Professional tier · Security stream · Lab-first · Rubric-graded

RCSPRKR Certified Security Professional

Engineer zero-trust networks that assume breach — from App-ID firewalls to identity-driven segmentation at datacenter scale.

16 weeks · 10 hrs / week · 8 modules · 18 labs · Prerequisite: RCSA

Overview

What the RCSP certifies.

The RKR Certified Security Professional (RCSP) is a lab-first, professional-tier network security certification built for engineers who must design and operate the security fabric underneath India's AI-infrastructure buildout. Where associate-level programs teach you to configure a firewall, RCSP teaches you to engineer a defensible network: application-aware NGFW policy with TLS decryption on Juniper SRX and PAN-OS, custom IPS detection with Snort 3 and Suricata, macro-segmentation with VRFs and firewall hairpinning, micro-segmentation with TrustSec SGTs and EVPN-VXLAN group-based policy, and identity-driven access control with Aruba ClearPass and Cisco ISE. Every module terminates in a graded rack lab — candidates leave with configurations, packet captures, and detection content they can show an interviewer, not a watch-completion badge.

RCSP exists because the security job market is splitting in two. Generic firewall-ticket work is being absorbed by automation and managed SOCs, while the roles India actually cannot fill — zero-trust engineers for GPU datacenters, NAC specialists for 50,000-endpoint campuses, SASE migration leads — demand cross-platform depth that no single vendor track provides. RCSP is deliberately multi-vendor and comparable in rigor to Juniper JNCIP-SEC, Cisco CCNP Security, and Aruba's ClearPass professional track, but RKR-owned and assessed on a live multi-vendor rack. The capstone requires every candidate to design, implement, and defend a complete zero-trust segmentation for a three-site enterprise plus a leaf-spine datacenter — the exact deliverable senior security roles are hired to produce.

Measurable outcomes

Walk out able to do this — on record.

Design and implement application-aware NGFW policy with TLS decryption, IPS and sandboxing across Juniper SRX, PAN-OS and Cisco Secure Firewall

Author and tune custom IDS/IPS detection content in Snort 3 and Suricata, validated against evasive replayed attack traffic

Engineer macro- and micro-segmentation using VRFs, security zones, TrustSec SGT/SGACL and EVPN-VXLAN group-based policy

Deploy identity-driven zero-trust access with Aruba ClearPass and Cisco ISE — EAP-TLS, profiling, posture, and dynamic enforcement

Build secure SD-WAN and SASE architectures: IPsec overlays, service-chained inspection, SSE breakout and ZTNA for private applications

Operationalize detection: log pipelines into a SIEM, MITRE ATT&CK-mapped correlation rules, and SOAR-automated containment via NAC APIs

Produce and defend a complete zero-trust segmentation design — policy model, enforcement points, migration plan — for an enterprise plus datacenter

Who it’s for

Built for these starting lines.

RCSA graduates and firewall/NOC engineers with 2-4 years of hands-on experience ready to move from ticket execution to security design

Network engineers (CCNA/JNCIA-level or RKR associate) pivoting into security specialization — NAC, segmentation, SASE

SOC analysts who can read alerts but want to build and own the enforcement infrastructure behind them

Campus and datacenter engineers tasked with an upcoming zero-trust, 802.1X, or SD-WAN security rollout

System integrator and MSP engineers who must deploy across Juniper, Cisco, Palo Alto and Aruba estates

The syllabus

8 modules. 18 graded labs. No filler.

Every module terminates in a graded lab — theory is never left unproven. This is the full RCSP module sequence, exactly as delivered.

RCSP-M01

NGFW Engineering: App-ID, Decryption and Policy Design

Moves beyond port-based rules into application-aware policy engineering. Candidates work Juniper SRX unified policies with AppSecure (AppID, AppFW, AppTrack), PAN-OS App-ID/Content-ID with User-ID mapping, and Cisco Secure Firewall access control policies — then confront the hard part: SSL forward-proxy decryption design, certificate deployment, decryption exclusions for pinned apps, and policy-order pitfalls when application shifts occur mid-session.

