
100+ Free GDSA Practice Questions

Pass your GIAC Defensible Security Architecture (GDSA) exam on the first try — instant access, no signup required.

  • No registration
  • No credit card
  • No hidden fees
  • Start practicing immediately

~70-80% Pass Rate | 100+ Questions | 100% Free
Key Facts: GDSA Exam (2026 Statistics)

  • Exam Questions: 75 (source: GIAC)
  • Passing Score: 63% (source: GIAC)
  • Exam Duration: 2 hours (source: GIAC)
  • Exam Fee: $2,499 with SANS SEC530 (source: GIAC/SANS)
  • Validity: 4 years (source: GIAC)
  • Format: Open-book exam (source: GIAC)

The GDSA has 75 questions, a 2-hour time limit, and a 63% passing score. It is an open-book exam delivered remotely via ProctorU or onsite via Pearson VUE/OnVUE. Topics include Zero Trust fundamentals, networking, and endpoints; fundamental security architecture concepts; Layer 1/2 defense; Layer 3 defense; network defenses; network proxies and firewalls; network encryption and remote access; cloud-based security architecture; data-centric security; data discovery, governance, and mobility; and IPv6. The exam fee is $2,499 when bundled with SANS SEC530 training, and a retake costs $979. The certification is valid for 4 years.

Sample GDSA Practice Questions

Try these sample questions to test your GDSA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which NIST Special Publication defines Zero Trust Architecture, including the core logical components (Policy Engine, Policy Administrator, Policy Enforcement Point)?
   A. NIST SP 800-53
   B. NIST SP 800-82
   C. NIST SP 800-207
   D. NIST SP 800-171
   Explanation: NIST SP 800-207 'Zero Trust Architecture' (2020) is the authoritative reference. It defines the logical components — Policy Engine (PE), Policy Administrator (PA), and Policy Enforcement Point (PEP) — and the seven tenets (resources, sessions, least privilege, explicit verification, etc.). SP 800-53 is a security controls catalog, 800-171 protects CUI, and 800-82 focuses on OT security.

2. According to NIST 800-207, which principle MOST directly motivates the move away from implicit trust zones?
   A. Perimeter firewalls suffice
   B. Trust is granted based on authenticated identity, device posture, and context — not network location
   C. Internal users are inherently trusted
   D. Protection is provided by network location
   Explanation: Zero Trust asserts that network location is not a basis for trust. Access decisions are based on authenticated identity, device posture, workload context, and policy — continually evaluated. This is why 'inside the firewall' is no longer sufficient, and why micro-segmentation, identity-aware proxies, and ZTNA replace broad VPN access.

3. Which technology BEST provides east-west micro-segmentation inside a virtualized data center without deploying physical firewalls between VMs?
   A. A public DNS server
   B. A corporate email gateway
   C. VMware NSX-T or Illumio agent-based segmentation
   D. A DMZ firewall
   Explanation: VMware NSX-T offers distributed firewalling at each hypervisor vNIC; Illumio enforces host-based micro-segmentation using OS firewalls steered by a central policy. Both address east-west traffic between workloads without inserting physical firewalls. Cisco ACI, Azure NSG/ASG, and AWS Security Groups are related patterns in different environments.

4. Which capability is MOST characteristic of SASE (Secure Access Service Edge) platforms such as Zscaler, Netskope, Cato, and Palo Alto Prisma?
   A. Purely a backup solution
   B. On-premises-only application delivery
   C. Only local DNS caching
   D. Cloud-delivered convergence of SD-WAN with security (SWG, CASB, ZTNA, FWaaS)
   Explanation: SASE (Gartner, 2019) converges networking (SD-WAN) with security services (SWG, CASB, ZTNA, FWaaS, DLP) delivered from cloud points of presence. Leaders include Zscaler, Netskope, Cato Networks, Palo Alto Prisma Access, Cisco Umbrella/Secure Access, and Fortinet SASE. SSE (Security Service Edge) is the security-only subset (SWG+CASB+ZTNA).

5. Which of the following BEST differentiates ZTNA from a traditional IPsec or SSL VPN?
   A. ZTNA provides full network access once connected
   B. ZTNA requires site-to-site tunnels
   C. ZTNA does not use encryption
   D. ZTNA authorizes per application/resource with continuous verification, never exposing the full network
   Explanation: ZTNA (Zscaler ZPA, Cloudflare Access, Tailscale, Twingate, Palo Alto Prisma Access) grants access to specific applications/resources after identity and device posture checks, with continuous evaluation. Traditional VPNs, once connected, typically provide broad network access — enabling lateral movement. ZTNA's application-centric model is the core architectural shift.

6. Which Layer 2 defense specifically prevents rogue devices from attaching to a switchport by requiring authentication?
   A. IEEE 802.1X
   B. Dynamic ARP Inspection
   C. DHCP Snooping
   D. BPDU Guard
   Explanation: IEEE 802.1X is port-based network access control. The switch/WLC acts as authenticator, and a RADIUS server (Cisco ISE, Aruba ClearPass, Microsoft NPS) validates credentials. Until authentication succeeds, the port forwards only EAPOL traffic. DHCP Snooping blocks rogue DHCP servers, DAI blocks ARP spoofing, and BPDU Guard prevents spanning-tree hijacking.

