Course Review: SANS SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling (GCIH)

With one SANS course and certification under my belt, I had a better idea of what to expect and I changed my study strategy accordingly (see below). Also, this is second course in the SANS Security Engineering Master Program.


I opted to go with the OnDemand option, which came with the following:

  • Official courseware books (sent via USPS)
  • 20+ hours of video training
  • Labs Two practice exams

There are six books, one book for each day of their in-person training.

  • 1: Incident Handling Step-by-Step and Computer Crime Investigation
  • 2: Computer and Network Hacker Exploits – Part 1
  • 3: Computer and Network Hacker Exploits – Part 2
  • 4: Computer and Network Hacker Exploits – Part 3
  • 5: Computer and Network Hacker Exploits – Part 4
  • 6: Hacker Tools Workshop (Lab)

The first book is all about incident response which I found interesting because I haven’t dealt with IR in my career. Books 2-5 are all about attacks and how the IR phases deal with them. Book 6 is one big lab and very interesting, especially if you’re new to the topics.

Studying Strategy

  • Step 1: Watched the videos at 1.25x speed, this took about a week.
  • Step 2: Read through the entire set of books with no note taking or highlighting. This step is solely for reviewing the material and not getting caught up in wanting to take notes.
  • Step 3: Go through the books for a second time but this time I will highlight topics I am not grasping fully and/or topics I feel like will definitely be asked on the exam.
  • Step 4: This will be the third and final time going through the books. I will focus more on what I highlighted rather than actually reading every word. I will only write down topics I am having trouble remembering, my goal is to keep my notes as small as possible.
  • Step 5: Edit SANS index at the back of book 5 (see below).
  • Step 6: Take practice exams (see below).


With this being my second SANS course and certification, I believe this is the area I improved the most. For the first course, I relied more on SANS index and barely made any edits. This led to one major problem…when a topic had multiple pages listed, I didn’t know which page to look at, so I would sometimes waste 2-5 minutes going through 5-10 pages looking for the answer. This time around, I would highlight the page that was the most important on the index. This little change took my testing time from almost 4 hours with the GSEC to 2.5 hours with the GCIH.

Practice Exams

Just like the GSEC practice exams, I scored in the high 80’s and the real exam was very similar to the practice exams. Once again, my only complaint is that we are not able to review the practice exam questions after submitting the exam. I would like to have time to review the questions I got wrong and why…I shouldn’t have to feel rushed to write down what I got wrong and why.


The exam was fair, and the courseware prepares you well for the exam. I passed with a 89% and found the exam easier than the GSEC.


I’ll be honest and admit I did not attempt any of the labs for this course.


A few years back I was into ethical hacking, so I feel like I had advantage going into this class and that’s a major reason why I found this certification easier than the GSEC. It’s a fun course and I would recommend it to anyone who wants to get into incident response and/or ethical hacking.