Associate tier · Security stream · Lab-first · Rubric-graded

RCSA: RKR Certified Security Associate

Build the edge, break it, and defend it — on real SRX, ASA and Firepower.

12 weeks · 10 hrs / week · 7 modules · 18 labs

Overview

What the RCSA certifies.

The RKR Certified Security Associate (RCSA) is the entry point of RKR's security stream and the fastest lab-first path from a networking or IT background into a hire-ready security operations role. It rejects the watch-only certificate model: every one of its competencies is built, broken and defended on live SRX, ASA and Firepower hardware and RKR digital-twin topologies. Over seven modules the learner moves from the attacker's playbook and applied cryptography, through stateful and next-generation firewalling, IPsec and SSL VPNs, and 802.1X identity control, to running the whole estate through a SIEM. The result is not familiarity but demonstrable, verifiable competence a hiring manager can trust on day one.

RCSA exists because India's market is inverting exactly as RKR's core thesis predicts: commodity IT work is being automated away while demand explodes for people who can actually build and operate secure infrastructure, and roughly 73% of security operations roles now go hard-to-fill. The program is benchmarked to the associate rigor of Juniper JNCIA-SEC and the security foundations of Cisco CCNA, but it is RKR-owned, RKR-branded and deliberately multi-vendor so graduates are not locked to a single platform. It ladders directly into the RKR Professional and Expert security tiers, and slots into RKR's broader AI-Readiness Curriculum and Network Twin platform, where students can practice against twins of real enterprise and campus networks.

Measurable outcomes

Walk out able to do this — on record.

Design and enforce zone-based stateful and next-generation firewall policy on Juniper SRX and Cisco ASA/Firepower, including NAT and screens.

Stand up and operate a working two-tier PKI and reason about cryptography and TLS 1.3 in production terms.

Reconstruct real intrusions against the Cyber Kill Chain and MITRE ATT&CK, and reproduce and mitigate common L2/L3 attacks.

Build and troubleshoot IPsec site-to-site (IKEv2) and remote-access SSL VPNs across SRX and ASA.

Gate the LAN with 802.1X, RADIUS/TACACS+, EAP-TLS and dynamic VLAN assignment, with MAB fallback.

Operate the security estate through centralized syslog/SIEM correlation and NetFlow/J-Flow anomaly detection.

Apply device-hardening baselines and India DPDP Act 2023 breach-handling obligations to a live network.

Who it’s for

Built for these starting lines.

Networking and IT graduates who want to enter cybersecurity through infrastructure, not theory.

CCNA/JNCIA-level network engineers pivoting into firewall, VPN and NAC roles.

SOC L1 analysts who need hands-on perimeter and identity engineering skills to move up.

System and NOC administrators tasked with securing an enterprise or campus edge.

Career-changers seeking a verifiable, lab-proven first credential in the security stream.

The syllabus

7 modules. 18 graded labs. No filler.

Every module terminates in a graded lab — theory is never left unproven. This is the full RCSA module sequence, exactly as delivered.

RCSA-M01

Threat Landscape & Security Foundations

Establishes the attacker's-eye and defender's-eye baseline: the CIA triad, the AAA model, and defense-in-depth expressed as trust/untrust/DMZ zoning. Learners taxonomize attacks against the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK, then reproduce and mitigate concrete Layer 2/3 attacks (ARP spoofing, MAC flooding, VLAN hopping, DHCP starvation, IP spoofing). Grounds everything in India's DPDP Act 2023 obligations.

You will be able to
  • Learner can reconstruct an intrusion across Cyber Kill Chain phases and map adversary TTPs to MITRE ATT&CK tactics and techniques.
  • Learner can apply the CIA triad, AAA, and defense-in-depth zoning to classify and place security controls.
  • Learner can execute and mitigate L2/L3 attacks (ARP spoofing, MAC flooding, VLAN hopping, DHCP starvation) using DAI, DHCP snooping and port security.
  • Learner can summarize the network-security-relevant obligations of India's DPDP Act 2023, including breach handling.
Graded labs
Lab

Kill-chain reconstruction from a captured intrusion

Given a packet capture and log bundle on the RKR range, reconstruct the attack phase-by-phase in Wireshark, map each observed step to MITRE ATT&CK, and produce a defensible incident timeline.

