SANS Exam and Study Strategy
Are you gearing up to take a SANS exam or considering investing in your education but feeling unsure about how to prepare or what to expect? Fantastic—you’re in the right place!
First, let’s quickly cover what the SANS Institute is and why investing in their training and exam materials is such a valuable choice.
The SANS Institute is a globally recognized and highly respected organization specializing in cybersecurity and information security training and certifications. They offer a wide range of courses tailored to various specialties within the cybersecurity field, including penetration testing, incident response, network defense, and much more.
What sets SANS apart is their reputation for providing practical, in-depth, and hands-on training. Their courses are developed, maintained, and taught by industry experts who bring real-world experience to the classroom. Given how rapidly the cybersecurity landscape evolves, this is no small feat—but SANS consistently rises to the challenge, ensuring their material stays current and highly relevant.
Common Exams
GIAC (Global Information Assurance Certification) exams cover a wide range of topics within information security. GIAC exams are highly regarded in the industry and are known for their practical approach to testing real-world skills. Here are a few of the most well-known exams.
Certified Incident Handler (GCIH): This certification focuses on incident handling and response techniques. It covers topics such as detecting and responding to security incidents, analyzing malware, and managing incident response teams.
Certified Intrusion Analyst (GCIA) focuses on network intrusion detection and analysis. It covers topics such as network traffic analysis, intrusion detection systems (IDS), and packet analysis.
Certified Penetration Tester (GPEN): This certification focuses on penetration testing techniques and methodologies. It covers topics such as reconnaissance, scanning, exploitation, and post-exploitation techniques.
Certified Forensics Analyst (GCFA) focuses on digital forensics and incident response. It covers topics such as disk and memory forensics, forensic analysis techniques, and incident response procedures.
These exams are typically a combination of multiple-choice questions, hands-on lab exercises, and practical assessments. The student will register for the full course prior to the exam (not included in the course tuition) and be provided a variety of study materials, including printed books, a live or recorded session of the instructional walkthrough, and additional supporting materials depending on the instructor and course.
You've chosen the course you want to take! Now what?
Now that you’ve chosen the perfect course for your needs, it’s time to consider finding the right instructor! This step isn’t strictly necessary and is more relevant for live online or on-demand classes. If you’re attending an in-person class, you’re in for a fantastic experience but likely won’t be “instructor shopping.”
For live or on-demand formats, I recommend exploring instructor options to find one whose teaching style resonates with you. This can make a big difference in optimizing your learning experience. The SANS website features detailed instructor profiles with testimonials, giving you the chance to find the perfect match for your learning preferences.
The course is selected, the class is booked, and the excitement is building. Now what? Wait!
You’ll typically receive your course materials and books pretty quickly after registering. It’s tempting to dive in immediately, but it’s best to wait until your materials arrive, which will be available in your SANS portal. When preparing for these exams, the key is a methodical and steady approach—this isn’t a race!
Fast forward: Your books are here, and you’re ready to jump in. Let’s get started!
How to Prepare for a SANS Exam!
SANS exams are open book, and you’re allowed to bring a handful of printed notes. Sounds easy, right? Not so fast! While "open book" might seem like a breeze, the reality is that you’re dealing with a lot of material—typically 6 to 8 books, each with a minimum of 100 pages. On top of that, the exams are timed, so you won’t have the luxury of endlessly flipping through your materials to find what you need.
Don’t worry—I’m not trying to stress you out, just setting realistic expectations. And the good news? I’ve got a strategy that works for me, which I’m happy to share! Feel free to tweak and adapt it to suit your learning style.
Step 1: Read your books thoroughly. Take your time and go through the material carefully. As you read, create a comprehensive index. I recommend using a tool like Excel or another private spreadsheet solution. Your index should be straightforward, well-organized, and easy to navigate quickly during the exam.
To give you an idea of what this looks like, I’ve created a sample index using random cybersecurity terms and commands (since sharing actual SANS material publicly isn’t allowed). Your index will focus on key terms, topics, and concepts from your course material, tailored specifically to your needs.
4 Columns
Key Word: Keywords from your learning material
Book: Indicate which book the key word is found in
Page: Indicate which page of the book the key word is on
Comments: Any supporting information or details about the keyword.
In the sample index, you’ll notice red text—these are notes about how I structure my index to make it as effective as possible. For example, I like to bold important keywords in the comments to make them stand out, and I use a different color for input variables in commands.
Here’s an example: For a Netcat port scanning command, I’d format it like this:
nc -v -n 8.8.8.8 1-1000
This command tells Netcat to scan ports 1–1000 on the IP address 8.8.8.8.
