ProfessionalVendor-neutralISO 17024GIAC / SANS· issued from US

GCFA

GIAC Certified Forensic Analyst

Advanced host forensics, memory analysis, timeline reconstruction.

Official page at GIAC / SANS ↔ Compare with another cert

Exam fee

$979

Ongoing

$0/yr AMF · 9 CPE/yr

Study time

150–250 hrs

Delivery

Online proctored

Validity

4 yrs (renewal cycle)

› Quality score

32.5 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

Tight mapping to SANS FOR508; arguably the most comprehensive enterprise-DFIR blueprint.

9.0/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

Cyber Live segment with timeline / memory artefacts. Closer to the bench than MCQ.

6.5/10

Currency & upkeep

How aggressively content is kept current with the field.

FOR508 refreshed in 2023 with cloud-host forensics.

8.5/10

Market recognition

How often this signal actually moves a hiring decision.

Default DFIR signal in incident-response consulting and federal investigation roles. [Holders: 15k, 2024-12] [DoD 8140 listed]

8.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

15,000

as of 2024-12 · source

DoD 8140 baseline

Listed

CSSP-IR

› Built for these roles

DFIR AnalystIncident Responder (Senior)Threat HunterForensic Investigator

› Exam format

Open-book MCQ exam, 82 questions over 3 hours plus a 15-min Cyber Live hands-on component, online proctored.

Passing score

71% (scaled per attempt)

Retake policy

Fee: $999 per attempt

Wait: 30d between attempts

$999 retake. 30-day wait. SANS course bundle typically includes 2 attempts.

› Recertification

36 CPE credits over four years (avg 9/yr) plus the $499 renewal fee per cycle.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

DD-WRL-009PD-WRL-004IN-WRL-001PD-WRL-002

Recognition

GlobalUSEUUK

Exam languages

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A7Incident Response & Forensics

IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.

A21Malware Analysis & Reverse Engineering

Static/dynamic analysis, sandbox analysis, assembly/disassembly, packer analysis, YARA rules, malware family classification.

› Prerequisites

Experience

Two-plus years of DFIR experience. Usually paired with SANS FOR508.

Knowledge assumed

Memory analysis (Volatility, Rekall)
Timeline analysis (Plaso / log2timeline)
Windows forensic artifacts

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (2)

GCIHGIAC / SANS GCFEGIAC / SANS

GCFA

GIAC / SANS

Required by (0)

No certs require this one.

Recommended next (6)

GREMGIAC / SANS GX-FAGIAC GNFAGIAC GCFRGIAC GIMEGIAC GASFGIAC

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides

SANS FOR508 Course Materials — SANS

Training providers

SANS FOR508 Advanced IR & Threat Hunting

Practice tests

GIAC Practice Tests (2 included with exam)

Free / community

› Version & lifecycle

Current version

2024 FOR508 refresh

Released

2024-08

› Salary signal

DFIR analyst / forensic examiner, US, 5+ years.

$110K–$160K

median $130K

Robert Half Salary Guide + Glassdoor 'Forensic Analyst' aggregations · 2024 · US base only · p25–p75 range

› How it compares

GCIH

GCFA is post-incident forensic analysis; GCIH is live incident response. Often paired.

↔ Compare side-by-side

› Careers that commonly pursue this cert

Incident Responder / DFIR

Investigate breaches, contain threats, and perform digital forensics. The first call when an attack is discovered.

Malware Reverse Engineer

Dissect malicious software to understand capabilities, extract indicators, and produce attribution. A specialist role that powers threat intelligence, detection engineering, and advanced IR.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications