
CEH vs ECIH vs CND

Hi folks. I took all three. In reverse order. CND first, then ECIH, then CEH.

Not because I planned it that way. It just happened. Got a CND voucher from campus, passed it, got curious about incident response so I went for ECIH. CEH came last, even though it's the most recognized in Indonesia.

The question I get most: "which one should I take first?" Depends on where you are and what door you're trying to open. After taking all three, here's what I learned.

At-a-Glance Comparison

CEH vs ECIH vs CND, Quick Comparison

| Aspect | CEH | ECIH | CND |
|---|---|---|---|
| Focus | Offensive Security | Incident Response Process | Defensive Network Defense |
| Role | Pentester, Red Teamer | SOC Analyst, IR Handler | Network Security Engineer, Blue Teamer |
| Scope | 20 Modules (wide, breadth) | 9-Phase IR Cycle (deep dive) | 14 Modules (technical depth) |
| Style | Think like an attacker | Manage incidents | Build the fortress |
| Exam | 125 Q / 4 hrs, MCQ | 100 Q / 4 hrs, MCQ | 100 Q / 4 hrs, MCQ |
| Labs | Hacking scenarios | Forensic investigation | Network defense tools |
| Cost | ~$1,199 (with retake) | ~$950 (with retake) | ~$950 (with retake) |
| HR Recog* | Very high | Growing in SOCs | Under the radar |
| Best For | Aspiring pentesters | SOC analysts, IR handlers | Network admins transitioning |

* Indonesian job market observation, 2025-2026

CND (Certified Network Defender)

Nobody talks about CND. That's exactly what makes it interesting.

Most people assume CND is basic network security. It's not. It's the most underrated certification EC-Council offers.

Fourteen modules, layer 1 through 7. CEH teaches you to crack WPA2. CND teaches you to harden WPA2-Enterprise with RADIUS and EAP-TLS, and it explains why MAC filtering is useless in an enterprise network. Different level. Different mindset.

What I actually learned: how attackers get in and how to stop them at every OSI layer. Firewall placement, NGFW vs WAF, DMZ design. Reading pcaps and spotting anomalies without a SIEM. When IPsec makes sense vs SSL VPN. The difference between VLAN and micro-segmentation. Windows and Linux hardening: not a checklist, but understanding why a config is vulnerable. Risk assessment fundamentals. What to actually do when an alert fires.
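One concrete form of the "reading pcaps and spotting anomalies without a SIEM" skill, as an added example that is not from the original post or from EC-Council's CND material: a small port-scan detector run over a constructed, simplified flow summary (the five-column shape you would reduce a pcap to with a packet-analysis tool). The 10-second window and the 5-port threshold are assumed tuning values, and the IP addresses are made up.

```python
from collections import defaultdict, deque

# Constructed sample input (not real traffic): a simplified summary of a pcap,
# one TCP segment per line:
# epoch_seconds  src_ip  dst_ip  dst_port  flags ("S" = SYN only, "A" = ACK)
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 10.0.0.20 443 S
1700000000 10.0.0.5 10.0.0.20 443 A
1700000003 10.0.0.5 10.0.0.20 443 S
1700000001 10.0.0.9 10.0.0.20 21 S
1700000001 10.0.0.9 10.0.0.20 22 S
1700000002 10.0.0.9 10.0.0.20 23 S
1700000002 10.0.0.9 10.0.0.20 25 S
1700000003 10.0.0.9 10.0.0.20 80 S
1700000003 10.0.0.9 10.0.0.20 110 S
1700000004 10.0.0.9 10.0.0.20 143 S
1700000000 10.0.0.7 10.0.0.20 21 S
1700000012 10.0.0.7 10.0.0.20 22 S
1700000024 10.0.0.7 10.0.0.20 23 S
1700000036 10.0.0.7 10.0.0.20 25 S
1700000048 10.0.0.7 10.0.0.20 80 S
1700000060 10.0.0.7 10.0.0.20 110 S
"""


def parse_flows(text):
    """Parse the five-column summary into (ts, src, dst, dport, flags) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = line.split()
        records.append((int(ts), src, dst, int(dport), flags))
    return records


def detect_port_scans(records, window=10, threshold=5):
    """Return {(src, dst): sorted_ports} for every source that sent SYN-only
    probes to more than `threshold` distinct ports on one host within any
    `window`-second span. Both parameters are assumed tuning values."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    alerts = {}
    for ts, src, dst, dport, flags in sorted(records):
        if flags != "S":          # only connection attempts count as probes
            continue
        probes = recent[(src, dst)]
        probes.append((ts, dport))
        while probes and ts - probes[0][0] > window:   # slide the window
            probes.popleft()
        ports = {p for _, p in probes}
        if len(ports) > threshold:
            # keep the alert enriched with every port seen while it was tripped
            alerts[(src, dst)] = sorted(set(alerts.get((src, dst), [])) | ports)
    return alerts


def scan_alerts():
    """Run the detector with default tuning over the constructed sample."""
    return detect_port_scans(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for (src, dst), ports in scan_alerts().items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```

Run it as a script to print the alerts. Only 10.0.0.9 trips the detector: 10.0.0.5 keeps hitting one port, and 10.0.0.7 probes six ports but spaced twelve seconds apart, so the sliding window never holds more than one. Widening `window` makes the slow scanner visible too, which is exactly the tuning judgment you make by hand when no SIEM is doing it for you.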

CND is the most natural bridge for network engineers or sysadmins entering cybersecurity. It validates knowledge that was previously scattered across experience and gives you the words to say "I'm a certified network defender" instead of "I used to manage firewalls."

Exam reality: 100 questions, 4 hours, passing score 70%. The questions are seriously technical: lots of port numbers, protocol behaviors, tool syntax, and "what would you do if..." scenarios. iLabs are decent but won't blow you away. The real learning happens in a homelab.

CND Verdict

CND is for people who want to understand how to secure infrastructure, not just find holes in it. In Indonesia this cert rarely appears in job descriptions, but the knowledge directly translates to a security engineer, a network security specialist, or a SOC analyst who actually understands the traffic they're looking at. Underrated. Rock solid.

ECIH (Certified Incident Handler)

If CND is "how to build the walls," ECIH is "what you do when the walls are already breached."

This is the hardest cert to explain to people new to cybersecurity. Why? Because it's not a technical certification in the tools sense. It's about process. Frameworks. Managing chaos. People expect malware reverse-engineering when what they actually get is something far more valuable: knowing what to do when everything's on fire.

The 9-Phase IR Cycle

ECIH's core is the 9-phase incident handling cycle, fully mapped to NIST SP 800-61 Rev 2 and partially to ISO 27035. You're not learning "the EC-Council way." You're learning industry standards that governments and global enterprises actually use.

ECIH, 9-Phase Incident Handling Cycle
Phase 1: Preparation
  └─ IR team structure, forensic tool inventory, playbook development

Phase 2: Identification
  ├─ Detection & validation: incident or false positive?
  └─ Severity triage based on impact, scope, and asset criticality

Phase 3: Assessment
  ├─ Determine attack vector, affected systems, exposed data
  └─ Map attacker activity to MITRE ATT&CK tactics/techniques

Phase 4: Containment
  ├─ Short-term: isolate host, block malicious IPs/domains
  └─ Long-term: network segmentation, rebuild from clean image

Phase 5: Evidence Collection
  ├─ Forensic acquisition: disk image, memory dump, logs
  └─ Chain of custody: admissible in court?

Phase 6: Eradication
  └─ Remove malware, remove backdoors, reset compromised credentials

Phase 7: Recovery
  ├─ Restore from clean backups, staged restoration
  └─ Monitoring period: attackers often come back

Phase 8: Reporting
  ├─ Technical report for IT/SOC + executive summary
  └─ Regulatory notification: PDP Law 3×24 hours

Phase 9: Lessons Learned
  └─ Post-incident review, playbook & detection rule updates

ECIH is best for L2+ SOC Analysts moving into IR, security engineers who might become first responders, and IT managers at companies without a dedicated IR team. It pairs naturally with CND: knowing defense isn't enough if you don't know what to do when defense fails.

In Indonesia, ECIH is getting requested more for SOC tier 2 and above, especially in banking and fintech. OJK regulations and the PDP Law are pushing companies to need people who understand incident handling procedures, not just the technical side. But fair warning: this is a framework certification, not deep technical forensics like GCFA.

CEH (Certified Ethical Hacker)

You don't have to take CEH first. Most online content pushes the opposite narrative, but here's the reality.

CEH v13 has 20 modules covering offensive security A to Z: Footprinting, Scanning, Enumeration, Vulnerability Analysis, System Hacking, Malware Threats, Sniffing, Social Engineering, Denial of Service, Session Hijacking, Evading IDS/Firewall, Web Hacking, SQL Injection, Wireless Hacking, Mobile Hacking, IoT/OT, Cloud, and Cryptography.

I took the full v13 training through Metrodata Academy, EC-Council's official training partner in Indonesia. All 20 domains, hands-on iLabs access.

[Figure: CEH v13 Domain Map, 20 modules from Footprinting to Cryptography, completed via Metrodata Academy]

Here's the thing about CEH: it's wide, not deep. CEH gives you "everything a mile wide and an inch deep." You'll recognize terminology, basic techniques, and major tools across almost every offensive security domain. But don't expect to write custom exploits or understand memory corruption. That's not what CEH is for.

CEH Practical is where things get real. CEH (base) is MCQ-only. CEH Practical is a separate hands-on exam, 6 hours, 20 challenges, hacking target machines in a virtual environment. Scanning, enumeration, exploitation, escalation, documentation, all under time pressure. Without Practical, CEH gets roasted as a "theory-only cert." With Practical, you can push back: "I demonstrated skills in a 6-hour proctored lab."

HR Recognition in Indonesia

The main reason people still take CEH in 2026: HR in Indonesia searches for the keyword "CEH." Open LinkedIn, Jobstreet, Kalibrr, nearly every entry-to-mid level cybersecurity job says "CEH preferred" or "CEH is a plus."

Pak Faisal Yahya, Cybersecurity Executive at Vantage Point Security, frames it honestly: "CEH is still relevant in 2026 as an entry point into the industry, but OSCP is valued more because it is based on hands-on labs rather than theory. Treat CEH as a stepping stone toward other, more advanced certifications." CEH is the door opener. OSCP is the destination. Don't confuse the two.

Is this fair? No. Is it an accurate measure of technical skill? Also no. But HR people aren't cybersecurity people. They use checklists. CEH has been on that checklist for years. OSCP might be more technically impressive, but the volume of Indonesian job postings asking for CEH is still way higher.

Exam reality: 125 questions, 4 hours. Mix of theory-heavy and scenario-based. One trap: relying on exam dumps. EC-Council rotates their question bank now. Read the official materials.

CEH, ECIH, and CND gave me a foundation. The certs that actually prove you can break and build things come from OffSec: OSCP, OSWE, OSEP, OSED. Those are next.

So Which Path Do You Take?

PATH A: Blue Team          PATH B: Red Team           PATH C: Fastest Job
──────────────────────────────────────────────────────────────────────────────
CND → ECIH → CEH           CEH → ECIH → CND           CEH → Job → ECIH + CND
defense → response         offense → response         door opener → level up

Best for: Network eng,     Best for: Fresh grads,     Best for: Get hired fast
sysadmins, IT infra        career switchers

Result: Blue teamer who    Result: Full-stack         Strategy: CEH opens doors,
can anticipate attacks     security consultant        skills keep you there

Don't chase certs. Learn the skills. Pair every certification with hands-on work: build something, break something, document it. The cert gets you the interview. Your skills get you the job.