I Passed the GCDA. Here's What Nobody Tells You About SEC555

All right class.

Three months of preparation, five books read twice, a physical index that grew to four pages, and an exam experience that reminded me why I have a love-hate relationship with certifications.

Here is everything nobody tells you before you book this one.


What Is This Exam Actually For

SEC555: Detection Engineering and SIEM Analytics by SANS leads to the GCDA certification. The course covers SIEM architecture, detection engineering, network and endpoint log analysis, baselining, cloud logging across Azure and AWS, alerting pipelines, and UEBA. It is genuinely broad, and that breadth is intentional.

This is not a beginner course. If you are coming in with a couple of years of IT work behind you and some security exposure, you are probably ready. If you are fresh with no operational background, you will struggle. To put the difficulty in perspective: AZ-500 (Microsoft Azure Security Engineer Associate) sits at around a 5 out of 10, SC-200 (Security Operations Analyst Associate) is a 2, and SEC555 is a solid 7 (obviously this is my own take, and any of them may feel vastly different to you).

The people who get the most from this course are SOC analysts, detection engineers, senior security engineers, threat hunters, and architects. Penetration testers also benefit because understanding how defenders build detections directly improves how you think about evading them.


What Three Months Actually Looks Like

I started with the video course. Roughly 30 hours of content. After each section, SANS gives you a set of practice questions. I did not move forward until I scored perfectly on every set, and more importantly until I understood why each answer was correct. Just memorising the answer and moving on is how people fail exams and learn nothing.

After finishing the video content, I read all five books that come with the course. Then I read them again. The first read is comprehension. The second read is retention. Skipping the second read is a mistake.


The Index Is the Entire Game

This is an open book exam. You bring your physical books into the test centre. You can write notes and build an index. Most people underestimate how much the index matters until they are sitting in front of question 47 with 30 minutes left.

I built mine using small sticky notes attached to the actual book pages; after a day the books looked like a porcupine. I then created a separate Excel spreadsheet organised by topic, cross-referenced by book, page number and a short description. By the end I had three full pages covering detection concepts, protocols, event IDs, and attack techniques, plus a separate standalone page dedicated entirely to the software types mentioned throughout the course.

Do not use AI to build your index. This is the part that is really important. When you write something down in your own words, following your own logic and your own associations, you remember it differently than if you read something generated for you. Your index should reflect how your brain connects concepts. When you are on question 60 with 18 minutes left and you need to find something fast, you will instinctively go to the right page because you wrote it. That does not happen with an index someone else built for you.

Build it alongside the books, not after. Every time you see a bolded term, a port number, a Windows Event ID, a piece of software, or anything that looks like it could appear on a test, index it immediately. If you wait until the end to build it, you will miss half of what matters.


How to Actually Use the Practice Tests

GIAC gives you two practice exams. You can take each one exactly once. Do not waste them.

I finished the course and both book reads, then opened practice test one. Scored 79%, which is exactly the passing threshold for the GCDA. That number looked fine on paper until I thought about walking into the real exam with zero buffer.

The practice tests tell you when you get something wrong and give you context on the correct answer. I documented every single question I missed and went back through the books to understand the full picture, not just read the explanation and move on.

That process took another two weeks. I added an entire extra page to my index covering areas I had underweighted: HTTP status codes, common ports, DNS attacks, Windows Event ID calculations for EPS, Syslog PRI values, and IIS log formats. Stuff that felt like background knowledge turned out to be directly tested.

Practice test two: 86%. At that point I felt ready to book.


What the Test Centre Is Actually Like

You book through Pearson VUE online. Straightforward process, and there will almost certainly be a location within an hour of you. In my case, exactly that.

The admin process at the centre is what you expect. Show documents, sign paperwork, get walked through the rules. Nothing surprising. What nobody prepares you for is the desk space.

The desk had room for approximately one book. One. I had five books and a four-page index. The staff were kind and gave me two extra chairs to stack books on, which I appreciated, but shuffling between a stack of books on chairs next to you while a timer ticks is not efficient. It is genuinely disruptive.

