GSE Multiple Choice Exam

I passed the first part of the GSE today. The GIAC Security Expert (GSE) consists of a multiple choice exam, which is what I passed today, and a two-day lab.

The certification bulletin for the exam portion of the GSE is a bit light.   I’m not sure that page is actually linked anywhere.   It is missing the number of questions (150), passing score (75%) and length of time allowed (3 hours).     The exam bulletin lists the prerequisite certifications (GSEC, GCIH and GCIA) as the test objectives.  I would suggest looking at the exam bulletin for each of those quite carefully.   Consider these certifications your practice tests.   There are no GSE practice tests.  

In preparing, one of the first things I did was re-read Preparing for the GSE.  Kevin Bong’s advice on preparing for the multiple choice exam applies to all GIAC tests.   If you’re smart you’ll follow this advice on all certs and not have to redo the indexes.   I don’t follow his advice exactly.

When preparing, the first thing I do is create an Excel doc and create headers for Term, Book, Page, and Definition. Under cell formatting, you’ll want to enable word wrap on the term and definition columns. The page column needs to be treated as text if you have any old style SANS books that number using the section-page method (e.g. 2-35). Otherwise Excel will think you’re entering a formula.

I next go through the book page by page, entering terms and key concepts.   I use the definition field as much as possible so during the test, I may quickly be able to gather the answer without opening the book.

After I’ve made it through all the books, I’ll review the test goals in the certification bulletin. In the case of the GSE, that would be the certification bulletins for the GSEC, GCIH and GCIA. Review each item and make sure it is covered in your glossary. If you did a good job, you shouldn’t have to add too many things to the glossary/index. The last thing you do before the test is sort into alphabetical order and print (preferably double-sided and stapled).

Depending on the course and the age of your books, you may not have a table of contents. I have books with no table of contents, tables of contents that are wrong, and tables of contents without page numbers. Take the time to create your own table of contents. If you get a question you don’t know, and it’s not in your index, then you’ll be able to find the correct section that much more easily.

Next I printed all of the SANS Cheat Sheets I could find: Netcat Cheat Sheet by Ed Skoudis, Google Hacking and Defense Cheat Sheet, Intrusion Discovery Cheat Sheets for Linux and Windows, IPv6 TCP/IP and tcpdump Pocket Reference Guide, Windows Command Line Cheat Sheet by Ed Skoudis, Misc Tools Cheat Sheet by Ed Skoudis, TCP/IP and tcpdump Pocket Reference Guide.

I printed out the Wikipedia page for the SIP protocol and the man pages for Snort, netcat, syslogd, tcpdump. I also printed out the headers spreadsheet from Mike Poor. I also had the Nmap Network Scanning book by Fyodor but that is a bit of overkill.

Where I take the exams they tend to not lump SANS test takers in with genpop. I guess they’ve had experiences with us flipping through the book and disturbing other people. So instead of taking the test in a cubicle, we take them at an L-shaped desk. Plenty of room to organize the open-book portion of the exam. The limitation on the amount of things you can bring in remains the same. This can be kind of rough because the test is drawn from 3 courses. I found the SANS bookbag to hold a good amount of things, and I think it falls under the “bookbag” size limit.

So that’s it for part one.   The next GSE lab is scheduled for Orlando at the end of March.


  1. Hey Roger,
    Congrats on passing the GSE. Been reading your blog here when I can. You are really starting to collect the certs my friend. Impressive. I’m not sure (at this point) that I’d go for any more certs myself, but it did get me to think about them after seeing how many you’ve amassed. I also know how exclusive the GSE is. Was the written part harder than the CISSP?

    Take care,


    • Steven,
      nice hearing from you.

      I’m only half way there on the GSE. Hands on lab/test in Orlando at the end of March. No jinxing me!

      It's hard to compare the CISSP and the SANS certifications. CISSP lines up more with the GSEC (security essentials). I don't recall if I blogged that comparison when I picked that cert up earlier this year or not. I got the CISSP SANS testing format is a lot easier. I got the CISSP in 2005. I have so much more experience now that things are much easier.
      The SANS exam format makes things easier as well. It's (limited) open book. Life is open book. But as you know from our courses, that can allow the questions to be much more specific. The GSE covers Intrusion Analyst (Snort and IP). I understand packet analysis now so much better than when we took networking.

      I know some people don’t like certs and think less of those that have them, but it's just something I collected. As a single guy I have more free time, and I want to make the most of it. Also, my company pays for one course per year. I feel that I owe it to them to get the cert. Along the way, I decided to make the GSE a goal.

      At this point I think I’m over halfway to the SANS Institute Masters degree. Trying to decide if that is something I want to work on or not. A Masters degree, unlike certifications, will never expire. On the other hand I have two masters already. Personal development-wise, it may be better for me to become a SANS mentor. Teach some of these things.

  2. Roger,

    The very best of luck with the GSE exam in the next few days.
    Drink plenty of liquids, keep a cool head and one eye on the clock!

    Hope to see your name on the GSE list in the coming weeks.

    Chris Mohan – GSE #30

  3. Do you mind if I quote a small number of your blog posts as long as I provide credit and sources returning to your site: I most certainly will also be sure to give you the proper anchortext link using your blog title: GSE Multiple Choice Exam | Roger’s Information Security Blog. Please be sure to let me know if this is okay with you. Many thanks

    • Given this was posted with a fake address, I’m going to assume that you aren’t real and didn’t want a response. If you are real, ask using the content form.
