Most of the people I see step into incident response did not plan it that way. They were a systems administrator or a help desk lead or a junior analyst, and one day a real incident landed in their lap. Nobody had taught them a process, so they improvised, and the improvising is exactly where things go sideways. After decades of designing certification curriculum, what stands out to me about the EC-Council Certified Incident Handler is that it is one of the few credentials built entirely around the process most people never got trained on.
That is what makes ECIH worth understanding before you sign up for it. It is not a broad security cert, and it is not a pen testing cert. It teaches you to run a structured response when an organization is in the middle of a bad day. This guide covers what the exam actually tests, who it fits, and how to study it so the knowledge holds up when you need it under pressure, not just long enough to pass.
ECIH teaches one thing well: a repeatable way to handle an incident from the first alert through recovery and the after-action review. The exam rewards you for knowing that process cold rather than for memorizing tool names.
What Is the EC-Council ECIH Certification?
ECIH stands for EC-Council Certified Incident Handler. It is a specialist-level certification focused on detecting, responding to, and recovering from security incidents. The current version is ECIH v3, and the exam code is 212-89. Where a foundational cert like Security+ touches incident response as one topic among many, ECIH spends the entire program on it, from building a response plan and assembling a team through handling specific kinds of incidents and writing the report that closes the case.
The credential maps to a real job function. Organizations large enough to have a security team eventually need someone who can take charge when something goes wrong, coordinate the people involved, preserve evidence correctly, and keep a cool head while the business is asking when systems will be back. That role shows up under titles like incident responder, SOC analyst, and incident handler, and ECIH is built to validate that you can do the work, not just describe it.
When I design a course around a cert like this, the first question I ask is whether the skill transfers to a real moment of pressure. Incident response is one of those skills where the gap between knowing the steps and executing them during a live event is enormous. A good ECIH study plan closes that gap by making the response process automatic, so that under stress you fall back on something you have rehearsed instead of improvising.
ECIH Exam Details: Format, Cost, and Passing Score
Here are the numbers that matter before you commit. The 212-89 exam runs 100 multiple-choice questions over a three-hour window, delivered through the EC-Council exam portal with remote proctoring available. The exam voucher is priced at $450. One detail that surprises people: there is no single published passing percentage.
That variable cut score throws students who are used to a fixed number like 70 percent. EC-Council runs multiple forms of the exam, and each form gets its own cut score depending on how hard its questions test out. The practical takeaway is the one I give every class. Stop chasing a magic percentage and study for mastery across every domain, because you do not get to pick which form you sit. You can confirm the current specifics on the official EC-Council ECIH page before you book.
What Does the ECIH Exam Cover? The Nine Domains
The ECIH v3 blueprint is organized into nine domains, and the way they are sequenced tells you how to study them. The first three build the foundation: a way of thinking about incidents, the response process itself, and how to be ready before anything happens. The remaining six apply that foundation to specific kinds of incidents you will actually face.
From an instructional standpoint this is a gift, because once you internalize the core process from the early domains, the incident-type domains stop feeling like six separate things to memorize. They become the same process applied to malware, then to email, then to a network event, and so on. Learn the spine first and the rest hangs off it.
The Foundation Domains
Introduction to incident handling and response. The vocabulary and the framing. What counts as an event versus an incident, the types of threats, the role of a response team, and the relevant laws and standards. This is where the NIST incident response lifecycle gets introduced, and it underpins almost everything else.
The incident handling and response process. The heart of the certification. Preparation, detection and analysis, containment, eradication, recovery, and the post-incident review. Know this cold and you can reason your way through most of the scenario questions even when the specifics are unfamiliar.
First response and forensic readiness. What to do in the first minutes, how to preserve evidence without contaminating it, chain of custody, and getting an organization prepared before an incident lands. The evidence-handling material here trips up people who have never done forensics work.
The Incident-Type Domains
The back half of the blueprint walks through handling and responding to six categories of incident: malware, email security, network security, web application, cloud, and insider threats. Each one takes the core process and adapts it to the indicators, containment moves, and recovery steps that fit that category.
Three of these reliably cause the most trouble. Cloud incident response is newer territory and the shared-responsibility wrinkle confuses people. Insider threats lean heavily on behavioral indicators rather than technical signatures, which is a different mode of thinking. And malware handling is dense with specifics about identification and containment. Weight your study time toward those three.
Who Should Consider ECIH?
ECIH sits at the specialist level, which means it is not where most people start. It assumes you already understand security fundamentals, so the candidates who get the most from it tend to have a foundational cert or equivalent experience under their belt. If you are brand new to the field, you will get more out of building that base first, which is why pieces like our guide to entry-level cybersecurity certifications exist as a starting point.
