I took all three. In reverse order. CND first, then ECIH, then CEH.
Not because I planned it that way. It just happened. Looking back, I should have done CEH first, but that's getting ahead of myself.
The question I get most: "which one should I take first?" The real answer depends on where you are and what door you're trying to open. Here's what I wish someone told me before I spent the money.
At-a-Glance Comparison
| Aspect | CEH | ECIH | CND |
|---|---|---|---|
| Focus | Offensive Security | Incident Response Process | Defensive Network Defense |
| Role | Pentester, Red Teamer | SOC Analyst, IR Handler | Network Security Engineer, Blue Teamer |
| Scope | 20 Modules (wide, breadth) | 9-Phase IR Cycle (deep dive) | 14 Modules (technical depth) |
| Style | Think like an attacker | Manage incidents | Build the fortress |
| Exam | 125 Q / 4 hrs MCQ | 100 Q / 4 hrs MCQ | 100 Q / 4 hrs MCQ |
| Labs | Hacking scenarios | Forensic investigation | Network defense tools |
| Cost | ~$1,199 (with retake) | ~$950 (with retake) | ~$950 (with retake) |
| HR Recog* | Very high | Growing in SOCs | Under the radar |
| Best For | Aspiring pentesters | SOC analysts, IR handlers | Network admins transitioning |
* Indonesian job market observation, 2025-2026
CND (Certified Network Defender)
Nobody talks about CND. That's exactly what makes it interesting.
Most people assume CND is basic network security. It's not. It's the most underrated certification EC-Council offers.
14 modules covering network defense from layer 1 through layer 7. CEH teaches "here's how to crack WPA2 WiFi." CND teaches "here's how to harden WPA2-Enterprise with RADIUS + EAP-TLS in an enterprise network, and here's why MAC filtering is useless." Different level. Different mindset.
The CND modules break down like this:
- Network Attacks & Defense Strategies: how attackers get in, how to stop them at every OSI layer
- Network Perimeter Security: firewalls (stateful, NGFW, WAF), IDS/IPS placement, DMZ design
- Endpoint Security: HIDS/HIPS, application whitelisting, endpoint detection fundamentals
- Network Traffic Analysis: reading pcaps, spotting anomalies from flow data
- VPN & Network Segmentation: when IPsec makes sense vs SSL VPN, VLAN vs micro-segmentation
- Risk & Incident Management: risk assessment basics, what to do when an alert fires
- Windows & Linux Hardening: not a checklist, but understanding why a config is vulnerable
CND is the most natural bridge for network engineers or sysadmins entering cybersecurity. It validates knowledge that was previously scattered across experience and gives you the words to say "I'm a certified network defender" instead of "I used to manage firewalls."
Exam reality: 100 questions, 4 hours, passing score 70%. The questions are seriously technical: lots of port numbers, protocol behaviors, tool syntax, and "what would you do if..." scenarios. iLabs are decent but won't blow you away. The real learning happens in a homelab.
CND is for people who want to understand how to secure infrastructure, not just find holes in it. In Indonesia this cert rarely appears in job descriptions, but the knowledge directly translates to security engineer, network security specialist, or SOC analyst who actually understands the traffic they're looking at. Underrated. Rock solid.
ECIH (Certified Incident Handler)
If CND is "how to build the walls," ECIH is "what you do when the walls are already breached."
This is the hardest cert to explain to people new to cybersecurity. Why? Because it's not a technical certification in the tools sense. It's about process. Frameworks. Managing chaos. People expect malware reverse-engineering when what they actually get is something far more valuable: knowing what to do when everything's on fire.
The 9-Phase IR Cycle
ECIH's core is the 9-phase incident handling cycle, fully mapped to NIST SP 800-61 Rev 2 and partially to ISO 27035. You're not learning "the EC-Council way." You're learning industry standards that governments and global enterprises actually use.
Phase 1: Preparation
└─ IR team structure, forensic tool inventory, playbook development
Phase 2: Identification
└─ Detection & validation: incident or false positive?
└─ Severity triage based on impact, scope, and asset criticality
Phase 3: Assessment
└─ Determine attack vector, affected systems, exposed data
└─ Map attacker activity to MITRE ATT&CK tactics/techniques
Phase 4: Containment
└─ Short-term: isolate host, block malicious IPs/domains
└─ Long-term: network segmentation, rebuild from clean image
Phase 5: Evidence Collection
└─ Forensic acquisition: disk image, memory dump, logs
└─ Chain of custody — admissible in court?
Phase 6: Eradication
└─ Remove malware, remove backdoors, reset compromised credentials
Phase 7: Recovery
└─ Restore from clean backups, staged restoration
└─ Monitoring period: attackers often come back
Phase 8: Reporting
└─ Technical report for IT/SOC + executive summary
└─ Regulatory notification: PDP Law 3×24 hours
Phase 9: Lessons Learned
└─ Post-incident review, playbook & detection rule updatesECIH is best for L2+ SOC Analysts moving into IR, security engineers who might become first responders, and IT managers at companies without a dedicated IR team. It pairs naturally with CND: knowing defense isn't enough if you don't know what to do when defense fails.
In Indonesia, ECIH is getting requested more for SOC tier 2 and above, especially in banking and fintech. OJK regulations + PDP Law are pushing companies to need people who understand incident handling procedures, not just the technical side. But fair warning, this is a framework certification, not deep technical forensics like GCFA.
CEH (Certified Ethical Hacker)
CEH is the elephant in the room. You don't have to take it first, despite what most online content suggests.
CEH v13 has 20 modules covering offensive security A to Z: Footprinting, Scanning, Enumeration, Vulnerability Analysis, System Hacking, Malware Threats, Sniffing, Social Engineering, Denial of Service, Session Hijacking, Evading IDS/Firewall, Web Hacking, SQL Injection, Wireless Hacking, Mobile Hacking, IoT/OT, Cloud, and Cryptography.
I took the full v13 training through Metrodata Academy, EC-Council's official training partner in Indonesia. All 20 domains, hands-on iLabs access.
Here's the thing about CEH: it's wide, not deep. CEH gives you "everything a mile wide and an inch deep." You'll recognize terminology, basic techniques, and major tools across almost every offensive security domain. But don't expect to write custom exploits or understand memory corruption. That's not what CEH is for.
CEH Practical is where things get real. CEH (base) is MCQ-only. CEH Practical is a separate hands-on exam, 6 hours, 20 challenges, hacking target machines in a virtual environment. Scanning, enumeration, exploitation, escalation, documentation, all under time pressure. Without Practical, CEH gets roasted as a "theory-only cert." With Practical, you can push back: "I demonstrated skills in a 6-hour proctored lab."
HR Recognition in Indonesia
The main reason people still take CEH in 2026: HR in Indonesia searches for the keyword "CEH." Open LinkedIn, Jobstreet, Kalibrr, nearly every entry-to-mid level cybersecurity job says "CEH preferred" or "CEH is a plus."
Pak Faisal Yahya, Cybersecurity Executive at Vantage Point Security, frames it honestly: "CEH masih relevan di 2026 untuk menjadi pintu masuk ke dunia industri, namun OSCP lebih dihargai karena berbasis hands-on lab bukan teori. Jadikan CEH sebagai batu loncatan untuk mencapai sertifikasi lainnya yang lebih advanced." CEH is the door opener. OSCP is the destination. Don't confuse the two.
Is this fair? No. Is it an accurate measure of technical skill? Also no. But HR people aren't cybersecurity people. They use checklists. CEH has been on that checklist for years and it's not going anywhere. OSCP might be more technically impressive, but the volume of Indonesian job postings asking for CEH is still way higher.
Exam reality: 125 questions, 4 hours. Mix of theory-heavy and scenario-based. Passing score varies. One trap people fall into: relying on exam dumps. EC-Council rotates their question bank aggressively now. Read the official materials, that's where the actual exam questions come from.
Where I'm Going Next
CEH, ECIH, and CND gave me a solid foundation. But the certs that actually prove you can break and build things, the ones that command real technical respect, come from OffSec. OSCP is the obvious next step: 24-hour hands-on exam, no multiple choice, pass or fail based on whether you compromise the targets. Beyond OSCP: OSWE for web exploitation, OSEP for evasion and advanced pentesting, OSED for exploit development, all the way to OSCE³.
For now, these are targets on a whiteboard. But every certification on this page started there too.
CEH is a marketing success story. The curriculum is solid for beginners who want to understand the full attack surface. The problem is expectations: CEH is a foundational offensive security certification, not a "you are now a professional hacker" badge. Understand its limits and CEH is worth it, especially for the Indonesian market. Take the Practical. MCQ-only CEH in 2026 is starting to lose respect from hiring managers who actually understand security.
So Which Path Do You Take?
PATH A: Blue Team PATH B: Red Team PATH C: Fastest Job
──────────────────────────────────────────────────────────────────────────────
CND → ECIH → CEH CEH → ECIH → CND CEH → Job → ECIH + CND
defense → response offense → response door opener → level up
Best for: Network eng, Best for: Fresh grads, Best for: Get hired fast
sysadmins, IT infra career switchers
Result: Blue teamer who Result: Full-stack Strategy: CEH opens doors,
can anticipate attacks security consultant skills keep you thereAre These Certs Still Worth It in 2026?
For HR filters: YES. Indonesian HR still types "CEH" into job portals. These certs get you past the gatekeeper. You could be genuinely skilled without a cert, but if your CV never passes HR screening, nobody will ever see your skills.
For structured knowledge: YES. You won't get a vendor-reviewed, structured curriculum from scattered YouTube tutorials. CEH, ECIH, and CND each give you a systematic thinking framework, not just "how to exploit SQL injection" but why it happens, the business impact, and where it fits in the IR cycle.
For standalone value: NOT ENOUGH. Certs alone won't carry you. Pair them with homelab experience, CTF participation, real projects, and a documented portfolio. Nobody hires a piece of paper.
EC-Council certifications are like a driver's license. Having one doesn't make you instantly good at driving, you still need hours on the road. But without it, you're not allowed behind the wheel. The certificate proves you passed a standardized exam, your skills determine whether you survive the actual job. Don't stop at the cert. The cert is the beginning, not the destination.
Closing Thoughts
Don't chase certs. Learn the skills. Pair every certification with hands-on work: build something, break something, document it. The cert gets you the interview. Your skills get you the job.