7. An architect wants to implement 'identity-aware' application access for internal apps so users authenticate with SSO + MFA and device posture is evaluated. Which architecture is MOST suitable?
   A. Open Wi-Fi with captive portal
   B. NAT gateway
   C. Legacy IPsec VPN
   D. An identity-aware proxy / ZTNA service (e.g., Google BeyondCorp, Cloudflare Access, Zscaler ZPA)
   Explanation: Google's BeyondCorp pioneered identity-aware access — every request is authenticated (SSO+MFA), authorized based on user/device/context, and proxied to the backend. Commercial equivalents: Cloudflare Access, Zscaler Private Access, Palo Alto Prisma Access ZTNA, Microsoft Entra Private Access, and Tailscale. This replaces VPNs for internal app access.

8. Which MITRE framework describes adversary tactics and techniques used to inform detection engineering and defensive architecture?
   A. NVD
   B. CVE
   C. MITRE ATT&CK
   D. CWE
   Explanation: MITRE ATT&CK catalogs adversary tactics (the 'why') and techniques (the 'how') observed in real attacks — Enterprise, Cloud, ICS, Mobile, and Containers matrices. Defensive architects use ATT&CK to map controls to techniques (coverage maps), prioritize detections, and guide purple team exercises. CWE/CVE/NVD are vulnerability catalogs. D3FEND complements ATT&CK with defensive techniques.

9. Which cloud architecture pattern places shared services (DNS, identity, logging, security tooling) in a central VPC/VNet that workload VPCs connect to?
   A. Active-active clusters
   B. DMZ-only
   C. Flat VPC
   D. Hub-and-spoke (hub VPC/VNet)
   Explanation: Hub-and-spoke designs place shared services (DNS, AD/Entra ID sync, firewall, logging, inspection) in a hub VPC/VNet; workload spokes connect through AWS Transit Gateway, Azure Virtual WAN, or Azure VNet peering/Virtual Network Manager. This centralizes security controls, simplifies governance, and aligns with AWS Well-Architected, Azure landing zones, and GCP network designs.

10. Which AWS feature provides private, VPC-routable endpoints to AWS services without traversing the public Internet?
   A. AWS Internet Gateway
   B. AWS Route 53 public zones
   C. AWS VPC Endpoints (Interface and Gateway)
   D. AWS CloudFront
   Explanation: AWS VPC Endpoints provide private connectivity to supported AWS services. Gateway endpoints work for S3 and DynamoDB; Interface endpoints (PrivateLink) work for most other services. Similar patterns: Azure Private Endpoints/Private Link and Google Cloud Private Service Connect. Using private endpoints reduces data-exfiltration risk and removes the need for Internet egress in many architectures.

About the GDSA Exam

The GIAC Defensible Security Architecture (GDSA) validates the ability to design and build defensible enterprise architectures. It covers Zero Trust (NIST SP 800-207), micro-segmentation, SASE/SSE, identity-centric architecture, cloud security architecture (AWS/Azure/GCP), network proxies and firewalls, data-centric security, endpoint Zero Trust, IPv6, remote access, DevSecOps, and pragmatic controls mapped to adversary tradecraft.

  • Questions: 75 scored questions
  • Time Limit: 120 minutes (2 hours)
  • Passing Score: 63%
  • Exam Fee: $2,499 (with SANS SEC530) / $979 retake (GIAC / ProctorU / OnVUE)

GDSA Exam Content Outline

  • Fundamental Security Architecture Concepts (~10%): Defense in depth, threat modeling (STRIDE, PASTA), adversary tradecraft mapping (MITRE ATT&CK, Cyber Kill Chain), pragmatic controls, and architecture trade-offs
  • Zero Trust Fundamentals (~10%): NIST SP 800-207 Zero Trust Architecture, explicit verification, least privilege, assume breach, policy enforcement points (PEP), policy decision points (PDP)
  • Zero Trust Networking (~10%): Micro-segmentation (Illumio, VMware NSX, Cisco ACI), ZTNA vs VPN, SDP, software-defined perimeter, east-west controls, and identity-aware proxies
  • Zero Trust Endpoints (~8%): Endpoint posture, EDR/XDR (Defender XDR, SentinelOne, CrowdStrike), device compliance, application allowlisting, and conditional access on endpoints
  • Layer 1/Layer 2 Defense (~8%): Port security, 802.1X, MAC filtering, DHCP snooping, ARP inspection, BPDU guard, rogue device detection, and NAC (Cisco ISE, Aruba ClearPass)
  • Fundamental Layer 3 Defense (~8%): Routing security, OSPF/BGP authentication, uRPF, anti-spoofing ACLs, VRFs, segmentation at Layer 3, and private routing
  • Network Defenses (~8%): Defense in depth layering, IDS/IPS placement, NDR (Corelight, Vectra, Darktrace), traffic visibility (taps, SPAN, packet brokers), and deception (honeypots, canaries)
  • Network Proxies and Firewalls (~8%): NGFW (Palo Alto, Fortinet, Check Point), proxies (Squid, Zscaler), web filtering, SSL/TLS inspection, application control, and firewall rule hygiene
  • Network Encryption and Remote Access (~8%): IPsec, TLS/mTLS, WireGuard, ZTNA (Zscaler ZPA, Cloudflare Access, Tailscale), SASE (Netskope, Cato, Prisma), and VPN modernization
  • Cloud-based Security Architecture (~8%): AWS Well-Architected Security Pillar, Azure landing zones, GCP security foundations, hub-and-spoke, transit gateways, private endpoints, CSPM (Wiz, Prisma, Defender for Cloud)
  • Data-Centric Security (~6%): Data classification, DLP, tokenization, format-preserving encryption, DRM, and Rights Management Services (AIP/Purview)
  • Data Discovery, Governance, and Mobility Management (~4%): Data discovery tools, CASB (Netskope, McAfee Skyhigh), MDM/UEM (Intune, Jamf, Workspace ONE), BYOD governance, and shadow IT detection
  • IPv6 (~4%): IPv6 addressing, SLAAC vs DHCPv6, IPv6 security risks, ICMPv6, neighbor discovery attacks, dual-stack pitfalls, and IPv6 firewall considerations

