The EHE (exam code 112-52) is not a hard exam β but it is a specific one. Candidates who pass quickly memorize EC-Council's exact vocabulary: attack classifications, the five hacking phases, the seven Kill Chain steps, wireless encryption hierarchy, and named laws. Candidates who fail usually studied the right topics but learned them from the wrong source, or drilled concepts without learning to map them to scenario questions. Budget 40β60 hours if you have an IT background. Budget closer to 80β120 hours if you're starting from scratch.
TL;DR
- The exam is 75 multiple-choice questions in 120 minutes with a 70% passing score. No performance-based questions, no labs, no trick formats β just multiple choice.
- The standalone exam voucher costs $74.99 USD. The full bundle with courseware, labs, and voucher costs $299. These are different SKUs, not conflicting prices.
- EC-Council positions EHE as a stepping stone to CEH, not a hiring credential. It carries limited independent weight in most job markets.
- The exam rewards vocabulary precision. "Mark, a professional hacker, does Xβ¦" β you need to know what X is called. Every time.
- Trap questions cluster around three areas: the five hacking phases (especially the Maintaining Access phase), Kubernetes node components, and active vs. passive attack classification.
- Domain weights are not published. The official EHEv1 blueprint PDF exists but does not break out percentages per domain.
- Community pass rate data is unavailable. No significant pool of "I passed the proctored 112-52" writeups exists in public forums β this exam has a small community footprint.
What This Exam Is Really About
EHE is a vocabulary exam dressed up as a technical certification. Almost every question presents a named-actor scenario β "Ruby visited her target disguised as a candidateβ¦" or "Mark, a professional hacker, injects malicious SQL codeβ¦" β and asks you to identify the technique, phase, attack type, or countermeasure from a defined list. The skill being tested is not whether you can execute these techniques. The skill is whether you know EC-Council's exact names for them.
The deeper purpose is candidate preparation for CEH. EC-Council designed EHE to give beginners a structured map of the ethical hacking knowledge domain before they encounter the harder, scenario-reasoning questions on the CEH exam. If you understand what EHE is optimizing for β vocabulary acquisition across 12 specific modules β your study strategy becomes obvious: learn the definitions cold, build tool-to-purpose mappings, memorize the named frameworks, and practice recognizing scenario descriptions in multiple-choice format.
Exam at a Glance
| Item | Value |
|---|---|
| Exam Code | 112-52 |
| Cost | $74.99 USD (voucher only); $299 USD (full bundle with courseware, labs, and voucher) |
| Duration | 120 minutes |
| Questions | 75 scored |
| Passing Score | 70% (fixed; unlike CEH's variable cut score) |
| Format | Multiple choice only |
| Validity | 3 years |
| Testing | Online proctored via EC-Council RPS / EC-Council exam portal (eccexam.com) |
| Retake Policy | No wait for 2nd attempt; 14-day wait between 3rdβ5th attempts; max 5 attempts per 12 months; 12-month wait after exhausting 5 attempts |
| Prerequisites | None |
| Recertification | Retake the exam; not part of EC-Council's ECE scheme, so no CPE credits required |
The 70% passing score is fixed β 53 correct answers out of 75. There is no adaptive scoring or variable cut score here, unlike the CEH. No negative marking applies, so answering every question is strictly correct strategy: a blank answer is always worse than a guess.
At 96 seconds per question, time pressure is real but manageable. Most candidates who have done their preparation finish in 60β80 minutes and use remaining time to revisit flagged questions. The format is exclusively multiple choice β there are no drag-and-drop, hotspot, or command-line simulation questions anywhere on this exam.
The cost structure is a genuine source of confusion. The $74.99 standalone voucher buys one proctored exam attempt. The $299 bundle adds approximately 750 pages of official ecourseware, 15+ hours of video, 11 lab activities, a CTF capstone challenge, and the exam voucher. If you have an IT background and plan to use the free Coursera or edX course for content, buy the voucher only. If you are starting from no IT background and need structured instruction, the bundle's lab activities justify the price difference.
