GMON

GIAC Continuous Monitoring Certification (GMON) teaches security analysts and engineers to design, implement, and operate continuous monitoring solutions, covering architecture, network and endpoint monitoring, log management, SIEM, and threat intelligence.

  • Exam length: 180 minutes
  • Questions: 115
  • Passing score: 74.3/100
  • Exam cost: $979

Who Should Take This

This course is ideal for security analysts, incident responders, and SOC engineers with at least two years of experience who need to deepen their expertise in continuous monitoring. These professionals aim to design robust monitoring architectures, integrate SIEM and log pipelines, and translate threat intelligence into actionable alerts across enterprise environments.

What's Covered

1 Security Architecture and Continuous Monitoring Foundations
2 Network Security Monitoring
3 Endpoint Security Monitoring
4 Log Management and SIEM
5 Threat Detection and Intelligence
6 Monitoring Operations and Incident Workflow

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

69 learning goals
1 Security Architecture and Continuous Monitoring Foundations
3 topics

Security Architecture for Monitoring

  • Identify the components of a defensible security architecture and describe how network segmentation, choke points, and visibility zones enable effective continuous monitoring.
  • Describe the phases of the NIST Continuous Monitoring framework (define; establish; implement; analyze and report; respond; review and update), and explain how each phase contributes to ongoing security posture assessment.
  • Implement a sensor placement strategy that positions network taps, SPAN ports, and inline sensors at critical network boundaries, internal segmentation points, and high-value asset zones to maximize traffic visibility.
  • Analyze an enterprise network topology to identify monitoring blind spots, evaluate sensor coverage gaps, and recommend architectural changes that improve detection capabilities without degrading network performance.

Continuous Diagnostics and Mitigation

  • Identify the CIS Critical Security Controls relevant to continuous monitoring and describe how hardware asset management, software asset management, and secure configurations form the baseline for monitoring programs.
  • Implement automated hardware and software asset inventory collection using network scanning, agent-based discovery, and passive network monitoring to maintain a current asset database for monitoring coverage validation.
  • Configure continuous vulnerability assessment scanning with authenticated and unauthenticated scans, risk-based prioritization, and integration with patch management workflows to reduce the attack surface.
  • Evaluate the effectiveness of a continuous diagnostics and mitigation program by analyzing asset coverage rates, vulnerability remediation timelines, and configuration compliance drift to identify areas requiring improvement.

Monitoring Strategy and Frameworks

  • List the key data sources for continuous monitoring including network traffic, endpoint telemetry, authentication logs, DNS queries, and application logs, and describe the security value each provides.
  • Implement a data collection strategy that maps organizational assets and threat models to specific monitoring data sources, collection frequencies, and retention policies aligned with compliance and operational requirements.
  • Assess a monitoring program's maturity level by comparing data collection comprehensiveness, detection rule coverage, mean time to detect, and mean time to respond against industry benchmarks and organizational risk tolerance.
2 Network Security Monitoring
4 topics

Network Traffic Analysis

  • Describe the network security monitoring data types including full packet capture, session data, NetFlow/IPFIX records, and transaction logs, and explain the storage, processing, and analysis tradeoffs of each.
  • Configure NetFlow/IPFIX collection and analysis to establish network communication baselines, detect anomalous traffic patterns, and identify lateral movement and data exfiltration indicators.
  • Implement full packet capture infrastructure using tools such as tcpdump, Wireshark, and Moloch/Arkime to record, index, and retrieve network traffic for retrospective analysis and incident investigation.
  • Analyze captured network traffic to identify reconnaissance activity, command-and-control communications, data exfiltration channels, and protocol anomalies using protocol dissection and statistical analysis techniques.

Network Intrusion Detection

  • Describe the differences between signature-based, anomaly-based, and stateful protocol analysis detection methods and identify when each approach is most effective for network threat detection.
  • Configure Snort or Suricata IDS/IPS with custom rule sets, preprocessors, and output plugins to detect known attack signatures and protocol violations at network monitoring points.
  • Implement the Zeek (formerly Bro) network analysis framework to generate structured connection logs, protocol metadata, file extraction, and custom scripted detection logic for enterprise network visibility.
  • Evaluate IDS alert output to differentiate true positive detections from false positives, tune detection thresholds and suppression rules, and assess overall detection efficacy against the current threat landscape.

DNS and HTTP Monitoring

  • Describe how DNS monitoring detects malicious activity including domain generation algorithms, DNS tunneling, fast-flux networks, and command-and-control callback domains.
  • Implement passive DNS logging and analysis using Zeek DNS logs, response policy zones, and threat intelligence feeds to detect and block connections to known malicious domains.
  • Configure HTTP/HTTPS traffic monitoring using SSL/TLS inspection proxies and Zeek HTTP logs to detect web-based attacks, data exfiltration over HTTP, and unauthorized web application usage.
  • Analyze DNS query patterns and HTTP traffic metadata to identify beaconing behavior, encoded data channels, and covert communication methods used by advanced persistent threats.