How to Pass the GDSA Exam

What You Need to Know

  • Passing score: 63%
  • Exam length: 75 questions
  • Time limit: 120 minutes (2 hours)
  • Exam fee: $2,499 (with SANS SEC530) / $979 retake

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GDSA Study Tips from Top Performers

1. Master NIST SP 800-207 Zero Trust Architecture — the seven tenets and logical components (PE, PA, PEP)
2. Know micro-segmentation vendors: Illumio, VMware NSX, Cisco ACI, Azure NSG/ASG, AWS Security Groups
3. Study SASE/SSE: Zscaler, Netskope, Cato, Palo Alto Prisma, Cisco Umbrella, Fortinet — know the capabilities
4. Understand cloud security architecture patterns: AWS hub-and-spoke, Azure landing zones, transit gateways
5. Learn ZTNA vs VPN differences and ZTNA vendors: Zscaler ZPA, Cloudflare Access, Tailscale, Twingate
6. Map every control to MITRE ATT&CK techniques — GDSA emphasizes adversary-informed defense
7. Study Layer 2 defenses: 802.1X, port security, DHCP snooping, ARP inspection, BPDU guard
8. Know SSL/TLS inspection trade-offs, pinning, and privacy implications
9. Build a tabbed open-book index — the 2-hour limit is tight for 75 questions
10. Complete all 100 practice questions and focus on architecture decision scenarios

Frequently Asked Questions

What is the GIAC GDSA exam format?

The GDSA consists of 75 questions with a 2-hour (120-minute) time limit. The exam is open-book — candidates may use printed reference materials. The passing score is 63%. The exam is proctored remotely via ProctorU or onsite via Pearson VUE/OnVUE. Candidates have 120 days from activation to complete their attempt.

What are the main GDSA exam domains?

GDSA covers 13 domains: Zero Trust Fundamentals, Zero Trust Networking, Zero Trust Endpoints, Fundamental Security Architecture Concepts, Layer 1/2 Defense, Fundamental Layer 3 Defense, Network Defenses, Network Proxies and Firewalls, Network Encryption and Remote Access, Cloud-based Security Architecture, Data-Centric Security, Data Discovery/Governance/Mobility, and IPv6.

How does GDSA compare to CISSP-ISSAP?

GDSA is a practitioner-focused architecture cert (aligned with SANS SEC530) emphasizing hands-on defensible design with specific controls, vendors, and Zero Trust patterns. CISSP-ISSAP is a broader, management-oriented Information Systems Security Architecture Professional credential. GDSA is more technical and pragmatic; ISSAP is more strategic. Many senior architects hold both.

What are the GDSA renewal requirements?

GIAC certifications are valid for 4 years. Renewal requires 36 CPE credits plus a renewal fee (currently $499), or retaking the current exam. CPEs can be earned through SANS training, industry conferences, publications, teaching, or other approved activities.

What jobs can I get with GDSA certification?

GDSA qualifies you for senior architecture roles: Security Architect ($140,000-185,000), Cloud Security Architect ($150,000-200,000), Zero Trust Architect ($145,000-195,000), Enterprise Security Architect ($150,000-210,000), and Principal Security Engineer ($160,000-220,000). GDSA signals credible design-level expertise to employers.

How long should I study for GDSA?

Plan for 80-120 hours over 6-10 weeks. SANS SEC530 (Defensible Security Architecture and Engineering) is the official course and highly recommended. Focus on Zero Trust (NIST 800-207), micro-segmentation, SASE, cloud architecture patterns, and mapping controls to MITRE ATT&CK. Build a tabbed open-book index — the 2-hour limit is tight for 75 questions.

Is GDSA open book?

Yes. GDSA, like all GIAC exams, is open-book. Candidates may bring printed reference materials (SEC530 books, NIST SP 800-207, cloud architecture guides, personal notes). Electronic materials are not permitted. A well-indexed, tabbed reference set is critical given the 2-hour time constraint on 75 questions.