GPEN — GIAC Penetration Tester
GPEN is the cert SANS-trained penetration testers carry, and it is one of the most respected credentials in US federal, DoD-cleared and defence-contractor environments. The exam's open-book / CyberLive format mirrors real work — you can reference your notes, but you must execute against a live VM under time pressure. GPEN sits on the DoD 8570 / 8140 baseline for CSSP-Analyst and CSSP-IR roles, and the SANS SEC560 prep course is widely considered the most thorough taught penetration-testing curriculum.
Open-book with a CyberLive VM component, so the endurance demand is lower than OSCP's, but the breadth of the SANS SEC560 material and the difficulty of preparing for it cost-effectively make it demanding.
Cost, hours and exam shape.
- Vendor: GIAC (SANS)
- Level: Professional
- Exam style: Open-book + CyberLive VM
- Prep hours (median): ~200 hours
- Exam cost (USD): $999
- Difficulty: 4/5
Pursue this if…
- You work in (or are entering) US federal, DoD-cleared or defence-contractor environments where SANS-trained operators are preferred.
- You want SANS SEC560-grade breadth across the full network-pentest lifecycle.
- You need a cert on the DoD 8570/8140 baseline for CSSP-Analyst or CSSP-IR roles.
- Your employer will sponsor the SANS courseware — the canonical, if expensive, prep path.
What you actually sit.
Proctored exam: 82 questions, 3 hours, 75% cut score. Open-book — candidates are expected to bring an indexed reference (the 'SANS index'). Includes 'CyberLive' performance-based questions where you operate a live VM to answer.
Where you should be before you book.
- No formal prerequisites; SANS recommends prior completion of SEC560 (Network Penetration Testing and Ethical Hacking) or equivalent experience
- Comfortable with the Linux/Windows command line, scripting, and networking fundamentals
What is on the exam.
A study plan you can actually follow.
- Take (or source) SEC560
  If employer-sponsored, work the SANS SEC560 course thoroughly; it is the canonical curriculum. Self-funded candidates should budget 250+ hours against the published objectives.
- Build your indexed reference
  GPEN is open-book. A well-organised index of your notes and the courseware is the single biggest predictor of passing; build and tab it as you study.
- Practise the CyberLive tasks
  Practise operating a live VM under time pressure: enumeration, password attacks, Kerberos abuse and the newer Azure attack paths.
- Take the practice tests, then sit it
  GIAC includes practice exams with the attempt; use them to validate your index and timing before the proctored sitting.
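As an added example for the "build your indexed reference" step (this is not AxVeil's or SANS's tooling), the script below turns a set of markdown study notes into a tabbed, alphabetised index of the kind candidates bring into the exam. It assumes two note-taking conventions that are my own: a marker line `@@ B<book> p<page>` records where in the courseware the following notes came from, and any phrase wrapped as `[[term]]` is a term to index. The sample notes are constructed for the demonstration.

```python
"""Build a tabbed, alphabetised index from markdown study notes.

Assumed conventions (not SANS or GIAC formats):
  @@ B<book> p<page>   location marker: everything below it is from that page
  [[term]]             a term to index against the current location
"""
import re
from collections import defaultdict
from typing import Dict, List

LOCATION_RE = re.compile(r"^@@\s*B(\d+)\s*p(\d+)\s*$")
TERM_RE = re.compile(r"\[\[([^\]]+)\]\]")


def build_index(notes: str) -> Dict[str, List[str]]:
    """Return {term: sorted unique 'B<book>:<page>' references}, terms sorted.

    Terms are case-folded so '[[Kerberos]]' and '[[kerberos]]' merge into one entry.
    """
    index = defaultdict(set)
    location = None
    for raw in notes.splitlines():
        line = raw.strip()
        marker = LOCATION_RE.match(line)
        if marker:
            location = (int(marker.group(1)), int(marker.group(2)))
            continue
        for term in TERM_RE.findall(line):
            if location is None:
                raise ValueError(f"term {term!r} appears before any '@@ B<n> p<n>' marker")
            index[term.strip().lower()].add(location)
    return {
        term: [f"B{book}:{page}" for book, page in sorted(locs)]
        for term, locs in sorted(index.items())
    }


def render_index(index: Dict[str, List[str]]) -> str:
    """Render the index as text, grouped by first letter (one group per physical tab)."""
    lines = []
    current_tab = None
    for term, refs in index.items():
        tab = term[0].upper()
        if tab != current_tab:
            current_tab = tab
            lines.append(f"== {tab} ==")
        lines.append(f"{term:<40}{', '.join(refs)}")
    return "\n".join(lines)


# Constructed sample notes, not courseware content.
SAMPLE_NOTES = """
@@ B1 p12
Scoping: agree the [[rules of engagement]] in writing before any testing starts.
@@ B2 p45
[[Kerberos]]: note the difference between a TGT and a service ticket.
[[Rules of engagement]] again: what is explicitly excluded from the test.
@@ B2 p46
[[Kerberos]] continued.
@@ B3 p7
[[Reporting]] template and severity scale.
"""

if __name__ == "__main__":
    print(render_index(build_index(SAMPLE_NOTES)))
```

Run it against your own notes directory by concatenating the files into one string; the first-letter groups map directly onto the physical tabs, and the merged page references tell you which terms are worth a dedicated tab of their own.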
Where this cert opens doors.
From the operator side of the desk.
We hire GPEN holders for engagements that touch US federal, defence-contractor or cleared-data environments where SANS-trained operators are preferred or contractually mandated. GPEN's emphasis on Azure attack-paths and on scoping/reporting discipline complements the OSCP skill set well, and the CyberLive format is closer to real engagement work than a pure multiple-choice exam.
Questions people ask before booking.
GPEN vs OSCP: which is harder?
Different exams. OSCP is 24 hours of uninterrupted hands-on exploitation against a chained environment, with a mandatory report. GPEN is 3 hours of open-book questions plus CyberLive VM tasks. OSCP tests endurance, exploit chaining and report-writing; GPEN tests breadth of knowledge and ability to operate tools quickly under time pressure. Most people find OSCP harder to pass but find GPEN harder to study for cost-effectively because of the SANS courseware price.
Is the SANS SEC560 course required?
Not formally. You can sit GPEN with self-study. In practice, the SANS course is the canonical preparation path and most successful candidates take it (often employer-sponsored — the combined course + exam runs USD 8,000+). Without the course, plan on 250+ hours of self-study against the syllabus and rely heavily on prior SEC560-derived study guides.
Does GPEN expire?
Yes — every four years. Renewal requires 36 CPE credits across the four-year cycle plus a renewal fee (USD 469 currently). CPEs come from SANS content, conferences, publications, or by retaking the exam.
Will GPEN replace OSCP on a CV?
It will not. Hiring managers reading CVs for working pentest roles look for OSCP first; GPEN is recognised as equivalent in seniority but different in flavour. The strongest CVs carry both — OSCP for hands-on credibility, GPEN for SANS-trained breadth and federal-procurement compatibility.
What is the Azure pentest coverage like?
GPEN added Azure-focused content in the most recent SEC560 / exam revision. Coverage includes Azure AD enumeration, role abuse, conditional access bypass, managed-identity exploitation and Microsoft Graph API attacks. It is breadth-level — for production AWS / Azure / GCP pentest depth, pair GPEN with a cloud-specific cert (AWS Security Specialty, GCSA) or with hands-on cloud lab time.
Need a qualified team to deliver the engagement?
We can field operators with GPEN (and the rest of the stack: OSCP, OSEP, CISSP, CISM) on engagements in 5 to 10 working days. Our Letter of Attestation lists the lead tester's credentials so your auditor can verify them.