Every cybersecurity professional asks the same question at some point: can you get a CEH certification for free? It's a fair question. The credential is expensive, the training market is crowded, and there's no shortage of websites promising shortcuts. The direct answer is no: the actual exam isn't free. But that's only part of the story.
EC-Council charges between $950 and $1,199 for the exam voucher, plus training costs on top of that if you don't qualify for the self-study route. What most people don't realize is how much of the preparation can be done without spending anything, and how many legitimate programs exist that can cover part or all of the cost depending on your situation.
Before diving in, it helps to understand EC-Council's two-track system. If you have two or more years of documented information security work experience, you can skip mandatory training entirely and go straight to the exam, paying only the $100 application fee plus the voucher. That route dramatically lowers the cost floor. If you don't have that experience yet, you'll need to factor in training. Each track has a different set of free resources that apply, so knowing which path you're on shapes everything else in this guide.
Even without spending anything, the free CEH preparation ecosystem is substantial. Here's what's worth your time, and why each resource matters specifically for CEH.
Practice tests are the highest-leverage free tool available. Our CEH practice test covers all 20 domains with questions modeled on the real exam format. The reason they're so effective: CEH is a knowledge-based exam, not a performance lab. You're tested on recognizing correct methodology and understanding tools conceptually, exactly what repeated practice questions reinforce. Don't skip these in favor of more reading.
The CEH study guide walks through all major domains without a paywall. Our CEH practice test PDF is also free to download, useful for offline studying or printing. For book-length content, library apps like Libby and Hoopla let you borrow current cybersecurity titles at no cost; older CEH exam guides are especially well-stocked.
Reading about ethical hacking techniques isn't enough: CEH expects you to understand how tools actually work. TryHackMe's free tier includes the "Jr Penetration Tester" learning path, which covers Nmap, Burp Suite, Metasploit, and privilege escalation. Hack The Box's free Starting Point machines let you practice real exploitation chains. Neither requires a subscription for the foundational content that maps directly to CEH domains.
NetworkChuck and David Bombal together have produced hundreds of hours of ethical hacking and networking content that's directly relevant to the CEH curriculum. EC-Council's own YouTube channel publishes domain-focused videos regularly. For foundational networking (a significant chunk of the exam), Professor Messer's CompTIA Network+ series is free and thorough enough to cover what CEH tests on the networking side.
These aren't theoretical: they're programs that actively fund cybersecurity certifications for eligible candidates. Most people don't research them because they assume certification costs are non-negotiable. They're not.
The DoD 8570 compliance framework requires CEH (or equivalent) for many government cyber roles, which means federal funding flows to pay for it. The GI Bill covers CEH training at approved providers. MyCAA scholarships provide up to $4,000 for qualifying military spouses. Some installations have direct EC-Council training partnerships that are available to service members at little or no cost.
The Workforce Innovation and Opportunity Act funds retraining for unemployed and underemployed workers. Cybersecurity is a high-priority sector in most states, and CEH is on the approved list for many state workforce boards. Approval takes a few weeks and usually requires an assessment, but the funding can cover the full training and exam cost. Check your state's workforce development website to start the process.
If you're already in IT or security, this is the most direct path. The CEH job market is active: employers know the credential has value, and many have established reimbursement policies for certifications. The key is framing the request around business need: if your role involves security assessments, incident response, or penetration testing, CEH directly improves your capability. HR is much more receptive to "this improves our security posture" than "I want a career credential."
EC-Council periodically offers promotional pricing through its authorized training partners. Black Friday, Cyber Monday, and cybersecurity awareness month (October) are the most common windows for discounts. Partner providers sometimes bundle training and exam vouchers at significantly reduced rates. The CEH online training page covers the current partner landscape; comparing providers is worth doing before you commit to full price.
Let's be precise about what you'll actually pay, so nothing surprises you. The CEH exam cost depends on which path you take.
Self-study path (experience required): Two or more years of documented infosec work experience qualifies you for the eligibility application route. You pay $100 for the application and $950–$1,199 for the exam voucher. Total: roughly $1,050–$1,299. No training purchase required.
Training + exam path: Without the experience requirement (or if you want structured lab access), you purchase training. EC-Council's iLearn self-paced course costs about $850 and includes the exam voucher. Instructor-led training through authorized partners runs $1,500–$3,500. The CEH training cost guide compares current provider pricing in detail. Always verify your eligibility before assuming you need to buy training.
Renewal costs: CEH requires 120 EC-Council Continuing Education credits over three years plus an $80 annual membership fee to maintain. Budget for this when you're calculating the total cost of ownership, not just the initial certification.
Understanding what the CEH exam covers helps you allocate your free study time efficiently. The exam spans 20 domains, and they're not weighted equally. Knowing which areas carry more questions is how you avoid the common mistake of spending 80% of your prep time on network scanning because the labs are engaging, and then arriving underprepared for cryptography or social engineering questions.
