hack3rs.ca network-security

Network Security Certifications Roadmap (Learning-First)

Certifications are useful as a learning roadmap — not as a shortcut. The order below builds real skill: networking fundamentals first, then security foundations, then defensive operations, then specialization. That order matters.

A cert doesn't make someone a defender. What does: combining study with packet captures, logs, lab troubleshooting, detection tuning, and clear documentation of what you observed and why it matters.

Timelines are approximate and assume part-time study alongside lab practice. Adjust based on your background and how much hands-on time you can actually commit to.

recommended-order-and-timeline

  1. Network+ (Months 0-2)
    Foundational -> CompTIA Network+ (or equivalent networking foundation)
  2. Security+ (Months 2-4)
    Foundational Security -> CompTIA Security+ (baseline security concepts and controls)
  3. CCNA (Months 4-8)
    Intermediate Networking -> Cisco CCNA (network operations + security-minded networking depth)
  4. CySA+ (Months 8-12)
    Blue Team / Analyst -> CompTIA CySA+ (defensive analytics and blue team workflow)
  5. GIAC (GCIH/GSEC) (Months 12-18)
    Operations / Incident Handling -> GIAC GCIH or GSEC (defensive operations / incident handling path)
  6. GCIA / NSM Specialization (Months 18-30)
    Network Detection Specialization -> GIAC GCIA / IDS-NSM-focused specialization (or equivalent NSM specialization)
  7. CISSP (Months 24-48, experience-dependent)
    Senior / Broad Security -> CISSP (broad senior-level security governance and architecture perspective)

how-to-use-this-roadmap

  • Pick the next cert only after you can explain and demonstrate the core skills it assumes.
  • Pair every study week with labs (Wireshark, tcpdump, logs, Zeek/Suricata, Nmap).
  • Use your learning modules and tools pages as the practical layer beneath each cert topic.
  • Document what you learned; employers value demonstrated reasoning and troubleshooting.
  • Choose specialization certs based on your target role, not internet hype.

certification-details-and-why-the-order-matters.md

Each entry covers why the cert exists, why defenders use it, what you should actually learn from it, and how to study it in a way that builds real skill — not just enough to pass a test.

#1

CompTIA Network+ (or equivalent networking foundation)

Foundational Months 0-2

$ why-it-exists: Network+ validates broad networking fundamentals across vendors — addressing, routing, switching, protocols, and troubleshooting. It establishes the vocabulary you need before any security topic makes sense.

$ why-you-should-use-it: Start here if networking isn't already solid. Security work falls apart fast when you can't explain subnets, DNS behavior, TCP sessions, or basic routing decisions.

$ real-life-example: A junior analyst sees repeated DNS failures and jumps straight to malware. A Network+-level foundation helps them check the resolver, look for split-horizon misconfiguration, or find a firewall misrule — before escalating a false incident.

what-you-should-learn-from-it

  • TCP/IP, ports/protocols, DNS, DHCP, ARP, NAT, VLAN basics
  • Switching and routing fundamentals
  • Wireless basics and common connectivity failures
  • Layered troubleshooting: link -> IP -> transport -> application

how-to-study-it-like-a-defender

  • Work through the /learning foundations modules first — TCP/IP, subnetting, and logging.
  • Build a small lab: 2–3 VMs plus a router or firewall image. A home router with test devices also works.
  • Capture traffic with Wireshark while testing DNS, HTTP, SSH, and ping/traceroute. Watch what actually happens.
  • Write your own packet-flow notes. Flashcards for acronyms don't build troubleshooting ability.

$ caution: Don't study to pass — study to troubleshoot. The cert should be evidence you can work through a layered networking problem, not that you can recite definitions.

#2

CompTIA Security+ (baseline security concepts and controls)

Foundational Security Months 2-4

$ why-it-exists: Security+ covers broad cybersecurity concepts across identity, network defense, risk, incident response, and secure operations. It gives newcomers a shared vocabulary before they specialize.

$ why-you-should-use-it: Take it after networking fundamentals are solid. It helps frame what attackers target and what defenders implement — IAM, hardening, monitoring, risk, and response — and connects technical controls to business context.

$ real-life-example: A sysadmin enabling remote access has to think through MFA, least privilege, audit logging, certificate trust, and incident reporting. Security+ helps those decisions connect to each other rather than being treated as isolated admin tasks.

what-you-should-learn-from-it

  • Identity and access controls, MFA, least privilege, account lifecycle
  • Common attack types and the controls that break them
  • Incident response, governance, and risk fundamentals
  • Security architecture and control categories

how-to-study-it-like-a-defender

  • Map each concept to your threat pages — phishing, exposed services, lateral movement.
  • Use logging and detection modules to turn abstract controls into evidence-based workflows.
  • Write a one-page control plan for a home lab or small business: MFA, backups, patching, centralized logs.
  • For every control, practice explaining why it exists and which attack path it disrupts.

$ caution: Security+ is deliberately broad. Don't treat it as a final destination — the real value is applying the concepts to real systems and logs.

#3

Cisco CCNA (network operations + security-minded networking depth)

Intermediate Networking Months 4-8

$ why-it-exists: CCNA builds practical networking depth in routing, switching, IP services, and troubleshooting. Even if you're not going into network engineering, it's one of the best ways to build operational understanding of real networks.

$ why-you-should-use-it: Use CCNA to move past theory and into real networking mechanics. Many defenders who take it come away much better at reading packet paths, understanding segmentation, and diagnosing device-level problems during incidents.

$ real-life-example: A site loses sensor VLAN visibility after a change window. A CCNA-level defender can distinguish an ACL issue, trunk/VLAN mismatch, spanning-tree behavior, or routing asymmetry — instead of defaulting to 'the IDS is broken.'

what-you-should-learn-from-it

  • Switching, routing, VLANs, trunks, ACLs, NAT, and device operations in depth
  • Operational troubleshooting on real infrastructure
  • How topology and policy changes affect visibility and reachability
  • Foundations that improve firewall, VPN, and segmentation decisions

how-to-study-it-like-a-defender

  • Read packet captures alongside device configs so you connect configuration to traffic behavior.
  • Build segmentation labs and test allowed and denied flows deliberately.
  • Keep a troubleshooting notebook: symptom -> likely layer -> validation steps.
  • Practice explaining why a route, ACL, or NAT rule changes what appears in logs.

$ caution: CCNA is often seen as a networking-admin cert. For security learners, it's a visibility and segmentation advantage — treat it that way.

#4

CompTIA CySA+ (defensive analytics and blue team workflow)

Blue Team / Analyst Months 8-12

$ why-it-exists: CySA+ validates analyst-focused defensive skills: log interpretation, detection, vulnerability management, and response basics. It's more operations-focused than entry-level security certs.

$ why-you-should-use-it: Take it when you're ready to turn security concepts into daily analyst work. It aligns well with SOC responsibilities, alert triage, and practical detection thinking.

$ real-life-example: A SOC analyst gets alerts for suspicious outbound traffic and repeated failed logons. CySA+-level thinking helps correlate the logs, separate noise from signal, and make a prioritized escalation decision based on actual evidence.

what-you-should-learn-from-it

  • Alert triage, threat indicators, and detection workflows
  • Vulnerability management and prioritization
  • Log analysis and correlation across multiple sources
  • Incident response support and reporting discipline

how-to-study-it-like-a-defender

  • Work through the Zeek, Suricata, and alert triage learning modules before sitting the exam.
  • Use lab PCAPs and log sets to practice drawing evidence-based conclusions.
  • Write simple analyst runbooks for phishing, scanning, and suspicious outbound traffic.
  • Track false positives in your lab and document how you'd tune detections safely.

$ caution: Pair this cert with hands-on logging and packet analysis — without that, it's just another theory exam.

#5

GIAC GCIH or GSEC (defensive operations / incident handling path)

Operations / Incident Handling Months 12-18

$ why-it-exists: These GIAC certs validate practical security operations knowledge and incident handling skills. Employers in SOC and IR environments often want evidence of operational readiness beyond entry-level certs.

$ why-you-should-use-it: If you're targeting SOC, IR, or security operations roles, this is where structured study around incident workflows, evidence handling, and defensive techniques pays off.

$ real-life-example: A team investigating lateral movement has to collect evidence, validate scope, preserve timelines, and contain safely without overreaching. GIAC-style training strengthens exactly the procedural and analytical side of that work.

what-you-should-learn-from-it

  • Incident handling process and evidence-driven response
  • Detection and analysis across hosts and networks
  • Operational decision-making during active incidents
  • Threat behavior interpretation and defensive action planning

how-to-study-it-like-a-defender

  • Use the threats pages and incident response modules as scenario seeds for study.
  • Practice building timelines from logs and packet captures — not from memory.
  • Document containment decisions and tradeoffs through tabletop exercises.
  • Analyst reasoning matters more than command syntax at this stage.

$ caution: Cost is significant. Only pursue this when it aligns with your job target and you can commit to applying the material in practice — not just passing the exam.

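As an added worked example for two of the study habits above, the CySA+ item "correlate the logs, separate noise from signal" and the GIAC item "build timelines from logs and packet captures, not from memory" (this script is not from hack3rs.ca or from any of the named certification bodies), the Python below merges two constructed log sources into one time-ordered timeline and then triages each source address: a burst of failed logons is medium priority, and a burst followed by traffic to a non-internal destination is high. The key=value log format, the 10.0.0.0/8 internal range, and the five-failures-in-five-minutes threshold are assumptions chosen for the lab, not values from the page.

```python
"""Merge constructed auth and firewall logs into one timeline and triage
sources showing a failed-logon burst followed by new external traffic.
Log format, internal range and thresholds are lab assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; they are not from any real system.
AUTH_LOG = """\
2024-03-05T09:00:01 host=ws-17 event=logon_failed user=alice src=10.0.5.23
2024-03-05T09:00:03 host=ws-17 event=logon_failed user=alice src=10.0.5.23
2024-03-05T09:00:04 host=ws-17 event=logon_failed user=alice src=10.0.5.23
2024-03-05T09:00:06 host=ws-17 event=logon_failed user=alice src=10.0.5.23
2024-03-05T09:00:08 host=ws-17 event=logon_failed user=alice src=10.0.5.23
2024-03-05T09:00:10 host=ws-17 event=logon_ok user=alice src=10.0.5.23
2024-03-05T09:15:00 host=ws-22 event=logon_failed user=bob src=10.0.5.40
2024-03-05T09:15:30 host=ws-22 event=logon_ok user=bob src=10.0.5.40
"""
FW_LOG = """\
2024-03-05T09:02:11 action=allow src=10.0.5.23 dst=203.0.113.8 dport=443 bytes=5120000
2024-03-05T09:16:00 action=allow src=10.0.5.40 dst=10.0.1.5 dport=445 bytes=2048
2024-03-05T09:20:00 action=allow src=10.0.5.23 dst=10.0.1.5 dport=445 bytes=1024
"""

KV = re.compile(r"(\w+)=(\S+)")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed lab address space


def parse_line(line, source):
    """Turn one 'TIMESTAMP key=value ...' line into an event dict."""
    ts_text, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(ts_text), "source": source}
    event.update(KV.findall(rest))
    return event


def build_timeline(*named_logs):
    """Merge (source_name, log_text) pairs into one time-ordered event list."""
    events = [
        parse_line(line, source)
        for source, text in named_logs
        for line in text.splitlines()
        if line.strip()
    ]
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_burst(stamps, threshold, window):
    """End time of the first run of `threshold` failures inside `window`, else None."""
    for i in range(len(stamps) - threshold + 1):
        j = i + threshold - 1
        if stamps[j] - stamps[i] <= window:
            return stamps[j]
    return None


def triage(timeline, fail_threshold=5, window=timedelta(minutes=5)):
    """A failed-logon burst alone is medium; a burst followed by traffic to a
    non-internal destination is high. Everything else stays off the list."""
    fails = defaultdict(list)  # source address -> failed-logon timestamps
    for e in timeline:
        if e["source"] == "auth" and e.get("event") == "logon_failed":
            fails[e["src"]].append(e["ts"])
    findings = []
    for src, stamps in fails.items():
        burst_end = failed_logon_burst(stamps, fail_threshold, window)
        if burst_end is None:
            continue
        external = sorted({
            e["dst"] for e in timeline
            if e["source"] == "fw" and e.get("src") == src
            and e["ts"] >= burst_end
            and ipaddress.ip_address(e["dst"]) not in INTERNAL
        })
        findings.append({
            "src": src,
            "burst_end": burst_end,
            "external_dsts": external,
            "priority": "high" if external else "medium",
        })
    return findings


if __name__ == "__main__":
    timeline = build_timeline(("auth", AUTH_LOG), ("fw", FW_LOG))
    for e in timeline:  # the merged timeline an analyst reads top to bottom
        detail = {k: v for k, v in e.items() if k not in ("ts", "source")}
        print(e["ts"].isoformat(), e["source"], detail)
    for f in triage(timeline):
        print(f"{f['priority'].upper()}: {f['src']} burst ending "
              f"{f['burst_end']:%H:%M:%S}, external {f['external_dsts'] or 'none'}")
```

Run on the constructed lines, only 10.0.5.23 is reported, as high: five failures inside seven seconds, then a 5 MB session to 203.0.113.8. The single failure from 10.0.5.40 never reaches the threshold, which is the noise-versus-signal separation the roadmap asks you to practice; the timeline itself is what you would paste into an incident note rather than reconstructing it from memory.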
#6

GIAC GCIA / IDS-NSM-focused specialization (or equivalent NSM specialization)

Network Detection Specialization Months 18-30

$ why-it-exists: NSM-focused certs validate deeper packet analysis, IDS reasoning, and protocol-level detection skills. This is where defenders move from surface-level alerts toward real evidence interpretation.

$ why-you-should-use-it: If you want to specialize in network telemetry, packet analysis, IDS/IPS, NSM, or detection engineering tied to traffic behavior — this is the right stage.

$ real-life-example: During a suspected exfiltration event, an NSM specialist correlates Suricata alerts, Zeek logs, DNS patterns, and packet timing to determine whether the traffic is legitimate backup activity, misconfiguration, or an actual transfer.

what-you-should-learn-from-it

  • Deep packet and protocol analysis
  • IDS/NSM detection interpretation and tuning
  • Traffic-pattern analysis and forensic validation
  • Detection engineering tied to network evidence

how-to-study-it-like-a-defender

  • Finish the Wireshark/TShark, Zeek, Suricata, and tcpdump tool guides before starting.
  • Baseline normal behavior across protocols — DNS, HTTP/S, SMB, SSH. You can't spot abnormal without normal.
  • Annotate PCAPs and explain conclusions with evidence, not assumptions.
  • Tune detections in a lab and document every false positive cause you find.

$ caution: Specializing before fundamentals are solid creates shallow skills. Make sure networking, logging, and analyst workflow basics are already strong.

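The "baseline normal before you can spot abnormal" step, as an added example that is not the page's own code and not part of Zeek: the script parses a constructed Zeek-style conn.log excerpt using the separator and #fields lines the format itself declares, learns a per-service mean and standard deviation of originator bytes from a quiet period, and then flags today's connections that either have no baseline at all (a service nobody used during the quiet period) or sit more than three standard deviations above it. The column subset, the sample values, and the z-score limit are assumptions for this lab.

```python
"""Learn a per-service byte baseline from a constructed Zeek conn.log and
flag connections that fall outside it. Columns, values and the z limit are
lab assumptions, not the page's data."""
import statistics

# Constructed Zeek-style conn.log excerpts using a subset of the real columns.
# Zeek declares its own separator and field names in the header lines.
BASELINE_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
#types\ttime\taddr\taddr\tport\tenum\tstring\tcount\tcount
1709629200.1\t10.0.5.23\t10.0.0.53\t53\tudp\tdns\t60\t130
1709629260.4\t10.0.5.24\t10.0.0.53\t53\tudp\tdns\t62\t141
1709629320.9\t10.0.5.23\t10.0.0.53\t53\tudp\tdns\t58\t122
1709629380.2\t10.0.5.25\t10.0.0.53\t53\tudp\tdns\t64\t150
1709629440.7\t10.0.5.24\t10.0.0.53\t53\tudp\tdns\t61\t133
1709629500.0\t10.0.5.23\t203.0.113.10\t443\ttcp\thttps\t1500\t24000
1709629560.3\t10.0.5.24\t203.0.113.10\t443\ttcp\thttps\t2300\t31000
1709629620.5\t10.0.5.25\t203.0.113.11\t443\ttcp\thttps\t1900\t27500
1709629680.8\t10.0.5.23\t203.0.113.11\t443\ttcp\thttps\t2100\t29000
1709629740.1\t10.0.5.23\t10.0.1.20\t22\ttcp\tssh\t4200\t6100
1709629800.6\t10.0.5.24\t10.0.1.20\t22\ttcp\tssh\t3900\t5800
"""
TODAY_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1709715600.2\t10.0.5.23\t10.0.0.53\t53\tudp\tdns\t63\t140
1709715660.0\t10.0.5.25\t10.0.0.53\t53\tudp\tdns\t48000\t900
1709715720.4\t10.0.5.24\t203.0.113.10\t443\ttcp\thttps\t2000\t28000
1709715780.9\t10.0.5.25\t198.51.100.7\t8443\ttcp\t-\t350\t1200
1709715840.3\t10.0.5.23\t10.0.1.20\t22\ttcp\tssh\t4000\t5900
"""


def parse_zeek_tsv(text):
    """Parse Zeek's TSV format using the separator and #fields it declares."""
    sep, fields, rows = "\t", None, []
    for line in text.splitlines():
        if line.startswith("#separator"):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split(sep))))
    return rows


def service_key(row):
    """Bucket by Zeek's service label, or by responder port when it is unset."""
    return row["service"] if row["service"] != "-" else "port" + row["id.resp_p"]


def as_count(value):
    """Zeek writes '-' for unset counters; treat those as zero bytes."""
    return 0 if value == "-" else int(value)


def build_baseline(rows):
    """Per-service mean and sample standard deviation of originator bytes."""
    samples = {}
    for row in rows:
        samples.setdefault(service_key(row), []).append(as_count(row["orig_bytes"]))
    return {
        key: {
            "n": len(vals),
            "mean": statistics.mean(vals),
            "stdev": statistics.stdev(vals) if len(vals) > 1 else 0.0,
        }
        for key, vals in samples.items()
    }


def score(rows, baseline, z_limit=3.0):
    """Flag rows with no baseline, or orig_bytes more than z_limit stdevs above it."""
    flagged = []
    for row in rows:
        key, sent = service_key(row), as_count(row["orig_bytes"])
        if key not in baseline:
            flagged.append({"row": row, "key": key, "z": None,
                            "reason": "no baseline for this service"})
            continue
        b = baseline[key]
        if b["stdev"] > 0:
            z = (sent - b["mean"]) / b["stdev"]
        else:  # a single-valued baseline: any change at all is an outlier
            z = 0.0 if sent == b["mean"] else float("inf")
        if z > z_limit:
            flagged.append({"row": row, "key": key, "z": z,
                            "reason": f"orig_bytes z-score {z:.1f}"})
    return flagged


if __name__ == "__main__":
    base = build_baseline(parse_zeek_tsv(BASELINE_LOG))
    for key, b in base.items():
        print(f"{key:9s} n={b['n']} mean={b['mean']:.0f} stdev={b['stdev']:.0f}")
    for f in score(parse_zeek_tsv(TODAY_LOG), base):
        r = f["row"]
        print(f"FLAG {f['key']}: {r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']} "
              f"orig_bytes={r['orig_bytes']} ({f['reason']})")
```

Two of today's five connections are flagged: a DNS client sending 48,000 bytes against a baseline of about 61, and a first-ever session to port 8443 that Zeek could not label. The other three, including a 4,000-byte SSH session that is merely on the low side of its baseline, pass. The point of the exercise is the annotation step that follows: each flag is a question to answer from the PCAP and the other Zeek logs, not a conclusion, and each one you explain away becomes a documented false-positive cause for your tuning notes.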
#7

CISSP (broad senior-level security governance and architecture perspective)

Senior / Broad Security Months 24-48 (experience-dependent)

$ why-it-exists: CISSP validates broad security knowledge across risk, architecture, operations, software, and governance. It's a senior-level benchmark — not a starting point for network security learners.

$ why-you-should-use-it: Consider CISSP when you're moving into senior analyst, engineer, architect, or leadership roles where cross-domain communication about risk and security program design matters.

$ real-life-example: A senior defender proposing segmentation and logging investments has to justify them in terms of business risk, resilience, governance, and operational tradeoffs. CISSP-level breadth supports that conversation with leadership.

what-you-should-learn-from-it

  • Enterprise security across domains beyond pure networking
  • Risk management, architecture, governance, and operations
  • Aligning technical controls with organizational objectives
  • Communicating security decisions to non-technical stakeholders

how-to-study-it-like-a-defender

  • Treat CISSP as synthesis of real experience — not a shortcut or a starting point.
  • Map your own projects and incidents to the domains while studying.
  • Keep hands-on netsec practice active. Don't replace lab time with reading only.
  • Use NIST CSF and security program frameworks as practical anchors.

$ caution: CISSP is not the right first cert for most people. It pays off after real operations experience — not before it.

certifications-are-not-a-substitute-for-skill

The strongest learners use certs to structure study but measure progress by what they can actually do: explain a packet flow, find a logging gap, validate an exposure safely, tune a noisy alert, write a clear incident note. That's the standard that matters on a real team.