December 2025 Update

I recently completed my GCFE and GX-FE. I found that the GX-FE was easier than the GX-IH / GX-FA but perhaps I am just more experienced. Either way I finished in approximately 3 hours with a better mark than either of the previous exams. 2 more exams remain for GSE!

Background Information

In 2023 GIAC revised the GIAC Security Expert Program and split it into 4 parts. Now by holding 6 GIAC certifications and passing 4 additional ‘Applied Knowledge’ exams, you can earn the GSE credential from home.

There are currently 6 available Applied Knowledge exams:

  • GIAC Experienced Forensics Expert (GX-FE)
  • GIAC Experienced Cybersecurity Specialist Certification (GX-CS)
  • GIAC Experienced Forensic Analyst Certification (GX-FA)
  • GIAC Experienced Intrusion Analyst Certification (GX-IA)
  • GIAC Experienced Incident Handler Certification (GX-IH)
  • GIAC Experienced Penetration Tester Certification (GX-PT)

Each of these exams consists of 25 questions that are exclusively practical, virtual-machine-based questions. With a 4 hour time limit, that leaves approximately 9 minutes per question.

Additionally, they added a ‘half-way point’ to GSE called the GIAC Security Professional which only requires 3 GIAC Certifications and 2 Applied Knowledge certifications. Earning either the GSP or the GSE has the additional benefit of co-terminating and renewing all of your existing certifications.

Although all of my older certifications had their validity extended, I did not receive new course materials for the older courses. SANS Staff said they were looking into strategies around this in April 2025 but I haven’t had any updates yet.

GSP Journey

Why pursue this?

When I first transitioned from IT to Cybersecurity proper my mentor shared Paul Jerimy’s certification roadmap with me. At the time it looked like this - with the easiest to earn certifications at the bottom and the hardest certifications at the top.

Certification Roadmap

I almost immediately set my sights on the GIAC Security Expert—represented by the black bar at the very top of the roadmap. However, at the time, earning the GSE required flying to Las Vegas for a hands-on lab exam. As an Australian, I decided it could wait. I’ve always been goal-oriented and found value in having long-term aspirations that seem just out of reach. These goals keep me on track and motivated to continue learning. So when the email went out to the GIAC Advisory Board announcing the first batch of Applied Knowledge exams, I knew I wanted to attempt them.

These aren’t credentials you’ll typically see listed in job requirements—I doubt most hiring managers even know they exist. As of April 2025, I was the 114th person worldwide to pass GX-FA and only the 453rd GSP holder. However, I believe these certifications are gaining popularity and prestige over time. If a hiring manager does include one of these in a job posting, it signals they’re staying current with industry certifications and would likely be impressed by candidates who hold them. That said, I’ve spoken with DFIR leads who are completely unaware of these credentials. They’re not a golden ticket, but to me, they represent a significantly higher level of practical ability than standard GIAC exams.

Primary Fit and Affiliate Training

Each Applied Knowledge exam has a “Primary Fit” course most closely aligned with the exam content, along with relevant “Affiliate” courses. Many people have asked what this means in practice. Let me demonstrate with GX-IH:

Primary Fit: SEC504
Affiliate Training: SEC450, SEC501, SEC503, SEC560, FOR610, FOR508, FOR500

When I completed GX-IH, I had only taken SEC504 and SEC501 from this list. I encountered questions highly similar to those in the GCIH exam—questions that wouldn’t have felt out of place in terms of difficulty. However, I also received questions covering tools and procedures I’d expect from SEC503/SEC560 labs. You don’t need to complete all affiliate courses to be ready, but you should expect questions well outside the scope of the primary fit course alone. Any lab or technique from any affiliate course that could reasonably be turned into a question completable by an expert in nine minutes is fair game.

One important benefit: if you’ve passed the certification for the Primary Fit course, you receive a significant discount on the Applied Knowledge exam voucher. Without the Primary Fit certification, a voucher costs $1,299 USD. With it, the price drops to $499 USD. This discount stacks with other promotions—during a 20% off sale last year, I purchased my voucher for $399.20, which by GIAC standards is remarkably affordable. Retake fees are also only $399.

Preparation

The official GIAC page at https://www.giac.org/get-started/applied-knowledge/ provides specific information about the exam environment. For GX-FA, it states:

you will perform work on a Windows 10 SIFT workstation which includes a WSL Ubuntu shell containing the SANS SIFT Linux distribution. The host has a variety of GUI-based and command line utilities for use during the exam including but not limited to tools for Windows forensics artifact processing and analysis, image mounting and volatile memory analysis. The candidate will encounter raw data and processed artifacts from a variety of enterprise Windows hosts. They will be required to apply a variety of forensic and incident handling techniques to identify and analyze the provided data.

My Preparation Approach:

First, I redid labs from various SANS courses without following the step-by-step instructions. For courses where I had the books but not the VMs, I converted each lab into a challenging question and solved it without referencing the materials.

I also completed Xintra.org Incident Response labs. While they require a subscription, they provided excellent sources of memory evidence based on real-world TTPs—invaluable practice before the exam.

Additionally, I worked through HackTheBox Sherlocks on SIFT workstations, restricting myself to information from SANS materials and posters only—no Google allowed. Anything that proved difficult to find or remember went into my notes and cheatsheets. I specifically sought Sherlocks with memory evidence and alternated between analyzing dumps with Volatility 2, Volatility 3, MemProcFS, and traditional strings/grep analysis. For GX-IH, I also completed relevant HTB and HTB Academy modules.

While I use some of these tools daily in my professional work, others are rare in my environment, having been replaced by commercial solutions. I’m fortunate to use Wireshark regularly and perform packet-level forensics multiple times weekly, but I rarely analyze memory dumps with Volatility or MemProcFS anymore—mostly just for demonstration purposes. I made sure to practice extensively with these tools until I felt confident I could use any exam tool without referencing the manual page and could operate “the SANS way” in a SANS environment.

Of course, the very first question on GX-FA required me to construct a command with five switches in a specific order for a tool I’d forgotten to review. I had to painfully reconstruct it using the manual and trial and error. Don’t make my mistake—overprepare.

Finally, GIAC offers demo questions for $39 USD—a set of three questions similar to the actual exam experience. These provide valuable insight into what to expect.

What to Bring

Bring the course books and your index for every mentioned course, especially the Primary Fit. The lab books matter most, but I can say with certainty there was one question I only answered correctly because of information in the FOR508 theory books. SANS posters and cheatsheets are invaluable. I brought two forensics posters along with multiple printed cheatsheets. I also created a custom cheatsheet for GX-FA containing information that wasn’t on any SANS DFIR posters. Consider everything you normally Google during analysis. For example, I know what error code 0x18 means on a 4771 event without looking it up—but what about 0x25? In real life, I’d quickly Google it, but you can’t do that during the exam, and you never know what might be relevant.

Questions

Unfortunately, I can’t discuss the questions in specific detail.

The majority of questions on both exams were considerably harder than those in their respective certification exams. The increased difficulty manifested in several ways:

  • Tasks requiring obscure or specific command-line switches, demanding extreme familiarity with tools or the ability to quickly read documentation and adapt
  • Simple tasks that would take too long if approached directly, requiring you to find methods to reduce processing time
  • Multiple techniques chained together sequentially to arrive at one answer
  • Additional processing needed to transform the ‘evidence’ into the ‘answer’
  • Straightforward requests with unexpected twists

Example question in a similar style:

One of the users on this computer deleted a .pdf on 2021-04-30 and accidentally entered the password into a Google search in the Edge browser. What word is written in the .pdf?

To solve this, you’d need to examine the Recycle Bin contents of several users to find one deleted on the specific date, convert the Recycle Bin folder SID to a username, review the user’s browser history, and proceed from there. However, there are no PDFs in the Recycle Bin. Then you notice a Volume Shadow Copy dated 2021-04-30, and the PDF is actually stored there. I’ve encountered significantly harder questions in easy HackTheBox Sherlocks—but those don’t have time limits. With an average of 9 minutes per question, you need to understand the approach immediately and find the answer fast.
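As an added example (not from the original post) of the first step in that walkthrough: parsing the $I metadata records in each user’s $Recycle.Bin SID folder, filtering by deletion date and extension, and mapping the SID folder back to a username. The three $I records and the SID-to-user map are constructed here so it runs offline; on a real image the map comes from the ProfileList registry key.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_dollar_i(data: bytes) -> dict:
    # $I layout: version u64 | original size u64 | deletion FILETIME u64 | original name
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 2:  # Windows 10+: u32 name length (UTF-16 chars) then the name
        (name_len,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + name_len * 2]
    elif version == 1:  # Vista to 8.1: fixed 260-char (520-byte) name field
        raw = data[24:24 + 520]
    else:
        raise ValueError(f"unknown $I version {version}")
    name = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"size": size, "deleted": filetime_to_datetime(ft), "name": name}

def build_dollar_i(name: str, size: int, deleted: datetime) -> bytes:
    # Constructed version-2 record so the example runs offline (not a real artifact)
    ft = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    encoded = (name + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ft, len(name) + 1) + encoded

def deleted_on(records: dict, sid_to_user: dict, day: str, ext: str) -> list:
    """records maps a $Recycle.Bin SID folder to the $I file contents found in it.
    sid_to_user is an assumed mapping; on an image it is read from ProfileList."""
    hits = []
    for sid, blobs in records.items():
        for blob in blobs:
            rec = parse_dollar_i(blob)
            if rec["deleted"].strftime("%Y-%m-%d") == day and rec["name"].lower().endswith(ext):
                hits.append((sid_to_user.get(sid, sid), rec["name"], rec["deleted"].isoformat()))
    return hits

# Constructed sample data: two user SIDs with three deleted files between them
SID_TO_USER = {"S-1-5-21-1-2-3-1001": "alice", "S-1-5-21-1-2-3-1002": "bob"}
UTC = timezone.utc
SAMPLE = {
    "S-1-5-21-1-2-3-1001": [build_dollar_i(r"C:\Users\alice\Documents\notes.pdf", 4096,
                                           datetime(2021, 4, 30, 9, 15, tzinfo=UTC))],
    "S-1-5-21-1-2-3-1002": [build_dollar_i(r"C:\Users\bob\Desktop\report.pdf", 1024,
                                           datetime(2021, 4, 29, 23, 50, tzinfo=UTC)),
                            build_dollar_i(r"C:\Users\bob\Desktop\todo.txt", 12,
                                           datetime(2021, 4, 30, 8, 0, tzinfo=UTC))],
}
```

Calling `deleted_on(SAMPLE, SID_TO_USER, "2021-04-30", ".pdf")` returns only alice’s notes.pdf; bob’s PDF falls on the previous day and his text file has the wrong extension.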

Exam Strategy

During the exam, you’re allowed to skip up to 10 questions, but you must complete them before taking a break. Ten questions out of 25 is nearly half the exam! I strongly recommend strategising to avoid needing bathroom breaks to maximise the advantage of question skipping.

My strategy was based on the assumption that some questions would take significantly less than 9 minutes (easy), some would be solvable within 9 minutes (medium), and some would require significantly longer (hard).

For easy and medium questions, I solved them immediately—some took only one or two minutes. Hard questions, where I knew I would be browsing through lab books and cheat sheets for information that just wasn’t in my head, I skipped almost immediately and saved for the end.

This approach left me with about an hour and a half remaining and a complete understanding of every unanswered question. I had no stress about potentially missing “easy” questions due to time constraints. I then dedicated substantial time to each remaining question. Ultimately, some questions I couldn’t solve in a reasonable timeframe, so I made informed guesses and moved on.

A Critical Advantage for GX-FA and GX-FE:

These exams use a persistent single virtual machine for ALL questions. This means you can export tool outputs to files for later reference and, critically, take contemporaneous notes. On one occasion, I encountered a medium-difficulty question where I couldn’t locate the relevant file, so I skipped it. While investigating a later question, I accidentally discovered the file, immediately viewed its contents, and recorded the answer in Notepad++. I also documented potential pivot points and anomalies I noticed while examining logs and artifacts. On multiple occasions, these notes helped me answer subsequent questions immediately.

Note on exam performance

Taking time for notes and exporting tool outputs is a calculated risk in GX-FE and GX-FA—if the system crashes, everything is lost. However, in my experience, the GX-FA system performance was significantly better and more reliable than other GX- exams I’ve taken, with no crashes or restarts. Demanding activities like searching entire memory images for strings or filtering supertimelines require patience, but that’s part of the time management challenge of the exam—just like real-world incident response.

During GX-IH, VMs occasionally crashed or became unresponsive when switching between questions. I had to reset the VM using available controls, and some extra time was provided. It was stressful and disrupted my flow state. I’m glad GX-FA uses a single persistent machine and hope other exams adopt a similar format in the future.