EC-Council Certification

EC-Council Certified Incident Handler (ECIH / E|CIH) Practice Test

Prepare for the EC-Council Certified Incident Handler exam with free practice tests covering incident response, first response, malware incidents, email security incidents, network incidents, application incidents, cloud incidents, insider threats, and endpoint incidents. Each 20-question test uses a proportional timer based on the official ECIH exam pace of 1.8 minutes per question.

14Practice Tests
280Total Questions
9Domains Covered
100%Free Forever

Domain Wise — ECIH Mock Tests

Target one ECIH incident response objective at a time with focused mock tests. Each domain-wise test contains 20 questions mapped to the official EC-Council Certified Incident Handler blueprint.

D1
Incident Response and Handling Process
Information security incidents, incident management, SOAR concepts, incident handling standards, legal considerations, preparation, triage, notification, containment, eradication, recovery, and post-incident activities
11% Exam Weight Start Test →
D2
First Response
First responder roles, securing and documenting the crime scene, collecting evidence, preserving evidence, packaging evidence, transporting evidence, and maintaining evidence integrity
11% Exam Weight Start Test →
D3
Malware Incidents
Preparation for malware incidents, detection, containment, eradication, recovery, malware analysis concepts, evidence handling, and guidelines for preventing future malware incidents
11% Exam Weight Start Test →
D4
Email Security Incidents
Email threat types, phishing response, preparation, detection, containment, eradication, recovery, message analysis, header review, user notification, and email security best practices
12% Exam Weight Start Test →
D5
Network Level Incidents
Network incident preparation, detection and validation, unauthorized access, inappropriate usage, denial-of-service incidents, wireless network incidents, containment, and recovery
12% Exam Weight Start Test →
D6
Application Level Incidents
Web application incident preparation, detection, analysis, containment, eradication, recovery, application log review, web application security best practices, and remediation planning
11% Exam Weight Start Test →
D7
Cloud Security Incidents
Cloud incident handling challenges, cloud security incident response, Azure incident handling, AWS incident handling, Google Cloud incident handling, shared responsibility, and cloud response best practices
10% Exam Weight Start Test →
D8
Insider Threats
Types of insider threats, preparation steps, detection, containment, eradication, recovery, user behavior analysis, access abuse indicators, and insider threat response best practices
11% Exam Weight Start Test →
D9
Endpoint Security Incidents
Endpoint incident response, preparation, detection, validation, mobile-based incidents, IoT-based incidents, OT-based incidents, containment, eradication, recovery, and endpoint security best practices
11% Exam Weight Start Test →

About the ECIH Certification Exam

The EC-Council Certified Incident Handler certification validates the knowledge and skills needed to prepare for, detect, analyze, contain, eradicate, recover from, and document cybersecurity incidents.

What Is the ECIH?

The EC-Council Certified Incident Handler (ECIH / E|CIH) is an incident handling and response certification designed for cybersecurity professionals who need a structured approach to managing security incidents. It covers planning, incident recording, triage, notification, containment, evidence gathering, forensic analysis, eradication, recovery, and post-incident improvement.

ECIH is designed for incident handlers, incident responders, SOC analysts, CSIRT members, digital forensic analysts, cybersecurity analysts, security engineers, network defenders, IT administrators, and security operations professionals who handle cyber incidents in enterprise environments.

ECIH skills support roles such as incident responder, SOC analyst, CSIRT analyst, cyber defense incident responder, digital forensic analyst, malware response analyst, security operations engineer, and incident response coordinator. In the broader U.S. cybersecurity market, information security analysts earned a median annual wage of $124,910 in May 2024.

Exam Format (2026)

Exam name: EC-Council Certified Incident Handler (ECIH / E|CIH).

Exam code: 212-89.

Testing method: EC-Council Exam Portal.

Questions: 100 multiple-choice questions.

Duration: 3 hours.

Question types: Multiple-choice questions focused on incident handling, first response, malware, email incidents, network incidents, application incidents, cloud incidents, insider threats, and endpoint incidents.

Passing score: EC-Council cut scores vary by exam form and can range from 60% to 85%.

Exam fee: ECIH certification cost varies by delivery mode, region, learning path, and training provider. Confirm the current price with EC-Council or an authorized training partner before purchase.

Eligibility Requirements

Recommended experience: EC-Council states that ECIH is designed for mid-level to senior-level cybersecurity professionals with at least 1 year of experience in the cybersecurity domain.

Recommended background: Candidates should understand cybersecurity fundamentals, incident response concepts, information security incidents, malware, email threats, network security, web application security, cloud security, endpoint protection, and forensic readiness.

Training path: Candidates commonly prepare through EC-Council’s ECIH program using in-person training, self-study, or live online delivery.

Hands-on readiness: The ECIH program includes labs, incident response tools, playbooks, runbooks, templates, and scenario-based incident handling exercises.

Ethical requirement: ECIH preparation should be performed only in authorized labs, training ranges, owned environments, or systems where monitoring and incident response permission exists.

