A Roadmap to Earning Your First (or Next) SANS Certification
SANS is widely regarded as one of the leading providers of cybersecurity training. Their courses and GIAC certifications cover everything from early-career security analysts to senior incident responders and digital forensics specialists.
Because their catalogue is large and constantly expanding, a lot of people struggle with the question:
Which SANS certification should I take first, and what should come next?
The official SANS Cybersecurity Skills Roadmap is a useful starting point:

I’ve taken a lot of SANS courses over the years (probably too many), and this guide is the roadmap I wish someone had given me earlier.
In this article I’ll cover:
- how to choose the right SANS certification
- how to prepare for a GIAC exam effectively
- how to reduce the cost through the SANS Work-Study program
- how to build a business case to convince your employer to fund the training
Disclaimer
Yes, there are excellent alternatives (OffSec’s OSCP and related certs, plus platforms such as Hack The Box and Blue Team Labs Online). Those resources are genuinely useful and worth exploring before you commit to any certification route. This write-up is intentionally narrow: it focuses on SANS/GIAC because it’s what I know best and because these certs still appear frequently in job listings.
Full Disclosure
I’ve taught FOR508 for SANS for several years, so I’m not unbiased. With that said, if you take a course like FOR500 or FOR508, absorb the material, and actually apply it in your day-to-day work, you’ll be operating at a very high level. The volume of information is significant.
If you’re interested in the DFIR side of the roadmap, you might also find these useful:
Finally, I’m in no way saying that certs or degrees are the only path to success. There are definitely individuals in the field who’ve never taken a cert or completed a degree and are super successful. In my experience, though, a well-chosen certification is one of the fastest ways to close skill gaps.
Understanding SANS / GIAC Certifications
What are SANS certifications?
SANS certifications are globally recognised credentials that validate your knowledge and skills in various cybersecurity domains. These certifications are developed and maintained by SANS instructors, who are cybersecurity professionals at the top of their field. SANS instructors go through a rigorous process before they themselves are certified to teach at SANS conferences.
Why are they important?
SANS certs are highly valued by employers because they demonstrate that you have the practical skills and expertise needed to protect organisations (whether your own as an internal security analyst, or others as a consultant) from cyber threats. They also help you stand out from other professionals in a competitive job market, and can lead to increased job opportunities, promotions, and higher salaries.
With the move from entirely multiple-choice exams to practical assessments over the last few years, the certification exams no longer reward rote learning exclusively or good indexing of the materials (as the exams are open book), but also test real-world knowledge and skills.
GIAC make it very easy to verify someone’s certs when reviewing a resume for an interview or something similar: https://www.giac.org/certified-professionals/

Popular Certifications and Who They’re For
The following certifications appear frequently in DFIR, incident response, and security operations job listings.
| Certification | Focus | Best For |
|---|---|---|
| GSEC | Security fundamentals | Early-career security analysts |
| GCIH | Incident handling and attacker techniques | SOC analysts and incident responders |
| GCIA | Network traffic analysis and intrusion detection | Network defenders and detection engineers |
| GCFE | Windows forensic investigation | DFIR practitioners and investigators |
| GCFA | Advanced incident response and enterprise-scale investigations | Senior DFIR analysts and threat hunters |
| GRID | Industrial control system / OT incident response | Responders protecting critical infrastructure and OT environments |
| GPEN | Penetration testing fundamentals | Security consultants and ethical hackers |
| GWAPT | Web application penetration testing | Application security professionals |
For people interested in digital forensics and incident response specifically, the GCFE → GCFA progression is one of the most common pathways. GCFE focuses on Windows forensic investigation, while GCFA moves into enterprise-scale incident response and threat hunting.
For practitioners working in critical infrastructure or operational technology environments, GRID focuses on responding to incidents in industrial control systems and OT networks, where investigation techniques differ significantly from traditional enterprise environments.
If you’re already responsible for investigating incidents or running response programs inside an organisation, the challenge often shifts from learning DFIR skills to validating whether your incident response capability actually works in practice.
If that’s your situation, you might find this useful:
How to Prepare for a SANS Certification
Assess Your Current Knowledge
Choose a certification that aligns with your professional aspirations and fills any gaps in your knowledge. Review the objectives and prerequisites of each certification to ensure it’s the right fit for your experience level and interests. For example, here’s an excerpt from the FOR500 course page:

The course pages also list learning objectives and business takeaways, which are useful when you build a funding request.
Explore Training Formats
SANS typically offers live online (virtual classroom), OnDemand (asynchronous recorded), and in-person events.
Consider the format that best suits your learning style, schedule, and budget. For example, OnDemand is a great way to approach the material over an extended period (4 months) if you can’t attend six straight days of live training. It’s also useful if you’d prefer to take the course at your own pace; not everyone’s comfortable drinking from a fire hose. Time zones can also be a consideration; SANS runs classes worldwide, so the next run of the class you want might not be in the friendliest time zone.