The exam is delivered through EC-Council's RPS proctoring system and registered through the ASPEN portal. Results post either immediately or within a few days to your EC-Council ASPEN portal account.
Who Should Take This Exam
EHE is the right move for three specific profiles. First, complete beginners β students, career switchers, and people with no prior IT experience β who want a structured introduction to the ethical hacking knowledge domain before pursuing CEH or Security+. Second, anyone who is specifically targeting CEH and wants to internalize EC-Council's vocabulary and framework naming conventions in advance. The terminology overlap is significant, and building fluency in it at the EHE level pays dividends when CEH scenario questions use the same taxonomy. Third, students and early-career candidates who want a verifiable EC-Council credential on a resume while building toward more advanced certifications.
EHE is the wrong move if you already have an IT or security background and are looking for a credential with independent hiring weight. In most cybersecurity job markets, EHE alone does not appear as a preferred or required qualification in job postings. Candidates with existing background should evaluate Security+ or eJPT as alternatives β both carry stronger market recognition. EHE is not a destination certification; EC-Council describes it explicitly as a stepping stone.
The 12 Domains and What Actually Gets Tested
Domain weights are not published by EC-Council. The official EHEv1 blueprint PDF exists but does not break out percentages per domain. The section breakdowns below are based on the official exam content and available sample questions. Treat each domain as roughly equal in weight until official data is released.
Domain 1 β Information Security Fundamentals (weight not published)
The official exam covers the CIA triad β Confidentiality, Integrity, Availability β along with two extended elements that often appear in questions: Authenticity and Non-repudiation. The Security, Functionality, and Usability triangle appears as a concept describing trade-offs between these three attributes.
Attack classification is the highest-yield topic in this domain. Five categories appear repeatedly: Passive (eavesdropping, traffic analysis β attacker does not modify data), Active (DoS, injection, session hijacking β attacker modifies or disrupts), Close-in (requires physical proximity: shoulder surfing, dumpster diving, evil maid attacks), Insider (by someone with legitimate access: pod slurping, sabotage), and Distribution (supply chain tampering before delivery: counterfeit hardware or software). The exam tests whether you can classify a described scenario into the correct category. The word "active" appears in both attack classification and sniffing β the context determines which definition applies.
Named laws and regulations are tested directly. Memorize these by name and their domain: GDPR (EU personal data, data minimization principle), HIPAA (healthcare), SOX/Sarbanes-Oxley (investor and financial disclosures), DMCA (anti-circumvention of copy protection), PCI-DSS (payment card data), ISO/IEC 27001 (ISMS requirements), GLBA (financial services), FISMA (US federal systems), and the Computer Fraud and Abuse Act (CFAA). Questions present a scenario involving a type of data or violation and ask which regulation applies.
Limited community data exists for this domain specifically. The pattern across available sample questions shows law-name identification as a recurring format.
Domain 2 β Ethical Hacking Fundamentals (weight not published)
Two frameworks dominate this domain and both are heavily tested. The five phases of the hacking cycle β Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks β appear in multiple question formats. The trap question pattern: "In which phase does the attacker use the compromised system as a launch pad for further attacks?" The answer is Maintaining Access, not Gaining Access. This distinction catches candidates who conflate the two.
The seven-phase Cyber Kill Chain (Lockheed Martin) is a separate framework and must not be confused with the five-phase hacking cycle. The sequence: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives. Do not conflate the two frameworks on exam day.
Hacker classification is tested by name: Black hat (malicious, unauthorized), White hat (authorized, ethical), Gray hat (no explicit authorization but discloses findings), Suicide hackers (cause maximum damage regardless of consequences), Script kiddies (use existing tools without understanding), State-sponsored hackers, Hacktivists, Cyberterrorists. Questions typically describe motivation and ask which category applies.
The domain also covers TTPs (Tactics, Techniques, and Procedures) and MITRE ATT&CK as a framework name β recognize it when it appears, but deep ATT&CK matrix knowledge is not required at this level.
Domain 3 β Information Security Threats and Vulnerability Assessment (weight not published)
Malware taxonomy is the primary focus. Know the definitions cold: Trojan (masquerades as legitimate software), Virus (attaches to a host file, requires execution), Worm (self-replicating, no host file needed), Ransomware (encrypts files, demands payment), Rootkit (maintains privileged access while hiding presence), Backdoor (covert access mechanism), Keylogger (records keystrokes), Botnet (network of compromised machines), Fileless malware (executes in memory, no disk artifact), Logic bomb (triggers on a condition), Crypter (encrypts malware to evade detection), Wiper (destroys data). Questions typically describe behavior and ask for the malware type.
Vulnerability assessment types appear as a list: Active, Passive, External, Internal, Network, Application, Host-based, Wireless, Database. Know the distinction between active (sends probes to targets, potentially disruptive) and passive (observes traffic without sending probes).
Named vulnerability scanning tools to recognize: Nessus, Qualys, GFI LanGuard, OpenVAS, Nikto, Acunetix. CVSS (Common Vulnerability Scoring System) and CVE (Common Vulnerabilities and Exposures) appear as named standards.
Domain 4 β Password Cracking Techniques and Countermeasures (weight not published)
Attack categories follow a four-way classification: Non-electronic (shoulder surfing, dumpster diving, social engineering β no technology involved), Active online (dictionary attack, brute force, rule-based, LLMNR/NBT-NS poisoning, Pass-the-Hash, Kerberoasting β attacker interacts directly with the target system), Passive online (wire sniffing, MITM, replay attacks β attacker observes without direct interaction), and Offline (rainbow table attacks, hash cracking after obtaining a hash file).
Tool-to-purpose mappings for this domain: John the Ripper and Hashcat for offline hash cracking, Hydra and Medusa for online brute-force attacks, L0phtCrack and Ophcrack for Windows password auditing, RainbowCrack for rainbow table attacks, Cain and Abel for network sniffing and hash extraction.
Countermeasures are tested as well: password complexity policies, account lockout thresholds, MFA, salted hashes, and password managers. A question might describe an attack and ask which countermeasure most directly addresses it.
Domain 5 β Social Engineering Techniques and Countermeasures (weight not published)
Social engineering splits into human-based and computer-based vectors. Human-based techniques include: impersonation, vishing (voice-based phishing), eavesdropping, shoulder surfing, dumpster diving, tailgating (following someone through a secure door), piggybacking (with the person's unaware consent), reverse social engineering (attacker creates a problem, offers the fix), pretexting (fabricated scenario to gain trust), and quid pro quo (exchange of services).
Computer-based techniques include: phishing, spear phishing (targeted), whaling (targeting executives), pharming (DNS poisoning to redirect), smishing (SMS-based), spam, scareware (fake alerts), baiting (physical or digital lure), watering hole (compromising a site the target visits), and business email compromise (BEC).
The influence principles that underpin social engineering are testable: Authority, Intimidation, Social Proof, Scarcity, Urgency, Familiarity/Liking, Reciprocity, and Trust. A question describing a scenario where an attacker claims to be from IT support and demands urgent action maps to Authority and Intimidation β know both.
Insider threats follow their own taxonomy: Malicious (intentional harm), Negligent (careless, unintentional), Compromised (credentials stolen and used by an external actor), and Professional insider (sells data). Pod slurping β USB-based data exfiltration β is a named technique that appears in sample questions. Don't skip it.
Some community sources note that pretexting scenarios appear in sample questions for this domain, though broader exam frequency data is limited.
