
100+ Free ECIH Practice Questions

Pass your Certified Incident Handler (ECIH v3) exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: ECIH Exam

  • Exam Questions: 100 (source: EC-Council)
  • Passing Score: 70% (source: EC-Council)
  • Exam Duration: 3 hours (source: EC-Council)
  • Exam Fee: $450 (source: EC-Council)
  • Content Domains: 5 (ECIH v3)
  • Certification Validity: 3 years (ECE required)

The ECIH exam has 100 multiple-choice questions in 3 hours with a 70% passing score. It covers incident response lifecycle (25%), malware analysis (20%), digital forensics (25%), threat intelligence (15%), and cloud IR (15%). ECIH v3 includes expanded coverage of cloud incident response, threat hunting, and SOAR automation.

Sample ECIH Practice Questions

Try these sample questions to test your ECIH exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What is the first phase of the incident response lifecycle as defined by NIST SP 800-61?
   A. Detection and Analysis
   B. Preparation
   C. Containment, Eradication, and Recovery
   D. Post-Incident Activity
   Explanation: The NIST SP 800-61 incident response lifecycle begins with the Preparation phase, which involves establishing the incident response capability, creating policies and procedures, setting up communication channels, deploying monitoring tools, and training the incident response team. Without adequate preparation, organizations cannot effectively detect or respond to security incidents.

2. Which type of malware replicates itself across networks without requiring user interaction?
   A. Trojan horse
   B. Worm
   C. Adware
   D. Ransomware
   Explanation: Worms are self-replicating malware that spread across networks autonomously without requiring user action such as opening a file or clicking a link. They exploit network vulnerabilities, email systems, or shared resources to propagate. Notable examples include WannaCry and Conficker. Unlike viruses, worms do not need to attach themselves to a host program to spread.

3. What is the primary purpose of a SIEM (Security Information and Event Management) system in incident response?
   A. To block malicious traffic at the network perimeter
   B. To aggregate, correlate, and analyze security events from multiple sources for threat detection
   C. To encrypt sensitive data at rest and in transit
   D. To perform vulnerability scanning on network assets
   Explanation: A SIEM system collects and normalizes log data from diverse sources (firewalls, IDS/IPS, servers, endpoints, applications), correlates events using rules and analytics, and generates alerts for potential security incidents. This centralized visibility enables incident handlers to detect threats that would be invisible when examining individual log sources in isolation, and provides the forensic data needed for investigation.

4. During incident triage, what is the primary goal?
   A. Complete eradication of the threat
   B. Determining the scope, impact, and priority of the incident for resource allocation
   C. Collecting forensic evidence for legal proceedings
   D. Restoring all affected systems to production
   Explanation: Incident triage is the process of quickly assessing an alert or reported event to determine whether it is a true security incident, its severity, scope of impact, and priority level. This assessment guides resource allocation decisions, ensuring that critical incidents receive immediate attention while lower-priority events are queued appropriately. Triage prevents response teams from being overwhelmed by false positives.

5. Which email header field is most useful for tracing the origin of a phishing email?
   A. Subject
   B. Received headers (trace route from origin to destination)
   C. Content-Type
   D. MIME-Version
   Explanation: The Received headers in an email trace the path from the originating mail server to the recipient's server, with each mail transfer agent (MTA) adding its own Received header. By analyzing these headers from bottom to top, an incident handler can identify the true origin IP address, detect spoofed sender addresses, and determine which mail servers processed the message. This is essential for phishing investigation and attribution.

6. What is the chain of custody in digital forensics?
   A. The encryption method used to protect evidence during storage
   B. A documented record of who handled evidence, when, and what actions were performed to maintain its integrity
   C. The hierarchical reporting structure of the incident response team
   D. The sequence of tools used during forensic analysis
   Explanation: The chain of custody is a chronological documentation trail that records every person who handled the evidence, timestamps of transfers, the purpose of each access, and any changes made. Maintaining an unbroken chain of custody is critical for ensuring evidence admissibility in legal proceedings and demonstrating that evidence has not been tampered with or contaminated.

7. Which containment strategy involves isolating an affected system while keeping it powered on to preserve volatile evidence?
   A. Long-term containment
   B. Short-term containment with network isolation
   C. Full system shutdown and reimaging
   D. Evidence destruction
   Explanation: Short-term containment with network isolation disconnects the affected system from the network (by disabling the NIC, changing VLAN, or adjusting firewall rules) while keeping it running. This prevents the threat from spreading to other systems while preserving volatile evidence in memory such as running processes, network connections, logged-in users, and malware artifacts that would be lost if the system were powered off.

8. What type of malware analysis examines the binary without executing it?
   A. Dynamic analysis
   B. Static analysis
   C. Behavioral analysis
   D. Runtime analysis
   Explanation: Static analysis examines malware binaries without executing them, using techniques such as string extraction, disassembly (IDA Pro, Ghidra), PE header analysis, import table examination, and signature matching. It is safer than dynamic analysis because the malware never runs, but may be hindered by obfuscation, packing, or encryption. Static analysis typically precedes dynamic analysis in a malware investigation workflow.

9. What is the purpose of a threat intelligence platform (TIP) in incident response?
   A. To block all incoming network traffic during an incident
   B. To aggregate, enrich, and operationalize threat intelligence from multiple sources for proactive and reactive defense
   C. To replace the need for a SOC team
   D. To automatically patch all vulnerabilities in the environment
   Explanation: A Threat Intelligence Platform (TIP) collects, normalizes, enriches, and distributes threat intelligence from multiple feeds (OSINT, commercial, ISACs, internal). It correlates indicators of compromise (IOCs) with internal telemetry, prioritizes threats relevant to the organization, and integrates with SIEM, SOAR, and EDR tools. During incidents, TIPs help analysts quickly assess whether observed IOCs match known threat actor campaigns.

10. Which network forensics tool captures and analyzes full packet data on a network segment?
   A. Nessus
   B. Wireshark
   C. Nmap
   D. Metasploit
   Explanation: Wireshark is a network protocol analyzer that captures full packet data in real time and provides deep inspection of hundreds of protocols. In incident response, it is used to analyze network traffic for malicious communication, data exfiltration, lateral movement, and command-and-control channels. Wireshark supports packet filtering, TCP stream reconstruction, and export of captured objects for further analysis.
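Question 5 describes reading Received headers from the bottom up to find where a message entered the mail system. The following added example (not part of the original page) does that over a constructed message: it walks the Received headers in travel order and reports the connecting IP recorded by the first receiving MTA. All hostnames and addresses are placeholders from documentation ranges, not real infrastructure.

```python
"""Trace a message's path through its Received headers (added example)."""
import re
from email import message_from_string

# Constructed sample message; hosts and IPs are placeholders, not real systems.
SAMPLE_EMAIL = """\
Received: from mx2.example-corp.test (mx2.example-corp.test [203.0.113.10])
 by mail.example-corp.test with ESMTP id abc123; Mon, 3 Mar 2025 10:02:11 +0000
Received: from relay.isp-example.test (relay.isp-example.test [198.51.100.25])
 by mx2.example-corp.test with ESMTPS id def456; Mon, 3 Mar 2025 10:02:09 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
 by relay.isp-example.test with SMTP id ghi789; Mon, 3 Mar 2025 10:01:58 +0000
From: "IT Support" <support@example-corp.test>
To: victim@example-corp.test
Subject: Password expiry notice

Please log in to keep your account.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return hops in travel order (origin first) as (connecting_ip, receiving_host)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each MTA prepends its own header, so the LAST Received header is the earliest hop.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        match = re.search(r"from\s+(.*?)\s+by\s+(\S+)", text)
        if not match:
            continue  # malformed or non-standard header; skip rather than guess
        ip_match = IP_RE.search(match.group(1))
        hops.append((ip_match.group(1) if ip_match else None, match.group(2)))
    return hops


def origin_ip(raw_message):
    """Connecting IP logged by the first MTA that handled the message (likely true origin)."""
    hops = parse_hops(raw_message)
    return hops[0][0] if hops else None


if __name__ == "__main__":
    for n, (ip, host) in enumerate(parse_hops(SAMPLE_EMAIL), 1):
        print(f"hop {n}: {ip} -> {host}")
    print("origin:", origin_ip(SAMPLE_EMAIL))
```

Only the header added by your own (trusted) MTA is guaranteed honest; hops below it can be forged by the sender, so treat earlier entries as claims to be corroborated with the first trusted hop's connecting IP.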

About the ECIH Exam

The Certified Incident Handler (ECIH v3) validates skills in incident response lifecycle management, malware analysis, digital forensics, cloud incident response, threat intelligence, and SIEM/SOAR operations. ECIH prepares professionals to detect, contain, eradicate, and recover from security incidents across on-premises and cloud environments.

  • Questions: 100 scored questions
  • Time Limit: 3 hours
  • Passing Score: 70%
  • Exam Fee: $450 exam voucher (EC-Council / Pearson VUE)

ECIH Exam Content Outline

  • Incident Response Lifecycle (25%): NIST IR phases, preparation, detection, containment, eradication, recovery, lessons learned, playbooks, and CSIRT operations
  • Malware Analysis (20%): Static and dynamic analysis, sandboxing, persistence mechanisms, fileless malware, ransomware, packing, and YARA rules
  • Digital Forensics (25%): Evidence handling, chain of custody, memory forensics, email forensics, Windows artifacts, log analysis, and insider threats
  • Threat Intelligence (15%): STIX/TAXII, MITRE ATT&CK, Cyber Kill Chain, Diamond Model, Sigma rules, SIEM, SOAR, and threat hunting
  • Cloud Incident Response (15%): AWS CloudTrail, Azure Activity Logs, GCP Audit Logs, shared responsibility model, cloud forensics, and container IR

How to Pass the ECIH Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 100 questions
  • Time limit: 3 hours
  • Exam fee: $450 (exam voucher)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ECIH Study Tips from Top Performers

  1. Memorize the NIST SP 800-61 incident response lifecycle phases — they form the backbone of the exam
  2. Understand the difference between IOCs and IOAs and when each is most useful
  3. Learn the order of volatility for evidence collection — RAM first, then disk
  4. Master Windows event log IDs: 4624 (logon), 4625 (failed logon), 4688 (process creation), 4768/4769 (Kerberos)
  5. Study STIX/TAXII standards and the Diamond Model — they appear frequently on the exam
  6. Know the Cyber Kill Chain stages and how to disrupt each one
  7. Practice identifying malware persistence mechanisms: Run keys, scheduled tasks, WMI event subscriptions
  8. Study cloud-specific logging: CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
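Tip 4's event IDs are most useful when correlated rather than read one at a time. The following added example (not from the original page) runs a simple detection over constructed Security-log records: a burst of failed logons (4625) from one source address for one account, followed by a successful logon (4624) for that same account from the same address. The records, the 5-failures-in-120-seconds threshold and the field layout are assumptions made for the demo.

```python
"""Correlate 4625 -> 4624 for the same account and source (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (UTC time, EventID, TargetUserName, IpAddress). Not real telemetry.
SAMPLE_EVENTS = [
    ("2025-03-03T09:00:01", 4625, "j.doe", "192.0.2.50"),
    ("2025-03-03T09:00:03", 4625, "j.doe", "192.0.2.50"),
    ("2025-03-03T09:00:06", 4625, "j.doe", "192.0.2.50"),
    ("2025-03-03T09:00:09", 4625, "j.doe", "192.0.2.50"),
    ("2025-03-03T09:00:12", 4625, "j.doe", "192.0.2.50"),
    ("2025-03-03T09:00:20", 4624, "j.doe", "192.0.2.50"),   # success after the burst
    ("2025-03-03T09:05:00", 4625, "a.smith", "198.51.100.7"),  # a single typo, benign
    ("2025-03-03T09:10:00", 4624, "a.smith", "198.51.100.7"),
    ("2025-03-03T09:11:00", 4688, "j.doe", "-"),               # process creation, ignored here
]


def parse_events(records):
    """Convert ISO timestamps to datetime so events can be ordered and windowed."""
    return [(datetime.fromisoformat(ts), eid, user, ip) for ts, eid, user, ip in records]


def detect_brute_force_success(events, threshold=5, window=timedelta(seconds=120)):
    """Return (user, ip, success_time) for each 4624 preceded, within `window`,
    by at least `threshold` 4625 events for the same (user, ip) pair."""
    failures = defaultdict(list)   # (user, ip) -> timestamps of recent 4625s
    findings = []
    for ts, eid, user, ip in sorted(events):   # process in chronological order
        key = (user, ip)
        if eid == 4625:
            failures[key].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append((user, ip, ts))
            failures[key].clear()   # a success ends the current attempt sequence
    return findings


def run_demo():
    """Apply the detection to the constructed sample; returns the list of findings."""
    return detect_brute_force_success(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for user, ip, when in run_demo():
        print(f"ALERT {when.isoformat()}: {user} logged on from {ip} after repeated failures")
```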

Frequently Asked Questions

What is the ECIH exam format?

The ECIH exam consists of 100 multiple-choice questions to be completed in 3 hours. The passing score is 70%. Questions cover the complete incident response lifecycle including preparation, detection, containment, eradication, recovery, and post-incident activities.

How much does the ECIH certification cost?

The ECIH exam voucher costs approximately $450. Training packages are available from EC-Council at various price points. Self-study candidates may need to submit an eligibility application with an application fee.

What is the difference between ECIH and CEH?

CEH focuses on offensive security (ethical hacking, penetration testing) while ECIH focuses on defensive security (incident response, forensics, threat intelligence). They are complementary certifications — CEH helps understand how attacks work, and ECIH teaches how to detect and respond to them.

Does ECIH cover cloud incident response?

Yes, ECIH v3 includes significant coverage of cloud incident response, including AWS CloudTrail analysis, Azure Activity Logs, GCP Audit Logs, the shared responsibility model, cloud forensics techniques, and container security incident handling.

What jobs can I get with an ECIH certification?

ECIH certification prepares you for roles including Incident Response Analyst, SOC Analyst, Threat Hunter, Digital Forensics Analyst, CSIRT Member, Security Operations Engineer, and Cybersecurity Incident Manager.