CERT-CSIH Domain #1: Protect Infrastructure

January 14, 2019 by Graeme Messina

Note: The CERT-CSIH certification is being retired on April 30, 2021. Browse current IT and security certifications.

“The SEI will be retiring this CSIH certification program and exam on April 30, 2021. After that date, the SEI will no longer process any candidate applications or certification renewals, it will no longer grant any new CERT CSIH certifications, and the CSIH certification exam will no longer be available for certification candidates. The SEI will maintain existing CERT CSIH certifications on the certified professionals list until they have expired.” — Software Engineering Institute at Carnegie Mellon University

The CERT-CSIH is a useful certification for individuals that have worked in an incident response environment and wish to certify their knowledge. The CERT-CSIH (Certified Computer Emergency Response Team Certified Security Incident Handler) is designed to help you demonstrate your cybersecurity skills in the area of incident response and command. The overall qualification delves into several different areas which are covered in a series of topics, all of which require a solid understanding of how incident response is conducted. The current domain layout and exam weighting looks like this:

  • Protect Infrastructure 7%
  • Event/Incident Detection 17%
  • Triage & Analysis 28%
  • Respond 40%
  • Sustain 8%

Today we will be looking at the first domain, Protect Infrastructure. Although it is not weighted heavily, it is still very important in the examination process and needs to be understood fully if candidates are going to pass the exam.

The exam itself consists of 65 multiple-choice questions, and the exam is tested in a closed-book format. The passing score on the exam is 78%, meaning that candidates that score lower than that will not be eligible for CERT-CSIH certification.

The Software Engineering Institute (SEI) requires that users that plan to certify in the CERT-CSIH must first create an account here. The certification is valid for a period of three years and is renewable. In order to renew a certification, members must submit the required documentation 30 days prior to the last day of the month in which the certification expires. The full renewal process can be found here. The examination fee is $499 USD, and the renewal fee is $150 at time of writing. For further pricing queries, you can contact the SEI here.

Importance of Incident Handling

Incident handling is a critical element in the fight against cyber-attacks, both in business and government agencies as well as the military. It is for this reason that many people are finding a great number of opportunities within the Incident Response line of work. Incident Handling is a part of this same area.

Incident handling can mean many things to different people, but some the core functions of an incident-handling role could be:

  • Identifying threats, outlining the scope of the threats and managing incidents, both internal and external to the business or department
  • Act as the Subject-Matter Expert (SME) for incident response and cyber-forensics teams
  • Incident response technical analysis and report generation after an incident has occurred
  • Help to develop remediation planning and help strengthen security by finding and removing weaknesses within the system
  • Threat hunting and vulnerability scanning could also form part of your job responsibilities, especially while ongoing threats have been detected
  • Help to develop and test incident response plans and playbooks in conjunction with the CSIRT, based on scenarios that are determined by the information security management team
  • Communicate with different layers within the organization, altering the technical level of information for each layer. This means that you should be able to explain the operational impact of the threat to certain managers and staff, the technical nature of the threat to the information systems teams and the financial implications to the executives

These points are very basic and are somewhat generic in their scope, but they should give you a rough idea of what you could to expect to learn about when taking on the CERT-CSIH certification.

Certification Process

Getting certified with the SEI is a little different from some of the other certifications that you might have achieved in the past, so it is worth looking at the process carefully.

The SEI will first review your application and the submitted documentation and once all is in order, they will contact you within two to six weeks. If a candidate is accepted, they will receive an email instructing them how to create a user profile, as well as what steps they need to take before they will be admitted. If a candidate does not meet the requirements that the SEI is looking for, then they will receive correspondence explaining what needs to be improved before they will be allowed to take the exam.

Candidates must pass the exam within 12 months of receiving the confirmation email, or else they must apply again. Taking the exam is possible by attending a testing session at a Kryterion testing facility. If you aren’t able to get to a testing location, then the SEI offers and alternative testing program which you can find out about here. They will give your organization access to the secure portal and allow you to write it online if you are not close to a testing venue.

Three attempts are allowed in a twelve-month cycle. After passing the exam, candidates can opt in to be featured on the SEI website as an SEI-Certified Individual.

Domain #1 Objectives Overview: Protect Infrastructure

The first domain focuses on the protection of infrastructure and what that means for the company that you will be working for. There isn’t too much weight to this section of the exam as it only accounts for around 7% of the total score, but it is still very important that you understand all of the concepts within it.

This section teaches candidates that all data and information that is associated with the incident needs to be collected and kept safe for analysis after the fact. Customer data must be protected and kept safe, and any intrusions or attacks on the network must be dealt with as soon as possible. The exam seeks to test the candidate’s knowledge of vulnerability scanning as well as the general administration of IT systems during an active incident.

The direct objectives obtained from SIE are as follows:

Protect Infrastructure

  • Assist constituents with correcting problems identified by vulnerability scanning activities
  • Implement changes to the computing infrastructure (to stop or mitigate an ongoing incident, to stop or mitigate the potential exploitation of a vulnerability or as a result of postmortem reviews or other process improvement mechanisms)
  • Provide constituents with guidance in best practices for protecting their systems and networks

There are five domains in total for the CERT-CSIH, each with their own specific testing objectives to help you show your competence in the field of incident response and handling. The Protect Infrastructure domain is critical for the continued operations of an organization or department once an attack has been detected, so be sure to fully cover all of the information in this section to ensure a great pass mark in the exam.


Following a career in cybersecurity and incident response is an exciting opportunity for anyone looking to expand their horizons by landing that dream job within a CSIRT. However, there is a lot to learn and a lot of pressure, especially in times of crisis. This makes the role somewhat difficult for some, which is why the certification is so critical. It takes all of the guesswork out of the position, and it teaches real-world solutions to challenging cybersecurity problems.


  1. CERT-Certified Computer Security Incident Handler Qualification Examination, Software Engineering Institute
  2. Benefits of the Computer Security Incident Handler Certification, Software Engineering Institute
  3. Webassessor, Software Engineering Institute
Posted: January 14, 2019
Graeme Messina
View Profile

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.