What courses do I need for CIS-SIR?

Required courses: . Recommended: .

What is on the CIS-SIR exam?

The CIS-SIR exam covers 6 domains: Security Incident Response Overview and Data Visualization (15%), Security Incident Creation and Threat Intelligence (14%), Security Incident and Threat Intelligence Integrations (14%), Security Incident Response Management (15%), Risk Calculations and Post Incident Response (12%), Automation and Standard Processes (30%).

CIS-SIR Exam Preparation

Certified Implementation Specialist - Security Incident Response

Official Exam Page ↗Official Study Guide ↗Practice Questions (50+)

Exam Details

Questions

90 min

Duration

70%

Passing Score

$315

Exam Fee

Exam Blueprint

ServiceNow Official Exam Blueprint

Domain	Weight
Automation and Standard Processes • Automate Security Incident Response overview, security incident process automation using playbooks and runbooks, and User Reported Phishing	30%
Security Incident Response Overview and Data Visualization • Introducing Security Incident Response, data visualization, and Security Incident Response components	15%
Security Incident Response Management • Security Incident Response Workspace, standard automated assignment options, escalation paths, security tags, and process definitions	15%
Security Incident Creation and Threat Intelligence • Creating security incidents, major security incident management, understanding threat intelligence, and MITRE ATT&CK Framework	14%
Security Incident and Threat Intelligence Integrations • ServiceNow Store and Share, managing pre-built integrations, creating custom integrations, and Threat Intelligence Service Center	14%
Risk Calculations and Post Incident Response • Security incident calculator groups and risk scores, post incident reviews, and Event Management	12%

Study Plan

Focus on high-weight topics first for maximum impact. Topics are ordered by exam weight.

Automation and Standard Processes

30% weight

Configure playbooks, automated responses, and standard operating procedures to accelerate incident response.

Key Concepts to Master:

Security playbooksAutomated enrichmentResponse automationOrchestration actionsFlow Designer for SIR+3 more

Practice (10 questions)Learn Concepts

Security Incident Response Overview and Data Visualization

15% weight

Understand the Security Incident Response application architecture, data visualization capabilities, and how SIR fits within Security Operations.

Key Concepts to Master:

Security Incident Response architectureSecurity incident lifecycleSecurity Operations suite overviewData visualization and dashboardsObservables and indicators+3 more

Practice (9 questions)Learn Concepts

Security Incident Response Management

15% weight

Master the tools and processes for managing security incidents through investigation, containment, and resolution.

Key Concepts to Master:

Incident response phasesInvestigation workflowsContainment actionsTask managementAnalyst collaboration+3 more

Practice (8 questions)Learn Concepts

Security Incident Creation and Threat Intelligence

14% weight

Learn how security incidents are created, classified, and enriched with threat intelligence data.

Key Concepts to Master:

Manual incident creationAutomated incident creationThreat intelligence feedsSTIX/TAXII integrationObservable extraction+3 more

Practice (8 questions)Learn Concepts

Security Incident and Threat Intelligence Integrations

14% weight

Configure integrations with SIEM, SOAR, and threat intelligence platforms to enhance security incident response capabilities.

Key Concepts to Master:

SIEM integration (Splunk, QRadar, etc.)Endpoint detection integrationThreat intelligence platform integrationEmail security integrationNetwork security integration+3 more

Practice (8 questions)Learn Concepts

Risk Calculations and Post Incident Response

12% weight

Understand how security risks are calculated, reported, and how post-incident activities improve future response.

Key Concepts to Master:

Risk scoring methodologySeverity and impact calculationBusiness impact analysisPost-incident review processLessons learned documentation+3 more

Practice (7 questions)Learn Concepts

Required Courses

Official Now Learning courses that cover the exam content.

Course information coming soon. Visit the official exam page for the latest requirements.

Official Documentation

ServiceNow docs pages that map to the exam domains.

Documentation links coming soon. Visit docs.servicenow.com for the official documentation.

Prerequisites

•ServiceNow CSA certification
•Security Operations experience
•Understanding of security incident response

Ready to Practice?

Test your knowledge with 50+ practice questions

Start Practicing