How To Pass SANS GIAC Certification Exams

How To Pass SANS GIAC Certification Exams

If you're looking for professional services on this topic or interested in other cybersecurity consulting services, please reach out to me via my Contact page to discuss further.

As I mentioned in a previous post, I recently took SANS SEC 504 and have since been studying for the accompanying GIAC Certified Incident Handler (GCIH) certification.  I’m happy to say that over the weekend I passed (thank you, thank you) and wanted to share my strategy on studying for GIAC certification exams.

Don’t put off studying

SANS classes are intense experiences and you may feel worn out after a long week of technical material has been thrown at you.  But if you’re serious about passing the GIAC exam, don’t wait too long after class is over to start studying.  This will keep the material fresh and allow you to recall information quicker.

Build an index of the course material

GIAC exams are all open book and open note — sounds easy, right?  False.  The SANS books are thick and highly detailed.  In order for the books and notes to be useful, you need to create an index that allows you to quickly find what you’re looking for.  You’ll obviously still need a good understanding of the material, but the index will help you quickly research trickier questions.  Building the index will also help you review the material since you’ll need to go through each page to determine keywords and concepts.  I usually take a highlighter and highlight key points on each page.  You can follow my guide on how to create a good index.  Finally, remember to print out the index since you can’t bring any electronics with you to the exam.

Set aside about two months to study and prepare

We’re all busy people, and depending on your situation, you may need more time.  In my experience, two months allows you to review one book a week (taking notes and building an index) and then take the practice exams.

Take the practice exams

You get two practice exams and they tend to be accurate representations of the type of questions you should expect on the real exam.  You should have a “draft index” built by the time you take your first practice exam.  Treat the experience like the real exam and see how effective your index is.  If you find the practice exam difficult either because you don’t know the material or your index did not effectively help you, take notes on the questions that stumped you, study the material again, and add to your index.  Then take the second exam and repeat this process.

Label your books

At first glance, each SANS book looks the same.  During the exam you want to be able to quickly grab the book you need that has the answer you’re looking for.  To help me quickly identify a book, I take a sticky note and write the number of the book on it and place it on the front cover of the book like a bookmark.  This way, I can just look at the sticky note and see the big bold number rather than having to read a monotonous book cover.  It’s a small thing but I’ve found the speed increase noticeable.  See the image below for an example.

The process is long and time consuming but in the end well worth it.  I’ve done it twice now and scored 90% on my GCIA and 98% on my GCIH.  I’m confident the process will work just as well for you as it did for me.  Best of luck!

If you're looking for professional services on this topic or interested in other cybersecurity consulting services, please reach out to me via my Contact page to discuss further.

18 thoughts on “How To Pass SANS GIAC Certification Exams”

  • Hey Eric,
    Congrats on the certifications, it’s awesome to finally get that certification after what seems like endless studying.
    I was considering studying for the OSCP exam and was wondering what your thoughts are with that? I have always been interested in cybersecurity but not good at programming and it seems difficult to follow cybersecurity as there are so much tools/ransomware/malware/news etc to keep up with.

    Would this exam be too difficult for entry cyber security learners? What was the order you got your certifications? Was OSCP/CISSP first and then your GIACs ? Are the GIAC certifications harder compared to OSCP?

    • OSCP is definitely not entry-level. You need at least some familiarity with Linux, networking, and programming concepts. I did 1. OSCP, 2. GCIA, 3. CISSP, and 4. GCIH. Prior to taking the OSCP I had experience with Windows and Linux systems administration and basic python scripting.

      Yes, security is incredibly broad and I’d encourage you to learn more about a few topics, determine which interest you the most, and then pursue those. Once. upon a time, I thought I wanted to be a red team pentester but as I progressed, I discovered that I enjoyed being a blue team defender a lot more.

      Best of luck!

  • I colour-coded the books for my GSTRT and used the same colours in the index I created. Almost immediately the brain tuned into the patterns and it made it real easy to find stuff. “Blue 124” is easier to grok quickly than 1:124 for some reason.

    To colour code I just got marker pens and coloured the top right corner of each page by bending the book and flicking through it holding the pen up to it. It worked surprisingly well 🙂

  • Hi Eric,

    Thanbkyou for your web blog sharing your GCIH exam tips.

    Would you know what is the difference between GCIH and ECIH? Pro and Cons?


  • Hi
    First of all congrats on your certification. I wanted to know where do you obtain those books. I am not that strong financially, their online courses are very expensive. Please let me know your source of books.
    Thank you.

    • Hi Satnam, the source of my books is SANS, the developer of the courses and certifications. You receive a set of books as part of their courses.

  • Thank you for this guidance. I have just been accepted to the SANS Women Academy starting in March and was wondering what to expect in terms of the certification tests. I like your method of building an index. Your tips have greatly put my mind at ease that I too can do well on these courses and certs with the hard work I plan to put into them.

    • Congratulations on your acceptance, Amy! I’m happy to hear you enjoyed this post. Sounds like you’re going into it with a great attitude and I’m sure you’ll do well. 🙂

  • Could you tell me what is best practice test to get GIAC security essentials
    could you tell me the process of creating the index sheet. give me example or send me the sample of index sheet

  • Hello Eric,
    Good day to you, thanks for the tips and guidance. But for the 5th recommendation, may i know how its look like (maybe a picture of the book)? i still cant imagine on that. sorry

    Thank you.

  • ditto stuart – the .doc file describing index build process is not accessible.
    eric, could you share it in another way?

  • Eric,

    The link to the page detailing how to build a good index has gone.. you dont happen to have a different link or the document to hand do you?


  • Thanks for your guidance on preparing the index sheet. But can you please share the one which you have developed which will definitely help us.

    • It turns out the process of creating the index yourself — reviewing each section, highlighting key points, and taking notes — is actually what will help you more effectively pass the exam. If I simply provided my own index, it would create a false sense of confidence and level of knowledge that would ultimately not be helpful to you.

      Best of luck!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.