GIAC GCIA Sample Questions & Practice Test

Try 12 GIAC Certified Intrusion Analyst (GCIA) sample questions and practice-test preview prompts on packet evidence, IDS alerts, TCP behavior, DNS tunneling, beaconing, NetFlow, TLS metadata, and SIEM correlation.

GIAC Certified Intrusion Analyst (GCIA) is a network-intrusion-analysis route for candidates who interpret packets, alerts, flow records, protocol behavior, and correlated evidence to identify suspicious activity.

Use this page to preview the kind of intrusion-analysis decisions a GCIA practice route should test. The questions below are original IT Mastery sample questions, not official GIAC exam questions.

What this route should test

  • interpreting packet, flow, DNS, TLS, HTTP, and IDS evidence in context
  • distinguishing normal protocol behavior from suspicious patterns
  • reducing false positives without ignoring attack indicators
  • correlating network evidence with endpoint, identity, and SIEM data

Sample Exam Questions

Question 1

Topic: packet analysis

A packet capture shows repeated outbound connections from one host to one rare external IP at nearly fixed intervals. What is the most useful next step?

  • A. Investigate possible beaconing by checking timing, destination reputation, host context, and related logs
  • B. Ignore it because outbound traffic is always safe
  • C. Delete the capture file
  • D. Disable all network monitoring

Best answer: A

Explanation: Regular timed connections to rare infrastructure can indicate beaconing. Analysts should correlate timing, destination, and host evidence.


Question 2

Topic: IDS alerts

An IDS signature fires on one packet, but the destination host runs a different service than the signature assumes. What should the analyst do?

  • A. Declare compromise immediately
  • B. Delete the signature
  • C. Validate context, protocol, payload, asset role, and follow-on behavior before concluding
  • D. Ignore all future alerts

Best answer: C

Explanation: Alerts need context. Asset role, protocol, payload, and follow-on behavior help distinguish real attacks from false positives.


Question 3

Topic: TCP handshake

Why is a full TCP three-way handshake relevant when evaluating an attempted connection?

  • A. It proves the application data is encrypted
  • B. It helps show whether a session was established rather than merely attempted
  • C. It confirms the user was authorized
  • D. It proves the server was patched

Best answer: B

Explanation: SYN, SYN-ACK, and ACK indicate session establishment. That is different from a scan or blocked attempt that never completed the handshake.


Question 4

Topic: DNS tunneling

Which DNS pattern is most suspicious for possible tunneling?

  • A. A short query for a known corporate domain
  • B. A single query to an approved SaaS domain
  • C. Normal recursive resolver traffic
  • D. Many long, high-entropy subdomain queries to a newly registered domain

Best answer: D

Explanation: DNS tunneling often creates long, unusual, high-entropy subdomain queries. Domain age, volume, and resolver context matter.


Question 5

Topic: beaconing

What evidence best strengthens a beaconing hypothesis?

  • A. Consistent outbound timing, repeated destination patterns, rare infrastructure, and host activity that aligns with compromise
  • B. One user opening a normal web page
  • C. A printer using DHCP
  • D. A firewall rule with a description

Best answer: A

Explanation: Beaconing analysis relies on repeated timing and destination behavior plus host context. One isolated connection is weaker evidence.


Question 6

Topic: false positives

A rule flags internal vulnerability-scanner traffic as exploit attempts. What is the best response?

  • A. Turn off the IDS permanently
  • B. Ignore all exploit alerts
  • C. Tune or suppress known scanner traffic carefully while preserving detection for unexpected sources
  • D. Allow the scanner to run with administrator passwords in logs

Best answer: C

Explanation: Tuning should reduce known noise without creating blind spots. Source, schedule, and expected behavior should be documented.


Question 7

Topic: NetFlow

Which NetFlow pattern is most useful for identifying unusual data movement?

  • A. One DNS lookup for a common site
  • B. Large outbound transfers from an unusual host to an uncommon external destination
  • C. A workstation renewing its DHCP lease
  • D. A server listening on a documented internal port

Best answer: B

Explanation: Flow records can show volume, direction, endpoints, and timing. Large unusual outbound transfers deserve investigation.


Question 8

Topic: TLS metadata

Even when TLS payloads are encrypted, which metadata can still support investigation?

  • A. The plaintext password inside the encrypted stream
  • B. The exact document content uploaded
  • C. The user’s private key
  • D. SNI where available, certificate details, JA3-style fingerprints where used, destination, timing, and flow volume

Best answer: D

Explanation: TLS encryption hides payload but not all metadata. Certificate, destination, timing, and fingerprint evidence can still guide analysis.


Question 9

Topic: HTTP status

An attacker probes many application paths and receives mostly 404 responses, then one 200 response followed by a large download. What should the analyst examine?

  • A. Whether the successful path exposed sensitive content or triggered follow-on activity
  • B. Only the number of 404 responses
  • C. The color of the browser toolbar
  • D. Whether HTTP logs can be disabled

Best answer: A

Explanation: Failed probes matter, but a successful response and data transfer are higher-value evidence. Analysts should inspect the path and follow-on activity.


Question 10

Topic: segmentation evidence

A workstation in the office VLAN initiates connections to a database subnet that should be reachable only by application servers. What is the likely concern?

  • A. Normal DNS caching
  • B. A cosmetic naming issue
  • C. Possible segmentation violation, lateral movement, or misconfigured access control
  • D. A harmless monitor setting

Best answer: C

Explanation: Unexpected cross-segment traffic can indicate policy gaps or attacker movement. Analysts should verify expected flows and enforcement points.


Question 11

Topic: SIEM correlation

Why should intrusion analysts correlate IDS alerts with endpoint and identity logs?

  • A. Correlation can connect network indicators to host behavior, user activity, and account misuse
  • B. Network data is never useful
  • C. Identity logs replace packet evidence in every case
  • D. Correlation always proves attribution

Best answer: A

Explanation: Network evidence becomes more useful when linked to host and identity context. Correlation improves confidence and scope analysis.


Question 12

Topic: attacker infrastructure

A domain used in suspicious traffic was registered yesterday, uses privacy protection, and appears in several unrelated alerts. What should the analyst do?

  • A. Delete all related logs
  • B. Trust it because new domains are always safe
  • C. Block every new domain without review
  • D. Treat it as potentially suspicious and correlate with DNS, proxy, endpoint, and threat-intel context

Best answer: D

Explanation: New and rare infrastructure is a risk indicator, not proof by itself. Analysts should correlate it with other evidence before deciding response.

Quick readiness checklist

If you miss…                        Drill this next
----------------------------------  ------------------------------------------------------------------
packet and flow questions           timing, direction, volume, sessions, and endpoints
alert interpretation questions      asset context, rule logic, and false-positive tuning
protocol questions                  TCP, DNS, HTTP, TLS metadata, and expected behavior
correlation questions               SIEM, endpoint, identity, proxy, DNS, and threat-intel evidence

Revised on Monday, May 18, 2026