GIAC Security Essentials (GSEC) Certification Path

1. Executive Summary

Target Certification: GIAC Security Essentials (GSEC)

Training Course: SANS SEC401: Security Essentials - Network, Endpoint, and Cloud

Timeline: 6 weeks of focused self-paced study, or the 6-day live SEC401 class followed by review (OnDemand access lasts 4 months)

Foundation Assets:

  • 12 years network engineering (CCNP x4)

  • 6 months terminal-only Arch Linux workflow

  • Daily ISE/802.1X/PKI operations

  • Zero-trust dACL implementation experience

  • Threat hunting documentation in domus-linux-ops

  • SIEM gap analysis in progress


2. Why GSEC?

Reason | Alignment
Foundational Breadth | Covers network, endpoint, cloud and Linux security in one certification
Industry Recognition | GIAC certifications are widely recognized as validating hands-on skills; GSEC includes CyberLive practical questions
Career Positioning | Validates the transition from network engineer to security practitioner
Linux Focus | Includes Linux security, hardening and containerization; aligns with daily work
Cloud Security | AWS/Azure basics prepare for future cloud security roles
SIEM Coverage | Security operations, incident handling and log analysis address current skill gaps


3. Exam Overview

Attribute | Value
Certification | GIAC Security Essentials (GSEC)
Exam Code | GSEC
Format | Proctored, web-based, with CyberLive hands-on components
Questions | 106
Duration | 4 hours
Passing Score | 73%
Validity | 4 years
Renewal | 36 CPEs plus renewal fee within the 4-year window (or retake the exam)
Cost (exam only) | $999 USD when bundled with SANS training; a standalone attempt is priced higher
Cost (full course) | $8,525 - $8,645 USD

CyberLive Component: The exam includes hands-on practical exercises in a virtual environment. This is where your daily Linux terminal work pays off.


4. Course Domains

4.1. Domain Overview

Domain | Topics | Your Level
Network Security | TCP/IP, firewalls, IDS/IPS, network architecture, VPNs | Expert - 12 years networking
Endpoint Security | Windows/Linux hardening, EDR, malware analysis | Advanced - Daily Linux ops
Linux Security | Structure, permissions, hardening, monitoring, containers | Advanced - 6 months terminal-only
Identity & Access | Authentication, authorization, MFA, SSO | Expert - ISE/802.1X daily
Cryptography | PKI, TLS, encryption, hashing, digital signatures | Expert - Vault PKI implementation
Security Operations | SIEM, log analysis, incident handling, monitoring | Intermediate - Gap area
Cloud Security | AWS/Azure basics, shared responsibility, IAM | Beginner - Gap area
Vulnerability Management | Scanning, assessment, remediation | Intermediate - ISE posture
Incident Response | IR planning, evidence handling, forensics | Intermediate - Gap area

4.2. Gap Analysis

Area | Priority | Action
Cloud Security (AWS/Azure) | HIGH | Deep dive on cloud-native security, IAM policies, VPC design
SIEM Operations | HIGH | QRadar skills gap - active learning in progress
Incident Response | MEDIUM | Formalize IR procedures, practice evidence handling
Windows Security | LOW | Review AD security, GPO, Windows hardening (strong AD background)


5. Linux Security Module (SEC401 Linux section)

The Linux security component aligns directly with your daily work:

5.1. Topics Covered

5.1.1. Structure, Permissions & Access

# File permissions (shadow ownership is distro-specific: Debian uses
# root:shadow 640, Arch ships root:root 600; match your distro)
ls -la /etc/passwd
chmod 640 /etc/shadow
chown root:shadow /etc/shadow

# SUID/SGID audit (already in your threat hunting docs);
# 2>/dev/null hides permission-denied noise from /proc and similar
find / -perm -4000 -type f 2>/dev/null

# ACLs: inspect, then grant one user read+execute without touching the mode bits
getfacl /path/to/file
setfacl -m u:username:rx /path/to/file
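
The commands above are one-shot checks; what actually catches an intruder is comparing today's output with a known-good baseline. The script below is an added example, not SEC401 course material: it audits SUID, SGID and world-writable files under a given root, diffs the result against a saved baseline, and lists UID-0 accounts other than root. The demo tree, the passwd entries and the file names it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SANS/SEC401 material): baseline-and-diff audit of
# SUID, SGID and world-writable files, plus a UID-0 account check.
# Every path is a parameter so it can be exercised against a constructed
# tree instead of a live root filesystem.

# Emit one stable, comparable line per finding under $1:
#   <KIND> <octal mode> <owner> <path>
# -xdev keeps the walk on one filesystem (skips /proc, /sys, NFS mounts).
perm_audit() {
    root="$1"
    {
        find "$root" -xdev -type f -perm -4000 -printf 'SUID %m %u %p\n'
        find "$root" -xdev -type f -perm -2000 -printf 'SGID %m %u %p\n'
        find "$root" -xdev -type f -perm -0002 -printf 'WWRITE %m %u %p\n'
    } 2>/dev/null | sort
}

# Diff a saved baseline ($1) against a fresh audit of $2. Prints only the
# entries that are new since the baseline and returns 1 if there are any,
# so it can be wired straight into cron or a monitoring check.
perm_diff() {
    baseline="$1"
    current=$(mktemp)
    perm_audit "$2" > "$current"
    new=$(sort "$baseline" | comm -13 - "$current")
    rm -f "$current"
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Names of UID-0 accounts other than root in a passwd-format file ($1).
# A second UID-0 account is a classic persistence technique.
uid0_extra() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# Constructed demo tree (not a real system): one SUID binary, one SGID
# binary, one world-writable file, and a passwd with a backdoor account.
build_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/tmp"
    : > "$t/usr/bin/passwd";  chmod 4755 "$t/usr/bin/passwd"
    : > "$t/usr/bin/wall";    chmod 2755 "$t/usr/bin/wall"
    : > "$t/tmp/dropper.sh";  chmod 0666 "$t/tmp/dropper.sh"
    cat > "$t/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1::/:/usr/bin/nologin
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/zsh
EOF
    chmod 0644 "$t/passwd"
    printf '%s\n' "$t"
}

# Stand-alone run: take a baseline, plant a new SUID file, show the diff.
if [ "${1:-}" = "--demo" ]; then
    demo=$(build_demo_tree)
    base=$(mktemp)
    perm_audit "$demo" > "$base"
    : > "$demo/usr/bin/backdoor"; chmod 4755 "$demo/usr/bin/backdoor"
    perm_diff "$base" "$demo"        # prints the backdoor line, exit status 1
    uid0_extra "$demo/passwd"        # prints: toor
fi
```

On a real host, run `perm_audit / > /var/lib/perm-baseline.txt` once after a clean build, store that file somewhere the host cannot rewrite, and schedule `perm_diff` against it; a non-zero exit is the alert. The `-printf` form is GNU find, which is what Arch and Debian ship.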

5.1.2. Hardening & Securing

# Service audit (what is running right now)
systemctl list-units --type=service --state=running

# Disable unnecessary services; mask as well so a dependency cannot
# pull the unit back in (cups is only the example here)
sudo systemctl disable cups
sudo systemctl mask cups

# Kernel hardening (sysctl): review the drop-in; apply with sysctl --system
cat /etc/sysctl.d/99-hardening.conf
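
The drop-in file above is named but its contents are not shown. The script below is an added example, not SEC401 course material: it carries a baseline of common kernel hardening parameters, parses sysctl.d syntax (comments, blank lines, spacing around the equals sign), and reports which settings are missing or weaker than the baseline. The parameter list is this example's own selection of standard Linux knobs, and the weak sample fragment is constructed.

```shell
#!/bin/sh
# Added example (not SANS material): audit a sysctl.d fragment against a
# hardened baseline and print what is missing or weak. The baseline is
# this example's own choice of widely used kernel knobs; tune it to the
# host (ip_forward=0 is wrong on a router or container host, for instance).

HARDENED='
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.yama.ptrace_scope=1
kernel.randomize_va_space=2
fs.protected_symlinks=1
fs.protected_hardlinks=1
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
'

# Print the baseline as a ready-to-install /etc/sysctl.d/99-hardening.conf.
hardened_conf() {
    printf '# hardened kernel parameters; apply with: sysctl --system\n'
    printf '%s\n' "$HARDENED" | sed '/^$/d'
}

# Normalise a sysctl.conf-style file to key=value lines:
# drop comments (# or ;), blank lines and whitespace around "=".
sysctl_parse() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Compare file $1 with HARDENED. One line per finding:
#   MISSING <key> expected=<v>
#   WEAK    <key> expected=<v> actual=<v>
# Last occurrence of a key wins, as it does for sysctl itself.
# Exit status is the number of findings, so 0 means compliant.
sysctl_audit() {
    parsed=$(sysctl_parse "$1")
    findings=0
    for want in $HARDENED; do
        key=${want%%=*}
        val=${want#*=}
        actual=$(printf '%s\n' "$parsed" |
                 awk -F= -v k="$key" '$1 == k {v = $2} END {print v}')
        if [ -z "$actual" ]; then
            printf 'MISSING %s expected=%s\n' "$key" "$val"
            findings=$((findings + 1))
        elif [ "$actual" != "$val" ]; then
            printf 'WEAK    %s expected=%s actual=%s\n' "$key" "$val" "$actual"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample of a typical unhardened fragment (spacing and comment
# lines included on purpose, since real files look like this).
weak_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# leftover from a lab router build
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
; kernel pointers only partially hidden
kernel.kptr_restrict = 1
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
    sysctl_audit "$(weak_conf)"; echo "findings: $?"   # 2 WEAK + 11 MISSING
    hardened_conf
fi
```

The audit reads the file, not the running kernel; after installing the drop-in and running `sysctl --system`, confirm the live value of any key with `sysctl -n <key>`, since a later file in /etc/sysctl.d or a service can override it.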

5.1.3. Monitoring & Attack Detection

# Process monitoring (the forest view exposes parent/child chains)
ps auxf
top -b -n 1 | head -20

# Network connections (ss replaces the deprecated netstat, which Arch
# does not ship by default)
ss -tulpn
ss -anp

# Login activity (last reads wtmp; lastlog shows the latest login per account)
last -n 20
lastlog
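
last and lastlog show who got in; they say nothing about who tried. The script below is an added example, not SEC401 course material: detection logic over constructed sshd log lines that counts failed passwords per source address, flags sources past a threshold, and raises the alert that matters most, a successful login from a source that had already failed repeatedly. The threshold of 5 and the sample lines are assumptions; the format is the one sshd writes to Debian's /var/log/auth.log and that `journalctl -u sshd -o short` prints on Arch.

```shell
#!/bin/sh
# Added example (not SANS material): SSH brute-force detection over
# syslog-style sshd lines. Works on Debian-style /var/log/auth.log or on
# Arch via "journalctl -u sshd -o short", which emits the same format.
# The threshold (second argument, default 5) is an assumption to tune.

# Failed-password count per source address, highest first: "<n> <ip>".
ssh_failures_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Sources that reached the failure threshold: candidates for a firewall block.
ssh_bruteforce_sources() {
    ssh_failures_by_ip "$1" | awk -v t="${2:-5}" '$1 >= t {print $2}'
}

# The alert that matters most: a successful login from a source that had
# already failed >= threshold times earlier in the file. Output: "<ip> <user>".
ssh_success_after_failures() {
    awk -v t="${2:-5}" '
        /sshd\[[0-9]+\]: (Failed password|Accepted (password|publickey|keyboard-interactive))/ {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") ip = $(i + 1)
                # username follows "for"; "invalid user <name>" shifts it by two
                if ($i == "for" && user == "") {
                    user = $(i + 1)
                    if (user == "invalid") user = $(i + 3)
                }
            }
            if ($0 ~ /Failed password/) fails[ip]++
            else if (fails[ip] >= t) print ip, user
        }' "$1"
}

# Constructed sample log (not from a real host): one scanner hammering
# admin/oracle/root and finally getting in, one legitimate user with a typo.
demo_authlog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Feb 14 10:01:03 arch sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Feb 14 10:01:05 arch sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Feb 14 10:01:07 arch sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Feb 14 10:01:09 arch sshd[1204]: Failed password for root from 203.0.113.7 port 51150 ssh2
Feb 14 10:01:11 arch sshd[1205]: Failed password for root from 203.0.113.7 port 51160 ssh2
Feb 14 10:02:10 arch sshd[1210]: Accepted publickey for bob from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:constructed
Feb 14 10:03:11 arch sshd[1215]: Failed password for bob from 198.51.100.20 port 40030 ssh2
Feb 14 10:03:20 arch sshd[1216]: Accepted password for bob from 198.51.100.20 port 40031 ssh2
Feb 14 10:05:00 arch sshd[1220]: Failed password for root from 203.0.113.7 port 51200 ssh2
Feb 14 10:05:01 arch sshd[1221]: Accepted password for root from 203.0.113.7 port 51201 ssh2
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
    log=$(demo_authlog)
    ssh_failures_by_ip "$log"             # 6 203.0.113.7 / 1 198.51.100.20
    ssh_bruteforce_sources "$log" 5       # 203.0.113.7
    ssh_success_after_failures "$log" 5   # 203.0.113.7 root
fi
```

The same three questions (who is failing most, who crossed the threshold, who succeeded after failing) are exactly the use cases to rebuild as SIEM rules in the Week 4 lab; doing it in awk first makes the rule logic concrete before you fight the QRadar syntax. On Arch, feed the functions with `journalctl -u sshd -o short --since "1 hour ago" > /tmp/sshd.log`.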

5.1.4. Security Utilities

# AIDE (file integrity): needs a trusted database from aide --init first
aide --check

# chkrootkit
chkrootkit

# rkhunter
rkhunter --check

# auditd: EXECVE records exist only if an execve syscall audit rule is loaded
ausearch -m EXECVE -ts today

5.2. Your Existing Documentation

You’ve already created comprehensive threat hunting documentation in domus-linux-ops:

File | Content
persistence.adoc | Cron, systemd, shell rc, SSH keys audit
filesystem.adoc | Recent files, hidden files, SUID/SGID, world-writable
network.adoc | Listening ports, established connections, DNS
process.adoc | Process tree, suspicious processes, orphaned procs
users.adoc | Login activity, account anomalies
logs.adoc | Auth logs, sudo usage, bash history
rootkit.adoc | Quick checks, binary verification, kernel modules
elite.adoc | Timeline analysis, memory forensics, LOLBins, C2 detection

This documentation directly maps to SEC401 Linux security topics.


6. Study Plan (6 Weeks)

6.1. Week 1: Network Security & Defense

  • Review TCP/IP fundamentals (quick - expert level)

  • Firewall architectures, zones, segmentation

  • IDS/IPS concepts, signature vs behavioral

  • VPN technologies (IPsec, SSL/TLS)

  • Network monitoring and traffic analysis

Lab: Configure firewalld zones, analyze pcap files

6.2. Week 2: Endpoint Security

  • Windows hardening essentials

  • Linux hardening (review existing docs)

  • Endpoint detection and response (EDR)

  • Malware types and analysis basics

  • Application whitelisting

Lab: Deploy osquery, create baseline queries

6.3. Week 3: Identity, Access & Cryptography

  • Authentication methods (review - 802.1X expert)

  • Authorization models (RBAC, ABAC)

  • MFA implementation

  • PKI deep review (expert level)

  • Cryptographic primitives

Lab: Review Vault PKI implementation, document crypto decisions

6.4. Week 4: Security Operations & SIEM

  • Log management and aggregation

  • SIEM architecture and use cases

  • Alert triage and investigation

  • Security metrics and reporting

  • Threat intelligence integration

Lab: Build QRadar lab, create custom rules

6.5. Week 5: Cloud Security & Vulnerability Management

  • AWS security fundamentals (IAM, VPC, S3)

  • Azure security basics

  • Shared responsibility model

  • Vulnerability scanning tools

  • Patch management strategies

Lab: AWS free tier security audit, Nessus/OpenVAS scanning

6.6. Week 6: Incident Response & Practice Exams

  • IR lifecycle and planning

  • Evidence collection and preservation

  • Forensics fundamentals

  • Practice exams (2-3 full exams)

  • Review weak areas

Lab: IR tabletop exercise, practice CyberLive scenarios


7. Study Resources

7.1. Primary Resources

  1. SANS SEC401 OnDemand

    • 4-month access window

    • Video lectures, labs, materials

    • Cost: ~$8,500 USD

  2. GIAC practice tests (two are included with the certification attempt)

    • Practice questions in the exam's format and timing

    • Domain review

  3. SANS Reading Room

7.2. Alternative Self-Study Path

If not purchasing full SANS course:

  1. CompTIA Security+ materials (overlap with GSEC)

  2. Linux Security Documentation (your existing docs)

  3. TryHackMe/HackTheBox (hands-on practice)

  4. AWS Skill Builder (free cloud security content)

  5. Splunk Fundamentals (free SIEM training)

7.3. Lab Resources

Resource | Use Case
Home Enterprise | ISE, 802.1X, Vault PKI, dACL testing
TryHackMe | Incident response, forensics rooms
AWS Free Tier | Cloud security fundamentals
Splunk Dev License | SIEM hands-on (free)
Security Onion | Network security monitoring lab


8. Progress Tracking

8.1. Milestones

Week | Milestone | Target Date | Status
1 | Network security review complete | | [ ]
2 | Endpoint security complete | | [ ]
3 | Identity/crypto review complete | | [ ]
4 | SIEM operations proficient | | [ ]
5 | Cloud security fundamentals | | [ ]
6 | Practice exams passed (80%+) | | [ ]
7 | Pass GSEC exam | | [ ]

8.2. Certification Synergies

Certification | Overlap with GSEC
RHCSA/RHCE (planned) | Linux hardening, SELinux, system administration
CISSP (planned) | Security domains, risk management, governance
CCNP Security (held) | Network security, VPNs, firewalls
QRadar Admin (planned) | SIEM operations, log analysis


9. Quick Reference

9.1. Key Commands for Exam

# Linux hardening
find / -perm -4000 -type f 2>/dev/null  # SUID files
find / -perm -2000 -type f 2>/dev/null  # SGID files
awk -F: '$3 == 0 {print}' /etc/passwd   # UID 0 users (anything besides root is suspect)
grep -v "^#" /etc/ssh/sshd_config | grep -v "^$"  # SSH config minus comments (sshd -T shows the effective config)

# Network analysis
ss -tulpn                               # Listening ports
ip route                                # Routing table (replaces the deprecated netstat -rn)
tcpdump -i eth0 -w capture.pcap         # Packet capture
nmap -sV -sC target                     # Service/version scan with default scripts

# Log analysis
journalctl -u sshd --since "1 hour ago"            # systemd journal (Arch has no auth.log)
grep "Failed password" /var/log/auth.log | wc -l   # Debian-style auth log
ausearch -m EXECVE -ts today | head -50

Created: 2026-02-14
Target: GSEC (Q3 2026)
Foundation: CCNP Security, 6 months Arch Linux, ISE/802.1X/PKI expertise