1.5 The CEH Domains & Your Study Priority Map

Key Takeaways

  • The CEH v13 blueprint defines 9 official domains; Network and Perimeter Hacking is the single largest at 24%
  • Reconnaissance Techniques (17%) and System Hacking Phases and Attack Techniques (15%) are the next priorities — with the 24% domain they are 56% of the exam
  • Information Security and Ethical Hacking Overview (this chapter) is 6% — small in weight but it underpins every other domain's vocabulary
  • The 9 blueprint domains and the 20 training modules describe the same content at two levels of granularity
  • Allocate study hours roughly in proportion to domain weight, then re-weight upward for your weakest practice areas
Last updated: June 2026

The 9 Official CEH Domains

The CEH v13 exam blueprint organizes the 125 questions into nine domains, each with an official weight. Use the weights as a study-time budget: the exam rewards depth in the heaviest domains.

| # | Domain | Weight | Covered In This Guide |
|---|--------|--------|-----------------------|
| 1 | Information Security and Ethical Hacking Overview | 6% | Chapter 1 (this chapter) |
| 2 | Reconnaissance Techniques | 17% | Reconnaissance, Footprinting, Scanning & Enumeration |
| 3 | System Hacking Phases and Attack Techniques | 15% | Vulnerability Analysis & System Hacking Phases |
| 4 | Network and Perimeter Hacking | 24% | Network & Perimeter Hacking |
| 5 | Web Application Hacking | 14% | Web Server & Web Application Hacking (incl. SQL Injection) |
| 6 | Wireless Network Hacking | 5% | Wireless Network Hacking |
| 7 | Mobile Platform, IoT, and OT Hacking | 10% | Mobile Platform, IoT & OT Hacking |
| 8 | Cloud Computing | 5% | Cloud Computing & Cryptography |
| 9 | Cryptography | 5% | Cloud Computing & Cryptography |

Malware, sniffing, and social-engineering content in this guide supports the System Hacking and Network/Perimeter domains, where those attack techniques are assessed.

Domains vs. the 20 Modules

Do not confuse the 9 weighted domains (how the exam is scored) with the 20 training modules (how the course is taught). They cover the same material at different granularity: e.g., the single Reconnaissance Techniques domain (17%) spans the Footprinting, Scanning, and Enumeration modules, while Network and Perimeter Hacking (24%) absorbs the Sniffing, Social Engineering, DoS, Session Hijacking, and Evasion (IDS/Firewall/Honeypot) modules. Studying by domain weight is the efficient way to budget; studying by module is the efficient way to learn techniques.

Weight Distribution

[Chart: CEH v13 Domain Weight Distribution (%)]

How to Budget Study Time

The top three domains — Network and Perimeter Hacking (24%), Reconnaissance Techniques (17%), and System Hacking Phases and Attack Techniques (15%) — total 56% of the exam. Master these and stay competent everywhere else and you clear the cut score comfortably.

A proportional starting plan:

  1. Spend roughly half your time on the top three domains. They have the most questions and the most interconnected concepts (ports, Nmap, sniffing, system hacking).
  2. Give the 14% Web Application domain solid coverage. Injection (especially SQL injection), the OWASP-style flaw classes, and web-server attacks are dense and heavily tested.
  3. Do not skip the three 5% domains. Wireless, Cloud, and Cryptography are individually small but collectively 15% — easy points if you know the core concepts (WPA2/WPA3, the cloud shared-responsibility model, symmetric vs. asymmetric keys, hashing).
  4. Treat this 6% Overview domain as the glue. Low weight, but its vocabulary (CIA triad, threat/vuln/risk, the five phases, authorization, hacker classes) is assumed in every other domain's questions.
  5. Re-weight toward your weak areas. After a full-length practice test, add time to your lowest-scoring domains regardless of blueprint weight — a 45% score anywhere leaves easy points on the table.

Mapping Domains to the Five Phases

The domains are not random — most expand a phase from Section 1.2:

  • Reconnaissance Techniques -> Phase 1 (Recon) + Phase 2 (Scanning/Enumeration)
  • System Hacking Phases -> Phase 3 (Gaining Access) + Phase 4 (Maintaining Access) + Phase 5 (Clearing Tracks)
  • Network/Perimeter, Web, Wireless, Mobile-IoT-OT, Cloud -> attack surfaces and techniques used across Phases 2-4
  • Cryptography -> cross-cutting; it protects confidentiality and integrity and is attacked across phases

Thinking in phases keeps the large blueprint coherent rather than leaving it as a flat list of 20 modules to memorize, and it tells you which countermeasure a question is really asking about.

A Concrete Four-Week Study Map

Weights translate into a workable schedule. For a typical four-week sprint of full-length practice plus targeted review:

| Week | Focus (by domain weight) | Why |
|------|--------------------------|-----|
| 1 | This Overview chapter + Reconnaissance (17%) | Lock the vocabulary, then the biggest non-network domain |
| 2 | Network & Perimeter (24%) — ports, Nmap, sniffing, IDS/firewall/honeypot evasion | The single largest slice; most interconnected |
| 3 | System Hacking (15%) + Web Application (14%) | Password attacks, privilege escalation, SQL injection, OWASP-class flaws |
| 4 | Mobile/IoT/OT (10%) + the three 5% domains + full-length mocks | Mop up the smaller domains and re-weight to weak areas |

This front-loads the 24% + 17% + 15% triad (56% of the exam) while still guaranteeing every domain is touched. Reserve the last few days exclusively for timed, full-length practice so you internalize the ~1m55s-per-question pace.

High-Yield Quick Facts to Anchor

Regardless of domain, a handful of facts recur often enough to be worth memorizing cold: well-known ports (FTP 21, SSH 22, Telnet 23, SMTP 25, DNS 53, HTTP 80, HTTPS 443, SMB 445), the five phases in order, the CIA triad mapping, and the difference between symmetric and asymmetric cryptography. These anchor points let you reason out unfamiliar questions instead of guessing blindly.

A final scoring reality check: because the cut score floats between 60% and 85% by form, you should not aim for the minimum. Treat 80% on full-length, mixed-domain practice as your readiness signal. If you are passing the 24%/17%/15% triad consistently and not bombing any single 5% domain, you have built the margin needed to clear whatever form you are assigned on test day.

Test Your Knowledge

Which CEH v13 domain carries the single largest weight on the exam?

Test Your Knowledge

A candidate scores 80%+ on every practice domain except Cloud Computing, where they score 45%. Cloud is only 5% of the blueprint. What is the best study decision?

Test Your Knowledge

What is the relationship between the 9 CEH exam domains and the 20 training modules?