By highlighting input variables (like the IP address and port range) in a distinct color, I can quickly identify what the command does and what type of input information I’ll need to use it effectively. This method works well for most commands and tools, making it easier to decode and apply them quickly during the exam.
Now that we’ve built an awesome index (mine usually ends up around 30 pages with hundreds—sometimes thousands—of rows), it’s time to move on to the next step! While it may seem like a lot, this method has consistently worked for me.
Watch the videos and focus on the labs.
At this stage, you can either create a separate index for the labs or integrate it into your existing one. Personally, I prefer to make a separate lab index. Instead of organizing it alphabetically, I structure it by tool and include step-by-step instructions for completing specific tasks. This layout makes it easy to follow along and reference during hands-on activities.
Some people prefer to alternate between reading the books, indexing, and watching videos simultaneously. While that approach works for many, I find it easier to stick to one learning style at a time. I like to start by reading the books and creating my index, then shift my focus to watching the videos and completing the labs.
When doing labs, I don’t focus heavily on them during my initial read-through of the materials. Labs often come with additional resources or walkthroughs provided by the instructors, and I like to take full advantage of those guides—especially when working with new tools. This hands-on approach allows me to deepen my understanding while building confidence in applying what I’ve learned.
First round reading: Check
Solid Index: Check
Videos and Labs: Check
Now what? It’s time for the PRE-TEST!
Your exam comes with two pre-tests, and they’re a fantastic way to gauge your readiness. Here’s how to make the most of them:
Take the First Pre-Test: Once you feel confident with the material, print your index and any other reference materials, then sit down for the first pre-test. Treat it like the real thing—don’t rush, and stick to the time limits. This is your opportunity to identify any knowledge gaps.
Analyze the Results: After completing the pre-test, you’ll receive a detailed report showing how you performed across the tested domains, rated by stars. Use this report to pinpoint areas where your knowledge is weaker.
Refine and Review: Focus your study efforts on the areas where you didn’t perform as strongly. Brush up on those topics by revisiting your books, refining your index, and reviewing key concepts. Skim all the materials again with extra attention to your weaker domains. Depending on how much you need to review, dedicate another week or two to this process.
Take the Second Pre-Test: By now, you should have a much stronger grasp of the material. Take the second pre-test and, just like before, treat it as if it were the real exam.
At this point, you’ll have a clear understanding of what to expect and where to focus your energy. With your preparation on point, you’re ready to tackle the real exam and knock it out of the park on your first try!
Ready to roll? It’s time to book your exam!
You have two options: take your exam online with a proctor from the comfort of your home, or head to a test center. Each option has its pros and cons, so choose the one that works best for your needs and setup.
Once you’ve booked your exam, it’s time to gear up for success!
In the days leading up to your exam:
Avoid last-minute cramming—your brain will thank you for the rest.
Be methodical: print out your latest, polished index and organize all your materials.
Double-check your setup, whether you’re testing at home or in a center, to ensure everything is ready to go.
You’ve put in the work, and now it’s your time to shine. You’ve got this—go crush your SANS GIAC exam!
Lessons learned...From mistakes I've made...
Don't waste your pre-tests. Really focus on these tests as tools to help shape your understanding of the material and practice using your index.
Don't trust that an office supply store will print your index on time. Make sure to leave plenty of buffer room and double-check the print.
You get breaks during the exam, TAKE THEM. You may want to just power through but these exams are intense. Take the breaks, get some water, recalibrate, don't rush.
Take care of yourself during the entire process. If you are burning out while you study, take a break. The night and days before the exam get good rest and stay hydrated. This is not the time to cram.
Really understand the labs. There have been a few times in labs when I had to get the answer in a roundabout way because the step-by-step was not getting the results I needed. The more you know, the better you can troubleshoot.
Pace your time out. If you have 4 hours and 106 questions, that leaves you just about 2.2 minutes per question. You'll want to factor in extra time for lab questions if your exam has them (called CyberLive questions). I'd recommend 10 minutes per lab question. Say there are 6 labs in the above scenario; that means you need to leave an hour for labs. At 100 remaining questions and 3 hours outside of labs, that leaves you 1.8 minutes per question, and the more you can cut that down, the more time you will have for labs. Nothing is worse than that "oh @#$%" moment when you have run out of time on lab #2... yes, it's happened... and retesting isn't cheap.
All in all you are absolutely capable, just put in the work and be mindful! If you have any questions or topic recommendations drop me a line. I'm happy to chat!