GCIH

GIAC Certified Incident Handler

GIACPersonnel certification (ISO 17024)Security Operations

Created per CertMap methodology · Updated 12 May 2026 · About the editorial team →

▾ Jump to …4 sections

Overview

What is GCIH?

The GCIH is the leading certification for incident responders and targets individuals who actively respond to and investigate security incidents. It is typically based on the SANS course SEC504 and provides practical knowledge of attack techniques as well as their detection and containment. The open-book format of the exam favors understanding-based learning over rote memorization, making it more challenging than it initially appears. For blue team professionals in SOC environments, the GCIH is one of the most valuable proofs of operational competence. However, the SANS course path is very expensive – self-study is possible, but significantly more difficult without lab access.

Quick facts

AccreditationISO/IEC 17024 by ANAB

Languagesen

RecognitionGlobal

Key details

Cost, prerequisites, exam & renewal

Cost over 5 years

Exam fee (acquisition)€8,744

Renewal fees (5 years)€441

5-year total€9,185

How is TCO calculated? →

Classification

CertMap score and matching roles

Rating

Market recognition2 / 32 / 3

Scheme quality2 / 32 / 3

Practice evidence2 / 32 / 3

Maintenance2 / 32 / 3

Matching NICE roles

Operational Technology (OT) Cybersecurity Engineering Infrastructure Support Systems Security Analysis Technical Support Cybersecurity Curriculum Development Cybersecurity Instruction Privacy Compliance Systems Security Management Technology Portfolio Management Defensive Cybersecurity

Mapping from NIST NICE Framework SP 800-181, status 2025. NIST source ↗

More certifications

From GIAC

GASAEGIAC AI Security Automation Engineer GCFAGIAC Certified Forensic Analyst GICSPGIAC Global Industrial Security Professional GOAAGIAC Offensive AI Analyst GPENGIAC Certified Penetration Tester GSEGIAC Security Expert GSECGIAC Security Essentials Certification

In Security Operations

CCOAISACA CySA+CompTIA GCFAGIAC MAD CTIMITRE Engenuity MAD FundamentalsMITRE Engenuity MAD Purple TeamingMITRE Engenuity MAD SOCAMITRE Engenuity MAD Threat HuntingMITRE Engenuity PECB CCTAPECB PECB CIRPECB PECB LCFEPECB

This page follows CertMap methodology: editorial content is curated by hand. Score, costs and NICE mapping are aggregated from official provider documents. Score methodology → · TCO methodology →

Transparency: CertMap is operated by Daniel Thomas Heessel, who is also managing director of Threat‑Informed, a company specialising in Threat‑Informed Defense. He additionally offers consulting services on CertMap. CertMap currently receives no commissions from certification providers, no affiliate links, no sponsored placements. Podcast and interview guests are not paid for appearances and receive no affiliate commissions.

From the knowledge base

View all articles →

Methodology

About the CertMap editorial team

CertMap is an independent platform for comparing cybersecurity certifications, built on data-journalism standards that combine editorial curation with mechanical aggregation.

3 min read

Fundamentals