CERT-CSIH Domain Overview

January 10, 2019 by Graeme Messina

Note: The CERT-CSIH certification is being retired on April 30, 2021. Browse current IT and security certifications.

“The SEI will be retiring this CSIH certification program and exam on April 30, 2021. After that date, the SEI will no longer process any candidate applications or certification renewals, it will no longer grant any new CERT CSIH certifications, and the CSIH certification exam will no longer be available for certification candidates. The SEI will maintain existing CERT CSIH certifications on the certified professionals list until they have expired.” — Software Engineering Institute at Carnegie Mellon University

Businesses rely heavily on their IT infrastructure in order to function, so when cyber-threats occur within the organization, you need the right people to handle the incident from the minute it is detected. It is for this reason that certifications such as the CERT-CSIH (Certified Computer Emergency Response Team Certified Security Incident Handler) are so important for companies to have in their resource pool. The main function of such certification holders is to handle incidents and perform real-time risk assessments, as well as advise on the necessary steps to mitigate further damage to systems and information.

The skills that the CERT-CSIH candidate brings to the security team that they work with are complementary and can be leveraged by the incident commander, who is responsible for overseeing each incident that is active. As well as having operational understanding of how a cyber-incident should be handled and acted on, CERT-CSIH practitioners are also highly-skilled individuals with excellent cybersecurity knowledge and understanding, which helps them to actively participate during an incident.


You might be wondering what the overarching objectives of such a certification are, and we’ll take a look at some of the fundamentals that make this worth your while. It helps the individual candidate to demonstrate their abilities and knowledge in cybersecurity and is a great way to build up on experience and advancing further into the field of computer security in general. From the employer’s perspective, the CSIH shows that you have what it takes to be a part of the cybersecurity team, and that you understand the roles and responsibilities of a CSIRT member.

When working in a CSIRT, CSIH holders will find that they must take on several different functions in different situations. If they are the first to encounter an issue, then they will find themselves possibly taking on the role of incident commander or coordinator, where they must quickly mobilize the rest of the teams that are needed and then allocate them accordingly. At other times, the CSIH holder may find themselves acting as an important communications link between the technical teams and management, or even with customers and stakeholders. Communication is essential in times of security-related incidents, as the management of skills and resources is critical if downtime is to be minimized or avoided all together.

Individuals that hold a CSIH certification are generally knowledgeable and highly-skilled in the latest techniques and best practices in cybersecurity, incident response and handling. Because of this, they are able to produce information that is accurate and can deploy solutions quickly and effectively to help combat threats during an incident response. They are able to produce results that are effective and meaningful, giving the organization a better chance of recovering from a cybersecurity event.

Due to this, CSIH holders are far more valuable to businesses as they offer skills, methods and abilities that are current and relevant to modern threats and have a certification that is in line with international best practices.

Who Is the CSIH Aimed At?  

Security professionals that are looking to advance their careers in the field are encouraged to consider this as a valuable career track. Having the CSIH will equid qualified individuals to join incident response and cybersecurity teams, while offering potential employers a highly desirable skill set. It is also aimed at professionals who may already be handing incident-response scenarios within the organization but wish to certify and solidify the work experience that they have already gained.

The certification is good for military staff, civilians and contractors that work in either sphere. The main aim of the qualification is to enable candidates to successfully take on the responsibilities of a computer network incident-handling team member or a cybersecurity incident response handler. Other job roles that would benefit from such a certification are people that work as a member of a CSIRT, technical staff involved in incident response, system and network administrators with incident response responsibilities and experience, incident-handling educators and cybersecurity technical staff.

CSIH Domain Overview

There are five domains on the CSIH exam, also known as the Major Content Groupings Exam Weighting. They are broken down into the following:

  1. Protect Infrastructure 7%
  2. Event/Incident Detection 17%
  3. Triage & Analysis 28%
  4. Respond 40%
  5. Sustain 8%

We will go into brief detail about each domain, as well as what the required exam objectives are.

1. Protect Infrastructure

The main goal of this exam objective is quite self-explanatory and goes into quite a lot of detail about how candidates would help to fix issues that come up during a cybersecurity incident. These issues would be detected during the scanning and analysis of the assessment of the issue.

This section also require that the candidate is able to implement the changes necessary to stop and mitigate damage, as well as prevent further damage from occurring. Learning about root cause issues and conducting postmortems are important in this section, as well as other general improvements to the overall incident response system. Candidates must also provide relevant parties with guidance and best practices for better system protection and network security.

2. Event/Incident Detection

Candidates must monitor networks and information systems for improved security, as well as analyze the data and indicators from the networks and systems that are being actively monitored. Reporting on events and incidents is essential, so these must be captured into a central knowledge base for future reference. Information collection is also tested here, with things like malware instances and system logs being of crucial importance.

This helps to improve security overall and strengthens an organization’s ability to combat security challenges. Candidates must also show knowledge in the performance and collection of forensically-sound samples (such as system images) for later forensic analysis and investigation. Candidates must also show proficiency in identifying missing data as well as additional information sources and system artifacts.

3. Triage and Analysis

Candidates must categorize the events that are set out in the organization’s standard category definitions and perform correlation analysis operations on event reports to help determine if there are connections between separate events. Events must be prioritized, and the scope, urgency and potential impact must all be determined. Candidates must assign events for future analysis, response or closure, depending on the outcome of the analysis.

The cause and symptoms of an event must also be determined for future reference. Any tools that were used during a breach must be identified, collected and analyzed if possible. This helps to understand the specific vulnerabilities that led to the compromise of the information systems. Vulnerability analysis must also be understood by the candidate. The risk and threat level and business impact must also be taken into consideration of confirmed incidents.

4. Respond

Those wishing to complete the CSIH must learn how to develop an incident response strategy, as well as the techniques that allow for proper repair and cleanup operations after the fact. Other important items to learn for the exam are the tasks such as real-time incident response (like direct system remediation) and other supporting tasks that help with deployable incident response teams.

Candidates must demonstrate an understanding of how incidents occur and how the risks associated with an active incident can be mitigated. This includes countermeasures such as password changes and improved defenses, removing the cause of the incident. Responding also covers the communication that needs to take place in order for all the relevant stakeholders to stay informed and up to date about the situation. This also includes liaising functions and team coordination.

Candidates also need to provide notification services for all concerned parties so that future incidents are more easily detected and dealt with faster. Other aspects of communication include law enforcement liaison duties and acting as the technical expert in an investigation, able to explain incident details and provide testimony. Data and evidence collection are also tested on in the CSIH exam, as well as analytical support for reporting and record-keeping. This includes timeline recreation of the incident, as well as support for future analytical efforts for situational awareness.  

5. Sustain   

This is the second-smallest section of the exam and is weighted accordingly. It requires that candidates be able to perform risk assessments on incident management and networks. Candidates must show that they are able to successfully run vulnerability scanning tools on incident management systems and networks.  


All of the examination content that is found in the CSIH exam has been formed with a panel of experts and content partners, and the questions have been formulated by randomly-selected CSIH professionals with experience in the field. They are able to discuss the requirements that the role requires so that they can create a theoretical profile of what a minimally-qualified candidate might look like. Passing the exam shows that the successful candidate is at or above the certification standard and is qualified to work in an incident response environment.


  1. CERT-Certified Computer Security Incident Handler Qualification Examination, SEI
  2. CERT-Certified Computer Security Incident Handler, SEI
  3. SEI-Certified Individuals, SEI
Posted: January 10, 2019
Graeme Messina
View Profile

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.