Passed my GCIA considering going gold

sb97 Member Posts: 109
First off, I attended a SANS training class in person which really helped. I actually took the class nearly a year before taking the exam. Even so, having the classroom experience really helped me in terms of exposure to the many tools the course covers.

My exam experience was similar to what Docrice talked about.

I struggled quite a bit with Microsoft protocols. Oddly enough, I also struggled a bit with Wireshark filters even though this was the tool I had the most experience and familiarity with coming into the course. One thing I would add is that it is very important to spend some time studying all the various tools covered in the course. Not just the main ones, but those covered in the analyst toolkit as well. By luck of the draw, I had to answer some pretty detailed questions in that section.

My advice to people studying is nothing really new:

  1. Index your reference material.
  2. Take your practice exams and review the results.
  3. After your first practice exam revisit your indexing scheme.
  4. Also take some time to assess if you need any additional reference material or if you have some that is unnecessary.
  5. Go into the exam well rested. The actual exam only took me just over 2 hours but my practice exams took much longer. I was suffering from some fatigue at the end of my practice exams.

The indexing scheme that worked for me was to directly mark some pages in my reference material and to carry a sort of table of contents that covered all of my various materials and notes. I ended up using my table of contents a bit more than the direct marking because it was easier to navigate but both were helpful. I advise against marking too many pages. It can make navigating your various marks difficult.

I am considering trying to get the Gold level certification but am not sure what kind of topic I would like to cover.

Anyway, there was a lot of helpful advice in this forum so thanks to everyone!


  • docrice Member Posts: 1,706
    Good job on the pass. It was a fun exam, wasn't it? Did you have any intrusion analysis experience before you took the course and / or the exam?
  • sb97 Member Posts: 109
    docrice wrote:
    Good job on the pass. It was a fun exam, wasn't it? Did you have any intrusion analysis experience before you took the course and / or the exam?
    Yes, I did. I have spent some time in a SOC reviewing traffic and alarms. Even so, the class taught me a lot of new techniques and tricks. I had never walked through a packet bit by bit before. Simply having that ability has given me the ability to really make the most out of the various tools we use. Although I do not need to go that deep into every packet, this one ability makes analyzing the tough packet much easier.

    I took the course because it is one of the training tracks required by my job. But I have to admit, I really did enjoy both the course and running through the material and labs again. Now that this process is over I am seriously looking into taking another course or two in the near future. Even if it is at my own expense. I enjoyed it that much. For me, the GCIH really looks interesting. On the other hand, the GCFW looks like it approaches some of the same material covered in the GCIA from a different angle and could help complete some of those skills. Since I enjoyed the GCIA, I would imagine the GCFW would also be interesting.
  • docrice Member Posts: 1,706
    Like others here who have gone through both the GCIA and GCFW, I'd say that the GCIA is more intense a learning experience than the other. That said, I felt my investment into SEC502 / GCFW was worth it. It approaches things more from a perimeter perspective and doesn't dive deep into the bit level as much, and the first day does review the same "this is how TCP/IP works" thing, but will eventually get into log analysis, etc.

    If you are interested in firewalls and VPNs, it's a good complementary course to the GCIA.

    The GCIH / SEC504 is a different type of ball game. It goes over common attack methods, intrusions, and how to respond to them. Again, not a course which goes into the microscopic-examination level like SEC503 / GCIA, but definitely fun. I feel the 502 / 503 / 504 line-up is a very good rounded experience of seeing the attackers, defending against the attackers.