Domain 6 β Network Level Attacks and Countermeasures (weight not published)
Sniffing mechanics require understanding the active/passive distinction in a switched-LAN context. Passive sniffing works on hub-based networks. Active sniffing on switched networks requires injecting traffic to redirect frames: MAC flooding (overflow the CAM table, force switch to broadcast), ARP poisoning (poison ARP cache to redirect traffic), DHCP starvation (exhaust the IP address pool). Active sniffing tools: Wireshark, tcpdump, Ettercap, Cain and Abel, NetworkMiner.
DoS and DDoS attacks fall into three categories: Volumetric (UDP flood, ICMP flood, amplification attacks β measured in bits/second), Protocol (SYN flood, ping of death, Smurf attack β measured in packets/second), Application-layer (HTTP flood, Slowloris β measured in requests/second). Know which category each named attack belongs to.
The Mirai botnet appears as a named case study: at its November 2016 peak it enslaved over 600,000 IoT devices using 62 default credential pairs. The October 2016 attack on Dyn disrupted GitHub, Twitter, Reddit, Netflix, and Airbnb. Questions might reference "exploiting default credentials on IoT devices" as the attack vector.
Session hijacking covers two levels: network-level (TCP/UDP hijacking, IP spoofing, RST hijacking, blind hijacking, MITM) and application-level (session sniffing, session fixation, session prediction, XSS-based token theft, CSRF). Know which level each technique operates at.
Domain 7 β Web Application Attacks and Countermeasures (weight not published)
The EHE v1 coursebook is aligned to OWASP Top 10:2021, not the more recent 2025 update. Study the 2021 list: Broken Access Control (A01), Cryptographic Failures (A02), Injection (A03), Insecure Design (A04), Security Misconfiguration (A05), Vulnerable and Outdated Components (A06), Identification and Authentication Failures (A07), Software and Data Integrity Failures (A08), Security Logging and Monitoring Failures (A09), Server-Side Request Forgery (A10). Questions may present a vulnerability description and ask which OWASP category it falls under β use the 2021 list.
SQL injection breaks into three categories: in-band (Error-based: uses database error messages; UNION-based: uses UNION SELECT to append results), inferential/blind (Boolean-based: infers data from true/false responses; Time-based: infers data from response delays), and out-of-band (uses DNS or HTTP requests to an external server). Named SQLi tools: sqlmap, Havij, jSQL, BBQSQL. The correct countermeasure for SQLi is parameterized queries / prepared statements β that answer appears in sample questions and is the right answer every time it appears alongside input filtering options.
XSS prevention via Content Security Policy (CSP) appears in community sample questions. Web application testing tools to recognize: Burp Suite (intercepting proxy and scanner), OWASP ZAP (open-source alternative to Burp), Nikto (web server scanner), w3af, Acunetix.
Domain 8 β Wireless Attacks and Countermeasures (weight not published)
The wireless encryption hierarchy is the single highest-yield topic in this domain: WEP (broken, uses RC4 stream cipher) < WPA (RC4 with TKIP for key mixing) < WPA2 (AES-CCMP, the current standard) < WPA3 (SAE/Dragonfly handshake with forward secrecy). When a question asks which is most secure and WPA3 is an option, choose WPA3. When WPA3 is not listed, choose WPA2. Sample questions available in community sources confirm this pattern.
Named Wi-Fi attacks: Rogue AP (unauthorized access point), Evil Twin (AP impersonating a legitimate one), Deauthentication attack (using aireplay-ng to force disconnection), KRACK (key reinstallation attack against WPA2 4-way handshake), WPS PIN cracking (Reaver exploits WPS to recover the WPA/WPA2 passphrase), War-driving (scanning for wireless networks while mobile).
Bluetooth attacks follow their own naming convention: Bluesnarfing (unauthorized data theft), Bluejacking (sending unsolicited messages), Bluebugging (gaining full device control), BluePrinting (fingerprinting a device's capabilities), Bluesmacking (Bluetooth DoS), BlueBorne (remote exploitation without pairing). Questions typically describe the outcome and ask for the attack name.
