Detailed Exam Domain Coverage
- Fundamental Security Architecture Concepts (20%). Topics: Zero Trust Model, Presumption of Compromise, Intrusion Kill Chain, Diamond Model, Software Defined Networking.
- Fundamental Layer 3 Defense (15%). Topics: CIDR and IP addressing, Layer 3 routing attacks and mitigations, SNMP and NTP security, Bogon filtering, Layer 2/3 benchmark tools.
- Cloud-based Security Architecture (20%). Topics: Cloud security models (IaaS, PaaS, SaaS), Securing hypervisors, Network segmentation in cloud, Container security, Shared responsibility model.
- Data Discovery, Governance, and Mobility Management (15%). Topics: File classification, Data Loss Prevention (DLP), Database governance, Mobile Device Management (MDM), Data mobility controls.
- Data-Centric Security (30%). Topics: Reverse proxies, Web Application Firewalls (WAF), Database firewalls, Database activity monitoring, Encryption key management.

Course Description
I have designed this comprehensive practice test course to help you systematically prepare for the GIAC Defensible Security Architect (GDSA) certification. Passing this exam requires a deep understanding of how to balance prevention, detection, and response capabilities across modern enterprise environments. I built these practice exams to mirror the structure, difficulty, and domain weighting of the actual certification, ensuring you have a realistic benchmark of your current knowledge.
Instead of just providing a list of correct answers, I have created detailed explanations for every single option. This ensures that even when you make a mistake, you understand exactly why the correct answer is right and why the other choices are incorrect. This approach turns every practice question into a targeted learning opportunity, helping you master complex concepts like zero-trust architectures, layer 3 network defenses, and data-centric security controls. By working through this extensive question bank, you will build the confidence and technical clarity needed to approach the actual exam successfully.
Sample Practice Questions Preview

Question 1: Which of the following best describes the primary operational assumption behind the Presumption of Compromise principle in security architecture?

- A. The network perimeter is entirely impenetrable.
- B. All users inside the corporate network are fully trusted.
- C. Threat actors have already breached the network defenses.
- D. Data encryption is unnecessary for internal traffic.
- E. Antivirus signatures will catch all known malware variants.
- F. Cloud environments share the exact same risk profile as on-premise networks.

Correct Answer: C

Explanation:

- Option A is incorrect because Presumption of Compromise assumes the opposite, acknowledging that perimeters can be breached.
- Option B is incorrect because blindly trusting internal users violates core Zero Trust principles.
- Option C is correct because this principle dictates that systems must be designed under the assumption that attackers are already operating within the environment.
- Option D is incorrect because internal encryption becomes critical when assuming the network is compromised.
- Option E is incorrect because relying solely on signature-based detection is highly ineffective against advanced persistent threats.
- Option F is incorrect because cloud models introduce distinct shared responsibility frameworks and different risk profiles.

Question 2: When implementing a Cloud-based Security Architecture utilizing an Infrastructure as a Service (IaaS) model, which of the following elements remains the strict responsibility of the cloud service provider?

- A. Operating system patching.
- B. Application logic vulnerabilities.
- C. Physical data center security.
- D. User access management.
- E. Network traffic filtering rules.
- F. Virtual machine data encryption.

Correct Answer: C

Explanation:

- Option A is incorrect because in an IaaS model, the customer is responsible for managing and patching the guest operating system.
- Option B is incorrect because the customer owns and must secure their own application code.
- Option C is correct because the service provider retains absolute control over physical facility access and base hardware security in IaaS.
- Option D is incorrect because Identity and Access Management configurations are handled directly by the customer.
- Option E is incorrect because configuring virtual network security groups and firewalls falls under the customer’s purview.
- Option F is incorrect because the customer must manage and implement their own data-at-rest encryption strategies within their instances.

Question 3: In the context of Data-Centric Security, what is the most significant advantage of deploying a Web Application Firewall (WAF) instead of relying solely on a traditional Layer 3 network firewall?

- A. A WAF filters traffic based strictly on IP addresses and ports.
- B. A WAF natively handles all Database Activity Monitoring tasks.
- C. A WAF inspects HTTP/HTTPS traffic for application-layer exploits like SQL injection.
- D. A WAF replaces the need for standard data encryption key management.
- E. A WAF manages Mobile Device Management (MDM) policies across the enterprise.
- F. A WAF mitigates all Layer 2 broadcast domain attacks.

Correct Answer: C

Explanation:

- Option A is incorrect because standard network firewalls operate at Layer 3/4, whereas WAFs operate primarily at Layer 7.
- Option B is incorrect because Database Activity Monitoring is a separate control focused on analyzing backend database queries, not web traffic.
- Option C is correct because a WAF is specifically built to understand web application protocols and block application-specific attacks like cross-site scripting and SQL injection.
- Option D is incorrect because WAFs do not perform encryption key management functions required for data at rest.
- Option E is incorrect because MDM is a distinct governance control meant for securing mobile endpoints.
- Option F is incorrect because WAFs do not operate at Layer 2 and cannot protect against local network broadcast storms.

Welcome to the Mock Exam Practice Tests Academy to help you prepare for your GIAC Defensible Security Architect (GDSA) Exam.
- You can retake the exams as many times as you want.
- This is a huge original question bank.
- You get support from me if you have questions.
- Each question has a detailed explanation.
- Mobile-compatible with the Udemy app.

I hope that by now you’re convinced! And there are a lot more questions inside the course.








