I recently passed the GCIA (GIAC Certified Intrusion Analyst) certification exam, and I wanted to share my experience. As a follower, you may remember that I scored almost perfect on my GCIH exam. With this exam, however, I scored nowhere near it, and I am okay with that.

Exam information
The exam has the following format:
- 106 questions (including CyberLive)
- 4 hours
- 68% passing score
- Multiple-choice and single-answer
- You can skip questions (up to 10 if I remember correctly)
- You can take breaks (up to two)
SEC503 class
The SEC503 was the lengthiest SANS class I have ever taken. If you do the homework after class, that means you are spending 8 to 10 hours a day. It will depend on how fast you can do the challenges. The points you earn from these daily challenges also count towards the Day 6 competition.
The sixth day is really just the class’ Capture The Flag (CTF) event. It is where you utilize what you learned during the week and apply it in a lab environment. Some people will not call it a competition, but so long as you get a prize at the end, I think it is still a competition. If you are in the top 3 or 5, you will most likely get the class challenge coin. If your team wins, all members will get the coin. It seems that the number of challenge coins per class varies. However, in my experience, they usually give out up to five challenge coins.
I believe the class is great for network engineers, network security engineers, and other cybersecurity roles. It covers packet analysis using tcpdump and Wireshark, IDS/IPS concepts, Snort, Zeek, etc. Even if you know how to use Wireshark and tcpdump as a network engineer, you may still learn something from it. For example, I have always ignored the hexadecimal section of the packet bytes pane on Wireshark. I may still gloss over it, but I know how to read them now when I need to.
Moreover, I loved that it covered more about the BPF (Berkeley Packet Filter). While I know the basics of tcpdump, I never delved deeper into it outside my needs. With this class, I learned about BPF bit masking, which came in handy when I needed to write an exemption rule in our DDoS mitigation solution.
Preparation
The best way to prepare for the GCIA exam is to take the SEC503 (Intrusion Detection In-Depth) course. I took the class on February 7, 2022. If you are familiar with GIAC exams, you may have noticed that I took it past their four-month deadline. Yes, I did ask for a 30-day extension, and they granted me a complimentary extension.
When I took the class, Donald Williams was the instructor. Since I liked the Live Online format, I decided to do it again. It seems like the course author does not teach anymore, so I picked a schedule that worked for me.
After the class, I started reading the books off and on. I highlighted the texts as I read the books and did the labs. I was also creating my index as I went through them. Though, I will say that the majority of my reading time was not until four or five weeks before the exam. I still believe I did not adequately prepare for the exam even though I passed.
Practice test
After reading, highlighting, and creating my index, I took a practice test and scored poorly. I do not seem to take practice tests as seriously as I would the exam. I noticed I was reading the questions fast and misunderstanding them, which resulted in picking the wrong answers.

While I scored poorly on the practice test, I decided not to take another practice test. Part of my decision not to take the second practice test was because I was running out of time. I did not think I had more time to read even a few days before the exam.
Additionally, I was confident that I would score at least 68%. My inner voice was telling me that there was no way I would get below the passing score. I figured if I took my time reading the questions correctly and carefully read the CyberLive questions, I would score at least 80%, and I was right.
Moreover, I did not have the same motivation to score at least 90% to be part of the advisory board as I did when I was preparing for the GCIH. With that said, I was okay with scoring lower than 90%. Do I wish I scored higher than 85%? Of course, who wouldn’t? But, as others would say, a pass is a pass.
Note
Before you ask, I already gave my second practice away via the GIAC Advisory Board email list.
Creating an index
Since this is my third GIAC exam, I think I have a pretty good idea of how to create an index for myself. Though, I am sure there are still things I can improve on since I cannot seem to get 100% on the exam! 🙂
An index is good to have on exam day. As you may know, it is not required, but it is helpful if you forget specific details and want to quickly look them up. I read/heard some folks have passed GIAC exams without an index, so it is possible not to have one.
Minimalist index
As previously mentioned in my GCIH post, I use a minimalist approach with my index. While I discussed that I have three columns in my index, I revised it for my GCIA index by reducing the columns to two. Essentially, I combined the book and page number into one column. I used the period or dot symbol to separate the book and page numbers.

