dc dotCreds
Certified Ethical Hacker

CEH Practice Test

Start today's 10-question CEH set with source-backed explanations, local progress, and a fresh rotation every morning.

10 Free Daily Questions Source-backed Explanations 150 Verified Questions

Questions updated at Jul 10, 2026, 12:01 AM CDT

Guided Course Included Learn CEH step by step. Structured lessons, progress tracking, practice questions, and per-exam Course Notes covering every section in this bank.
Step-by-step lessons Per-exam Course Notes All sections included Practice tied to the same bank
CEH icon

CEH

Certified Ethical Hacker

Why this page works

  • Daily exam-aligned questions
  • Source links on every explanation
  • Local progress saved automatically
  • Email sync path ready for later
  • Apps provide deeper drills when available
One-time unlock

Unlock the full CEH bank

150 verified exam-style questions $3.99 one-time No subscription Secure checkout Instant unlock

Get the complete source-backed bank with correct-answer explanations, distractor breakdowns, saved review, full Course Mode, and per-exam Course Notes.

Instant unlock • Secure checkout • No subscription

Exam Mode Practice Mode Course Mode Course Notes Weak-area review Previous scores Source links Every choice explained No ads
See bundle and PDF options Already Pro? Open dashboard

Includes full Course Mode and Course Notes. We will confirm your site email in one quick checkout step.

Why DotCreds?

Practice with explanations that teach.

Source links for every answer Every wrong answer explained Guided Course included Practice and Exam Mode Weak-area tracking Same verified bank across web practice
Today's 10 CEH questions

Use this CEH practice test to review Certified Ethical Hacker. Questions rotate daily and each explanation links to the source used to validate the answer.

Today’s Set
10 questions
Rotates at 10:00 AM local time
Progress
0/10
Answered on this page
Accuracy
0%
Loading countdown…

150 verified questions are in the live bank. Free daily questions are selected from a rotating sample set. Unlock Pro to access the full question bank.

Question 1 of 10
Objective CEH-05 Reporting and Evidence

An ethical hacker is tasked with creating an assessment report for a client. Which of the following best describes the primary goal of this report?

Concept tested: Reporting and Evidence (CEH-05)
Question 2 of 10
Objective CEH-03 Vulnerability Analysis

Which identifier system gives publicly known vulnerabilities standardized names such as CVE-2024-12345?

Concept tested: Vulnerability Analysis (CEH-03)
Question 3 of 10
Objective CEH-04 Web Application Security

A user changes an object identifier in a request and opens another customer account. Which OWASP Top 10 category is involved?

Concept tested: Web Application Security (CEH-04)
Question 4 of 10
Objective CEH-07 Program Scope and Defensive Outcomes

How should CEH study notes be handled when official guidance or vendor material may change?

Concept tested: Program Scope and Defensive Outcomes (CEH-07)
Question 5 of 10
Objective CEH-02 Reconnaissance and Scanning

A tester is gathering information about a target organization by collecting public DNS records, domain registration details, email addresses, and technology fingerprints before conducting active scanning. Which phase of the penetration testing process is the tester performing?

Concept tested: Reconnaissance and Scanning (CEH-02)
Question 6 of 10
Objective CEH-01 Ethics and Scope

During the scoping phase of a penetration test, a login flow redirects to a third-party provider potentially managed by a different organization. Prior to initiating any testing activities related to this provider, what is the most appropriate action for the ethical hacker to take?

Concept tested: Ethics and Scope (CEH-01)
Question 7 of 10
Objective CEH-06 Remediation and Patch Management

Why do remediation plans often include software and firmware update work?

Concept tested: Remediation and Patch Management (CEH-06)
Question 8 of 10
Objective CEH-05 Reporting and Evidence

During a penetration test, a vulnerability is identified in a system, but the report provides no supporting evidence, impact assessment, or details regarding the affected asset. What is the primary concern regarding this finding?

Concept tested: Reporting and Evidence (CEH-05)
Question 9 of 10
Objective CEH-03 Vulnerability Analysis

A vulnerability scanner identifies numerous findings. Which approach best guides remediation efforts?

Concept tested: Vulnerability Analysis (CEH-03)
Question 10 of 10
Objective CEH-04 Web Application Security

Why is the OWASP Top 10 useful when assessing and reporting web application risk?

Concept tested: Web Application Security (CEH-04)
Locked preview

You are viewing today’s free 10. Unlock 140 more questions.