You will be able to
  • Learner can design a zone-based, application-aware policy set on SRX unified policies and explain rule-match order including dynamic application resolution
  • Learner can implement SSL forward-proxy decryption on PAN-OS with a subordinate CA, exclusion lists for certificate-pinned applications, and verify via decryption logs
  • Learner can map users to sessions with User-ID/JIMS-style identity sources and write user- and group-based rules instead of IP-based rules
  • Learner can migrate a legacy L4 ACL rulebase to an application-based rulebase and prove functional equivalence with traffic replay
  • Learner can operate firewall HA (SRX chassis cluster, PAN-OS active/passive) and execute a hitless policy push and failover
Graded labs
Lab: SRX App-Aware Zone Policy Build

On vSRX, build trust/DMZ/untrust zones with unified policies using dynamic-applications, enable AppTrack, and verify application shifts with 'show security flow session' and structured syslog.

Lab: PAN-OS TLS Decryption Rollout

Deploy SSL forward proxy on PAN-OS VM-Series with an enterprise subordinate CA, build decryption policy with pinned-app exclusions, and validate with decrypted threat-log evidence against test traffic.

Lab: L4-to-App Policy Migration

Convert a 60-rule port-based ACL export into an application-based rulebase, replay captured production-like traffic through the firewall, and produce a hit-count report proving no service breakage.

EVE-NG topology pack (vSRX, PAN-OS VM-Series, FTDv) · Legacy rulebase migration workbook · Traffic replay pcap library
RCSP-M02

IDS/IPS and Threat Prevention: Detection Engineering

Treats IPS as an engineering discipline, not a checkbox. Candidates dissect Snort 3 and Suricata rule anatomy — flow keywords, flowbits, content matches with PCRE, metadata and thresholds — write custom rules against live C2 and exploit traffic, tune Juniper IDP policies with custom attack objects, and integrate cloud sandboxing (Juniper ATP Cloud, WildFire-class services). Evasion is covered head-on: fragmentation, session splicing, and TLS-wrapped payloads.

You will be able to
  • Learner can author Snort 3/Suricata rules using flowbits, PCRE and byte_test to detect a multi-stage exploit chain in replayed pcaps
  • Learner can build and tune a Juniper IDP policy with custom attack objects and exempt rules, reducing false positives below a target threshold without missing seeded true positives
  • Learner can demonstrate and then defeat at least three IDS evasion techniques (IP fragmentation, TCP segmentation overlap, TLS encapsulation) using preprocessor/stream tuning
  • Learner can integrate file-based sandboxing verdicts into firewall policy and trace a malicious file from submission to block
Graded labs
Lab: Custom Rule Authoring Against C2 Beaconing

Analyze pcaps of periodic HTTPS beaconing and DNS tunneling, write Suricata rules (JA3/SNI, dns.query, thresholding) that catch the C2 while staying silent on 24 hours of benign background traffic.

Lab: IDP Tuning Under Evasion

On vSRX IDP, detect a seeded exploit set delivered normally, then re-delivered with fragmentation and segmentation evasion; tune stream reassembly and policy until detection holds with zero new false positives.

Curated attack pcap corpus (mapped to CVEs) · Suricata/Snort 3 rule-writing cheat card · IDP tuning runbook
RCSP-M03

Macro- and Micro-Segmentation Architecture

The core zero-trust discipline: containing lateral movement. Candidates implement macro-segmentation with VRF-lite, security zones and inter-VRF firewall hairpinning; then micro-segmentation with Cisco TrustSec (SGT classification, SXP propagation, SGACL enforcement), EVPN-VXLAN group-based policy, and host/hypervisor distributed firewalling in the NSX/Secure Workload model. Emphasis on the policy-model design that must precede any config: application dependency mapping, allow-list construction, and enforcement-point selection.

You will be able to
  • Learner can design a macro-segmentation scheme (user/IoT/server/OT VRFs) with all inter-segment traffic hairpinned through an inspection firewall and justify the failure domains
  • Learner can classify endpoints into SGTs (static, 802.1X-derived), propagate tags via SXP to a non-TrustSec firewall, and enforce SGACLs at the fabric edge
  • Learner can build an application dependency map from flow telemetry (IPFIX/NetFlow) and convert it into a least-privilege micro-segmentation allow-list
  • Learner can articulate when EVPN-VXLAN group-based policy, SGT/SGACL, or host-based distributed firewalling is the correct enforcement layer and the migration order between them
Graded labs
Lab: VRF + Firewall Hairpin Macro-Segmentation

Segment a campus core into four VRFs, leak no routes directly, force all inter-VRF traffic through an SRX inspection zone pair, and prove containment by attempting lateral movement from a compromised IoT host.

