GCIH certification overview

Security Ninja
July 2, 2018 by
Security Ninja

The GIAC Certified Incident Handler (GCIH) is one of the most prestigious certs for IT professionals who are starting their journey into the world of Incident Handling, and even for seasoned employees as well. This article provides an overview of the GCIH Certification, its objectives, exam style and other relevant details.

Exam Style

The GCIH exam consists of the following characteristics:

Get certified with an Exam Pass Guarantee

Get certified with an Exam Pass Guarantee

Looking to get certified? Many of our boot camps are backed by an Exam Pass Guarantee, ensuring you leave with the certification you want.

  • Exam Questions:150
  • Type: Proctored
  • Time Limit: 4 Hours
  • Minimum Passing Score: 73%
  • Renewal of cert: At 4-year intervals


The GCIH cert requires the candidate to understand what a Security Incident is and to deal with an incident after it has occurred. The following are the exam objectives upon which a candidate is expected to demonstrate their skills.

  • Reconnaissance
    • Gathering information about any inbuilt tools like whois.com and be able to interpret the information generated from such them.
    • Knowledge around the DNS and how misconfiguration like DNS Zone can be identified using tools such as nslookup, dig, etc.
    • Knowledge of how to use web search engines for reconnaissance such as GHDB.
  • Scanning
    • How to map networks to reveal misconfigurations and vulnerabilities.
    • An understanding of ports mapping and OS fingerprinting.
    • How to evade certain network security tools such as IDS/IPS when launching a mock Cyber-attack.
    • Knowledge of different vulnerability management tools such as Nessus, Nikto, etc.
    • How to configure SMB mapping to gather information around the Windows environment. This includes executing various commands to map and enumerate smb shares both from Windows to Windows and Linux to Windows OS environments.
  • Exploitation
    • Gathering information and mapping network, services.
    • Knowledge around Netcat to achieve persistence and data transfer.
    • Configuring around IP address and the ability to spoof with tools like Wireshark and Dsniff etc.
    • Know the fundamentals around Session hijacking using tools like Ettercap.
    • How to launch DNS cache poisoning attacks and mitigating them as well.
    • How Buffer overflow attack works as well as the various parser problems such as protocol parser for a buffer overflow situation.
    • A working knowledge of format string attacks and their defenses.
    • How the Windows OS stores password hashes and how they can be extracted via a brute force attack using tools such as John the Ripper, Cain & Abel, Rainbow Tables, etc.
    • How the Pass the Hash attack works.
    • A knowledge of worms, such as:
      • Multi exploit worms;
      • Multi-platform worms;
      • Zero-day exploit worms;
      • Fast-spreading worms;
      • Polymorphic worms,
      • Metamorphic worms.
    • Knowledge of Bots, how are they distributed, and communicate amongst one another.
    • An understanding on the OWASP Top 10 Attacks list, such as SQL Injections, Cross Site Scripting, etc.
    • How Distributed Denial (DDoS) attacks can be launched, their types and defenses.
  • Maintaining Access
    • How to maintain access to a rooted system.
    • Know what backdoors are and how they work in the software development world.
    • A working knowledge around rootkits, in particular:
      • User Mode Rootkit;
      • Kernel Mode Rootkit.
  • Covering Tracks
    • How to covertly hide files in both Linux and Windows OS environments.
    • Editing of important log files such as bash and how to remove artifacts from them.
    • How to use various covert and tunneling channels, such as:
      • Reverse HTTP shells;
      • ICMP tunnels;
      • Backdoor sniffers
      • Steganography.

An understanding of how to protect against the above-mentioned covert channels.


While studying for the GCIH takes hard work and lots of effort,t indeed, it does not appear to be perhaps as difficult when compared to some of the other Cybersecurity cert exams. A primary reason for this is that all the GIAC based exams are open book and open notes exam (but not open Internet or open computer), which very much, unlike other IT certs.

A specific GIAC preparation guide can be downloaded here.

There are other GCIA related certs to the GCIH, and are as follows:

Get certified with our Exam Pass Guarantee

Get certified with our Exam Pass Guarantee

Many of our boot camps come with an Exam Pass Guarantee: if you fail on your first attempt, we'll invite you to re-sit the course for free and cover the cost of your second exam.

A recommended study book is the "GIAC Certified Incident Handler Certification (GCIH) Exam Preparation Course in a Book for Passing the GCIH Exam - The How to Pass on Your First Try Certification Study Guide - Second Edition." It can be purchased here.


Security Ninja
Security Ninja