Incident responders detect, identify and contain cyberattacks to minimize their damage to business operations. To do this effectively and be valuable members of the incident response team, security professionals must know how to analyze logs, put together and use an arsenal of security tools and processes, conduct threat hunting exercises, and prepare and test incident response plans and playbooks.
Further, incident responders require an understanding of active threat groups and their techniques, tactics and procedures. Incident responders also need strong knowledge of cybersecurity and networking principles, especially regarding common cloud architectures.
To bolster career progression and cybersecurity skills, incident responders should determine how best to learn and then demonstrate their knowledge. Many security professionals do this by earning an incident response certification. The following are four incident response certifications and three additional cybersecurity certifications to consider earning if interested in an incident response-specific role. While the certifications focus on incident response, cybersecurity professionals can apply them toward other industry careers, including penetration tester, digital forensics investigator and cybersecurity engineer.
Editor's note: Many other sites recommend Certified Computer Security Incident Handler (CSIH). The Software Engineering Institute at Carnegie Mellon University retired CSIH in April 2021.
1. EC-Council Certified Incident Handler (ECIH)
Many incident response newcomers start by looking at EC-Council's ECIH. The ECIH program teaches candidates how to quickly detect, contain and respond to incidents, as well as address post-breach issues. The ECIH course is split into 10 modules with hands-on labs:
- Introduction to Incident Handling and Response.
- Incident Handling and Response Process.
- First Response.
- Handling and Responding to Malware Incidents.
- Handling and Responding to Email Security Incidents.
- Handling and Responding to Network Security Incidents.
- Handling and Responding to Web Application Security Incidents.
- Handling and Responding to Cloud Security Incidents.
- Handling and Responding to Insider Threats.
- Handling and Responding to Endpoint Security Incidents.
The ECIH course is available for self-study or as a three-day class, online or at an EC-Council Accredited Training Center.
While the certification is widely recognized in the industry, some industry professionals deem it too basic. Many experienced incident responders recommend new and inexperienced cybersecurity professionals not spend the time and money on such an entry-level certificate, suggesting other incident response certificates instead. Further, EC-Council's reputation has been questioned due to past high-profile plagiarism incidents and data breaches.
The ECIH exam, consisting of 100 multiple-choice questions to be completed within three hours, requires a 70% passing score. Candidates must have a prerequisite three years of cybersecurity experience. After passing, certification holders must renew ECIH every three years.
2. GIAC Certified Incident Handler (GCIH)
Global Information Assurance Certification's (GIAC) GCIH course offers some of the broadest incident response coverage. The certification, based on the six-day SANS Institute "SEC504: Hacker Tools, Techniques, and Incident Handling" course, has a reputation for providing actionable and useful real-world knowledge. It focuses on incident response from the attacker's perspective to help defenders understand how best to react.
SEC504 covers dynamic incident response, on-premises and cloud defense strategies, and cybersecurity attack identification. The course includes hands-on exercises and labs with a variety of tools, such as Hashcat, Nmap, Zeek and Metasploit, and closes with a capture the flag event. The course is available in person, live online and on demand.
The GCIH exam paired with the SANS training course can be costly for some applicants. Test-takers could ask their current employers to allocate training budget.
Some industry professionals have noted that the red teaming tools used in the course and the exam are out of date and recommend the more recent and complementary GIAC Certified Intrusion Analyst (GCIA) certification, based on the six-day SANS "SEC503: Network Monitoring and Threat Detection In-Depth" course. More network-focused and technical, the GCIA exam is considered more difficult than the GCIH exam. Another complementary certification is GIAC Certified Forensic Analyst (GCFA), based on the six-day SANS "FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics" course. GCFA is considered even more difficult than the GCIH exam.
GCIH covers the following three areas:
- Incident handling and computer crime investigation. Candidates demonstrate they know how to conduct the incident handling process and best practices, such as performing investigations into suspected attacks and mitigating exploits.
- Computer and network hacker exploits. Candidates show they understand how to identify different cyberattacks and stop or mitigate each type of attack.
- Hacker tools, such as Nmap, Metasploit and Netcat. Candidates demonstrate they understand how these hacking tools work, can detect their use, and can deploy defensive strategies to stop them.
