GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) – Review

I recently passed GXPN with great score (96%) and here I write my review about the course and the exam.

SANS/GIAC is the most informative and prestigious training/certification in information security industry. GXPN is the most advanced certification in Penetration Testing offered by SANS/GIAC.

My Background

I’ve almost 7 years experience in Penetration Testing and almost 75% hands-on and scattered knowledge of the course syllabus.

SANS 660 Course

SEC 660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking is the course for GXPN. The course is very informative and giving almost everything you want to start writing finding vulnerabilities and writing exploits.

The course has 6 days where:

Day 1: This day talks mainly network level attacks starting with bypassing NAC, MitM attacks, routing protocols attacks, SNMP, network manipulation and others.

Day 2: This day talks about crypto algorithms and attacks then it goes back to network booting attacks, then Powershell for penetration testers and finally attacks on restricted environment like Kios, SRP and AppLocker.

Day 3: Here things are getting more difficult. This day talks about Python, Scapy, Sulley and other fuzzing tools.

Day 4: This day talks about Linux exploitation, but it starts with introduction about memory and CPU especially in Linux.

Day 5: This day talks about Windows exploitation and anti-exploitation techniques.

Day 6: Bootcamp (CTF).


The exam is objective with about 60 questions. There are 7 lab exams where I had access to remote desktop in order to be able to figure out the answer.

The exam is open book and I had prepared two indexes for it. The first is about every tool used in the course, the usage and the page number. The other index, is the term index.

I had two practical tests before the real attempt, for the first practical test I decided to take it to measure my understanding for the course so I set immediately after the course and without the books and without preparing my index. I got 89% score which was very promising for me.

I needed about 10 days to go through the books and build my indexes. Then I set for the second practical exam with the index and the books. I got 87% this time which also gave the confidence that I am well prepared for the exam so I scheduled the exam.

In the exam, I’ve my the following with me:
– The books
– PE File format
– TCP/UDP common ports
– Metasploit Meterpreter commands

I’ve finished the exam after 2 hours and 30 minutes and got 96% score :D.

SANS Advisory Board

In the same day, I got an invitation from SANS to join their advisory board as I got high score in GXPN.

EnCase Certified Examiner (EnCE) Review

Although it is vendor-specific, EnCE is considered to be one of the top certifications in digital forensics and most covers most job postings regarding forensics.

The requirements to have this certificate:
– 64 Hours of official training Or 12 months of digital forensics experience.
– Passing exam phase I (multiple choices) and phase II (scenario and lab).

[My Path]
I’ve attended four on-demand courses from Guidance:
– Foundations in Digital Forensics with EnCase
– EnCase(R) Computer Forensics II
– EnCase(R) Computer Forensics I
– EnCe Prep Course

This path was expensive and long-term as it needed for me to be ready for the exam about 6 months.

My friend has more than one year experience in EnCase, so he applied for the exam without any course. For this case, Guidance will ask for proof of experience.

[Exam Phase I]
It is objective assessment with multiple-choice questions vary from general questions about computers, filesystem and Guidance forensic methodology. You can study from “EnCE Study Guide” which available and I believe you will not get less than 50%. I’ve passed the exam with 97% score :D.

[Exam Phase II]
This exam is to show how you do forensic practically using EnCE. I’ve got a harddisk image with PDF. In the PDF there are the description about the case and 15 questions which you need to do investigation in the image in order to be able to answer them. The output of this exam phase is a report contains all answers with evidences. There is no score for this part, but only pass or fail.

After submitting the report, it took about 3 weeks to be officially certified with EnCE.