Unlock full bank
Daily sample Rotating practice Free daily questions are selected from a rotating sample set.
Pro bank Full access Unlock Pro to access the full question bank, Exam Mode, Practice Mode, and random tests.
CEH Pro $3.99 one-time

Pro mode for this exam includes the full bank, Practice Mode, Exam Mode, full Course Mode, and Course Notes.

50 Exam Practice Test $1.99 one-time

A 50-question CEH PDF for short review sessions. Questions come first, then the answer review and explanations later in the file.

Cybersecurity Access Bundle $6.99/month

Unlock Pro mode across security, defensive analysis, and network security practice.

Pro mode forSecurity+, CySA+, Certified Ethical Hacker, CCNA

Choose an unlock option to continue. We will confirm your site email in one quick checkout step.

Secure checkout powered by Stripe. Source-backed questions. Not brain dumps. Checkout stays on this page and unlocks the same Pro builder on this practice page.

Purchase options

Unlock the full CEH bank. No ads.

Get the full bank, Exam Mode, Practice Mode, question sets, random tests, readiness tracking, saved box scores, and review tools for this exam.

The PDF versions keep questions first and move the answer review, explanations, and distractor notes to the back of the file.

150 verified exam-style questions Every choice explained Exam Mode and Practice Mode Question sets and random tests Readiness score and trends Previous test box scores

You've answered 0/10 questions in today's set.

Locked: 140 more questions in the full bank.

Locked: exam simulation mode, practice mode, readiness tracking, and saved review history.

Checkout stays on this page, so you can keep practicing, unlock the full bank, and start Exam Mode or Practice Mode when you are ready.

No ads

7-day score keeper

Answer questions today and this will become a rolling 7-day scorecard.

Local history
Optional progress sync

Keep today’s practice moving

Guest progress saves automatically on this device. Add an email later when you want a magic link that keeps your daily CEH practice in sync across browsers.

Guest progress saves on this device automatically

Guest progress is available without an account.

Official exam resources

Use these official EC-Council resources alongside the daily practice set. They cover the provider's own exam page, study guide, or prep material.

Need adjacent EC-Council practice pages too? EC-Council practice hub.

Source-backed answer review

The free daily CEH set includes crawlable question text, answer choices, correct answer labels, objective mapping, and source links. Only the first SEO card includes answer explanations. Pro-only bank questions stay locked; this section mirrors only the 10 free daily questions already shown on this page.

Question 1 An ethical hacker is tasked with creating an assessment report for a client. Which of the following best describes the primary goal of this report?

Answer choices

  1. A. A longer list of unvalidated scanner messages
  2. B. Only cloud cost optimization and billing changes
  3. C. Disabling scanners to reduce alert volume
  4. D. Better remediation decisions and stronger defenses, not just a longer list of issues

Correct answer

Better remediation decisions and stronger defenses, not just a longer list of issues

A strong report helps the organization make remediation decisions and improve defenses. The value is not the number of listed issues; it is clear risk communication that leads to effective fixes. The answer "Better remediation decisions and stronger defenses, not just a longer list of issues" is supported because reporting should drive better remediation decisions and stronger defensive outcomes.

Wrong-answer review

  • A. A longer list of unvalidated scanner messages: A long unvalidated list can distract teams from the highest-value fixes.
  • B. Only cloud cost optimization and billing changes: Cost optimization may matter elsewhere, but a security report should support risk reduction.
  • C. Disabling scanners to reduce alert volume: Turning off scanners hides signals instead of improving remediation.

Objective/domain: Reporting and Evidence (CEH-05)

Source: NIST SP 800-115, Technical Guide to Information Security Testing and Assessment

Question 2 Which identifier system gives publicly known vulnerabilities standardized names such as CVE-2024-12345?

Answer choices

  1. A. MTTR
  2. B. LDAP
  3. C. CSP
  4. D. CVE (Common Vulnerabilities and Exposures)

Correct answer

CVE (Common Vulnerabilities and Exposures)

Objective/domain: Vulnerability Analysis (CEH-03)

Source: Process - CVE: Common Vulnerabilities and Exposures

Question 3 A user changes an object identifier in a request and opens another customer account. Which OWASP Top 10 category is involved?

Answer choices

  1. A. Cryptographic Failures
  2. B. Security Misconfiguration
  3. C. Server-Side Request Forgery
  4. D. Broken Access Control

Correct answer

Broken Access Control

Objective/domain: Web Application Security (CEH-04)

Source: OWASP Top Ten Web Application Security Risks

Question 4 How should CEH study notes be handled when official guidance or vendor material may change?

