A Roadmap to Earning Your First (or Next) SANS Certification
Staying current matters in any technical field. In cybersecurity training, SANS is widely regarded as the leading provider, with courses and GIAC certifications covering early-career through senior practitioners. They keep expanding the catalogue, which you can see in the SANS skills roadmap:

I’ve taken a lot of SANS courses (probably too many) and I want to share what’s worked for me, including a practical approach to preparing for a GIAC exam and a template business case you can use to request employer funding.
Disclaimer
Yes, there are excellent alternatives (OffSec’s OSCP and related certs, plus platforms such as Hack The Box and Blue Team Labs Online). Those resources are genuinely useful and worth exploring before you commit to any certification route. This write-up is intentionally narrow: it focuses on SANS/GIAC because it’s what I know best and because these certs still appear frequently in job listings.
Full Disclosure
I’ve worked with SANS for several years, so I’m not unbiased. With that said, if you take a course like FOR500 or FOR508, absorb the material, and actually apply it in your day-to-day work, you’ll be operating at a very high level. The volume of information is significant.
Finally, I’m in no way saying that certs or degrees are the only path to success. There are definitely individuals in the field who’ve never taken a cert or completed a degree and are super successful. In my experience, though, a well-chosen certification is one of the fastest ways to close skill gaps.
Understanding SANS Certifications
What are SANS certifications?
SANS certifications are globally recognised credentials that validate your knowledge and skills in various cybersecurity domains. These certifications are developed and maintained by SANS instructors, who are cybersecurity professionals at the top of their field. SANS instructors go through a rigorous process before they themselves are certified to teach at SANS conferences.
Why are they important?
SANS certs are highly valued by employers because they demonstrate that you have the practical skills and expertise needed to protect organisations (whether your own as an internal security analyst, or others as a consultant) from cyber threats. They also help you stand out from other professionals in a competitive job market, and can lead to increased job opportunities, promotions, and higher salaries.
With the move from entirely multiple-choice exams to practical assessments over the last few years, the certification exams no longer reward only rote learning or good indexing of the materials (the exams are open book); they also test real-world knowledge and skills.
GIAC make it very easy to verify someone’s certs when reviewing a resume for an interview or something similar: https://www.giac.org/certified-professionals/

Popular Certifications and Who They’re For
- GIAC Security Essentials (GSEC): security professionals seeking a solid foundation in cybersecurity principles and practices
- GIAC Certified Incident Handler (GCIH): incident responders and security professionals responsible for handling cybersecurity incidents
- GIAC Certified Intrusion Analyst (GCIA): professionals focusing on network traffic analysis and intrusion detection (personally one of the most challenging courses, closely followed by the GNFA)
- GIAC Certified Forensic Examiner (GCFE): professionals responsible for digital forensics investigations, including law enforcement officers, incident responders, and IT administrators
- GIAC Certified Forensic Analyst (GCFA): experienced forensics professionals, incident responders, and threat hunters who want to advance their skills in complex, large-scale investigations
- GIAC Certified Penetration Tester (GPEN): ethical hackers and penetration testers
- GIAC Web Application Penetration Tester (GWAPT): professionals responsible for securing web applications
How to Prepare for a SANS Certification
Assess Your Current Knowledge
Choose a certification that aligns with your professional aspirations and fills any gaps in your knowledge. Review the objectives and prerequisites of each certification to ensure it’s the right fit for your experience level and interests. For example, here’s an excerpt from the FOR500 course page:

The course pages also list learning objectives and business takeaways, which are useful when you build a funding request.
Explore Training Formats
SANS typically offers live online (virtual classroom), OnDemand (asynchronous recorded), and in-person events.
Consider the format that best suits your learning style, schedule, and budget. For example, OnDemand is a great way to approach the material over an extended period (4 months) if you can’t attend six straight days of live training. It’s also useful if you’d prefer to take the course at your own pace; not everyone’s comfortable drinking from a fire hose. Time zones can also be a consideration; SANS runs classes worldwide, so the next run of the class you want might not be in the friendliest time zone.
Some GIAC exams can also be “challenged” (take the exam without the course). This is cheaper, but you lose access to the courseware, which is extremely useful for study and for the open-book exam. Take that route only if you genuinely have the experience already.
