EC-Council Certified Incident Handler (ECIH) Practice Test

The ECIH is designed for cybersecurity professionals who are directly involved in detecting, analyzing, or responding to security incidents. Primary target roles include incident response team members, SOC (Security Operations Center) analysts, cyber forensic investigators, vulnerability assessment auditors, penetration testers, and risk assessment administrators. System administrators, network managers, firewall administrators, and IT managers responsible for organizational security posture are also well-suited candidates.

The certification is appropriate for professionals with at least one year of experience in cybersecurity who want to formalize and deepen their incident handling expertise. It is also pursued by federal employees and defense contractors seeking to meet compliance or role-specific requirements in government and regulated industry environments.

EC-Council recommends that candidates have at least one year of experience working as a cybersecurity professional before attempting the ECIH exam. This foundational experience ensures familiarity with networking concepts, operating systems, common attack vectors, and basic security tooling—all of which are assumed knowledge within the curriculum.

There are no mandatory formal educational prerequisites, but a working understanding of TCP/IP networking, Windows and Linux system administration, log analysis, and basic digital forensics concepts will significantly aid comprehension of the course material. Candidates with prior exposure to security frameworks such as NIST SP 800-61 or SANS incident response methodology will find the structured approach of the ECIH program familiar. EC-Council also requires candidates to complete an eligibility application if they are challenging the exam without attending official training.

The ECIH exam (code 212-89) consists of 100 multiple-choice questions and must be completed within 3 hours (180 minutes). The exam is delivered through EC-Council's ECC Exam Center or at Pearson VUE testing centers worldwide, offering both online proctored and in-person options.

EC-Council uses a variable cut-score methodology based on the specific exam form administered. While the generally cited passing score is 70%, cut scores can range from 60% to 85% depending on the difficulty calibration of the form assigned to the candidate—this is determined through psychometric analysis and subject matter expert review during beta testing. There are no separate unscored pilot questions disclosed publicly. Certification must be renewed every three years through EC-Council's continuing education program.

• 1.Module 1 – Introduction to Incident Handling and Response: Covers the fundamentals of incident handling, key definitions, types of incidents, the role of the incident handler, incident response team structure, and relevant legal and regulatory frameworks governing incident response activities.
• 2.Module 2 – Incident Handling and Response Process: Examines the end-to-end IH&R process model including preparation, detection and analysis, classification, escalation, notification procedures, and post-incident activities. Emphasizes building and maintaining incident response plans and playbooks.
• 3.Module 3 – First Response: Addresses first responder duties including incident documentation, evidence preservation, chain of custody, volatile and non-volatile data collection, initial containment decision-making, and coordinating with stakeholders during the early stages of an incident.
• 4.Module 4 – Handling and Responding to Malware Incidents: Covers malware classification (viruses, worms, ransomware, trojans, rootkits), malware behavior analysis techniques, static and dynamic analysis, containment strategies, and tools used for malware incident investigation.
• 5.Module 5 – Handling and Responding to Email Security Incidents: Focuses on phishing, spear-phishing, business email compromise (BEC), email header analysis, identifying malicious attachments and links, and response procedures specific to email-based attack vectors.
• 6.Module 6 – Handling and Responding to Network Security Incidents: Covers detection and response to network intrusions, DoS/DDoS attacks, man-in-the-middle attacks, network traffic analysis using tools such as Wireshark, and containment and recovery for network-layer incidents.
• 7.Module 7 – Handling and Responding to Web Application Security Incidents: Examines OWASP Top 10 attack scenarios (SQL injection, XSS, CSRF, etc.), web server log analysis, web application firewall (WAF) response, and eradication and hardening procedures following web-based attacks.
• 8.Module 8 – Handling and Responding to Cloud Security Incidents: Addresses incident response in AWS, Azure, and GCP environments, shared responsibility model implications, cloud-native logging and monitoring tools, and procedures for investigating and containing cloud infrastructure incidents.
• 9.Module 9 – Handling and Responding to Insider Threats: Covers detection of malicious and negligent insider activity, behavioral indicators, user and entity behavior analytics (UEBA), data loss prevention (DLP) integration, and legal considerations when handling insider threat investigations.
• 10.Module 10 – Handling and Responding to Endpoint Security Incidents: Focuses on endpoint detection and response (EDR) tools, host-based forensic analysis, memory forensics, incident containment at the endpoint level, and recovery procedures for compromised workstations and servers.

• Download and study the official ECIH Exam Blueprint v2 (available at cert.eccouncil.org) before beginning preparation—it maps all tested domains and is the authoritative guide for what will appear on the 212-89 exam.
• Complete all official EC-Council courseware labs: the ECIH program includes 95+ hands-on lab exercises covering real tools used in incident response. Hands-on practice with tools like Wireshark, Volatility, FTK Imager, and SIEM platforms directly reflects exam scenarios.
• Build a personal incident response playbook as you study each module. Documenting the response workflow for each incident type (malware, insider threat, cloud, web app) reinforces procedural knowledge tested in the multiple-choice questions.
• Study NIST SP 800-61 (Computer Security Incident Handling Guide) and SANS Incident Response methodology in parallel with EC-Council materials—the ECIH exam draws on industry-standard frameworks and terminology from both.
• Focus extra attention on Modules 4 (Malware), 6 (Network), and 9 (Insider Threats), as these represent some of the most complex incident categories and are heavily represented in the exam content based on the course structure.
• Use the EC-Council CodeRed or iClass platform for official practice tests and review questions. Third-party question banks can supplement preparation but should not replace the official study materials.
• Review relevant legal frameworks (such as GDPR breach notification requirements, HIPAA incident response obligations, and US federal laws like CFAA) since the ECIH exam tests knowledge of compliance and legal considerations in incident response.

The ECIH certification positions holders for roles such as Incident Responder, SOC Analyst (Tier 2/3), Cyber Forensic Analyst, Threat Intelligence Analyst, and Information Security Manager. In the United States, incident handlers and response professionals earn an average salary of approximately $96,000 per year, with ranges typically between $85,000 and $108,000 depending on experience, industry, and location—with government, defense, and financial services sectors commanding premium compensation.

Compared to alternatives like the SANS GIAC Certified Incident Handler (GCIH), the ECIH is more accessible in terms of cost and entry requirements, making it a practical stepping stone for professionals earlier in their security careers. The ANSI accreditation and ACE approval add credibility recognized by government agencies and academic institutions. For professionals targeting compliance-heavy industries or federal positions, the ECIH also aligns with the NICE Cybersecurity Workforce Framework's 'Protect and Defend' work role category, broadening its applicability in government contracting environments.