Lab: TrustSec Micro-Segmentation with SXP

Assign SGTs via ISE authorization policy, propagate IP-SGT bindings over SXP to the firewall, enforce SGACLs blocking PCI-to-guest traffic, and validate with 'show cts role-based counters'.

Segmentation policy-model design template · Flow-telemetry dependency-mapping worksheet
RCSP-M04

Zero-Trust NAC: ClearPass and ISE at Enterprise Scale

Deep, deployment-grade NAC engineering on the two platforms that dominate Indian enterprise RFPs. Aruba ClearPass Policy Manager: service classification, 802.1X with EAP-TLS and OCSP, DHCP/HTTP device profiling, OnGuard posture, and enforcement via Aruba user roles, dACLs and VLAN assignment. Cisco ISE: policy sets, certificate authentication profiles, TrustSec integration and pxGrid context-sharing with firewalls. Includes the operational reality — monitor mode rollouts, MAB fallbacks for printers, and change windows that don't lock out a campus.

You will be able to
  • Learner can deploy end-to-end EAP-TLS on wired and wireless with ClearPass — SCEP/Intune-style cert distribution, OCSP validation, and role-based enforcement on Aruba/Cisco switches
  • Learner can build ClearPass profiling and posture policy (OnGuard) that quarantines non-compliant endpoints to a remediation role and releases them automatically on compliance
  • Learner can configure ISE policy sets with certificate and MAB fallback flows, and share session context to a firewall via pxGrid for identity-based rules
  • Learner can plan and execute a phased NAC rollout (monitor mode, then low-impact, then closed mode) with rollback criteria for a 5,000-port campus
  • Learner can integrate NAC REST APIs to programmatically quarantine an endpoint from an external trigger
Graded labs
Lab: ClearPass EAP-TLS with Dynamic Roles

Stand up ClearPass with an enterprise CA, authenticate wired and wireless clients via EAP-TLS, and push differentiated Aruba user roles and dACLs based on AD group and device profile.

Lab: Posture-Gated Access with OnGuard

Enforce disk-encryption and AV posture via OnGuard; non-compliant machines land in a remediation VLAN with a captive portal, and re-auth automatically restores full access on remediation.

Lab: ISE TrustSec + pxGrid Firewall Integration

Configure ISE to assign SGTs at authorization, feed identity/session context to the firewall over pxGrid/SXP, and write a user-group-based firewall rule that follows the user across IP changes.

ClearPass service-template pack · Phased 802.1X rollout playbook · NAC API quarantine scripts (Python)
RCSP-M05

SASE and Secure SD-WAN

Security for the WAN edge as it actually ships in 2026: SD-WAN overlays with IPsec/BFD, on-box embedded security (app-aware firewall, IPS, DNS-layer security) versus service-chained regional hubs, and SSE integration — secure web gateway, CASB and ZTNA delivered from Zscaler/Prisma Access/Umbrella-class clouds. Candidates design direct-internet-access breakouts with tunnel steering, compare ZTNA against legacy VPN for private-app access, and reason about where inspection lives for latency-sensitive AI/branch traffic.

You will be able to
  • Learner can build a secure SD-WAN overlay (IPsec with IKEv2, BFD liveness, segment-aware VPN topologies) and apply app-aware firewall plus IPS policy at the branch edge
  • Learner can configure DIA breakout with automatic tunnel steering (GRE/IPsec) into an SSE point of presence and fail over to backhaul on tunnel loss
  • Learner can deploy ZTNA for a private application — connector, identity-based access policy, per-app tunnel — and contrast its exposure surface with a full-tunnel VPN
  • Learner can produce a SASE migration design that sequences SWG, CASB and ZTNA adoption for a 40-branch enterprise with an on-prem DC
Graded labs
Lab: Secure SD-WAN Overlay with Embedded Security

Build a 3-site SD-WAN overlay, segment guest vs corporate into separate VPNs, enable branch app-aware firewall and IPS, and verify per-segment policy with generated inter-branch attack traffic.

Lab: SSE Breakout and ZTNA Private Access

Steer branch internet traffic through an IPsec tunnel to an SSE platform with SWG policy, then publish an internal app via ZTNA connector and demonstrate identity-gated, per-app access with no inbound firewall holes.

SD-WAN security reference topologies · SASE vendor-evaluation scorecard
RCSP-M06

SIEM, Detection Engineering and SecOps Automation

Enforcement without detection is theater. Candidates build the telemetry pipeline — structured syslog from SRX/PAN-OS, NetFlow/IPFIX, ClearPass RADIUS accounting — into Elastic Security or Splunk, parse and normalize it, and write correlation rules mapped to MITRE ATT&CK techniques (lateral movement T1021, C2 T1071, credential access T1110). Detection content is expressed portably in Sigma, then compiled per-SIEM. Closes with SOAR-style automation: alert-triggered containment through ClearPass/ISE and firewall APIs.

You will be able to
  • Learner can build an ingestion pipeline for firewall, IPS and NAC telemetry with parsing/normalization into ECS-style fields and prove field fidelity with test events
  • Learner can author five correlation detections mapped to specific MITRE ATT&CK technique IDs and validate them against replayed attack traffic with measured precision
  • Learner can write portable detections in Sigma and compile them to the target SIEM's query language
  • Learner can build an automated containment playbook that quarantines an endpoint via the ClearPass REST API within 60 seconds of a triggered detection
Graded labs
Lab: ATT&CK-Mapped Detection Pack

Ingest SRX, Suricata and ClearPass logs into Elastic; author and tune five detections (SMB lateral movement, DNS tunneling, brute force, beaconing, rogue DHCP) that fire on seeded attacks and stay quiet on benign replay.

Lab: Automated Quarantine Playbook

Wire a detection to a webhook that calls the ClearPass API to bounce the offending session into a quarantine role, notify via chat, and log the containment timeline end to end.

Sigma detection starter pack · ECS field-mapping reference · Containment playbook code (Python)
RCSP-M07

Cloud and Datacenter Security

Securing the environments where India's AI workloads actually run. Datacenter side: firewall clustering and state sync (SRX chassis cluster, PAN-OS HA), east-west inspection insertion via service leafs in an EVPN-VXLAN fabric, and protecting the fabric itself (control-plane policing, storage/RoCE traffic isolation). Cloud side: layered AWS/Azure policy — security groups vs NACLs vs NSGs, managed firewalls (AWS Network Firewall, Azure Firewall) for centralized egress inspection, and securing hybrid connectivity over Direct Connect/ExpressRoute with IPsec.

You will be able to
  • Learner can insert an active/passive firewall cluster as a service leaf in an EVPN-VXLAN fabric and steer selected east-west VNI traffic through inspection without hairpinning everything
  • Learner can design layered cloud network security — SG/NACL/NSG boundaries plus a centralized inspection VPC/VNet with a managed firewall — and justify each layer's role
  • Learner can secure hybrid DC-to-cloud connectivity with IPsec over private circuits and consistent segmentation identifiers across both sides
  • Learner can harden the DC fabric itself: CoPP, dedicated isolation for storage/GPU traffic classes, and management-plane access control
Graded labs
Lab: East-West Inspection in an EVPN-VXLAN Fabric

In a virtual leaf-spine fabric, attach a vSRX cluster to a service leaf, steer database-tier to app-tier traffic through it via route policy, and prove both the inspection path and sub-second cluster failover.

Lab: Layered Cloud Ingress/Egress Security

Build an AWS lab with a centralized inspection VPC (AWS Network Firewall), spoke workload VPCs, SG/NACL least-privilege policy, and demonstrate blocked exfiltration attempts appearing in firewall flow logs.

EVPN-VXLAN security lab topology · Cloud security reference architecture (AWS/Azure)
RCSP-M08

Capstone: Zero-Trust Segmentation Design and Defense

The certifying deliverable. Each candidate receives a realistic brief — a three-site enterprise (corporate campus, factory with OT, remote workforce) plus a leaf-spine datacenter hosting regulated workloads — and must produce a complete zero-trust segmentation design: identity and device trust (ClearPass), macro/micro enforcement layers, NGFW and decryption policy, SASE for remote access, detection coverage mapped to ATT&CK, and a phased migration plan that never takes production down. The design is implemented on the RKR rack and defended in a viva before RKR examiners.

