Expert tier · Security stream · Lab-first · Rubric-graded

RCSE: RKR Certified Security Expert

Architect the defense. Hunt the adversary. Run the incident. Prove it under exam pressure.

24 weeks · 12 hrs / week · 9 modules · 21 labs · Prerequisite: RCSP

Overview

What the RCSE certifies.

The RKR Certified Security Expert (RCSE) is the terminal credential of RKR's security stream — an expert-tier program built to the same standard of rigor as Juniper JNCIE-SEC and Cisco CCIE Security, but owned end-to-end by RKR and graded on demonstrable, verifiable competence. RCSE candidates design and defend zero-trust architectures across multi-vendor estates (Juniper SRX, Cisco Secure Firewall, Palo Alto PAN-OS, open-source enforcement), engineer SOC detection pipelines as code, hunt adversaries with hypothesis-driven methodology, and execute enterprise-grade digital forensics and incident response — culminating in a full-day, graded, live incident-response practical that no watch-only certificate can imitate.

The timing thesis is blunt: India's datacenter footprint is scaling from roughly 1,700 MW toward 5-6.5 GW to carry the AI buildout, and every megawatt of GPU fabric is an attack surface someone must architect, monitor, and defend. Simultaneously, the DPDP Act 2023 and its 2025 Rules, CERT-In's 6-hour reporting directions, and sectoral mandates like SEBI's CSCRF have converted security governance from a checkbox into a board-level engineering discipline. Generic security analysts are being automated by SOAR and LLM triage; the people who cannot be automated are those who design the zero-trust fabric, build the detection pipeline, lead the breach response, and sign the audit. RCSE manufactures exactly that person — lab-first, multi-vendor, and India-regulation fluent.

Measurable outcomes

Walk out able to do this — on record.

Learner can architect and defend a multi-vendor zero-trust security architecture (Juniper SRX, Cisco Secure Firewall, ISE/ClearPass, PAN-OS) for a 5,000+ user, multi-site, AI-datacenter estate, including HLD/LLD artefacts

Learner can engineer a production SOC detection pipeline — Zeek/Suricata sensors, Kafka transport, Elastic/Splunk analytics, Sigma detection-as-code in CI, SOAR auto-containment — and quantify its MITRE ATT&CK coverage

Learner can lead a full incident-response lifecycle for a ransomware-plus-exfiltration breach: scoping, containment across firewalls and NAC, memory and disk forensics (Volatility 3, Velociraptor, Plaso), eradication and recovery

Learner can execute hypothesis-driven threat hunts and purple-team exercises (Caldera, Atomic Red Team) that convert detection gaps into deployed, tested analytics

Learner can operationalize DPDP Act 2023 + DPDP Rules 2025 compliance — breach notification within CERT-In's 6-hour window, 180-day log retention, consent-manager integration points — and survive a mock external audit

Learner can design cryptographic infrastructure at scale: enterprise PKI, IKEv2/ADVPN overlays with RFC 8784 post-quantum PPKs, and MACsec-protected datacenter interconnects

Learner can pass an 8-hour expert practical combining build, break-fix, live IR and regulator-grade reporting — and present the results to an executive panel

Who it’s for

Built for these starting lines.

RCSP graduates and senior security engineers (6+ years) ready for architect, principal, or SOC-leadership scope

SOC leads and senior analysts who want to move from running alerts to engineering the detection platform and leading breach response

Network/datacenter engineers securing GPU and AI-infrastructure estates who need expert-tier, multi-vendor security design authority

DFIR practitioners and threat hunters seeking a lab-verified expert credential mapped to Indian regulatory reality (DPDP, CERT-In, CSCRF)

Consultants and pre-sales architects who must design and defend zero-trust programs in front of CISOs and auditors

The syllabus

9 modules. 21 graded labs. No filler.

Every module terminates in a graded lab — theory is never left unproven. This is the full RCSE module sequence, exactly as delivered.

RCSE-M01

Expert Security Architecture & Zero-Trust at Scale

Design-authority module: candidates produce and defend reference architectures for multi-site enterprises and AI datacenters using NIST SP 800-207 zero-trust tenets. Covers macro/micro-segmentation strategy, policy enforcement point placement across Juniper SRX, Cisco Secure Firewall and PAN-OS estates, SASE/ZTNA integration (identity-aware proxying, device posture), east-west controls for GPU fabrics, and failure-domain engineering — how the security layer degrades and recovers under link, node and control-plane failure.

You will be able to
  • Learner can translate NIST SP 800-207 tenets into a segmentation and enforcement-point design for a 3-site, 5,000-user enterprise with an AI/GPU datacenter zone
  • Learner can produce HLD and LLD documents with addressing, policy zones, trust boundaries, and failure-mode analysis that survive a hostile design review
  • Learner can position ZTNA/SASE components against on-prem NGFW enforcement and justify the trade-offs in latency, inspection depth and blast radius
  • Learner can design east-west security for RoCEv2/GPU training fabrics where inline inspection is throughput-prohibitive, using telemetry-based detection and fabric ACLs
Graded labs
Lab

Zero-Trust Reference Build

In EVE-NG, build a segmented multi-vendor estate — SRX cluster at the DC edge, FTD pair for campus, VRF/zone-based macro-segmentation, and a policy-enforced GPU-fabric zone — then validate every trust boundary with scripted traffic probes.

Lab

Hostile Design Review

Author the HLD/LLD for the built estate and defend it live against RKR's red-team review checklist (single points of failure, implicit-trust paths, inspection bypasses); remediate all P1 findings in the lab.

EVE-NG multi-vendor topology bundle · RKR HLD/LLD document templates · Red-team design review checklist
RCSE-M02

Multi-Vendor NGFW Engineering & Policy-as-Code

Expert firewall internals across the two dominant Indian enterprise stacks. Juniper: SRX chassis clusters (redundancy groups, RETH interfaces, control/fabric links), logical systems, unified policies, IDP tuning, asymmetric-flow troubleshooting with flow traceoptions. Cisco: FTD HA and clustering under FMC, prefilter vs access-control policy, Snort 3 custom rules, SSL decryption policy design. The module ends where modern operations lives: rendering firewall policy from Git with Ansible/Terraform, pre-change validation, and drift detection across both vendors.

You will be able to
  • Learner can build and troubleshoot an SRX chassis cluster including redundancy-group failover, fabric-link failure and split-brain scenarios using flow traceoptions and 'show chassis cluster' diagnostics
  • Learner can engineer FTD HA under FMC with correctly layered prefilter, access-control and intrusion policies, and author custom Snort 3 rules for a bespoke application
  • Learner can implement policy-as-code: render a 500+ rule policy set from a Git source of truth to both SRX (Junos PyEZ/Ansible) and FTD (FMC API/Terraform) with CI validation
  • Learner can detect and reconcile policy drift between the deployed estate and the declared state within a change window
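The drift-detection outcome above is vendor-neutral at its core: export the deployed rule set, normalize it, and diff it against the declared state in Git. The following is an added illustration of that step and is not RKR course material or any vendor's API; it assumes a generic rule schema (name, src, dst, app, action, log) that per-vendor exporters would populate, and treats rule order as part of the declared state because firewalls match first-hit.

```python
"""Policy-drift check: declared (Git) firewall rules vs the deployed export.

Added, vendor-neutral illustration; not RKR course code. Rules are dicts in an
assumed generic schema; a real pipeline would fill them from the SRX or FMC export.
"""
from collections import OrderedDict

RULE_FIELDS = ("src", "dst", "app", "action", "log")


def normalize(rule):
    """Canonical form so cosmetic differences (case, list order, list-vs-string)
    are not reported as drift, while semantic differences are."""
    def canon(v):
        if isinstance(v, (list, tuple, set)):
            return tuple(sorted(str(x).lower() for x in v))
        return (str(v).lower(),)
    return {f: canon(rule.get(f, "")) for f in RULE_FIELDS}


def diff_policy(declared, deployed):
    """Compare two ordered rule lists keyed by rule name.

    Returns out-of-band additions, missing rules, per-field changes, and whether
    the relative order of shared rules differs (ordering drift can shadow rules).
    """
    d = OrderedDict((r["name"], r) for r in declared)
    p = OrderedDict((r["name"], r) for r in deployed)
    added = [n for n in p if n not in d]      # on the device, not in Git
    removed = [n for n in d if n not in p]    # in Git, missing on the device
    changed = {}
    for n in d:
        if n not in p:
            continue
        nd, np_ = normalize(d[n]), normalize(p[n])
        diffs = {f: (d[n].get(f), p[n].get(f)) for f in RULE_FIELDS if nd[f] != np_[f]}
        if diffs:
            changed[n] = diffs
    common_declared = [n for n in d if n in p]
    common_deployed = [n for n in p if n in d]
    reordered = common_declared != common_deployed
    return {"added": added, "removed": removed, "changed": changed,
            "reordered": reordered,
            "in_sync": not (added or removed or changed or reordered)}


# Constructed sample: the Git source of truth ...
DECLARED = [
    {"name": "allow-web", "src": "zone-users", "dst": "zone-dmz",
     "app": ["https", "http"], "action": "permit", "log": True},
    {"name": "allow-backup", "src": "zone-dc", "dst": "zone-storage",
     "app": "nfs", "action": "permit", "log": True},
    {"name": "deny-all", "src": "any", "dst": "any",
     "app": "any", "action": "deny", "log": True},
]
# ... and what the device export says after an out-of-band change window.
DEPLOYED = [
    {"name": "allow-web", "src": "zone-users", "dst": "zone-dmz",
     "app": ["HTTP", "HTTPS"], "action": "permit", "log": True},     # cosmetic only
    {"name": "tmp-troubleshoot", "src": "any", "dst": "zone-dc",
     "app": "any", "action": "permit", "log": False},                 # never in Git
    {"name": "deny-all", "src": "any", "dst": "any",
     "app": "any", "action": "deny", "log": True},                    # moved up: now shadows backup
    {"name": "allow-backup", "src": "zone-dc", "dst": "zone-storage",
     "app": "nfs", "action": "permit", "log": False},                 # logging switched off
]


def drift_report(declared, deployed):
    """Human-readable lines suitable for the drift alert."""
    r = diff_policy(declared, deployed)
    lines = [f"added on device: {r['added']}", f"missing on device: {r['removed']}"]
    for name, fields in r["changed"].items():
        for f, (want, have) in fields.items():
            lines.append(f"{name}: {f} declared={want!r} deployed={have!r}")
    if r["reordered"]:
        lines.append("rule order differs from declared state (possible shadowing)")
    return lines


if __name__ == "__main__":
    print("\n".join(drift_report(DECLARED, DEPLOYED)))
```

The normalization step matters in practice: without it, an exporter that upper-cases application names or reorders a list would page the on-call engineer every cycle and the alert would be tuned out before a real change (such as the logging flag flipped on `allow-backup`) arrives.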
Graded labs
Lab

SRX Cluster Break-Fix

Diagnose and repair five seeded faults in an SRX chassis cluster with logical systems — including an asymmetric-return-path drop and a mis-anchored redundancy group — using flow traceoptions and session-table analysis under time pressure.

Lab

FTD/FMC Advanced Policy Build

Deploy an FTD HA pair under FMC; layer prefilter fastpath for storage replication, tuned intrusion policy for the DMZ, custom Snort 3 detections for a proprietary API, and validated SSL decryption with enterprise CA resigning.

Lab

Policy-as-Code Pipeline

Stand up a GitLab CI pipeline that renders a 500-rule policy model to SRX and FTD, runs pre-change Batfish-style validation, deploys on merge, and alerts on out-of-band drift within 15 minutes.

Seeded-fault SRX cluster snapshots · FMC API/Terraform starter repo · Policy model schema and CI templates
RCSE-M03

Advanced VPN & Cryptographic Infrastructure

Cryptography as infrastructure, not theory. IKEv2 internals (EAP, fragmentation, NAT-T edge cases), Juniper ADVPN dynamic spoke-to-spoke overlays, Cisco FlexVPN, and route-based multi-vendor interop. Enterprise PKI at scale with EJBCA/Smallstep — certificate profiles, OCSP/CRL availability engineering, automated enrollment via SCEP/EST/ACME. Post-quantum readiness with RFC 8784 post-quantum pre-shared keys and hybrid key-exchange roadmaps, plus MACsec (802.1AE) with MKA for datacenter interconnects where IPsec throughput is prohibitive.

You will be able to
  • Learner can deploy a certificate-authenticated IKEv2 ADVPN overlay across 10+ sites with dynamic shortcut tunnels and prove failover behavior under hub loss
  • Learner can design and operate an enterprise PKI (root/issuing hierarchy, OCSP responder SLOs, automated EST/ACME enrollment) supporting VPN, 802.1X and TLS inspection use cases
  • Learner can harden IKEv2 deployments against harvest-now-decrypt-later attacks using RFC 8784 PPKs and articulate a hybrid post-quantum migration plan
  • Learner can implement MACsec with MKA on a DC interconnect and validate line-rate encryption with fallback behavior on key-server failure
Graded labs
Lab

ADVPN + PKI at Scale

Build a two-tier EJBCA PKI, auto-enroll 12 SRX/IOS-XE spokes via SCEP, bring up a certificate-authenticated ADVPN overlay with dynamic shortcuts, then revoke a compromised spoke and prove OCSP-driven isolation within minutes.

Lab

Quantum-Safe DCI

Encrypt a datacenter interconnect two ways — MACsec/MKA at layer 2 and IKEv2 with RFC 8784 PPK at layer 3 — benchmark throughput on both, and write the selection memo for a 100G AI-fabric replication link.

EJBCA/Smallstep deployment playbooks · Interop matrix: SRX / IOS XE / strongSwan
RCSE-M04

Identity-Driven Access & Microsegmentation

Identity becomes the perimeter. Expert 802.1X with EAP-TLS at scale, Cisco ISE and Aruba ClearPass policy engineering, RADIUS Change-of-Authorization for dynamic quarantine, posture assessment, and profiling for unmanaged/IoT/OT devices. Enforcement translated into the fabric: TrustSec SGTs and SGACLs, VXLAN Group Policy Option in leaf-spine datacenters, and downloadable ACLs — including the operational reality of scaling group-based policy across thousands of endpoints without TCAM exhaustion.

You will be able to
  • Learner can deploy EAP-TLS 802.1X with ISE or ClearPass integrated with the M03 PKI, including MAB fallback and differentiated authorization profiles for user, IoT and OT classes
  • Learner can trigger automated quarantine via RADIUS CoA from a SIEM/SOAR verdict and verify enforcement end-to-end within 60 seconds
  • Learner can implement group-based microsegmentation (TrustSec SGT/SGACL or VXLAN-GBP) in a leaf-spine fabric and prove east-west policy with per-segment traffic evidence
  • Learner can analyze and remediate policy-scale problems: SGACL TCAM budgeting, profiler misclassification, and CoA failures behind NAT
Graded labs
Lab

EAP-TLS Estate with Dynamic Quarantine

Stand up ISE with EAP-TLS against the module PKI, profile a mixed endpoint estate (corporate, BYOD, IP cameras), then wire a SOAR verdict to CoA so a 'compromised' endpoint is VLAN-quarantined and its sessions torn down in under a minute — with packet captures as evidence.

Lab

Fabric Microsegmentation

In a VXLAN EVPN leaf-spine lab, implement group-based policy separating GPU-training, storage and management segments; demonstrate that a compromised management host cannot reach the training fabric, and document SGT/VNI-to-policy mappings.

ISE/ClearPass policy export bundles · Endpoint-profiling test device catalogue
RCSE-M05

SOC Engineering & Detection-as-Code

Build the SOC, don't just sit in it. Sensor engineering with Zeek and Suricata (tuning, file extraction, JA4 fingerprinting), telemetry transport over Kafka with schema discipline, and analytics on Elastic or Splunk with correctly engineered index lifecycle and EPS budgets. Detection engineering as a software practice: Sigma rules in Git, CI pipelines that replay attack PCAPs/EVTX to validate every detection before deploy, MITRE ATT&CK Navigator coverage scoring, and SOAR playbooks (Shuffle/Cortex XSOAR) that automate triage and containment with human-in-the-loop gates.

You will be able to
  • Learner can build a sensor-to-SIEM pipeline (Zeek + Suricata → Kafka → Elastic/Splunk) sized to a stated EPS budget with index lifecycle management and 180-day retention meeting CERT-In directions
  • Learner can operate a detection-as-code workflow: Sigma rules versioned in Git, CI validation via attack replay, automated deploy, and rollback on false-positive regression
  • Learner can quantify and defend detection coverage against MITRE ATT&CK for a named threat model, prioritizing engineering work by technique criticality
  • Learner can author SOAR playbooks that triage phishing and execute firewall/NAC containment automatically, with approval gates and full audit trails
Graded labs
Lab

Pipeline Build-Out

Deploy Zeek and Suricata sensors on estate SPAN/TAP points, ship via Kafka into Elastic with ILM policies for 180-day retention, and prove the pipeline sustains the assigned EPS target without drop under a replayed traffic storm.

Lab

Detection-as-Code CI

Convert ten raw threat-intel reports into Sigma detections, wire a CI job that replays curated EVTX/PCAP corpora to assert each rule fires (and only when it should), and publish an ATT&CK Navigator layer scoring estate coverage before and after.

Lab

Auto-Containment Playbook

Build a SOAR playbook that takes a high-confidence C2 verdict, enriches with VirusTotal/OTX, blocks at SRX and FTD via API, quarantines the endpoint through ISE CoA, and opens a ticket — end-to-end in under 90 seconds with a human approval gate for production scope.

Curated EVTX/PCAP attack corpora · Sigma CI pipeline reference repo · EPS sizing worksheet
RCSE-M06

Threat Hunting & Adversary Emulation

Hypothesis-driven hunting as a repeatable engineering loop: frame a hypothesis from threat intel, express it as queries over Zeek/EDR/DNS telemetry, hunt, and convert findings into permanent detections. Techniques include C2 beacon detection via timing/jitter analysis and JA3/JA4 TLS fingerprinting, DNS tunneling detection with entropy and query-volume analytics, LOLBin abuse hunting in Windows telemetry, and YARA-based sweeps. Purple teaming with MITRE Caldera and Atomic Red Team closes the loop — emulate a named adversary, measure what the M05 pipeline caught, and fix the gaps.

You will be able to
  • Learner can design and execute a hypothesis-driven hunt over 30+ days of telemetry and document findings in a structured hunt report with detection hand-offs
  • Learner can identify C2 beaconing using inter-arrival timing analysis and JA3/JA4 fingerprints, and DNS exfiltration using entropy and label-length analytics
  • Learner can run adversary emulation of a named APT profile with Caldera/Atomic Red Team and produce a quantified detection-gap report mapped to ATT&CK techniques
  • Learner can convert every confirmed hunt finding into a CI-validated Sigma or Suricata detection deployed to production
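Two of the hunt analytics named above, beacon detection from inter-arrival timing and DNS-tunnel scoring from label entropy, are small enough to show end to end. The block below is an added illustration written for this page, not RKR lab code; the telemetry is constructed inline in a Zeek conn.log / dns.log-like shape (timestamp, source, destination or query), the thresholds are assumed starting points to be tuned per estate, and the "exfil" labels are base32 of a hash standing in for encoded data chunks.

```python
"""Hunt analytics over telemetry: C2 beacon timing and DNS-tunnel scoring.

Added illustration of the hunting techniques described above; not RKR lab code.
Records are constructed inline; a real hunt reads them from the SIEM.
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev


def _timestamps(start, gaps):
    """Turn a list of inter-connection gaps (seconds) into absolute timestamps."""
    out, cur = [], start
    for g in gaps:
        cur += g
        out.append(cur)
    return out


T0 = 1_700_000_000.0
CONN_LOG = []  # (ts, id.orig_h, id.resp_h, id.resp_p), constructed
# Beacon-like: ~60 s period with about +/-1 s of jitter.
for ts in _timestamps(T0, [60, 61.2, 59.2, 60.5, 58.9, 60.9, 60.3, 59.6, 61.0, 59.4]):
    CONN_LOG.append((ts, "10.0.0.5", "203.0.113.9", 443))
# Human-driven browsing: irregular gaps to the same port.
for ts in _timestamps(T0, [3, 40, 7, 900, 15, 2, 300, 60, 5, 1800]):
    CONN_LOG.append((ts, "10.0.0.7", "198.51.100.4", 443))
# Regular but far too few samples to reach a timing verdict.
for ts in _timestamps(T0, [60, 60, 60]):
    CONN_LOG.append((ts, "10.0.0.9", "203.0.113.9", 443))


def beacon_candidates(conn_log, min_connections=8, max_cv=0.15):
    """Flag (src, dst, port) pairs whose inter-arrival times are suspiciously regular.

    Jitter is measured as the coefficient of variation (stdev/mean) of the gaps:
    a fixed sleep plus small jitter scores near 0, interactive use scores above 1.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in conn_log:
        by_pair[(src, dst, dport)].append(ts)
    findings = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough samples to judge
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"pair": pair, "count": len(times),
                             "mean_interval_s": round(mu, 1), "cv": round(cv, 3)})
    return findings


def shannon_entropy(s):
    """Bits per character; encoded data scores high, hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _chunk_label(i):
    # Constructed stand-in for an encoded exfil chunk: base32 of a hash, lower-cased.
    raw = hashlib.sha256(f"chunk{i}".encode()).digest()
    return base64.b32encode(raw).decode().rstrip("=").lower()


DNS_LOG = []  # (ts, id.orig_h, query), constructed
for i in range(8):
    DNS_LOG.append((T0 + i, "10.0.0.5", f"{_chunk_label(i)}.exfil-example.test"))
for i, host in enumerate(["www", "www", "static", "img", "api", "www", "static"]):
    DNS_LOG.append((T0 + i, "10.0.0.7", f"{host}.cdn.example.net"))


def dns_tunnel_candidates(dns_log, zone_depth=2, min_queries=5,
                          min_avg_len=20, min_entropy=3.5, min_unique_ratio=0.9):
    """Flag (src, zone) pairs whose subdomain labels look like encoded data.

    Three signals combine: long subdomains, high entropy, and a high ratio of
    never-repeated names (a tunnel varies the label to defeat caching; a CDN
    repeats the same few hostnames).
    """
    by_zone = defaultdict(list)
    for _ts, src, qname in dns_log:
        labels = qname.rstrip(".").split(".")
        zone = ".".join(labels[-zone_depth:])
        by_zone[(src, zone)].append(".".join(labels[:-zone_depth]))
    findings = []
    for (src, zone), subs in by_zone.items():
        if len(subs) < min_queries:
            continue
        avg_len = mean(len(s) for s in subs)
        avg_ent = mean(shannon_entropy(s) for s in subs)
        uniq = len(set(subs)) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy and uniq >= min_unique_ratio:
            findings.append({"src": src, "zone": zone, "queries": len(subs),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2), "unique_ratio": round(uniq, 2)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(CONN_LOG) + dns_tunnel_candidates(DNS_LOG):
        print(f)
```

Each candidate is a hypothesis to test, not a verdict: the hand-off to M05 is a Sigma or Suricata rule that encodes the confirmed pattern (the destination, the fingerprint, the zone), which is what turns a one-off hunt into a permanent detection.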
Graded labs
Lab

The 30-Day Haystack

Hunt a 30-day, 400 GB telemetry dataset seeded with a low-and-slow intrusion: find the JA4-fingerprinted C2 channel, the DNS-tunneled exfil, and the LOLBin persistence — then ship validated detections for all three.

Lab

Purple-Team Gauntlet

Emulate an APT29-style operation with Caldera against the full M01-M05 estate; score the detection pipeline technique-by-technique, remediate the three worst gaps, and re-run to prove measurable coverage improvement.

400 GB seeded hunt dataset · Caldera adversary profiles · RKR hunt-report template
RCSE-M07

Advanced DFIR & Enterprise Forensics

Court-defensible forensics at enterprise scale. Memory forensics with Volatility 3 (process injection, credential material, rootkit artefacts), disk forensics with The Sleuth Kit/Autopsy (NTFS internals, $MFT/$UsnJrnl, shadow copies), fleet-wide triage and collection with Velociraptor (VQL artefacts), super-timeline construction with Plaso/Timesketch, static/dynamic malware triage in an isolated sandbox, and network forensics — full-PCAP reconstruction, carving exfiltrated files, decrypting TLS with captured key material. Chain-of-custody, evidence hashing and report standards run through everything.

You will be able to
  • Learner can extract injected code, credential artefacts and persistence indicators from a memory image using Volatility 3 and corroborate against disk artefacts
  • Learner can deploy Velociraptor across a 50-host fleet, author custom VQL artefacts, and complete scoped collection and triage inside an hour
  • Learner can build a Plaso super-timeline fusing disk, memory, EVTX and NetFlow evidence to reconstruct an intrusion narrative with defensible timestamps
  • Learner can perform safe malware triage (static analysis, sandbox detonation, IOC extraction) and feed indicators into the detection pipeline
  • Learner can maintain chain-of-custody with cryptographic evidence hashing suitable for legal and regulatory scrutiny
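The chain-of-custody outcome above rests on one mechanical habit: hash every evidence item at collection, record the hashes in a manifest, and re-verify before analysis and before the report goes out. The block below is an added illustration of that habit, written for this page rather than taken from RKR's documentation kit; the case id, collector identity and evidence files are constructed, and the manifest-over-manifest hash is an assumed design choice so that edits to the custody record itself are detectable.

```python
"""Chain-of-custody manifest: hash evidence at collection, verify before analysis.

Added illustration; not RKR's chain-of-custody kit. Produces a JSON-serialisable
manifest with per-file SHA-256 plus a hash over the manifest body itself.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read evidence in 1 MiB chunks; images are far larger than RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _body_digest(body):
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    return hashlib.sha256(json.dumps(body, sort_keys=True,
                                     separators=(",", ":")).encode()).hexdigest()


def build_manifest(case_id, collector, paths):
    """Record who collected what, when, and the hash of every item."""
    items = [{"path": os.path.abspath(p), "size": os.path.getsize(p),
              "sha256": sha256_file(p)} for p in sorted(paths)]
    body = {"case_id": case_id, "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(), "items": items}
    return {"body": body, "manifest_sha256": _body_digest(body)}


def verify_manifest(manifest):
    """Re-hash every item and the manifest body; report per-item status."""
    body = manifest["body"]
    results = {"manifest_intact": _body_digest(body) == manifest["manifest_sha256"]}
    for item in body["items"]:
        p = item["path"]
        if not os.path.exists(p):
            results[p] = "MISSING"
        elif sha256_file(p) != item["sha256"]:
            results[p] = "MISMATCH"
        else:
            results[p] = "ok"
    return results


def demo():
    """Constructed scenario: two evidence files; one is altered after collection,
    then the custody record itself is edited. Returns the verification outcomes."""
    def statuses(res):
        return {os.path.basename(k): v for k, v in res.items() if k != "manifest_intact"}

    with tempfile.TemporaryDirectory() as d:
        mem = os.path.join(d, "srv01.mem")
        pcap = os.path.join(d, "edge.pcap")
        with open(mem, "wb") as f:
            f.write(b"\x00MEMORY-IMAGE-SAMPLE" * 100)   # constructed placeholder bytes
        with open(pcap, "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1PCAP-SAMPLE" * 100)
        m = build_manifest("CASE-0001", "analyst@example.test", [mem, pcap])
        before = verify_manifest(m)
        with open(pcap, "ab") as f:
            f.write(b"tamper")                          # evidence altered post-collection
        after = verify_manifest(m)
        m["body"]["collector"] = "someone-else"         # custody record altered
        edited = verify_manifest(m)
        return {"before": statuses(before), "after": statuses(after),
                "manifest_intact_after": after["manifest_intact"],
                "manifest_intact_edited": edited["manifest_intact"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest only has evidentiary weight if it is recorded somewhere the analyst cannot silently rewrite (a ticket, a signed message, a write-once store); the code detects that the record changed, the process around it establishes who changed it.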
Graded labs
Lab

Memory Autopsy

Analyze a memory image from a ransomware-detonated server with Volatility 3: identify the injection technique, recover the staged payload, extract encryption-key remnants and produce an artefact-by-artefact findings report.

Lab

Fleet Triage at Speed

A 50-endpoint estate has three compromised hosts. Use Velociraptor with custom VQL to find them, collect forensically sound triage bundles, and build the Plaso/Timesketch super-timeline that pins initial access to a single phishing attachment.

Lab

Wire Evidence

From 20 GB of full PCAP, reconstruct the intrusion: carve the exfiltrated archive from a DNS tunnel, decrypt a TLS session using recovered key material, and match transferred file hashes to disk evidence for the final report.

Forensic image and PCAP evidence packs · Custom VQL artefact library · Chain-of-custody documentation kit
RCSE-M08

DPDP Act, CERT-In & Security Governance Engineering

India's regulatory stack, engineered rather than memorized. DPDP Act 2023 and DPDP Rules 2025 obligations for Data Fiduciaries and Significant Data Fiduciaries — consent architecture, data-principal rights workflows, breach notification, cross-border transfer conditions, and penalties up to Rs 250 crore. CERT-In directions: the 6-hour incident-reporting window, 180-day log retention, synchronized NTP. Sectoral overlays (RBI cyber framework, SEBI CSCRF) and ISO 27001:2022 as the audit backbone. Candidates build the compliance machinery — evidence automation, breach runbooks, audit programs — and then get audited.

You will be able to
  • Learner can perform a DPDP gap assessment for a Significant Data Fiduciary, producing a records-of-processing map, consent-flow architecture, and remediation roadmap with engineering owners
  • Learner can author and rehearse a breach-notification runbook that satisfies both the CERT-In 6-hour reporting direction and DPDP data-principal notification duties, with pre-drafted regulator templates
  • Learner can map deployed technical controls (M01-M07) to ISO 27001:2022 Annex A and sectoral requirements, with automated evidence collection rather than screenshot archaeology
  • Learner can represent the security function in a mock external audit — presenting evidence, handling nonconformities, and negotiating corrective-action plans
Graded labs
Lab

DPDP Engineering Sprint

Given a realistic fintech case company, produce the DPDP compliance pack: data-flow inventory, consent-manager integration design, data-principal rights SLA workflows, cross-border transfer assessment, and a breach runbook exercised against a simulated incident on the CERT-In 6-hour clock.

Lab

The Mock Audit

Face a two-day simulated external audit of the estate built across M01-M07: present automated evidence for 25 sampled controls, respond to three seeded nonconformities, and deliver a management-review report that would survive a real certification body.

DPDP/CERT-In obligation matrix · Regulator notification templates · Automated evidence-collection scripts
RCSE-M09

Expert Incident-Response Practical & Capstone

The full rehearsal for the RCSE practical exam. Candidates take command of a live, multi-vendor estate into which RKR detonates a realistic double-extortion campaign — initial access, lateral movement through a misconfigured segment, ransomware staging, and DNS exfiltration. They must lead detection, scoping, containment across SRX/FTD/ISE, forensic investigation, eradication and recovery, then close with regulator notifications and an executive briefing. Incident-command discipline (roles, comms cadence, decision logs) is graded alongside technical execution, followed by a marked mock exam and viva.

You will be able to
  • Learner can lead an end-to-end response to a ransomware-plus-exfiltration incident on a live estate, meeting containment inside 90 minutes and eradication inside the exercise window
  • Learner can run incident command: role assignment, decision logging, stakeholder communications and a legally reviewable incident record
  • Learner can produce the complete closure bundle — CERT-In 6-hour notification, DPDP breach assessment, forensic report and executive board briefing — to the published rubric
  • Learner can score 75%+ on a full-conditions mock of the RCSE 8-hour practical and defend decisions in a recorded viva
Graded labs
Lab

Live-Fire Incident Command

An 8-hour live-fire exercise: RKR's range team detonates a double-extortion campaign into your estate. Detect it, contain it across firewalls and NAC, investigate it with the M07 toolkit, eradicate, recover, and file the regulator notifications — all while running formal incident command and being scored on the 1,000-point rubric.

Lab

Executive Debrief & Viva

Convert the incident record into a board-grade briefing: business impact, root cause, regulatory exposure and a costed remediation program — delivered live to an RKR panel role-playing CISO, legal counsel and an auditor, followed by the mock viva.

Live-fire range access · 1,000-point grading rubric · Incident-command templates and decision-log kit

How you’re examined

The RCSE exam format.

Two-stage expert assessment. Stage 1 — Proctored theory: 90 scenario-based questions in 150 minutes covering architecture trade-offs, protocol internals (IKEv2, MACsec, 802.1X/CoA, TLS fingerprinting), detection engineering, forensics artefacts, and DPDP/CERT-In obligations; 75% pass mark, item-banked and psychometrically reviewed. Stage 2 — 8-hour graded practical on RKR's cloud lab fabric: hours 0-3, build and repair a broken multi-vendor zero-trust estate (SRX chassis cluster, FTD HA pair, ISE-driven segmentation, ADVPN overlay) against a marked requirements sheet; hours 3-8, a live incident is detonated into the estate — candidates must detect, contain, forensically investigate (Volatility 3 memory image, Velociraptor triage, PCAP carve), eradicate, and produce a CERT-In-compliant 6-hour notification plus an executive incident report. Grading uses a published 1,000-point rubric (400 build/fix, 400 IR execution, 200 reporting and regulatory accuracy); a 30-minute recorded viva defends key decisions. Every passing candidate's artefact bundle is hash-signed and verifiable by employers via the RKR credential registry.

Career plan

Where the RCSE takes you.

RCSE is engineered for the jump from senior individual contributor to architect and principal scope — the roles that design zero-trust programs for AI-era datacenters, run SOC and DFIR functions, and own DPDP accountability at board level. These are precisely the positions Indian employers report hardest to fill and pay the niche premium for.

Roles unlocked
Security Architect / Zero-Trust Architect · Principal Security Engineer (Datacenter & AI Infrastructure) · SOC Engineering Lead / Detection Engineering Manager · DFIR Lead / Incident Response Manager · Deputy CISO / Head of Cyber Defense (CISO track)
Salary band
Rs 18-60 LPA (senior to architect band, security stream)
Rung 1 - Entry point after RCSE: Senior Security Engineer / SOC Lead, Rs 18-28 LPA
Rung 2 - 1-2 years applying RCSE scope: Principal Security Engineer / DFIR Lead, Rs 26-40 LPA
Rung 3 - Design authority: Security Architect (Zero-Trust / AI Datacenter), Rs 35-50 LPA
Rung 4 - Leadership: Chief Security Architect / Deputy CISO, Rs 45-60+ LPA
Demand signal

As of June 2026, with India's AI skills gap running near 53% and datacenter capacity scaling from ~1,700 MW toward 5-6.5 GW, employers report ~73% of security-operations and infrastructure-defense roles are hard to fill — and practitioners with verified niche skills (zero-trust architecture, DFIR, DPDP audit) command a ~1.7x pay premium over generalist security staff, against a backdrop of ~100,000 new datacenter jobs expected by 2030.

9 modules. 21 graded labs. One verifiable credential.

24 weeks at 12 hours a week — proven at the lab pod, scored against a published rubric.
