The Certification Process
- Obtain a voucher
Whether you are attempting the eCIR certification exam on your own or after having attended one of our approved training courses, you will need to obtain a voucher before you can start your certification process.
Once you obtain the voucher you will receive login credentials to our Certification area where you will manage the exam, the VPN credentials and anything related to the certification process from the beginning up to the delivery of your certificate.
- Begin the certification process
Regular vouchers expire after 180 days from purchase.
Infinity vouchers do not expire.
Before the certification expires, you will have to begin the certification process by clicking on "Begin certification process". The expiration date will always be available in your certification area and reminder emails are sent to make sure you take advantage of the voucher.
- Perform your tests
As soon as you click on the "Begin certification process" button you will receive an email with instructions regarding the scope of engagement.
This letter will contain exactly what you should test and how. At this point you will start your Incident Response activities utilizing the provided data, take note of your findings and document all the detection and analysis steps.
The exam network will always be available 24/7 for 2 days and dedicated to you.
At any time you will be the only one on the network and will be able to reset the scenario should you damage it during your tests.
You can also pause the lab and resume from where you left off by simply clicking Start/Stop buttons in the Certification area as you would do with any other Hera Lab scenario.
- Upload your report
Once you have comprehensively responded to all incidents, it's time to finalize documenting the detection and analysis steps.
Familiarity with reporting activities is assumed, so no commercial-grade report will be required during the eCIR examination process. You will be required to thoroughly document how you detected the attacker’s actions though, to prove your findings.
When ready and not after 4 days from the beginning of the certification process (step 2), you will upload your report in PDF format for review.
- Obtain your results
One of our instructors will carefully review your report. If your findings, and your Incident Response skills are deemed sufficient to pass the exam, you will be granted the eCIR certification.
Should you fail the first attempt, the instructor will provide you with valuable feedback. Armed with this information you will have a free retake to be used within 2 days to upload a new report.
The retake will commence the moment you view the instructor’s feedback, or automatically 14 days after it is received. During this period the exam lab network will be re-opened for further tests. In any case a new report should be uploaded no later than 4 days from the date the retake begins.
Once you pass the exam you will find the digital certificate immediately downloadable and verifiable.