You will be able to
  • Learner can translate business and compliance requirements into a written zero-trust policy model: trust zones, identity sources, enforcement points and explicit allow-lists
  • Learner can implement the design end to end on live equipment — NAC, segmentation, NGFW, SASE and SIEM detections working together against a red-team traffic injection
  • Learner can produce a phased migration plan (monitor, low-impact, closed) with rollback gates and defend every design trade-off under examiner questioning
  • Learner can quantify residual risk: what the design does not stop, and the compensating detections that cover it
Graded labs
Lab: Design Workshop and Peer Red-Review

Produce the full segmentation design document (policy model, enforcement matrix, migration phases) and survive a structured peer red-team review that attacks the design on paper before any config is written.

Lab: Graded Capstone Build and Defense

Implement the design on the RKR multi-vendor rack in a timed window, withstand a live scripted attack injection (lateral movement, C2, rogue endpoint), and defend the results in a 30-minute viva.

Capstone brief pack (3 scenario variants) · Enforcement-matrix template · Examiner rubric (published)

How you’re examined

The RCSP exam format.

Two-part RKR assessment, both proctored. Part 1: 90-question theory exam (120 minutes, scenario-heavy — policy-order reasoning, IPS rule interpretation, SGT propagation, SASE design trade-offs; 750/1000 to pass). Part 2: a 6-hour graded practical on a live multi-vendor rack — the candidate receives a security requirements document and must configure app-aware zone policy with TLS decryption on SRX/PAN-OS, stand up ClearPass EAP-TLS with posture-gated enforcement, implement SGT-based micro-segmentation propagated over SXP to the firewall, and ship two ATT&CK-mapped SIEM detections that fire against replayed attack traffic. Scored against a published rubric (working configs 60%, detection efficacy 20%, design justification memo 20%); partial credit per task, 70% overall to pass. Results include a per-domain scorecard employers can verify at training.rkr-networks.com.

Career plan

Where the RCSP takes you.

RCSP is engineered for the mid-to-senior jump: from executing firewall changes to owning zero-trust, NAC and SASE programs. Multi-vendor enforcement depth plus detection engineering is precisely the profile GCCs, hyperscale-adjacent datacenter operators and large SIs in Bengaluru, Hyderabad, Mumbai and NCR pay a premium for — and it is the standard prerequisite profile for security architect tracks.

Roles unlocked
  • Senior Network Security Engineer (NGFW/IPS)
  • NAC / Zero-Trust Engineer (ClearPass, ISE)
  • SASE / SD-WAN Security Specialist
  • Security Delivery Lead (SI/MSP)
  • Datacenter Security Engineer
  • Detection Engineer (network-focused)
Salary band: Rs 10-24 LPA typical on certification, scaling to Rs 22-35 LPA in senior zero-trust and DC security roles

Career ladder
  • On certification (0-12 months): Network Security Engineer II — NGFW, NAC and segmentation delivery (Rs 10-16 LPA)
  • 1-2 years: Senior Security Engineer — owns firewall estate, 802.1X rollout, IPS tuning (Rs 16-24 LPA)
  • 2-4 years: Zero-Trust / SASE Lead — segmentation and SASE programs across sites and DC (Rs 22-32 LPA)
  • 4+ years (RCSE track): Security Architect — enterprise and datacenter security architecture (Rs 32-48 LPA)
Demand signal

As of mid-2026, industry surveys peg India's AI-infrastructure skills gap near 53%, with 73% of security and infrastructure operations roles reported hard to fill; niche zero-trust/NAC specialists command roughly a 1.7x pay premium over generalist network engineers as datacenter capacity scales from about 1,700 MW toward 5-6.5 GW — a buildout projected to create on the order of 100,000 datacenter-linked jobs by 2030, a disproportionate share in security operations.

8 modules. 18 graded labs. One verifiable credential.

16 weeks at 10 hours a week — proven at the lab pod, scored against a published rubric.