ECIH Domain Weights — Official Exam Blueprint v2

The ECIH exam blueprint contains 9 domains. Email Security Incidents and Network Level Incidents each carry 12%, while the other major incident response domains range from 10% to 11%.

DomainObjective AreaWeight
Domain 1Incident Response and Handling Process11%
Domain 2First Response11%
Domain 3Malware Incidents11%
Domain 4Email Security Incidents12%
Domain 5Network Level Incidents12%
Domain 6Application Level Incidents11%
Domain 7Cloud Security Incidents10%
Domain 8Insider Threats11%
Domain 9Endpoint Security Incidents11%

How Our Practice Tests Are Designed

Official blueprint alignment — The mixed and domain-wise tests follow the ECIH Exam Blueprint v2 domains: Incident Response and Handling Process, First Response, Malware Incidents, Email Security Incidents, Network Level Incidents, Application Level Incidents, Cloud Security Incidents, Insider Threats, and Endpoint Security Incidents.

Incident-handler scenario style — Questions focus on practical response decisions such as incident triage, containment, evidence gathering, malware response, phishing response, network incident validation, cloud incident handling, insider threat detection, and endpoint incident response.

Proportional timer — The real ECIH exam has 100 questions in 3 hours, or 1.8 minutes per question. Each 20-question practice test is timed at approximately 36 minutes to match the real exam pace.

Domain-specific improvement — Use mixed sets to measure overall readiness, then use domain-wise tests to target weak areas. For example, repeated misses in Email Security Incidents, Network Level Incidents, or Endpoint Security Incidents should guide your next study session.

ECIH Exam Preparation Tips

Study Strategy

Master the incident lifecycle: Learn the full response process from preparation and incident recording through triage, notification, containment, evidence gathering, eradication, recovery, and post-incident activity.

Study incident types separately: Malware, email, network, application, cloud, insider, and endpoint incidents require different evidence sources, containment decisions, and recovery steps.

Practice first response discipline: First responder decisions affect evidence integrity. Review crime scene documentation, evidence collection, preservation, packaging, transportation, and chain of custody.

Connect response to prevention: For every incident type, learn the follow-up controls that reduce recurrence, such as improved monitoring, patching, user awareness, access control, logging, segmentation, and playbook updates.

Test-Taking Strategy

Read for the response stage: Identify whether the question is about preparation, detection, triage, containment, eradication, recovery, forensics, communication, or lessons learned before selecting an answer.

Choose evidence-safe actions: Prefer answers that preserve logs, collect evidence correctly, minimize damage, document actions, and maintain legal and organizational requirements.

Manage the timer: The real exam pace is 1.8 minutes per question. These practice tests give about 36 minutes for 20 questions so you can read incident scenarios carefully.

Eliminate weak responses: Remove answers that skip containment, destroy evidence, fail to notify stakeholders, ignore scope, or move to recovery before the incident is understood.

Frequently Asked Questions

How many questions are on the real ECIH exam?+
The EC-Council Certified Incident Handler exam contains 100 multiple-choice questions.
How long is the ECIH exam?+
The ECIH exam duration is 3 hours. That equals 1.8 minutes per question, so each 20-question practice test on this page is timed at approximately 36 minutes.
What is the passing score for ECIH?+
EC-Council cut scores vary by exam form and can range from 60% to 85%. The exact cut score depends on the specific exam form delivered.
Are these ECIH practice tests free?+
Yes. All EC-Council ECIH practice tests on Security Practice Test are free, and a free PDF is available for offline review and focused revision.
How are mixed set questions distributed across domains?+
Mixed ECIH practice tests follow the official blueprint weights: Incident Response and Handling Process 11%, First Response 11%, Malware Incidents 11%, Email Security Incidents 12%, Network Level Incidents 12%, Application Level Incidents 11%, Cloud Security Incidents 10%, Insider Threats 11%, and Endpoint Security Incidents 11%.
What does the ECIH exam cover?+
The ECIH exam covers incident response process, first response, malware incidents, email security incidents, network level incidents, application level incidents, cloud security incidents, insider threats, and endpoint security incidents.
What experience is recommended before ECIH?+
EC-Council states that ECIH is designed for mid-level to senior-level cybersecurity professionals with at least 1 year of cybersecurity experience.
What is the ECIH exam code?+
The EC-Council Certified Incident Handler exam code is 212-89.
How much does ECIH cost?+
ECIH certification cost varies by program delivery mode, region, training bundle, and provider. Confirm the current price with EC-Council or an authorized training partner before purchase.

Ready to Test Your ECIH Knowledge?

Start with a mixed ECIH practice test to measure your readiness, then use the domain-wise tests to strengthen weak incident response areas before exam day.

Start ECIH Practice Test 1 →

Authors

  • Security Practice Test Editorial Team

    Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.

  • Sudhanshu Thakur - Reviewer

    Enterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.