How To Pass SANS GIAC Certification Exams

If you're looking for professional services on this topic or interested in other cybersecurity consulting services, please reach out to me via my Contact page to discuss further.
As I mentioned in a previous post, I recently took SANS SEC 504 and have since been studying for the accompanying GIAC Certified Incident Handler (GCIH) certification. I’m happy to say that over the weekend I passed (thank you, thank you) and wanted to share my strategy on studying for GIAC certification exams.
Don’t put off studying
SANS classes are intense experiences and you may feel worn out after a long week of technical material has been thrown at you. But if you’re serious about passing the GIAC exam, don’t wait too long after class is over to start studying. This will keep the material fresh and allow you to recall information quicker.
Build an index of the course material
GIAC exams are all open book and open note — sounds easy, right? False. The SANS books are thick and highly detailed. In order for the books and notes to be useful, you need to create an index that allows you to quickly find what you’re looking for. You’ll obviously still need a good understanding of the material, but the index will help you quickly research trickier questions. Building the index will also help you review the material since you’ll need to go through each page to determine keywords and concepts. I usually take a highlighter and highlight key points on each page. You can follow my guide on how to create a good index. Finally, remember to print out the index since you can’t bring any electronics with you to the exam.
Set aside about two months to study and prepare
We’re all busy people, and depending on your situation, you may need more time. In my experience, two months allows you to review one book a week (taking notes and building an index) and then take the practice exams.
Take the practice exams
You get two practice exams and they tend to be accurate representations of the type of questions you should expect on the real exam. You should have a “draft index” built by the time you take your first practice exam. Treat the experience like the real exam and see how effective your index is. If you find the practice exam difficult either because you don’t know the material or your index did not effectively help you, take notes on the questions that stumped you, study the material again, and add to your index. Then take the second exam and repeat this process.
Label your books
At first glance, each SANS book looks the same. During the exam you want to be able to quickly grab the book you need that has the answer you’re looking for. To help me quickly identify a book, I take a sticky note and write the number of the book on it and place it on the front cover of the book like a bookmark. This way, I can just look at the sticky note and see the big bold number rather than having to read a monotonous book cover. It’s a small thing but I’ve found the speed increase noticeable. See the image below for an example.
The process is long and time-consuming but in the end well worth it. I’ve done it twice now and scored 90% on my GCIA and 98% on my GCIH. I’m confident the process will work just as well for you as it did for me. Best of luck!
Hey Eric,
Congrats on the certifications, it’s awesome to finally get that certification after what seems like endless studying.
I was considering studying for the OSCP exam and was wondering what your thoughts are on that? I have always been interested in cybersecurity but not good at programming and it seems difficult to follow cybersecurity as there are so many tools/ransomware/malware/news etc. to keep up with.
Would this exam be too difficult for entry cyber security learners? What was the order you got your certifications? Was OSCP/CISSP first and then your GIACs? Are the GIAC certifications harder compared to OSCP?
OSCP is definitely not entry-level. You need at least some familiarity with Linux, networking, and programming concepts. I did 1. OSCP, 2. GCIA, 3. CISSP, and 4. GCIH. Prior to taking the OSCP I had experience with Windows and Linux systems administration and basic Python scripting.
Yes, security is incredibly broad and I’d encourage you to learn more about a few topics, determine which interest you the most, and then pursue those. Once upon a time, I thought I wanted to be a red team pentester but as I progressed, I discovered that I enjoyed being a blue team defender a lot more.
Best of luck!
I colour-coded the books for my GSTRT and used the same colours in the index I created. Almost immediately the brain tuned into the patterns and it made it real easy to find stuff. “Blue 124” is easier to grok quickly than 1:124 for some reason.
To colour code I just got marker pens and coloured the top right corner of each page by bending the book and flicking through it holding the pen up to it. It worked surprisingly well 🙂
Thanks for the great tip, Rob!
Hi Eric,
Thank you for your web blog sharing your GCIH exam tips.
Would you know what the difference is between GCIH and ECIH? Pros and cons?
Thank you!
Hi
First of all, congrats on your certification. I wanted to know where you obtain those books. I am not that strong financially, and their online courses are very expensive. Please let me know your source of books.
Thank you.
Hi Satnam, the source of my books is SANS, the developer of the courses and certifications. You receive a set of books as part of their courses.
Thank you for this guidance. I have just been accepted to the SANS Women Academy starting in March and was wondering what to expect in terms of the certification tests. I like your method of building an index. Your tips have greatly put my mind at ease that I too can do well on these courses and certs with the hard work I plan to put into them.
Congratulations on your acceptance, Amy! I’m happy to hear you enjoyed this post. Sounds like you’re going into it with a great attitude and I’m sure you’ll do well. 🙂
Could you tell me what the best practice test is to get GIAC Security Essentials?
Could you tell me the process of creating the index sheet? Give me an example or send me a sample of the index sheet.
regards,
Hi Nahla — Once you register for the GSEC certification attempt (https://www.giac.org/certification/security-essentials-gsec) you will receive access to two practice exams. These are an accurate reflection of the real GSEC exam and would be a great way to prepare.
My guide to creating a SANS GIAC index can be found here: http://www.ericooi.com/how-to-build-a-sans-giac-index/
Hope that helps!
Hello Eric,
Good day to you, thanks for the tips and guidance. But for the 5th recommendation, may I know what it looks like (maybe a picture of the book)? I still can't imagine that. Sorry.
Thank you.
Hi Mary — I updated the post with an example of my recommendation. I hope this helps and best of luck with your studies!
Ditto Stuart – the .doc file describing the index build process is not accessible.
Eric, could you share it in another way?
Thanks!
Hi Ivan,
You’re not the first to ask so I decided to write the howto myself: http://www.ericooi.com/how-to-build-a-sans-giac-index/
Enjoy and best of luck! 🙂
Eric,
The link to the page detailing how to build a good index has gone. You don't happen to have a different link or the document to hand, do you?
Stu
Thanks for your guidance on preparing the index sheet. But can you please share the one which you have developed, which will definitely help us?
It turns out the process of creating the index yourself — reviewing each section, highlighting key points, and taking notes — is actually what will help you more effectively pass the exam. If I simply provided my own index, it would create a false sense of confidence and level of knowledge that would ultimately not be helpful to you.
Best of luck!