Some GIAC exams can also be “challenged” (take the exam without the course). This is cheaper, but you lose access to the courseware, which is extremely useful for study and for the open-book exam. Take that route only if you genuinely have the experience already.
Build a Study Plan
Once you’ve registered for your course, create a study plan outlining the topics you need to cover, the resources you’ll use (i.e. the books, course videos, MP3s, cheat sheets, SANS posters, etc.), and the time you’ll allocate to each topic. Set a realistic exam date and build a schedule that allows you to study consistently and effectively.
Also, make time to complete the labs. The labs probably provide the most return on investment when it comes to the exam. While the other course materials and the lectures are useful, the labs and the hands-on, practical exercises are worth the time to complete (multiple times) until you’re comfortable with the tools and the processes discussed in the course.
Personally, I want to take the exam as close to finishing the course as possible. If I leave it too long, I’ll forget too many of the details to be successful in the exam. There’s plenty of time after acquiring the cert to go back and review the material and incorporate it into my DFIR workflow and practice.
How to Prepare for the GIAC Certification Exam
A successful exam experience requires not only becoming familiar with the course material but also employing effective test-taking strategies. Lesley Carhart (aka hacks4pancakes) developed one of the most widely used approaches for preparing for and taking GIAC exams. If you ask people who consistently pass their exams, this method comes up again and again. Let’s walk through the approach and how you can adapt it for your own study process.
(My method is a modified version of this which is probably less extensive, but it’s served me well regardless, and I expect most people will adapt their own method that works for them.)
(Modified) Pancakes Method
- Create an index
While going through the course material (during or after the course), create a detailed index with references to the course books and any supplemental resources. Organise the index by topics, subtopics, and keywords to make it easy for you to navigate during the exam.
Over the years I’ve developed a spreadsheet with macros to help me expedite this process. The attached spreadsheet has instructions embedded to enable you to generate an index of the books. It’s important (I cannot overstate how important) that you create your own index. It not only gives you an opportunity to review the course material, but it means you’ll be familiar with the index and where the material you need lives in the books. Using someone else’s index, or the index provided by SANS, is not recommended. It won’t work nearly as well as an index you create yourself.
As you create your index, you will get bored. You will space out. Break it down into smaller chunks (like 20 – 30 pages at a time), then take a break or do something else entirely and come back to it. I find that there’s usually ~20-30 entries per page, with multiple permutations of the content, i.e.:

Then, it’s a matter of tabbing up your books in a way that makes sense to you (I colour code the books; Lesley recommends tabbing each section of each book. For me, that’s too much, but I know a lot of people use that method and use it very successfully. Do what works for you.)
Here’s the Excel index template (with macro) that I use to generate my indexes:
Download: SANS Index Template
- Take the practice exams
SANS provides two practice exams for each certification. Take the first practice exam after completing the course to assess your knowledge and identify areas where you need to focus your review. Save the second practice exam for when you feel ready for the actual test. Generally speaking, if you get 70-80% or better on the practice test, you’re probably ready for the exam.
It’s worth noting, the question pool for the actual exam is vast. You will not receive the same questions on the real exam that you did on the practice exam. The practice exams just give you a feel for the types of questions you’ll be asked. Additionally, GIAC can only test you on what is in the books. If it doesn’t appear between the covers of the courseware, it’s not testable.
If you need more than the two practice tests provided, you have two options:
  - Trade a practice exam from someone with a spare
  - Purchase additional practice exams: https://www.giac.org/frequently-asked-questions/?q=practice
- Review and refine your index
After each practice exam, review your index and refine it based on any difficulties you encountered. Add new entries, clarify existing ones, and reorganise as necessary to improve its usability.
- Practice using the index
Develop your ability to quickly locate information in your index by simulating exam conditions. Set a timer, and use your index to answer practice questions under time pressure.
- Manage your time during the exam
GIAC exams are time-limited, typically allowing 3-5 hours, depending on the certification. Use your index to quickly find answers to questions you’re uncertain about, and don’t spend too much time on any one question. Remember to monitor your time and pace yourself accordingly.
