Free GCIH Practice Test 2026 — GIAC Certified Incident Handler Exam Questions
Master the GIAC Certified Incident Handler (GCIH) exam — aligned with SANS SEC504 — with 590+ free practice questions across all 14 GIAC exam domains. Each question includes a detailed explanation grounded in real-world incident response and offensive techniques. No signup required.
GCIH Exam Overview
- Questions: 106 multiple choice (proctored)
- Time: 4 hours
- Passing score: 69% (exam versions from May 2025 onward)
- Format: Open book (printed/handwritten only)
- Cost: $999 (GIAC certification attempt)
- Validity: 4 years (renew with 36 CPEs)
- DoD 8570/8140: Approved for IAT Level III, IAM Level I, CSSP Incident Responder
Practice by GIAC Exam Domain (14 domains)
Incident Response & Cyber Investigation
Practice this domain → IR Lifecycle (PICERL) · Evidence Handling & Chain of Custody · Containment Strategies
Detecting Covert Communications
Practice this domain → DNS Tunneling · ICMP Tunneling · HTTPS C2 Channels
Detecting Evasive Techniques
Practice this domain → AV / EDR Evasion · Code Obfuscation · Fileless Malware
Detecting Exploitation Tools
Practice this domain → Metasploit Indicators · Cobalt Strike Artifacts · Empire / PowerShell Empire
Drive-By Attacks
Practice this domain → Malicious Websites · Browser Exploits · Watering Hole Attacks
Endpoint Attack & Pivoting
Practice this domain → Lateral Movement (RDP/WMI/PsExec) · Pass-the-Hash · Pass-the-Ticket
Memory & Malware Investigation
Practice this domain → Volatility Framework · Memory Acquisition · Process Tree Analysis
Network & Log Investigations
Practice this domain → Wireshark / tcpdump · Zeek (Bro) Logs · NetFlow Analysis
Networked Environment Attack
Practice this domain → ARP Spoofing · Man-in-the-Middle (MITM) · DHCP Attacks
Password Attacks
Practice this domain → Brute Force Attacks · Dictionary Attacks · Rainbow Tables
Post-Exploitation Attacks
Practice this domain → Privilege Escalation · Persistence Mechanisms · Credential Dumping (Mimikatz)
SMB Security
Practice this domain → SMB Enumeration · EternalBlue (MS17-010) · NTLM Relay Attacks
Scanning & Mapping
Practice this domain → Nmap Scan Types · Masscan · Service / Version Detection
Web App Attacks
Practice this domain → SQL Injection · Cross-Site Scripting (XSS) · CSRF
10 Free GCIH Sample Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation.
Sample Question 1 — Detecting Covert Communications
You are investigating a suspected covert communication channel on a compromised server. You notice an unusual amount of traffic on port 443, but the traffic pattern does not match typical HTTPS traffic. You suspect the use of a tool like Netcat for tunneling. Which of the following command outputs would confirm that Netcat is being used for covert communications over port 443?
- A. The output shows a continuous stream of encrypted data packets with a valid SSL handshake.
- B. The output shows a series of SYN and ACK packets with no payload data, indicating a port scan.
- C. The output displays repeated 'GET' and 'POST' HTTP requests with malformed headers.
- D. The output shows a steady stream of unencrypted data with no SSL handshake, indicating a raw data transfer. (Correct answer)
Correct answer: D
Explanation: Option D is correct because Netcat can be used to transfer raw data over a port without encryption or a formal handshake like SSL, which is typical for HTTPS traffic on port 443. Option A is incorrect because it describes legitimate HTTPS traffic. Option B is incorrect as it indicates a port scan, not data transfer. Option C is incorrect because malformed HTTP requests suggest a different type of attack, such as a web application attack, not covert communication using Netcat.
Sample Question 2 — Detecting Evasive Techniques
During an incident investigation, you suspect that an attacker has used a rootkit to hide their presence on a compromised server. Which of the following tools would be most effective in detecting a rootkit that manipulates kernel-level processes?
- A. Wireshark
- B. Volatility (Correct answer)
- C. Metasploit
- D. Nmap
Correct answer: B
Explanation: Volatility is a memory forensics tool that can be used to analyze memory dumps and detect rootkits that operate at the kernel level by examining the memory structures that these rootkits manipulate. Wireshark is used for network traffic analysis, Metasploit is a penetration testing framework, and Nmap is used for network scanning, none of which are specifically designed for detecting rootkits in memory.
Sample Question 3 — Detecting Exploitation Tools
During an incident response investigation, you suspect that an attacker has used the Metasploit Framework to exploit a known vulnerability on a server. Which Metasploit command would you use to search for available exploits related to a specific CVE identifier?
- A. search cve:2021-1234 (Correct answer)
- B. exploit -c CVE-2021-1234
- C. find CVE-2021-1234
- D. lookup CVE-2021-1234
Correct answer: A
Explanation: The 'search cve:2021-1234' command in Metasploit Framework is used to search for modules related to a specific CVE identifier. This allows incident handlers to quickly identify potential exploits that may have been used by attackers. The other options are incorrect because they do not represent valid Metasploit commands for searching exploits by CVE.
Sample Question 4 — Drive-By Attacks
During an incident response investigation, you discover that several users within your organization were compromised through a drive-by attack. The attack leveraged a known vulnerability in a popular web browser, which was exploited using an exploit kit. What is the most effective immediate action to prevent further exploitation of this vulnerability?
- A. Instruct users to avoid using the affected browser until a patch is released.
- B. Deploy a firewall rule to block traffic to the exploit kit's known IP addresses.
- C. Apply the latest security patches to all instances of the affected web browser across the organization. (Correct answer)
- D. Implement network segmentation to isolate compromised systems.
Correct answer: C
Explanation: Applying the latest security patches to the affected web browser is the most effective immediate action to prevent further exploitation. This directly addresses the root cause by fixing the vulnerability that the exploit kit targets. While instructing users to avoid the browser (A) or blocking known IPs (B) can help, they are not comprehensive solutions. Network segmentation (D) is useful for containment but does not address the vulnerability itself.
Sample Question 5 — Endpoint Attack and Pivoting
During an incident response, you discover that an attacker has gained access to a workstation within your network and is attempting to move laterally to other systems. Which of the following PowerShell commands could the attacker use to gather information about other computers in the network to facilitate lateral movement?
- A. Get-NetIPAddress
- B. Get-Process
- C. Get-NetNeighbor
- D. Get-ADComputer -Filter * (Correct answer)
Correct answer: D
Explanation: The 'Get-ADComputer -Filter *' PowerShell command is used to query Active Directory for a list of computers. This can provide attackers with information about other systems in the network, which is useful for lateral movement. 'Get-NetIPAddress' retrieves IP configuration information for the local machine, 'Get-Process' lists processes on the local machine, and 'Get-NetNeighbor' displays information about neighboring network devices, but does not provide the same level of detail about other computers in the domain as 'Get-ADComputer' does.
Sample Question 6 — Incident Response and Cyber Investigation
During an incident response, what is the correct order of steps in the PICERL methodology?
- A. Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned (Correct answer)
- B. Identification, Preparation, Containment, Eradication, Recovery, Lessons Learned
- C. Preparation, Containment, Identification, Eradication, Recovery, Lessons Learned
- D. Identification, Containment, Preparation, Eradication, Recovery, Lessons Learned
Correct answer: A
Explanation: PICERL stands for Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. This is the standard incident response methodology used by security teams to systematically handle cybersecurity incidents.
Sample Question 7 — Memory and Malware Investigation
Which Volatility plugin would you use to identify running processes in a Windows memory dump?
- A. psxview
- B. pslist (Correct answer)
- C. psscan
- D. psverify
Correct answer: B
Explanation: The pslist plugin displays a list of running processes by following the doubly-linked list pointed to by PsActiveProcessHead. While psscan and psxview provide additional verification capabilities, pslist is the primary plugin for viewing running processes.
Sample Question 8 — Network and Log Investigations
What TCP flag combination indicates a SYN flood attack in network traffic analysis?
- A. Multiple SYN packets with ACK responses
- B. Multiple SYN packets without corresponding ACK responses (Correct answer)
- C. Multiple RST packets from the same source
- D. Multiple FIN packets without prior connections
Correct answer: B
Explanation: A SYN flood attack is characterized by multiple SYN packets sent to a target without the attacker responding to the SYN-ACK replies. This exhausts the target's connection table by leaving many half-open connections.
Sample Question 9 — Networked Environment Attack
During an incident response, you suspect that an attacker is performing a Man-in-the-Middle (MitM) attack on your network. You decide to use Wireshark to analyze the network traffic. Which of the following indicators in the packet capture would most likely confirm the presence of a MitM attack?
- A. Numerous ARP requests and replies with conflicting IP and MAC addresses. (Correct answer)
- B. A high number of HTTP 404 errors in web traffic.
- C. Unusually large DNS query responses.
- D. Consistent TCP retransmissions and out-of-order packets.
Correct answer: A
Explanation: Option A is correct because ARP spoofing is a common technique used in MitM attacks, which can be detected by observing conflicting IP and MAC addresses in ARP requests and replies. Option B (HTTP 404 errors) can indicate broken links or misconfigurations but is not specific to MitM attacks. Option C (large DNS responses) might suggest DNS amplification attacks, not MitM. Option D (TCP retransmissions) could indicate network congestion or packet loss, not necessarily a MitM attack.
Sample Question 10 — Password Attacks
When using John the Ripper for password cracking, what does the "--incremental" mode do?
- A. Performs dictionary attacks only
- B. Generates passwords using character combinations (Correct answer)
- C. Uses rainbow tables for hash lookups
- D. Performs brute-force attacks with patterns
Correct answer: B
Explanation: The --incremental mode in John the Ripper generates passwords by trying different character combinations based on character frequency analysis. This is more efficient than pure brute-force as it tries more likely combinations first.
