GIAC Certification Cheat Sheet 2026
The 30 highest-yield GIAC Certification facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
106 questions
240 min time limit
70.00% to pass
- Which technique allows an attacker to move laterally in a Windows environment using captured NTLM hash values without cracking them? → Pass-the-Hash
- Which Burp Suite feature automatically tests web application parameters for common vulnerabilities like XSS and SQL injection? → Scanner
- In the x86 calling convention, which register holds the 32-bit integer return value of a function call? → EAX
- Which of the following IP packet components handles authentication when IPSec is being used? → Authentication Header (AH)
- Which of the following programs generates cryptographic hashes of all important system files that need to be checked for changes automatically? → Tripwire
- Which practice in DevSecOps involves automatically creating and destroying ephemeral environments for each test run? → Immutable infrastructure
- Which free, open-source reverse engineering framework developed by the NSA is widely used for static disassembly and analysis of malware binaries? → Ghidra
- What does the GWAPT exam primarily test candidates on? → Web application security assessment and exploitation
- During a GPEN-level penetration test, which tool is most commonly used for password cracking via brute force? → Hashcat
- Which type of firewall guarantees that the packets are a part of the established session, out of the following? → Stateful inspection firewall
- What binary analysis technique allows examining program behavior without executing it by reading disassembled or decompiled code? → Static analysis
- Which Windows artifact tracks program compatibility information and serves as forensic evidence of application execution? → AppCompatCache (ShimCache)
- What cloud security model defines who is responsible for securing what aspects of a cloud deployment? → Shared responsibility model
- Which exploitation technique bypasses ASLR by leaking a memory address from a loaded module to calculate base addresses? → Information leak / ASLR bypass
- What type of cloud security tool scans Infrastructure as Code templates for security misconfigurations before deployment? → IaC security scanner (SAST for IaC)
- What is the GXPN exam's primary focus area that distinguishes it from the standard GPEN certification? → Custom exploit development and advanced vulnerability research
- Which of the following attack types is only meant to prevent users from using a computer resource? → Denial of Service attack
- What is the Master File Table (MFT) in NTFS forensics? → A database containing metadata for every file and folder on an NTFS volume
- What hashing algorithm is most commonly used to verify forensic image integrity during acquisition? → SHA-256
- What is the GPEN exam format in terms of question count and passing score? → 115 questions, 71% passing
- Why do malware authors predominantly use HTTP or HTTPS for Command and Control (C2) communications? → To blend C2 traffic with legitimate web traffic and bypass firewall rules
- What is insecure direct object reference (IDOR) in web application security? → Accessing unauthorized objects by manipulating reference parameters like user IDs
- Which attack exploits NTLM authentication by responding to broadcast name-resolution requests with the attacker's IP address? → LLMNR Poisoning
- What exploit technique uses a sequence of existing executable code snippets (gadgets) ending in RET instructions to bypass DEP/NX? → Return-Oriented Programming (ROP)
- What is file carving in digital forensics? → Recovering files from unallocated disk space based on file signatures
- The database of a Web server can be accessed by an attacker using which of the following attacks? → SQL injection attack
- Which debugging tool is commonly used for exploit development on Linux to examine memory, set breakpoints, and analyze crashes? → GDB
- What forensic artifact in Windows records the number of times an application was run via the GUI, along with last execution time? → UserAssist
- Which container security practice ensures base images are regularly scanned and updated to remove known vulnerabilities? → Vulnerability scanning in CI/CD
- Which GIAC certification validates skills in conducting authorized penetration tests using hacking techniques and methodologies? → GPEN
Turn these facts into recall: