NEW! GIAC Applied Knowledge Certifications

Striving for mastery and constantly pushing oneself to improve.
GIAC Applied Knowledge Certs

GIAC Applied Knowledge Certifications are designed to provide a more comprehensive and rigorous assessment of knowledge and skills. GIAC Applied Knowledge certifications take testing to the next level. These certifications are:

  • Intended to provide candidates with a more thorough understanding of a wide range of topics and subject matter
  • 100% CyberLive and are designed to push beyond individual technical skills. CyberLive questions require candidates to synthesize their skills and use them to solve real-world challenges in a virtual machine environment.
  • Ideal for candidates who wish to challenge themselves and demonstrate their mastery of a subject
  • Stackable with GIAC Practitioner Certifications, enabling candidates to build their Portfolios to become a GIAC Security Professional (GSP) and/or a GIAC Security Expert (GSE)

Applied Knowledge Certifications

GIAC’s NEW Applied Knowledge Certifications truly test your mettle and set you apart from your peers. Designed to be challenging, these new certification exams requiring you to apply your technical expertise and hands-on experience to solve complex security scenarios. Courses that include a "primary fit course" designation have the most closely aligned content for the exam but is not inclusive of all the content, tools, and platforms that will be included in testing on the Applied Knowledge exam.
Applied Knowledge CertificationDescriptionAffiliate Training
GIAC Experienced Cybersecurity Specialist Certification (GX-CS)

The GIAC Experienced Cybersecurity Specialist Certification (GX-CS) demonstrates that a candidate is qualified for hands-on IT systems roles. Certification holders will validate their ability to solve complex multifaceted problems through new and diversified security practices and tasks.

A candidate of GX-CS will perform work on a variety of hosts, primarily using the *Slingshot distribution and Windows 10. The candidate may encounter other linux-based distributions such as Debian and Ubuntu Server. In some cases a candidate will be working on a single host that could have local containerization. In other cases the candidate will find additional hosts on a network to which they do not have console access.

*Slingshot may be researched and downloaded here.

SEC401
(Primary fit course)


SEC503
FOR508
SEC560
SEC542
SEC599
SEC501
SEC505
FOR500
SEC660

GIAC Experienced Forensic Analyst Certification (GX-FA)

The GIAC Experienced Forensic Analyst (GX-FA) candidate will perform work on a Windows 10 SIFT workstation which includes a WSL Ubuntu shell containing the SANS SIFT Linux distribution. The host has a variety of GUI based and command line utilities for use during the exam including but not limited to tools for Windows forensics artifact processing and analysis, image mounting and volatile memory analysis.

The candidate will encounter raw data and processed artifacts from a variety of enterprise Windows hosts. They will be required to apply a variety of forensic and incident handling technique to identify and analyze the provided data. The SANS Linux SIFT workstation can be researched and downloaded here.

FOR508
(Primary fit course)

FOR498
FOR500
FOR501
FOR503
FOR504
FOR509
FOR572
FOR608
FOR610

GIAC Experienced Intrusion Analyst Certification (GX-IA)

The GIAC Experienced Intrusion Analyst Certification (GX-IA) demonstrates that a candidate is qualified to solve complex and unique challenges that Intrusion Analysts encounter. Certification holders will validate their ability to solve multi-step problems through incorporating various concepts and methodologies to identify malicious activity

A candidate of GX-IA will perform work on a variety of hosts, such as Xubuntu, Ubuntu Server, and Windows 10, as well as versions of the SIFT, Slingshot, and SOF-ELK *distributions. In some cases a candidate will be working on a single host that could have local containerization. In other cases the candidate will find additional hosts on a network to which they do not have console access.

*These distributions may be researched and downloaded here.

SEC503
(Primary fit course)


FOR572
SEC530
SEC450
SEC511
SEC573

GIAC Experienced Incident Handler Certification (GX-IH)

The GIAC Experienced Incident Handler Certification (GX-IH) demonstrates a candidate's superior incident response skills. Mastery of hands-on attacker techniques combined with incident response tools and practices validate that certification holders have the skills and knowledge to take teams to the next level

A candidate of GX-IH will perform work on a variety of hosts, primarily using the *Slingshot distribution and Windows 10. Some Windows 10 hosts use WSL.  In some cases a candidate will be working on a single host that could have local containerization. In other cases the candidate will find additional hosts on a network to which they do not have console access.

*Slingshot may be researched and downloaded here.

SEC504
(Primary fit course)


SEC450
SEC501
SEC503
SEC560
SEC505
FOR610
FOR508
FOR500

GIAC Experienced Penetration Tester Certification (GX-PT)

The GIAC Experienced Penetration Tester (GX-PT) Certification demonstrates that a candidate is qualified for hands-on red and purple-team penetration testing roles that require advanced skills, thorough comprehension of pentesting methods and approaches, and the ability to think critically in a time-restricted situation. Certification holders will validate their ability to map networks, identify vulnerabilities, and exploit hosts in various environments through a diverse set of tasks.