Wireless tools: Aircrack-ng, Kismet, Reaver, Wifite, NetStumbler.
Domain 9 β Mobile Attacks and Countermeasures (weight not published)
Platform-specific attack vectors include malicious apps, repackaged apps (legitimate apps modified with malware), jailbreaking (iOS, removes Apple's restrictions) and rooting (Android, gains superuser access), SS7 protocol attacks (exploiting the signaling protocol used by telecom networks), and Simjacker β a named vulnerability that exploits the S@T browser embedded in SIM cards to send covert SMS instructions to a target device.
MDM concepts tested: BYOD (Bring Your Own Device), COPE (Corporate-Owned, Personally Enabled), geofencing (location-based policy enforcement), remote wipe, app sandboxing, and containerization (separating corporate and personal data on the same device).
Named mobile testing tools to recognize: Drozer (Android security testing), MobSF (Mobile Security Framework, static and dynamic analysis), Frida (dynamic instrumentation), zANTI (Android network analysis).
Domain 10 β IoT and OT Attacks and Countermeasures (weight not published)
IoT protocols appear as a vocabulary list: MQTT (lightweight publish-subscribe messaging), CoAP (constrained application protocol), AMQP (message queuing for enterprise), ZigBee (low-power mesh networking), BLE (Bluetooth Low Energy), Z-Wave (smart home mesh), LoRaWAN (long-range, low-power WAN). Know the protocol names and their primary use contexts.
The Purdue Model for industrial control system network segmentation uses levels 0β5. This is a trap question area. Level 0 represents physical sensors and actuators at the process floor. Level 1 is intelligent devices and PLCs. Level 2 is supervisory control (HMI, SCADA). Level 3 is manufacturing operations. Level 4β5 are enterprise IT systems. The trap question pattern: "Which Purdue Model level represents physical sensors and actuators?" The answer is Level 0.
ICS/SCADA component names to recognize: PLC (Programmable Logic Controller), RTU (Remote Terminal Unit), HMI (Human-Machine Interface), DCS (Distributed Control System), Historian (time-series data logging). The Mirai botnet case study from Domain 6 applies here as well β insecure default configurations on IoT devices as the primary attack vector is confirmed in sample questions.
Domain 11 β Cloud Computing Threats and Countermeasures (weight not published)
Cloud service models require knowing who controls what. In IaaS, the customer controls the OS, runtime, middleware, and applications. In PaaS, the customer controls only applications and data. In SaaS, the customer controls only user access and data. These responsibility boundary questions appear in a "shared responsibility" framing.
Cloud deployment models: Public (shared infrastructure, managed by provider), Private (owned, managed, and operated exclusively by a single organization), Community (shared by organizations with common interests), Hybrid (combination of two or more), Multi-cloud (multiple public cloud providers). The trap question: "Which deployment model is owned and managed exclusively by a single organization?" The answer is Private β not Hybrid or Community.
Container and Kubernetes component questions appear in sample banks. Kubernetes control plane components: kube-apiserver, etcd, scheduler, controller-manager. Worker node components: kubelet (registers the node with the control plane and manages pod lifecycle), kube-proxy, container runtime. The trap question: "Which component runs on each worker node and registers it with the control plane?" Answer: kubelet.
The correct answer to container security questions is consistently: regularly scan containers and images for vulnerabilities. This phrasing appears verbatim in available practice questions and maps to the defense-oriented framing used throughout the course.
Named cloud threats: data breaches via misconfigured storage (S3 buckets), insecure APIs, side-channel attacks (VM co-residency), account hijacking, cryptojacking (unauthorized use of compute resources for mining).
Domain 12 β Penetration Testing Fundamentals (weight not published)
Four key definitions must be precise. A penetration test proves exploitability β the tester actually exploits a vulnerability. A vulnerability assessment identifies and lists weaknesses without exploiting them. A security audit checks compliance against a standard. A red team exercise simulates an adversary's full attack chain. Questions describe an activity and ask which category it represents β precision on these four definitions is required.
