I really don’t know what to add, because others before me have already provided pretty much the same info. Anyway, here it goes.
Some background: I attended the SANS 560 course (in May 2010). I really liked it. The course objectives, the exercises, the instructor’s performance, everything was great. Huge amount of material, just as an example, the instructor took the time to show us topics that were not even in the book (how to use meterpreter encoders for IDS evasion just to name one). The course was excellent, packed out with cool stuff, full of action, exercises that actually worked 100% of the time, real-life examples, etc. Recommended.
The exam: Well worded concise questions for the most part. I really appreciate that. Some screenshots of tcpdump, I really like those questions, they made me think hard. The “open book” part of the exam? Well, for the GPEN exam at least, the candidate either knows his stuff or he will struggle and even fail, even with the open book policy, even with the SANS books. Realistically, when the question is “analyze the tcpdump output on the screen and select what tool / command would cause it”, you are not going to find the answer in the book. The open book policy makes a difference, but only for so many questions. If it was an easy task, everybody would be scoring 99-100%.
Something I hated about the exam: You have to answer the first question in order to move on to the second question. Once answered, you cannot go back to the previous question. And you can only skip 5 questions to answer them later.
Something I REALLY hated about the exam: The counter on the right side telling you how many correct / wrong answers so far. I almost rather not know my score till the end.
One last thing - the exam is indeed harder than the practice runs
Conclusion: The course was really good. This was my first SANS course, and I can’t wait to do it again. And the exam was pretty hard, fair, and straightforward, I’d do it again as well.