🛡️ GIAC GCIA (Intrusion Analyst)

🧠 1. Certification Name and Issuing Body

Full certification name: GIAC Certified Intrusion Analyst (GCIA)
Issuing organization: GIAC – Global Information Assurance Certification (by SANS Institute)
Official website: https://www.giac.org/certifications/intrusion-analyst-gcia/

What skills does it certify?
In-depth packet analysis, network protocol understanding, traffic anomaly detection, and use of intrusion detection systems (IDS)
Target roles or profiles:
SOC Analyst (Tier II/III), Threat Detection Engineer, Intrusion Analyst, Network Security Analyst
Practical applications:
Detecting and analyzing malicious activity via raw packet capture (PCAP), IDS tuning, alert triage, and forensic network investigation

Recommended prior certifications:
GSEC, Security+, CySA+, or equivalent foundational security knowledge
Suggested experience:
2–3 years in a SOC, NOC, or network engineering role with exposure to security monitoring
Required technical knowledge:
Deep knowledge of TCP/IP, packet headers, DNS, HTTP, ICMP, ARP, IDS/IPS operation (Snort, Suricata), Linux CLI, Wireshark/tcpdump

Key domains/modules:
1. Network Architecture and Traffic Analysis
2. Packet-Level Analysis and Protocol Dissection
3. Intrusion Detection System (IDS) Concepts and Implementation
4. Signature Creation and Tuning
5. Network Forensics and Investigation
6. Detection of Scanning, Probing, and Malware
Technologies/tools:
tcpdump, Wireshark, Snort, Suricata, Bro/Zeek, Netcat, Network Miner, tcpreplay
Framework mapping:
MITRE ATT&CK (Reconnaissance, Command and Control), NIST 800-94 (Guide to IDS), NICE Framework (PR-DE, PR-DS, PR-IP)

Style: Highly technical and analytical
Labs/environments: SANS SEC503 (optional course) includes hands-on labs with packet analysis and IDS configuration
Materials: SEC503 courseware (recommended), GCIA practice tests, PCAP samples, SANS cheat sheets
Recommended platforms: SANS OnDemand, Corelight (Zeek), Malware-Traffic-Analysis.net, Security Onion (for lab setup)

Exam-only fee: $949 USD
SEC503 course + exam bundle: ~$7,000–$8,000 USD (includes live or OnDemand course, labs, materials, 2 practice exams)
Renewal cost: $479 USD or submit 36 CPEs over 4 years

Demand/popularity: Highly respected in defense, SOC, and forensic roles; valued by government and Fortune 500 SOCs
Organizations that value it: NSA, U.S. DoD (8570 baseline cert), major banks, MSSPs, aerospace and energy sectors
Comparison:
- More in-depth than CySA+
- Stronger packet analysis focus than SC-200
- Ideal pairing with GCIH for full IR + detection skill set

Job roles:
Intrusion Analyst, SOC Tier II/III, Threat Hunter, Security Operations Engineer, Detection Engineer
Suggested paths:
→ GSEC → GCIA → GCIH / GCFA
→ CySA+ → GCIA → Zeek + MITRE-powered Threat Hunter

Validity: 4 years
Renewal options:
- Submit 36 Continuing Professional Experience (CPE) credits
- Pay renewal fee ($479 USD)
- Retake the latest GCIA exam

Ideal for:
Blue teamers, SOC professionals, and network security engineers who want to master detection, packet analysis, and IDS tuning
When to pursue:
After CySA+ or 1–2 years in SOC or network defense; before advanced certs like GCFA, GREM, or threat hunting programs
Tips:
Build a detailed open-book index for the exam. Use PCAP practice regularly. Understand the nuances between normal and malicious network behavior.