Software Engineering Institute | Carnegie Mellon University

CERT-Certified Computer Security Incident Handler Certification FAQ

1. What requirements must I meet to become a CERT-Certified Computer Security Incident Handler?

Submission of the Certification Application package, including

  • completed Certification Application, accompanied by a current resume and signed Code of Professional Conduct form
  • completed Certification Recommendation Form signed by your current manager

Successful completion of the application review by the SEI  

Passing score on the qualification examination as administered by the SEI

2. What courses are available to prepare me for the CSIH exam?

SEI CERT provides training programs to support the needs of civilian, military, and contract personnel who handle information assurance for networks and systems. CERT STEPfwd provides online courses that support several certification programs, as well as development of core information assurance and security-based skills. Completion of one or more of these courses may help individuals prepare for various certification programs or exams, but course completion does not guarantee successful completion of the SEI CERT CSIH examination or any other certification examination.

3.  How long do I have to take the examination after approval of the application and submission of the appropriate fees? 

You have 12 months to complete the exam before a new application must be submitted. The 12-month window begins when the candidacy approval email is sent from the SEI. The SEI will refund the examination fee upon written request from the candidate.

4.  What types of professional experience meet the criteria for application?

We are looking for security professionals who have experience in various tasks and processes related to computer security incident management activities. Incident management processes include preparing for, detecting, analyzing, and responding to computer security events and incidents. This includes steps taken to contain or prevent threats and incidents from spreading throughout systems and networks. 

Experience in incident management can cover a wide spectrum of tasks, including the initial detection or reporting of a security event or incident, the categorization or prioritization of reports, analyzing incidents and events, determining the appropriate response strategies, performing the actual response, resolving the incident, communicating with appropriate individuals throughout the process, and documenting or recording actions taken. 

Specific experience would include, for example:

  • Activities involved in operating and/or managing a CSIRT, or working in a security operations center or network operations center
  • Teaching courses in incident, vulnerability, or artifact handling
  • Taking action to protect systems and networks affected or threatened by intruder activity (such as filtering network traffic, patching or repairing systems, and rebuilding systems)
  • Collecting evidence (following established rules of evidence)
  • Performing computer forensic analysis on compromised systems (following established rules of evidence)
  • Performing artifact analysis or malicious code analysis
  • Analyzing networks and systems to look for security weaknesses, anomalous activity, or intruder activity
  • Providing solutions, mitigation strategies, or work-arounds through hands-on assistance or via alerts, bulletins, advisories, technical documentation, web sites, phone calls, emails, or other dissemination mechanisms
  • Coordinating response efforts and incident data exchanges
  • Coordinating and collaborating with management, legal, law enforcement, and other internal or external organizations
  • Coordinating communications with stakeholders involved in computer security events and incidents such as affected individuals, management, and other internal or external organizations

5.  What is the fee to take the examination to become certified? 

A fee of $499 (USD) is required from all applicants. The exam can be purchased on our testing services portal. Register for the CSIH exam by visiting the exam portal at

6.  How do I submit my Certification Application? 

Please visit the Application Center to complete and submit your application to the SEI. You will receive a confirmation when your application is successfully submitted to the SEI. 

7.  How do I submit my manager's recommendation?

Your recommendation form must be submitted in a sealed envelope, signed by the person recommending you across the seal, and mailed to the address below by you or the person recommending you:
Software Engineering Institute
Carnegie Mellon University
Attn: SEI Certification Program
4500 5th Avenue
Pittsburgh, PA 15213

8.  How much time will there be between when I submit my application for certification and when I hear from the SEI Certification Program Manager?

You will hear from the SEI Certification Program approximately 2-6 weeks after we receive and process your completed application package. The SEI Certification Program will review your application materials for completeness. At that point, one of the following will occur:  

  • If you meet the experience requirements, the SEI Certification Program will approve the application and contact you to make arrangements for the certification examination.
  • If you have not met the requirements, the SEI Certification Program will notify you with the specific steps that you must take to meet the requirements and complete the application process. 

9. What if I do not qualify to take the certification examination?  

The SEI Certification Program will provide you with the gaps identified from your application documentation.  

10.  When is the certification examination offered?

Administration of the certification examination is available from approved testing centers throughout the world. Proceed to the testing services portal, create a personal account and schedule a day and time at the location of your choice. 

11.  Where can I take the certification examination?

The certification examination can be taken at the SEI offices located in Pittsburgh, Pennsylvania or in Arlington, Virginia, as well as through SEI testing network locations or in written format at selected conferences and events. Register for the CSIH exam by visiting the exam portal at

12.  What types of identification are required to enter the examination facility?

Candidates will need to present two forms of identification to be admitted into the examination facility. At least one form of identification must have a picture and a signature (driver's license, passport). State- or government-issued identification is valid if it includes a photograph. Candidates who do not have the required identification will not be allowed to take the examination.

13.  How many attempts can I make to pass the certification examination?

If you do not pass the certification examination on the first attempt, you may retake the examination up to two (2) additional times within twelve (12) months of the initial attempt. All retakes have the same exam fee as the initial attempt.  After two retakes or 12 months from your initial attempt, you must reapply to retake the examination. Once you reapply, you are then permitted to take the examination up to two additional times under the following terms: 

  • Each successive time you want to retake the examination, you must pay the same examination fee as the initial attempt.
  • For these subsequent requests to retake the examination, you do not need to submit a new certification application package.
  • If you do not pass the examination after these subsequent attempts, you are required to wait two years and show evidence of further incident handling and/or security experience and knowledge before you can reapply again. 

14.  How much time is allowed to complete the exam?

Two (2) hours are allotted for an individual to complete the CSIH Certification examination.

15.  How long is the certification valid?

The certification is valid for three (3) years after the award date, after which it will expire. The certification may be renewed by applying for CSIH Certification Renewal. The application fee for renewal is $150 (USD).

16.  What are the requirements for renewing my certification? 

Renewal involves:  

  1. Obtaining continuing education or professional experience, as measured by Professional Development Units (PDUs) earned by participating in qualifying events equal to 60 PDUs. Qualifying events must be relevant to the practice of Computer Security Incident Management. Additional qualifying events are explained on the CSIH Certification Renewal page. 
  2. Submission of a $150 (USD) certification renewal fee.

17.  What are Professional Development Units (PDUs)?

A Professional Development Unit (PDU) is a measuring unit used to quantify learning and development activities. One (1) PDU can be earned for every one (1) hour spent in a planned structured experience or activity as approved by the SEI. Additional information about PDUs is available on the Certification Renewal page.