How to pass CIS-SIR & CIS-VR in 2026
CIS-Security Incident Response and CIS-Vulnerability Response form ServiceNow's Security Operations track. This guide covers both exams: format, domain weights, study timelines, shared concepts, and the career value of becoming a certified SecOps specialist.
The SecOps track
Security Operations is one of ServiceNow's fastest-growing product lines. Organizations that already use ServiceNow for IT workflows are extending the same platform to their security teams. That creates demand for professionals who understand both the platform and security-specific configurations.
The SecOps track consists of two certifications: CIS-SIR (Security Incident Response) and CIS-VR (Vulnerability Response). They are complementary. SIR handles security incidents after they happen. VR handles vulnerabilities before they become incidents. Together, they cover the full lifecycle of security operations on the ServiceNow platform.
Both certifications require CIS-Data Foundations as a prerequisite. CIS-DF validates your knowledge of CMDB and CSDM, which are foundational to how SIR and VR track affected configuration items, map vulnerabilities to business services, and calculate risk scores. If you have not passed CIS-DF yet, start there. The CIS-DF mandate article explains why ServiceNow made it mandatory and what happens if you miss the deadline.
You do not need to take SIR before VR or VR before SIR. They are independent certifications with no ordering requirement between them. Many candidates choose to study for both within the same quarter because the domain overlap makes the second exam significantly easier after passing the first.
If you are still deciding which ServiceNow certification to pursue first, the which certification first guide walks through the decision framework. For a full picture of every available certification, see the 2026 certification path overview.
CIS-SIR overview
CIS-Security Incident Response tests your ability to configure and manage the Security Incident Response application in ServiceNow. The exam focuses on how security teams use the platform to detect, investigate, contain, and remediate security incidents.
The exam has 60 questions. You get 90 minutes. It costs $450 per attempt, with retakes at $225. The exam runs on the Pearson VUE platform, available at testing centers or proctored online through the OnVUE app.
Questions are multiple-choice. Some ask you to select one answer, others ask you to select two or three. Multi-select questions do not award partial credit. If a question asks for two correct answers and you get one right, the entire question scores zero.
The exam targets the Zurich release. Documentation for later releases may reference features or configurations that do not exist in Zurich, so always check the release selector on docs.servicenow.com before relying on any page.
What CIS-SIR covers
The SIR application is built for Security Operations Center (SOC) analysts and engineers. The exam tests your knowledge across these areas:
- Security incidents. Creation, categorization, assignment, escalation, and closure. How incidents flow through the lifecycle from detection to post-incident review.
- Playbooks. Automated and semi-automated response workflows. How playbooks trigger based on incident type, how they execute containment actions, and how they integrate with external tools.
- Threat intelligence. How ServiceNow ingests threat indicators from external feeds, how those indicators create sighting records, and how sightings connect to active incidents.
- MITRE ATT&CK framework. How ServiceNow maps security incidents to ATT&CK tactics and techniques. How this mapping informs investigation and response decisions.
- SOC workflows. The security operations workspace, analyst workbench, assignment rules for security teams, and SLA tracking for incident response timelines.
- Integrations. SIEM tool connections, email ingestion for phishing reports, enrichment from third-party sources, and containment actions that push commands to firewalls or endpoint tools.
The CSA certification covers general ServiceNow platform skills. CIS-SIR assumes you already have that foundation and tests security-specific application knowledge on top of it.
CIS-SIR domain weights
ServiceNow publishes domain weights for every CIS exam. These weights tell you exactly where to focus your study time. Ignoring them is the fastest way to fail.
| Domain | What it covers | Weight |
|---|---|---|
| Security Incident Management | Incident lifecycle, severity classification, assignment rules, post-incident reviews, major security incident workflows | 30% |
| Threat Intelligence | Threat feeds, indicators of compromise (IOCs), sighting records, observables, STIX/TAXII integration | 20% |
| Playbooks and Automation | Playbook design, automated response actions, containment workflows, orchestration integrations | 20% |
| Integrations and Data Sources | SIEM connections, email parsing, enrichment actions, third-party tool integrations, API-based ingestion | 18% |
| Reporting and Dashboards | SOC dashboards, mean time to detect/respond metrics, security posture reporting, Performance Analytics | 12% |
Security Incident Management at 30% is the highest-weighted domain. If you spend equal time on all five areas, you are under-preparing for the section that determines nearly a third of your score.
CIS-SIR 5-week study plan
This plan assumes 8 to 10 hours per week. If you have more time, compress it. If you have less, stretch to 7 weeks but do not skip the timed practice tests in week 5.
