CERT-Certified Computer Security Incident Handler (CSIH)

Daniel Brecht
May 12, 2018 by
Daniel Brecht

Note: The CERT-CSIH certification is being retired on April 30, 2021. Browse current IT and security certifications.

"The SEI will be retiring this CSIH certification program and exam on April 30, 2021. After that date, the SEI will no longer process any candidate applications or certification renewals, it will no longer grant any new CERT CSIH certifications, and the CSIH certification exam will no longer be available for certification candidates. The SEI will maintain existing CERT CSIH certifications on the certified professionals list until they have expired." — Software Engineering Institute at Carnegie Mellon University

When unforeseen cyber events happen, how important is it to have the right people (Certified Computer Security Incident Handler-CSIH) or team (Computer Emergency Response Team-CERT or Computer Security Incident Response Team-CSIRT) to ensure incident response and handling materializes immediately? Extremely, most organizations would say. That is where being a certified CERT-CSIH comes into play. Such professionals are skilled in assessing risk levels and provide solutions to defend the network better against threats that might impact data and systems, as part of a business continuity response.

CSIH professionals might be working with or as part of a CSIRT and are involved in activities responsible for receiving, reviewing and responding to computer security incident reports and activities. This "security team" addresses sophisticated cyber threats before too much damage is caused to the business' infrastructure and services. With the number of cybercrime-related events on the rise, especially through the Internet, it is important for businesses to employ IT practitioners that can competently fulfill a security role, as either an incident responder or handler. A CSIH candidate can demonstrate his or her knowledge and awareness on different phases of incident handling, which includes all the activities and processes for detecting, reporting, triaging, analyzing, and responding to computer security incidents.

Why A CSIH Certification?

"The CERT-CSIH certification program prepares computer security incident response personnel, and other information security professionals, to participate in incident handling efforts. It also teaches them how to keep their organizations current on innovations and trends in computer security," explains the Software Engineering Institute (SEI), a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University of whom are the creators of the CERT-Certified Computer Security Incident Handler (CSIH) Certification which incorporates work experience, an examination, and renewal requirements. "For nearly 30 years, the cybersecurity mission of the CERT Division has been at the forefront of our nation's cyber defense," tells Edward H. (Ned) Deets, III, the New Director of CMU SEI CERT Cybersecurity Division who assumed leadership following the retirement of the CERT founder at the SEI in 1988 who is Richard Pethia.

The certification offered by the organization is geared towards ensuring that IT professionals who want to work in the incident handling field have the right skills and knowledge to conduct the required network security functions. A certified CERT-CSIH can support either internal or external response team members; the handler assumes the role of incident coordinator who manages the response to an emergency and typically acts as a communication liaison coordinating team members and keeping stakeholders informed on event-related information in person or via other means. These professionals do more than just monitoring SIEM alerts for threats, intrusions, and/or compromises; they must handle emergency events according to a well-defined computer security incident response plan (IRP). As a member of the CSIRT, the Incident Handler will coordinate the activities across the enterprise also ensuring proper security tools are being used, in accordance with the incident response process or plan, to improve prevention and detection methods. CSIRT-related incident handling team-related activities include also logging, reporting and analysis.

Incident handling (IH) and incident response (IR) responsibilities might be entrusted to the same person in smaller businesses, but in general, two different people are performing these duties within medium to large organizations. Incident response is more about the technical countermeasures deployed to counter the incident and will analyze it; it also requires pre-incident work with the devising of an effective IR plan. Handling, as seen, involves more of overall planning made of coordination, the establishment of roles, communications, and logistical support of the effort; the role is also responsible for post-incident considerations that lead to the devising of better IH plans. It is obvious that to fulfill the two roles; candidates need to display different skills: more technical, analytical, forensic skills for responders; stronger communication and project management skillsets for handlers.

It is also evident, then, how both the IR and IH functions have become more important than ever to enable and improve incident aftermaths with professionals, like a CSIH, who are dedicated to solving problems with widespread cybersecurity implications.

The CSIH certification can be, then, a much-admired qualification for computer security incident response team (CSIRT) members as well as any cybersecurity technical staff with computer network incident handling and incident responding involvement with one or more years of experience. The credential can benefit government personnel as well as incident handling educators and most cybersecurity professionals even when they are not directly involved in event response.

Because certifications can set professionals apart from non-certified applicants, an employer often prefers to hire CSIH Credential Holders with incident handling-related work experience as having the qualification signifies they have sufficient knowledge and skill in key areas to recognize, analyze, and respond to an incident successfully; as well, certified professionals also display a will to keep updated in the field through continuing education and participation in conferences and activities geared towards putting them in contact with other experts in the field.

So, What's on The CSIH Exam?

The certification is only awarded upon submission of the candidates' application and the successful completion of the SEI CERT CSIH examination ($499) with a passing score of at least 78%. All candidates will need to register for the CSIH Certification Examination via the SEI testing portal and will be able to take the test at Kryterion testing centers located worldwide. There are also provisions for candidates that do not have easy access to one of the official test sites. SEI has arranged for alternative testing center options with organizations authorized to host proctored examinations onsite using the Kryterion secure online proctoring system.