The four-hour, web-based proctored exam consists of 106 questions. Candidates must score 70% to pass. The GCIH practitioner exam costs $979 for the first attempt and $879 for retakes. The more rigorous and comprehensive Applied Knowledge version of the certification -- called GIAC Experienced Incident Handler -- costs $1,299 for the first attempt and $1,199 for retakes. The SEC504 course costs an additional $8,525. Certificate renewal, which must be done every four years, costs $479.
3. CREST Registered Intrusion Analyst (CRIA)
Council for Registered Ethical Security Testers (CREST), best known for its pen testing certifications, offers the CRIA incident response certification. This intermediate-level certificate provides candidates with a high level of incident response education and is a useful certificate for incident responders to aim for early in their career. CRIA isn't as well known as the other qualifications listed here, so it is recommended as an extra certification or when an employer specifically requires it.
The exam tests candidates on their knowledge and skills of network and host intrusions and malware reverse-engineering, including the following:
- Incident chronology, including timestamp analysis.
- IP protocols, including application layer protocols and how they're used by malware.
- Common classes of tools, including intrusion analysis and reverse-engineering tools.
- Data sources and network log sources, such as proxy, firewall and VPN logs.
- Windows and application file structures.
- Behavioral analysis.
Candidates must obtain the entry-level CREST Practitioner Intrusion Analyst certification to take the CRIA exam, as well as have three years or 6,000 hours of relevant professional experience.
The 2.5-hour exam consists of 150 multiple-choice, open-book questions and a practical assessment. Candidates must take the exam at a CREST Examination Center and score a minimum of 60% to pass. The CRIA exam is currently only administered in the U.K., costing 395 pounds, or approximately $500.
4. CompTIA Cybersecurity Analyst (CySA+)
CompTIA has a good reputation in the industry; its certifications are considered valuable and enhance employability. The intermediate-level CySA+ demonstrates incident responders have the knowledge to interpret logs to discern if security incidents represent real threats and ensures a fundamental understanding of network and cybersecurity principles. The certification also showcases the holder's ability to create incident response reports. CompTIA updated the exam for 2024 to include cloud technologies and web applications; this represents a major improvement over the version retired in December 2023.
CySA+ aims to ensure candidates have the skills to detect malicious incidents, understand threat intelligence and threat management, respond to cybersecurity incidents, carry out incident response activities and create post-incident reports.
The exam is split into the following four domains:
- Security Operations (33%). Candidates demonstrate knowledge of system and network architecture, such as logs, file structures, system processes, cloud vs. hybrid vs. on-premises architecture, zero trust, encryption, data protection, and identity and access management.
- Vulnerability Management (30%). Candidates implement vulnerability management for asset discovery, critical infrastructure and industry frameworks. For a given scenario, they need to handle scanning methods, analyze output from different tools, determine vulnerability prioritization and recommend how to mitigate different exploits.
- Incident Response and Management (20%). Candidates demonstrate knowledge of attack methodology frameworks, such as cyber kill chains, MITRE ATT&CK and OWASP. Candidates receive a scenario and perform incident response methods, explaining how to handle the incident management lifecycle.
- Reporting and Communication (17%). Candidates cover how to create an incident response report and communicate an event to legal, customers, media and law enforcement.
CompTIA recommends candidates have four years of professional incident response or security operations center analyst experience, as well as Network+ or Security+ certification.
The CySA+ exam, available online or in person, consists of up to 85 multiple-choice and performance-based questions. Candidates have 165 minutes to complete the exam and must score at least 750 out of 900 to pass. The exam costs $392. Basic and advanced exam bundles with training are available.
To renew, certification holders must earn 60 continuing education units every three years.
Additional security certifications for incident responders
A variety of cybersecurity certifications that are not incident response-specific can also help cybersecurity professionals along their incident responder career path, including the following:
- ISC2 Certified Information Systems Security Professional (CISSP).
- ISACA Certified Information Security Manager (CISM).
- ISACA Certified Information Systems Auditor (CISA).
Rob Shapland is an ethical hacker specializing in cloud security, social engineering and cybersecurity training for companies worldwide.