Engagement strategies: Black box (no prior knowledge), Gray box (partial knowledge, often used for internal testing), White box (full knowledge, most thorough). Pen testing methodologies by name: OSSTMM, PTES (Penetration Testing Execution Standard), NIST SP 800-115, OWASP Testing Guide, ISSAF. Know these names β questions ask which methodology is being referenced.
Legal and contractual elements: Statement of Work (SOW), Rules of Engagement (RoE), NDA, scope definition, and the "get-out-of-jail letter" (formal written authorization that protects the tester). Questions in this area test whether candidates know which document authorizes specific activities. Sample questions confirm the five penetration testing phases β Reconnaissance, Scanning/Enumeration, Gaining Access, Maintaining Access, Clearing Tracks β as testable content here as well.
What Trips Candidates Up
The failure patterns in community sources are consistent on one point: overconfidence about the vocabulary. Candidates who have general IT experience assume they already know this material. They do not β not at EC-Council's naming-convention level.
Conflating the five hacking phases with the seven Kill Chain phases. These are two different frameworks with different step counts and different names for overlapping concepts. "Reconnaissance" appears in both; that's where the similarity mostly ends. Learn them as separate lists. Write them out. Know which framework a question is referencing based on whether it uses Kill Chain terminology (Weaponization, C2, Actions on Objectives) or hacking cycle terminology (Maintaining Access, Clearing Tracks).
Getting burned on the active/passive distinction. This distinction applies in three separate contexts: attack classification, sniffing, and vulnerability assessment. In sniffing, active sniffing injects traffic on a switched network. In attack classification, active attacks modify or disrupt data. In vulnerability assessment, active scanning sends probes. A question that uses the word "active" can be asking about any of these β read the context carefully before answering.
Neglecting the named laws. Questions like "which regulation addresses anti-circumvention of copy protection?" (DMCA) or "which law governs investor financial disclosures?" (SOX) feel like trivia until they show up and cost a point. They appear. Memorize the law names and their domains.
Skipping cloud and IoT modules. Some candidates treat these as lightweight or new-to-the-blueprint content and underinvest. Limited community data suggests these modules are covered. The Kubernetes/kubelet trap and the Purdue Model Level 0 trap both come from this area. Don't treat them as optional.
Time management in reverse. Allocating approximately 96 seconds per question is the right average, but distributing time evenly is not the right strategy. Scenario questions that require parsing a paragraph-length setup take longer than single-sentence vocabulary questions. Flag the long ones, answer the fast ones first, then return. The no-penalty-for-guessing rule means leaving questions blank at time's end is a preventable error.
What not to study: Deep practical tool usage. You do not need to know Nmap flag syntax, how to write a SQL injection payload, or how to configure Aircrack-ng. The exam tests whether you know what these tools do and which category they belong to β not whether you can use them. Spending study time on hands-on labs may build real skills, but it is not what this exam measures.
How to Prepare
Foundation: EC-Council makes the EHE course available for free through its Essentials Series program, with the same content accessible via Coursera and edX audits. The Coursera version carries a 4.6/5 rating based on over 600 reviews, with 75,000+ enrolled students. The course is well-structured and covers all 12 modules directly. Its one genuine weakness: it is easier than the exam. Completing the course gives you coverage β it does not mean you are ready to sit. Most candidates who treat course completion as exam readiness score in the low 70s or fail.
Official study guide: The EHEv1 Exam Blueprint PDF is available at cert.eccouncil.org/images/doc/EHEv1%20Exam%20Blueprint.pdf. Use it as a domain checklist β every topic listed should be covered and understood before you schedule.