Lab

L2 attack reproduction and mitigation

In a mixed Juniper/Cisco topology, launch ARP spoofing and DHCP starvation with ettercap/yersinia, then remediate with DHCP snooping, Dynamic ARP Inspection and port security, and verify the attacks are blocked.

Study Guide · Lab Guide · Command Guide · Solution Guide · Glossary · Lab Outcomes & Verification · 5-part Workbook
RCSA-M02

Applied Cryptography & PKI

Turns cryptographic theory into working infrastructure. Covers symmetric ciphers (AES-GCM, 3DES), asymmetric algorithms (RSA, ECDSA, DH/ECDH), hashing and HMAC (SHA-2 family), and digital signatures, then applies them to X.509 certificates, CA hierarchies, CSR issuance, and revocation via CRL/OCSP. Dissects the TLS 1.2/1.3 handshake and perfect forward secrecy.

You will be able to
  • Learner can select appropriate ciphers, modes and key lengths to meet confidentiality, integrity and authentication requirements.
  • Learner can build a two-tier PKI, generate CSRs, issue and revoke X.509 certificates, and validate chains via OCSP and CRL.
  • Learner can trace a TLS 1.3 handshake and explain perfect forward secrecy via ephemeral Diffie-Hellman.
  • Learner can compute and verify hash and HMAC values and explain collision and preimage resistance.
Graded labs
Lab

Stand up a two-tier PKI

Using OpenSSL and EJBCA, build a root and issuing CA, issue server and client certificates, publish a CRL and an OCSP responder, then validate and revoke a certificate end-to-end.

Lab

TLS 1.3 handshake dissection

Capture a TLS 1.3 session, decrypt it in Wireshark using logged session keys, identify the negotiated cipher suite and key-share, and confirm perfect forward secrecy.

Study Guide · Lab Guide · Command Guide · Solution Guide · Glossary · Lab Outcomes & Verification · 5-part Workbook
RCSA-M03

Stateful Firewalls & Security Zones

Builds the enterprise perimeter with stateful inspection. Contrasts packet filtering with connection-tracking stateful inspection and the session/flow table, then implements zone-based policy on Juniper SRX (security zones, screens, address books, application objects) and Cisco ASA (interfaces, security-levels, ACLs). Covers source, destination and static NAT with translation verification.

You will be able to
  • Learner can design and implement a trust/untrust/DMZ zone-based security policy on both Juniper SRX and Cisco ASA.
  • Learner can configure source, destination and static NAT and verify translations in the session/xlate table.
  • Learner can build and troubleshoot stateful policies using zones, address books and application objects.
  • Learner can apply SRX screens to mitigate reconnaissance sweeps and SYN/ICMP/UDP floods.
Graded labs
Lab

SRX zone policy and NAT

Configure security zones, address/application objects and inter-zone policies on an SRX, add source and static NAT, and verify sessions and translations from the flow table.

Lab

Cisco ASA security-level policy

Bring up an ASA with inside/outside/DMZ interfaces and security-levels, write ACL-based policy and NAT, and validate connectivity and xlate entries.

Lab

Screen-based DoS mitigation

Enable SRX screens to detect and block a scripted port scan and SYN flood, then confirm the ids-option counters and dropped traffic.

Study Guide · Lab Guide · Command Guide · Solution Guide · Glossary · Lab Outcomes & Verification · 5-part Workbook
RCSA-M04

Next-Generation Firewalls & UTM

Extends the perimeter to application awareness. Covers NGFW capabilities on Juniper AppSecure and Cisco Firepower (FMC/Snort): application identification, user-ID, IPS/IDS policy, URL filtering, antivirus and content filtering, plus Security Intelligence feeds. Introduces SSL forward-proxy decryption and its privacy, performance and compliance trade-offs.

