100+ Free ECIH Practice Questions

Pass your Certified Incident Handler (ECIH v3) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
Pass Rate: Not published
100+ Questions
100% Free

2026 Statistics

Key Facts: ECIH Exam

  • Exam Questions: 100 (EC-Council)
  • Passing Score: 70% (EC-Council)
  • Exam Duration: 3 hours (EC-Council)
  • Exam Fee: $450 (EC-Council)
  • Content Domains: 5 (ECIH v3)
  • Certification Validity: 3 years (ECE required)

The ECIH exam has 100 multiple-choice questions in 3 hours with a 70% passing score. It covers incident response lifecycle (25%), malware analysis (20%), digital forensics (25%), threat intelligence (15%), and cloud IR (15%). ECIH v3 includes expanded coverage of cloud incident response, threat hunting, and SOAR automation.

About the ECIH Exam

The Certified Incident Handler (ECIH v3) validates skills in incident response lifecycle management, malware analysis, digital forensics, cloud incident response, threat intelligence, and SIEM/SOAR operations. ECIH prepares professionals to detect, contain, eradicate, and recover from security incidents across on-premises and cloud environments.

  • Questions: 100 scored questions
  • Time Limit: 3 hours
  • Passing Score: 70%
  • Exam Fee: $450 (exam voucher) (EC-Council / Pearson VUE)

ECIH Exam Content Outline

  • Incident Response Lifecycle (25%): NIST IR phases, preparation, detection, containment, eradication, recovery, lessons learned, playbooks, and CSIRT operations
  • Malware Analysis (20%): Static and dynamic analysis, sandboxing, persistence mechanisms, fileless malware, ransomware, packing, and YARA rules
  • Digital Forensics (25%): Evidence handling, chain of custody, memory forensics, email forensics, Windows artifacts, log analysis, and insider threats
  • Threat Intelligence (15%): STIX/TAXII, MITRE ATT&CK, Cyber Kill Chain, Diamond Model, Sigma rules, SIEM, SOAR, and threat hunting
  • Cloud Incident Response (15%): AWS CloudTrail, Azure Activity Logs, GCP Audit Logs, shared responsibility model, cloud forensics, and container IR

How to Pass the ECIH Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 100 questions
  • Time limit: 3 hours
  • Exam fee: $450 (exam voucher)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ECIH Study Tips from Top Performers

1. Memorize the NIST SP 800-61 incident response lifecycle phases — they form the backbone of the exam
2. Understand the difference between IOCs and IOAs and when each is most useful
3. Learn the order of volatility for evidence collection — RAM first, then disk
4. Master Windows event log IDs: 4624 (logon), 4625 (failed logon), 4688 (process creation), 4768/4769 (Kerberos)
5. Study STIX/TAXII standards and the Diamond Model — they appear frequently on the exam
6. Know the Cyber Kill Chain stages and how to disrupt each one
7. Practice identifying malware persistence mechanisms: Run keys, scheduled tasks, WMI event subscriptions
8. Study cloud-specific logging: CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)

Frequently Asked Questions

What is the ECIH exam format?

The ECIH exam consists of 100 multiple-choice questions to be completed in 3 hours. The passing score is 70%. Questions cover the complete incident response lifecycle including preparation, detection, containment, eradication, recovery, and post-incident activities.

How much does the ECIH certification cost?

The ECIH exam voucher costs approximately $450. Training packages are available from EC-Council at various price points. Self-study candidates may need to submit an eligibility application with an application fee.

What is the difference between ECIH and CEH?

CEH focuses on offensive security (ethical hacking, penetration testing) while ECIH focuses on defensive security (incident response, forensics, threat intelligence). They are complementary certifications — CEH helps understand how attacks work, and ECIH teaches how to detect and respond to them.

Does ECIH cover cloud incident response?

Yes, ECIH v3 includes significant coverage of cloud incident response, including AWS CloudTrail analysis, Azure Activity Logs, GCP Audit Logs, the shared responsibility model, cloud forensics techniques, and container security incident handling.

What jobs can I get with an ECIH certification?

ECIH certification prepares you for roles including Incident Response Analyst, SOC Analyst, Threat Hunter, Digital Forensics Analyst, CSIRT Member, Security Operations Engineer, and Cybersecurity Incident Manager.