GSE Overview and Target Audience
The GSE certification is the most prestigious credential in the IT Security industry. The exam was developed by subject matter experts and top industry practitioners. The GSE's performance-based, hands-on nature sets it apart from any other certification in the IT security industry. The GSE will determine if a candidate has truly mastered the wide variety of skills required by top security consultants and individual practitioners.
Knowledge in a particular area, such as Intrusion Detection or Incident Handling, is both important and valuable. Individuals who earn any of the GIAC certifications have worked hard, demonstrated essential technical skill, and should rightfully take pride in their accomplishment. But individuals who make the effort to not only learn, but to master all of the essential elements of information security belong in a very special group. These individuals will be the elite of Information Security, the top practitioners in the field. Those who pursue an in-depth technical education in all areas of information security are the target audience for the GSE certification.
- GSEC, GCIH, GCIA with two Gold
- GSEC, GCIH, GCIA with one Gold and one substitute*
- GSEC, GCIH, GCIA with no Gold and two substitutes*
- GCWN, GCUX, GCIH, GCIA with one Gold
- GCWN, GCUX, GCIH, GCIA with no Gold and one substitute*
GSE prerequisite baseline is: GSEC, GCIH, GCIA with two Gold certifications.
Information on Gold papers can be found here.
The GSEC prerequisite is unique because of dual Windows and Unix coverage.
Prerequisite Substitution Options
- GCWN & GCUX combined can act as a substitute for GSEC.
- GCUX no longer has an affiliated course. No new GCUX certifications will be issued. GSE candidates already GCUX certified may continue to use it as part of their prerequisite path.
In addition, you must have real-world, hands-on experience in these subject areas. The GSE hands-on examination ensures each candidate has a high degree of competence in all certification objectives.
The GSE exam has two parts:
* Note to Candidates: The Part 1 GSE Entrance Exam format and content have changed as of July 7th, 2019.
Any candidates preparing to sit for the GSE Entrance Exam after the Fall 2019 Lab offering will need to pass the updated Part 1 GSE Entrance Exam.
Part 1: Entrance Exam:
The GSE Entrance Exam is a virtual machine, lab-based exam that is required to be proctored. Click here for more information.
Passing this exam qualifies a candidate to sit for the two-day on-site GSE practical lab.
- GSE Entrance Exam Elements
- 1 Proctored Exam with 24 VM-based Hands-On Questions
- 3-Hour Time Limit
- Minimum Passing Score of 64%
- Follows GIAC's Standard Retake Policy
- GSE Entrance Exam Attempt
- After your application has been approved, your GSE Entrance certification attempt will be activated in your GIAC account.
- You will have 120 days from the date of activation to complete your certification attempt.
- The GSE Entrance Exam includes one (1) practice exam.
GIAC expects GSE candidates to have an expert-level understanding of multiple facets of information security. For this reason, the GSE objectives are intentionally broad. Aspiring GSEs are expected to independently prioritize their study goals based on the published certification objectives.
A critical aspect of Lab preparation is having hands-on experience in these subject areas. The GSE Entrance Exam ensures each candidate has a high degree of competence in all certification objectives.
The skills required to successfully pass the GSE entrance exam are comprised of three major skill groups:
- General Security skills
- Incident Handling skills
- Intrusion Detection and Analysis skills
During the GSE Entrance Exam, candidates will encounter a mix of Windows and Linux hosts in a series of VM-based environments.
Virtual machines may have the below listed tools installed (not all tools are installed on every VM); candidates are not limited to using these tools. Within the boundaries of the GIAC candidate agreement, candidates may use any tools or techniques available in their current environment to achieve their objectives.
- Intrusion analysis tools: Snort, Wireshark, tshark, tcpdump, Scapy, Zeek (formerly Bro)
- Password cracking tools: john, Cain
- Enumeration: nmap, Zenmap
- Identifying vulnerabilities: Spiderlabs responder, rpcclient, Metasploit, Scapy
- General utilities: pico/vi/nano, netcat, ssh, gpg, iptables, Process Hacker, built-in command line tools
Part 2: Hands-On Lab:
Part 2 of the GSE Certification Attempt is a 2-day, in-person, hands-on lab exam. The lab is generally offered twice each year, corresponding to national SANS conferences. Pending successful completion of the lab, candidates will earn the GSE, and any other certifications current at that time will be renewed for 4 years.
- Day 1 consists of an incident response scenario requiring the candidate to analyze data and present their results via written report.
- Day 2 consists of a rigorous battery of hands-on exercises drawn from the domains listed below.
To reserve a seat for a GSE lab, you must have met the following requirements at least 45 days prior to the lab date:
- Successful completion of Part 1: Entrance Exam
- Prior indication to firstname.lastname@example.org of your intention to attend a GSE Lab offering.
- Full payment of the Lab registration fee
GSE Lab Cancellation policy (Effective as of Network Security 2017)
Due to limited GSE Lab seating capacity, cancellation of any approved registration for the GSE lab within 45 days prior to the start of the Lab will be subject to forfeiture of the full $2,699 lab fee. This fee must be remitted prior to reserving a spot at a future lab offering.
Exceptions to Cancellation Policy may be made at GIAC's discretion based on documented reasons involving a medical emergency, severe illness, death in the family, or military deployment/leave.