Build a Study Plan
Once you’ve registered for your course, create a study plan outlining the topics you need to cover, the resources you’ll use (e.g. the books, course videos, MP3s, cheat sheets, SANS posters), and the time you’ll allocate to each topic. Set a realistic exam date and build a schedule that allows you to study consistently and effectively.
Also, make time to complete the labs. The labs probably provide the most return on investment when it comes to the exam. While the other course materials and the lectures are useful, the labs and the hands-on, practical exercises are worth the time to complete (multiple times) until you’re comfortable with the tools and the processes discussed in the course.
Personally, I want to take the exam as close to finishing the course as possible. If I leave it too long, I’ll forget too many of the details to be successful in the exam. There’s plenty of time after acquiring the cert to go back and review the material and incorporate it into my DFIR workflow and practice.
Preparing for and Sitting the Exam
A successful exam experience requires not only becoming familiar with the course material but also employing effective test-taking strategies. Lesley Carhart (aka hacks4pancakes) has developed a popular method for preparing for and taking GIAC exams that many people, including myself, have found useful. Let’s discuss their approach and how you can adapt it to suit your needs.
(My method is a modified version of this which is probably less extensive, but it’s served me well regardless, and I expect most people will adapt their own method that works for them.)
(Modified) Pancakes Method
- Create an index
While going through the course material (during or after the course), create a detailed index with references to the course books and any supplemental resources. Organise the index by topics, subtopics, and keywords to make it easy for you to navigate during the exam.
Over the years I’ve developed a spreadsheet with macros to help me expedite this process. The attached spreadsheet has instructions embedded to enable you to generate an index of the books. It’s important (I cannot overstate how important) that you create your own index. It not only gives you an opportunity to review the course material, but it means you’ll be familiar with the index and where the material you need lives in the books. Using someone else’s index, or the index provided by SANS, is not recommended. It won’t work nearly as well as an index you create yourself.
As you create your index, you will get bored. You will space out. Break it down into smaller chunks (like 20-30 pages at a time), then take a break or do something else entirely and come back to it. I find that there are usually ~20-30 entries per page, with multiple permutations of the content, i.e.:

Then, it’s a matter of tabbing up your books in a way that makes sense to you. I colour code the books; Lesley recommends tabbing each section of each book. For me, that’s too much, but I know a lot of people use that method and use it very successfully. Do what works for you.
Here’s the Excel index template (with macro) that I use to generate my indexes:
Download: SANS Index Template
- Take the practice exams
SANS provides two practice exams for each certification. Take the first practice exam after completing the course to assess your knowledge and identify areas where you need to focus your review. Save the second practice exam for when you feel ready for the actual test. Generally speaking, if you get 70-80% or better on the practice test, you’re probably ready for the exam.
It’s worth noting, the question pool for the actual exam is vast. You will not receive the same questions on the real exam that you did on the practice exam. The practice exams just give you a feel for the types of questions you’ll be asked. Additionally, GIAC can only test you on what is in the books. If it doesn’t appear between the covers of the courseware, it’s not testable.
If you need more than the two practice tests provided, you have two options:
  - Trade a practice exam from someone with a spare
  - Purchase additional practice exams: https://www.giac.org/frequently-asked-questions/?q=practice
- Review and refine your index
After each practice exam, review your index and refine it based on any difficulties you encountered. Add new entries, clarify existing ones, and reorganise as necessary to improve its usability.
- Practice using the index
Develop your ability to quickly locate information in your index by simulating exam conditions. Set a timer, and use your index to answer practice questions under time pressure.
- Manage your time during the exam
GIAC exams are time-limited, typically allowing 3-5 hours, depending on the certification. Use your index to quickly find answers to questions you’re uncertain about, and don’t spend too much time on any one question. Remember to monitor your time and pace yourself accordingly.
