Back in March, I passed the GMON (GIAC Continuous Monitoring) certification exam, and I wanted to share my experience. As a follower, you may remember that I passed the GCIA exam last year. With this certification exam, I scored a bit higher than my GCIA exam, but not quite like my GCIH exam results.

Exam information
The exam has the following format:
- 82-115 questions
- 3 hours
- Minimum passing score of 74%
- Multiple-choice and single-answer
- You can skip questions (up to 15 if I remember correctly)
- You can take breaks (up to two)
SEC511 class
The SEC511 was the second lengthiest SANS class I have ever taken – the first one was SEC503. If you do the daily challenges after class, that means you are spending 8 to 10 hours a day. It will depend on how fast you can do them.
The sixth day is just the class’ Capture The Flag (CTF) event – in this class, they call it Defend The Flag (DTF). It is where you utilize what you learned from the class and daily challenges. While some people will not call it a competition, so as long as you get a prize at the end, I consider it as such. If your score is in the top 3 or 5, you will most likely get the class challenge coin. If your team earns the highest score, all members will get the coin.
Related: Working with logs |
I believe the class is great for SOC analysts, security engineers, and other cybersecurity roles. Some of the software that you will learn how to use are Wireshark, Zeek, Security Onion, etc. What I noticed with Security Onion was how different it looked compared to when I first learned about it during my CCNA CyberOps scholarship days. It was nice to play with it again in more depth than CCNA CyberOps’ coverage.
I noticed during the class that some sections were a repeat of SEC530 that I took five years ago. A little disappointing when that happens since it seems like fluff, but I get that not all folks get to attend multiple SANS class, so adding it to this class makes sense.
Preparation
The best way to prepare for the GCIA exam is to take SEC511 (Continuous Monitoring and Security Operations) course. I took the class on October 5, 2022 and took some time off from studying.
When I took the class, Christopher Crowley was the instructor. Since I liked the Live Online format, I decided to do it again. While I would have welcomed taking the class with the authors as instructors, I was ok having a different instructor.
After taking a few weeks off from studying, I started reading the books off and on. As usual, I highlighted the texts as I read the books and indexed. Majority of my studying was about five weeks before I took the exam.
Practice test
After reading, highlighting, and creating my index, I took a practice test and scored pretty good. As usual, I found myself not taking the pratice tests seriously as I would on the exam. I noticed I was reading the questions fast and misunderstanding them, which resulted in picking the wrong answers.

Since my practice test score was a bit on the high side, I decided not to take another practice test. I was confident I would score at least 74% on the certifcation exam. My inner voice told me there was no way I would get below the passing score. I also knew that if I took my time reading the questions correctly, I would score at least 85%, and I was right.
Moreover, I did not have the same motivation to score at least 90% to be part of the advisory board as I did when I was preparing for the GCIH. I was content with scoring lower than 90%, if ever. A pass is a pass.
Note
Before you ask, I already gave my second practice away via the GIAC Advisory Board email list.
Creating an index
Since this is my fourth GIAC exam, I think I have a pretty good idea of how to create an index for myself. Though, I am sure there are still things I can improve on since I can not seem to get 100% on the exam! 🙂
Having an index on the exam day is good to have. As you may know, it is not required, but it is helpful if you forget specific details and want reference something quickly. I read/heard some folks have passed GIAC exams without an index, so it is possible not to have one.
Minimalist index
As mentioned in my GCIH post, I use a minimalist approach with my index. While I discussed that I have three columns in my index, I used the same method I used with GCIA, which reduced it to two columns. Essentially, I combined the book and page number into one column. I used the period or dot symbol to separate the book and page numbers.

The terms included in the index will vary from one person to another. It is why I am a firm believer that you must create your own and not rely on someone else’s index. If you think about it, another person’s index may not include terms they know by heart, which you may need during the exam.
Experience
I found out that ProctorU has a new requirement now, which is to download and install Guardian Browser. I encountered no issues during the exam, which was nice.
I thought the exam questions were fair, and some were similar to the pratice test. However, some questions on the exam were not even in my practice test. If I had taken the second practice test, I believe I would have seen similar questions on the exam that were not in the first one.
As previously mentioned, I did not have the same motivation to score over 90% this time as on my last GIAC exam. My goal was to get higher than my practice test score and give away my second one to give back to the community.
Tips
I still think that people read these types of posts to help them prepare for the exam. Without further delay, the following are my tips for passing the GMON exam.
- Take a break after the class. Maybe a week or so. Up to you.
- Read the questions carefully. Reread it to make sure you fully understand the question.
- Do not be afraid of skipping a question.
- Even if you are sure about your answer, look it up anyway.
- Do not rely on someone else’s index. Create your index!
- While the exam does not have CyberLive, include the lab books when indexing. As past SANS instructors have said, it is fair game.
- Get enough sleep. Getting enough sleep will help you be alert and focused during the exam.
- If your goal is to get the highest score possible, take two practice tests.
Final thoughts
I learned a lot from the class and the daily challenges. The DTF was great as well. Winning the class challenge coin is always good. While it is a good and valuable class, I am not 100% convinced that I would recommend it if you have other SANS class in mind. Maybe SEC555 is a better class than this one.
You might like to read
BUY ME COFFEE ☕