CompTIA Security+ vs CEH — which cybersecurity cert should you actually get first?
Both badges open doors. But they open very different ones — and picking wrong could cost you months of prep time and thousands of dollars.
Every week someone posts the same question on r/cybersecurity: “Should I start with Security+ or CEH?” It gets hundreds of replies, most of them contradictory. Some swear by CompTIA. Others insist CEH is the only cert that proves you can actually hack something. A few rogue voices say skip both and go straight to OSCP.
Here’s the thing — there’s no universally correct answer. But there is a right answer for you, depending on where you are in your career, how much you can spend, and what kind of work you actually want to do. Let’s break it down without the noise.
First, what are these certs, really?
Security+ is a broad-spectrum foundation. It covers everything from cryptography and access control to threat intelligence and incident response — the conceptual scaffolding every security professional needs. CEH zooms in on one narrow lane: how attackers think, what tools they use, and how to ethically replicate their methods.
Neither is wrong. They just aim at different targets.
The numbers that matter
Higher CEH salaries reflect specialization in penetration testing and offensive security — roles that typically require experience before a cert adds significant value.
What each exam actually tests
CompTIA Security+ (SY0-701)
The current version leans heavily into real-world scenarios. You’ll encounter performance-based questions that drop you into a simulated environment — configure a firewall, analyze a SIEM alert, identify a phishing artifact in a mail header. The domains include: general security concepts, threats and vulnerabilities, security architecture, security operations, and security program management. It’s comprehensive by design. No single topic gets too deep, but nothing is skipped either.
CEH v13
This one is purely multiple choice — 125 questions testing your knowledge of attack phases, tools, and countermeasures. It follows the EC-Council’s 20-module framework, covering footprinting and reconnaissance, scanning, enumeration, vulnerability analysis, system hacking, malware threats, sniffing, social engineering, denial-of-service attacks, web application hacking, and more. The newest version also touches on AI-assisted attack vectors, which reflects how the threat landscape has evolved.
Security+ makes you answer “what is happening and how do we stop it?” CEH makes you answer “how would I do this if I were the attacker?” Both are useful mental models — but one is assumed knowledge before the other becomes meaningful.
Prerequisites: the honest version
CompTIA says Security+ has no formal prerequisites, but recommends Network+ and two years of IT experience. That’s genuinely good advice — without some networking foundation, the exam will feel like learning to swim in the deep end. That said, plenty of career changers pass Security+ with focused self-study in 8–12 weeks.
CEH is more demanding. EC-Council requires either two years of documented work experience in information security or completion of an official EC-Council training course (which costs between $1,000 and $3,500 on its own). If you walk into CEH cold, without networking fundamentals and at least a basic grasp of Linux and TCP/IP, you’re going to have a rough time.
Who should pick which?
Choose Security+ if:
- You’re new to cybersecurity or transitioning from IT
- You want to qualify for more entry-level job listings
- Budget is a real constraint right now
- You’re targeting government or defense sector work
- You want a solid foundation before specializing
- You don’t yet have 2 years of security experience
Choose CEH if:
- You already hold Security+ or Network+
- You specifically want penetration testing or red team work
- A specific employer or contract requires it
- You have a networking or sysadmin background
- Your organization will cover the exam cost
- You want to specialize fast in offensive security
The career path that actually makes sense
Recommended progression for most professionals
A word on the CEH controversy
Security practitioners are divided on CEH’s real-world value. In many technical communities, the certification gets criticized for being a memorization exercise rather than a skills test. The main exam is entirely multiple choice — you never actually exploit anything. EC-Council offers a separate “CEH Practical” exam that tests hands-on hacking skills in a lab, but it’s rarely required by employers and costs extra.
That said, dismissing CEH entirely misses the point. For government contractors, federal positions, and any role requiring DoD 8570 compliance, CEH checks a real box that OSCP — however technically rigorous — does not. Name recognition in HR systems is a genuine career asset, even if it frustrates security purists.
The honest take: CEH is a career strategy cert as much as a skills cert. There’s nothing wrong with that, as long as you know what you’re buying.
Cost breakdown: what you’re actually spending
Security+ all-in runs roughly $400–$900. That covers the exam voucher (~$400), study materials, and a practice exam or two. Professor Messer’s free YouTube videos and affordable study guides mean you can get prepared for very little if you’re disciplined about it.
CEH is a different story. The exam alone is ~$950. If you don’t qualify via work experience, EC-Council’s official training course is required and can add $1,000–$3,500 to the total. The full pathway — training, exam, and renewal — often runs $3,000–$4,700. That’s a meaningful financial commitment, especially early in a career.
The final verdict
For most people reading this, Security+ comes first. It teaches concepts that CEH assumes you know, qualifies you for more entry-level jobs, and costs a fraction of the price. It’s a lower-risk way to validate your interest in cybersecurity before committing to a specialty.
Then, once you’re in the field and have some experience under your belt, CEH becomes a meaningful addition — especially if your employer will pay for it or your target role specifically requires it.
The good news? You don’t have to choose just one forever. Many of the strongest cybersecurity professionals hold both, using Security+ as the broad foundation and CEH (or OSCP) as the offensive specialization layer on top.
The cybersecurity certification landscape changes frequently. Exam codes, costs, and DoD approval statuses are accurate as of April 2026 but should be verified against official CompTIA and EC-Council documentation before registering.