A candidate of GX-PT will perform work from a variety of hosts, primarily using Windows 10 and the Slingshot* Linux distribution against various other OS types. The candidate may encounter other Linux-based distributions such as Debian and Ubuntu Server. In some cases, a candidate will be working on, or attacking, a single host that could have local containerization, working against enterprise environments that include various Windows Server versions, or dropped into a machine with only console access.

*Slingshot may be researched and downloaded here.

SEC560
(Primary fit course)

SEC401
SEC501
SEC503
SEC504
SEC542
SEC565
SEC580
SEC617
SEC660
SEC670
SEC760

Study Guide Infographic

How to Prepare for Applied Knowledge Certifications

Unlike our traditional GIAC Practitioner Exams, preparation for GIAC Applied Knowledge exams is not directly linked to a specific affiliate training course. To prepare for a GIAC Applied Knowledge Certifications, GIAC recommends that candidates review the content within the primary fit affiliate course, however, candidates should not rely on this course alone. Along with content and labs included in primary fit course, candidates should review the Areas Covered list found on each Applied Knowledge certification page. Additionally, work experience will also equip candidates for success.

Are You Ready for an Applied Knowledge Exam?

These hypothetical exam takers were created to showcase various backgrounds and preparation methods. Candidates may use these examples to better understand how they are projected to perform on an Applied Knowledge exam.
  • Erik is a renowned cyber expert and multi-time winner of Capture-the-Flag (CTF) competitions demonstrated their expertise by taking an Applied Knowledge exam in their area of proficiency without taking the affiliate partner primary fit course. This individual is a true cybersecurity rockstar. Remarkably, the expert passed the exam on their first attempt, showcasing their exceptional skills and knowledge in the field.

  • Kendra is a recent college graduate with a degree in computer science and exceptional aptitude and talent, enrolled in her first SANS class. On day 6 of the course, she led her team to victory in the Capture-the-Flag (CTF) exercise. During her certification attempt, the student demonstrated outstanding performance and passed with remarkable scores.

  • A cyber practitioner with a decade of technical experience in the industry enrolled in a SANS course and demonstrated exceptional skills in the labs. As a result, Ravi excelled in the practitioner level GIAC exam with outstanding marks. The practitioner was confident that they could adapt the techniques learned in the labs to new and unique environments without further instruction. However, when attempting the Applied Knowledge exam, Ravi fell just short of passing and ultimately failed.

  • Jason is new to cybersecurity and enrolled in their first SANS course, but failed to complete all the labs in class. Consequently, he struggled to apply the techniques learned in class to unfamiliar scenarios in his own environment. Despite this, he managed to pass the certification on his first attempt, with a score in the upper 70s. Encouraged, Jason felt ready for a specialist exam, and attempted it two weeks later using his course index. Unfortunately, he failed. In a second attempt, Jason revisited the course labs but failed again.

  • Olivia has two decades of experience in cybersecurity and took a course in their area of expertise. Olivia’s employer used an expensive commercial suite to perform the tasks covered in the course for the past five years. While Olivia's extensive experience and familiarity with the domain enabled them to pass the primary fit affiliated certification exam, they were unable to pass the specialist exam due to unfamiliarity with the tools available. Her employer's expensive commercial suite was not available for her to use during the exam and Olivia was unaware of any other methods to solve the challenges, which resulted in her failing the exam.

  • Sarah is an experienced and highly skilled cybersecurity professional enrolled in a course in an unfamiliar domain. Due to their proficiency in taking certification exams, they passed the primary best fit certification exam with ease. Overconfident, Sarah assumed that passing the specialist exam would be a breeze since she paid attention to the labs. However, Sarah failed the first specialist exam attempt, underestimating its difficulty. On impulse, she purchased a retake, but with a full-time job and busy family life, she lacked the time to delve deeper into an unfamiliar domain. Despite being exposed to the types of challenges on the exam, Sarah failed her second attempt primarily due to a lack of additional study time.

What Others Are Saying About Applied Knowledge Certifications

The GX–CS exam questions are amazingly well designed. They require the candidate to combine and chain several actions, demonstrating not only usage of tools, but also understanding and real-world applicability.
Bojan Zdrnja
Chief Technical Officer INFIGO IS, SANS Certified Instructor
I'm proud of all my certs, but the satisfaction I felt after passing the GX- CS exam was nothing like I had felt after any prior cert or exam. These exams will test your mettle!
Bryan E. Simon
President of Xploit Security Inc., SANS Senior Instructor/Author
The questions on the GX – IH challenged me, like I experience in my consulting work every day. It's hard to imagine a more real-world exam.
Josh Wright
SANS Author & Fellow
    • No. There are no prerequisites. Please visit our Applied Knowledge Certifications page for helpful information about the associated exam and how to prepare.

    • No, practice tests are not included. However, we offer Demo Questions to help you prepare.

    • Check out our preparation tips here.

    • Applied Knowledge exams are comprised of 25 CyberLive hands-on questions. CyberLive testing creates a lab environment where cyber practitioners prove their knowledge, understanding, and skill.

    • GIAC Applied Knowledge Certifications require successfully passing a proctored exam & are applicable to the same policies as GIAC Practioner Certification exams. Please review our proctored exam overview here.