Top incident response certifications to consider in 2026

Cybersecurity professionals pursuing an incident response track should consider the following certifications to bolster their knowledge and advance their careers.

Incident responders detect, identify and contain cyberattacks to minimize damage to business operations. To do this effectively and be valuable members of the incident response team, security professionals must know how to analyze logs, assemble and use an arsenal of security tools and processes, conduct threat hunting exercises, and prepare and test incident response plans and playbooks.

Further, incident responders require an understanding of active threat groups and their tactics, techniques and procedures. Incident responders also need strong knowledge of cybersecurity and networking principles, especially regarding common cloud architectures.

To bolster career progression and cybersecurity skills, incident responders should determine how best to learn and then demonstrate their knowledge. Many security professionals do this by earning an incident response certification.

This article discusses incident response certifications and cybersecurity certifications to consider if interested in an incident response-specific role. While the certifications focus on incident response, cybersecurity professionals can apply them toward other industry careers, including penetration tester, digital forensics investigator and cybersecurity engineer.

EC-Council Certified Incident Handler (ECIH)

Many incident response newcomers start by looking at EC-Council's ECIH. The ECIH program teaches candidates how to quickly detect, contain and respond to incidents, as well as address post-breach issues. The ECIH course is split into 10 modules with hands-on labs:

  1. Introduction to incident handling and response.
  2. Incident handling and response process.
  3. First response.
  4. Handling and responding to malware incidents.
  5. Handling and responding to email security incidents.
  6. Handling and responding to network security incidents.
  7. Handling and responding to web application security incidents.
  8. Handling and responding to cloud security incidents.
  9. Handling and responding to insider threats.
  10. Handling and responding to endpoint security incidents.

The ECIH course is available for self-study or as a three-day class, online or at an EC-Council Accredited Training Center.

While the certification is widely recognized in the industry, some industry professionals deem it too basic. Many experienced incident responders recommend that new cybersecurity professionals should consider more challenging incident response certificates instead. Further, EC-Council's reputation has been questioned due to past plagiarism incidents and data breaches.

The ECIH exam, consisting of 100 multiple-choice questions to be completed within three hours, requires a 70% passing score. Candidates must have a prerequisite three years of cybersecurity experience. After passing, certification holders must renew ECIH every three years.

GIAC Certified Incident Handler (GCIH)

Global Information Assurance Certification's GCIH course offers some of the broadest incident response coverage. The certification, based on the six-day SANS Institute SEC504: Hacker Tools, Techniques and Incident Handling course, has a reputation of providing actionable and useful real-world knowledge. It focuses on incident response from the attacker's perspective to help defenders understand how to best react.

SEC504 covers dynamic incident response, on-premises and cloud-defense strategies, and cybersecurity attack identification. The course includes hands-on exercises and labs with a variety of tools, such as Hashcat, Nmap, Legba and Metasploit, and closes with a capture-the-flag event. The course is available in person, live online and on demand. The course was updated in 2025 with advice and labs covering AI topics, such as how to use AI to help write incident response procedures and labs covering AI prompt-injection attacks.

The GCIH exam paired with the SANS training course can be costly. Test-takers could talk to their employers to allocate a training budget.

A viable alternative is the GIAC Certified Intrusion Analyst (GCIA) certification, based on the six-day SANS SEC503: Network Monitoring and Threat Detection In-Depth course. More network-focused and technical, the GCIA exam is considered more difficult than the GCIH exam.

Another related certification is GIAC Certified Forensic Analyst (GCFA), based on the six-day SANS FOR508: Advanced Incident Response, Threat Hunting and Digital Forensics course. GCFA is considered even more difficult than the GCIH exam.

GCIH covers the following six areas:

  1. Incident response and cyber investigations.
  2. Scanning and enumeration attacks.
  3. Password attacks and exploit frameworks.
  4. Web application attacks.
  5. Post-exploitation and AI attacks.
  6. Capture-the-flag event.

The four-hour, web-based proctored exam consists of 106 questions. Candidates must score 69% to pass. The GCIH practitioner exam costs $999 for the first attempt and $899 for retakes. The SEC504 course costs an additional $8,780 and can be completed in person or as a virtual, self-paced course with four months of access. Certificate renewal, which must be done every four years, costs $499. Practice exams are available for $399.

CREST Registered Intrusion Analyst (CRIA)

Council for Registered Ethical Security Testers (CREST), best known for its pen testing certifications, offers the CRIA incident response certification. This intermediate-level certificate provides candidates with a high level of incident response education and is a useful certificate for incident responders to aim for early in their careers.

