After months of studying SEC504 material alongside a full-time role in IT security operations at one of Africa’s largest hydroelectric power plants, I passed the GIAC Certified Incident Handler (GCIH) exam. Here’s the honest version of what that process looked like.
Why GCIH
My day job involves incident handling in an IT environment. Most certification paths in this space either go too broad (Security+) or too deep into a single domain. GCIH sits at exactly the right level — it covers the full incident handling lifecycle from preparation through lessons learned, while also going into attacker techniques, tooling, and network forensics at a depth that’s actually useful on the job.
It’s also a DoD 8140 baseline certification for incident responder roles, which matters if you’re working in or adjacent to critical infrastructure anywhere in the world.
The SANS SEC504 course that pairs with GCIH is genuinely one of the better security courses I’ve taken. It covers attack techniques not to teach you to be an attacker, but so you understand what you’re looking at when responding to one. That framing makes a difference.
The Exam Format
The GCIH is 106 multiple-choice questions over 4 hours, with a passing score of 69%. It’s open book — you can bring any printed material, including the full SEC504 courseware and handwritten or printed notes. No electronic devices.
The open book format sounds like a safety net. It isn’t. The questions don’t test your ability to look things up — they test your understanding, and most of them are scenario-based. You need to know the material well enough to reason through it; the books are there for specifics like command syntax, event IDs, and tool flags that are easy to forget under pressure.
I sat the exam remotely via Guardian Browser over Starlink from home. The proctoring setup was straightforward — ID check, room scan, and then you’re in. The only difference from previous exams I’ve sat was the second camera requirement, which you can handle with your phone.
The Index
Everyone who passes a GIAC exam will tell you the same thing: the index is everything. I spent more time building it than I did on any other part of prep.
The SEC504 courseware runs to several hundred pages across multiple books. I built a keyword index that mapped every significant topic, tool, attack technique, and incident handling phase to a specific page number. Colour-coded by book. Alphabetically sorted. I printed and bound it before the exam.
The index served two purposes. The obvious one is exam-day lookup speed. The less obvious one is that building it forced me to process every section of the material a second time, which is where a lot of the actual learning happened.
I ended up taking four indexes into the exam: the official SANS book index, my own books-by-topic index, my books-by-keyword index, and a condensed summary of the entire courseware — just under 80 pages — with its own index. That last one was my main instrument on the day. Be realistic about what you can actually search through under exam pressure: 80 pages beats six books every time. The books are there as a backstop if something genuinely isn’t in your notes. They shouldn’t be your first stop.
If you’re preparing for any GIAC exam, start your index early and treat it as a primary study deliverable, not an afterthought.
Working in Critical Infrastructure
One thing that shaped my approach to this material is context. Working in IT security at one of Africa’s largest hydroelectric power plants means incident handling isn’t abstract. Understanding attacker techniques and having a solid incident handling methodology matters in that context in a way it might not in a generic small-to-medium business.
SEC504 and GCIH are IT-focused, but the discipline transfers. The incident handling lifecycle — preparation, identification, containment, eradication, recovery, lessons learned — applies regardless of what’s on the other side of the network.
Was It Worth It
Yes, without hesitation. Not because of the letters after the name, but because the process of preparing for it — working through the material seriously, building the index, sitting two practice exams — filled real gaps in my understanding of attacker techniques and sharpened how I think about incident response methodology.
If you’re in security operations and considering GCIH, do the SEC504 course if you can. Build the index properly. Take both practice exams seriously. The cert is achievable and the material is genuinely good.
