Preparing for EC-Council Certified Security Analyst Practical Exam

By Tony Wilson

Managing Director

(The document I was looking for before taking the exam – it didn’t exist but does now).

Chances are, if you’ve found this blog, you have been trawling the internet looking for information regarding the EC-Council ECSA (Practical) exam.

There is very little information about the actual process on any of the EC-Council websites or portals so, as I found myself flying half-blind through the process, I thought I’d try to help to ease the stress that the “unknown” may bring whilst preparing for an exam as arduous as this!

I started out, like you probably, trying to find anything I could on social media and/or forums – but most of what I found pertained to v9 which, it appears, is a very different format to v10.

Just to be clear, the format I am describing is the 12 hour ECSA v10 practical exam that requires at least five challenges to be completed and a report submitted.

 Scheduling the exam

I found this process confusing as, in order to schedule your exam, you need to enter your relevant voucher code to enter the scheduling area. There is some wording on this page that leads you to believe that a 15 day timer has started to count down now that the code has been entered.

Don’t worry, the counter only starts to count down when you choose to proceed at the bottom of this page.

I was relieved to find this as I’d entered the voucher code and then came back to schedule the exam a week later – thankfully I hadn’t lost any time as I hadn’t clicked the proceed button.

Once you proceed to schedule your exam, a 15 day timer counts down – yes, even before you have chosen a date. You have to book a date, sit the exam and submit a pen-test report all within 15 days – so choosing an exam 14 days away will not give you much time to write the report and submit it.

I found this idea a bit crazy – especially as I only had an option to choose an exam slot 12 days away – and that was for a 5am start!

Thankfully, after an email to EC-Council, I managed to get this changed to 9am.

 The day of the exam

Instructions are sent to you via email to inform you how to connect up to your proctor – this is supposed to be 15-30 mins ahead of the exam – but mine arrived just 5 minutes before (another area of stress I could have done without).

I recommend using a headset to talk to the proctor. English may not be their first language so anything to make your voice clearer is an advantage.

The proctor then requires you to do the following:

  • switch on your web-cam – and turn it around the room including your desk area (the proctor saw that I had a mobile phone on my desk and asked me to move it to another part of the room)
  • install some screen sharing software
  • ensure only one monitor is in use (which was a blow to me as I’d set up my environment to have all my notes on one screen and planned to use the Exam lab on the other).

 Conducting the exam

You have to agree to certain conditions before the exam starts. It’s a one-off 12 hour exam; the clock ticks down as soon as you start – there is no pausing.

You are allowed to use the bathroom as-and-when required and you can take a couple of half hour screen breaks if you wish. Other than that – you have to remain in camera-shot for the duration of the exam. Only leave when you have the permission of the proctor. It did sometimes take 5 minutes for the proctor to respond to me.

The exam follows the same format as the Practice Range found in the iLabs – i.e. Capture the Flag scenarios – where the contents of secret.txt must be copied into the relevant box and submitted at the end.

A word of warning here – note that I said “copied” and not “copied and pasted” – remember the Cyber Range is a virtual environment and you can’t paste from it. So be very careful when typing in the code to the web form!

Pay particular attention to similar characters such as 1’s and I’s. And don’t forget to screengrab the code to use in your report!

 The report

As mentioned, the exam environment is totally virtual, so you cannot export any output files from the tools that you use (such as Nessus or nmap) – so remember to screengrab your progress using the screengrab facility on your personal computer and save to a document on your own device rather than within the virtual environment.

I used the sample report provided with the course material (you can download it from the exam scheduling portal too) – there’s a lot of creative stuff in the front of that report – I left most of it in but did change obvious things that I didn’t do, such as interview staff, read through policies etc.

Whilst writing the report I wished that I had taken more screen-grabs to help produce a more complete account of how I solved each challenge and found myself looking for the output files that I’d created (but which were, of course, back in the exam lab!).

Don’t forget, at the end of each challenge, to put the recommendations that describe how the “client” could better defend their devices against the vulnerability that you exploited.

I stopped after completing the 5th challenge, but did take a look at all eight. I recommend not spreading yourself too thin over all of the challenges – or you could run the risk of having 4 complete and 4 “almost there” at the end of the exam – there comes a time when you have to start to focus on that remaining 5th machine.

I allowed myself about 4 hours over a couple of days after the exam to write the report before submitting it to the Aspen portal.

I found out 4 days later that I was successful.


Since completing the exam, I have been asked various questions by friends and colleagues – so I’ve compiled the following FAQ. I hope you find them useful:


  1. Are you allowed to go to the bathroom or is that restricted to official breaks in the exam?

I just told the proctor I needed to visit the bathroom – I went whenever required.


  2. Is it a one-off 12 hours or can you pause after a task and continue later? Or do you have to grab all the test results in the one-off session and write the report later?

It’s a one-off 12-hour exam; the clock ticks down as soon as you start and there is no pausing. You have 15 days to write the report from the time of the exam scheduling.


  3. Can you use multiple screens, e.g. one for the iLabs environment and one for internet research, whilst the exam is running?

Only one screen allowed. It is an open book exam, so you can still use Google etc.


  4. Would I be using the testing tools (such as Kali Linux) on my own device – or would I be using the tools presented on an attacking machine in the virtual environment (such as that in the iLabs environment)?

You will be given access to two machines in iLabs: Kali and Windows. You will be accessing these machines, just like in the Practice Range, to access the target machines and exploit them. All the tools required to compromise the targets are present in these machines.


  5. The “Practice range” in the iLabs environment asks for the contents of secret.txt to be entered into answer boxes. Does the exam ask for things in the same way – or might the challenge be to dump a table, for example?

The exam is similar to the Practice Range. In fact, the Practice Range has been designed to give you a taste of the exam. The only difference is that the exam has 8 challenges, while the practice range has 5. You need to solve at least 5 challenges out of 8 to clear the exam.


  6. If the attack machine is in the virtual environment, does it have internet access? If not, how would I download a tool if it is not on the device presented?

The attack machine does not have internet access. But you will be provided with all the tools that are required to solve the challenges.


I hope this helps you prepare for your ECSA Practical exam – Good Luck!