GIAC Certified Incident Handler (GCIH) sits in an unusual place among security certifications. It is technical enough to require hands-on understanding of attacker tools and techniques, but it is also organised around a practical incident handling process that maps closely to how real incidents unfold. Practitioners often credit it as the certification whose content most directly translates to day-to-day work.
The Six-Step Process
The GCIH process — preparation, identification, containment, eradication, recovery, lessons learned — overlaps with NIST SP 800-61 but is more granular about handler-level activity at each step. The granularity matters. A NIST IR programme can be excellent at the policy and process level and still struggle in execution if the handlers do not have a working method. GCIH provides that working method.
Preparation: The Playbook Layer
Preparation in the GCIH sense is not just having a plan. It is having pre-built artefacts the handler reaches for during an incident: jump kits, contact lists, known-good binaries, communication templates, forensic toolchains tested before they are needed. The exam content tests this directly — and the underlying principle is that incident response speed is largely a function of how much was decided in advance.
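One concrete form of "known-good binaries tested before they are needed" is a manifest of hashes for every tool in the jump kit, checked before the kit is used on an incident. The script below is an added illustration and is not GCIH or SANS material; the tool names, file contents and the `verify_kit` function are constructed for the example (a real kit holds binaries on read-only media and the manifest is stored separately from the kit).

```python
"""Verify a jump kit against a known-good manifest before an incident.

Added example, not from the GCIH curriculum. Tool names and contents are
constructed; in practice the manifest is generated from tools installed
from trusted media and kept separately from the kit itself.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a tool's bytes, as a hex digest."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(kit: dict) -> dict:
    """Record the hash of every tool in a known-good kit.

    `kit` maps a tool name to its file contents (bytes).
    """
    return {name: sha256_hex(data) for name, data in kit.items()}


def verify_kit(manifest: dict, kit: dict) -> dict:
    """Compare a kit about to be used against the known-good manifest.

    Returns sorted lists of tools that verified, were modified, are missing,
    or are present but not in the manifest, plus a single `ready` flag.
    A kit is only ready when nothing is missing or modified; unexpected
    files do not block use but should be explained before the kit ships.
    """
    verified, modified, missing = [], [], []
    for name, expected in manifest.items():
        if name not in kit:
            missing.append(name)
        elif sha256_hex(kit[name]) == expected:
            verified.append(name)
        else:
            modified.append(name)
    unexpected = [name for name in kit if name not in manifest]
    return {
        "verified": sorted(verified),
        "modified": sorted(modified),
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
        "ready": not missing and not modified,
    }


# Constructed known-good kit: short byte strings stand in for real binaries.
GOOD_KIT = {
    "netstat.exe": b"known-good netstat build",
    "procdump.exe": b"known-good procdump build",
    "tcpdump": b"known-good tcpdump build",
}
MANIFEST = build_manifest(GOOD_KIT)

# Constructed kit that has drifted since the manifest was made:
# one tool altered, one removed, one unknown file added.
DRIFTED_KIT = {
    "netstat.exe": b"known-good netstat build",
    "procdump.exe": b"procdump build with an unknown change",
    "helper.dll": b"file nobody added to the manifest",
}


def check_good_kit() -> dict:
    return verify_kit(MANIFEST, GOOD_KIT)


def check_drifted_kit() -> dict:
    return verify_kit(MANIFEST, DRIFTED_KIT)


if __name__ == "__main__":
    for label, result in (("good kit", check_good_kit()), ("drifted kit", check_drifted_kit())):
        print(label, "ready" if result["ready"] else "NOT ready", result)
```

Running the check as part of a scheduled preparation task, rather than at the start of an incident, is what turns the kit into a pre-decided artefact: a drifted kit is found while there is time to rebuild it from trusted media.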
Identification: Indicator-Driven, Not Alert-Driven
Identification under GCIH is about confirming that an event is an incident, scoping it, and classifying it. The handler does not just receive an alert — they investigate to determine what is actually happening, on which systems, with what indicators, and what the likely scope is. The skill is moving from "the SIEM alerted on this" to "we have a confirmed compromise on these specific assets, with these specific indicators of attacker presence."
A pattern the certification emphasises: most incidents look smaller initially than they actually are. The first system identified as compromised is rarely the only one. Skilled handlers expand the scope deliberately — checking lateral movement indicators, hunting for persistence, looking at credential reuse — before declaring containment achieved.
Containment Variants and Trade-Offs
GCIH separates short-term containment (stopping the immediate damage) from long-term containment (stabilising the environment for recovery work). Short-term containment is usually fast and disruptive — isolate the host, block the IP, disable the account. Long-term containment is more careful — rebuild from clean media, replace credentials, restore from verified backup. The framework forces handlers to think about both phases distinctly rather than collapsing them into a single "containment" step.
Eradication and Recovery as Distinct Activities
- Eradication — removing the attacker presence: malware, persistence mechanisms, compromised accounts, web shells, scheduled tasks
- Recovery — bringing the cleaned environment back into production with monitoring tuned for re-emergence
- Verification — explicit confirmation that eradication was complete before recovery proceeds
- Heightened monitoring — temporary increase in observation on recently-recovered assets, looking for return
Lessons Learned: Where the Programme Actually Improves
The certification places weight on the post-incident phase that practitioners often skip. The reason: incidents are the highest-quality data your security programme generates. Each one reveals what was missed, what was misconfigured, what was assumed but not true. A team that handles incidents well but does not feed the lessons back into preparation, detection, and policy is wasting that data. GCIH-trained handlers learn to treat the lessons learned phase as core to the job, not a coda.
Beyond the certification, the GCIH process is useful precisely because it is structured enough to be teachable and flexible enough to fit real incidents. Teams that adopt it as their internal incident handling framework tend to produce more consistent outcomes than teams that rely on individual handler judgement alone — and the consistency is what makes incident response programmes scalable.