This course is in active development.
GDSA
The GDSA certification validates expertise in designing and implementing defensible network architectures, covering Zero Trust, secure segmentation, monitoring, and cloud security to protect enterprise and hybrid environments.
Who Should Take This
Senior security architects, lead engineers, and infrastructure specialists with five or more years of experience in IT security, networking, and cloud platforms should pursue GDSA. They seek to deepen their ability to craft Zero Trust frameworks, design resilient segmentation, and integrate advanced monitoring across multi-cloud and on-premises environments.
What's Covered
1. Defensible Network Architecture Foundations
2. Zero Trust Architecture
3. Network Security Monitoring Infrastructure
4. Cloud Security Architecture
5. Secure Segmentation Strategies
6. Security Architecture Assessment and Evolution
Course Outline
60 learning goals
1. Defensible Network Architecture Foundations (3 topics)
Defensible Architecture Principles
- Describe the core principles of defensible security architecture including defense in depth, least privilege, fail-safe defaults, economy of mechanism, complete mediation, and separation of duties as applied to network design.
- Identify the characteristics that make a network architecture defensible including monitored choke points, consistent policy enforcement, rapid containment capability, and forensic evidence preservation built into the design.
- Implement a defensible network design that positions security enforcement points at trust boundaries, enables full traffic visibility at critical junctions, and provides rapid isolation capabilities for compromised segments.
- Evaluate an existing network architecture against defensible design principles to identify areas lacking monitoring visibility, inadequate segmentation boundaries, and single points of security failure requiring remediation.
Network Topology and Trust Zones
- Describe network trust zone models including DMZ architectures, internal segmentation zones, management networks, and data classification-based zones, and explain the security properties each zone boundary enforces.
- Implement multi-tier DMZ architecture with separate external, application, and database zones, configuring firewall rules that enforce strict inter-zone traffic policies and prevent direct external access to internal resources.
- Configure network access control to enforce endpoint health posture checks, VLAN assignment based on authentication and device compliance, and quarantine remediation zones for non-compliant devices.
- Analyze network traffic flows between trust zones to validate that firewall rule bases enforce intended access policies, identify overly permissive rules, and detect unauthorized cross-zone communications.
Routing and Switching Security
- List the common Layer 2 attack vectors including ARP spoofing, VLAN hopping, MAC flooding, and STP manipulation, and describe the network security controls that mitigate each attack at the switching infrastructure level.
- Implement switch port security controls including dynamic ARP inspection, DHCP snooping, port security MAC limiting, and private VLANs to harden the Layer 2 infrastructure against network reconnaissance and spoofing attacks.
- Configure routing protocol authentication using MD5 or SHA-256 HMAC to prevent unauthorized route injection, and implement route filtering and prefix lists to control route advertisement between security zones.
2. Zero Trust Architecture (3 topics)
Zero Trust Principles and Frameworks
- Describe the NIST SP 800-207 Zero Trust Architecture framework including the policy engine, policy administrator, and policy enforcement point components, and explain the core tenet of "never trust, always verify."
- Identify the key Zero Trust deployment approaches including enhanced identity governance, microsegmentation, and software-defined perimeter, and describe the scenarios where each approach provides the strongest security benefit.
- Implement a Zero Trust Network Access solution that authenticates users and devices before granting access, applies continuous posture assessment, and enforces least-privilege application-level access policies.
- Evaluate an organization's Zero Trust maturity by assessing identity verification strength, device trust validation, network segmentation granularity, and continuous monitoring coverage against the NIST SP 800-207 deployment models.
Microsegmentation
- Describe microsegmentation approaches including host-based firewalls, hypervisor-based segmentation, and agent-based overlay solutions, and explain how each enforces workload-level access controls beyond traditional VLAN segmentation.
- Implement application-aware microsegmentation policies that map workload communication dependencies, define least-privilege traffic flows between application tiers, and block all unauthorized lateral movement within flat network segments.
- Configure identity-based segmentation policies that use workload identity attributes rather than IP addresses to enforce access controls, enabling consistent policy enforcement across dynamic and ephemeral infrastructure.
- Assess microsegmentation policy effectiveness by analyzing blocked connection attempts, validating that authorized communication paths match documented application dependencies, and identifying policy gaps that permit unnecessary east-west traffic.
Software-Defined Perimeter and SASE
- Describe Secure Access Service Edge (SASE) architecture, which converges SD-WAN, secure web gateway, CASB, ZTNA, and firewall-as-a-service into a cloud-delivered security platform for distributed enterprise environments.