The exam tests candidates on their knowledge and skills of network and host intrusions and reverse-engineering malware, with modules that include the following:

  • Incident chronology, including timestamp analysis.
  • Record keeping, interim reporting and final results.
  • IP protocols, including application layer protocols and how they're used by malware.
  • Common classes of tools, including intrusion analysis and reverse-engineering tools.
  • Host analysis techniques.
  • Beaconing.
  • Command-and-control channels and exfiltration of data.
  • Data sources and network log sources, such as proxy, firewall and VPN logs.
  • Windows and application file system essentials and structures.
  • Behavioral analysis.

To take the CRIA exam, candidates must obtain the entry-level CREST Practitioner Intrusion Analyst certification and have three years or 6,000 hours of relevant professional experience.

The 2.5-hour exam consists of 150 multiple-choice, open-book questions and a practical assessment. Candidates must take the exam at a CREST exam center, and achieve a score of at least 60% to pass. Pricing varies by location. In the U.K., the exam costs £600.

CompTIA Cybersecurity Analyst (CySA+)

CompTIA has a good reputation, and its certifications can enhance employability. The intermediate-level CySA+ enables incident responders to demonstrate knowledge of interpreting logs to discern whether security incidents represent real threats, and it ensures a fundamental understanding of network and cybersecurity principles. CompTIA updated the exam in 2024 to include cloud technologies and web applications, and it is next due for a refresh in 2026.

CySA+ helps ensure candidates have the skills to detect malicious incidents, understand threat intelligence and threat management, respond to cybersecurity incidents, conduct incident response activities and create post-incident reports.

The exam is split into the following four domains:

  1. Security operations (33%). Candidates demonstrate knowledge of system and network architecture, such as logs, file structures, system processes, cloud vs. hybrid vs. on-premises architecture, zero trust, encryption, data protection, and identity and access management.
  2. Vulnerability management (30%). Candidates implement vulnerability management for asset discovery, critical infrastructure and industry frameworks. For a given scenario, they need to handle scanning methods, analyze output from different tools, determine vulnerability prioritization and recommend how to mitigate different exploits.
  3. Incident response and management (20%). Candidates demonstrate knowledge of attack methodology frameworks, such as cyber kill chains, MITRE ATT&CK and OWASP. Candidates receive a scenario and perform incident response, explaining how to handle the incident management lifecycle.
  4. Reporting and communication (17%). Candidates cover how to create an incident response report and communicate an event to legal counsel, customers, media and law enforcement.

CompTIA recommends candidates have four years of professional incident response or security operations center (SOC) analyst experience, as well as Network+ or Security+ certification.

The CySA+ exam, which can be taken online or in person, consists of up to 85 multiple-choice and performance-based questions. Candidates have 165 minutes to complete the exam and must score at least 750 out of 900 to pass. The exam costs $425, or $474 with a retake included. Access to training labs is available for between $169 and $610, depending on the level of content needed.

To renew, certification holders must earn 60 continuing education units every three years.

OffSec OSDA

The Offensive Security OSDA, obtained via the SOC-200 Security Operations and Defensive Analysis course, covers incident response and other skills integral to working in a SOC. The course is appropriate for someone with up to two years' experience as an incident responder or SOC analyst, but it might be too basic for those with more experience. It covers the following modules:

  • Foundations of SOC operations.
  • Threat detection and analysis.
  • Vulnerability and risk management.
  • Endpoint and network defense.
  • Access control and privilege management.

The course is delivered via videos, labs and exercises. It costs $1,749 for three months of lab access and a single exam attempt or $2,199 for 12 months of access and two exam attempts. The exam is a proctored 24-hour, lab-based assessment, consisting of 10 phases with multiple attacker actions that must be detected, understood and documented. The exam is known to be grueling, with some candidates awake for the entire 24-hour period.

Additional security certifications for incident responders

A variety of cybersecurity certifications that are not specific to incident response can help cybersecurity professionals along their career path, including the following:

  • ISC2 Certified Information Systems Security Professional (CISSP).
  • ISACA Certified Information Security Manager (CISM).
  • ISACA Certified Information Systems Auditor (CISA).

Editor's note: This article was updated in 2026 to revise exam details and to improve the reader experience.

Rob Shapland is an ethical hacker specializing in cloud security, social engineering and cybersecurity training for companies worldwide.
