Six top SANS GIAC Cybersecurity Certifications


Thousands of information security professionals around the world earned their "masters" level certifications through the SANS Institute's Global Information Assurance Certification (GIAC) curriculum. The SANS GIAC program offers highly specialized certifications designed to allow security professionals the opportunity to demonstrate their expertise in niche fields of information security.


While some of these certifications appeal to general audiences and have thousands of certificate holders, others are highly focused and have only a few hundred holders. In this article, we examine the six most popular SANS GIAC certifications and explain how they can advance your information technology career.


No. 1: GIAC Security Essentials Certification (GSEC)

GIAC does offer a few certifications that have mass market appeal, and it's no surprise that one of them is the most popular GIAC certification. As of June 2015, 37,106 individuals held the entry-level GIAC Security Essentials Certification (GSEC). That's nowhere close to the more than 100,000 individuals holding the more popular Certified Information Systems Security Professional (CISSP) and more than 45,000 individuals with the CompTIA Security+ credential. While CISSP and Security+ continue to dominate the general security certification space, GSEC certainly retains a decent market share.


Earning your GSEC credential requires passing a single multiple-choice exam given through a proctored testing center. The exam consists of 180 questions and candidates have five hours to complete the test. Topics covered on the exam run the gamut of information security, from network security to hardening operating systems and handling security incidents. Earning the credential requires achieving a minimum passing score of 73 percent, which translates to providing accurate answers for 132 of the exam questions. Students who wish to take a comprehensive GSEC prep course may consider the SANS SEC401 course: Security Essentials Bootcamp Style.


No. 2: GIAC Certified Incident Handler (GCIH)

Given the number of security incidents reported in the media recently, there's high demand for skilled incident response personnel. That's one of the reasons that at least 25,546 individuals have earned the GIAC Certified Incident Handler (GCIH) certification. The GCIH exam covers the steps of the incident handling process, knowledge about identifying and detecting attacks and vulnerabilities and discovering the root causes of security incidents to improve controls and prevent future incidents.


The GCIH exam, administered through the Pearson VUE proctored testing centers, requires completing a 150-question exam within a four-hour time limit. Candidates must achieve a passing score of 72 percent by answering 108 of the exam questions correctly. Candidates may prepare for the GCIH through a combination of practical experience, self-study and training. SANS offers the SEC504: Hacker Tools, Techniques, Exploits and Incident Handling course that is specifically tailored to the exam objectives.


No. 3: GIAC Certified Forensic Analyst (GCFA)

The next most popular credential also covers the skills needed in the aftermath of a security incident. The GIAC Certified Forensic Analyst (GCFA) credential certifies that an individual has the skills necessary to collect and analyze security data from both Windows and Linux systems in the wake of an intrusion or other event. Currently, 11,028 individuals hold the GCFA credential. Exam topics cover deep forensic skills, including file carving and data extraction, file system structures, acquiring and preserving forensic images, conducting timeline analysis and handling volatile data.


The GCFA exam is shorter than other GIAC certification tests, coming in at 115 questions administered over a three-hour time period. Passing the exam requires answering 80 questions correctly to meet the passing score of 69 percent. Candidates preparing for the GCFA exam may take the SANS FOR508 course: Advanced Digital Forensics and Incident Response. This six-day course covers the complete exam objectives.


No. 4: GIAC Certified Intrusion Analyst (GCIA)

Coming in fourth is yet another credential focused on reacting to successful security attacks. The GIAC Certified Intrusion Analyst (GCIA) credential focuses on ensuring that candidates have the ability to configure and monitor intrusion detection systems, recognizing and interpreting the signs of an attack. As of June 2015, 10,687 individuals hold the GCIA credential. The exam objectives for GCIA are highly technical, zeroing in on the security and networking skills required to work deeply with intrusion detection systems. Topics covered on the exam include creating intrusion detection rules, using the Wireshark protocol analyzer, tuning IDS performance and correlating results with output from other security systems.


As with other GIAC certifications, earning the GCIA credential requires completing a proctored exam. The GCIA exam contains 150 questions administered over a four-hour time period. The passing score for this exam is 67 percent, corresponding to answering 101 questions correctly to join the elite ranks of GCIA certified security professionals. Candidates seeking a training course for this exam may wish to take the SANS SEC503 course: Intrusion Detection In-Depth.


No. 5: GIAC Penetration Tester (GPEN)

It isn't until we reach the fifth slot on the top certifications list that we find a specialized credential that actually focuses on preventing attacks, rather than responding to successful system breaches. The GIAC Penetration Tester (GPEN) credential assures employers that a security professional has the skills necessary to assess systems and networks to identify known vulnerabilities. The exam itself covers penetration testing techniques, legal issues, and technical approaches to penetration testing. As of June 2015, 9,574 individuals held the GPEN credential.



You probably won't be surprised to learn that earning the GSEC credential involves passing a multiple choice examination! As with GCFA, the GPEN exam is on the shorter side with 115 questions administered over a three-hour time period. The passing score for this exam is 74 percent, requiring that candidates answer 86 questions correctly. Individuals may prepare for the exam with the SANS SEC560 course: Network Penetration Testing and Ethical Hacking.


No. 6: GIAC Security Leadership (GSLC)

Technical managers seeking to work in the information security field also may wish to certify their expertise. The GIAC Security Leadership (GSLC) credential is designed with these individuals in mind. It includes some of the technical topics found on the GSEC exam, such as network security, software security and attack techniques. In addition, candidates will find a range of security management topics that would be less relevant for technical specialists. These include writing security policy, managing legal liability, conducting negotiations, leading staff and understanding total cost of ownership (TCO). As of June 2015, 8,724 individuals hold the GSLC certification.


The multiple choice exam for the GSLC credential comes in on the long side, with 150 questions. Candidates have four hours to successfully complete the exam by answering 102 questions correctly to achieve a passing score of 68 percent. Students preparing for the GSLC exam may benefit from the SANS MGT512: SANS Security Leadership Essentials for Managers training course. As with other SANS programs, this course takes place at many locations around the world on a regular basis.



The GIAC certification programs are some of the mainstay credentials of the information security field. If you already hold a base-level security certification, such as the Security+, CISSP or GIAC's own GSEC credential that demonstrates your breadth of security knowledge, consider earning one of the GIAC certifications to demonstrate your depth in one or more narrow areas of technical expertise. In addition to the six popular credentials covered in this article, GIAC offers a wide variety of other certifications, covering software security, auditing, legal issues, security administration and other topics. There's bound to be something of interest to anyone working in security!


About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.