Retake of the GSE multiple choice exam may be necessary if a Lab cancellation results in surpassing the 18-month eligibility window following your initial passing of the GSE exam.
GIAC reserves the right to:
- Require candidates who are unsuccessful in one domain of the GSE lab by a slim margin to complete additional work outside of the GSE lab before awarding any credential
- Require any candidate to retake the entire lab
- Change exam specifications at any time, up to 45 days prior to a scheduled Lab offering
GSE Lab Retake Policy - Candidates who fail the hands-on lab must wait one (1) year to be eligible for another attempt. If you wish to retake prior to 1 year, you may apply for a waiver by submitting this form to email@example.com.
The price for each lab attempt is the same. Due to the hands-on nature of the GSE lab, there is a *3 attempt limit* on GSE lab attempts.
GSE Application Process
- Once you have completed the necessary prerequisites, you may apply for the GSE Entrance Exam by clicking the Register Now button.
- Once your application is reviewed and approved you may complete the registration process and pay the $559 exam fee.
- Upon passing the multiple choice exam, you will be eligible to attempt the GSE hands-on lab. The lab fee is an additional $2,699.
- Please allow up to 10 business days for application processing and approval.
GSE Certification Objectives
The skills required to successfully earn the GSE certification can be broken up into three major groups:
- General security skills
- Incident handling skills
- Intrusion detection and analysis skills
During the GSE lab, GIAC will provide you a laptop with the following tools installed:
- Windows 7 Professional
- VMWare Player
- The Putty SSH suite and WinSCP
- Burp Suite
- We have also installed Snort, SiLK and Bro IDS.
- You can find a list of standard tools included with Kali Linux here
To ensure a level playing field for all candidates, you will not be permitted to load data, software, or electronic references onto the computer for the exam. We will provide external mice, but you will not be permitted to attach additional peripherals (monitors, keyboards) to the candidate laptops. To complete the exercises, you must exclusively use the tools and virtual machines provided by GIAC. Failure to comply will result in dismissal from the examination.
The following is a partial list of some tools and techniques you can expect to encounter during GSE exercises.
- sniffers/IDS - wireshark, snort
- Scanners - nmap, Nessus vulnerability scanning results
- utilities - netcat, ssh, gpg, iptables
- miscellaneous - metasploit, command line tools, and common attack techniques
All Exercises are Derived from the following General Objectives
| Objective | Outcome - The GIAC promise is that holders of the GSE will have the following capabilities. |
|---|---|
| IDS and Traffic Analysis Domain | |
| Capture Traffic | Demonstrate competence with common IDS tools and techniques for capturing traffic. |
| Analyze Traffic | Demonstrate the ability to decipher the contents of packet capture headers. |
| Interpret Traffic | Make correct judgments as to the nature of traffic to or from specific hosts in packet captures. |
| IDS Tools | Demonstrate proficiency using common Open Source IDS tools including Snort, tcpdump, and Wireshark. |
| Incident Handling Domain | |
| IH Process | Demonstrate mastery of the Incident Handling process. |
| Common Attacks | Demonstrate a broad knowledge of computer and network attacks. |
| Malware | Demonstrate solid understanding of malware and how to handle infected computers. |
| Preserving Evidence | Demonstrate the ability to preserve evidence relevant to an Incident investigation. |
| Windows Security | Demonstrate general knowledge of Windows Security and proficiency in a Windows environment. |
| Unix Security | Demonstrate knowledge of Unix Security and proficiency in a Unix environment. |
| Secure Communications | Demonstrate an understanding of basic cryptography principles, techniques, and tools. |
| Protocols | Demonstrate a solid understanding of TCP/IP, UDP, ICMP, DNS, and other common protocols. |
| Security Principles | Consistently demonstrate and practice bedrock security principles. |
| Security Technologies Domain | |
| Firewalls | Demonstrate competence with firewalls. |
| Vulnerability Scanners, and Port Scanners | Demonstrate competence with scanning tools including vulnerability and port scanners. |
| Sniffers and Analyzers | Demonstrate competence with Sniffers and Protocol Analyzers. |
| Common Tools | Demonstrate competence with common tools including netcat, SSH, Ettercap, p0f, etc. |
| Soft Skills Domain | |
| Security Policy and Business Issues | Demonstrate an understanding of the security policy and business issues including continuity planning. |
| Information Warfare and Social Engineering | Demonstrate an understanding of Information Warfare and Social Engineering. |
| Ability To Write | Demonstrate the ability to write quality technical reports or articles. |
| Ability to Analyze | Demonstrate the ability to analyze complex problems that involve multiple domains and skills. |
GSE Lab Retake Policy - A person who has unsuccessfully attempted the hands-on lab must wait one (1) year before they are eligible for another attempt. If you wish to retake prior to 1 year, you may apply for a waiver by filling out the following form and emailing it to firstname.lastname@example.org. The price for each lab attempt is the same. Due to the hands-on nature of the GSE lab, there is a *3 attempt limit* on GSE lab attempts.
The GSE is renewed every four years by taking the current version of the GSE Multiple Choice exam. Renewing your GSE will renew all of your active GIAC certifications! The GSE may not be renewed via CPEs.
Please email email@example.com to begin the renewal registration process. At the time of registering for a GSE Renewal, you have the option to receive updated courseware for the SANS course associated with any certifications you hold. You will also receive 3 practice tests to help you prepare.