EC-Council · ECIH
Validates competency across all stages of incident handling and response, including preparation, incident recording, triage, containment, evidence gathering, forensic analysis, eradication, recovery, and post-incident activities for network security incidents, malicious code incidents, and insider threats.
Questions
590
Duration
180 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Use this ECIH practice exam to prepare for EC-Council Certified Incident Handler (ECIH) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 590 questions for EC-Council ECIH, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The EC-Council Certified Incident Handler (ECIH) is a specialist-level certification that validates a cybersecurity professional's ability to manage the complete lifecycle of security incident handling and response. Carrying exam code 212-89, the ECIH program covers all phases of the incident response process—from preparation and initial triage through containment, forensic evidence gathering, eradication, system recovery, and post-incident review. The curriculum addresses a wide range of incident categories, including network security incidents, malicious code and malware outbreaks, email security incidents, web application attacks, cloud security incidents, endpoint compromises, and insider threats.
Accredited by the American National Standards Institute (ANSI) and approved by the American Council on Education (ACE), the ECIH is recognized as a rigorous, academically vetted credential. The program exposes candidates to over 800 incident handling and response tools and more than 95 hands-on labs, emphasizing practical, method-driven competency over theoretical knowledge alone. The current version (v3) reflects the evolving threat landscape, incorporating modern attack vectors such as cloud-based incidents and advanced persistent threats.
The ECIH is designed for cybersecurity professionals who are directly involved in detecting, analyzing, or responding to security incidents. Primary target roles include incident response team members, SOC (Security Operations Center) analysts, cyber forensic investigators, vulnerability assessment auditors, penetration testers, and risk assessment administrators. System administrators, network managers, firewall administrators, and IT managers responsible for organizational security posture are also well-suited candidates.
The certification is appropriate for professionals with at least one year of experience in cybersecurity who want to formalize and deepen their incident handling expertise. It is also pursued by federal employees and defense contractors seeking to meet compliance or role-specific requirements in government and regulated industry environments.
EC-Council recommends that candidates have at least one year of experience working as a cybersecurity professional before attempting the ECIH exam. This foundational experience ensures familiarity with networking concepts, operating systems, common attack vectors, and basic security tooling—all of which are assumed knowledge within the curriculum.
There are no mandatory formal educational prerequisites, but a working understanding of TCP/IP networking, Windows and Linux system administration, log analysis, and basic digital forensics concepts will significantly aid comprehension of the course material. Candidates with prior exposure to security frameworks such as NIST SP 800-61 or SANS incident response methodology will find the structured approach of the ECIH program familiar. EC-Council also requires candidates to complete an eligibility application if they are challenging the exam without attending official training.
The ECIH exam (code 212-89) consists of 100 multiple-choice questions and must be completed within 3 hours (180 minutes). The exam is delivered through EC-Council's ECC Exam Center or at Pearson VUE testing centers worldwide, offering both online proctored and in-person options.
EC-Council uses a variable cut-score methodology based on the specific exam form administered. While the generally cited passing score is 70%, cut scores can range from 60% to 85% depending on the difficulty calibration of the form assigned to the candidate—this is determined through psychometric analysis and subject matter expert review during beta testing. There are no separate unscored pilot questions disclosed publicly. Certification must be renewed every three years through EC-Council's continuing education program.
The ECIH certification positions holders for roles such as Incident Responder, SOC Analyst (Tier 2/3), Cyber Forensic Analyst, Threat Intelligence Analyst, and Information Security Manager. In the United States, incident handlers and response professionals earn an average salary of approximately $96,000 per year, with ranges typically between $85,000 and $108,000 depending on experience, industry, and location—with government, defense, and financial services sectors commanding premium compensation.
Compared to alternatives like the SANS GIAC Certified Incident Handler (GCIH), the ECIH is more accessible in terms of cost and entry requirements, making it a practical stepping stone for professionals earlier in their security careers. The ANSI accreditation and ACE approval add credibility recognized by government agencies and academic institutions. For professionals targeting compliance-heavy industries or federal positions, the ECIH also aligns with the NICE Cybersecurity Workforce Framework's 'Protect and Defend' work role category, broadening its applicability in government contracting environments.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 590 questions.
