INE’s Certified Threat Hunting Professional (eCTHP) Certification Exam Review – Passed (11/2025)

I passed the eCTHP exam on 11/22/2025. I am writing about my experience with the course and the exam because I have not seen many posts referencing this certification exam.

The Course: Threat Hunting Professional (New!)

The course’s instructor is Brian Olliff. It is divided into 6 domains: Introduction to Threat Hunting, Intelligence in Threat Hunting, Threat Hunting Strategies, Network Threat Hunting, and Threat Hunting Communications & Reporting. As of 11/2025, when I went through the course materials, only the first 5 domains were available, and the Threat Hunting Communications & Reporting domain is not available. The total runtime of the course videos is ~26 hours. The material is PowerPoint-heavy, but don’t get me wrong: since I don’t do a lot of threat hunting in my current role, I learned a lot from Brian. 26 hours is the perfect length, compared to 160+ hours, I think, for eCPPT. The course content is sufficient to pass the certification exam. Enough information was included on how to use Splunk, ELK, and Wireshark to perform threat hunting. The hands-on labs were also helpful to reinforce what was taught in the course.

The Certification Exam: Tips Included To Help You Pass The Exam

Looking at INE’s website, this is what they say about the exam:

They made it sound like there are no multiple-choice questions, but there are. There are 60 questions in total, and you have 10 hours to complete them. 40 are multiple-choice questions, and the remaining 20 are the hands-on part. For the multiple-choice questions, you can Google or use your favorite AI to answer them, but I don’t recommend doing so. The better way to do it is to download the slides, since the multiple-choice questions are based on them. Here’s a list of all the slides in PDF form:

For the most part, the multiple-choice questions didn’t require looking at the slides, but some were confusing, and I had to reference them. I strongly think that some questions will need to be reviewed for clarity.

The Certification Exam: Hands-on Part

After getting access to the course and the exam, and even before starting the course, one of the best preparations you can do is to go to the exam portion. I am using the Certified Incident Responder here as an example because I’ve already done the eCTHP and forgot to take screenshots. Go to your certifications, and hit the “Start Exam” button. Don’t worry, this will not start the exam.

Once you click “Start Exam,” you will be presented with another window where you will have to check a checkbox and click “Start Exam” again to actually begin the exam. As long as you do not check the box and click on the second “Start Exam,” your certification attempt will not start:

The reason I advise doing the above steps before starting the course is so you can access the “Letter of Engagement” document.

The Letter of Engagement will provide you with the information you need for the exam, particularly the hands-on part. It includes the tools and situations expected of you during the exam. You will know which part of the course to focus on, or if you are weak in an area, where you are expected to do some tasks during the exam.

Overall, I enjoyed the course and the exam. The exam was neither hard nor easy. It is challenging enough to force you to think and do research online. If you have done online challenges such as CyberDefenders, Security Blue Team, or TryHackMe, they provide asterisks in the answer field to help you with clues like how many characters are in the correct answer, or if there are special characters included in the answers. For the eCTHP exam, there’s no clue as to how many characters the correct answer has. This forces you to really be sure of your answer, and not to count the characters needed and match them with what you’ve found in the labs. I am saying this because I’ve done it in multiple challenge rooms. For example, if I see xxx.xx.xxx.x in the answer field, that helps me narrow down the possible answers by matching the IP address pattern. Again, for eCTHP, you don’t get that “pattern” assistance.

Good luck! I hope sharing my experience will help you pass the exam. But more than passing the exam, it is what you learn from the course materials that is the real gem; getting the certificate is just an additional reward.

Go, fellow soon-to-be certified Threat Hunters!!!!

Published by lightkunyagami


2 Comments

  1. Great write-up. I like that you really took time to jot down how the exam felt. While I’ll probably never take it, it is nice to know the details. Thank you!!