Check the test centre before you go or call them and ask about the physical setup. It will not always matter, but when you have 1.5 minutes per question and you are hunting through books, desk space is time.


The Calculator Problem Nobody Mentions

There are 75 questions. You have 2 hours. That is 1.5 minutes per question on average, and that average does not feel generous when you hit a question asking you to calculate EPS from a three-year traffic diagram.

The exam has a built-in calculator. It does not display number separators. So 1,000,000,000 shows as 1000000000 on what was approximately a 20-inch monitor. When you are working with large numbers under time pressure, that becomes a genuine problem. I ended up writing numbers on the physical notepad first to count digits, then typing into the calculator. Annoying, but avoidable if you know it is coming.


The Two Things That Will Save You Time

You can take a 15-minute break and split it across two breaks, but you only have 15 minutes total across the whole exam. Take the break even if you feel fine. Step away, breathe, look through your index, revisit any questions you flagged. You will come back sharper. (No, you cannot use your mobile phone during breaks to check answers; it is locked in the locker.)

You can also postpone up to 15 questions and return to them. Use this aggressively. If a question is going to cost you two or three minutes of book hunting, postpone it. Bank the time for questions you can answer cleanly. Come back to the hard ones at the end when you know exactly how many minutes you have left.

I finished with roughly three minutes remaining. Not comfortable, but I got through it.


The Exam Is Harder Than the Practice Tests

Not harder in the same way. The question structure is similar, but the actual content goes deeper into specifics. Some questions require very precise knowledge about individual protocols or one-line items buried in the books that you would never prioritise unless you indexed obsessively.

Some of those questions have no relationship to real-world security work. The justification GIAC uses is that these questions test your ability to navigate your index and locate correct answers under pressure. I partially accept that argument. But there is a difference between testing navigational skill and asking questions that are obscure for the sake of obscurity.

The good news is that a solid portion of the exam tests what you actually want to be tested on: DNS flux and double-flux, Windows event channel selection, the purpose of honeytokens, SIEM architecture tradeoffs, detection engineering methodology, pretty much everything already in the books. Those questions are likely to appear, and if you did the work, you answer them without needing the books at all.


The Course Itself: 9/10

Nick Mitropoulos does excellent work walking through the labs. The virtual machines are well set up, the content is practical, and the material genuinely translates to real security work. After finishing the course, I had around 80 actionable ideas to bring back to my own environment. Architecture changes, new analytic rules, workbook improvements, GitHub repositories I had not come across before, and a completely different lens on how detection engineering fits together as a discipline.

The one section I skipped mentally was Wazuh. I understand why it exists in the course because not everyone works in a Microsoft environment, but if you live in Sentinel and Defender XDR like I do, those labs will not be relevant to you. Skip them without guilt, but make sure to at least index some of the core topics.


The Exam: 5/10

I dislike exams that rely on obscure recall over genuine understanding. This one leans into that approach more than it should for something meant to validate detection engineering competence. The structure feels similar to Microsoft certifications in that it is designed to be difficult to pass, not necessarily to assess whether you can do the job.

The knowledge from the course itself is excellent. The way the exam tests that knowledge is a different story.


Before You Sit Down

Work through this in order:

Preparation:

  • Read every book twice, build your index alongside the second read
  • Retake section quizzes until you score perfectly and understand every answer
  • Take practice test one only after completing everything above
  • Document every wrong answer, go back into the books, fill the gaps
  • Explicitly add HTTP codes, ports, DNS attack types, Windows Event IDs, EPS calculations, Syslog PRI values, and IIS log formats to your index. Basically anything with code, numbers, or scripts.
  • Take practice test two when you feel genuinely ready, not before
  • Aim to be above 85% before you book the real exam

Logistics:

  • Call the test centre in advance and ask about desk space
  • Bring all five books plus your full index
  • On the day, use the postpone function for anything that will cost you more than 90 seconds
  • Take the break even if you do not feel like you need it

Class dismissed.