
GIAC Penetration Tester

Updated May 1, 2026. 12 min read. Written by Certsqill experts.

Quick facts: GPEN

Exam cost: $949 (or included with SANS course)
Questions: 82–115 (open-book)
Time limit: 3 hours
Passing score: 74%
Valid for: 4 years
Testing: GIAC

Who this exam is for

The GIAC Penetration Tester certification is designed for professionals who perform, or want to move into, penetration testing in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The GPEN exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

Domain (weight): Focus areas

Reconnaissance (15%): Covers passive and active reconnaissance techniques: OSINT via Shodan, Maltego, and theHarvester; DNS enumeration with dig and dnsenum; WHOIS analysis; and social engineering research methodology.

Scanning & Enumeration (15%): Tests Nmap scan types (SYN, UDP, version detection, script scanning), Nessus vulnerability scanning, SMB enumeration with enum4linux, SNMP enumeration, and web application fingerprinting with Nikto and Wappalyzer.

Exploitation Techniques (25%): Focuses on Metasploit Framework usage (search, use, set, exploit, sessions), manual exploitation of common CVEs, password attacks (hashcat, John the Ripper, credential stuffing), and web exploitation (SQLi, XSS, IDOR, LFI/RFI).

Post-Exploitation (20%): Addresses privilege escalation on Windows (token impersonation, unquoted service paths, DLL hijacking) and Linux (SUID/SGID, sudo misconfigurations, cron job abuse), credential harvesting with Mimikatz, and persistence mechanisms.

Pivoting & Tunneling (15%): Covers SSH port forwarding (local, remote, dynamic), Metasploit route and socks proxy for pivot chains, proxychains configuration, and chisel/socat for tunneling through restricted network segments.

Reporting (10%): Tests penetration test report structure (executive summary, methodology, findings, risk ratings), CVSS v3 scoring, remediation recommendation writing, and rules of engagement documentation.

Note the domain with the highest weight (Exploitation Techniques, 25%): many candidates under-invest here because it feels conceptual. In practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Tool Selection Scenario
"During an engagement you have shell access to a Windows host but cannot reach the internet. You need to enumerate local admin hashes without triggering AV. Which tool and technique combination is most appropriate?"
GPEN is open-book, so tool questions test whether you know which tool fits the constraint (AV evasion, no internet, specific OS). Index your notes by tool name and use case — do not rely on memorizing every flag.
Attack Chain Sequencing
"A tester has obtained NTLM hashes from a domain controller via secretsdump. The target network has SMB signing disabled. Which attack technique is enabled by these two conditions together?"
Sequencing questions require you to chain reconnaissance findings into an attack. Know which conditions enable Pass-the-Hash, Kerberoasting, AS-REP Roasting, and NTLM relay — each has specific prerequisites the exam tests.
CVSS Scoring Calculation
"A buffer overflow vulnerability in a web-facing service requires no authentication, allows arbitrary code execution as root, and has a public exploit. What is the approximate CVSS v3 Base Score range?"
CVSS v3 questions are straightforward if you memorize the metric values. AV:N (Network), AC:L (Low), PR:N (None), UI:N (None), S:U, C:H, I:H, A:H maps directly to a Critical score. Practice the scoring matrix with five to ten examples.

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

Week 1: Reconnaissance, Scanning & Enumeration
  • Set up a lab with Kali Linux and vulnerable VMs (Metasploitable 2/3, VulnHub targets); perform passive recon using theHarvester, Shodan CLI, and Maltego CE.
  • Run Nmap scan types against lab targets: SYN scan, UDP top-100, version detection (-sV), OS detection (-O), and NSE scripts (smb-enum-shares, http-title).
  • Enumerate SMB with enum4linux and smbclient; enumerate SNMP with snmpwalk; fingerprint web applications with whatweb and nikto.
  • Build an indexed reference notebook (physical or digital) for GPEN tools: Nmap, Nessus, enum4linux, theHarvester — include common flags and their outputs.
Week 2: Exploitation & Metasploit Framework
  • Work through Metasploit fundamentals: msfconsole navigation, search by CVE and platform, configure payloads (windows/meterpreter/reverse_tcp), and manage sessions.
  • Exploit EternalBlue (MS17-010) and other common CVEs on Metasploitable; document the exact module path, required options, and post-exploitation commands.
  • Practice password attacks: crack NTLM hashes with hashcat using rockyou.txt wordlist, perform rule-based mutations, and use John the Ripper for shadow file cracking.
  • Perform web exploitation: manual SQLi with sqlmap, reflected XSS in a form field, and LFI to read /etc/passwd on a PHP lab environment.
Week 3: Post-Exploitation, Pivoting & Tunneling
  • Escalate privileges on Windows: exploit unquoted service paths, DLL hijacking in a writable directory, and impersonate tokens using incognito in Meterpreter.
  • Escalate on Linux: find SUID binaries with find / -perm -4000, exploit sudo misconfigurations via GTFOBins, and abuse writable cron jobs for persistence.
  • Set up a pivot chain: compromise Host A, route traffic through Metasploit to reach Host B on an isolated subnet, and exploit a service on Host B from the attacker machine.
  • Configure SSH dynamic port forwarding and proxychains to route Nmap and browser traffic through a compromised bastion host; verify with a DNS leak test.
Week 4: Reporting, CVSS Scoring & Mock Exams
  • Write a sample penetration test report for a completed lab engagement: executive summary, scope, methodology, findings table with CVSS scores, and remediation steps.
  • Practice CVSS v3 scoring for 15 vulnerabilities from NVD; compare your scores to the official NVD ratings and identify where your metric interpretations differ.
  • Take two full open-book mock exams under 3-hour limits; use your index notebook as you would on exam day to simulate the real open-book experience.
  • Review the open-book strategy: bookmark the 10 most commonly referenced tool syntax pages in your notes and practice looking up answers within 60 seconds.

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Mismanaging the open-book advantage
GPEN's open-book format is only an advantage if your notes are well-organized. Candidates who arrive with disorganized materials spend too long searching and run out of time. Build a structured index before the exam: tool name, use case, key flags, and example output. Timed lookup practice is as important as content knowledge.
Neglecting Active Directory attack prerequisites
Kerberoasting, AS-REP Roasting, Pass-the-Hash, and NTLM relay each require specific conditions (service accounts with SPNs, accounts without pre-auth, SMB signing disabled). Candidates who memorize attack names without their prerequisites consistently answer multi-step attack chain questions incorrectly.
Confusing local and remote SSH port forwarding
Local forwarding (ssh -L) opens a listening port on your machine and relays each connection through the SSH server to a destination the server can reach; remote forwarding (ssh -R) opens a listening port on the SSH server and relays connections back to a destination reachable from your machine. Dynamic forwarding (ssh -D) opens a local SOCKS proxy that routes arbitrary destinations through the SSH server. These three modes appear in pivoting scenarios and are frequently swapped by candidates who have not practiced them hands-on.
Undervaluing the Reporting domain
At 10% of the exam, reporting questions are easy marks that many candidates skip during preparation. CVSS v3 scoring, rules of engagement components, and finding severity classification (Critical/High/Medium/Low) are straightforward with focused study. Losing points here due to under-preparation is avoidable and costly.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.