Adapting the method
While Lesley’s method is highly effective, you might find that you need to modify it to suit your learning style, preferences, or time constraints. Here are a few ways you can adapt it:
- Customise the index format: Experiment with different formats for your index, such as a spreadsheet, a physical notebook, or a digital note-taking app. Choose the format that works best for you and allows you to quickly locate information during the exam (NB: you’ll have to print the index to take with you; there are no electronic materials allowed in the exam)
- Focus on your weak areas: If you’re short on time or already have a strong grasp of certain topics, prioritise your study efforts on the areas where you need the most improvement
- Use additional resources: Complement your SANS course materials with other resources such as blog posts, online forums, and video tutorials to deepen your understanding of specific topics. You’ll usually receive some cheat sheets with the course materials, but all the SANS cheat sheets are available here: The Ultimate List of SANS Cheat Sheets. Use them
- Practice with peers: If possible, form a study group with others preparing for the same exam. Share your indexing methods, discuss questions, and learn from each other’s experiences
By following the Pancakes method (or a customised version that works for you), you’ll be well-prepared to tackle your GIAC exam. Remember to remain calm during the test, trust your index, and manage your time effectively.
Leveraging the SANS Work-Study program
What is the SANS Work-Study Program?
The SANS Work-Study Program, also known as the Facilitator Program, allows you to attend a SANS training event at a significantly reduced tuition rate in exchange for assisting SANS staff during the event. What that means in practice: you’ll arrive a day early to help set up the conference (e.g. the rooms, the tables, the chairs, the AV, etc.); you’ll provide support during the event (managing the classroom, such as the temperature, making sure students are actually in attendance, and reporting any issues with material/environment/student experience to the SANS event team); and you’ll help to break everything down again on the last day.
I’ve been fortunate and moderated/facilitated a lot of the classes I’ve taken as part of the work-study program. 95% of the time you’re just a regular student (albeit with a discounted training seat). The other 5% is managing the room and student requirements. Plus, you get the OnDemand version of the class, and the cert attempt included, so if you miss something during the week, you can easily catch up after the fact and before taking the exam. In my opinion, the work-study program is the best way to take SANS classes.
Benefits of the Program
The Work-Study Program offers several benefits, including reduced tuition fees (often around 60% off; check the website for the most up-to-date information), networking opportunities with cybersecurity professionals and instructors, and the chance to gain a deeper understanding of the course material.
Eligibility Criteria and Application Process
To be eligible for the program, you must have strong communication skills and be able to commit to the entire duration of the training event. To apply, submit an application through the SANS website, including your resume and a statement of interest.
Keep in mind that spots are limited, and acceptance is competitive. You likely won’t know if your application was successful until a couple of weeks before the event, which can make logistics challenging.
Tips for Successfully Applying and Making the Most of the Program
- Apply early: spots fill up quickly, so submit your application as soon as you know which class and event you want to attend
- Showcase your passion: in your statement of interest, highlight your enthusiasm for cybersecurity and explain how the program will help you advance your career
- Be flexible: be prepared to work in various roles during the event, such as registration, set up and break down, and assisting instructors
- Network: Take advantage of networking opportunities to build relationships with instructors, SANS staff, and fellow attendees
Creating a Business Case for SANS Training
SANS courses are expensive and often require employer support.
Between you and me, training your team should be a no-brainer. It’s a significant investment, but I’m always reminded of these two quotes:
“What if I train them and they leave?” “What if you don’t and they stay?” — W. Edwards Deming
“Train people well enough so they can leave, treat them well enough so they don’t want to.” — Richard Branson
What Makes a Strong Business Case
A good business case ties the course outcomes to your organisation’s risk reduction and operational needs.
- Use the course learning objectives and business takeaways
- Explain how you’ll apply the skills immediately
- Include an ROI narrative (reduced incident duration, improved triage, better containment decisions, fewer external consulting hours, etc.)
Here’s a template that you can use; just replace the highlighted text with the relevant information for your particular case:
Download: SANS Training Business Case Template
I expect this template could be repurposed for other training courses as well, with some minor tweaks.
Obtaining a SANS certification is a valuable investment in your professional development and can significantly impact your career and trajectory in cybersecurity. By understanding the various certs available, preparing effectively, leveraging the SANS Work-Study Program, and presenting a solid business case to your employer, you’ll be well on your way to earning your first (or next) cert.
I encourage you to take this step toward advancing your career and invite you to share your experiences and questions. Together, we can continue to grow and strengthen the cybersecurity community.
