RKR Certified Security Professional
Zero-Trust Network Security Engineering | Professional Tier | 16 Weeks, Lab-First
The blueprint
RCSP builds engineers who can contain a breach by design: application-aware NGFW policy with TLS decryption on Juniper SRX and PAN-OS, custom Snort 3/Suricata detection, macro- and micro-segmentation with TrustSec and EVPN-VXLAN group-based policy, identity-driven access with Aruba ClearPass and Cisco ISE, SASE/SD-WAN edge security, and ATT&CK-mapped SIEM detections with automated containment — proven on a live multi-vendor rack and a defended zero-trust capstone design.
Skill domains
6 assessed domains
NGFW & Threat Prevention
- SRX unified policies + AppSecure; PAN-OS App-ID/User-ID
- SSL forward-proxy decryption design with pinned-app exclusions
- Snort 3/Suricata rule authoring; IDP tuning under evasion
- Firewall HA: chassis cluster and active/passive failover
Segmentation & Zero Trust
- Macro-segmentation: VRFs, zones, firewall hairpinning
- TrustSec SGT/SGACL with SXP propagation to firewalls
- EVPN-VXLAN group-based policy and host-level enforcement
- Dependency mapping to least-privilege allow-lists
NAC & Identity
- ClearPass: EAP-TLS, profiling, OnGuard posture, dynamic roles
- Cisco ISE: policy sets, MAB fallback, pxGrid context sharing
- Phased 802.1X rollouts — monitor to closed mode with rollback gates
SASE & Secure SD-WAN
- IPsec/IKEv2 overlays with segment-aware VPN topologies
- DIA breakout with tunnel steering into SSE (SWG/CASB)
- ZTNA private-app access vs legacy VPN exposure
SecOps & Detection
- Firewall/IPS/NAC telemetry pipelines into Elastic or Splunk
- MITRE ATT&CK-mapped correlation rules; portable Sigma content
- SOAR containment: API-driven quarantine via ClearPass/ISE
Cloud & DC Security
- East-west inspection via service-leaf firewall clusters in EVPN-VXLAN
- Layered AWS/Azure policy: SGs, NACLs, centralized managed firewalls
- Securing hybrid connectivity and the fabric control plane
Signature labs
Rack time, not watch time
- PAN-OS TLS decryption rollout with enterprise CA and pinned-app exclusions
- TrustSec micro-segmentation: SGTs from ISE, SXP to firewall, SGACL enforcement
- ClearPass EAP-TLS with posture-gated quarantine and automatic remediation release
- Secure SD-WAN overlay with SSE breakout and ZTNA private-app publishing
- ATT&CK-mapped detection pack firing on live C2, lateral movement and brute force
- Capstone: zero-trust build on the RKR rack surviving scripted attack injection, defended in viva
How you are examined
90-question proctored theory (120 min, 750/1000) + 6-hour graded rack practical: NGFW policy with decryption, ClearPass zero-trust NAC, SGT micro-segmentation, and two live-firing SIEM detections — rubric-scored with a verifiable per-domain scorecard.
Career ladder
- On certification (0-12 months): Network Security Engineer II — NGFW, NAC and segmentation delivery. Rs 10-16 LPA
- 1-2 years: Senior Security Engineer — owns firewall estate, 802.1X rollout, IPS tuning. Rs 16-24 LPA
- 2-4 years: Zero-Trust / SASE Lead — segmentation and SASE programs across sites and DC. Rs 22-32 LPA
- 4+ years (RCSE track): Security Architect — enterprise and datacenter security architecture. Rs 32-48 LPA
Rs 10-24 LPA typical on certification, scaling to Rs 22-35 LPA in senior zero-trust and DC security roles