Answer choices

  1. A. Assume old practice notes override current documentation
  2. B. Use study material as support, but verify concepts against current official guidance
  3. C. Ignore primary guidance once a local quiz is passed
  4. D. Treat every online forum post as authoritative

Correct answer

Use study material as support, but verify concepts against current official guidance

Objective/domain: Program Scope and Defensive Outcomes (CEH-07)

Source: Certified Ethical Hacker (CEH) v13 | EC-Council

Question 5 A tester is gathering information about a target organization by collecting public DNS records, domain registration details, email addresses, and technology fingerprints before conducting active scanning. Which phase of the penetration testing process is the tester performing?

Answer choices

  1. A. Footprinting and reconnaissance
  2. B. Patch deployment
  3. C. Post-incident recovery
  4. D. Change-management approval

Correct answer

Footprinting and reconnaissance

Objective/domain: Reconnaissance and Scanning (CEH-02)

Source: Certified Ethical Hacker (CEH) v13 | EC-Council

Question 6 During the scoping phase of a penetration test, a login flow redirects to a third-party provider potentially managed by a different organization. Prior to initiating any testing activities related to this provider, what is the most appropriate action for the ethical hacker to take?

Answer choices

  1. A. Continue because the asset is reachable from the client application
  2. B. Exploit it quickly so the client can see the business risk
  3. C. Treat it as approved if the scan tool lists it beside client hosts
  4. D. Pause and get explicit clarification before touching the third-party asset

Correct answer

Pause and get explicit clarification before touching the third-party asset

Objective/domain: Ethics and Scope (CEH-01)

Source: Certified Ethical Hacker (CEH) v13 | EC-Council

Question 7 Why do remediation plans often include software and firmware update work?

Answer choices

  1. A. Hardware firmware is immune to logical exploits
  2. B. Patching always removes the need for monitoring
  3. C. Many validated findings depend on software or firmware that needs to be updated or mitigated
  4. D. Only end-user awareness training can fix technical flaws

Correct answer

Many validated findings depend on software or firmware that needs to be updated or mitigated

Objective/domain: Remediation and Patch Management (CEH-06)

Source: NIST SP 800-40 Rev. 3, Guide to Enterprise Patch Management Technologies

Question 8 During a penetration test, a vulnerability is identified in a system, but the report provides no supporting evidence, impact assessment, or details regarding the affected asset. What is the primary concern regarding this finding?

Answer choices

  1. A. The report is acceptable as long as the severity score is high
  2. B. The finding is not actionable because the report lacks evidence and context
  3. C. The finding should be removed because all vulnerabilities are theoretical
  4. D. The owner should patch every system immediately without review

Correct answer

The finding is not actionable because the report lacks evidence and context

Objective/domain: Reporting and Evidence (CEH-05)

Source: NIST SP 800-115, Technical Guide to Information Security Testing and Assessment

Question 9 A vulnerability scanner identifies numerous findings. Which approach best guides remediation efforts?

Answer choices

  1. A. Prioritize by exploitability, exposure, and likely business impact
  2. B. Prioritize only the newest findings
  3. C. Prioritize only findings with the shortest titles
  4. D. Prioritize alphabetically by product name

Correct answer

Prioritize by exploitability, exposure, and likely business impact

Objective/domain: Vulnerability Analysis (CEH-03)

Source: Known Exploited Vulnerabilities Catalog | CISA

Question 10 Why is the OWASP Top 10 useful when assessing and reporting web application risk?

Answer choices

  1. A. It replaces written authorization for penetration testing
  2. B. It guarantees every web application has exactly ten vulnerabilities
  3. C. It removes the need to validate findings
  4. D. It provides a recognized way to organize common web application risk areas during assessment and reporting

Correct answer

It provides a recognized way to organize common web application risk areas during assessment and reporting

Objective/domain: Web Application Security (CEH-04)

Source: OWASP Top Ten Web Application Security Risks

Where to go after the daily web set

How are CEH questions generated?

dotCreds builds CEH practice questions from public exam objectives and EC-Council exam and documentation references. The questions are written for realistic study practice, not copied from exam dumps.

How are explanations sourced?

Each question includes an explanation and, when available, a source link back to the provider documentation or reference used to validate the answer. That keeps the practice tied to study material you can actually review.

What score do I get?

The page tracks today's answered count and accuracy for the 10-question daily set, then saves a 7-day score history on this device so you can see your recent practice trend.

Why use this site?

The site is the fastest way to start CEH practice without installing anything. It is built for daily recall, quick weak-topic discovery, and source-backed explanations you can review immediately.

Why use the app when available?

The web page is the quick daily practice layer. If a dotCreds app is available for CEH, the app is better for larger banks, focused weak-domain drills, longer review sessions, and mobile study routines.