GCTI CyberLive Questions: What to Expect and How to Prep

TL;DR
  • GCTI's 82-question exam includes CyberLive hands-on tasks executed inside live virtual environments - not simulations.
  • The 3-hour time limit and 71% passing threshold make CyberLive pacing a critical prep focus, not an afterthought.
  • CyberLive items draw heavily from Domains 4, 5, 6, and 8: OSINT, malware analysis, pivoting, and practical application.
  • The exam is open-book for printed materials only - pre-built reference sheets for YARA, STIX/TAXII, and IOC syntax are essential.

What Are CyberLive Questions?

If you've spent any time researching the GIAC Cyber Threat Intelligence certification, you've probably noticed that GIAC describes the exam as containing CyberLive components alongside standard multiple-choice questions. For many candidates, that phrase raises more questions than it answers. What exactly runs in a live environment? How long do these tasks take? Are they scored differently?

CyberLive questions are hands-on, practical items that run inside actual virtual machines or sandboxed environments provisioned during your exam session. You are not reading a scenario and selecting A, B, C, or D. You are doing something - querying a dataset, analyzing a file, pivoting through threat infrastructure, or constructing a structured intelligence output - and your actions or findings are evaluated directly.

GIAC introduced CyberLive across several of its certifications to close the gap between theoretical knowledge and applied skill. For a certification like GCTI, which is built around the idea that threat intelligence is an operational discipline rather than an academic one, CyberLive is a natural fit. Employers hiring CTI analysts, threat hunters, and intelligence team leads expect candidates to work with tools, not just describe them.

Why CyberLive Matters for GCTI: Threat intelligence is a production discipline. GIAC designed CyberLive items specifically because answering a multiple-choice question about YARA rule syntax is not the same as writing one that fires correctly on a malware sample. The practical component validates the difference.

Exam Structure and Format Breakdown

Before diving into how to prep for CyberLive tasks, it helps to understand the full exam architecture so you can allocate your 3 hours intelligently.

Exam Element          Detail
Total Questions       82 (multiple-choice + CyberLive practical items)
Time Limit            3 hours
Passing Score         71%
Exam Fee              $979 USD (standalone); retake ~$899
Practice Test         $399 (standalone)
Delivery Method       ProctorU remote or Pearson VUE onsite
Open Book?            Yes - printed materials only, no electronic devices
Activation Window     120 days from purchase
Certification Valid   4 years; renewable with 36 CPE credits or exam retake

With 82 questions and 180 minutes, your average per-question budget is just over two minutes. That sounds reasonable until you account for CyberLive items, which require spinning up a virtual environment, reading the task, executing work, and recording your answer. These tasks will consume more time per item than a multiple-choice question. Candidates who have not practiced under timed conditions routinely underestimate how quickly the clock moves during practical tasks.

GIAC does not publish the exact number of CyberLive items on the GCTI exam, nor does it disclose per-domain weighting percentages. This ambiguity is intentional - it prevents candidates from gaming the exam by skipping domains they deem unlikely to appear. Treat every domain as testable in a practical context.

Domains Most Likely Tested in CyberLive

While GIAC does not publish which domains contain CyberLive items, the nature of the content tells you a great deal. Domains with procedural, tool-based, or analytical skill requirements are the natural candidates for practical testing. Here is how the eight GCTI domains map to that expectation:

Domain 4: OSINT Collection and Analysis

This domain is a primary CyberLive candidate. Candidates must demonstrate the ability to collect, validate, and pivot through open-source intelligence sources - not merely describe the process. Tasks may involve querying passive DNS data, analyzing WHOIS records, or correlating infrastructure indicators.

  • Passive DNS lookups and infrastructure correlation
  • Identifying threat actor registration patterns
  • Evaluating source reliability and data freshness

Domain 5: Malware Analysis and Threat Attribution

Candidates may be asked to perform static or behavioral analysis on a sample, extract indicators, or map observed behaviors to a known threat group using the Diamond Model or Kill Chain framework. This domain requires practical familiarity with analysis tools, not just conceptual knowledge.

  • Extracting network and host-based indicators from samples
  • Applying the Diamond Model to attribute activity
  • Mapping behaviors to Kill Chain phases

Domain 6: Pivoting and Expanding Intelligence

Pivoting is the art of using one confirmed indicator to discover related infrastructure, actors, or campaigns. CyberLive tasks here likely involve starting with a seed indicator - an IP, a domain, a hash - and systematically expanding the picture using available data.

  • Infrastructure pivoting from IP to domain to registrant
  • Identifying shared hosting patterns across campaigns
  • Correlating malware families through shared code sections or packing techniques
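The pivot workflow above (seed indicator, then passive DNS and registrant data, then the related infrastructure) is easy to describe and easy to get wrong under a timer, because a single shared-hosting IP or bulk registrar can drag hundreds of unrelated domains into your picture. The following is an added example, not material from GIAC, SANS or this page, written in Python over constructed passive DNS and WHOIS records (the domains, IPs and registrant handles are invented). It runs a breadth-first pivot from a seed domain, records the evidence chain for every node it reaches, and refuses to expand any IP or registrant whose fan-out exceeds a threshold, which is the defensive check an analyst applies to avoid over-attribution.

```python
from collections import defaultdict, deque

# Constructed sample data (not real infrastructure): (domain, resolved_ip) pairs
# in the shape of passive-DNS output, plus a domain -> registrant handle map.
PDNS = [
    ("login-update.example", "203.0.113.10"),
    ("secure-portal.example", "203.0.113.10"),
    ("secure-portal.example", "198.51.100.5"),   # also sits on a busy shared host
    ("invoice-alert.example", "203.0.113.11"),
] + [(f"tenant{i}.example", "198.51.100.5") for i in range(40)]  # unrelated tenants

WHOIS = {
    "login-update.example": "reg-alpha@example",
    "secure-portal.example": "reg-alpha@example",
    "invoice-alert.example": "reg-alpha@example",
    "tenant0.example": "hosting-reseller@example",
}

def build_indices(pdns, whois):
    """Undirected adjacency over typed nodes: ('domain', x), ('ip', x), ('registrant', x)."""
    idx = defaultdict(set)
    for domain, ip in pdns:
        idx[("domain", domain)].add(("ip", ip))
        idx[("ip", ip)].add(("domain", domain))
    for domain, registrant in whois.items():
        idx[("domain", domain)].add(("registrant", registrant))
        idx[("registrant", registrant)].add(("domain", domain))
    return idx

def pivot(seed, pdns, whois, max_depth=3, fanout_limit=10):
    """Breadth-first expansion from a seed node.

    Returns (found, skipped): found maps node -> (depth, node it was reached from),
    so every result carries its evidence chain; skipped maps high-fan-out IPs and
    registrants (shared hosting, bulk registrars) to the reason they were not expanded.
    """
    idx = build_indices(pdns, whois)
    found = {seed: (0, None)}
    skipped = {}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        depth = found[node][0]
        if depth >= max_depth:
            continue  # depth cap: the node is reported but not expanded further
        for neighbour in sorted(idx[node]):
            if neighbour in found or neighbour in skipped:
                continue
            if neighbour[0] in ("ip", "registrant") and len(idx[neighbour]) > fanout_limit:
                skipped[neighbour] = (f"{len(idx[neighbour])} linked domains: likely shared "
                                      "hosting or bulk registrar, not expanded")
                continue
            found[neighbour] = (depth + 1, node)
            queue.append(neighbour)
    return found, skipped

def evidence_chain(found, node):
    """Path from the seed to a discovered node, for writing up how it was reached."""
    path = [node]
    while found[path[-1]][1] is not None:
        path.append(found[path[-1]][1])
    return list(reversed(path))

if __name__ == "__main__":
    seed = ("domain", "login-update.example")
    found, skipped = pivot(seed, PDNS, WHOIS)
    for node, (depth, _) in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(depth, node, "<-", " -> ".join(f"{t}:{v}" for t, v in evidence_chain(found, node)))
    for node, reason in skipped.items():
        print("skipped", node, reason)
```

With the constructed data the pivot reaches the second and third domains through the shared registrant handle and the shared dedicated IP, reports the busy 198.51.100.5 host as skipped with its reason, and never pulls in the forty tenant domains. Raising `fanout_limit` shows how quickly an uncapped pivot balloons.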

Domain 8: Practical Application of Threat Intelligence

As the domain named "practical application," this is explicitly designed for hands-on demonstration. Expect tasks that require producing an intelligence output - a structured indicator set, a STIX bundle, a YARA rule, or a summary report - rather than selecting a definition.

  • Writing syntactically correct YARA rules
  • Structuring threat data using STIX/TAXII frameworks
  • Producing intelligence outputs formatted for operational consumption

Domains 1, 2, 3, and 7 contain substantial theoretical content - CTI fundamentals, Kill Chain and Diamond Model concepts, collection source taxonomy, and intelligence storage and sharing standards - and are more likely to appear as multiple-choice questions. However, do not ignore them. A CyberLive task in Domain 8 may require you to correctly apply a Courses of Action Matrix concept from Domain 2 to complete it.

Specific Skills You Must Demonstrate

Generic "threat intelligence knowledge" is not sufficient preparation for GCTI CyberLive tasks. You need hands-on fluency with specific tools, syntaxes, and analytical frameworks. The following are non-negotiable skill areas based on the exam's stated coverage:

YARA Rule Authoring

YARA rules are a core deliverable for any CTI practitioner targeting malware detection. For the exam, you need to be able to write a rule from scratch given a set of indicators or file characteristics, understand string modifiers, and troubleshoot why a rule might produce false positives or fail to match. Memorizing YARA syntax in the abstract is not enough - you need to write rules against actual content under time pressure.
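The most common reasons a rule "should" fire but does not are the string modifiers described above: a hostname stored as UTF-16LE that an `ascii`-only string never sees, a `fullword` string that sits inside a longer token, or an `all of them` condition that one dead string drags down. The following is an added example, not code from GIAC, SANS or this page, written in Python. It emulates the `nocase`, `wide`, `ascii` and `fullword` semantics for plain ASCII text strings, evaluates `all of them` / `any of them` / `N of them` conditions, and renders the same string set as YARA source. The sample bytes and the rule strings are constructed for illustration; the emulation is an approximation of YARA for teaching, not the YARA engine itself.

```python
import re

# Constructed sample bytes standing in for a file under analysis (not a real
# malware sample): an ASCII mutex name, a UTF-16LE hostname as Windows APIs often
# store strings, and the word "beacon" embedded inside a longer token.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Global\\Mutex_Alpha1" + b"\x00" * 4
    + "C2Host.example".encode("utf-16-le") + b"\x00" * 4
    + b"notbeacon_payload" + b"\x00" * 4
)

# Rule strings as {identifier: (text, modifiers)}.
BROKEN_STRINGS = {
    "mutex": ("Mutex_Alpha1", ("ascii",)),
    "c2": ("c2host", ("nocase",)),        # ASCII only: misses the UTF-16LE copy
    "beacon": ("beacon", ("fullword",)),  # "notbeacon" is not a whole word
}
FIXED_STRINGS = {
    "mutex": ("Mutex_Alpha1", ("ascii",)),
    "c2": ("c2host", ("nocase", "wide")),  # wide: also search the UTF-16LE form
    "beacon": ("beacon", ("fullword",)),
}

def pattern_variants(text, modifiers):
    """Byte encodings a YARA text string expands to: ASCII by default, UTF-16LE
    with 'wide', and both only when 'ascii' and 'wide' are given together."""
    mods = set(modifiers)
    variants = []
    if "ascii" in mods or "wide" not in mods:
        variants.append(text.encode("ascii"))
    if "wide" in mods:
        variants.append(text.encode("utf-16-le"))
    return variants

def string_matches(blob, text, modifiers):
    """Approximate YARA matching for nocase, wide, ascii and fullword on ASCII text."""
    mods = set(modifiers)
    flags = re.IGNORECASE if "nocase" in mods else 0
    for pattern in pattern_variants(text, modifiers):
        regex = re.escape(pattern)
        if "fullword" in mods:
            # fullword: no alphanumeric byte directly before or after the match
            regex = rb"(?<![A-Za-z0-9])" + regex + rb"(?![A-Za-z0-9])"
        if re.search(regex, blob, flags):
            return True
    return False

def evaluate_rule(blob, strings, condition):
    """Evaluate 'all of them', 'any of them' or 'N of them' over the rule strings.
    Returns (rule_fires, {identifier: matched}) so a silent rule can be debugged."""
    results = {ident: string_matches(blob, text, mods)
               for ident, (text, mods) in strings.items()}
    hits = sum(results.values())
    cond = condition.strip()
    if cond == "all of them":
        fires = hits == len(results)
    elif cond == "any of them":
        fires = hits >= 1
    else:
        m = re.fullmatch(r"(\d+) of them", cond)
        if m is None:
            raise ValueError(f"unsupported condition in this emulator: {condition!r}")
        fires = hits >= int(m.group(1))
    return fires, results

def render_rule(name, strings, condition):
    """Render the strings and condition as YARA source text."""
    lines = [f"rule {name}", "{", "    strings:"]
    for ident, (text, mods) in strings.items():
        suffix = (" " + " ".join(mods)) if mods else ""
        lines.append(f'        ${ident} = "{text}"{suffix}')
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for label, strings, cond in (("broken", BROKEN_STRINGS, "all of them"),
                                 ("fixed", FIXED_STRINGS, "2 of them")):
        fires, per_string = evaluate_rule(SAMPLE_BLOB, strings, cond)
        print(render_rule(f"constructed_{label}", strings, cond))
        print(f"fires={fires} per_string={per_string}\n")
```

Running it shows the broken rule silent with only `$mutex` matching, and the fixed rule firing once `$c2` carries `wide` and the condition is relaxed to `2 of them`; dropping `fullword` from `$beacon` would make it match inside `notbeacon_payload`, which is the false-positive side of the same trade-off. The per-string result map is the habit worth keeping: when a rule is quiet, check each string individually before touching the condition.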

STIX/TAXII and OpenIOC

STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) are the dominant standards for structured threat intelligence sharing. Domain 7 covers these standards, but CyberLive tasks in Domain 8 may require you to construct or parse STIX objects correctly. The OpenIOC format is also covered; it is an alternative indicator encoding scheme you must be equally fluent in.
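Constructing a STIX object correctly means getting the common properties (`type`, `spec_version`, `id`, `created`, `modified`), the type-specific required properties, and the `type--uuid` identifier format right, and making sure every relationship's `source_ref` and `target_ref` actually resolve to an object in the bundle. The following is an added example, not code from GIAC, SANS or this page, written in Python with only the standard library (no `stix2` package). It builds a STIX 2.1 indicator for a constructed C2 hostname, a constructed malware object, and the `indicates` relationship between them, then runs a structural validator that reports the dangling-reference mistake a hand-built bundle most often contains. The object names, the `c2host.example` hostname and the checks are constructed for illustration; the validator covers a useful subset of the specification, not all of it.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: <type>--<uuid>; timestamps are RFC 3339 in UTC ("Z").
ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Type-specific required properties for the object types this example builds.
REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}

def stix_timestamp(dt=None):
    """Millisecond-precision UTC timestamp in the form STIX expects."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def make_object(obj_type, **props):
    """Create an SDO or SRO carrying the common properties every STIX 2.1 object has."""
    now = stix_timestamp()
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": now, "modified": now}
    obj.update(props)
    return obj

def build_bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}

def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle passed these checks."""
    problems = []
    if bundle.get("type") != "bundle" or not ID_RE.match(bundle.get("id", "")):
        problems.append("bundle: type must be 'bundle' and id must be bundle--<uuid>")
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for o in objects:
        obj_type, oid = o.get("type", "?"), o.get("id", "")
        label = f"{obj_type} {oid}"
        if not ID_RE.match(oid) or not oid.startswith(obj_type + "--"):
            problems.append(f"{label}: id is not <type>--<uuid>")
        for prop in ("spec_version", "created", "modified"):
            if prop not in o:
                problems.append(f"{label}: missing common property {prop}")
        for prop in ("created", "modified"):
            if prop in o and not TS_RE.match(str(o[prop])):
                problems.append(f"{label}: {prop} is not an RFC 3339 UTC timestamp")
        for prop in REQUIRED.get(obj_type, ()):
            if prop not in o:
                problems.append(f"{label}: missing required property {prop}")
        if obj_type == "relationship":
            # A relationship whose ends are not in the bundle is the classic hand-built error.
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"{label}: {ref} {o.get(ref)!r} does not resolve inside the bundle")
    return problems

def example_bundle(include_malware=True):
    """Indicator for a constructed C2 hostname, the malware it indicates, and the SRO linking them.
    include_malware=False deliberately leaves the relationship's target out of the bundle."""
    indicator = make_object(
        "indicator",
        name="Constructed C2 hostname",
        pattern="[domain-name:value = 'c2host.example']",
        pattern_type="stix",
        valid_from=stix_timestamp(),
        indicator_types=["malicious-activity"],
    )
    malware = make_object("malware", name="Constructed-Loader", is_family=False,
                          malware_types=["downloader"])
    link = make_object("relationship", relationship_type="indicates",
                       source_ref=indicator["id"], target_ref=malware["id"])
    objects = [indicator, link] + ([malware] if include_malware else [])
    return build_bundle(objects)

if __name__ == "__main__":
    bundle = example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
    print("dangling ref:", validate_bundle(example_bundle(include_malware=False)))
```

The first validation returns an empty list; the second reports exactly one problem, the `target_ref` that points at a malware object no longer in the bundle. Checking that references resolve is cheap and catches the error that a consumer's TAXII ingest would otherwise reject after you have already moved on.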

Kill Chain and Diamond Model Application

Domain 2 covers both the Lockheed Martin Cyber Kill Chain and the Diamond Model of Intrusion Analysis alongside the Courses of Action Matrix. These are not just frameworks to describe - they are analytical lenses you apply to real intrusion data. In a CyberLive context, you may be given observed behaviors and asked to classify them within a Kill Chain phase or populate a Diamond Model for a given intrusion event.

Intelligence Report Writing: Domain 7 specifically covers writing intelligence reports for executive audiences. While this is unlikely to be a full CyberLive task, understanding how to translate technical findings into strategic-level language is tested in multiple-choice questions and informs how you structure practical outputs. Practice summarizing technical findings in plain, actionable language.

Open-Book Strategy for Live Tasks

The GCTI exam is open-book - but only for printed materials. No laptops, no phones, no tablet access. This means your "index" and reference sheets must be physically printed before exam day. For CyberLive tasks specifically, this changes how you should build your notes.

Most GCTI candidates prepare a printed index organized by concept. For CyberLive preparation, you should additionally prepare:

  • YARA syntax reference sheet - string types, modifiers (nocase, wide, ascii, fullword), condition logic, and common pitfalls
  • STIX 2.x object type cheat sheet - indicators, threat actors, malware, relationships, and bundle structure
  • OpenIOC element reference - common IndicatorItem contexts and content types
  • Diamond Model template - blank template with adversary, capability, infrastructure, and victim axes labeled
  • Kill Chain phase table - each phase with corresponding defensive courses of action from the Matrix
  • OSINT pivot workflow - a procedural checklist for moving from seed indicator through infrastructure and attribution enrichment

The goal is not to have everything memorized - the exam allows your notes. The goal is to spend zero time searching for basic syntax during a timed CyberLive task. Your printed reference should let you verify, not discover.

Visit our GCTI practice test platform to work through scenario-based questions that mirror the analytical thinking required for both multiple-choice and practical items.

A Structured Prep Schedule Tied to GCTI Domains

If you are working with the 120-day activation window and aiming to sit the exam at the end of that period, here is a domain-sequenced schedule built around the GCTI content areas. This is not a generic study template - each week targets specific GCTI domains and practical skills in the order that builds on prior knowledge.

Weeks 1-2

Domains 1 & 2: Foundations and Frameworks

  • CTI lifecycle, producer/consumer models, and intelligence types (strategic, operational, tactical)
  • Kill Chain phases and corresponding defender actions
  • Diamond Model axes and intrusion event mapping
  • Courses of Action Matrix - understand how it bridges Kill Chain phases to defensive response options

Weeks 3-4

Domains 3 & 4: Collection Sources and OSINT

  • Collection source taxonomy: technical feeds, human reporting, OSINT, and finished intelligence
  • Hands-on OSINT tool practice: passive DNS, WHOIS, certificate transparency, and threat platform querying
  • Source reliability evaluation and confidence scoring
  • Begin building your printed OSINT pivot workflow reference sheet

Weeks 5-7

Domains 5 & 6: Malware Analysis, Attribution, and Pivoting

  • Static analysis basics: PE header analysis, string extraction, hashing
  • Behavioral indicator extraction and sandbox output interpretation
  • Infrastructure pivoting from network indicators to actor attribution
  • Diamond Model application to real-world intrusion data
  • Daily YARA rule writing practice - start simple, build to complex multi-condition rules

Weeks 8-9

Domains 7 & 8: Sharing Standards and Practical Application

  • STIX 2.x object types, relationships, and bundle construction
  • TAXII server/collection concepts and sharing workflow
  • OpenIOC indicator authoring
  • Intelligence report writing for executive audiences
  • Full timed CyberLive practice scenarios - treat each as an actual exam task

Weeks 10-12

Full Exam Simulation and Gap Remediation

  • Two full timed practice exams via gctiexam.com practice tests
  • Identify weak domains from practice scores and revisit targeted content
  • Finalize and print all reference sheets - index, YARA cheat sheet, STIX object guide, pivot workflow
  • Complete one timed run under exam-realistic conditions (no electronic references)

Spaced repetition works well for the conceptual domains (1, 2, 3, 7) - revisit Kill Chain phases and Diamond Model elements at increasing intervals rather than cramming. For the practical domains (4, 5, 6, 8), daily hands-on repetition builds the speed you need under a live exam timer.

Registration, Fees, and Logistics

The GCTI exam carries a standalone fee of $979 USD. If you bundle through SANS FOR578 - GIAC's recommended preparatory course, which typically runs around $8,780 - you receive two GIAC practice tests included with the bundled exam attempt. Those practice tests alone carry a standalone value of $399 each, making the bundle the most cost-effective path if you are pursuing both training and certification.

Retakes are available at approximately $899 - still a significant investment. This pricing structure strongly incentivizes thorough preparation before your first attempt. A failed attempt is not just a setback; it is a near-thousand-dollar setback.

GIAC does not mandate any formal prerequisites for GCTI, but the FOR578 course is explicitly recommended. Candidates without a CTI background who attempt the exam based solely on self-study should be realistic about the depth of practical skill required - particularly for CyberLive tasks in malware analysis and pivoting.

Your exam attempt activates a 120-day window from purchase. This is your scheduling deadline, not just a study guideline. Remote delivery via ProctorU offers more scheduling flexibility; Pearson VUE onsite centers have fixed appointment availability. If you are planning around a specific date, book your Pearson VUE appointment early in your prep window rather than waiting until you feel ready.

GCTI is accredited by ANAB to ISO/IEC 17024 standards, which means it carries recognized professional credential weight beyond GIAC's own ecosystem. For those working toward or already holding the certification, renewal requires 36 CPE credits over 4 years or a current-exam retake, with a renewal fee of $499. See our detailed guide on GCTI Renewal Requirements: CPE Credits and Process 2026 for the full renewal workflow.

Key Takeaway

The GCTI exam's $979 entry price and CyberLive practical components mean you cannot afford to treat this as a cram-and-pass certification. Build hands-on skill in YARA authoring, STIX structuring, and OSINT pivoting before you schedule your exam date. Use the 120-day window strategically - it is a prep runway, not a deadline extension.

Frequently Asked Questions

How many CyberLive questions are on the GCTI exam?

GIAC does not publicly disclose the exact number of CyberLive items on the GCTI exam. The total exam is 82 questions, combining standard multiple-choice questions with CyberLive practical tasks. Because the split is not published, candidates should prepare for practical task execution across all applicable domains rather than assuming CyberLive is a minor portion of the exam.

Can I use my notes during CyberLive tasks?

Yes. The GCTI exam is open-book for printed materials. This applies to CyberLive tasks as well as multiple-choice questions. You cannot access electronic notes, the internet, or any device other than the exam terminal. Prepare printed reference sheets specifically covering YARA syntax, STIX object types, OpenIOC structure, and your OSINT pivot workflow before exam day.

Which GCTI domains are most likely to appear as CyberLive tasks?

Based on the nature of the content, Domains 4 (OSINT Collection and Analysis), 5 (Malware Analysis and Threat Attribution), 6 (Pivoting and Expanding Intelligence), and 8 (Practical Application of Threat Intelligence) are the most natural fits for live virtual environment tasks. Domain 8 is explicitly named "practical application," making it a strong candidate. However, GIAC does not publish which specific domains contain CyberLive items.

Is FOR578 required to sit the GCTI exam?

No formal prerequisites exist for GCTI. GIAC recommends SANS FOR578 Cyber Threat Intelligence training, which typically costs around $8,780 and includes two bundled practice tests when purchased with an exam attempt. Experienced CTI practitioners can and do self-study for the exam, but the practical depth required for CyberLive components makes structured lab experience important regardless of your preparation path.

How do I best use practice tests to prepare for CyberLive tasks?

Practice tests help you internalize the domain weighting, question logic, and analytical reasoning patterns the exam tests. For CyberLive preparation specifically, use practice tests to identify conceptual gaps in domains like malware analysis and pivoting, then follow each gap with hands-on tool practice. Visit our GCTI practice test platform to run timed sessions that reflect the analytical demands of both multiple-choice and practical components. Also review our full guide to GCTI CyberLive questions for targeted preparation strategies.

Ready to Start Practicing?

Our GCTI practice tests are built around the same domain structure, question logic, and analytical scenarios you will face on exam day - including the conceptual foundations behind CyberLive tasks. Start identifying your gaps now, while you still have time to close them.