Network Forensics and Encrypted Traffic

  • Describe the challenges of monitoring encrypted network traffic and identify techniques including JA3/JA3S fingerprinting, certificate analysis, and encrypted traffic analytics that provide visibility without decryption.
  • Implement JA3 and JA3S TLS fingerprinting to profile client and server applications, detect anomalous TLS implementations, and identify known malware families by their unique cryptographic handshake signatures.
  • Compare the effectiveness of TLS inspection, metadata analysis, and behavioral analytics approaches for detecting threats in encrypted traffic and assess their privacy, performance, and compliance implications.
3 Endpoint Security Monitoring
3 topics

Windows Endpoint Monitoring

  • Identify the critical Windows event log channels for security monitoring including Security, System, PowerShell, and Sysmon logs, and describe the key event IDs that indicate authentication, process creation, and privilege escalation activity.
  • Configure Sysmon with a comprehensive configuration file to capture process creation with command-line arguments and hashes, network connections, file creation time changes, registry modifications, and WMI activity for endpoint visibility.
  • Implement Windows Event Forwarding to centrally collect security-relevant event logs from distributed Windows endpoints using subscription-based collection with appropriate event filtering and batching.
  • Analyze Windows endpoint telemetry to detect MITRE ATT&CK techniques including credential dumping, lateral movement via PsExec or WMI, persistence mechanisms, and defense evasion through process injection or AMSI bypass.

Linux and macOS Endpoint Monitoring

  • Identify the key Linux audit subsystem components including auditd, audit rules, and the audit log format, and describe how they provide process execution, file access, and system call monitoring on Linux endpoints.
  • Configure Linux auditd rules to monitor critical security events including privilege escalation via sudo, unauthorized file modifications to sensitive paths, kernel module loading, and suspicious network connections.
  • Analyze Linux endpoint logs to detect post-exploitation activities including reverse shells, cron job persistence, shared library injection, and container escape attempts in containerized environments.

Endpoint Detection and Response

  • Describe endpoint detection and response platform capabilities including real-time telemetry collection, behavioral detection engines, threat hunting query interfaces, and automated response actions.
  • Implement EDR detection rules using MITRE ATT&CK technique identifiers to alert on specific attack patterns including living-off-the-land binary usage, fileless malware execution, and memory injection techniques.
  • Evaluate EDR detection coverage against the MITRE ATT&CK matrix to identify gaps in technique visibility, assess false positive rates across detection rules, and recommend tuning adjustments to optimize detection fidelity.
4 Log Management and SIEM
3 topics

Log Collection and Aggregation

  • Describe log management architecture components including log sources, collection agents, transport protocols (syslog, Beats, WEF), aggregation layers, storage tiers, and retention policies for enterprise security monitoring.
  • Implement centralized log collection using syslog-ng or rsyslog with TLS-encrypted transport, structured data parsing, and source-based routing to aggregate logs from network devices, servers, and security appliances.
  • Configure log normalization and enrichment pipelines using Logstash or similar tools to parse heterogeneous log formats into common schemas, add contextual metadata, and ensure consistent field naming across data sources.
  • Assess a log collection infrastructure for completeness by mapping collected sources against the asset inventory, identifying gaps in log coverage, and evaluating transport reliability and latency under peak load conditions.

SIEM Configuration and Correlation

  • Describe SIEM platform core capabilities including event correlation, alerting, dashboarding, and reporting, and explain how correlation rules combine multiple log sources to detect complex attack patterns.
  • Implement SIEM correlation rules that detect multi-stage attack patterns such as brute force followed by successful login, privilege escalation chains, and lateral movement sequences across multiple log sources.
  • Configure SIEM alert prioritization and escalation workflows using risk scoring, asset criticality weighting, and threat intelligence enrichment to reduce alert fatigue and focus analyst attention on high-fidelity detections.
  • Evaluate SIEM rule effectiveness by analyzing true positive to false positive ratios, detection coverage against MITRE ATT&CK techniques, and analyst response times to recommend correlation rule tuning and new detection content.

Splunk and ELK Stack Operations

  • Implement Splunk searches using SPL to query security events, create statistical summaries, build time-series visualizations, and generate scheduled reports for security operations center dashboards.
  • Configure the Elasticsearch, Logstash, and Kibana (ELK) stack for security monitoring with index lifecycle management, ingest pipelines, detection rules, and Kibana Security dashboards for threat visibility.
  • Compare Splunk SPL and Elasticsearch KQL query capabilities for security analytics use cases and assess platform-specific strengths for log volume scaling, real-time alerting, and threat hunting workflows.
5 Threat Detection and Intelligence
4 topics

Threat Intelligence Integration

  • Describe the types of threat intelligence including strategic, tactical, and operational intelligence, and identify common formats and sharing standards such as STIX, TAXII, and OpenIOC used in security monitoring.
  • Implement threat intelligence feed integration with SIEM and IDS platforms using STIX/TAXII automated ingestion to enrich security events with indicator context and enable indicator-based detection rules.
  • Evaluate threat intelligence source quality by assessing timeliness, accuracy, relevance, and actionability of indicators, and determine the operational impact of feed integration on detection rates and false positive volumes.