Practice questions: The CertCompanion EHE question bank is the primary practice recommendation. Multiple-choice vocabulary questions from the course feel different from timed scenario-format exam questions. You need to practice the scenario mapping: read a paragraph describing an attack, strip out the named actor and the narrative detail, identify the action, and match it to the correct term. Aim for 80%+ on practice exams before scheduling. If you are hitting 65β70%, that is not readiness β that is a study gap in specific domains that practice data will make visible.
Official exam tools:
- EC-Council ASPEN portal (aspen.eccouncil.org) for exam registration and credential management
- EC-Council CyberQ Exam Prep (approximately $22) β EC-Council's own practice bank, mapped to the official syllabus
- EHE iLabs (available as a standalone SKU, approximately $44) β 11 lab activities for candidates who want hands-on exposure, though labs are not tested on the exam
- Free Coursera or edX audit of the official EHE course for content coverage
Discount and pricing note: EC-Council's Essentials Series launched the EHE course content as a free entry-level program. If you only need the exam credential and have existing IT knowledge, the standalone voucher at $74.99 is the cost-efficient path. If you're starting with no background, the $299 bundle provides lab activities and courseware that the free course does not include.
Study Timeline by Background
| Background | Estimated Hours | Notes |
|---|---|---|
| IT professional with networking or security background | 30β50 hours | Content overlap is high. Focus on EC-Council's specific naming conventions, the legal frameworks, and the tool taxonomy. Most of the concepts will be familiar; the vocabulary may not be. |
| IT background without security focus | 50β80 hours | The technical domains (networking, web, wireless) will move quickly. Budget extra time for the legal/regulatory module and the full malware taxonomy. |
| Non-technical / true beginner | 80β120 hours (limited community data) | One community source suggests approximately 2 months at a minimum of 2 hours per day for beginners. At this level, the free Coursera course plus a full read of the official coursebook is the right foundation before attempting practice exams. |
Exam-Day Tactics
Schedule through the EC-Council ASPEN portal after receiving your voucher. The exam is delivered via EC-Council's RPS remote proctoring system at eccexam.com, not through Pearson VUE or PSI. For remote testing: quiet room, functioning webcam and microphone, government-issued photo ID, clear desk, stable internet connection with pop-ups disabled and other applications closed. Log in 15β20 minutes before your scheduled time. There are no formal breaks, so handle logistics before starting.
For the 75-question format, a practical time budget: allocate roughly 90 seconds to answer each question on the first pass, flagging anything that requires more than a quick scenario match. This leaves a 15β20 minute buffer for flagged questions. No negative marking applies β every unanswered question at time's end is a missed point that a guess could recover.
On scenario questions, use the stripping technique: ignore the name, ignore the narrative setup, focus on the action and the artifact. "Mark, a professional hacker, uses a tool to capture network traffic without actively injecting frames on a hub-based network" = passive sniffing. Once you identify the action and context, the answer is a vocabulary lookup.
Watch for qualifier words embedded mid-question: "NOT," "EXCEPT," "BEST," "FIRST," "LEAST." These flip the question. Read every question twice before selecting. The first read identifies the topic. The second read confirms whether the question is asking for the attack or the countermeasure, the most secure option or the least secure, the correct phase or the one that does NOT apply.
Results post either immediately or within a few days to your EC-Council ASPEN portal. Your badge and certificate are accessible through the ASPEN portal after your credential is processed.
After You Pass
EHE certifies that you understand EC-Council's ethical hacking knowledge taxonomy at a foundational level. The roles it most logically supports are entry-level: Security Analyst, Junior Penetration Tester, Ethical Hacker roles in training, and Network Security Engineer positions where a foundational security credential is listed as preferred rather than required.
No specific salary data tied to the EHE credential is available from Glassdoor, LinkedIn, or other major sources. The certification is new enough and niche enough that EHE-specific compensation data does not appear in public salary databases. Broader EC-Council certifications like CEH are associated with cybersecurity roles in the $70,000β$120,000+ range depending on experience and geography, but EHE is a stepping stone to those credentials, not a salary lever on its own.
Renewal: EHE is valid for 3 years. It is not part of EC-Council's Continuing Education (ECE) scheme β you do not need to earn CPE credits during the 3-year term. Recertification requires retaking and passing the exam. Retake vouchers are available through the EC-Council store.
Logical next certifications: CEH (Certified Ethical Hacker) v13 is the direct next step in the EC-Council track. It covers the same 12 knowledge domains at a significantly deeper level with more complex scenario reasoning and a variable cut score. CISSP is a longer-horizon goal, appropriate after several years of security experience, covering a much broader governance and architecture scope. Both are legitimate next steps depending on whether your goal is technical depth in ethical hacking (CEH) or breadth across security management and architecture (CISSP).
Frequently Asked Questions
Is the EHE exam hard? Not for candidates who prepare systematically. The exam tests vocabulary and framework recognition, not hands-on execution. It is generally considered easier than CompTIA Security+ and significantly easier than CEH. The primary failure mode is entering without timed practice under exam conditions, not a lack of technical depth.
How many hours should I study for the EHE? It depends on background. Candidates with IT or networking experience typically report 30β50 hours of preparation. Those without IT background should plan for 60β80 hours minimum, and limited community data suggests complete beginners may need approximately 2 months at 2+ hours per day. Use practice exam scores as your readiness signal: schedule when you're consistently hitting 80% or above.
Does the EHE expire? Yes. EHE is valid for 3 years from the date you pass. Unlike CEH, it is not part of EC-Council's ECE continuing education program, so no CPE credits are required during the validity period. Recertification requires retaking and passing the exam.
Are there prerequisites for the EHE? None. EC-Council lists no formal prerequisites for EHE. No prior IT experience, no mandatory training, no experience verification. Anyone can register and sit the exam.
What happens if I fail the EHE? You can attempt a second sitting immediately with no waiting period. A 14-day waiting period applies between your 3rd and 5th attempts. After 5 failed attempts within a 12-month window, you must wait 12 months before trying again. Per EC-Council's official retake policy, the maximum is 5 attempts per 12-month period.
Is the EHE worth it for job applications? As a standalone credential, EHE carries limited independent hiring weight in most cybersecurity job markets. Its value is primarily as a stepping stone: it builds the EC-Council vocabulary that makes CEH preparation more efficient, and it provides a verifiable credential for early-career candidates or students applying for internships and entry-level roles. If a hiring credential is the primary goal, Security+ or eJPT typically appear more frequently in job postings.
What's the difference between the free EHE course and the proctored 112-52 credential? This is a genuine source of confusion. The free EHE course on Coursera and edX, and its completion certificate, are a MOOC certificate β not the proctored EC-Council 112-52 credential. The proctored exam requires purchasing a voucher (separately or as part of a bundle), registering through EC-Council ASPEN, and completing a remotely proctored test session. Many LinkedIn posts celebrating "earning EHE" refer to the Coursera completion certificate. The two are different things.
How much does the EHE exam cost? The standalone exam voucher is $74.99 USD (with regional variations for UK and Canada). The full bundle including official courseware, 15+ hours of video, 11 lab activities, a CTF capstone, and the exam voucher is $299 USD. If you plan to use the free Coursera or edX course for content, buy the voucher only.
The EHE is a well-scoped entry-level exam for a specific audience: beginners building toward CEH, students who need a structured cybersecurity foundation, and career switchers who want a credential to attach to a resume while they develop real skills. Passing it requires memorizing EC-Council's exact vocabulary across 12 modules, learning to map scenario descriptions to defined terms, and practicing timed multiple-choice questions until the scenario-stripping process becomes fast. The free Coursera course covers the content. Timed practice questions build the exam muscle. When you're hitting 80% consistently, you're ready to schedule.
Start with the CertCompanion EHE practice questions to identify which of the 12 domains need more time before you book your exam date.