- Implement software-defined perimeter architecture with single-packet authorization, mutual TLS authentication, and dynamic firewall rules that make protected resources invisible to unauthorized scanners and attackers.
- Compare traditional VPN, ZTNA, and SASE architectures for remote access security and evaluate the tradeoffs in user experience, security posture, management complexity, and cost for distributed workforce scenarios.
3. Network Security Monitoring Infrastructure (3 topics)
Monitoring Architecture Design
- Describe the components of a security monitoring architecture including packet capture sensors, flow collectors, log aggregators, SIEM platforms, and threat intelligence integration points and their placement in a defensible network.
- Implement network tap and packet broker infrastructure to aggregate, filter, and distribute network traffic copies to multiple monitoring tools without impacting production network performance or introducing packet loss.
- Configure NetFlow and IPFIX collection at strategic network points to establish traffic baselines, detect anomalous communication patterns, and provide visibility into traffic flows that cannot be captured by inline sensors.
- Evaluate a monitoring architecture's coverage by mapping sensor placement against network topology, identifying blind spots in encrypted traffic paths and virtual network overlays, and recommending sensor additions for complete visibility.
Encrypted Traffic Visibility
- Identify the architectural approaches for gaining visibility into encrypted traffic including TLS interception proxies, endpoint-based decryption, and metadata analysis techniques, and describe the privacy and compliance implications of each.
- Implement TLS inspection architecture with certificate management, bypass lists for sensitive traffic categories, and performance-optimized deployment patterns that balance security visibility with user privacy and regulatory requirements.
- Assess the security monitoring impact of increasing TLS 1.3 and encrypted DNS adoption on existing monitoring infrastructure and recommend architectural adaptations that maintain threat detection capability.
Security Data Pipeline Architecture
- Describe security data pipeline architectures including message queues, stream processing, data lakes, and hot-warm-cold storage tiers, and explain how each component supports scalable security analytics at enterprise volumes.
- Implement a security data collection pipeline using message brokers for event buffering, stream processors for real-time enrichment and normalization, and tiered storage for cost-effective long-term log retention.
- Configure log routing and filtering rules that direct high-value security events to real-time analysis platforms while routing bulk logs to cost-optimized storage, implementing data quality checks and deduplication at each pipeline stage.
- Evaluate security data pipeline capacity and reliability by analyzing ingestion rates, processing latency, data loss metrics, and storage utilization to identify bottlenecks and recommend scaling strategies for growing data volumes.
4. Cloud Security Architecture (3 topics)
Cloud Network Security Design
- Describe cloud virtual network security constructs including VPCs, subnets, security groups, network ACLs, and route tables, and explain how they differ from traditional on-premises network segmentation approaches.
- Implement multi-VPC architecture with hub-and-spoke connectivity using transit gateways, configuring centralized egress inspection, shared services access, and inter-VPC routing policies for enterprise cloud deployments.
- Configure cloud-native firewall and network security services including web application firewalls, DDoS protection, and cloud-based IDS/IPS to protect internet-facing workloads and internal cloud network traffic.
- Evaluate cloud network architecture security by reviewing VPC flow logs, security group rules, and network connectivity paths to identify overly permissive configurations and recommend segmentation improvements.
Hybrid and Multi-Cloud Architecture
- Describe hybrid cloud connectivity options including site-to-site VPN, dedicated interconnects, and cloud peering, and identify the security considerations for each connectivity model including encryption, authentication, and bandwidth.
- Implement secure hybrid cloud connectivity with encrypted VPN tunnels, consistent firewall policy enforcement across on-premises and cloud environments, and centralized identity federation for cross-environment authentication.
- Assess hybrid cloud security architecture consistency by comparing security control parity between on-premises and cloud environments, identifying policy enforcement gaps at cloud boundary transitions, and recommending unified security management approaches.
Container and Kubernetes Network Security
- Describe the Kubernetes networking model including pod networking, service abstractions, ingress controllers, and network plugins, and identify the default security posture and common vulnerabilities in container network configurations.
- Implement Kubernetes network policies using namespace isolation, pod label selectors, and port-specific rules to enforce least-privilege communication between microservices and prevent unauthorized pod-to-pod traffic.
- Configure service mesh security with mutual TLS between services, fine-grained authorization policies, and traffic observability through distributed tracing and metrics collection for container environments.
- Evaluate container network security posture by analyzing network policy coverage across namespaces, reviewing service mesh mTLS enforcement rates, and identifying container workloads with unrestricted network access.
5. Secure Segmentation Strategies (3 topics)
Network Segmentation Design
- Describe network segmentation models including flat networks, VLAN-based segmentation, firewall-based segmentation, and microsegmentation, and identify the security properties, scalability limits, and operational complexity of each approach.
- Implement data-classification-driven segmentation that maps network zones to data sensitivity levels, enforces access controls based on user clearance and device trust, and prevents unauthorized data flow between classification tiers.
- Configure software-defined networking security policies that dynamically assign network segments based on workload attributes, automate security group membership, and enforce consistent policies across physical and virtual infrastructure.
- Analyze the effectiveness of an organization's segmentation strategy by mapping lateral movement paths, simulating breach scenarios across segment boundaries, and recommending segmentation improvements that reduce the blast radius of a compromise.
Application and Service Segmentation
- Implement application-tier segmentation that isolates web frontends, application logic, and database backends into separate network zones with firewall rules permitting only documented application communication flows.
- Configure API gateway security controls including rate limiting, authentication enforcement, request validation, and API-specific WAF rules to protect microservice architectures exposed through programmatic interfaces.
- Evaluate application segmentation completeness by mapping all service-to-service communication paths against architecture documentation, identifying undocumented dependencies, and assessing whether existing controls prevent unauthorized service access.
OT and IoT Segmentation
- Describe the Purdue Enterprise Reference Architecture for industrial control system network segmentation and identify the security challenges of converging operational technology and information technology networks.
- Implement IT/OT segmentation using industrial demilitarized zones, unidirectional security gateways, and protocol-aware firewalls to protect industrial control systems while enabling necessary data flows to business systems.
- Configure IoT device network segmentation using dedicated VLANs, MAC-based access controls, and traffic profiling to isolate IoT devices with limited security capabilities from the corporate network.
- Assess OT and IoT network segmentation effectiveness by analyzing cross-boundary traffic, evaluating protocol filtering granularity, and identifying paths where compromised IoT devices could pivot into enterprise networks.
6. Security Architecture Assessment and Evolution (2 topics)
Architecture Risk Assessment
- Describe threat modeling methodologies including STRIDE, attack trees, and kill chain analysis as applied to network architecture, and explain how architecture threat models inform security control placement and monitoring priorities.
- Apply threat modeling to a network architecture design to enumerate attack surfaces, identify critical attack paths, prioritize defensive controls, and map detection capabilities to likely adversary techniques.
- Evaluate the overall security posture of a complex enterprise architecture by synthesizing findings from network assessments, penetration test results, monitoring coverage analysis, and architectural review to produce prioritized remediation recommendations.
Architecture Migration and Modernization
- Implement a phased migration plan from traditional perimeter-based security to Zero Trust architecture, defining incremental milestones that maintain security posture during transition while progressively implementing microsegmentation and identity-based controls.
- Compare architecture modernization approaches for legacy environments including network overlay migration, parallel infrastructure deployment, and gradual microsegmentation adoption, and assess risk and complexity tradeoffs for each approach.
Scope
Included Topics
- All domains covered by the GIAC Defensible Security Architecture (GDSA) certification aligned with SANS SEC530: Defensible Network Architecture, Zero Trust Architecture, Network Security Monitoring Infrastructure, Cloud Security Architecture, Secure Segmentation Strategies, and Security Data Collection Architecture.
- Advanced-level security architecture design and implementation including defensible network design principles, zero trust network access, microsegmentation, software-defined networking security, cloud-native security controls, and security data pipeline architecture for modern enterprise and hybrid environments.
- Key technologies and frameworks: Next-generation firewalls, network access control, software-defined perimeter, ZTNA platforms, microsegmentation tools (VMware NSX, Illumio), SD-WAN security, cloud security groups, VPC design, transit gateway architectures, Kubernetes network policies, service mesh security (Istio, Linkerd), security data lakes, protocol analyzers, and NIST SP 800-207 Zero Trust Architecture.
- Scenario-driven architecture decisions that require balancing security posture, operational complexity, user experience, scalability, and cost across on-premises, cloud, and hybrid enterprise environments.
Not Covered
- Detailed vendor-specific product administration for commercial firewall, IDS/IPS, and NAC platforms beyond conceptual architecture and deployment patterns.
- Penetration testing methodologies and exploit development except as context for understanding architecture attack surfaces.
- Incident response procedures and digital forensics beyond how architecture design supports evidence collection and containment.
- Application-level security testing and secure software development lifecycle practices outside network and infrastructure architecture scope.
- Compliance framework audit procedures and regulatory reporting requirements beyond architecture design considerations.
Official Exam Page: learn more at GIAC Certifications.