The clearest fit is someone already working in or moving toward a blue-team role. SOC analysts who want to handle escalations rather than just triage them. System and network administrators who keep ending up as the de facto responder and want the formal process behind it. Security professionals on a defensive track who need a credential that says they can run an incident from start to finish. If you are curious how that day-to-day actually looks, our look at what a SOC analyst does all day gives useful context for where ECIH fits.
Who should hold off? If your goal is offensive security or pen testing, your time is better spent elsewhere, because ECIH is squarely a defensive credential. And if you have no security grounding yet, jumping straight to a specialist cert usually means memorizing terms you have no context for, which fades fast. Specialist certs reward people who already have somewhere to attach the new knowledge.
How to Study for ECIH So the Knowledge Sticks
This is the part I care about most, because passing the exam and being able to use the material are not the same thing, and a good study approach gets you both. The biggest mistake I watch people make is treating ECIH as a list of facts to cram. The scenario questions punish that approach immediately, since they describe a situation and ask what you should do next, which you cannot answer from rote memory.
Start by making the response process automatic. Before you touch any incident-type domain, you should be able to recite the phases of the handling process and explain what happens in each one without looking. Containment before eradication, eradication before recovery, and a post-incident review every single time. When that sequence is reflexive, the scenario questions get much easier, because most of them are really asking which phase you are in and what the right move is for that phase.
From there, learn each incident type as a variation on that spine rather than a fresh subject. Ask the same questions for each one. What are the early indicators? What does containment look like here? How do you eradicate and recover? What evidence do you preserve? Answering that consistent set of questions across malware, email, network, web, cloud, and insider incidents builds a mental template you can apply to a scenario you have never seen, which is exactly what the exam is testing.
A study habit that works: for every practice question you miss, do not just note the right answer. Write one sentence on which phase of the process the scenario was in and why the correct action belonged to that phase. That single habit turns a wrong answer into reinforcement of the framework instead of an isolated fact, and it is the difference between students who plateau on practice tests and students who keep climbing.
On practice exams, treat consistent scores above 80 percent across all domains as your readiness signal, not a single high score on one attempt. Because the real exam draws from multiple forms with shifting cut scores, a comfortable buffer in every domain is what protects you from drawing a harder form on test day. Some people pull this together through self-study, others through a structured boot camp that compresses the timeline and keeps the process front and center. Training Camp runs an ECIH boot camp if that accelerated format fits how you learn, though the study principles here apply no matter which path you take.
Frequently Asked Questions
What is the EC-Council ECIH certification?
ECIH is the EC-Council Certified Incident Handler, a specialist-level certification focused entirely on detecting, responding to, and recovering from security incidents. The current version is ECIH v3, exam code 212-89. It validates that you can run a structured incident response from the first alert through recovery and the after-action review.
How much does the ECIH exam cost?
The ECIH exam voucher is priced at $450. Training and courseware are separate costs that vary by provider, and many providers bundle the course materials with the exam voucher. Always confirm current pricing on EC-Council's official page before booking.
What is the passing score for the ECIH 212-89 exam?
There is no single fixed passing percentage. EC-Council uses multiple exam forms and sets a cut score for each one based on its difficulty, so the bar can range depending on which version you sit. The practical advice is to study for mastery across all domains rather than aiming at a specific number.
How many questions are on the ECIH exam?
The ECIH v3 exam has 100 multiple-choice questions and a three-hour time limit. Many of the questions are scenario based, describing a situation and asking what action you should take next, which is why memorizing facts alone is not enough to pass.
Is ECIH good for beginners?
ECIH is a specialist-level certification, so it works best for people who already have a security foundation through a cert like Security+ or equivalent hands-on experience. Complete beginners usually get more value from building that base first, then moving to ECIH once they have context to attach the incident response material to.
How many domains does the ECIH v3 exam cover?
Nine. The first three cover the foundations: an introduction to incident handling, the response process itself, and first response with forensic readiness. The remaining six cover handling specific incident types: malware, email, network, web application, cloud, and insider threats.
VP of Educational Services | Training Camp
Jeff Porch is the VP of Educational Services and Operations at Training Camp, where he leads the company's educational initiatives with a focus on accelerated learning and student success. Beyond overseeing curriculum development, Jeff serves as the lead course designer for Training Camp's CompTIA Security+ program, one of their most popular offerings. He is deeply involved in the instructional side of the business — developing certification courses, training instructors, and ensuring that complex IT concepts are delivered in ways that maximize retention and minimize time-to-certification.
