH v13 take to pass?
A typical candidate needs 120 to 150 hours of structured study to pass CEH v13. Candidates with strong networking backgrounds can compress that into 80 to 100 hours. Anyone coming from helpdesk or system administration without security exposure typically needs 180 to 200 hours. The variance comes primarily from how much time is needed on the four hardest domains: Network and Perimeter Hacking, Cryptography, Web Application Hacking, and the OT subsection of Mobile Platform IoT and OT Hacking.
Should I study the CEH domains in proportion to their weight?
No. Study allocation should be weighted toward difficulty per question, not toward domain percentage. A reasonable split is 30 percent of study time on Network and Perimeter Hacking and Reconnaissance combined, 25 percent on System Hacking and Web Application Hacking combined with lab work, 25 percent on the small domains (Cryptography, Cloud, Wireless), and 20 percent on Mobile IoT and OT with emphasis on the OT subsection.
Where do candidates lose the most points on the Network and Perimeter Hacking domain?
The sniffing subsection accounts for the most point loss because candidates conflate similar attacks (ARP poisoning versus MAC flooding, DHCP starvation versus DHCP spoofing). IDS and firewall evasion is the second weak spot, where candidates know what an IDS is but cannot match specific evasion techniques like fragmentation, polymorphic shellcode, session splicing, and unicode encoding to their defensive countermeasures.
Director, Educational Services | Training Camp
Mark Sabo is the Director of Educational Services at Training Camp, where he oversees the training team, course design, and certification program development. He holds a B.S. in Information Sciences and Technology from Penn State University and more than 50 industry certifications. Mark joined Training Camp in 2005, became a Technical Trainer in 2007, and assumed his current leadership role in 2015. His specialty is practice exam development and exam preparation strategy, built from years of teaching students in the classroom and studying how certification exams are constructed. His writing focuses on the technical details that matter most to professionals preparing for high stakes exams.