You will be able to
  • Learner can enable and tune application identification (AppSecure / Firepower App Detection) within a security policy.
  • Learner can deploy an IPS/IDS policy and interpret signature-based alerts and false positives.
  • Learner can configure URL-filtering, antivirus and content-filtering UTM profiles.
  • Learner can implement SSL forward-proxy decryption and reason about its privacy and performance impact.
Graded labs
Lab

Application-ID enforcement

Enable AppSecure/App-ID, write a policy that permits business applications and blocks peer-to-peer and anonymizers, and verify identification against generated traffic.

Lab

Firepower IPS with Security Intelligence

On Cisco FMC, apply an IPS policy and Security Intelligence blocklists, generate matching traffic, and analyze the resulting intrusion events.

Lab

SSL forward-proxy decryption

Deploy forward-proxy TLS decryption with a trusted CA, confirm inspection of previously-encrypted flows, and document the privacy and latency trade-offs.

Study Guide · Lab Guide · Command Guide · Solution Guide · Glossary · Lab Outcomes & Verification · 5-part Workbook
RCSA-M05

VPNs: IPsec & SSL/TLS

Delivers secure connectivity end-to-end. Covers the IPsec framework (IKEv1/IKEv2, ISAKMP, ESP/AH, transport vs tunnel mode, Phase 1/Phase 2, PSK vs certificate auth, DH groups, PFS), route-based (st0) vs policy-based tunnels on SRX and crypto maps on ASA, and remote-access SSL VPN with split tunneling. Emphasizes systematic negotiation troubleshooting.

You will be able to
  • Learner can build a route-based IKEv2 site-to-site IPsec VPN between SRX devices and verify Phase 1/Phase 2 SAs.
  • Learner can configure a policy-based/crypto-map IPsec tunnel on Cisco ASA and match interesting traffic.
  • Learner can deploy a remote-access SSL VPN with split tunneling and certificate authentication.
  • Learner can troubleshoot Phase-1 and Phase-2 negotiation failures using IKE debug and SA output.
Graded labs
Lab

SRX-to-SRX IKEv2 route-based VPN

Configure a route-based IPsec tunnel over st0 between two SRX firewalls with certificate authentication and PFS, and verify SAs and encrypted traffic across the tunnel.

Lab

Cisco ASA site-to-site crypto map

Build a policy-based IPsec tunnel on ASA with a crypto map and interesting-traffic ACL, and confirm SA establishment and packet encryption/decryption counters.

Lab

Remote-access SSL VPN

Stand up a remote-access SSL VPN with split tunneling and client-certificate auth, connect a client, and validate the assigned address, routes and reachability.

Study Guide · Lab Guide · Command Guide · Solution Guide · Glossary · Lab Outcomes & Verification · 5-part Workbook
RCSA-M06

AAA, 802.1X & Network Access Control

Gates the LAN by identity. Covers the AAA model, RADIUS versus TACACS+, and 802.1X port-based authentication (supplicant, authenticator, authentication server) with EAP methods (EAP-TLS, PEAP, EAP-TTLS), MAC Authentication Bypass, and dynamic VLAN/downloadable-ACL assignment. Uses FreeRADIUS (and Cisco ISE concepts), device-administration AAA and Change-of-Authorization.

You will be able to
  • Learner can deploy 802.1X port-based authentication with a RADIUS server and dynamic VLAN assignment.
  • Learner can differentiate RADIUS and TACACS+ and configure device-administration AAA for CLI access.
  • Learner can configure EAP-TLS with client certificates and a MAB fallback for non-supplicant devices.
  • Learner can troubleshoot authentication failures using RADIUS accounting, logs and debug output.
Graded labs
Lab

802.1X with FreeRADIUS dynamic VLAN

Configure switch-port 802.1X against FreeRADIUS so authenticated users land in a dynamically-assigned VLAN, and verify Access-Accept and VLAN placement.

Lab

EAP-TLS with PKI and MAB fallback

Issue client certificates from the M02 PKI, enforce EAP-TLS, and configure MAC Authentication Bypass for a printer, verifying both the certificate and MAB paths.

Lab

TACACS+ device administration

Configure TACACS+ authentication, authorization and command accounting for device CLI access, and confirm per-command authorization and accounting records.

