GCTI Open Book Policy: What You Can Bring to the Exam

What "Open Book" Actually Means on the GCTI Exam

The phrase "open book" triggers a specific reaction in most candidates: relief. That relief is understandable but dangerously incomplete. The GIAC Cyber Threat Intelligence (GCTI) certification exam is open book in a precise, limited sense - you may bring printed, physical materials into the testing environment. That's where the freedom ends.

There are no electronic devices. No tablets. No phones. No USB drives. No internet access. If your notes live only in a Google Doc or Notion database, they are completely inaccessible during the exam. The open-book policy is a license to bring a well-organized paper reference - not a shortcut around genuine preparation.

GIAC administers the GCTI exam under ANAB ISO/IEC 17024 accreditation standards, which means the proctoring and materials policies are enforced consistently and taken seriously. Understanding the policy in detail before exam day is not optional - a violation or a misunderstanding can cost you a $979 exam fee with no recourse.

Exactly What You Can Bring Into the Exam Room

GIAC's official policy permits any printed or hand-written materials you choose to bring. There is no page limit enforced by GIAC itself. Practically speaking, candidates typically bring one of the following:

• A printed and tabbed binder organized by the eight GCTI domains
• Printed course slides from SANS FOR578 (if you took the training), annotated by hand
• A custom-built index document printed double-sided and laminated or bound
• Hand-written cheat sheets for high-density technical content like YARA rule syntax, STIX 2.1 object types, or Diamond Model attribute definitions
• Printed reference cards for frameworks: the Kill Chain phases, the Courses of Action Matrix, and ATT&CK navigator notes

Books - including published references - are also permitted as long as they are physical copies. Some candidates bring a printed copy of the STIX 2.1 specification summary or the OpenIOC schema reference. Whether this is practical depends entirely on how well you have indexed it. A 300-page unmarked book is slower to use than a 20-page targeted index you built yourself.

What Is Strictly Prohibited

The prohibition list is straightforward but worth spelling out explicitly, because candidates sometimes ask about edge cases:

The key principle: if it has a battery or a screen, it does not go in. Print it, bind it, index it.

Remote Proctoring vs. Pearson VUE: How the Rules Differ

GIAC offers two delivery modalities - ProctorU remote proctoring from your home or office, and Pearson VUE onsite testing at a physical test center. The open-book policy applies equally to both, but the logistics of enforcing it differ in meaningful ways.

ProctorU Remote Testing

When testing remotely, a live proctor monitors your session via webcam. Before the exam begins, the proctor will conduct a room scan. Your printed materials must be visible and clearly physical - nothing electronic can be in the camera frame. Your binder or notes should be placed openly on the desk and not obscured. The proctor may ask you to show materials to the camera. Candidates who test at home should clear their desk of everything except their printed notes, water, and scratch paper (if permitted - confirm with GIAC/ProctorU at scheduling).

Pearson VUE Onsite Testing

At a Pearson VUE center, you will check in, present ID, and be escorted to a workstation. Your physical materials will typically be reviewed by test center staff before you enter the testing area. The same rule applies: printed and hand-written materials are fine; everything electronic stays in a locker. Pearson VUE centers vary slightly in their desk setup, so arriving early with a well-organized, easy-to-open binder (rather than a stack of loose papers) reduces friction at check-in.

Building a GCTI-Specific Index That Actually Works

A generic index won't serve you on the GCTI exam. The exam covers a highly specific set of technical and analytical frameworks, and your index needs to mirror them exactly. Start with a master list of every named framework, standard, tool, and methodology in the exam objectives, then map each to a page number in your binder.

High-priority index entries for GCTI include:

• Kill Chain phases - all seven phases with definitions and adversary actions at each stage
• Diamond Model attributes - adversary, capability, infrastructure, victim, and the six meta-features
• Courses of Action Matrix - how defenders respond at each Kill Chain phase
• STIX 2.1 object types - domain objects, relationship objects, and bundle structure
• TAXII 2.1 concepts - collections, channels, and how sharing works operationally
• OpenIOC schema - indicator structure, logic operators, and practical construction
• YARA rule syntax - rule structure, conditions, metadata, and common modifiers
• OSINT source categories - passive DNS, WHOIS history, certificate transparency, code repositories
• Pivoting techniques - infrastructure pivoting from IP to domain to registrant and back
• Intelligence report formats - executive summary vs. tactical report vs. finished intelligence product structure

If you are also using GCTI practice tests during your preparation, every question you answer incorrectly represents an index entry you need to add or expand. That feedback loop - practice test failure → binder update - is one of the most efficient ways to close knowledge gaps before exam day.

Organizing Your Notes by GCTI Domain

The GCTI exam spans eight domains. Each domain warrants its own binder section, sized according to technical density and likely question volume.

For deeper coverage of how these skills get tested in hands-on scenarios, the GCTI Domain 8: Practical Application of Threat Intelligence Study Guide 2026 walks through exactly what the practical components demand and how to prepare for them systematically.

The CyberLive Caveat: Why Notes Only Go So Far

The GCTI exam includes CyberLive hands-on items executed in live virtual environments. These tasks test your ability to actually perform threat intelligence work - collecting indicators, pivoting infrastructure, analyzing malware artifacts, and producing intelligence outputs - not just describe how it is done.

Your printed binder cannot execute a YARA rule for you. It cannot pivot from a domain to its registrant history. During CyberLive tasks, you are interacting with a real (sandboxed) environment, and the clock continues to run. Candidates who have only memorized concepts without ever practicing the underlying skills will find their binder useless during these components.

The practical implication: your exam preparation should include doing these tasks, not just reading about them. Use GCTI practice tests and exercises that simulate hands-on scenarios wherever possible. The SANS FOR578 course, which GIAC recommends as the training path for this certification, is specifically built around these applied skills and typically includes two practice attempts when bundled with an exam voucher.

A Realistic Prep Timeline for Your Binder

You have 120 days from purchase to activate your GCTI exam attempt. That window should inform how you schedule both your content study and your binder construction. Spending the first 80 days studying and the last 40 building your binder is backwards - your binder should evolve alongside your learning.

This domain sequencing reflects the logical dependency structure of GCTI content - you cannot meaningfully study pivoting (Domain 6) without first understanding what you are pivoting from (Domain 4: OSINT). The binder construction mirrors this sequence so that each new section builds on established index entries from previous sections.

For comprehensive guidance on making the most of your practical preparation, the GCTI Domain 8 study guide provides detailed breakdowns of the applied skills that appear in the exam's hands-on components.

Frequently Asked Questions