GCTI Exam Tips

Almost got it!

TLDR

  • For the most part, what applied to my GCIH tips will apply here
  • GCTI is a straightforward exam testing your understanding of the different campaigns and ops, how terms such as campaigns and intrusions are defined, the Kill Chain and Diamond Model and their application, and awareness of the analysis frameworks and how bias and fallacies can affect an assessment.
  • GCTI is not a “technical exam” in any way. The most “technical” part of it is knowing how to do basic parsing of PCAPs in Wireshark and running simple commands in Volatility for memory forensics.
  • Cyberlive weightage is huge. Getting all 7 of them correct goes a long way to passing and getting a high score
    • Do the labs multiple times until you are completely comfortable with them
    • You should run through the MISP, Maltego, Wireshark and Volatility sections multiple times until you are comfortable with them
    • Also learn how to write yara rules and how to execute them
  • Proper Indexing is key to getting a good score. More on that below.
  • Three hours is plenty of time. I completed both practice exams and the actual exam in under 1.5 hours each.

The Exam

As of April 2025, the three hour exam consisted of 75 MCQ and 7 Cyberlive questions. Cyberlive questions are weighted much more heavily than MCQs, so it is important to get most if not all of the Cyberlive questions correct if you want a good score.

It is an open book exam and you are allowed to bring in the books as well as any custom index you may have.

If given a choice to take it at a Pearson VUE location or remotely at home, I suggest doing it at the Pearson VUE location to avoid any potential issues with software incompatibility or banned applications on your host PC.

If you attended the live or on demand course and purchased the exam package, you will receive two practice exams. For all intents and purposes, the practice exams are a very good barometer of the actual exam. In fact, some questions do appear again, either exactly or with slight modifications, on the actual exam.

The CTF is great and all, but it is not tested, so feel free to skip it if you don't have time.

Preparation

Make sure to do the Labs! You should be comfortable with the following:

  1. Basic Display filtering on Wireshark. Know filters such as ip.addr ==, tcp.port ==, http.request.method == “GET” and what they do. Get familiar with using the Statistics tab and how to limit results to the display filter. Know what you are looking at when you right click a packet and follow TCP/HTTP Stream.
  2. Know how to import data into Maltego, how to customize entity properties and how to do basic link analysis
  3. Know how to use MISP, including determining related events, and where to get statistics on galaxies, and creating new events
  4. Know how to use Volatility 2 on memory dumps and which plugin to run to get the results you want: pslist to list processes, netscan for network connections, malfind for code injected into existing processes, and so on
  5. Know how to write yara rules and how to run them against binaries, memory dumps, or directory paths

Indexing

My index was an Excel sheet with four columns: keyword, description of the term, page number and book number. See example below.

I started indexing from the notes under each slide in the books. I indexed anything that looked like a keyword and wrote a short explanation in the index. My aim was to minimise flipping through the books and to have the answer in my index to save time.

When indexing, some terms are better grouped together thematically, for example under Kill Chain or Attribution. Example below.

I went through the lightning labs and the labs. It is good to have a reference for the commands you are likely to use. I also kept sample yara syntax.
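An added example, not from the course books or the author's index, of the kind of yara rule file that item 5 in the preparation list and the sample syntax above refer to; every rule name, string and hex pattern in it is a constructed placeholder, not an indicator from any real campaign:

```yara
// Added example (not course material). All strings, hex bytes and names
// are constructed placeholders, not indicators from any real campaign.

// Rule 1: meant for on-disk executables and directory scans. The header
// and size checks cut false positives and speed up large directory walks.
rule Example_Downloader_OnDisk
{
    meta:
        description = "Constructed example: small PE carrying a hard-coded URL and user-agent"
        author      = "placeholder"
        reference   = "placeholder"

    strings:
        $url = "http://example.invalid/update.bin" ascii wide nocase
        $ua  = "Mozilla/4.0 (compatible; MSIE 6.0)" ascii
        // push imm32 ; call rel32 ; add esp, 4  (wildcards for the operands)
        $op  = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 }

    condition:
        uint16(0) == 0x5A4D and      // "MZ" DOS header at offset 0
        filesize < 2MB and
        ($url or $ua) and $op
}

// Rule 2: the same artifacts, but for a raw memory dump, where offset 0 is
// not a PE header and the file is large, so only the content strings count.
rule Example_Downloader_InMemory
{
    meta:
        description = "Constructed example: same downloader artifacts found in process memory"

    strings:
        $url = "http://example.invalid/update.bin" ascii wide nocase
        $ua  = "Mozilla/4.0 (compatible; MSIE 6.0)" ascii
        $op  = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 }

    condition:
        ($url or $ua) and #op >= 1   // #op is the number of $op matches
}
```

Run `yara -s rules.yar sample.exe` against one file (-s prints the matched strings and their offsets), `yara -r rules.yar /path/to/dir` to walk a directory recursively, and `yara -s rules.yar memory.raw` to scan a memory image with the second rule.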

Practice Exams

My first practice exam was solely used to gauge the strength of my index and to see how much time I needed for the exam. I used solely my index for the practice without referring to any of the books. I scored 90% and completed everything in 1.5 hours with full marks for the Cyberlive. At this point I knew I could afford to slow down and use the time to do book flipping. Cyberlive questions were surprisingly easy and took me anywhere from 20 seconds for the easiest question to maybe two minutes for the more tedious ones. The practice exams will provide an explanation if you get a question wrong so I used the explanation to further strengthen my index.

My second practice exam took me about 1.5 hours with a score of 95%. There were plenty of new questions, but this time I was a lot more prepared for the style of the exam.

I scheduled my exam two days after my second practice exam, as it was clear I could pass it without much difficulty.

Actual Exam

I made sure to choose a good time after lunch. I had a nice cup of coffee and then went in with my index and all the books for the course including the labs.

The actual exam was fairly straightforward and similar in difficulty to the practice exams.

I finished the exam in 1.5 hours. I wanted that 100%, but well, 99% ain't bad. I found the exam to be on the easy side compared to some of the other cyber exams that I have done.

Closing Remarks

Go crush it :D Best of luck to those taking GCTI!