GIAC Certification Cheat Sheet 2026

The 30 highest-yield GIAC Certification facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

106 questions
240 min time limit
70.00% to pass
  1. Which technique allows an attacker to move laterally in a Windows environment using captured NTLM hash values without cracking them? Pass-the-Hash
  2. Which Burp Suite feature automatically tests web application parameters for common vulnerabilities like XSS and SQL injection? Scanner
  3. In the x86 calling convention, which register holds the 32-bit integer return value of a function call? EAX
  4. Which of the following IP packet components handles authentication when IPSec is being used? Authentication Header (AH)
  5. Which of the following programs generates cryptographic hashes of all important system files that need to be checked for changes automatically? Tripwire
  6. Which practice in DevSecOps involves automatically creating and destroying ephemeral environments for each test run? Immutable infrastructure
  7. Which free, open-source reverse engineering framework developed by the NSA is widely used for static disassembly and analysis of malware binaries? Ghidra
  8. What does the GWAPT exam primarily test candidates on? Web application security assessment and exploitation
  9. During a GPEN-level penetration test, which tool is most commonly used for password cracking via brute force? Hashcat
  10. Which type of firewall guarantees that the packets are a part of the established session, out of the following? Stateful inspection firewall
  11. What binary analysis technique allows examining program behavior without executing it by reading disassembled or decompiled code? Static analysis
  12. Which Windows artifact tracks program compatibility information and serves as forensic evidence of application execution? AppCompatCache (ShimCache)
  13. What cloud security model defines who is responsible for securing what aspects of a cloud deployment? Shared responsibility model
  14. Which exploitation technique bypasses ASLR by leaking a memory address from a loaded module to calculate base addresses? Information leak / ASLR bypass
  15. What type of cloud security tool scans Infrastructure as Code templates for security misconfigurations before deployment? IaC security scanner (SAST for IaC)
  16. What is the GXPN exam's primary focus area that distinguishes it from the standard GPEN certification? Custom exploit development and advanced vulnerability research
  17. Which of the following attack types is only meant to prevent users from using a computer resource? Denial of Service attack
  18. What is the Master File Table (MFT) in NTFS forensics? A database containing metadata for every file and folder on an NTFS volume
  19. What hashing algorithm is most commonly used to verify forensic image integrity during acquisition? SHA-256
  20. What is the GPEN exam format in terms of question count and passing score? 115 questions, 71% passing
  21. Why do malware authors predominantly use HTTP or HTTPS for Command and Control (C2) communications? To blend C2 traffic with legitimate web traffic and bypass firewall rules
  22. What is insecure direct object reference (IDOR) in web application security? Accessing unauthorized objects by manipulating reference parameters like user IDs
  23. Which attack exploits NTLM authentication by responding to broadcast name-resolution requests with the attacker's IP address? LLMNR Poisoning
  24. What exploit technique uses a sequence of existing executable code snippets (gadgets) ending in RET instructions to bypass DEP/NX? Return-Oriented Programming (ROP)
  25. What is file carving in digital forensics? Recovering files from unallocated disk space based on file signatures
  26. The database of a Web server can be accessed by an attacker using which of the following attacks? SQL injection attack
  27. Which debugging tool is commonly used for exploit development on Linux to examine memory, set breakpoints, and analyze crashes? GDB
  28. What forensic artifact in Windows records the number of times an application was run via the GUI, along with last execution time? UserAssist
  29. Which container security practice ensures base images are regularly scanned and updated to remove known vulnerabilities? Vulnerability scanning in CI/CD
  30. Which GIAC certification validates skills in conducting authorized penetration tests using hacking techniques and methodologies? GPEN