
GIAC GCIH (SANS SEC504) Course & Exam Review

Corey Nicholson
Cyber Incident Response | Views Are My Own, Not Employers

In March 2026, I completed the in-person 6-day SANS SEC504 (Hacker Tools, Techniques, and Incident Handling) training course. After almost 2 months of study I then passed the GIAC Certified Incident Handler (GCIH) exam with a score of 98%. This article reviews my experience of the SEC504 training course and the GIAC GCIH certification, with tips along the way.

Note: I'm bound by the GIAC Candidate Agreement and cannot share exam questions, materials, or index/reference content. All information on this page is either public by SANS or my personal experiences. All information I'm willing to share is below.

The Course - SEC504:

SEC504 is SANS' self-described "flagship incident handling course", designed to provide the essential skills required to detect, respond to, and neutralise threats across Windows, Linux, and Cloud platforms (Source: SANS). What sets it apart from a purely defensive course is its two-sided approach. Rather than studying offensive techniques and defensive response in isolation with two different courses, each concept is taught together. The course teaches how to execute a technique as an attacker, and then immediately how to detect, respond and prevent it. This builds a much deeper understanding than either perspective could offer alone.

The course runs over 6 days, with each day dedicated to a new section and its accompanying course book. Day 1 sets the foundation everything else builds on, covering the incident response process and methodology, as well as live, network and malware analysis (Source: SANS, SEC504 Syllabus). Days 2-5 then go through attacks from an offensive perspective, paired with the defensive counterparts a responder needs to know. Day 6 is a Capture the Flag exercise that brings everything together, giving you the chance to apply the week's techniques in a simulated environment. It's a satisfying way to close out the week and a good check on how well the content has actually landed.

The final day CTF competition involved splitting into teams, and thanks to working alongside some incredibly talented people, our team took out first place with each of us earning the SEC504 SANS Offensive Operations Challenge Coin!

SEC504 SANS Offensive Operations Challenge Coin

I found the course to be more updated than I had expected walking into it, covering concepts such as bypassing M365 authentication defenses, bypassing AI guardrails and integrating attacks with AI using Model Context Protocol (MCP) (Source: SANS, SEC504 Syllabus).

The Exam - GIAC GCIH:

The GIAC GCIH exam is a proctored 4 hour exam consisting of 106 questions (Source: GIAC). An undisclosed number of questions in the exam are referred to as "CyberLive" questions, in which a virtual machine is spun up for performance-based (practical) challenges (Source: GIAC). In my experience, the CyberLive VMs were ready to go in seconds and with almost no input delay, which was a relief as I wasn't wasting exam time waiting for machines and their services to boot up.

It's also important to note that GIAC exams are open book. All printed books, notes, and study guides are allowed (no digital items) (Source: GIAC).

I passed on my first attempt with a score of 98% - which also got me an invite to the GIAC Advisory Board - and my honest take is that the exam is very manageable if you've put the work in. Below are my tips:

  1. During the 6-day course, try to suck in as much information as possible. If you've fallen behind on a practical lab and the class is moving on, leave it. You can complete the labs later. Listen to the content.
  2. After the course, take about a week break to refresh your mind.
  3. Re-read the course books and re-complete the labs (I spent about 1 day a week on average per book). As you're going through the content, write your index and command notes (see below).
  4. Do a practice test (under exam conditions)! On my practice test I scored 99%, only a 1% difference from what I got on my real exam.
  5. Depending on your score you'll now either know if you're ready, or if not, which areas to focus on.
  6. I gifted away my second practice exam voucher, but doing the second practice would be a great chance to reassess yourself if there were areas that needed more focus.
  7. Sit the real exam! (You've made your index, notes, and done 2 practice exams. There shouldn't be any big surprises!)

Note: Please don't ask for my index or notes. I am unable to provide them.

An important part of the studying process is creating your index. An index is a guide that maps key terms or concepts to the page(s) in the books where they are covered. I've heard that some people like to alphabetically sort all the terms, however I preferred to keep them all in the order they were presented through the material. My index format looked something like below:

GIAC Index Format Example

I also created a reference guide of tools/commands. The format of these notes looked something like the below:

GIAC Tool Command Notes Format

Overall

SEC504 and the GCIH certification are (in my opinion) genuinely excellent. The course is well-structured, consistently updated, and the dual offensive/defensive teaching approach makes it one of the most effective ways to build real incident handling skills quickly. The CTF on day 6 is a great way to close out the week, and the exam (if you've put the work in) is very achievable.

That said, I'd be doing you a disservice if I didn't mention the cost. SANS courses are expensive, and SEC504 is no exception. If your employer is footing the bill, it's a no-brainer (and can have a strong ROI for a large business). If you're self-funding though, it's worth being honest with yourself. There are cheaper paths. Platforms like HTB cover a lot of ground (but not all), though you'll likely get there a lot slower, with less guidance, less structure and more headaches - but you will get there.

GIAC GCIH Certificate - Corey Nicholson