Overview
TL;DR: Start indexing early, annotate your books, focus on lab tools for CyberLive exams, take your Practice Tests seriously, watch your time, and get comfortable with the skip option.
Throughout 3 years of working with students who are preparing to take GIAC exams, one thing I see again and again is that this is a highly personal process. How you prepare for and eventually conquer the exam will depend on your mindset, your strengths and weaknesses as a student & test taker (yes, these are different things!) as well as some factors that might be outside of your control like how much time you have available, how well your background aligns with the exam material, and the stakes involved.
In this post I share the system I’ve used to pass GIAC exams and earn Practitioner certifications like GSEC, GCIH, GPEN, GPYC, GPCS, GCSA, and more.
Background
At time of writing I have 15 active GIAC certifications. I’m grateful that I have the available time and support to spend this kind of effort on professional development. This isn’t some kind of flex–some cyber wizard will always have more shiny credentials than any of us–but I think it’s important to establish that I’ve refined this process to a science at this point. It works for me.
Others have written on GIAC exam prep. I refer folks to Lesley Carhart’s Better GIAC Testing with Pancakes regularly. In the time since Lesley published the first version in 2015, they have worked tirelessly to make themselves available to help develop cybersecurity professionals. If you’re unacquainted, I encourage you to check out PancakesCon, a haven for infosec folks to meet and share about technical and non-technical topics alike. Previous PancakesCon talks include “Steganalysis & Stegosaurus” and “Teaching Security by Storytelling, with LEGO Sets”. It’s free, it’s virtual, and it’s worth your time. Lesley also makes the effort to meet with complete strangers in the industry and offer career advice and general mentorship.
I count myself among the long list of folks who have benefited from Lesley’s efforts. All of that said, parts of their indexing system don’t gel with my personal exam strategy. For GIAC exam success, one size does not fit all. So, in that light, sharing is caring.
Begin exam prep on Day 1
Though I attended my first SANS courses via the asynchronous on-demand modality, today I tend to take SANS courses live. Often online, but sometimes in person at events. This means there is an initial high-intensity information fire hose to wrangle. Here’s how I manage that:
- I begin indexing immediately. Some folks wait until after class to start preparing for the exam. I angle to pass the exam before class begins. If you are new to this type of exam prep you might want a template to get started.
My exam indexes are simple spreadsheets like this. I alphabetize by term and use alternating row colors.
- My index is a single-purpose tool. A good index isn’t an attempt to re-write the books. It is a reference document that points you to thresholds and exceptions. It points you to tables of data you don’t need to memorize. It points you to commands used in the course and important options. It’s a net you’re building for yourself to fall back into when your memory fails you under pressure. It doesn’t save you time because it is complete and perfect. It saves time by dropping you into the books right where you need to be to make a fast, confident decision.
- I take notes directly in the books. Because I favor a lightweight index, I write notes in the book itself. Sometimes the way something is written distracts from its meaning. I find it helpful to take notes when I encounter this. The purpose is two-fold.
  - Rewriting things in my own words keeps me engaged with the material. It helps me maintain focus and I think it helps my memory retention.
  - When I refer to this page during the exam to answer a question, I don’t want to get confused all over again. I front-load that brainpower to set myself up for success.

You might find highlighting key terms on the page helpful as well. For whatever reason that just isn’t my style. I think the color pulls my attention too effectively and makes it hard for me to find other things on the page.
Bonus Tip
- I note any unfamiliar commands used in the labs. This is especially useful for exams that include a hands-on “CyberLive” component and lots of CLI programs. If you aren’t sure whether your exam has a hands-on portion as well as the multiple choice questions, you can find this info on the GIAC page for that certification. For example, if you are working on GSEC there is a page for that. Look for a CyberLive badge on that page.
If you see CyberLive, pay extra attention to the labs.
It’s important to understand why we use the tools featured in the labs. It’s also good to check for options that the lab exercises don’t feature directly. I don’t think that GIAC is trying to make sure you can memorize a procedure. Instead, expect to take what you learned and synthesize new conclusions and techniques. I skim the --help output or the man page for new tools to make sure I have at least a general idea of what else each one can do.
Manage your time & skip with purpose
Each exam has a published length and a set number of questions. For example, at time of writing, the GSEC exam expects you to answer 106 questions in 4 hours. That is about 2 minutes and 15 seconds per question. I strongly encourage you to know this number for your exam and use it to pace yourself.
