I recently passed the GCIH (GIAC Certified Incident Handler) certification exam with a score of 99%. I did not expect such a high score because my practice tests scores were 89% and 92%. I did, however, aim to get at least 90% to be part of the GIAC Advisory Board.

While it is an impressive score, I think getting a high score on any certification exam is all about your preparation. Folks familiar with GIAC exams know that it is an open book format. That includes your notes or any cheat sheets provided by SANS or what you created. While the exams are open-book format, you should not underestimate the GIAC exams. It still requires you to prepare sufficiently.
My first GIAC certification was GDSA (GIAC Defensible Security Architecture). GIAC notified me that my GDSA beta exam attempt was ready on May 24, 2019, with an expiration of July 3, 2019. I had roughly five weeks to prepare for the exam, and that was not enough time for me, even as an open-book exam format. I scored 77% on that beta exam without taking the free practice tests to refine my index. Not a great score, but I managed to pass the exam.
Exam Information
The exam has the following format:
- 106 questions (including CyberLive)
- 4 hours
- 70% passing score
- Multiple-choice and single-answer
- You can skip questions (up to 10 if I remember correctly)
- You can take breaks (up to two)
CyberLive
To folks that are unfamiliar with newer GIAC exams, CyberLive is like a CTF (Capture The Flag) section of the exam. Essentially, they will give you access to a VM environment that you need to interact with to figure out the answer.
The CyberLive questions are multiple-choice and single-answer-type questions. While they are multiple-choice, you will need to perform tasks to select the correct answer. For example, the exam objective says that the candidate must demonstrate an understanding of password cracking methods. A CyberLive question could be something about password cracking, and you select the correct answer from the list.
The CyberLive questions are at the very end. That said, make sure that you give yourself enough time to answer them. Since GIAC chose not to disclose the number of CyberLive questions on the GCIH page, I decided not to reveal how many. However, I can say that they will let you know before you start the exam.
Preparation
The best way to prepare for the GCIH exam is to take the SEC504 (Hacker Tools, Techniques, and Incident Handling) course. I took the class in July and made sure that Joshua Wright was teaching it. He is, after all, the course author, so in theory, he will be the best instructor that you will ever get for the course.
This post contains affiliate links. If you use these links to buy something I may earn a commission. Full disclosure here.
SANS courses are expensive, so an alternative way to prepare for the exam is by buying the GCIH book. I do not have personal experience with the GCIH book, so this is not an endorsement to buy it. Take note that you will end up paying more for the certification attempt if you take this approach. However, you are still saving significantly compared to the SANS course and GIAC cert exam attempt prices.
After the class, I started reading the books off and on. I highlighted the texts as I read the books and did the labs. I was also creating my index as I went through the books.
Practice tests
After reading, highlighting, and creating my index, I took the first practice test. While I scored 89%, I wanted to do more to ensure I got at least 90% on the exam.
That said, I decided to reread the books and refined my index. I read all the books except half of book #5 because I ran out of time. Rereading and refining my index helped me increase my second practice test score to 92%.
I think I’m ready for this exam! #gcih pic.twitter.com/B6YGkTFVxl
— Andrew Roderos (@andrewroderos) November 13, 2021
I will say that I was a lot faster in reading and answering questions than the first time. Quickly answering the questions was why I scored lower than what I wanted to get, above 95%. I found myself not taking the practice tests seriously. It reminded me of how I was also rushing with my CISSP practice tests back in the day.
By the end of the second practice test, I had around 51 minutes left out of the 240 minutes allotted. It was a lot more compared to my first attempt. In my first attempt, I had around 23 minutes left to spare.
While the last score result was not even close to what I scored in the certification exam, it gave me enough confidence that I was ready and will get at least a 90% score. I could have pushed out my timeline, but I did not want to push it out any longer.
Other helpful materials
Before taking the SEC504 class and GCIH exam, I took the eLearnSecurity Penetration Testing Student (PTS) course and the eLearnSecurity Junior Penetration Tester exam. The eLearnSecurity course and exam covered some topics in the SEC504/GCIH. That said, it gave me some level of advantage.
Related: Passed eJPT |
Additionally, I took three Antisyphon classes with John Strand, the former author of SEC504. That also helped with some of the topics covered in the SEC504 class.
Creating index
I already knew how to create an index, for the most part, because of my past GIAC exam experience. That said, I did not need to surf the web to find articles about creating an index. I used my prior experience to create the index that works for me.
Pancake index
My index is so plain compared to others out there. For example, Lesley Carhart used a pancake index system. The method that she discussed in her article uses Post-it Tabs. Additionally, she matches those tab colors to her spreadsheet. That means you will need a color printer for your index.
This system works for a lot of people. I am sure if I used this system, it would work for me as well. However, I decided to take the minimalist approach.
Minimalist index
My index is simple: it has three columns, and they are book, page, and topic. The topic column can be a Linux command, file name, etc. The book and page columns are pretty self-explanatory, but for completeness’ sake, it is the book and page number where you can find the terms.
The index did not have any colors, nor did I need Post-it tabs or spiral binding. As I said, it is minimalistic. Essentially, I created a plain Excel spreadsheet, printed using black and white ink and double-sided, and stapled on the side.
Example terms
The index’s primary purpose is for you to look up the keywords quickly. You have roughly two minutes and 26 seconds to answer a question on the exam. The faster you can locate the keyword in the book, the better. For example, if you’re looking for Metasploit, you may find the topic in two or so books and several pages. You may end up reading or flipping through pages until you find the correct term. But, if you make it specific enough, you will only need to go to one or two pages of the book.

Additionally, you may want to put the file or registry path in case you need it. For example, include /etc/shadow
in your index, so you do not have to memorize what that file does. Even if you know it by heart, you may want to add it to your index just in case.
Exam day
While I have taken certification exams using the remote testing method, it was my first time using ProctorU. ProctorU is a bit different than other ones I have experience in, that you need to download two software. One of the software is a browser extension (Chrome or Firefox only). The second one is when you start your exam, which is the LogMeIn Rescue app.
If you need more information about the ProctorU system requirements, then check this page out.
Issues
I had issues starting the exam and had to spend some time troubleshooting. My exam schedule was 7:20 AM, but I did not answer exam questions until 7:45 AM.
Related: Passed GCIA |
I think the main issue was that I had uBlock Origin, and I was using Incognito mode. If you opt for the remote testing method, remove uBlock Origin temporarily and do not use Incognito mode to avoid issues.
Computer changes
The exam proctor will make some changes on your computer before starting the exam. Since I am a macOS user, there were a few of Security & Privacy related permissions that I needed to allow. Do not worry; the exam proctor will help you with this. There are some privacy-related settings on Google Chrome that you or the exam proctor will need to accept.
Additionally, the proctor will disable the screenshot keyboard shortcuts to protect the integrity of the GIAC exams. If you do not know how to return to the original settings, make sure to ask the proctor after you finish your exam.
Exam experience
The exam questions were very similar to the practice tests. So, if you take the practice tests and score pretty high, then you should pass. Though, there were questions that surprised me a little bit.
Additionally, there was at least one question that I do not remember being part of the books. That said, I had to guess the answer. I believe that question was under the incident handling and digital investigations exam objective, which I got at least one wrong.
The CyberLive questions were very similar to the practice tests. There is at least one that will throw you off a bit, however. If you practice the workbook during your preparation and fully understand them, I assure you that you can figure it out.
Tips
😲💪🏼 #GIAC #GCIH pic.twitter.com/qXpuaADvK4
— Andrew Roderos (@andrewroderos) November 18, 2021
I think it is safe to assume that people read these posts to get some tips for the exam. Without further ado, the following are my tips for passing the GCIH exam.
- Do the labs at least twice – during the class and exam preparation. The CyberLive section seems to be worth more than the regular multiple-choice questions. I know this because I bombed one CyberLive question during my first practice test.
- Take at least one practice test. If you scored in the 70% or low 80% range, then take the second practice test.
- Read the questions carefully. Reread it to make sure you fully understand the question.
- Use the skip question button if you find yourself spending more than two minutes on a question.
- Make sure you give yourself sufficient time for the CyberLive questions. Depending on your knowledge and skill level, it may take you more than 10 minutes to answer one CyberLive question.
- Even if you are very sure about your answer, look it up anyway. It helped me get a 99% score using this method.
- Do not rely on someone’s index. Create your index! Even though Joshua Wright gave us a pre-made index, I did not use it. I created my own.
- If you took notes, use them during the exam.
- You do not need to print any SANS-provided cheat sheets. A good index will be all you need.
Final thoughts
SANS SEC504 is a good class. You will learn a lot from it, especially if you do not have incident handling, forensics, and offensive security knowledge and skills. Even if you have eJPT under your belt, you will still learn from this class.
While GIAC certifications seem to have a good reputation in the security community, I think they can raise the bar even higher by transitioning their exams to more CyberLive type-questions. Also, I believe it is a good idea to transition the CyberLive questions to a fill-in-the-blank instead of multiple choice.
Transitioning to a more hands-on type exam demonstrates a better understanding of the material than the regular multiple-choice type exam. At least, I think so. It forces candidates to understand the material than memorize terms or look it up on their index to find the answers. Once they do that, I think the negative folks will stop criticizing the exam itself. Though, they will still complain about the price of the courses and exams.
Disclosure
AndrewRoderos.com is a participant of a few referral programs, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to company websites.
You might like to read
BUY ME COFFEE ☕