ProfessionalVendor-neutralISO 17024GIAC / SANS· issued from US

GCIH

GIAC Certified Incident Handler

Incident handling methodology and lifecycle.

Official page at GIAC / SANS ↔ Compare with another cert

Exam fee

$979

Ongoing

$0/yr AMF · 9 CPE/yr

Study time

80–150 hrs

Delivery

Online proctored

Validity

4 yrs (renewal cycle)

› Quality score

29.5 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

SEC504 blueprint maps NIST SP 800-61 lifecycle to detailed tasks.

8.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

Cyber Live segment plus open-book MCQ — middling lab signal, not deep DFIR.

5.5/10

Currency & upkeep

How aggressively content is kept current with the field.

Refreshed alongside SEC504 every ~2 years; recent additions on cloud IR.

7.0/10

Market recognition

How often this signal actually moves a hiring decision.

DoD 8570 IAT-II / CSSP-IR; widely accepted on IR postings. [Holders: 25k, 2024-12] [DoD 8140 listed]

8.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

25,000

as of 2024-12 · source

DoD 8140 baseline

Listed

IAT-III, CSSP-IR

› Built for these roles

Incident ResponderDFIR AnalystSOC LeadDoD 8570 IAT-II / CSSP-IR checkbox

› Exam format

Open-book MCQ exam, ~106 questions over 4 hours plus a Cyber Live hands-on component, online proctored.

Passing score

73% (scaled per attempt)

Retake policy

Fee: $999 per attempt

Wait: 30d between attempts

Retake fee $999. 30-day wait between attempts. SANS course bundle includes 2 attempts.

› Recertification

36 CPE credits over four years (avg 9/yr) plus the $499 renewal fee per cycle.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-003PD-WRL-001IN-WRL-001

Recognition

GlobalUSEUUK

Exam languages

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A7Incident Response & Forensics

IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.

A10Security Operations

SOC operations, SIEM tuning, SOAR playbooks, alert triage, log analysis, runbook development.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A21Malware Analysis & Reverse Engineering

Static/dynamic analysis, sandbox analysis, assembly/disassembly, packer analysis, YARA rules, malware family classification.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

› Prerequisites

Experience

Two to three years of SOC or IR experience recommended. Often paired with SANS SEC504.

Knowledge assumed

Incident response lifecycle (PICERL / NIST SP 800-61)
Windows and Linux log analysis
Common attack tradecraft

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (2)

GSECGIAC / SANS Security+CompTIA

GCIH

GIAC / SANS

Required by (0)

No certs require this one.

Recommended next (6)

GSEGIAC GCFAGIAC / SANS GREMGIAC / SANS GDATGIAC GCFRGIAC GCTIGIAC / SANS

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides

SANS SEC504 Course Materials (included with course) — SANS

Training providers

SANS SEC504 Hacker Tools, Techniques, and Incident Handling
GIAC self-study path (without SANS course)

Practice tests

GIAC Practice Tests (2 included with exam)

Free / community

GIAC Index Building Tips (multiple community guides)
r/SANSGIAC

› Version & lifecycle

Current version

2024 SEC504 refresh

Released

2024-04

SANS SEC504 is updated continuously; GIAC certification objectives track the course.

› Salary signal

Incident responder / blue team analyst, US, 3–5 years.

$100K–$150K

median $120K

Robert Half Salary Guide + SANS-affiliated salary data · 2024 · US base only · p25–p75 range

› How it compares

GCFA

GCIH is incident response (live); GCFA is forensic analysis (post-incident, evidence). Often paired.

↔ Compare side-by-side

CySA+

GCIH goes deeper than CySA+ but at >5x the cost.

↔ Compare side-by-side

› Careers that commonly pursue this cert

Incident Responder / DFIR

Investigate breaches, contain threats, and perform digital forensics. The first call when an attack is discovered.

Vulnerability Management Lead

Owns the end-to-end find → prioritize → fix → verify loop at scale, now increasingly AI-driven.

Threat Exposure Management / Attack Surface Analyst

External-first role: inventories what an attacker can see, tracks what's new, and drives closure through the org. The outside-in counterpart to vuln management.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications