RKR Certified Security Associate
Lab-first perimeter, crypto, VPN and identity engineering aligned to Juniper JNCIA-SEC and Cisco CCNA Security foundations
The blueprint
RCSA builds a job-ready network security operator who can stand up and defend an enterprise edge end-to-end: model the threat landscape, run a working PKI, enforce zone-based stateful and next-generation firewall policy on Juniper SRX and Cisco ASA/Firepower, terminate IPsec and SSL VPNs, gate the LAN with 802.1X/RADIUS, and operate the whole estate through syslog/SIEM and flow telemetry. Every competency is proven on live RKR range hardware and digital-twin topologies, not slideware.
Skill domains
5 assessed domains
Threat Landscape & Cryptographic Foundations
- Cyber Kill Chain and MITRE ATT&CK mapping of real captures
- CIA/AAA, defense-in-depth and trust/untrust/DMZ zoning
- L2/L3 attacks: ARP spoof, MAC flood, VLAN hop, DHCP starvation
- Symmetric/asymmetric crypto, two-tier X.509 PKI, TLS 1.3 + PFS
Stateful & Next-Generation Firewalls
- SRX security zones, screens, policies, address/application objects
- Cisco ASA interfaces, security-levels and zone-based policy
- Source/destination/static NAT and session-table verification
- AppSecure/App-ID, IPS/IDS, URL filtering, SSL forward-proxy decryption
VPN & Secure Connectivity
- IKEv2 route-based site-to-site IPsec on SRX (st0)
- ASA policy-based crypto-map tunnels and interesting-traffic matching
- Remote-access SSL VPN with split tunneling and certificate auth
- Phase-1/Phase-2 negotiation troubleshooting via IKE debug
Identity, AAA & Access Control
- 802.1X supplicant/authenticator/auth-server with dynamic VLAN
- RADIUS vs TACACS+ and device-administration AAA
- EAP-TLS with client certificates and MAB fallback
- Change-of-Authorization and posture-based access
Security Operations & Compliance
- Centralized syslog/SIEM correlation of firewall and device logs
- NetFlow/J-Flow/IPFIX anomaly detection
- NIST incident-response lifecycle on a simulated breach
- Device-hardening baselines and India DPDP Act 2023 breach obligations
Signature labs
Rack time, not watch time
- Kill-chain reconstruction from a captured intrusion mapped to MITRE ATT&CK
- Two-tier PKI: issue, validate via OCSP/CRL, and revoke an X.509 certificate
- SRX zone policy + NAT and screen-based DoS mitigation, cross-checked on Cisco ASA
- IKEv2 route-based SRX-to-SRX site-to-site VPN plus remote-access SSL VPN
- 802.1X + FreeRADIUS with dynamic VLAN assignment and EAP-TLS/MAB fallback
- Firepower IPS with Security Intelligence and SSL forward-proxy decryption
- Syslog/SIEM pipeline with correlation searches and J-Flow anomaly detection
How you are examined
RKR RCSA is assessed in two blocks. Block A is a 90-minute remotely-proctored theory exam: 65 multiple-choice, multiple-select and drag-map items on threat modeling, crypto/PKI, firewall/NAT logic, IPsec/SSL VPN, AAA/802.1X and security operations (pass mark 70%). Block B is a 4-hour graded practical lab exam on the live RKR range: candidates zone and NAT an SRX and an ASA to a supplied policy matrix, mitigate a scripted L2/flood attack, bring up one IPsec site-to-site and one remote-access SSL VPN, enable 802.1X dynamic VLAN against RADIUS, and pipe logs to the SIEM — each task auto-scored against reachability, session-table, SA and authentication verifiers (pass mark 75%, both blocks required).
Career ladder
- Entry: SOC Analyst L1 / Security Operations Trainee, Rs 4-8 LPA
- Foundation: Firewall Administrator (SRX / ASA / Firepower), Rs 8-13 LPA
- Growth: Network Security Engineer (Perimeter / VPN / NAC), Rs 12-16 LPA
Rs 4-16 LPA