Study the SIR application architecture. Understand the security incident record, its fields, lifecycle states, and how it differs from a standard IT incident. Set up a Personal Developer Instance (PDI) with the Security Incident Response plugin activated. Create security incidents manually, assign severity levels, and walk through the full incident lifecycle from creation to closure. Read the official Zurich documentation on the security incident form and workspace.
Focus on how ServiceNow ingests threat intelligence. Study STIX and TAXII protocols, threat indicator records, sighting creation, and how observables link to security incidents. Understand how threat feeds connect to the platform and how analysts use sighting data to prioritize investigations. Practice configuring a threat source in your PDI. Study the MITRE ATT&CK integration and how tactics and techniques map to incidents.
Cover playbook design, triggers, actions, and approval gates. Study how playbooks automate containment (blocking IPs, disabling accounts, isolating endpoints) and how they integrate with external security tools through orchestration. Understand the difference between fully automated and analyst-approved playbook steps. Build a sample playbook in your PDI that triggers on a high-severity incident and executes a containment action.
Study SIEM integrations, email parsing for phishing reports, and enrichment actions that pull context from external sources. Cover the security operations workspace layout, analyst assignment rules, and SLA definitions for response timelines. Understand how SIR connects to the CMDB to identify affected configuration items and business services. Review the reporting and dashboard domain: SOC metrics, mean time to detect, mean time to respond, and security posture indicators.
Take full-length timed tests. 60 questions, 90 minutes, no pausing. After each test, review every wrong answer and identify which domain it falls under. If any domain scores below 70%, go back to that section of the documentation before your next attempt. Target 80% or higher on practice exams before booking the real exam. Stress reduces performance by 5 to 10 points on exam day.
CIS-VR overview
CIS-Vulnerability Response tests your ability to configure and manage the Vulnerability Response application in ServiceNow. While SIR focuses on what happens after a security event, VR focuses on identifying and remediating weaknesses before they get exploited.
The exam has 60 questions. You get 90 minutes. It costs $450 per attempt, with retakes at $225. Same as SIR, it runs on the Pearson VUE platform with testing center and online proctoring options.
The question format mirrors SIR: multiple-choice with single-select and multi-select questions. No partial credit on multi-select. All questions reference the Zurich release.
What CIS-VR covers
The VR application is built for vulnerability management teams. The exam tests your knowledge across these areas:
- Vulnerability groups. How scanner data creates vulnerability items, how those items get grouped by CI or business service, and how grouping drives remediation efficiency.
- Remediation tasks. Task creation, assignment to IT teams, tracking through resolution, and verification that patches were applied successfully.
- Scanner integrations. How ServiceNow connects to Qualys, Tenable, Rapid7, and other scanners. Third-party entry rules, data transformation, and scheduling.
- Risk scoring. How VR calculates risk using CVSS base scores combined with business context from the CMDB. How environmental and temporal CVSS scores modify the base calculation.
- Exception management. When vulnerabilities cannot be patched, how exception requests work, approval workflows, expiration dates, and re-assessment triggers.
- Compliance and reporting. Vulnerability age tracking, SLA compliance for remediation timelines, executive dashboards, and trend reporting.
If you are curious about the full cost breakdown for CIS exams, the certification cost guide covers every ServiceNow exam fee, retake policy, and available discounts.
CIS-VR domain weights
| Domain | What it covers | Weight |
|---|---|---|
| Vulnerability Management | Vulnerability items, groups, lifecycle states, assignment rules, approval workflows | 28% |
| Remediation | Remediation tasks, patching workflows, verification, bulk remediation, change request integration | 22% |
| Scanner Integration | Third-party scanner connections, import rules, data mapping, scheduling, deduplication | 20% |
| Risk Scoring and Prioritization | CVSS scoring, business criticality weighting, vulnerability calculators, risk-based prioritization | 18% |
| Reporting and Compliance | Dashboards, vulnerability age reports, SLA tracking, exception management, executive reporting | 12% |
Vulnerability Management at 28% is the largest domain. Combined with Remediation at 22%, the top two domains account for half of your exam score. If you understand how vulnerabilities flow through the system and how remediation tasks get created and tracked, you have a strong foundation for the rest.
CIS-VR 4-week study plan
This plan assumes 8 to 10 hours per week. If you already passed CIS-SIR, you can likely compress weeks 1 and 3 because the shared concepts carry over. See the shared concepts section for what overlaps.
Study the VR application architecture. Understand vulnerability items, vulnerability groups, third-party entry rules, and how scanner data flows into ServiceNow. Activate the Vulnerability Response plugin in your PDI. Create vulnerability records manually and study how grouping works by CI, by business service, and by vulnerability identifier. Read the Zurich documentation on VR setup and configuration.
