
100+ Free GCED Practice Questions

Pass your GIAC Certified Enterprise Defender (GCED) exam on the first try — instant access, no signup required.


Key Facts: GCED Exam

  • Questions: 115 (GIAC)
  • Passing Score: 70% (GIAC)
  • Duration: 180 min (GIAC)
  • Exam Fee: $979 (GIAC (retake))
  • Validity: 4 years (GIAC)
  • DoD 8570: IAT III Approved

GCED validates advanced enterprise defense skills beyond GSEC. The exam has 115 questions in 3 hours with a 70% passing score. Domains include network defense (Snort, Suricata, Zeek, SIEM), Active Directory hardening (LAPS, tiering, PAW, golden/silver ticket detection), endpoint defense (AppLocker, WDAC, Defender ASR), incident handling (NIST 800-61, PICERL), threat hunting, vulnerability management, web defense, cloud baselines (CIS, AWS WAF, Azure Security Benchmark), and compliance (NIST CSF, ISO 27001, PCI-DSS, HIPAA). Open book, 4-year validity.

Sample GCED Practice Questions

Try these sample questions to test your GCED exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which IDS engine uses Lua-based scripting and protocol parsers to produce rich network logs rather than match signatures?
A. Snort
B. Suricata
C. Zeek
D. Bro-Enterprise
Explanation: Zeek (formerly Bro) is a network security monitoring framework that generates structured logs of protocol activity (conn.log, dns.log, http.log, ssl.log, files.log, etc.) rather than primarily matching signatures. Its scripting language enables rich, stateful detection. Snort and Suricata are signature-based IDS/IPS engines, though Suricata can also produce similar protocol logs via its eve.json output.

2. Which Active Directory mitigation technique assigns different tiers (T0, T1, T2) to administrative accounts based on the sensitivity of the assets they administer?
A. Just-in-Time (JIT) access
B. Tiered administration model
C. LAPS
D. Protected Users group
Explanation: The tiered admin model (Microsoft's Enterprise Access Model / Red Forest / PAW approach) separates administrative privileges into tiers: Tier 0 (domain controllers, AD infrastructure), Tier 1 (servers and business applications), and Tier 2 (workstations and users). Admins are restricted to their tier, with separate accounts and dedicated workstations. This breaks attacker escalation paths by preventing a Tier 2 compromise from becoming a Tier 0 takeover.

3. What Windows feature rotates the local Administrator password on domain-joined endpoints to a unique value per machine, stored in AD?
A. LAPS (Local Administrator Password Solution)
B. BitLocker
C. SmartScreen
D. WSUS
Explanation: LAPS stores a unique, automatically rotated local Administrator password per domain-joined computer in a protected AD attribute. It eliminates shared local-admin password reuse, which is a primary pass-the-hash propagation vector. Modern Windows 11 / Server 2022 has built-in LAPS (Windows LAPS); older versions use the legacy Microsoft LAPS product. Permissions control who can read the password attribute.

4. Which Windows feature provides application allow-listing using code integrity policies and supports signed-policy deployment at kernel level?
A. AppLocker
B. Windows Defender Application Control (WDAC)
C. Defender ASR
D. BitLocker
Explanation: WDAC (Windows Defender Application Control) enforces code integrity policies at the kernel level, allowing only approved applications/drivers to run. Policies can be signed for tamper resistance and are scoped by publisher, product, file name, hash, or file attribute. AppLocker is an older, user-mode allow-listing feature. WDAC is more secure but typically harder to manage. Microsoft recommends WDAC for high-security environments.

5. Which attack uses a compromised user's NTLM hash directly, without knowing the plaintext password, to authenticate to other systems?
A. Golden ticket
B. Pass-the-Hash
C. Pass-the-Ticket
D. Kerberoasting
Explanation: Pass-the-Hash (PtH) uses an NTLM hash extracted from a system (usually LSASS) to authenticate to other systems over the NTLM protocol without needing the cleartext password. Mitigations: LAPS (unique local admin passwords), Protected Users group (disables NTLM for members), Defender Credential Guard (protects LSASS), disabling SMBv1, and restricting NTLM usage via GPO.
6. What is a 'golden ticket' in Kerberos attack terminology?
A. A Kerberos Ticket Granting Ticket (TGT) forged by an attacker who has stolen the krbtgt account's hash, granting unlimited AD access
B. A service ticket for a single service
C. A ticket auto-issued to all users at login
D. A Windows license
Explanation: A golden ticket is a forged Kerberos TGT signed with the krbtgt account's password hash. With krbtgt's hash (usually extracted via DCSync), an attacker can forge TGTs for any user, including high-privileged accounts, for up to 10 years. Mitigation: rotate krbtgt twice (KRBTGT Reset script from Microsoft), detect unusual TGT lifetimes, monitor Event IDs 4769/4624 patterns, and watch for anomalous TGS_REQ sequences.

7. What is a 'silver ticket'?
A. A forged Kerberos service ticket signed with a service account's NTLM hash, granting access to that single service
B. A forged TGT
C. A password reset token
D. A backup ticket
Explanation: A silver ticket is a forged Kerberos TGS (service ticket) signed with the target service account's NTLM hash. Unlike a golden ticket, it bypasses the KDC entirely (no 4769 events on the DC), making detection harder. Scope is limited to the specific service. Mitigation: rotate service account passwords, use managed service accounts (gMSA), enable Kerberos armoring (FAST), and monitor for unusual service ticket flags.

8. Which framework breaks an incident response lifecycle into six phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned?
A. NIST 800-61
B. SANS PICERL
C. ISO 27035
D. COBIT
Explanation: SANS PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) is the classic six-phase model taught in SANS incident handling courses. NIST 800-61 Rev 2 uses a four-phase model (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity). Both are widely used and compatible. The GCED exam expects familiarity with each.

9. Which NIST publication is the primary reference for computer security incident handling?
A. NIST 800-53
B. NIST 800-61 Revision 2
C. NIST 800-171
D. NIST 800-207
Explanation: NIST SP 800-61 Revision 2 ('Computer Security Incident Handling Guide') is the U.S. government's primary reference for incident response. It covers organization, policy, lifecycle phases, and coordination. NIST 800-53 is the security controls catalog; 800-171 covers CUI protection; 800-207 is the Zero Trust architecture. Defenders should know all four, but 800-61 specifically for IR.

10. What does the MITRE ATT&CK matrix organize?
A. Adversary tactics (columns/why) and techniques (rows/how) observed in real-world intrusions
B. Vulnerability CVE IDs
C. IP reputation scores
D. Open-source licenses
Explanation: MITRE ATT&CK documents adversary behavior in a tactic/technique matrix. Tactics are goals (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques are the 'how', with sub-techniques for specificity. Defenders use ATT&CK for detection engineering, red team planning, and SOC coverage gap analysis.

About the GCED Exam

The GIAC Certified Enterprise Defender (GCED) certification validates advanced enterprise defense skills including network defense, Active Directory security, Windows and Linux hardening, endpoint defense, incident handling, threat hunting, vulnerability management, web application defense, cloud security baselines, and compliance frameworks. Based on SANS SEC501.

  • Questions: 115 scored questions
  • Time Limit: 180 minutes
  • Passing Score: 70%
  • Exam Fee: $979 (GIAC (SANS) / ProctorU)

GCED Exam Content Outline

  • Network Defense and Monitoring (12%): IDS/IPS (Snort, Suricata, Zeek), network security monitoring (NSM), SIEM correlation, flow analysis (NetFlow, IPFIX), encrypted traffic analysis, DNS monitoring, and egress filtering
  • Active Directory and Identity Security (12%): Tiered administration, Privileged Access Workstations (PAW), LAPS, Protected Users group, Just-in-Time admin, Kerberos hardening, golden/silver ticket detection, SIDHistory abuse, krbtgt rotation, and Pass-the-Hash mitigations
  • Windows and Linux Hardening (10%): CIS Benchmarks, DISA STIGs, GPO baselines, Windows Defender policies, Linux auditd, AppArmor, SELinux, sudoers, PAM, and secure configuration management
  • Endpoint Defense and EDR (10%): AppLocker, Windows Defender Application Control (WDAC), Defender Attack Surface Reduction (ASR) rules, exploit protection, Controlled Folder Access, EDR architecture, and bypass considerations
  • Incident Handling and Threat Hunting (10%): NIST 800-61 lifecycle, SANS PICERL, hypothesis-driven hunting, ATT&CK mapping, Sigma rules, pyramid of pain, and structured analytic techniques
  • Vulnerability Management (10%): CVSS scoring, EPSS, KEV catalog, patch management cycles, emergency patching, risk-based prioritization, scanners (Nessus, OpenVAS, Qualys), and remediation workflows
  • Web Application and API Defense (10%): OWASP Top 10, web application firewalls, CSP, HSTS, SameSite cookies, CORS, API security (OAuth, JWT, mTLS), and defense against SSRF, IDOR, and deserialization attacks
  • Cloud Security Baselines (10%): AWS Well-Architected Security Pillar, Azure Security Benchmark, GCP CIS, IAM least privilege, guardrails (SCPs, Azure Policy), CSPM, CNAPP concepts, and encryption of data at rest and in transit
  • Data Protection and DLP (8%): Classification, labeling, DLP policies, rights management (IRM/AIP/Purview), tokenization, key management (HSM, KMS), and mobile device management (MDM/MAM) basics
  • Compliance, Risk, and Continuity (8%): NIST CSF, ISO 27001, PCI-DSS, HIPAA, SOX, GDPR, risk registers, backup/DR strategies, BCP, RTO/RPO, supply chain (SBOM, SLSA), and tabletop exercises