The test consists of a closed-book exam with 65 multiple-choice questions broken down into five content areas. All items in the test were determined by a panel of CSIH experts who designed the exam and ensures its updated regularly; they periodically review the tasks and the needed knowledge requirements of successful professionals in the field. The domains embedded in the content area of study include the following:

  • Protect Infrastructure (7%) – Ensure all data, information, etc. associated with the incident are afforded all the protections they need. This section of the test measures the ability of the candidate to provide solutions to problems identified through vulnerability scans and perform changes to the IT infrastructures in response to incidents.
  • Event/Incident Detection (17%) – Provide a response and handling capability that is necessary to detect incidents rapidly. These questions test applicants on their ability to monitor systems and use data gathered for proper analysis: this includes collecting data, identifying missing ones and collect forensically important images and info.
  • Triage & Analysis (28%) – Perform incident triage and handling by determining scope, urgency, and potential impact of a security breach. This section tests the ability to categorize and prioritize events correctly, perform correlation analysis to identify links between incidents, referred for further analysis to understand the causes of events; as well, it focuses on the knowledge required to analyze the means of intrusions and perform vulnerability analysis in the determination of risks and threat levels posed by the incident.
  • Respond (40%) – This includes a series of questions that cover more specifically incident response strategies and tasking. The professional is tested on a number of steps that need to be taken in response to an incident, from changing passwords and hardening the system to removing the causes of the incident to communicating with and informing all stakeholders, as well as coordinating with other sections in the organization and law enforcement to ensure the most organic response to the incident. Logging and tracking gathered information is also the object of this section together with the correct sensitivity classification for all data collected. The variety and importance of all these topics explain why this section comprises of almost half of the questions of the exam.
  • Sustain (8%) – A section that focuses on aspects of sustaining the incident management function over time. This includes preparing staff and the infrastructure for better detection and response through risk assessments and vulnerability scanning tools.

Passing the test and obtaining the certification is, of course, only the first step. It is up to the credential holder to keep the CSIH certification current, as the certification is valid for 3 years. To retain official recognition, a professional must complete 60 professional development units during the 3-year renewal cycle and pay a $150 renewal fee.

What's the Best Way to Train for the CSIH Exam?

There are several different pieces of training with the goal to educate new CSIHs, as well as annual conferences that bring professionals together to share their experiences and expertise with others in the field. Spreading info among members and the community at large, for example, is the main objective behind FIRST (the global Forum of Incident Response and Security Teams) Events and their Conferences on Computer Security Incident Handling around the world.

Of course, Carnegie Mellon University's Software Engineering Institute provides training courses (Fundamentals of Incident Handling and Advanced Incident Handling) for computer security professionals who wish to become CERT-Certified Computer Security Incident Handlers. However, professionals can find online several other programs that can help them gain or refresh their knowledge required to pass the exam. The InfoSec Institute's award-winning Incident Response Course, for example, that is part of its Network Forensics Training Boot Camp for the CERT-CSIH teaches students how to detect, contain and mitigate security incidents effectively. What's more, there is even an opportunity to work on incident response fundamental skillsets while discovering incident handling.

As other certifications address the material covered by the CSIH exam, IT professionals can also look at studying options for these tests as well in order to broaden their knowledge: the EC-Council CIH certification, or the CREST-accredited Cyber Security Incident Response (CSIR) if not the GIAC Certified Incident Handler (GCIH) career paths—all are suitable choices.


Cyber-related security incidents could materialize at any time into a network of connected devices. A CSIH is very helpful in identifying sufficient details to enable the incident response team to respond to the event and allow the prompt resolution for the continuity of the business functions.

So, who needs a CSIH? Knowing organizations are prone to cyber incidents, for that reason they can see a valuable reason why not use the knowledge of such professionals. Those who are certified prove to their employers they have the knack and skills to ensure all events are handled properly. That's why the exam tests the ability of candidates on a variety of topics that are essential in incident response and handling: This takes account of the technical skills required to face the incident and mitigate it on to the analysts' abilities necessary to assess the attack and gather data to prevent future occurrences; as well, to identify culprits in addition to the soft skills (communication ability, team working and coordination skills) required to synchronize the efforts of all stakeholders for a prompt resolution of any IT incidents.


Beaupre, A. (2009, April 16). Incident Response vs. Incident Handling. Retrieved from

Brecht, D. (2011, September 11). How to be a CSIR Professional. Retrieved from

CMU/SEI. (n.d.). CERT-Certified Computer Security Incident Handler. Retrieved from

CMU/SEI. (n.d.). CERT-Certified Computer Security Incident Handler Qualification Examination. Retrieved from

CMU/SEI. (2012, April 5).

SEI Certification Program Earns ANSI Accreditation. Retrieved from

Cormack, A. (2017, December 11). Security, Incident Response, Privacy and Data Protection. Retrieved from

CSIAC. (2016, February 29). CERT-Certified Computer Security Incident Handler. Retrieved from

Hurley, E. (2003, July 30). CERT creates incident-response certification.

Retrieved from

InfoSec Institute. (n.d.). How to become an Incident Responder. Retrieved from


Khan, M. (2018, February 28). 9 Tips for Improving Your Incident Response Strategy. Retrieved from


Messina, G. (2018, February 9). Incident Responder Career Roadmap: From Entry Level to Executive. Retrieved from


Microsoft Store Online. (n.d.). Certified Computer Security Incident Handler (CSIH) - Secrets To Acing The Exam and Successful Finding And Landing Your Next Certified Computer Security Incident Handler (CSIH) Certified Job.

Retrieved from

Sullivan, K. (2018, February 27). How to Create an Effective Incident Response Plan. Retrieved from


Trend Micro. (2015, September 22). Follow the Data: Dissecting Data Breaches and Debunking the Myths. Retrieved from

Valentin, J. (2013, February 28). Building an Incident Response Team and IR Process. Retrieved from


Zeltser, L. (2015, February 11). The Critical Role of the Security Incident Response Coordinator. Retrieved from

Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.