Focus on remediation task workflows. Study how tasks get created from vulnerability groups, how they assign to IT teams, and how verification confirms that patches were applied. Cover CVSS scoring in detail: base, temporal, and environmental scores. Understand how ServiceNow combines CVSS data with CMDB business criticality to calculate a final risk score. Study exception management, including approval workflows and expiration rules.
Cover how ServiceNow connects to major vulnerability scanners: Qualys, Tenable, and Rapid7. Study third-party entry rules, data transformation mappings, and import scheduling. Understand deduplication logic and how ServiceNow prevents duplicate vulnerability records when the same scanner runs multiple times. Review the reporting domain: dashboards, vulnerability age tracking, SLA compliance for remediation timelines, and executive-level trend reports.
Take full-length timed tests. 60 questions, 90 minutes, no pausing. Review every wrong answer by domain. If your score on any domain falls below 70%, revisit that section of the documentation before scheduling the real exam. Target 80% or higher on practice tests. The real exam environment adds pressure that costs most candidates 5 to 10 points compared to practice conditions.
Both the CIS-SIR and CIS-VR practice tests on Udemy include detailed per-option explanations sourced from official ServiceNow Zurich documentation. Each exam attempt costs $450. Each retake costs $225. Preparation is cheaper than retaking.
CIS-SIR practice test CIS-VR practice testShared concepts between SIR and VR
SIR and VR share a significant amount of underlying infrastructure. If you study one first, the second becomes easier. Here are the concepts that appear on both exams.
Security operations workspace
Both applications use the security operations workspace as their primary interface. SOC analysts and vulnerability management teams work from the same workspace framework. The layout, navigation, list views, and record interactions are consistent across SIR and VR. Study the workspace once and you cover both exams.
Sighting records and observables
Sightings link external intelligence data to internal records. In SIR, a sighting connects a threat indicator to a security incident. In VR, sightings connect vulnerability data from scanners to vulnerability items. The underlying sighting record structure is the same. Observables (IP addresses, domain names, file hashes, URLs) appear in both applications as the raw data points that sightings reference.
Threat intelligence
Both exams test your understanding of how ServiceNow ingests and processes threat intelligence. SIR focuses more on indicators of compromise (IOCs) and STIX/TAXII feeds. VR focuses more on vulnerability disclosures and CVE data. But the ingestion mechanism, the threat source configuration, and the way intelligence data connects to operational records are shared concepts.
CMDB for affected CIs
Both SIR and VR rely heavily on the CMDB to identify affected configuration items. When a security incident occurs, SIR maps it to the CIs involved. When a vulnerability is discovered, VR maps it to the CIs that need patching. This is why CIS-DF is a prerequisite for both certifications. Without solid CMDB knowledge, you cannot understand how either application prioritizes and tracks work.
The CMDB connection also drives risk scoring in both applications. A vulnerability on a production database server scores higher than the same vulnerability on a development workstation because the CMDB provides the business criticality context that adjusts the calculation.
Integration patterns
Both applications integrate with external tools through similar patterns: REST APIs, MID Server connections, scheduled imports, and orchestration activities. The specific tools differ (SIEM for SIR, vulnerability scanners for VR), but the integration architecture is the same ServiceNow framework. Understanding how one integration works gives you a transferable mental model for the other.
For additional study techniques that apply to both exams, see the general exam study guide. And for free resources to supplement your preparation, check the free study resources list.
Career value of SecOps certifications
ServiceNow security professionals are among the highest-paid specialists on the platform. The combination of ServiceNow platform skills and security domain knowledge creates a profile that is difficult to find and expensive to hire.
Security-focused ServiceNow roles (security engineer, SecOps architect, security operations lead) command salaries in the $143,000 to $160,000+ range in the US market. That is 15 to 25% higher than general ServiceNow developer or administrator roles. The salary guide breaks down compensation by role and certification level.
The supply-demand imbalance is significant. Most ServiceNow professionals specialize in ITSM, HRSD, or CSM. Security Operations has fewer certified practitioners because the domain requires both platform knowledge and security expertise. That scarcity drives salaries up and makes certified SecOps professionals highly recruitable.
Holding both CIS-SIR and CIS-VR positions you as a full-stack SecOps specialist on the ServiceNow platform. Organizations that implement Security Operations need professionals who can configure both applications, design the workflows between them, and maintain integrations with the broader security toolchain. Having both certifications eliminates the "can you do the other half?" question in interviews.
The investment math works out clearly. Each exam costs $450. Two exams total $900. Even with practice test preparation costs added, your total investment stays under $1,000. The salary premium for SecOps specialization is $15,000 to $30,000 per year. The return on investment pays back within the first month of a new role.
If you are weighing whether the certification investment is worth it, the ROI analysis covers the numbers for every ServiceNow certification tier.
