ProfessionalVendor-neutralISO 17024GIAC / SANS· issued from US

GCTI

GIAC Cyber Threat Intelligence

Structured threat intel production, ATT&CK, analytic tradecraft.

Official page at GIAC / SANS ↔ Compare with another cert

Exam fee

$979

Ongoing

$0/yr AMF · 9 CPE/yr

Study time

100–180 hrs

Delivery

Online proctored

Validity

4 yrs (renewal cycle)

› Quality score

26.5 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

FOR578-aligned; explicit on intel lifecycle, ATT&CK, analytic tradecraft.

8.0/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

Open-book MCQ. No production-quality intel report exercise.

4.5/10

Currency & upkeep

How aggressively content is kept current with the field.

Refresh tracks ATT&CK updates and IR-driven intel changes.

7.5/10

Market recognition

How often this signal actually moves a hiring decision.

Strong in intel-focused SOC and CTI consulting; growing reach. [Holders: 4k, 2024-12]

6.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

4,000

as of 2024-12 · source

› Built for these roles

Cyber Threat Intel AnalystStrategic Threat ResearcherDetection Engineer

› Exam format

Open-book MCQ exam, 75 questions over 2-3 hours, online proctored.

Passing score

71% (scaled per attempt)

Retake policy

Fee: $999 per attempt

Wait: 30d between attempts

30-day wait. SANS course bundles typically include 2 attempts.

› Recertification

36 CPE credits over four years (avg 9/yr) plus the $499 renewal fee per cycle.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

IN-WRL-001IN-WRL-002IO-WRL-001PD-WRL-001PD-WRL-003PD-WRL-005PD-WRL-006

Recognition

GlobalUSEUUK

Exam languages

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A8Threat Intelligence

CTI lifecycle, MITRE ATT&CK, IOCs/TTPs, threat modeling (STRIDE, PASTA), STIX/TAXII.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A22Information Operations & Cognitive Security

Influence operations, cognitive warfare, counter-intelligence, OSINT/SOCMINT, PSYOP/MISO, foreign malign influence, hack-and-leak operations, narrative warfare, DISARM framework.

A21Malware Analysis & Reverse Engineering

Static/dynamic analysis, sandbox analysis, assembly/disassembly, packer analysis, YARA rules, malware family classification.