
CERT-Certified Computer Security Incident Handler Qualification Examination

This examination is designed to demonstrate that cyber-security professionals have sufficient knowledge and skill in key areas to successfully conduct network security functions.

The SEI will be retiring this CSIH certification program and exam on April 30, 2021. After that date, the SEI will no longer process any candidate applications or certification renewals, it will no longer grant any new CERT CSIH certifications, and the CSIH certification exam will no longer be available for certification candidates. The SEI will maintain existing CERT CSIH certifications on the certified professionals list until they have expired.


This qualification exam is required for computer security professionals who wish to become a CERT-Certified Computer Security Incident Handler.


Participants must achieve a minimum passing score of 78% to be considered eligible for certification.


The closed-book exam contains 65 multiple choice questions.

Exam content areas

The exam is broken down into five content areas as follows:

Major Content Groupings Exam Weighting
  1. Protect Infrastructure 7%
  2. Event/Incident Detection 17%
  3. Triage & Analysis 28%
  4. Respond 40%
  5. Sustain

Key areas covered under these major headings are as follows:

Protect Infrastructure
  • Assist constituents with correcting problems identified by vulnerability scanning activities
  • Implement changes to the computing infrastructure (to stop or mitigate an ongoing incident, to stop or mitigate the potential exploitation of a vulnerability, or as a result of postmortem reviews or other process improvement mechanisms)
  • Provide constituents with guidance in best practices for protecting their systems and networks
Event/Incident Detection
  • Monitor networks and information systems for security
  • Analyze the data or indicators from the networks and systems being monitored
  • Enter event/incident reports received from the constituency into the incident management knowledgebase
  • Collect incident data and intrusion artifacts (e.g., malware, logs) to enable mitigation of incidents
  • Perform initial, forensically sound collection of images for forensic analysis and investigation
  • Identify missing data or additional sources of information and artifacts
Triage & Analysis
  • Categorize events using the organization's standard category definitions
  • Perform correlation analysis on event reports to determine if there is affinity between two or more events
  • Prioritize events (includes determining scope, urgency, and potential impact)
  • Assign events for further analysis, response, or disposition/closure
  • Determine cause and symptoms of the incident
  • Analyze intrusion artifacts and malware (e.g., malware, source code, Trojan horse programs) to understand their purpose and/or to identify the specific vulnerability
  • Perform vulnerability analysis
  • Determine the risk, threat level, or business impact of a confirmed incident
  • Develop an incident response strategy and plan to limit incident effect and to repair incident damage
  • Perform real-time incident response tasks (e.g., direct system remediation) to support deployable incident response teams
  • Determine the risk of continuing operations
  • Change passwords
  • Improve defenses
  • Remove the cause of the incident
  • Validate the system
  • Identify relevant stakeholders that need to be contacted or that may have a vested interest or vital role in communications about an organizational incident
  • Identify the appropriate communications protocols and channels (media and message) for each type of stakeholder
  • Coordinate, integrate, and lead team responses with other internal groups (e.g., IT, management, compliance, legal, human resources), according to applicable policies and procedures
  • Provide notification service to other constituents (e.g., write and publish guidance or reports on incident findings) to enable constituents to protect their assets and/or detect similar incidents
  • Report and coordinate incidents with appropriate external organizations or groups in accordance with organizational guidelines, policies, and procedures
  • Serve as technical experts and liaisons to law enforcement personnel (e.g., to explain incident details, provide testimony)
  • Track and document incidents from initial detection through final resolution
  • Assign and label data/information according to the appropriate class or category of sensitivity
  • Collect and retain information on all events/incidents in support of future analytical efforts and situational awareness
  • Enter information (shift change transitions, current state of activity) into an operations log or record of daily operational activity
  • Perform risk assessments on incident management systems and networks
  • Run vulnerability scanning tools on incident management systems and networks


The content for the examination was determined using a panel of content experts, consisting of randomly-selected CSIH professionals with expertise and experience, who meet to discuss the eligibility requirements for the certification, review the job-related tasks in the functional areas of the job-task analysis, and develop a composite profile of a typical minimally-qualified candidate. From these profiles, a list of job-related behaviors is developed to distinguish a candidate who is minimally qualified from one who is below the certification standard.

The list of job-related behaviors is used to develop a test specification that delineates the number of questions from each of the functional areas to be included on the exam. Qualified subject matter experts were trained in techniques for developing clear, non-trivial questions to test the knowledge and skills required for minimum performance as a Computer Security Incident Handler. Upon completion of the question writing process, other subject matter experts were asked to review the questions for clarity, correctness, and appropriateness. Questions were extensively critiqued, rewritten if necessary, and, where appropriate, rejected from inclusion in the question bank. All of the questions in the question bank underwent the same rigorous review process by multiple reviewers.

SEI CERT provides training programs to support the needs of civilian, military, and contract personnel who handle information assurance for networks and systems. Completion of one or more of these courses may help individuals to prepare for various certification programs or exams, but course completion does not guarantee successful completion of the SEI CERT CSIH examination or any other certification examination.


Before registering for the exam, participants must have received notification that their certification application package has been reviewed and approved by the SEI.


Course Questions?

Phone: 412-268-7388
FAX: 412-268-7401

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.