Practice tests
The best way to identify gaps in your knowledge is to take timed practice exams under real conditions. Knowing the material and performing under time pressure are different skills. 90 minutes feels generous until you hit three consecutive multi-select questions that each require careful elimination of every option.
The CIS-SIR practice test covers all five exam domains with per-option explanations. Every question includes a reference to the specific Zurich documentation page where the answer is sourced. When you get a question wrong, the explanation tells you exactly where to study.
The CIS-VR practice test follows the same format. Domain-mapped questions, per-option explanations, and source links to official documentation.
Both practice tests are also available through the certification recommendation quiz, which can help you identify which exam to prioritize based on your current experience and career goals.
Take at least two full-length timed tests for each exam before booking your real attempt. If your practice scores are below 80%, you need more study time. ServiceNow does not publicly disclose the exact passing threshold, and exam-day stress consistently costs candidates 5 to 10 points compared to practice conditions. An 80% practice score gives you the margin you need.
Frequently asked questions
Do I need CIS-DF before taking CIS-SIR or CIS-VR?
Yes. CIS-Data Foundations is a mandatory prerequisite for both certifications. ServiceNow requires CIS-DF before you can register for either CIS-SIR or CIS-VR. If you already hold SIR or VR but have not passed CIS-DF yet, you need to complete it by December 31, 2026 or your existing certification expires. CIS-DF is currently free for your first attempt through June 30, 2026.
Should I take CIS-SIR or CIS-VR first?
There is no required order between the two. Most candidates start with whichever application they have more hands-on experience with. If you work in a SOC or handle incident response, start with CIS-SIR. If your role involves vulnerability scanning and patch management, start with CIS-VR. If you have no preference, CIS-VR has a slightly smaller scope and a 4-week study plan compared to SIR's 5 weeks, making it a marginally faster first win.
How much do the exams cost?
Each exam costs $450 for the first attempt and $225 for a retake. Taking both CIS-SIR and CIS-VR costs $900 total if you pass each on the first attempt. The certification cost guide covers all ServiceNow exam fees and available discounts.
Can I take both exams in the same week?
Technically, yes. Pearson VUE allows you to schedule exams on consecutive days. Strategically, it is risky unless you have extensive hands-on experience with both applications. A better approach is to space them 2 to 4 weeks apart. Pass the first, then use the shared concepts momentum to accelerate your study for the second.
What is the passing score?
ServiceNow uses scaled scoring and does not publicly disclose the passing threshold. The exact cutoff varies by exam form and is not always the same percentage. Aim for 80% or higher on practice tests to build a safety margin for exam-day conditions.
Do I need security experience to pass these exams?
Direct security experience helps but is not strictly required. The exams test your knowledge of the ServiceNow applications, not your ability to perform penetration testing or malware analysis. If you understand ServiceNow platform fundamentals and study the security-specific documentation thoroughly, you can pass without a security background. That said, candidates with SOC or vulnerability management experience consistently report shorter study times.
Which ServiceNow release do the exams target?
Both exams currently target the Zurich release. Always check the release selector on docs.servicenow.com before studying any documentation page. Features introduced after Zurich may not be valid answers on the exam.
Are CIS-SIR and CIS-VR worth it for career growth?
Yes. Security-focused ServiceNow roles pay $143,000 to $160,000+ in the US market, which is 15 to 25% higher than general platform roles. The supply of certified SecOps professionals is low relative to demand. Holding both certifications positions you as a full-stack SecOps specialist, which is one of the most in-demand profiles in the ServiceNow ecosystem.
Where to go from here
Start with CIS-DF if you have not passed it yet. It is free through June 30, 2026, and both SIR and VR require it. The CIS-DF study guide has a 4-week plan and domain breakdown.
Once CIS-DF is done, pick the SecOps exam that aligns with your current role or interests. Follow the study plan in this guide, use the official Zurich documentation as your primary source, and take timed practice tests before booking your exam.
The official ServiceNow documentation for both applications is at docs.servicenow.com. Filter by Zurich release. Read the Security Incident Response and Vulnerability Response sections in full. These are long reads, but the exam pulls directly from them.
For a broader view of how SIR and VR fit into the full ServiceNow certification landscape, the 2026 certification path guide maps every certification and its prerequisites. And the certification landscape overview covers industry trends and which certifications are gaining the most value.
Each CIS-SIR and CIS-VR exam attempt costs $450. Each retake costs $225. The practice tests cover all exam domains with per-option explanations sourced from official Zurich documentation.
Preparation costs a fraction of a retake fee. Two exams, two practice tests, and you have the credentials for one of the highest-paying specializations in the ServiceNow ecosystem.
CIS-SIR practice test CIS-VR practice testGet the free certification roadmap
A PDF with all 18 ServiceNow certifications, recommended order, and prerequisite chains. Yours for free.