Security Certification: GCTI

Security Certification:

GIAC Cyber Threat Intelligence (GCTI)


"The GIAC Cyber Threat Intelligence (GCTI) certification, to me, marks an important moment in our field where we begin to move the art of cyber threat intelligence to science and codify our knowledge. In our complex and ever changing threat landscape it is important for all analysts to earn the GCTI whether or not they are directly involved in generating intelligence.

Technical training has become common and helped further our security field the same has not been true for structured analysis training, until now. Many of security practitioners consider themselves analysts but have not fully developed analysis skills in a way that can help us think critically and amplify our technical knowledge. It is in this structured analysis that we can challenge our biases, question our sources, and perform core skills such as intrusion analysis to better consume and generate intelligence. It is through cyber threat intelligence that organizations and their personnel can take on focused human adversaries and ensure that security is maintained.

Intelligence impacts us all and we are furthering the field together in a way that will extraordinarily limit the success of adversaries," Robert M. Lee, Course Author FOR578: Cyber Threat Intelligence

Areas Covered on the GCTI

  • Strategic, Operational, and Tactical Cyber Threat Intelligence
  • Open Source Intelligence and Campaigns
  • Intelligence Applications and Intrusion Analysis

SANS FOR578 alumni are eligible to challenge the GCTI exam at a discounted rate.

Who is the GCTI for?

  • Incident Response Team Members who regularly respond to complex security incidents/intrusions from advanced persistent threat adversaries and know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.
  • Threat Hunters who understand threats fully and know how to effectively hunt threats and counter their tradecraft.
  • Security Operations Center Personnel and Information Security Practitioners who support hunting operations that identify attackers in their network environments.
  • Experienced Digital Forensic Analysts that have an expanded understanding of filesystem forensics, investigations of technically advanced adversaries, incident response tactics, and advanced intrusion investigations.
  • Federal Agents and Law Enforcement Officials that have mastered advanced intrusion investigations and incident response, and have expanded investigative skills beyond traditional host-based digital forensics.
  • GIAC GCFE, GNFA, GCFA or GREM Certification Holders looking to authenticate their demonstrable performance in Cyber Threat Intelligence.

*No Specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS


  • 1 proctored exam
  • 75 questions
  • Time limit of 2 hours
  • Minimum Passing Score of 71%


Certifications must be renewed every 4 years.


NOTE: All GIAC exams are delivered through proctored test centers and must be scheduled in advance.
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt. GIAC exams must be proctored through Pearson VUE. Please click the following link for instructions on How to Schedule Your GIAC Proctored Exam GIAC exams are delivered online through a standard web browser.

Bulletin (Part 2 of Candidate Handbook)

Exam Certification Objectives & Outcome Statements

The topic areas for each exam part follow:

Analysis of Intelligence
The candidate will demonstrate an understanding of the techniques employed in analyzing information. The candidate will also demonstrate an understanding obstacles to accurate analysis, such as fallacies and bias, and how to recognize and avoid them.
Campaigns and Attribution
The candidate will demonstrate an understanding of identifying and profiling intrusion characteristics and external intelligence into campaigns. The candidate will demonstrate an understanding of the importance of attribution and the factors that are considered when making an attribution.
Collecting and Storing Data Sets
The candidate will demonstrate an understanding of collecting and storing data from collection sources such as threat feeds, domains, TLS certificates, and internal sources.
Intelligence Application
The candidate will demonstrate an understanding of the practical application of gathering, analyzing, and using intelligence. Additionally, the candidate will demonstrate an understanding of how well-known cyber attacks can inform cyber intelligence professionals today.
Intelligence Fundamentals
The candidate will demonstrate an understanding of fundamental cyber threat intelligence definitions and concepts. The candidate will also demonstrate a basic working knowledge of technologies that provide intelligence analysts with data, such as network indicators, log repositories, and forensics tools.
Kill Chain, Diamond Model, and Courses of Action Matrix
The candidate will demonstrate an understanding of the Kill Chain, Diamond Model, and Courses of Actions Matrix and how they are used together to analyze intrusions.
Malware as a Collection Source
The candidate will demonstrate an understanding of malware analysis tools and techniques to derive intelligence.
The candidate will demonstrate an understanding of pivoting to expand intelligence, pivot analysis, the ability to use link analysis tools, and ability perform domain analysis to expand intelligence collections.
Sharing Intelligence
The candidate will demonstrate an understanding of methods and practices of storing intelligence from various sources. The candidate will demonstrate an understanding of the processes, tools, and techniques used in sharing intelligence. The candidate will demonstrate an understanding of effectively sharing tactical intelligence with executives by writing accurate and effective reports and using such capabilities as assessments.

Where to Get Help

Training is available from a variety of resources including on line, course attendance at a live conference, and self study.

Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.

Finally, college level courses or study through another program may meet the needs for mastery.

The procedure to contest exam results can be found at