MITRE ATT&CK Framework Application

  • Describe the MITRE ATT&CK framework structure including tactics, techniques, sub-techniques, and procedures, and explain how it provides a common language for categorizing adversary behavior observed in monitoring data.
  • Apply MITRE ATT&CK technique identifiers to map existing detection rules and monitoring data sources to framework coverage, creating a detection coverage heatmap across the enterprise kill chain.
  • Analyze ATT&CK coverage gaps to prioritize new detection rule development, assess which techniques pose the greatest risk based on threat intelligence, and recommend monitoring improvements for underserved tactic categories.

Threat Hunting

  • Describe the threat hunting methodology including hypothesis generation, data collection, investigation, and pattern discovery, and explain how proactive hunting complements reactive monitoring and alerting.
  • Implement threat hunting queries using SIEM search languages and endpoint telemetry to investigate hypotheses about specific ATT&CK techniques including living-off-the-land attacks, PowerShell abuse, and scheduled task persistence.
  • Configure automated threat hunting workflows that periodically execute hunting queries, identify statistical anomalies in baseline behavior, and escalate findings for analyst review to bridge the gap between hunting and continuous detection.
  • Evaluate the outcomes of threat hunting campaigns by assessing new detections discovered, hunting hypothesis success rates, and data source adequacy, and recommend converting successful hunt queries into production detection rules.

Behavioral Analytics and Anomaly Detection

  • Describe user and entity behavior analytics concepts including baseline profiling, peer group analysis, and anomaly scoring, and identify how UEBA complements rule-based detection for insider threat and compromised account scenarios.
  • Implement statistical baseline models for network traffic volumes, authentication patterns, and data access behaviors to detect deviations that may indicate compromised credentials or insider threat activity.
  • Assess the trade-offs between signature-based detection, rule-based correlation, and behavioral analytics approaches for different threat categories, and determine the optimal combination for an organization's risk profile and monitoring maturity.
6 Monitoring Operations and Incident Workflow
3 topics

SOC Operations and Alert Triage

  • Describe security operations center operational models including tiered analyst structure, shift handoff procedures, and escalation paths, and explain how SOC workflows integrate with continuous monitoring infrastructure.
  • Implement alert triage procedures that classify incoming security alerts by severity, validate alert context against asset criticality and threat intelligence, and document investigation findings in standardized formats.
  • Analyze SOC operational metrics including mean time to detect, mean time to respond, alert volume trends, and escalation rates to identify workflow bottlenecks and recommend process improvements.

Automation and Orchestration

  • Describe security orchestration, automation, and response platform capabilities including playbook execution, case management integration, and automated enrichment that reduce analyst workload in monitoring operations.
  • Implement automated alert enrichment workflows that query threat intelligence platforms, DNS records, WHOIS databases, and asset management systems to provide analysts with contextual information at alert triage time.
  • Configure automated response playbooks for common alert types including phishing email quarantine, malicious IP blocking, and compromised account disablement with appropriate human approval gates for high-impact actions.
  • Evaluate the effectiveness of SOAR automation by measuring analyst time savings, automated response accuracy, and false positive handling rates, and assess risks of over-automation in security response workflows.

Monitoring Program Metrics and Reporting

  • Implement security monitoring dashboards that visualize key performance indicators including detection coverage, alert volumes by category, incident trends, and asset monitoring completeness for executive and operational audiences.
  • Assess overall monitoring program effectiveness by correlating detection metrics with vulnerability exposure data, red team findings, and incident post-mortem outcomes to identify systemic visibility gaps requiring investment.

Scope

Included Topics

  • All domains covered by the GIAC Continuous Monitoring Certification (GMON) aligned with SANS SEC511: Security Architecture and Continuous Monitoring, Network Security Monitoring, Endpoint Monitoring, Log Management and SIEM, Continuous Diagnostics and Mitigation, and Threat Detection.
  • Intermediate-level security operations and continuous monitoring including network traffic analysis, endpoint telemetry collection, SIEM correlation rules, security architecture design for visibility, and proactive threat detection using behavioral analytics and signature-based methods.
  • Key tools and frameworks: Zeek (Bro), Snort/Suricata, YARA, Sysmon, Windows Event Forwarding, ELK Stack, Splunk, Security Onion, MITRE ATT&CK framework, CIS Critical Security Controls, NIST CSF continuous monitoring guidelines, NetFlow/IPFIX, packet capture analysis, and endpoint detection and response platforms.
  • Scenario-driven monitoring decisions requiring balancing detection coverage, alert fidelity, operational cost, and analyst workload across enterprise environments.

Not Covered

  • Advanced malware reverse engineering, binary analysis, and exploit development beyond what is needed for detection rule authoring.
  • Cloud-specific monitoring tools and architectures unless directly relevant to hybrid monitoring strategies covered in SEC511.
  • Digital forensics investigation procedures and legal chain-of-custody processes beyond incident detection and initial triage.
  • Penetration testing and offensive security techniques except as context for understanding attacker behavior patterns.
  • Vendor-specific SIEM administration tasks beyond configuration for security monitoring use cases.

Official Exam Page

Learn more at GIAC Certifications

Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.