Preview — answers shown1. A healthcare organization experiences a ransomware incident that encrypts patient records. The incident response team needs to determine whether to attempt decryption, restore from backups, or consider other options. Which two factors are MOST critical in making this decision? (Select two!)
Multiple correct answersExplanation
Ransomware response decisions depend on technical recovery capabilities and available remediation options. The existence of tested offline backups with acceptable Recovery Point Objectives determines whether data can be restored without paying ransom or attempting decryption. Checking resources like nomoreransom.org for free decryption tools is critical, as some ransomware families have known weaknesses or law enforcement has obtained decryption keys. The marketing budget for awareness is irrelevant to immediate recovery decisions. The ransom note appearance has no bearing on recovery options. IT department staffing size does not directly impact the availability of backups or decryption tools, though adequate staffing helps with recovery execution.
2. A CSIRT follows NIST SP 800-61 Rev 2 for incident prioritization. They encounter an incident with high functional impact, proprietary data breach, and extended recovery time required. How should they prioritize this incident? (Select one!)
Explanation
According to NIST SP 800-61, incidents with high functional impact, proprietary breach information impact, and extended recoverability should be prioritized as high priority requiring immediate escalation. The combination of significant business impact, data breach, and lengthy recovery meets high priority criteria. Low priority is for minimal impact events. Medium priority is for moderate single-factor incidents. Critical priority is typically reserved for catastrophic not-recoverable scenarios threatening organizational survival.
3. A forensic investigator collects a hard drive from a crime scene and must maintain proper chain of custody. The investigator photographs the drive, documents serial numbers, and creates a forensic image using FTK Imager with SHA-256 hashing. Which additional step is required to ensure legal admissibility? (Select one!)
Explanation
Maintaining chain of custody requires documenting every custodian transfer with signatures, dates, times, and purposes to demonstrate that evidence has not been tampered with or contaminated. This documentation is essential for legal admissibility in court. Faraday bags are used for mobile devices to block wireless signals, not for hard drives. Creating backup copies improves preservation but does not address chain of custody requirements. Using write blockers is critical during imaging to prevent modification, but this is a preservation step rather than a custody documentation requirement. Chain of custody specifically refers to the documented chronological transfer of evidence between custodians.
4. A CSIRT analyst investigates a web application compromise and needs to identify the attack vector. Application logs show the following SQL query executed: SELECT * FROM users WHERE username='admin' OR '1'='1' --' AND password='anything'. Which attack technique was used? (Select one!)
Explanation
SQL Injection is evident from the malicious SQL syntax where the attacker injected OR '1'='1' to bypass authentication logic and -- to comment out the password check, causing the query to return all users. This manipulation of SQL query structure through user input is classic SQL injection. Cross-Site Scripting involves injecting malicious JavaScript into web pages viewed by other users, not SQL query manipulation. Command Injection involves executing operating system commands through application vulnerabilities, not database query manipulation. XML External Entity attacks exploit XML parsers to access files or internal services, not relevant to SQL query manipulation.
5. An incident handler performs static malware analysis and needs to disassemble a suspicious executable to understand its functionality without executing it. Which tools provide disassembly capabilities for static analysis? (Select two!)
Multiple correct answersExplanation
IDA Pro is a commercial disassembler and debugger providing advanced static analysis capabilities including disassembly, decompilation, and graph visualization. Ghidra is a free NSA-developed reverse engineering tool with disassembly and decompilation features. Both tools convert machine code to assembly language for analysis without execution. Process Monitor monitors runtime process behavior. Regshot captures registry changes before and after execution. Wireshark analyzes network traffic. For static disassembly, IDA Pro and Ghidra are appropriate tools.
Certified Threat Intelligence Analyst (CTIA)
CTIA · 740 questions
Certified Cybersecurity Technician (CCT)
CCT · 630 questions
Certified Secure Computer User (CSCU)
CSCU · 630 questions
EC-Council Certified Encryption Specialist (ECES)
ECES · 627 questions
Ethical Hacking Essentials (EHE)
EHE · 627 questions
ICS/SCADA Cybersecurity
ICS-SCADA · 627 questions
$17.99
One-time access to this exam