GCIH Open Book Strategy: What to Bring to the Exam

TL;DR
  • GCIH is fully open-book: printed materials are allowed, but no electronic devices or internet access permitted during the exam.
  • You have 4 hours for 106 questions, including CyberLive hands-on items run in live virtual machines - your index must be lightning fast.
  • The passing score is 69% for attempts activated on or after May 10, 2025, down from the previous 70%.
  • Your index should map to all eight GCIH domains by name - generic study notes will waste precious time mid-exam.

What "Open Book" Actually Means on the GCIH Exam

The phrase "open book" generates a dangerous false sense of comfort for GCIH candidates. GIAC does permit printed books, handwritten or printed notes, and a physical index - but that policy does not mean you can walk in unprepared and flip through pages while the clock ticks down. With 106 questions and a hard 4-hour limit, you have roughly two minutes and fifteen seconds per question on average. Some of those questions involve CyberLive components - live virtual machine environments where you must actually execute commands, analyze tool output, or respond to a simulated incident. Those tasks can absorb five to ten minutes each.

The open-book allowance is less a lifeline and more a precision instrument. It rewards candidates who have already internalized the material deeply enough to know exactly where to look when a specific detail slips their mind - not candidates who plan to read for answers in real time.

Critical Policy Point: No electronic devices, no laptops, no tablets, and no internet access are permitted during the GCIH exam - whether you sit at a Pearson VUE testing center or test remotely via ProctorU. Your physical index and printed notes are your only reference. Everything else stays outside the room.

What You Can (and Cannot) Bring Into the Testing Room

Permitted Materials

  • Printed books and course materials - SANS SEC504 course books are the gold standard, but any printed reference is allowed.
  • Handwritten or printed notes - Personal summaries, cheat sheets, command references, attack flow diagrams.
  • A physical index - The single most important artifact you will create during your GCIH preparation.
  • Highlighters, pens, sticky tabs - Physical navigation aids are your best friend in a four-hour session.

Not Permitted

  • Laptops, tablets, phones, or any electronic device.
  • Internet access in any form.
  • Audio devices or earbuds (unless proctoring-approved for accommodation).
  • Pre-loaded digital materials on any device.

For remote ProctorU testing, your physical desk space will be visually inspected. Keep only your printed materials visible and organized. For Pearson VUE onsite testing, materials are checked at the front desk. Either way, the rules are identical - physical only.

Building a GCIH-Specific Index That Actually Saves Time

A generic index is nearly useless for the GCIH. The exam spans eight distinct technical domains - from incident handling process fundamentals all the way through post-exploitation and data exfiltration. Your index needs to reflect that structure explicitly.

Index Architecture

Build your index as a two-column document: left column for the topic or term, right column for the source and page number (book title abbreviation + page). Organize it alphabetically within each domain section, not just globally alphabetical. This matters because when you're mid-question on a credential-based lateral movement technique, you don't want to scan past entries about network packet analysis to find it.

Your index entries should cover:

  • Tool names and their switches - Nmap flags, Metasploit modules, Mimikatz commands, Wireshark filters.
  • Attack technique names - Pass-the-Hash, Golden Ticket, SQL injection payloads, shellcode staging.
  • Incident response phases - Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned, with specific sub-actions per phase.
  • Log analysis indicators - Windows Event IDs, Syslog patterns, common IDS signatures.
  • Protocol behaviors - TCP handshake anomalies, DNS tunneling characteristics, HTTP header manipulation.
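The two-column, domain-sectioned layout described above can be generated rather than typed by hand. The script below is an added illustration, not something from the article or from GIAC/SANS: it takes entry records (domain number, term, book abbreviation, page, whether you marked the item as uncertain in practice), groups them by the eight GCIH domains named in this article, sorts alphabetically within each domain, and floats uncertain items to the top of their section. The entries and page numbers are constructed placeholders, not real SEC504 page references.

```python
"""Build a domain-sectioned, two-column GCIH index from entry records.

Added illustration (not the article's own material). SAMPLE_ENTRIES is
constructed data; the book abbreviations and page numbers are placeholders.
"""
from collections import OrderedDict

# The eight GCIH domains, in exam order, as the article lists them.
DOMAINS = [
    "Incident Handling Process and Preparation",
    "Detecting and Analyzing Malicious Activity",
    "Hacker Tools and Techniques",
    "Network Attacks and Defense",
    "Malware and Persistence Mechanisms",
    "Web Application Attacks",
    "Credential Attacks and Lateral Movement",
    "Post-Exploitation and Data Exfiltration",
]

# Constructed sample entries: (domain number, term, book abbreviation, page, uncertain?)
SAMPLE_ENTRIES = [
    (2, "Event ID 4624 (logon; check the logon type field)", "B2", 41, True),
    (2, "Wireshark display filter: tcp.flags.syn==1", "B2", 77, False),
    (3, "nmap -sS (SYN scan)", "B3", 12, False),
    (3, "Metasploit module naming (exploit/payload/auxiliary)", "B3", 58, True),
    (7, "Pass-the-Hash", "B5", 23, True),
    (7, "Kerberoasting", "B5", 31, False),
    (2, "Event ID 7045 (service installed)", "B2", 43, True),
]


def build_index(entries, domains=DOMAINS):
    """Group entries by domain, sort alphabetically within each domain,
    and put entries flagged as uncertain first within their domain section."""
    sections = OrderedDict((i + 1, []) for i in range(len(domains)))
    for domain_no, term, book, page, uncertain in entries:
        if domain_no not in sections:
            raise ValueError(f"unknown domain number {domain_no}")
        sections[domain_no].append((term, f"{book} p.{page}", uncertain))
    for rows in sections.values():
        # Uncertain items float to the top; within each group sort by term.
        rows.sort(key=lambda r: (not r[2], r[0].lower()))
    return sections


def render_index(sections, domains=DOMAINS):
    """Render as plain text: a domain heading, then 'term | source' rows.
    Uncertain items are marked with '*' so they stand out while scanning."""
    lines = []
    for domain_no, rows in sections.items():
        if not rows:
            continue
        lines.append(f"Domain {domain_no}: {domains[domain_no - 1]}")
        width = max(len(r[0]) for r in rows)
        for term, source, uncertain in rows:
            mark = "*" if uncertain else " "
            lines.append(f"{mark} {term.ljust(width)} | {source}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_index(build_index(SAMPLE_ENTRIES)))
```

Print the rendered text in a large font, one domain section per page, and the page order then matches the tab order of your course books.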

Key Takeaway

A well-built GCIH index doesn't just list topics - it maps tool syntax, attack names, and Event IDs directly to page numbers by domain. Aim for 15-25 entries per domain, prioritizing anything you marked as uncertain during practice tests.

How Long Should Your Index Be?

Most seasoned GCIH candidates produce an index between 20 and 40 pages. Longer is not automatically better - every page you add is another page to search through. Ruthlessly prioritize items you repeatedly had to look up during practice sessions. Your practice test results on gcihexam.com will tell you exactly which domains and subtopics cost you the most time. Build your index to patch those gaps first.

Domain-by-Domain Annotation Priorities

Here is how to think about what to annotate for each GCIH exam domain and why certain domains demand more index real estate than others.

Domain 1: Incident Handling Process and Preparation

This domain covers the structured lifecycle of incident response. Candidates must understand each phase procedurally and know how to apply frameworks under pressure.

  • Index the six IR phases with concrete actions at each step.
  • Note legal and evidence handling requirements - chain of custody, volatile data order of collection.
  • Preparation activities: jump bag contents, communication trees, playbooks.

Domain 2: Detecting and Analyzing Malicious Activity

Detection relies on log correlation, packet analysis, and anomaly identification. This is index-heavy territory.

  • Windows Event IDs for logon types, process creation, service installation.
  • Wireshark display filters and tcpdump command syntax.
  • Common IDS/IPS signatures and what they indicate.
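The "log correlation" this domain tests is easier to internalize from a worked case than from a list of Event IDs. The script below is an added example, not part of the article and not a SANS lab: it parses constructed event lines in a simplified `timestamp|host|event_id|key=value,...` form (not real EVTX export), then flags any host where a remote logon (Event ID 4624 with logon type 3, Network, or 10, RemoteInteractive) is followed within five minutes by a new service installation (Event ID 7045). The Event IDs and logon type numbers are the real Windows values; the hosts, users, addresses and timestamps are made up, and the `PSEXESVC` service name in the sample is chosen to match the PsExec-style remote service pattern the article lists under Domain 7.

```python
"""Correlate remote logons with service installation on the same host.

Added example (not from the article). SAMPLE_EVENTS is constructed data in a
simplified format, not real Windows Event Log output. Event IDs are the real
ones: 4624 = successful logon, 4688 = process creation, 7045 = service installed.
"""
from datetime import datetime, timedelta

# Constructed sample events: timestamp|host|event_id|key=value,key=value
SAMPLE_EVENTS = """\
2025-06-01T09:00:05|WS01|4624|LogonType=2,User=alice,Source=-
2025-06-01T09:03:10|WS01|4688|User=alice,NewProcess=C:\\Windows\\System32\\notepad.exe
2025-06-01T10:15:00|SRV02|4624|LogonType=3,User=svc_backup,Source=10.0.0.55
2025-06-01T10:16:30|SRV02|7045|ServiceName=PSEXESVC,ImagePath=C:\\Windows\\PSEXESVC.exe
2025-06-01T11:40:00|SRV03|4624|LogonType=10,User=bob,Source=10.0.0.71
2025-06-01T11:41:12|SRV03|4688|User=bob,NewProcess=C:\\Windows\\System32\\cmd.exe
2025-06-01T13:00:00|SRV03|7045|ServiceName=Spooler,ImagePath=C:\\Windows\\System32\\spoolsv.exe
"""

# Logon type values from the 4624 event (subset relevant here).
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}
REMOTE_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the simplified event lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(","))
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "id": int(event_id),
            **fields,
        })
    return sorted(events, key=lambda e: e["time"])


def correlate_remote_logon_then_service(events, window=WINDOW):
    """Return one alert per (remote logon, 7045) pair on the same host where
    the service installation happens within `window` after the logon."""
    alerts = []
    remote_logons = {}  # host -> remote logon events seen so far
    for ev in events:
        if ev["id"] == 4624 and int(ev.get("LogonType", 0)) in REMOTE_LOGON_TYPES:
            remote_logons.setdefault(ev["host"], []).append(ev)
        elif ev["id"] == 7045:
            for logon in remote_logons.get(ev["host"], []):
                if timedelta(0) <= ev["time"] - logon["time"] <= window:
                    alerts.append({
                        "host": ev["host"],
                        "user": logon["User"],
                        "source": logon["Source"],
                        "logon_type": LOGON_TYPE_NAMES[int(logon["LogonType"])],
                        "service": ev["ServiceName"],
                        "image": ev["ImagePath"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate_remote_logon_then_service(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['host']}: {alert['logon_type']} logon by {alert['user']} "
              f"from {alert['source']} followed by service {alert['service']} "
              f"({alert['image']})")
```

On the sample data only SRV02 fires: the Spooler installation on SRV03 is 80 minutes after bob's RDP logon and falls outside the window. That is the kind of reasoning (which ID, which field, which time relationship) an exam question in this domain asks you to do from a log excerpt.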

Domain 3: Hacker Tools and Techniques

You will need to recognize and explain the output of offensive tools, not just name them. CyberLive items here may require you to run a tool in a VM.

  • Nmap scan type flags (-sS, -sU, -O, -A, -p) and their output interpretation.
  • Netcat usage for reverse shells and file transfer.
  • Metasploit module structure: exploit/payload/auxiliary naming conventions.

Domain 4: Network Attacks and Defense

Covers reconnaissance techniques, scanning, enumeration, and denial-of-service attacks alongside countermeasures.

  • ARP spoofing, VLAN hopping, and man-in-the-middle attack mechanics.
  • Firewall rule logic and IDS evasion techniques.
  • Packet fragmentation and its use in IDS bypass.

Domain 5: Malware and Persistence Mechanisms

Focus on how malware achieves persistence and how analysts identify it during an incident.

  • Windows registry run keys, scheduled tasks, and service-based persistence.
  • Rootkit detection approaches and memory forensics basics.
  • Common malware families and their behavioral indicators.

Domain 6: Web Application Attacks

SQL injection, XSS, CSRF, and command injection are high-frequency exam topics.

  • SQL injection payloads and blind SQLi detection techniques.
  • XSS payload construction and reflected vs. stored variants.
  • HTTP request manipulation using tools like Burp Suite.

Domain 7: Credential Attacks and Lateral Movement

This domain is among the most technically dense and appears frequently in CyberLive tasks.

  • Pass-the-Hash, Pass-the-Ticket, and Kerberoasting attack flow.
  • Mimikatz command syntax: sekurlsa::logonpasswords, lsadump::dcsync.
  • PsExec, WMI, and RDP-based lateral movement techniques.

Domain 8: Post-Exploitation and Data Exfiltration

Covers attacker objectives after initial compromise - privilege escalation, pivoting, and covert data removal.

  • Common exfiltration channels: DNS tunneling, HTTP POST beaconing, steganography.
  • Privilege escalation techniques on Windows and Linux.
  • Covering tracks: log clearing, timestomping, artifact removal.

The CyberLive Wrinkle: When Your Notes Won't Help Enough

GCIH is one of the GIAC certifications that includes CyberLive items - a live virtual machine environment where you execute actual commands and analyze real tool output. No amount of index-building compensates for not having hands-on fluency here. When a CyberLive task asks you to run an Nmap scan and interpret the results, or use Metasploit to identify a vulnerable service, the clock is running and your printed notes are a secondary resource at best.

Your preparation strategy must include genuine hands-on lab time - not just reading about tools but operating them. If you're using the SANS SEC504 course path, lab exercises are built into the curriculum. If you're self-studying, platforms offering virtual lab environments where you can practice with actual incident response and offensive tooling are essential. After each lab session, cross-reference what you learned against your index and add any command syntax gaps you discovered.

CyberLive Prep Priority: Focus hands-on practice specifically on Domains 3, 7, and 8 - Hacker Tools and Techniques, Credential Attacks and Lateral Movement, and Post-Exploitation. These domains involve the most tool interaction and are most likely to appear in CyberLive format.

Tab, Color, and Divider Strategy for 106 Questions in 4 Hours

Physical organization of your printed materials is not a minor detail - it directly affects how many questions you can reach in four hours. The following approach works consistently for GCIH candidates.

| Material Type | Recommended Organization | Why It Matters for GCIH |
|---|---|---|
| Course books (e.g., SEC504 volumes) | Large color-coded tabs per domain; one color per domain | Eight domains means eight tab colors; instant visual location |
| Personal notes / cheat sheets | Separate binder, tabbed by domain to match books | Keeps handwritten summaries instantly accessible without rifling through full books |
| Index document | Placed on top, first thing you open; printed in large font | Your first reference point for every question - must be scannable in seconds |
| Command syntax sheets | Laminated or heavy stock single page per major tool | Nmap, Metasploit, Mimikatz, Wireshark - single-glance reference for CyberLive tasks |
| Windows Event ID quick reference | Single laminated page in Domain 2 section | Event IDs appear across detection and credential attack questions; must be instant |

Use bright adhesive tabs that extend beyond the page edge - flip tabs, not just sticker labels flush with the page. Your hands will thank you after the second hour.

A Condensed Prep Timeline Tied to GCIH Domains

If you have eight weeks before your exam, here is a domain-anchored structure that prioritizes CyberLive-heavy and technically dense domains in the middle weeks when your retention is strongest. This is not generic study advice - it is calibrated to the GCIH domain distribution and exam format.

Week 1

Domain 1 - Incident Handling Process and Preparation

  • Map all six IR phases; draft initial index entries for procedural steps.
  • Review evidence handling and legal considerations; note volatile data order.
  • Run a timed diagnostic practice test at gcihexam.com to establish your baseline.

Weeks 2-3

Domains 2 and 4 - Detection and Network Attacks

  • Memorize key Windows Event IDs; build your quick-reference card.
  • Practice Wireshark and tcpdump filtering on captured PCAP files.
  • Study network attack mechanics - ARP spoofing, IDS evasion, fragmentation.

Weeks 4-5

Domains 3 and 7 - Hacker Tools and Credential Attacks

  • Hands-on lab time with Nmap, Metasploit, and Mimikatz - document every flag used.
  • Practice lateral movement techniques in a safe lab environment.
  • Build command syntax cheat sheets; add all tool entries to index.

Weeks 6-7

Domains 5, 6, and 8 - Malware, Web Attacks, Post-Exploitation

  • Study Windows persistence locations; build registry key quick reference.
  • Practice SQL injection and XSS payload construction.
  • Review exfiltration techniques and how to detect them in logs.

Week 8

Full Simulation and Index Refinement

  • Take full-length timed practice exams using your physical notes - simulate exam conditions exactly.
  • Identify every question you had to look up; add missing index entries.
  • Organize all printed materials; do a final physical tab check.

Registration, Fees, and Activation Window Mechanics

The GCIH exam carries a standalone attempt fee of $999 USD. If you need to retake, the fee drops to $899, but a mandatory 30-day waiting period applies and you are limited to three attempts per year. A standalone practice test is available for $399 - valuable if you want a GIAC-formatted assessment without triggering your live exam attempt.

Once you purchase, you have a 120-day activation window to schedule and sit the exam. Extensions are available for a fee, and the overall exam lifecycle is capped at 570 days from purchase. Do not let the activation window lull you into procrastination - the 570-day ceiling is an absolute limit.

The SANS SEC504 course bundle typically runs around $8,780 and includes two GIAC practice tests alongside the exam attempt. If budget allows, this is the most structured path because the course materials are explicitly aligned to GCIH domains and the lab exercises directly support CyberLive readiness. For candidates who are self-studying, supplementing with the practice test resources at gcihexam.com helps fill the gap.

Certification Maintenance: GCIH is valid for four years. Renewal costs $499 and requires either 36 Continuing Professional Education (CPE) credits or retaking the current version of the exam. Plan your CPE accumulation early - incident response conferences, SANS webinars, and hands-on lab platforms all qualify. See the full breakdown in our GCIH Renewal Requirements: CPE Credits and Costs 2026 guide.

The GCIH also appears on the DoD 8570/8140 baseline list, which means federal and defense contracting roles frequently require or prefer it. This is relevant to your preparation context - the exam is rigorous enough to satisfy credentialing requirements for roles with real operational consequence, and the open-book format should not lead you to underestimate the depth of knowledge required.

Frequently Asked Questions

Can I bring any printed material I want, including materials not from SANS?

Yes. GIAC's open-book policy permits any printed books or notes - they are not restricted to official SANS course materials. You can bring third-party references on network security, malware analysis, or any relevant technical topic, as long as the materials are printed and not electronic.

How much time should I budget for CyberLive questions?

CyberLive items can take significantly longer than standard multiple-choice questions - some candidates report spending five to ten minutes on a single CyberLive task. There is no public breakdown of how many CyberLive items appear, but budgeting extra time by working efficiently through multiple-choice questions first is a common strategy. Flag CyberLive items and return to them if time allows.

What is the current passing score for the GCIH?

For exam attempts activated on or after May 10, 2025, the minimum passing score is 69%. Attempts activated before that date were subject to the prior threshold of 70%. Always confirm the current threshold with GIAC directly at the time of your registration, as policies can change.

Should I take the GIAC practice test before my real exam?

Absolutely. The $399 standalone practice test provides a GIAC-formatted experience and is your clearest indicator of readiness. However, supplement it with domain-specific practice using resources like gcihexam.com to get broader question variety across all eight GCIH domains before committing to a live attempt.

Is the open-book format easier than a closed-book exam?

Not meaningfully. The GCIH's time pressure and the depth of technical knowledge required across eight domains mean that candidates who rely on looking up answers in real time will run out of time. The open-book allowance helps with specific syntax or a forgotten Event ID - it does not substitute for genuine comprehension of incident handling processes, attack techniques, and defensive measures. Combine the strategy in this guide with consistent practice testing for best results.

Ready to Start Practicing?

Test your GCIH knowledge across all eight domains with realistic, timed practice questions. Identify your weak spots before exam day - not during it. Your index-building strategy starts with knowing exactly where you need the most help.