Set checkpoints. With this pace, you want to be somewhere near question 20 by the 45-minute mark. At the 2-hour mark you should be at least halfway through. The earlier you identify pacing problems, the better your opportunity to adjust.
Why does time matter?
It might not matter for you. You might have a solid, intuitive sense of the time available. Sometimes, however, you can get lost in a question and time starts ticking away. Having an idea of your goal pace means that when you snap out of it and suddenly think, “Oh no I’ve wasted all of my time! 😨” you have your checkpoints to evaluate that concern. Take a moment to re-orient yourself. When the urge to panic hits, check your pace. Odds are you’re doing fine and rushing will only make things worse.
Considering time before you sit down to take your exam gives you one more tool you can reach for if you need it.
What’s so bad about speeding up?
There are two time problems folks encounter:
- You move too slow. This can indicate a problem with mastery of material, indexing, or a failure to use the skip feature.
- You move too fast. This can indicate that you’re not taking advantage of the one thing that makes these exams so different: They are open book! If you aren’t using your time you probably aren’t using your index. Either you’re a hotshot, in which case you don’t need this advice, or you are making guesses that you don’t need to be making. The answers are in that pile of books.
For most exams, you have enough time to look up almost every question if your index is solid and you move with purpose. I often work with students who failed their exam, but it turns out they left half their time on the table or they ran out of time halfway through and they didn’t even give themselves a chance to attempt 50 of the questions. Learn to use your time.
What’s the deal with skipping?
GIAC exams give you the opportunity to skip up to a certain number of questions. This shifts that question to the end of the exam. This is a much more powerful tool than many people realize. There are multiple ways you can capitalize on this. Here’s my strategy:
- Skip questions if you aren’t confident that you have a way to solve them conclusively. For example, if I pull up my index and see that I just don’t have any of the terms from the question in my notes at all? That’s a candidate to skip. Or let’s say I’m only able to confidently eliminate one of four answers without spending time flipping pages and diving in deeper… just skip. Why spend more time on a 33% chance you will find the right answer when you could instead spend that time reading a new question that you might solve instantly?
- Keep an eye out for questions that are related to questions you skipped. Sometimes you get lucky and one question helps solve another. I’ve lost count of the number of times I’ve made it to the end of an exam and confidently answered a question I skipped earlier.
- Give yourself a chance to shift into gear. Let’s say you’re working on GCIH. That’s an exam that demands precise, technical work. You might need to do base conversions, identify header fields in raw hex, or understand tricky packet filters. I don’t know about you, but I typically take my exams first thing in the morning and my brain is often not ready for math in the morning. There’s nothing wrong with skipping a question just because you don’t want to deal with it right now. Build some momentum. Settle into the test.
D-D-Double Bonus Tip
Get the most out of your Practice Tests
The Practice Tests follow the same format as the real exam. These are your opportunities not only to get a feel for your comfort with the exam material, but also to test your strategy. I take these tests as if they were the real thing. My primary focus is on my index. Do I have good coverage of the topics the exam is asking me to understand? Am I able to leverage the index to quickly get the answers I need from the books? How is my time management?
Don’t throw away this opportunity. It’s tempting to click through casually or to quit halfway through when you know that the score doesn’t matter. If you do it right and use the Practice Tests like simulations of the real deal, you will be well prepared on exam day.
Generally the Practice Tests are just as difficult as the real exam. If you find that you are reliably clearing the minimum passing score by, say, 15%, that is a solid indicator that you are prepared.
Take care of yourself before the exam
For many, this does not need to be said. However, I am one of those kinds of people who simply forgets that I’m a human who has biological needs when I am lost solving tough problems (like preparing for an exam). I am here to tell you with 100% confidence: sleep, hydration, comfort, and mindset materially impact test scores.
Please don’t try to “slide into home” at the last moment. Have your index printed and your books stacked up in a nice pile the night before your exam. Don’t just know where your ID is. Go get your ID and put it next to your material. You do not want to be the person who is running to your printer and looking for a stapler ten minutes before your test. Can you pull it off? Probably. But you have the ability to choose a different path.
If you are testing from home, go through the pre-test setup early. Know that the proctor will connect to your system remotely and they’ll want to see your entire room. It is invasive, procedural, and there’s little room for compromise. I take almost all of my exams this way, but it can be jarring, and if you aren’t prepared it can be a stressful way to start an important test.
Accept that you are doing something difficult and give yourself some grace. Give yourself every advantage you can and don’t try to cut corners.