The terms included in the index will vary from one person to another. It is why I am a firm believer that you must create your own and not rely on someone else’s index. Think about it, another person’s index may not include terms they know by heart, which you may need during the exam.
Exam day
While this is my second time using ProctorU, I had to install the software again since I changed computers from the last time I took my GIAC exam. However, this time, I made sure not to use Incognito mode and to disable the uBlock Origin browser extension to avoid issues.
Issues
Unfortunately, I did not entirely avoid an issue. While in the middle of the exam, with about one hour and 30 or 50 minutes left, my Wi-Fi disconnected. When it reconnected, either the proctor stopped my exam or it stopped automatically. I had to talk to the proctor to restart it. Luckily, the proctor did not give me a hard time about it.
Experience
I thought the exam questions were fair, and some questions were similar to the practice test I took. However, some questions on the exam were not even in my practice test. I firmly believe that if I had taken the second practice test, I would have seen similar questions on the exam that were not in the first one. Access to a different set of questions would have given me the advantage of scoring a higher percentage.
As previously mentioned, I did not have the same motivation to score over 90% this time as on my last GIAC exam. My goal was to score better than my practice test and give away my second one to give back to the community.
I first offered it on my Instagram story and then on Twitter. Since there were no takers, I posted it on the GIAC Advisory Board email list, and it got claimed within minutes.
#GIAC #GCIA is no joke! One of the hardest GIAC exams I’ve taken thus far. I can finally relax now. #SANS #SEC555 might be my next class. I didn’t use the second practice test so if you NEED one, then DM me.
— Andrew Roderos (@andrewroderos) July 18, 2022
In the multiple-choice section, I skipped about six questions because I did not know the answer to them. Since I could not find the answers, I decided to move on to other questions. I knew that I needed to reserve enough time for the CyberLive questions as they are weighted higher.
In the CyberLive section, I encountered one question where I did not know which book and page would help me answer the question. It is not something I saw in my practice test, so I did not know how to do it. I also have not needed to do it at work, so I was clueless. I vaguely remember reading about it in the books, but I was already freaking out because I had about 15 minutes left.
With that said, I had to skip that CyberLive question and answer some more. Luckily, the other CyberLive questions left were not that hard, so I answered them just fine. By then, I only had about five minutes left and had to go through the multiple-choice questions and one CyberLive question.
Since I knew that CyberLive questions are weighted more than multiple-choice questions, I quickly answered them and focused on the CyberLive question. Unfortunately, I ran out of time and left it unanswered. I could have easily picked one from the answers but decided not to.
Tips
I still think that people read these types of posts to help them prepare for the exam. Without further delay, the following are my tips for passing the GCIA exam.
- Start studying right after taking a rest day or two after class. The books are dense compared to other SANS classes out there.
- Do the labs until you are comfortable solving the questions without looking at the solutions.
- Read the questions carefully. Reread them to make sure you fully understand each question.
- Do not be afraid of skipping a question.
- Make sure you give yourself sufficient time for the CyberLive questions.
- Even if you are sure about your answer, look it up anyway. Only do this if you have a lot of time.
- Do not rely on someone else’s index. Create your index!
- Print these cheatsheets: Binary/Hex/Decimal Chart, TCP/IP and tcpdump, and IPv6 pocket guide.
- If your goal is to get the highest score possible, then take two practice tests.
Final thoughts
I highly recommend SANS SEC503 for network engineers and network security engineers. As mentioned earlier, it is also great for cybersecurity professionals. My instructor told us that he had penetration testers take the class as well. He informed us that penetration testers found it valuable to know how the blue team works, which makes sense. Many folks would say the blue team informs the red team and vice versa.