The highest-weighted domains include network scanning and enumeration, system hacking, and web application hacking. These are well-represented in free learning resources. TryHackMe's free pathways, Hack The Box's Starting Point machines, and the OWASP Testing Guide collectively cover these areas in more depth than you'll actually need for the exam. The challenge isn't finding free material here; it's avoiding the rabbit hole of going deeper than CEH requires.
Social engineering is a domain many candidates underestimate. It appears consistently across exam instances and often trips up technically strong candidates who focused purely on tools. Free resources for this domain are thinner: most of the good material is in dedicated security books. Cialdini's "Influence" is free through many library apps, and the underlying psychology translates directly to how CEH frames social engineering scenarios.
The IoT and OT security domains were added in newer exam versions and represent the thinnest area for free prep content. EC-Council's own blog is actually one of the better free sources here because third-party content hasn't caught up yet. Treat these domains as supplementary: spend proportional time based on their exam weight rather than overinvesting because the material is newer and therefore feels more uncertain.
Cryptography is another domain that surprises candidates. CEH doesn't test deep math; it tests conceptual understanding of encryption types, hash functions, PKI, and common attack vectors against cryptographic systems. The free Khan Academy cryptography course covers the foundational concepts more than adequately, and most candidates find it clearer than the official EC-Council materials on this specific topic.
The passing score is 70%, which means you have room to carry weaker domains if your core areas are solid. But don't engineer your prep around that buffer: it exists as a recognition that no single candidate will be equally strong across all 20 domains, not as permission to skip significant chunks of the curriculum. Use free practice tests by domain to measure your actual score distribution, then spend your remaining prep time closing the gaps rather than reinforcing areas where you're already comfortable.
For someone already in a security role targeting penetration testing or ethical hacking work, CEH is one of the most recognized entry-to-mid-level credentials available. It appears on nearly every job posting for ethical hacker roles and satisfies DoD 8570 Level II requirements for government contractor positions, which is where a substantial chunk of the cybersecurity salary premium is.
Compare it to alternatives. OSCP is more respected among pure penetration testers, but it costs similarly and has no free path. CompTIA Security+ is cheaper but doesn't satisfy DoD 8570 Level II on its own. CISSP requires five years of experience. CEH sits in a useful middle position: accessible enough for mid-career professionals moving into security, recognized enough to move the needle on job applications. That's why it's stayed relevant for over two decades despite newer competitors.
For someone just starting out with no security background, the price tag is harder to justify before building hands-on skills. Free resources and lower-cost credentials like Security+ make more sense as a starting point. CEH delivers the most value as a second or third certification, after you've got real-world experience behind it. The CEH certification requirements reflect this: EC-Council wants candidates who already have working knowledge, not complete beginners.
The average ethical hacker with CEH in the US earns $90,000–$130,000. At that salary level, the certification typically pays for itself within weeks of landing the first role it enables. That's the lens to apply when evaluating the cost: not whether it's cheap in absolute terms, but whether the return justifies the investment given your specific career situation.
For most mid-career IT professionals targeting ethical hacking or penetration testing roles, the math works clearly in favor of pursuing CEH, especially when free preparation reduces the total cost of getting there. Start with the free resources, measure your readiness, then make the paid investment from a position of knowledge rather than guesswork.
There's a strategic reason to go deep on free resources before paying anything, beyond just saving money. The free prep phase is where you build the intuition that separates candidates who pass from those who memorize and forget. EC-Council's exam is designed to test applied knowledge, not regurgitation. Candidates who've actually used Nmap, Burp Suite, and Metasploit (even in free lab environments) consistently outperform those who only read about them. The tools are the same; the free labs just require more self-direction.
Another practical advantage of free-first preparation: you start identifying gaps before you've spent anything. Most people discover they have strong surface knowledge of many domains and real gaps in two or three specific ones. That diagnostic information lets you invest paid study time precisely where it matters rather than buying comprehensive training to cover areas you already understand.
Spending 60–90 days on free prep tells you something the marketing materials for training courses won't: whether ethical hacking is actually the career direction you want to commit to. Some candidates discover partway through TryHackMe that they love the network side but have little patience for web application attacks. That's genuinely useful information before you've spent $1,200 on an exam voucher.
Free prep also determines which paid tier you actually need. Candidates who've spent serious time in real lab environments (not just watched videos) frequently qualify for the self-study path and skip the training purchase entirely. The $850 savings from avoiding iLearn is real money. Even if you end up buying some paid training, knowing your current level means you can choose the right product rather than over-buying comprehensive instructor-led training when self-paced labs are all you need.
One thing free prep won't fully replicate: the structured accountability of a paid course with a cohort, instructor access, and hard deadlines. Some people study better with that structure, and for them the training cost isn't just paying for content; it's paying for the environment that makes them actually finish. That's a legitimate reason to buy training even if the free resources cover the same material. Know which type of learner you are before deciding.
If you're building toward a DoD 8570 role, keep records of your free study activities. Government contractors increasingly ask for evidence of continuing professional development beyond just certification. Documented lab hours on TryHackMe and Hack The Box, written notes on domains studied, and practice test score progression all demonstrate ongoing engagement with the field, useful both for the EC-Council eligibility application and for employer conversations about sponsorship or reimbursement.