CERT-CSIH - Exam Information

Rodika Tollefson
January 10, 2019 by
Rodika Tollefson

Note: The CERT-CSIH certification is being retired on April 30, 2021. Browse current IT and security certifications.

"The SEI will be retiring this CSIH certification program and exam on April 30, 2021. After that date, the SEI will no longer process any candidate applications or certification renewals, it will no longer grant any new CERT CSIH certifications, and the CSIH certification exam will no longer be available for certification candidates. The SEI will maintain existing CERT CSIH certifications on the certified professionals list until they have expired." — Software Engineering Institute at Carnegie Mellon University

Many cybersecurity professionals consider certifications an essential part of advancing in the field. So do employers looking for talent. According to the job-analytics company Burning Glass Technologies, more than a third of job openings in cybersecurity ask for a certification, compared to less than a quarter of all jobs in IT.

If you’re interested in a career in incident response, one certification to consider is Computer Security Incident Handler (CSIH) from CERT, a division of the Software Engineering Institute (SEI) at Carnegie Mellon University. Although not as popular as some other similar certifications, CERT-CSIH is a solid credential and SEI has a longstanding reputation in doing work with the Department of Defense and other government agencies, as well as the private sector.

Incident responder is one of the industry’s top-paying jobs, according to Tripwire. As the role requires a broad range of skills — from Web-application security and threat detection to forensics — CERT-CSIH is a good way to demonstrate you have the knowledge of the latest best practices, can produce high-quality results and have the skills and ability to help your employer achieve its objectives.

Topics Covered on the CERT-CSIH Exam

The closed-book CERT-CSIH exam contains a total of 65 questions in five content areas: infrastructure protection, event and incident detection, triage and analysis, response and sustainability. The certification was designed for military, contractor and civilian personnel based on a rigorous multi-phase process that included a panel of subject-matter experts and multiple reviewers.

Here’s a sampling of topics that each section covers:

Protect Infrastructure (7 percent of the exam)

  • Implement infrastructure changes to help mitigate an incident or potential vulnerability exploitation
  • Give guidance to your constituents (e.g., CISO or IT administrator) on best practices for protecting information systems (IS)

Event/Incident Detection (17 percent)

  • Monitor the security of the IS infrastructure and analyze logs and data
  • Collect the data necessary to mitigate incidents and perform an initial forensic investigation

Triage and Analysis (28 percent)

  • Prioritize events based on criteria such as urgency and potential impact
  • Analyze the data (malware, artifacts) after an intrusion to understand its purpose and identify related vulnerabilities

Respond (40 percent)

  • Develop a strategy for incident response and coordinate the internal incident response team
  • Report incident to, and coordinate with, applicable external organizations such as law enforcement
  • Improve infrastructure defenses and retain incident information to help with future situational awareness

Sustain (8 percent)

  • Conduct risk assessments on incident management systems
  • Perform vulnerability scanning on networks and incident management systems

Exam Requirements

To take the CERT-CSIH exam, you need at least one year of experience in incident handling, or related experience. Some of the related fields include:

  • Military, contract or civilian role that handles information systems
  • Member of a computer security incident response team
  • Cybersecurity technical staff

Taking a course can help you better prepare for the exam but completing a course doesn’t guarantee that you’ll pass. You need a 78 percent score to receive the certification.

Before you can register to take the CERT-CSIH exam, SEI needs to review and approve your candidacy application. This process takes about two to six weeks. If your application is not approved, SEI will notify you which areas of your application package need to be improved.

What to Expect After Application Approval

SEI will notify you by email regarding the status of your application. Once you are approved to take the exam, you have 12 months to register via SEI’s online portal. Proctored exams are conducted at Kryterion, which has more than 1,100 testing centers worldwide. If there’s no location near you, Kryterion also offers a secure online testing alternative.

Before registering for the exam, participants must have received notification that their certification application package has been reviewed and approved by the SEI.

What Happens If You Fail the Exam

If you don’t score a minimum of the 78 percent to pass the exam, you can make two more attempts within the same year. You’ll be charged the exam fee for each attempt.

Those who still don’t pass after three tries will need to send a letter to SEI. The SEI Certification Program may allow two more attempts, but if you fail again, you’ll have to wait two years to reapply as well as include evidence of further training or experience in incident handling.

What to Expect After Certification

After you receive the diploma for your CERT-CSIH certification, you have the option of being listed on SEI’s website, which publishes a list of CERT-certified individuals. As of the end of December 2018, the website listed 371 total CERT-certified professionals, but only 49 of them specifically for CSIH.

As with many security certs, the CSIH credential is valid for three years and must be renewed through a continuing education program. SEI’s renewal program is based on professional development units (PDUs), which include four categories of professional development activities such as attending seminars and association meetings, taking continuing education courses, presenting workshops and publishing books and articles.

You’ll need to maintain an activity log for the 60 PDUs required to renew your CSIH certification. To encourage incident-handling professionals to pursue a mix of professional development options, SEI has a limit for how many PDUs can be earned for each of the four activity categories.

Advancing Your Career — Takeaways

A broad range of certifications are available to security professionals, and typically there are multiple choices for each career path. Choosing the right one for you will take a little homework — ask your peers, peruse job boards to see what employers require, check industry surveys, research the reputation of the certification program, etc.

The CSIH can be helpful in gaining and demonstrating your ability to respond to security incidents such as attacks and mitigate risks. The bottom line is that it’s an effective way to prove to your employer or potential employer your commitment to your job and your industry.


  1. How to Get a Cybersecurity Job in Three Charts: a Degree, a Certification and a Clearance, Burning Glass Technologies blog
  2. The Top 10 Highest Paying Jobs in Information Security, Part 1, Tripwire blog
  3. CERT-Certified Computer Security Incident Handler, Software Engineering Institute
  4. CERT-Certified Computer Security Incident Handler Qualification Examination, Software Engineering Institute
  5. Army COOL Credentialing Snapshot
  6. SEI-Certified Individuals, SEI
  7. How to Renew CSIH Certification, SEI
Rodika Tollefson
Rodika Tollefson

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at