Study Guide · Lab Guide · Command Guide · Solution Guide · Glossary · Lab Outcomes & Verification · 5-part Workbook
RCSA-M07

Security Monitoring, Logging & Operations

Operationalizes the defenses. Covers centralized syslog, SNMP, and flow telemetry (J-Flow/NetFlow/IPFIX), SIEM log correlation, and firewall session/traffic-log analysis via Juniper Security Director and Cisco FMC. Runs the NIST incident-response lifecycle on a simulated breach, applies device-hardening baselines, and maps DPDP Act 2023 breach-notification duties.

You will be able to
  • Learner can centralize firewall and device logs to a syslog/SIEM collector and build correlation searches for security events.
  • Learner can analyze NetFlow/J-Flow/IPFIX telemetry to detect anomalous or exfiltration traffic.
  • Learner can execute the NIST incident-response lifecycle (prepare, detect, contain, eradicate, recover) on a simulated breach.
  • Learner can apply and validate a device-hardening baseline against a checklist and DPDP breach-notification requirements.
Graded labs
Lab

Syslog/SIEM correlation pipeline

Forward SRX/ASA and switch logs to a SIEM collector, build correlation rules that flag a brute-force and a policy-violation event, and confirm alerts fire on generated traffic.

Lab

Flow-based anomaly detection

Enable J-Flow/NetFlow export, ingest the telemetry, and identify a scripted data-exfiltration flow by baseline deviation, documenting the detection for incident response.

Study Guide · Lab Guide · Command Guide · Solution Guide · Glossary · Lab Outcomes & Verification · 5-part Workbook

How you’re examined

The RCSA exam format.

RKR RCSA is a two-block certification. Block A is a 90-minute remotely-proctored theory exam of 65 items (multiple-choice, multiple-select and drag-and-map) spanning threat modeling, cryptography/PKI, stateful and next-generation firewalling, NAT logic, IPsec/SSL VPN, AAA/802.1X and security operations; pass mark 70%. Block B is a 4-hour graded practical lab exam on the live RKR security range: the candidate implements a supplied zone/policy matrix on both a Juniper SRX and a Cisco ASA, configures NAT and verifies translations, mitigates a scripted L2 and flood attack with screens/DAI/port-security, brings up one route-based IKEv2 site-to-site tunnel and one remote-access SSL VPN, enables 802.1X dynamic-VLAN authentication against a RADIUS server, and forwards logs to a SIEM collector. Each task is auto-scored against objective verifiers (end-to-end reachability, session/flow tables, IKE/IPsec SA state, RADIUS Access-Accept and correct VLAN assignment); pass mark 75%. Both blocks must be passed in a single 30-day window; the credential is valid for 3 years and renews via a delta practical.

Career plan

Where the RCSA takes you.

RCSA converts a networking or IT graduate into a hire-ready perimeter and access-control operator. The certificate targets the entry-to-mid rungs of India's security-stream ladder, opening SOC and firewall-administration roles immediately and setting up a fast climb to network security engineering as VPN, NGFW and NAC competence is proven on the job.

Roles unlocked
  • SOC Analyst L1 / Security Operations Trainee
  • Firewall Administrator (SRX / ASA / Firepower)
  • Network Security Engineer
  • VPN / Remote-Access Engineer
  • NAC / Identity (802.1X) Engineer
Salary band: Rs 4-16 LPA
  • Entry: SOC Analyst L1 / Security Operations Trainee, Rs 4-8 LPA
  • Foundation: Firewall Administrator (SRX / ASA / Firepower), Rs 8-13 LPA
  • Growth: Network Security Engineer (Perimeter / VPN / NAC), Rs 12-16 LPA
Demand signal

As of Q1 2026, Xpheno/TeamLease reporting shows ~73% of network and security operations roles remain hard to fill in India, against a projected ~53% AI-and-infrastructure skills gap by 2026; niche security specialists command roughly a 1.7x salary premium over generic IT roles, and datacenter build-out from ~1,700 MW toward 5-6.5 GW is expected to add close to 100,000 infrastructure jobs by 2030.

7 modules. 18 graded labs. One verifiable credential.

12 weeks at 10 hours a week — proven at the lab pod, scored against a published rubric.
