5-Day Instructor-Led Programme
The XCIR Certification Programme is the practitioner standard for incident responders who need to contain, eradicate, and recover from cyber incidents across enterprise environments while meeting regulatory notification obligations. Assessed on Day 6 through a supervised live incident response scenario — no multiple choice, no exam, no certprep guide.
Duration: 5 Days
Price: $4,995
A cyber incident does not wait. When the call comes at 2am, the incident responder who has only passed a multiple choice test is dangerous. XCIR is built for professionals who need to perform under pressure — containing the attacker, preserving evidence, communicating with leadership, and meeting the regulatory notification timelines that NIS2 and DORA now mandate.
Across six instructor-led days, participants build capability across the complete IR lifecycle: preparation and planning, detection and scoping, containment strategy, evidence preservation, eradication, recovery, and post-incident activities. Sessions cover Windows and Linux IR, Active Directory compromise response, cloud IR across AWS and Azure, ransomware playbooks, insider threat response, and regulatory notification workflows aligned to NIS2 Article 23, DORA Article 17, and UK GDPR Article 33.
On Day 6, participants manage a live simulated incident from initial detection through containment, eradication, recovery, and final incident report. The senior practitioner observes decision-making, technical execution, communication, and regulatory compliance. The XCIR certificate and Practitioner Assessment Report are issued together. Aligned with NIST SP 800-61, ISO 27035, CISA IR Playbooks, NIS2, DORA, and UK GDPR.
Live IR scenario exercises covering Windows triage, AD compromise response, cloud IR (AWS/Azure), ransomware containment, evidence preservation, and regulatory notification decision-making under time pressure.
Mentor-led sessions covering real incident decision-making, regulatory notification workflows, stakeholder communication during active incidents, and IR playbook construction from lessons learned.
Lead structured incident response engagements from detection through recovery, maintain regulatory notification compliance, and produce professional post-incident reports that satisfy legal and regulatory requirements.
Lead structured incident response engagements from initial detection through containment, eradication, recovery, and post-incident review
Execute Windows and Linux live response, Active Directory compromise triage, and cloud incident response across AWS and Azure
Manage ransomware response scenarios including blast radius scoping, backup integrity, regulatory notification, and recovery sequencing
Meet regulatory notification obligations under NIS2 Article 23, DORA Article 17, and UK GDPR Article 33 during live incidents
Preserve legally sound evidence during active IR while balancing speed of containment with forensic integrity requirements
Produce professional post-incident reports with root cause analysis, timeline reconstruction, and actionable recommendations
Minimum 12 months in a SOC, security operations, or IT infrastructure role with exposure to security incidents
Basic understanding of Windows and Linux operating systems, networking, and Active Directory
Familiarity with at least one security monitoring tool: SIEM, EDR, or log analysis
Choose the learning format that works best for you and your team
Instructor-Led Training
Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
Price per person
Group enrolments and early planning options available.
All prices are exclusive of VAT where applicable. Group enrolments and custom packages available on request.
Not everyone learns best in a group. If you want focused guidance, faster clarity, and confidence you can use on the job, our 1-to-1 Fast-Track Training gives you private, mentor-led support tailored to your experience and goals.
"Many learners choose 1-to-1 when they want understanding, not memorisation."
Credential
On successful completion of Xcademia Cyber Incident Response Practitioner, learners receive an Xcademia Certificate of Completion. This standalone certificate is issued directly by Xcademia and recognised by employers across the UK defence and security sector.
Everything you need to know about the certification exams
You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.
Everything you need to know about this course
GCIH is a 6-day course followed by a 5-hour open-book exam. The total cost is approximately $9,779. XCIR is 6 instructor-led days ending in a supervised live incident response scenario on Day 6 — not an open-book exam but an observed real-time response engagement. The Practitioner Assessment Report documents your incident management decisions, regulatory compliance, and technical execution. Less than half the GCIH price.