Adapting the method
While Lesley’s method is highly effective, you might find that you need to modify it to suit your learning style, preferences, or time constraints. Here are a few ways you can adapt it:
- Customise the index format: Experiment with different formats for your index, such as a spreadsheet, a physical notebook, or a digital note-taking app. Choose the format that works best for you and allows you to quickly locate information during the exam (NB: you’ll have to print the index to take with you, as no electronic materials are allowed in the exam)
- Focus on your weak areas: If you’re short on time or already have a strong grasp of certain topics, prioritise your study efforts on the areas where you need the most improvement
- Use additional resources: Complement your SANS course materials with other resources such as blog posts, online forums, and video tutorials to deepen your understanding of specific topics. You’ll usually receive some cheat sheets with the course materials, but all the SANS cheat sheets are available here: The Ultimate List of SANS Cheat Sheets. Use them
- Practice with peers: If possible, form a study group with others preparing for the same exam. Share your indexing methods, discuss questions, and learn from each other’s experiences
By following the Pancakes method (or a customised version that works for you), you’ll be well-prepared to tackle your GIAC exam. Remember to remain calm during the test, trust your index, and manage your time effectively.
Leveraging the SANS Work-Study program
What is the SANS Work-Study Program?
The SANS Work-Study Program, also known as the Facilitator Program, allows you to attend a SANS training event at a significantly reduced tuition rate in exchange for assisting SANS staff during the event.
In practice, the program works like this:
- You’ll arrive a day early to help set up the conference, e.g. the rooms, the tables, the chairs, the AV, etc.
- You’ll provide support during the event: managing classroom conditions like temperature, making sure students are actually in attendance, and reporting any issues with material/environment/student experience to the SANS event team
- You’ll help break everything down again on the last day
I’ve been fortunate and moderated/facilitated a lot of the classes I’ve taken as part of the work-study program. 95% of the time you’re just a regular student (albeit with a discounted training seat). The other 5% is managing the room and student requirements. Plus, you get the OnDemand version of the class, and the cert attempt included, so if you miss something during the week, you can easily catch up after the fact and before taking the exam. In my opinion, the work-study program is the best way to take SANS classes.
Benefits of the Program
The Work-Study Program offers several benefits, including reduced tuition fees (often around 60% off; check the website for the most up-to-date information), networking opportunities with cybersecurity professionals and instructors, and the chance to gain a deeper understanding of the course material.
Eligibility Criteria and Application Process
To be eligible for the program, you must have strong communication skills and be able to commit to the entire duration of the training event. To apply, submit an application through the SANS website, including your resume and a statement of interest.
Keep in mind that spots are limited, and acceptance is competitive. You likely won’t know if your application was successful until a couple of weeks before the event, which can make logistics challenging.
Tips for Successfully Applying and Making the Most of the Program
- Apply early: spots fill up quickly, so submit your application as soon as you know which class and event you want to attend
- Showcase your passion: in your statement of interest, highlight your enthusiasm for cybersecurity and explain how the program will help you advance your career
- Be flexible: be prepared to work in various roles during the event, such as registration, set up and break down, and assisting instructors
- Network: Take advantage of networking opportunities to build relationships with instructors, SANS staff, and fellow attendees
Creating a Business Case for SANS Training
SANS courses are expensive and often require employer support.
Between you and me, training your team should be a no-brainer. It’s a significant investment, but I’m always reminded of these two quotes:
“What if I train them and they leave?” “What if you don’t and they stay?” — W. Edwards Deming
“Train people well enough so they can leave, treat them well enough so they don’t want to.” — Richard Branson
What Makes a Strong Business Case
A good business case ties the course outcomes to your organisation’s risk reduction and operational needs.
Use the course learning objectives and business takeaways.
Explain how you’ll apply the skills immediately.
Include an ROI narrative (reduced incident duration, improved triage, better containment decisions, fewer external consulting hours, etc.).
For organisations that run their own incident response capability, training like this often has measurable operational benefits. Teams that understand forensic investigation and incident handling at a deeper level tend to:
- Scope incidents faster
- Reduce containment time
- Rely less on external consultants
- Produce clearer post-incident reports for leadership
These improvements are exactly the kinds of outcomes security leaders look for when evaluating training investments.
Here’s a template that you can use, just replace the highlighted text with the relevant information for your particular case:
Download: SANS Training Business Case Template
I expect this template could be repurposed for other training courses as well, with some minor tweaks.
Final Thoughts
SANS certifications remain one of the most effective ways to build deep technical capability in cybersecurity, particularly in digital forensics and incident response.
Whether you’re early in your career or already working in security, the key is choosing certifications that align with the type of work you want to do, not just collecting badges.
If you’re just starting out, focus on building strong foundations with courses like GSEC, GCIH, or GCFE.
If you’re already working in digital forensics or incident response, courses like FOR508 (GCFA) can significantly deepen your investigative capability.
And if you’re responsible for running or improving incident response programs inside an organisation, the challenge often shifts from personal skill development to validating whether your team and processes actually work under pressure.
If that’s where you are, you might also find these useful:
- Incident Response Plan & Playbooks: 10-Minute Quality Check
- How to Test and Exercise Your Incident Response Capability
Either way, investing in your skills and understanding how incidents actually unfold in the real world will pay dividends throughout your career.
