The GIAC Certified Incident Handler (GCIH) certification validates a professional's ability to detect, respond to, and resolve computer security incidents. Offered by GIAC through the SANS Institute, GCIH covers the full incident handling lifecycle including identification, containment, eradication, and recovery. The certification also tests knowledge of common attack techniques such as denial of service, worms, trojans, buffer overflows, password attacks, network scanning, session hijacking, and web application attacks. GCIH holders understand both the attacker's tools and methods and the defender's response procedures, making them effective incident responders.
The GCIH exam contains 106 questions to be completed within four hours. A minimum score of 70% is required to pass. Like other GIAC exams, it is open-book, and candidates may bring printed reference materials. The associated SANS course is SEC504: Hacker Tools, Techniques, and Incident Handling, which is one of SANS' most popular offerings. The course walks through real-world attack scenarios and teaches students to build incident handling processes from the ground up. Topics include reconnaissance, scanning, exploitation, post-exploitation, and covering tracks, all viewed through the defender's lens. Recertification requires 36 CPE credits every four years.
GCIH is one of the most sought-after certifications for incident response and security operations roles. As cyberattacks grow more sophisticated, organizations need skilled incident handlers who can contain breaches quickly and minimize damage. GCIH proves that a professional can manage the entire incident lifecycle under pressure. It is recognized under DoD 8570/8140 for CSSP Incident Responder and CSSP Analyst roles. The certification is particularly valued in organizations with mature security operations centers, managed security service providers, and government agencies. GCIH frequently appears in job listings for SOC Analyst, Incident Responder, and Threat Hunter positions.