HMG SANS Cyber Retraining Academy (GSEC & GCIH Tips)

A thoroughly brilliant 10 weeks, learning from some of the very best. I can do basic hacking now, and I also know how to clean up afterwards. I’ve been offered, but not yet taken, a cyber security job. Although I’m sure it’ll happen soon.

Between mid-January and the end of March this year I was part of the HMG SANS Cyber Retraining Academy (make sure you scroll down on that page). These are my thoughts on what was a challenging and eye opening 10 weeks - a lot happened, so don’t expect a short write-up!

Jump to GSEC & GCIH tips


If you’re not already into cyber security, then you’ll at least have noticed coverage of events like WanaCry and the Mirai botnet; it’s fair to say cyber crime is a pretty hot topic. One of the main issues with stopping such attacks affecting daily life is the apparent “cyber skills gap”, which various articles have reported to be growing to 1-1.5 million unfilled cyber security jobs by 2020.

I can’t comment on how accurate that number is, or how much of the skills gap is reality vs perception. But, there are clearly cyber crimes occurring and having more people capable of mitigating them is probably a good idea.

To that end, the British Government and SANS partnered to run a 10 week cyber security academy; aimed at people with no previous background in the area, but who had shown a high aptitude for the skills required. Thousands applied, I think a couple of hundred were interviewed and 55 of us made the final cut. My own background served as a good base for the course, having studied a Computing MSc and tinkering with computers on a daily basis for work.

The Academy

Phrases like fire hose of information, were consistently and accurately used! You don’t often leave somewhere able to measure the amount of content you covered in inches.

That’s a full 12 inches of cyber security knowledge.

We studied four separate SANS courses, with lots of practical hacking experience. Content in the courses acted like a funnel; taking us from general computing/security, through to a specialism in incident handling and finally onto some really exciting hacking experiences. I like a lot of detail to study; every single SANS course provided everything I could have hoped to know, along with an instructor and TA’s who were clearly experts in their respective fields. The courses and our main instructors were:

  • SEC201: Computing & Technology Essentials (Ted Demopoulos)
  • SEC401: Security Essentials Bootcamp Style (Ted Demopoulos)
  • SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling (Chris Pizor)
  • SEC580: Metasploit Kung Fu for Enterprise Pen Testing (Bryce Galbraith)

Special mention for two of our TA’s, Carlos Fragoso and Chris Dale, who I thought were particularly brilliant.

Towards the end of the course things got more and more practical, with CTF’s, two days of NetWars and a much lauded hack the drone. These were all fantastic experiences and I learnt something new from each one. I won’t name check him (unless he asks for it), but the other student who first showed me how to upload a PHP shell blew my mind!


A main aim of the academy was to have students achieve the GSEC and GCIH certifications. I passed both at 93%, but I won’t be posting up any indexes or specific materials that I used (not least because I’m fairly sure it would breach something I signed). However I have some high level advice if you’re taking either of them, that I think helps with their respective challenges.

For GSEC, a highly granular index was critical; there’s such a huge width of information to cover that I couldn’t find the detail required if I stuck to a concept-based index (grouping by tool or command, as I’d been recommended).

Instead, I worked through every single slide in the material listing the book, page number and slide title. This was easy to do in short bursts during breaks, other downtime or even during the delivery. Listing page titles doesn’t require you to understand the content when you’re doing it, so it was easy to do and still listen to Ted talking.

By having a granular index build up through the week’s delivery you’ve already got something useful before revision time. If you do want to start grouping by concept afterwards, then you’re just compressing the information in your granular index; think data management, it’s easier to cut down information than go back and create it. The breadth of information in GSEC means it’s difficult to test too much depth, so a lot of the questions are answerable by simply looking them up in the books.

For GCIH, the challenge was more around interpretation of the question and exactly what it was asking for. I still made a granular index, but I referred to it much less because the depth of understanding tested is greater.

GCIH requires that you grasp Incident Handling concepts and be able to apply them in unfamiliar situations; a few questions mentioned specifics we definitely didn’t study, so trying to look them up would have been useless.

There will be some long outputs or logs to analyse and then answer a question about. Read the answers first, then you know what to keep an eye out for in the text! The other tricky area, was selecting one of two seemingly correct answers. Questions would often ask either how to monitor, or how to stop, a behaviour. Within the possible answers, there would be options to do either; getting it right means you have to have understood the specific request from the question. This seems obvious, but the wording of questions caught lots of us out; if you can’t decide between two actions then reread the question, rephrase it in your head if required.


All this experience and certification was designed to get people working in cyber security. We had interactions with potential employers throughout, with sponsors hosting evening talks and two career days involving lots of different companies.

The range of previous career experiences in our class was huge; we had a spectrum from people fresh out of college, to individuals who’d already been very successful in IT. Finding roles to fit every one of us was always going to be a tall order, and some of the employers came better prepared for the variety than others. The academy team did fantastically though, drawing in enough employers so that everyone had someone to talk to.

Personally I interviewed for three jobs during the academy and was offered four; I don’t expect I’ll have a 133% hit rate again, at any point! One of these was with a company I contacted personally, but all the offers were thanks to the training at the academy. The job titles offered proves the range of knowledge gained, they were: Attack Analyst; Penetration Tester; Security Engineer; Incident Handler.

Unfortunately, despite them all being exciting, none of the offers were quite right for me. I’ll admit to having some pretty specific aims for location in particular; it’ll remain this way for the rest of the year at least, sometimes you need to take a risk.

Post Academy

Looking back on the academy, it was 100% worth doing. If they run another and you’re interested in computers then apply; completing the academy will only make you better. I’m now back at my old workplace, applying my new knowledge wherever I can.