Two certifications dominate the conversation in Cyber Threat Intelligence: GIAC's Cyber Threat Intelligence (GCTI) certification and SANS FOR578: Cyber Threat Intelligence. They are related — FOR578 is the course, GCTI is the exam — but they serve different purposes and are not interchangeable in how the market perceives them.
This comparison will help you decide where to invest your time and money.
The Basics
FOR578 is a SANS training course, currently available in live, OnDemand, and OnSite formats. The course runs five days and covers threat intelligence tradecraft from foundational concepts through advanced analytical techniques, with significant emphasis on MITRE ATT&CK, diamond model, kill chain methodology, and intelligence production.
GCTI is the GIAC certification associated with FOR578. It is a standalone, proctored exam — you do not need to take FOR578 to sit the GCTI, though most candidates prepare via the course. The exam is 2-3 hours, 82 questions, open-book (physical materials allowed), and requires a 70% pass rate.
Cost
This is where they diverge sharply. FOR578 training costs approximately $7,800–$9,000 depending on delivery format, with GCTI included. The certification alone (exam only) costs approximately $979. Many employers will cover FOR578 as a training expense; fewer will pay for the exam without the training.
What the Market Thinks
Both credentials are well-regarded, but they signal different things. GCTI signals that you have passed a rigorous, vendor-neutral exam on CTI tradecraft. FOR578 alumni often mention that the course material — particularly the practical exercises — is the more valuable part of the investment, regardless of whether you sit the exam.
In job postings, GCTI appears as a preferred or required certification more frequently than FOR578 is explicitly named, because hiring managers list certifications, not courses. If your goal is meeting a job listing requirement, GCTI is the credential to target.
Who Should Prioritize Each
Take FOR578 (and GCTI) if: Your employer will fund it, you are early in your CTI career and want comprehensive structured training, or you want the live course experience with practical exercises and peer interaction.
Self-study for GCTI if: Budget is constrained, you already have significant CTI experience and just need the credential, or you learn effectively from self-directed study and can build equivalent knowledge independently.
Alternatives Worth Considering
Before committing, consider two alternatives. EC-Council's CTIA (Certified Threat Intelligence Analyst) is significantly cheaper and covers similar conceptual ground, though it carries less brand recognition. Mandiant's CTI certification offerings have gained market credibility as Mandiant's reputation for intelligence production is unmatched.
For analysts specifically interested in the DFIR/malware analysis side of CTI, FOR610 (Malware Analysis) may be more directly applicable than FOR578.
The Honest Answer
If you can get your employer to fund FOR578, take it — the course is excellent and the GCTI credential is genuinely valued. If you are paying out of pocket, the ROI calculation is harder to justify unless you are applying for roles that explicitly require it. The time you would spend studying for GCTI might generate more career value invested in building a public portfolio of analytical work.