How Much Does the GCIH Exam Cost in 2026?
The GCIH is one of the pricier security certifications, which makes free practice questions especially valuable before you commit:
- Standalone certification attempt: $999 USD
- Retake: $899 USD
- Official GIAC practice tests: $399 each (two are included if you buy the SANS course bundle)
- SANS SEC504 course bundle: roughly $8,780–$9,045 including the exam attempt, 2 practice tests, and 4 months of lab access
- Renewal: every 4 years, $499 with 36 CPE credits
There are no prerequisites — you can challenge the GCIH exam directly without taking SEC504. Many self-studiers pass by combining the exam objectives with heavy question practice, which is exactly what this free GCIH practice test is built for.
How Hard Is the GCIH Exam?
GCIH sits at a moderate difficulty level within the GIAC lineup — more demanding than entry-level certs like Security+ or GSEC, but less brutal than GCIA or GCFA. Three things trip up most candidates:
- Tool-specific questions. The exam references tools from SEC504 labs — Metasploit, Scapy, netcat, log and SIEM analysis. If you self-study, drill practice questions that name real tools and flags.
- Incident-handling phase confusion. Expect scenario questions asking what to do first — preparation, identification, containment, eradication, recovery, or lessons learned. Mixing up phases is the most common wrong answer.
- CyberLive hands-on items. Some questions require working in a live environment during the exam, so pure memorization isn't enough.
The good news: GCIH is open book. You can bring printed notes and a custom index. Candidates who build an index and score consistently above 75% on practice tests across all domains typically pass comfortably.
Is the GCIH Worth It in 2026?
For incident response, SOC, and blue-team careers — yes. The GCIH is DoD 8570/8140 approved (IAT Level III, IAM Level I, CSSP Incident Responder), making it a requirement-checker for many government and defense roles. It validates hands-on ability to detect, respond to, and resolve real incidents, which hiring managers weight more heavily than purely theoretical certifications. Common roles include incident responder, SOC analyst, threat hunter, and security engineer.
How to Use This GCIH Practice Test
- Baseline yourself with the 10-question quick-start test to see where you stand.
- Drill by domain using the 14 domain-specific practice tests above, starting with your weakest areas.
- Read every explanation — even for questions you get right. GCIH rewards understanding attacker techniques, not memorizing answers.
- Build your index as you practice. Add tools, flags, and phase definitions you miss to your open-book index.
- Simulate exam conditions before test day: 4 hours, printed materials only, aiming above 75%.
GCIH Frequently Asked Questions
Is this GCIH practice test free?
Yes. FlashGenius offers 590+ free GCIH practice questions across all 14 GIAC exam domains with detailed explanations and no signup required. Premium unlocks the full question bank, exam simulations, and adaptive practice.
How many questions are on the GCIH exam?
The GCIH exam has 106 questions, including multiple-choice and CyberLive hands-on items, completed in a 4-hour proctored session.
What is the passing score for the GCIH exam?
The GCIH passing score is 69% for exam versions released on or after May 10, 2025 (previously 70%). GIAC sets passing scores using psychometric standard-setting studies.
Is the GCIH exam open book?
Yes. GCIH is open book — you may bring printed books, notes, and a custom index into the exam. No electronic devices are allowed. Most candidates build a detailed index of SEC504 materials before exam day.
How much does the GCIH exam cost?
A standalone GCIH certification attempt costs $999 USD, with retakes at $899. Official GIAC practice tests cost $399 each. The SANS SEC504 course bundle runs roughly $8,780–$9,045. Renewal every 4 years costs $499.
How hard is the GCIH exam?
GCIH is moderately difficult within the GIAC lineup — harder than entry-level certs but easier than GCIA or GCFA. The open-book format helps, but the exam tests applied incident-handling skills, specific tools, and CyberLive hands-on tasks.
Do I need to take SANS SEC504 before the GCIH exam?
No. There are no prerequisites — you can challenge the GCIH exam directly without taking SEC504. Self-studiers should practice heavily with realistic questions since the exam references tools from SEC504 labs.
How long should I study for the GCIH?
Most candidates with some security experience study 4–8 weeks. Beginners should plan 2–3 months and focus on weak domains identified through practice tests.
How long is the GCIH certification valid?
GCIH is valid for 4 years. Renew with 36 CPE credits and a $499 renewal fee, or retake the current exam version.
Is the GCIH worth it in 2026?
Yes for incident response and SOC careers. GCIH is DoD 8570/8140 approved, widely recognized by employers, and validates hands-on skills in detecting and responding to real attacks.
Quick 10-Question GCIH Practice Test
Take a free 10-question GCIH quick-start practice test mixing all 14 GIAC exam domains. Get instant scoring with detailed explanations.
Start the free GCIH quick-start practice test now | Get premium GCIH question bank
Free GCIH Cheat Sheet
Revising last-minute? Use the free GCIH cheat sheet for a one-page summary of incident-handling phases, attacker tools, and key commands — perfect for building your open-book index.
Related Free Security Practice Tests