CREST CRTIA vs GIAC GCTI: Which should you choose?

Okay I admit, I had a massive case of Red Team FOMO last year.

In this industry, offensive security has a certain "gravity." It’s flashy, the tools are cool, and there’s an undeniable rush when you pop a shell. I took a detour into that world, started chasing exploits and collecting a few of those very sexy credentials. But eventually, the novelty started to wear off, and I realised I was focusing on being the smartest person in the room instead of making my stakeholders feel smart for using the intelligence that I provide.

I decided to double down on my core vocation and went back to basics, formally certifying with the CREST CRTIA and the GIAC GCTI. It was a grind, but it was the reality check I needed. This is my experience.

The CRTIA: Learning to Speak "Strategy"

The CREST Registered Threat Intelligence Analyst (CRTIA) is a certification that validates your ability to move from technical analysis to strategic decision-making. It focuses on the Intelligence Lifecycle and the "So What?" of threat data for stakeholders.

Exam Structure:

  • Time: 3 hours.
  • Format: 120 multiple-choice questions plus 2 long-form essays.
  • Passing Grade: At least 70% in both the technical and written sections.
  • Key Frameworks: Tests your ability to apply multiple CTI frameworks like PESTLE-M, the Admiralty Code, and ACH to real-world scenarios.
  • The Goal: Proves you can create a defensible narrative for senior management.

Going into the CRTIA, I didn't quite know what to expect. I knew there were 120 multiple-choice questions and two long-form essays, but the "how" was a mystery.

The arcX Experience

To prep, I used the arcX Advanced CTI course. I honestly struggled with it at first. It’s a very video-heavy course, and I was too used to reading PDFs and messing around with the terminal. I felt like the knowledge-to-time ratio was off, and found myself getting impatient.

But as I stuck with it, my perspective shifted. The author, Stewart Bertram, shares a level of personal experience and nuance that can’t be captured in a PDF or a textbook. The way he structures the content is designed to challenge how you think. I started to appreciate that the video format was the only way to deliver that "mentor" vibe.

The "Long-Form" Essays

The exam is a very different challenge compared to the OffSec and SANS courses that I did before. You can’t just memorize definitions and vomit them back out. It’s easy to mouth off about what the Intelligence Lifecycle is, but it’s another thing entirely to articulate how the Admiralty Code or Analysis of Competing Hypotheses (ACH) fits into a specific phase. How do legal frameworks dictate your collection plan?

You have to be able to synthesise these frameworks and understand how they work together.

Pro-Tips:

  1. Three hours feels like an eternity for 120 questions + 2 essays. It isn't. I barely scraped by.
  2. Blitz the multiple choice. If you aren't 100% sure, skip it. Unlike the GCTI, you can review your answers later. I found that while I was writing my 1,000-word essays, I’d suddenly remember an answer to a skipped MCQ or find "inspiration" in the essay prompt itself.
  3. Remember who you’re writing for. I spent an hour on each essay, making sure the language was articulate and appropriate for senior management.

The GCTI: A Test of Experience

The GIAC Cyber Threat Intelligence (GCTI) is a certification that tests an analyst's ability to perform tactical and operational threat intelligence. It is focused on the "How" of the tradecraft.

Exam Structure

  • Format: A proctored, open-book exam consisting of multiple-choice questions and hands-on CyberLive labs.
  • Key Focus: Heavily emphasises application, including extracting C2 infrastructure and writing YARA rules.
  • Core Frameworks: Tests your mastery of the Diamond Model, Kill Chain, and Analysis of Competing Hypotheses (ACH).
  • The Difficulty: Since you cannot go back to change answers, it requires extreme diligence.
  • The Goal: Proves you can map multiple intrusion sets and extract IOCs from certain artefacts.

For the GIAC GCTI, I didn't study as much as I should have. I used it as a "litmus test" to see if my years in the trenches and previous training held up to a rigorous benchmark.

The Reality Check

While I don't regret my approach, it definitely highlighted my gaps. I hit a few "stumbling blocks" here and there, as I didn't even fully grasp what the question was asking—things I might have known if I had spent more time on the SANS materials.

Even as an experienced analyst, some of the esoteric theory questions caught me off guard. It made me realise that daily experience doesn't always mean that you know everything.

Pro-Tips

  1. The labs take significantly less time than you’d expect. If you have even a baseline level of experience, they are straightforward and logical.
  2. Focus heavily on the theory. This is where the danger lives. Some of the very confusing questions caught me off guard because I hadn't done a deep dive into the SANS-specific materials.
  3. Since you cannot go back and change your answers on a GIAC exam, you need to be diligent. Don't let the "open-book" nature make you arrogant.

Which One Should You Pick?

In my opinion, both certifications are valuable and prove different things. Do you want to be the one explaining the "why" to the Board, or the one proving the "how" in the logs?

| Feature | CREST CRTIA | GIAC GCTI |
|---|---|---|
| The Vibe | "I can explain the strategic impact to the Board". | "I can find the technical proof in the data". |
| Primary Lens | Strategic & Governance: Focusing on the "Why" and the geopolitical drivers. | Tactical & Operational: Focusing on the "How" and technical attribution. |
| Career Track | Leadership, Management, and Strategic Consultancy. | Technical Lead, Incident Response, and Deep-Dive Analysis. |
| The "So What?" | Validates your Voice: Making stakeholders feel informed. | Validates your Hands: Handling raw data and fighting biases. |

In my personal opinion, if you can afford it, just take both!

What’s Next?

I realized that studying for the sake of a "shiny new cert" is fun. It’s a dopamine hit every time you add a new digital badge to your collection. But I’ve also realized that if you don't apply that information immediately, you eventually lose it.

I still feel that itch to go after the next certificate but I’m consciously trying to pull back. I’m doubling down on my current vocation, focusing on depth rather than just another acronym. Interestingly, this blog post has clocked in at just over 1,000 words, roughly the length of one of those CRTIA long-form essays.

The "I Have a Problem" Disclaimer: While I just spent the last few hours talking about "stopping the cert chase", my willpower has the structural integrity of a wet paper towel. I am, of course, already looking for the next thing to study. We’ll just call it "vocational depth" so I can sleep at night.