Passed SANS GCIA Exam - after failing both practice exams

0xFEEDBEEF Registered Users Posts: 1
Hello All, First time poster, long time lurker...

Some backstory:
I took the SANS GCIA live training in Las Vegas Sept 2016, Mike Poor did an amazing job at teaching me these skills, while providing great anecdotes, and analogies that allowed me to understand the core fundamentals as best I could.

I took my first practice test two weeks prior to my exam, I scored 60%. For some odd reason, I did not reference my index or notes, whatsoever. I also only used two of the allotted four hours. I thought this was a decent mark for not referencing any material, I continued my studies in the areas SANS gave me my failing summary.

Come four days before my exam, I take practice test two, this time I used my index, and 2.5 of the allotted four hours, I still failed with a 65%. Now I was scared. I had no idea how I did so bad, I didn't reference as many answers as I liked, and I finished way ahead of schedule... Keep in mind, they give you the four hours for a reason... Use it.

Again, I took the output of my failing summary and began to meticulously scrub through each section I got under three stars in, re-writing my index for those subjects, while also reading the notes in the books. I started to use some packet dumps because I was doing real bad on mapping headers / finding ports / protocols and checksums...

After re-reading the books (actually reading and highlighting) in the sections I didn't do well on, running through packet dumps, familiarizing myself with concepts I was not comfortable with, re-indexing certain areas where I struggled, and being able to explain key concepts to my peers, I believe I was ready.

Exam day.
For some reason the testing centers in my city were unavailable to book the GCIA, so I had to take a four hour road trip. I had my partner drive me, and on the way to the exam I kept going over the concepts I was not familiar with (IPv6, Packet Crafting, DNS, Application Protocols).

Once I got to the testing center I had some issues with the proctor not allowing me to bring my books into the exam, good thing I printed off the SANS FAQ that states they're allowed. I was brought to my desk, and I began the exam... Without getting into too much detail, I ended up referencing most questions (unless I was 100% sure), and using most of my time (used 3.5/4 hrs). I passed the exam with a whopping 84%... 84%!!! - I had no idea I was going to get a mark like that after failing both practice exams... I believe that the shock of failing kicked in after failing both practice tests, and this booted my brain into some kind of overdrive...

To sum it up: as long as you understand the base concepts, and how the underlying technologies work, you should be able to pass this exam. Also the index and packet headers, these helped immensely.

Questions were not binary, most questions were situational...

Materials going into Exam:
1. I have my 40+ page index (sorted A-Z by excel) (Followed this guide)
Example: (not sure if this falls under bad rules)


Fragmentation (DF Bit)

basic info
if flag set, packet will not be fragmented

Snort (Process Flow)

process flow

Packets > Decoder > Pre-processors > Snort Rules > Alerts / Logs


SHITTY, Low end, Half duplex, only understands layer 1 traffic

Silk (Flow)


Flow is unidirectional 5-tuple of:
- Source IP
- Dest IP
- Sport
- Dport
- Protocol

Flow terminates when a FIN/RST found, inactivity of 63 seconds/ Activity for 30m

2. Had all my packet headers, and other docs
- IPv4
- IPv6
- ICMP & ICMPv6 (w/ Message Codes)
- Ethernet Header
- IPv6 Extension Headers

3. A few 'breakdown' images I made, that really clarified the fixed position headers.

4. A 'Hex Math' sheet, so I could reference in case I forget something (although, extremely fundamental)

5. I practiced multiple packet hex dumps, courtesy of malwarejake.blogspot.ca

You can do it! Believe in yourself, but make sure you know your stuff!

Let me know if you have any questions!


  • grouchy_Smurf Member Posts: 15
    Great write up! Thanks for the share and congrats on the pass!
  • SaSkiller Member Posts: 337
    Great job!
  • cyberguypr Mod Posts: 6,928
  • NetworkNewb Member Posts: 3,298
    Grats on the pass!!
  • Abdullah.AA Member Posts: 50
    Congratulations, the GCIA is on my to do list for 2017. I hope I get accepted into SANS work study program, otherwise I'm not sure how one could learn the material well enough to use the intrusion analysis skills this course covers.
  • quogue66 Member Posts: 193
    Congrats! You put in a lot of hard work and earned that cert. Well done.
  • UnixGuy Mod Posts: 4,564
    Thanks for the write up! Congrats!!!!

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • DAVIS NGUYEN Member Posts: 1,472
  • FillAwful Member Posts: 119
    Congrats on your GCIA!

    I agree that reading the coursebooks thoroughly to the point of understanding and being adept at analyzing packet dumps is the key to success on this exam.
  • yomista Member Posts: 23
    Congrats and your index is awesome!
    I thought of taking GCIA after my GCED but damn it looks tough.
  • joeimp Registered Users Posts: 4
    I had the same experience. After failing both practice exams, I passed the GCIA (barely). I have taken seven SANS courses and 503/GCIA was by far the hardest.
  • CIPHERSTONE Member Posts: 30
    Hey 0xFEEDBEEF - I was in your class with Mike Poor. I'm looking for a backup index to accompany mine. Shoot me an email if you could, I'd like to chat. stvlange (at) gmail (dot) com.
  • CIPHERSTONE Member Posts: 30
    Passed it the other day. Was challenging but fun.
  • E Double U Member Posts: 2,229
    Congratulations! I'm studying for this now.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • CIPHERSTONE Member Posts: 30
    E Double U - I posted my index on another thread, feel free to use as a supplemental if you like.