How to Pass the GCED Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 115 questions
  • Time limit: 180 minutes
  • Exam fee: $979

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GCED Study Tips from Top Performers

1. Understand Snort and Suricata rule syntax and Zeek's log types and scripts
2. Know Active Directory tiered administration, PAW, and LAPS rotation cadence
3. Memorize indicators of golden/silver tickets and how to detect them in Windows event logs
4. Master AppLocker vs WDAC differences and when to use each
5. Know all Defender ASR rules and what behavior each blocks
6. Understand CVSS vectors, EPSS, and how KEV drives emergency patching
7. Practice the NIST 800-61 incident lifecycle and map it to SANS PICERL
8. Understand OWASP Top 10 mitigations and WAF rule tuning
9. Know CIS benchmark structure for Windows, Linux, and major cloud platforms
10. Understand cloud guardrails: AWS SCPs, Azure Policy, and GCP Organization Policies
11. Build a printed, tabbed, indexed reference book — open book means a fast index is a force multiplier

Frequently Asked Questions

What is the GIAC GCED exam format?

The GCED exam consists of 115 questions with a 180-minute (3-hour) time limit. The passing score is 70%. It includes multiple choice and may include CyberLive hands-on practical items. GCED is open book — printed notes and indexes are permitted. It is proctored by ProctorU online or Pearson VUE onsite.

How does GCED differ from GSEC?

GSEC is foundational and validates broad security essentials knowledge. GCED is the logical follow-on and focuses on defensive operations — network defense, hardening, incident handling, threat hunting, and applied compliance. GCED expects a deeper, more practical understanding of enterprise blue team work.

Is GCED a good certification for blue teamers?

Yes. GCED is one of the most direct blue team certifications available. It validates practical enterprise defense skills across identity, endpoint, network, cloud, and incident handling — making it strong for SOC analysts, security engineers, and defensive architects. It is DoD 8570/8140 approved for IAT Level III and CSSP Infrastructure Support positions.

Is GCED open book?

Yes. Like other GIAC certifications, GCED is open book. Candidates may bring printed notes and reference indexes. Building a well-organized, tabbed index from study materials is one of the most impactful preparation activities. Electronic devices are not permitted.

What are the GCED renewal requirements?

GCED is valid for 4 years. Renewal requires 36 CPE credits or retesting, plus a renewal fee ($479 as of 2026). CPEs can be earned via SANS training, publishing, conference attendance, and relevant work experience in defensive operations.

How long should I study for GCED?

Plan for 100-150 hours over 6-10 weeks. Most candidates take SANS SEC501. Hands-on practice matters: build lab Active Directory environments, configure AppLocker/WDAC and Defender ASR, tune Snort/Suricata rules, deploy SIEM correlations, and rehearse incident handling playbooks. A candidate with 2+ years of defense experience can study more efficiently.

What jobs can I get with GCED certification?

GCED qualifies you for senior defensive roles: Security Engineer ($100,000-150,000), SOC Lead/Manager ($110,000-160,000), Incident Handler ($95,000-140,000), Threat Hunter ($100,000-150,000), Cybersecurity Architect ($120,000-175,000), and Security Consultant ($105,000-155,000). GCED is DoD 8570/8140 approved for IAT Level III and CSSP Infrastructure Support.