- GCIH Exam Structure & Domain Breakdown
- Domain 1: Incident Handling Process and Preparation
- Domain 2: Detecting and Analyzing Malicious Activity
- Domain 3: Hacker Tools and Techniques
- Domain 4: Network Attacks and Defense
- Domain 5: Malware and Persistence Mechanisms
- Domain 6: Web Application Attacks
- Domain 7: Credential Attacks and Lateral Movement
- Domain 8: Post-Exploitation and Data Exfiltration
- Study Strategies by Domain
- CyberLive Practical Components
- Common Domain-Specific Pitfalls
- Frequently Asked Questions
GCIH Exam Structure & Domain Breakdown
The GIAC Certified Incident Handler (GCIH) certification stands as one of the most comprehensive incident response credentials in cybersecurity. Understanding the exam's eight content domains is crucial for success, especially considering the GCIH pass rates and the 69% minimum passing score required for attempts activated after May 10, 2025.
The GCIH exam features a unique blend of multiple-choice questions and hands-on CyberLive components that require candidates to work with live virtual machines. This practical approach sets it apart from other cybersecurity certifications and directly aligns with real-world incident response scenarios.
Unlike many other GIAC certifications, the GCIH exam domains are listed with "varies" instead of specific percentage weights. This indicates that question distribution may change between exam versions, making comprehensive study across all domains essential.
Domain 1: Incident Handling Process and Preparation
The foundation of incident response lies in proper process implementation and organizational preparation. This domain covers the systematic approach to incident handling, establishing the framework that guides all subsequent response activities.
Core Topics in Domain 1
The incident handling process tested on the GCIH is the six-step SANS model: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned (often abbreviated PICERL). NIST SP 800-61 describes the same lifecycle in four phases (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity), and candidates should be able to map between the two. Understanding each phase's objectives, activities, and deliverables is crucial for exam success.
- Incident Response Team Structure: Roles, responsibilities, and communication protocols
- Documentation Standards: Proper evidence handling and chain of custody procedures
- Legal and Regulatory Requirements: Compliance considerations during incident response
- Preparation Activities: Tool deployment, training, and infrastructure readiness
- Classification Systems: Incident categorization and priority assignment methods
For detailed coverage of this critical domain, refer to our comprehensive Domain 1 study guide which provides in-depth analysis of each topic area.
Domain 2: Detecting and Analyzing Malicious Activity
Detection forms the cornerstone of effective incident response. This domain emphasizes the tools, techniques, and methodologies used to identify and analyze suspicious activities across enterprise environments.
Key Detection Technologies
Modern incident handlers must master various detection technologies and understand their capabilities and limitations. The exam tests knowledge of:
- SIEM Platforms: Log correlation, rule creation, and alert analysis
- Network Monitoring Tools: IDS/IPS systems, network flow analysis, and packet capture
- Endpoint Detection: Host-based monitoring, behavioral analysis, and anomaly detection
- Threat Intelligence Integration: IOC management and threat hunting methodologies
- Forensic Analysis Techniques: Digital evidence collection and analysis procedures
Domain 2 frequently appears in CyberLive scenarios where candidates must analyze logs, identify indicators of compromise, or use detection tools in live environments. Practice with actual SIEM platforms and analysis tools is essential.
Domain 3: Hacker Tools and Techniques
Understanding adversary tactics, techniques, and procedures (TTPs) enables incident handlers to better detect, analyze, and respond to attacks. This domain covers the offensive security landscape from a defensive perspective.
Attack Framework Knowledge
The MITRE ATT&CK framework serves as the foundation for organizing and understanding hacker methodologies. Key areas include:
- Initial Access Methods: Spear phishing, watering hole attacks, and exploit kits
- Persistence Mechanisms: Registry modifications, scheduled tasks, and service installations
- Defense Evasion: Anti-forensics techniques, encryption, and obfuscation methods
- Discovery Techniques: Network enumeration, system reconnaissance, and data collection
- Command and Control: C2 channels, communication protocols, and traffic analysis
Our Domain 3 detailed guide provides comprehensive coverage of these attack vectors and their defensive countermeasures.
Domain 4: Network Attacks and Defense
Network-based attacks remain a primary vector for initial compromise and lateral movement. This domain focuses on understanding network protocols, attack methods, and defensive strategies.
Network Protocol Analysis
Incident handlers must understand normal network behavior to identify anomalous activities. Critical topics include:
| Protocol Category | Common Attacks | Detection Methods |
|---|---|---|
| TCP/IP | SYN floods, TCP hijacking, port scanning | Flow analysis, connection monitoring |
| DNS | DNS tunneling, cache poisoning, DGA domains | Query analysis, domain reputation |
| HTTP/HTTPS | Web shells, data exfiltration, C2 traffic | Content inspection, TLS metadata analysis (SNI, certificates, fingerprints) |
| Email Protocols | Phishing, credential harvesting, malware delivery | Header analysis, attachment scanning |
Network attack scenarios frequently appear in CyberLive components. Candidates should practice with Wireshark, tcpdump, and other network analysis tools to develop hands-on proficiency.
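The DNS row of the table above (tunneling, DGA domains, query analysis) is the kind of detection that CyberLive asks you to perform on real logs. The following is an added example, not code from the page or from GIAC: a heuristic triage of DNS query logs that flags random-looking labels (high Shannon entropy), deep TXT lookups, and clients that resolve many distinct random subdomains under one registered domain. The line format, the sample log, and the threshold values are all constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Tuning values are assumptions for this example, not figures from the page.
ENTROPY_THRESHOLD = 3.5      # bits per character of the leftmost label
MIN_LABEL_LEN = 12           # ignore short labels such as "www" or "mail"
MAX_QNAME_LEN = 50           # very long names are a classic tunnelling hint
MIN_RANDOM_SUBDOMAINS = 3    # distinct high-entropy labels under one domain

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <qtype>".
# 10.0.0.5 is benign, 10.0.0.7 tunnels data through TXT queries, 10.0.0.9 resolves
# DGA-looking names. (This line format is an assumption, not a real resolver format.)
SAMPLE_LOG = """\
2025-06-01T10:00:01 10.0.0.5 www.example.com A
2025-06-01T10:00:02 10.0.0.5 mail.example.com A
2025-06-01T10:00:03 10.0.0.7 4d4a56b3c2a1ff09e8d7.c6b5a4.t.exfil-test.net TXT
2025-06-01T10:00:04 10.0.0.7 7a8b9c0d1e2f3a4b5c6d.d7e8f9.t.exfil-test.net TXT
2025-06-01T10:00:05 10.0.0.7 9f8e7d6c5b4a39281706.e1f2a3.t.exfil-test.net TXT
2025-06-01T10:00:06 10.0.0.9 xk2jq9v7zmpl.com A
2025-06-01T10:00:07 10.0.0.9 qwe8rtyu1oplz.net A
2025-06-01T10:00:08 10.0.0.5 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive registered domain (last two labels). Real tooling should consult the
    Public Suffix List so that e.g. host.example.co.uk is handled correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname: str, qtype: str) -> list:
    """Return the list of heuristic reasons this single query looks suspicious."""
    reasons = []
    labels = qname.rstrip(".").split(".")
    leftmost = labels[0]
    if len(qname) > MAX_QNAME_LEN:
        reasons.append("long_qname")
    if len(leftmost) >= MIN_LABEL_LEN and shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
        reasons.append("high_entropy_label")
    # TXT/NULL lookups several labels deep are a common tunnelling carrier.
    if qtype in ("TXT", "NULL") and len(labels) > 3:
        reasons.append("deep_txt_query")
    return reasons


def triage(log_text: str) -> dict:
    """Per-client sorted list of reasons, plus a per-domain count of distinct
    random-looking labels (tunnels encode data in ever-changing subdomains)."""
    findings = defaultdict(set)
    random_labels = defaultdict(set)   # (client, registered domain) -> qnames
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        qname, qtype = qname.lower(), qtype.upper()
        reasons = score_query(qname, qtype)
        findings[client].update(reasons)
        if "high_entropy_label" in reasons:
            random_labels[(client, registered_domain(qname))].add(qname)
    for (client, domain), names in random_labels.items():
        if len(names) >= MIN_RANDOM_SUBDOMAINS:
            findings[client].add("many_random_subdomains:" + domain)
    return {client: sorted(r) for client, r in findings.items() if r}


if __name__ == "__main__":
    for client, reasons in triage(SAMPLE_LOG).items():
        print(client, reasons)
```

The entropy threshold is the knob that matters most: CDN and cloud hostnames legitimately contain long random labels, so in practice the per-domain count of distinct random subdomains (which a tunnel cannot avoid generating) is a stronger signal than any single query.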
Domain 5: Malware and Persistence Mechanisms
Malware analysis and understanding persistence techniques are fundamental skills for incident handlers. This domain covers malware families, analysis methodologies, and eradication strategies.
Malware Classification and Analysis
The exam tests knowledge of various malware types and their characteristics:
- Trojans and RATs: Remote access capabilities, command structures, and detection methods
- Ransomware: Encryption mechanisms, payment systems, and recovery strategies
- Rootkits: Kernel-level persistence, detection evasion, and removal techniques
- Fileless Malware: Memory-resident attacks, PowerShell abuse, and living-off-the-land techniques
- Mobile Malware: Android and iOS threats, app-based attacks, and mobile forensics
Static and dynamic analysis techniques form a core component of this domain, with emphasis on safe analysis environments and proper containment procedures.
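A first-pass static triage of a suspicious file, as an added example that is not code from the page: pull printable strings (ASCII and the UTF-16LE wide strings Windows binaries commonly carry), extract indicators from them (URLs, IPv4 addresses, Run-key persistence paths, living-off-the-land binaries), and measure per-chunk entropy to spot packed or encrypted regions. The sample blob is constructed for the example; the regexes, chunk size and entropy threshold are assumed starting points.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a suspicious file: a fake DOS/PE header, a few
# plaintext artefacts (one stored as UTF-16LE, as Windows binaries often do)
# and a high-entropy tail standing in for a packed or encrypted section.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + "http://203.0.113.45/update.bin\x00".encode("utf-16-le")
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"cmd.exe /c powershell -enc \x00"
    + bytes(range(256)) * 8
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")

# Illustrative indicator patterns; a real triage would use a larger catalogue.
IOC_PATTERNS = {
    "urls": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run_keys": re.compile(r"(?i)software\\microsoft\\windows\\currentversion\\run\w*"),
    "lolbins": re.compile(r"(?i)\b(?:powershell|cmd\.exe|rundll32|regsvr32|certutil|mshta|wscript)\b"),
}


def extract_strings(blob: bytes, min_len: int = 5) -> list:
    """ASCII and UTF-16LE printable runs, in file order (like `strings -a -el`)."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(blob)]
    return [s for _, s in sorted(found) if len(s) >= min_len]


def extract_iocs(strings: list) -> dict:
    """Group string hits by indicator type, de-duplicated, in order of appearance."""
    iocs = {name: [] for name in IOC_PATTERNS}
    for s in strings:
        for name, pattern in IOC_PATTERNS.items():
            for hit in pattern.findall(s):
                if hit not in iocs[name]:
                    iocs[name].append(hit)
    return iocs


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, 4-6 for code/text, above 7 for packed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_chunks(blob: bytes, chunk: int = 256, threshold: float = 7.0) -> list:
    """Indexes of fixed-size chunks whose entropy suggests packing or encryption.
    Chunk size and threshold are assumed tuning values."""
    return [i // chunk for i in range(0, len(blob), chunk)
            if shannon_entropy(blob[i:i + chunk]) >= threshold]


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_BLOB)
    print(extract_iocs(strings))
    print("high-entropy chunks:", high_entropy_chunks(SAMPLE_BLOB))
```

Strings and entropy only tell you where to look: the URL and Run key here become the first pivots for log searches and host sweeps, while the high-entropy tail tells you that dynamic analysis (or unpacking) is needed before the real payload can be examined.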
Domain 6: Web Application Attacks
Web applications represent a significant attack surface in modern organizations. This domain covers common web vulnerabilities, attack methods, and incident response procedures specific to web-based threats.
OWASP Top 10 Integration
The exam heavily emphasizes OWASP Top 10 vulnerabilities and their exploitation methods. The categories below use the 2017 list's names; in the 2021 edition Broken Authentication became Identification and Authentication Failures, Sensitive Data Exposure became Cryptographic Failures, and XXE was folded into Security Misconfiguration, so be ready to recognise both sets of names:
- Injection Attacks: SQL injection, command injection, and LDAP injection
- Broken Authentication: Session management flaws and credential attacks
- Sensitive Data Exposure: Data leakage and encryption failures
- XML External Entities (XXE): XML parsing vulnerabilities and file disclosure
- Security Misconfiguration: Default settings and improper configurations
Web application incident response relies heavily on log analysis. Candidates must understand web server logs, application logs, and database logs to reconstruct attack timelines and assess impact.
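Reconstructing an attack timeline from web server logs, as an added example that is not code from the page: parse Apache/nginx combined-format lines, URL-decode the request, classify it against injection, traversal, command-injection and web-shell signatures, and group the hits per client in time order. The log lines and signature regexes are constructed for this example and would need tuning for a real application.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Heuristic attack signatures, applied to the URL-decoded, lower-cased request.
SIGNATURES = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+'?\d|\bor\s+1=1|sleep\(|benchmark\("),
    "cmdi": re.compile(r"(?:;|\|\||&&|\$\()\s*(?:cat|id|whoami|wget|curl|nc|bash|sh)\b"),
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "webshell": re.compile(r"\.php\?(?:.*&)?(?:cmd|exec|command)="),
}

# Constructed sample: one attacker (203.0.113.9) probes SQL injection, reads a
# file by traversal, uploads a PHP shell and runs commands through it.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jun/2025:10:00:01 +0000] "GET /products.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2025:10:00:05 +0000] "GET /products.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2025:10:00:09 +0000] "GET /products.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2025:10:00:30 +0000] "GET /download.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2025:10:01:30 +0000] "POST /upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2025:10:01:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2025:10:01:45 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 18 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2025:10:02:10 +0000] "GET /ping.php?host=127.0.0.1%3Bcat+/etc/passwd HTTP/1.1" 200 1502 "-" "curl/8.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # unquote_plus also turns '+' into a space, which is right for query strings.
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def classify(decoded_path: str) -> tuple:
    """All signature names that match the decoded request (empty tuple if benign)."""
    target = decoded_path.lower()
    return tuple(name for name, sig in SIGNATURES.items() if sig.search(target))


def build_timeline(log_text: str) -> dict:
    """Per-client list of flagged requests, ordered by time."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cats = classify(rec["decoded"])
        if cats:
            timeline[rec["ip"]].append(
                (rec["ts"], cats, rec["method"], rec["decoded"], int(rec["status"])))
    for events in timeline.values():
        events.sort(key=lambda e: e[0])
    return dict(timeline)


def summarize(timeline: dict) -> dict:
    """First/last seen and per-category hit counts for each flagged client."""
    summary = {}
    for ip, events in timeline.items():
        counts = defaultdict(int)
        for _, cats, *_ in events:
            for c in cats:
                counts[c] += 1
        summary[ip] = {"first_seen": events[0][0].isoformat(),
                       "last_seen": events[-1][0].isoformat(),
                       "hits": dict(counts)}
    return summary


if __name__ == "__main__":
    for ip, events in build_timeline(SAMPLE_LOG).items():
        for ts, cats, method, path, status in events:
            print(ts.isoformat(), ip, ",".join(cats), method, path, status)
    print(summarize(build_timeline(SAMPLE_LOG)))
```

Note what the signatures miss: the `POST /upload.php` that placed the shell matches nothing, and only the later hits on `/uploads/img.php` reveal it. Once an attacker IP is identified, pull every request from that client (and that user agent), not just the ones that tripped a pattern, and join against application and database logs to establish what data the injection actually returned.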
Domain 7: Credential Attacks and Lateral Movement
Once attackers gain initial access, credential compromise and lateral movement become primary concerns. This domain addresses password attacks, privilege escalation, and network propagation techniques.
Attack Progression Analysis
Understanding how attackers move through networks helps incident handlers identify the full scope of compromise:
- Credential Harvesting: Keyloggers, memory dumps, and credential stores
- Pass-the-Hash/Pass-the-Ticket: reuse of captured NTLM hashes and Kerberos tickets to authenticate without the plaintext password
- Privilege Escalation: Local and domain-level privilege abuse
- Lateral Movement Techniques: WMI, PsExec, and remote desktop (RDP) abuse
- Active Directory Attacks: Kerberoasting, Golden Tickets, and DCSync attacks
For comprehensive coverage of these advanced attack techniques, consult our Domain 7 specialized guide.
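Three of the attack techniques listed above leave distinctive Windows event traces, and correlating them is a typical CyberLive task. The following is an added example, not code from the page or GIAC, that works over constructed event records whose field names follow the Windows event XML: Kerberoasting (many RC4, type 0x17, service-ticket requests from one user in event 4769), PsExec-style lateral movement (a PSEXESVC service install in event 7045 shortly after a type-3 logon in 4624), and privileged NTLM network logons from outside an assumed jump-host allowlist (the footprint pass-the-hash leaves). The allowlist and privileged-account set are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment knowledge (not from the page): hosts admins are expected
# to work from, and which accounts are privileged.
ADMIN_JUMP_HOSTS = {"10.0.0.10"}
PRIVILEGED_ACCOUNTS = {"da_admin"}

# Constructed events. 4624/4769 come from the Security log, 7045 from the System
# log. A real pipeline would read these from EVTX or a Winlogbeat/Sysmon feed.
EVENTS = [
    # Benign: AES-encrypted service ticket for an SPN account.
    {"EventID": 4769, "Time": "2025-06-01T09:00:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # Kerberoasting: one user asks for RC4 (0x17) tickets for several SPNs within seconds.
    {"EventID": 4769, "Time": "2025-06-01T09:10:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"EventID": 4769, "Time": "2025-06-01T09:10:01", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"EventID": 4769, "Time": "2025-06-01T09:10:02", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"EventID": 4769, "Time": "2025-06-01T09:10:02", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    # PsExec-style lateral movement: NTLM network logon by a domain admin from a
    # workstation, then the PSEXESVC service installed seconds later on the target.
    {"EventID": 4624, "Time": "2025-06-01T09:20:00", "TargetUserName": "da_admin", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.7", "Computer": "FILESRV01"},
    {"EventID": 7045, "Time": "2025-06-01T09:20:03", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Computer": "FILESRV01"},
    # Benign: the same admin, Kerberos, from the jump host.
    {"EventID": 4624, "Time": "2025-06-01T09:30:00", "TargetUserName": "da_admin", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.10", "Computer": "FILESRV01"},
]


def _t(event):
    return datetime.fromisoformat(event["Time"])


def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Users requesting RC4 service tickets for >= min_services distinct SPNs
    within the window. krbtgt and machine accounts (name$) are excluded."""
    requests = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17"
                and e["ServiceName"].lower() != "krbtgt" and not e["ServiceName"].endswith("$")):
            requests[e["TargetUserName"]].append((_t(e), e["ServiceName"]))
    hits = {}
    for user, reqs in requests.items():
        reqs.sort()
        for start, _ in reqs:
            services = {svc for t, svc in reqs if start <= t <= start + window}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits


def detect_psexec(events, window=timedelta(seconds=30)):
    """PSEXESVC (or look-alike) service installs correlated with a type-3 logon
    on the same host shortly before; returns who came from where."""
    installs = [e for e in events if e["EventID"] == 7045
                and "psexesvc" in (e.get("ServiceName", "") + e.get("ImagePath", "")).lower()]
    logons = [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == "3"]
    hits = []
    for svc in installs:
        for lg in logons:
            delta = _t(svc) - _t(lg)
            if lg.get("Computer") == svc.get("Computer") and timedelta(0) <= delta <= window:
                hits.append({"host": svc["Computer"], "account": lg["TargetUserName"],
                             "source": lg["IpAddress"], "service": svc["ServiceName"]})
    return hits


def detect_privileged_ntlm_logons(events):
    """Privileged NTLM network logons from outside the jump-host allowlist.
    Pass-the-hash yields an ordinary-looking 4624 type-3 NTLM logon, so this is
    a lead to pivot on (source host, no matching 4768 TGT), not proof on its own."""
    return [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == "3"
            and e.get("AuthenticationPackageName") == "NTLM"
            and e["TargetUserName"].lower() in PRIVILEGED_ACCOUNTS
            and e["IpAddress"] not in ADMIN_JUMP_HOSTS]


if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(EVENTS))
    print("psexec:", detect_psexec(EVENTS))
    print("privileged NTLM:", [e["IpAddress"] for e in detect_privileged_ntlm_logons(EVENTS)])
```

The point of the exercise is the pivot: the same workstation (10.0.0.7) appears in all three detections, which is what turns isolated alerts into a scoped incident. Note that PsExec renamed with the `-r` switch defeats the service-name match, so the 7045 hunt should also consider any new service whose image lives in ADMIN$ or whose name is unfamiliar.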
Domain 8: Post-Exploitation and Data Exfiltration
The final domain covers the end goals of most cyber attacks: data theft, system manipulation, and maintaining persistent access. Understanding these techniques helps incident handlers assess true impact and implement effective containment measures.
Data Exfiltration Methods
Attackers employ various methods to extract sensitive data while avoiding detection:
- Network-Based Exfiltration: HTTP/HTTPS tunneling, DNS exfiltration, and encrypted channels
- Physical Exfiltration: USB devices, removable media, and print-based theft
- Cloud-Based Exfiltration: Public cloud storage, email, and collaboration platforms
- Steganography: Data hiding in images, documents, and network protocols
- Time-Delayed Exfiltration: Scheduled transfers and low-and-slow techniques
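Network flow records are the usual starting point for finding the bulk, low-and-slow and beacon-style transfers listed above. The following is an added example, not code from the page, that groups constructed flow records by conversation and applies three detectors: total outbound volume (bulk exfiltration), many small flows that add up (low-and-slow), and near-constant inter-flow timing (C2 beaconing, which also belongs to the Domain 3 command-and-control material). All thresholds and the sample flows are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Thresholds are assumed starting points, not figures from the page.
BULK_BYTES = 50_000_000        # one conversation moving >= 50 MB outbound
SLOW_TOTAL_BYTES = 5_000_000   # low-and-slow: many small flows adding up to >= 5 MB
SLOW_MAX_FLOW_BYTES = 100_000  # ...where no single flow exceeds 100 KB
SLOW_MIN_FLOWS = 50
BEACON_MIN_FLOWS = 6
BEACON_MAX_CV = 0.2            # coefficient of variation of the inter-flow gaps


def _constructed_flows():
    """Constructed flow records: (timestamp, src, dst, dst_port, bytes_out)."""
    base = datetime(2025, 6, 1, 10, 0, 0)
    flows = []
    # 10.0.0.7: C2 beacon, eight flows roughly 60 s apart with small jitter.
    t = base
    for gap in (0, 60, 58, 62, 61, 59, 60, 60):
        t += timedelta(seconds=gap)
        flows.append((t.isoformat(), "10.0.0.7", "203.0.113.50", 443, 1_200))
    # 10.0.0.8: one 80 MB upload (bulk exfiltration).
    flows.append((base.isoformat(), "10.0.0.8", "198.51.100.20", 443, 80_000_000))
    # 10.0.0.9: 120 irregularly spaced 50 KB flows (low-and-slow exfiltration).
    t = base
    for i in range(120):
        t += timedelta(seconds=30 + (i * 37) % 90)
        flows.append((t.isoformat(), "10.0.0.9", "203.0.113.77", 443, 50_000))
    # 10.0.0.5: ordinary browsing, irregular timing and modest volume.
    t = base
    for gap in (0, 5, 120, 33, 900, 7):
        t += timedelta(seconds=gap)
        flows.append((t.isoformat(), "10.0.0.5", "93.184.216.34", 443, 20_000))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def analyze_flows(flows):
    """Group flows per (src, dst, port) conversation and apply three detectors."""
    conversations = defaultdict(list)
    for ts, src, dst, dport, out_bytes in flows:
        conversations[(src, dst, dport)].append((datetime.fromisoformat(ts), out_bytes))

    findings = {"bulk": [], "low_and_slow": [], "beacon": []}
    for key, recs in conversations.items():
        recs.sort()
        sizes = [b for _, b in recs]
        total = sum(sizes)
        if total >= BULK_BYTES:
            findings["bulk"].append((key, total))
        if (len(recs) >= SLOW_MIN_FLOWS and total >= SLOW_TOTAL_BYTES
                and max(sizes) <= SLOW_MAX_FLOW_BYTES):
            findings["low_and_slow"].append((key, len(recs), total))
        if len(recs) >= BEACON_MIN_FLOWS:
            # Beacons keep a steady interval; humans and browsers do not.
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_CV:
                findings["beacon"].append((key, round(avg, 1), round(pstdev(gaps) / avg, 3)))
    return findings


if __name__ == "__main__":
    for kind, hits in analyze_flows(SAMPLE_FLOWS).items():
        print(kind, hits)
```

Two caveats a handler should keep in mind: attackers add jitter precisely to push the coefficient of variation above a threshold like this one, so the beacon detector is a starting point rather than a verdict; and the volume detectors need a baseline per host, since a backup server legitimately pushes far more than 50 MB to a single destination.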
Study Strategies by Domain
Effective GCIH preparation requires domain-specific study strategies that align with the exam's practical focus. Understanding how challenging the GCIH exam is helps candidates allocate study time appropriately across all eight domains.
Practical Application Focus
Each domain benefits from hands-on practice with relevant tools and scenarios. Consider these approaches:
- Lab Environment Setup: Create isolated networks for practicing attack and defense techniques
- Tool Proficiency: Master common incident response tools used in each domain
- Scenario-Based Learning: Work through realistic incident response scenarios
- Documentation Practice: Develop skills in proper incident documentation and reporting
Regular practice with our comprehensive practice tests helps reinforce domain knowledge and identify areas needing additional study focus.
Since domain weights vary, avoid spending disproportionate time on any single area. Comprehensive coverage across all eight domains provides the best foundation for exam success.
CyberLive Practical Components
The CyberLive components distinguish the GCIH exam from traditional multiple-choice certifications. These practical exercises require candidates to demonstrate actual incident response skills using live virtual machines and real security tools.
CyberLive Integration Across Domains
CyberLive scenarios can draw from any of the eight domains, requiring integrated knowledge and practical application skills. Common CyberLive activities include:
- Log Analysis: Examining system and network logs to identify indicators of compromise
- Network Traffic Analysis: Using packet capture tools to analyze suspicious network activity
- Malware Analysis: Performing basic static and dynamic analysis of suspicious files
- Forensic Investigation: Collecting and analyzing digital evidence from compromised systems
- Tool Operation: Demonstrating proficiency with common incident response tools
Success in CyberLive components requires both theoretical knowledge and practical experience. Our comprehensive study guide provides strategies for developing these essential hands-on skills.
Common Domain-Specific Pitfalls
Understanding common mistakes helps candidates avoid pitfalls that can impact exam performance. Each domain presents unique challenges that require specific attention.
Domain-Specific Challenges
The GCIH exam balances technical depth with breadth across incident response disciplines. Avoid focusing too heavily on any single technical area at the expense of comprehensive domain coverage.
Common challenges by domain include:
- Domain 1: Overemphasis on tools rather than process understanding
- Domain 2: Insufficient hands-on experience with detection platforms
- Domain 3: Focusing on attack mechanics rather than defensive applications
- Domain 4: Weak foundational networking knowledge
- Domain 5: Limited practical malware analysis experience
- Domain 6: Inadequate understanding of web application architecture
- Domain 7: Confusion between different Windows authentication protocols
- Domain 8: Difficulty identifying subtle exfiltration techniques
Considering the significant investment required for GCIH certification, thorough preparation across all domains maximizes the likelihood of first-attempt success and optimal return on investment.
Frequently Asked Questions
GIAC lists all eight GCIH domains with "varies" instead of specific percentages, indicating that question distribution may change between exam versions. This makes comprehensive study across all domains essential rather than focusing on any particular area.
CyberLive scenarios can draw from any of the eight domains and often require integrated knowledge across multiple areas. These hands-on components test practical application of domain knowledge using live virtual machines and real security tools.
Key tools vary by domain but include SIEM platforms, Wireshark, malware analysis tools, web application scanners, and Windows administration utilities. Focus on tools commonly used in enterprise incident response environments rather than specialized research tools.
Since domain weights vary and aren't publicly specified, allocate study time based on your existing knowledge and experience. Generally, spend more time on domains where you have less professional experience while ensuring adequate coverage of all eight areas.
While the GCIH is an open-book exam allowing printed materials, CyberLive components require actual tool operation where command syntax knowledge is essential. Focus on understanding concepts and common command structures rather than rote memorization.
Ready to Start Practicing?
Test your knowledge across all eight GCIH domains with our comprehensive practice questions. Our practice tests simulate the actual exam environment and include detailed explanations for every question.