Expert Security Architecture & Zero-Trust at Scale
Design-authority module: candidates produce and defend reference architectures for multi-site enterprises and AI datacenters using NIST SP 800-207 zero-trust tenets. Covers macro/micro-segmentation strategy, policy enforcement point placement across Juniper SRX, Cisco Secure Firewall and PAN-OS estates, SASE/ZTNA integration (identity-aware proxying, device posture), east-west controls for GPU fabrics, and failure-domain engineering — how the security layer degrades and recovers under link, node and control-plane failure.
- Learner can translate NIST SP 800-207 tenets into a segmentation and enforcement-point design for a 3-site, 5,000-user enterprise with an AI/GPU datacenter zone
- Learner can produce HLD and LLD documents with addressing, policy zones, trust boundaries, and failure-mode analysis that survive a hostile design review
- Learner can position ZTNA/SASE components against on-prem NGFW enforcement and justify the trade-offs in latency, inspection depth and blast radius
- Learner can design east-west security for RoCEv2/GPU training fabrics where inline inspection is throughput-prohibitive, using telemetry-based detection and fabric ACLs
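The last objective is the one candidates most often hand-wave, so here is a concrete shape for it. This is an added example, not RKR course material or lab code: a small detector that runs over exported flow records (the kind sFlow/IPFIX collectors emit) and applies three checks a fabric ACL cannot express on its own: non-RDMA traffic between fabric hosts, traffic leaving the fabric prefix, and traffic between hosts that belong to different training jobs. The flow-record shape, the fabric prefix 10.200.0.0/16, the job-to-host mapping and the tolerated management protocol set are all constructed assumptions; the only real-world constant is RoCEv2's UDP destination port 4791.

```python
"""Telemetry-based east-west detection for a RoCEv2 GPU fabric.

Added example, not part of the RKR course. Inline inspection cannot keep
up with fabric link speeds, so the east-west control is a coarse fabric
ACL plus detection over flow telemetry. Everything below except the
RoCEv2 port number is a constructed assumption for illustration.
"""
import ipaddress

ROCEV2_UDP_PORT = 4791                 # IANA-assigned RoCEv2 destination port
ALLOWED_MGMT = {("tcp", 22)}           # assumed: operator SSH is tolerated on the fabric
FABRIC_NET = "10.200.0.0/16"           # assumed GPU-fabric prefix
JOB_HOSTS = {                          # assumed job-to-host mapping from the scheduler
    "llm-a": {"10.200.1.10", "10.200.1.11"},
    "llm-b": {"10.200.2.20"},
}


def analyse(records, fabric_net, job_hosts, mgmt=ALLOWED_MGMT):
    """Return a list of (rule_name, record) alerts.

    records    : iterable of dicts with keys src, dst, proto, dport, bytes
    fabric_net : CIDR string of the GPU-fabric prefix
    job_hosts  : dict job_name -> set of host IP strings currently in that job
    """
    net = ipaddress.ip_network(fabric_net)
    host_job = {h: job for job, hosts in job_hosts.items() for h in hosts}
    alerts = []
    for r in records:
        src = ipaddress.ip_address(r["src"])
        dst = ipaddress.ip_address(r["dst"])
        src_in, dst_in = src in net, dst in net
        if not (src_in or dst_in):
            continue                   # not fabric traffic; other detectors own it
        if src_in != dst_in:
            # The fabric is meant to be isolated; anything crossing the prefix
            # boundary should only happen via the defined storage/ingest gateways.
            alerts.append(("fabric-egress", r))
            continue
        key = (r["proto"], r["dport"])
        if key != ("udp", ROCEV2_UDP_PORT) and key not in mgmt:
            # East-west inside the fabric should be RDMA (or tolerated mgmt).
            alerts.append(("non-rdma-on-fabric", r))
        sj, dj = host_job.get(r["src"]), host_job.get(r["dst"])
        if sj is None or dj is None or sj != dj:
            # Hosts of different jobs (or hosts the scheduler does not know)
            # talking to each other is lateral movement until proven otherwise.
            alerts.append(("cross-job", r))
    return alerts


def sample_records():
    """Constructed flow records used to exercise the three rules."""
    return [
        {"src": "10.200.1.10", "dst": "10.200.1.11", "proto": "udp", "dport": 4791, "bytes": 9_000_000},
        {"src": "10.200.1.10", "dst": "10.200.2.20", "proto": "udp", "dport": 4791, "bytes": 5_000_000},
        {"src": "10.200.1.11", "dst": "10.200.1.10", "proto": "tcp", "dport": 445, "bytes": 12_000},
        {"src": "10.200.1.10", "dst": "192.0.2.50", "proto": "tcp", "dport": 443, "bytes": 80_000},
        {"src": "10.10.5.5", "dst": "10.10.5.6", "proto": "tcp", "dport": 80, "bytes": 1_000},
        {"src": "10.200.1.10", "dst": "10.200.1.11", "proto": "tcp", "dport": 22, "bytes": 4_000},
    ]


def summarise(alerts):
    """Count alerts per rule so a dashboard can show fabric health at a glance."""
    counts = {}
    for rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyse(sample_records(), FABRIC_NET, JOB_HOSTS)
    for rule, rec in found:
        print(f"{rule:20s} {rec['src']} -> {rec['dst']} {rec['proto']}/{rec['dport']}")
    print(summarise(found))
```

The job mapping is the piece that makes this more than a port filter: it has to be fed from the scheduler each time a job is placed, otherwise the "cross-job" rule will fire on every legitimate reschedule. Treat that feed as part of the control plane in the failure-domain analysis.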
Zero-Trust Reference Build
In EVE-NG, build a segmented multi-vendor estate — SRX cluster at the DC edge, FTD pair for campus, VRF/zone-based macro-segmentation, and a policy-enforced GPU-fabric zone — then validate every trust boundary with scripted traffic probes.
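"Validate every trust boundary with scripted traffic probes" deserves a concrete form, so here is an added example (not the RKR lab's own tooling). The design intent is encoded as a list of probes, each naming the source zone, destination zone, target and the expected outcome; the script fires TCP connects from wherever it is run and grades each boundary. The zone names, addresses and ports are hypothetical, and the loopback listener exists only so the script can be exercised offline. The grading distinguishes a silent drop from a reset, because a RST under a "deny" expectation means something answered, and you need to confirm it was the PEP rejecting rather than the target host being reachable.

```python
"""Scripted trust-boundary probes for a segmented estate.

Added example, not part of the RKR lab. Run it from a host inside the
source zone you are validating; every zone, address and port below is a
constructed assumption for illustration.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    src_zone: str
    dst_zone: str
    dst_host: str
    dst_port: int
    expect: str        # "allow" or "deny", taken from the LLD policy matrix


def tcp_probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt.

    open        - handshake completed: traffic crosses the boundary
    refused     - RST came back: something answered (target host or a rejecting PEP)
    filtered    - nothing came back before the timeout: typical of a silent drop
    unreachable - the local stack has no route: the probe host is misplaced
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def judge(expect, outcome):
    """Compare an observed outcome with design intent; returns (verdict, reason)."""
    if outcome == "unreachable":
        return "WARN", "probe host has no route; result says nothing about the PEP"
    if expect == "allow":
        if outcome == "open":
            return "PASS", ""
        return "FAIL", f"expected allow, got {outcome}"
    if outcome == "open":
        return "FAIL", "implicit-trust path: boundary passes traffic it should drop"
    if outcome == "refused":
        return "WARN", "RST received: confirm it came from the PEP (reject) and not the target host"
    return "PASS", ""


def run_probes(probes, prober=tcp_probe):
    """Run every probe and return a list of result dicts; prober is injectable for testing."""
    results = []
    for p in probes:
        outcome = prober(p.dst_host, p.dst_port)
        verdict, reason = judge(p.expect, outcome)
        results.append({
            "boundary": f"{p.src_zone}->{p.dst_zone}",
            "target": f"{p.dst_host}:{p.dst_port}",
            "expect": p.expect, "outcome": outcome,
            "verdict": verdict, "reason": reason,
        })
    return results


def listen_on_loopback():
    """Bind an ephemeral listener on 127.0.0.1 so an 'allow' probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_loopback_port():
    """Reserve then release an ephemeral port so a probe to it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = listen_on_loopback()
    probes = [
        Probe("campus", "dc-services", "127.0.0.1", open_port, "allow"),
        Probe("campus", "gpu-fabric", "127.0.0.1", closed_loopback_port(), "deny"),
    ]
    for r in run_probes(probes):
        print(f"{r['verdict']:4s} {r['boundary']:22s} {r['target']:18s} "
              f"expect={r['expect']} got={r['outcome']} {r['reason']}")
    srv.close()
```

Run the same probe list from each zone in turn; a boundary is only validated when the "deny" rows come back filtered from every source that should not reach the target, and a WARN row is a finding to chase in the PEP logs, not a pass.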
Hostile Design Review
Author the HLD/LLD for the built estate and defend it live against RKR's red-team review checklist (single points of failure, implicit-trust paths, inspection bypasses); remediate all P1 findings in the lab.