This study plan is based on milestones, so check how much you can cover within the timeline. The more of these topics you cover, the better a candidate you are for job roles that require good knowledge of security architecture. I also assume you have already gone through, and are comfortable with, the Common Security Skills study plan.
To be clear about what you need to learn to be a Security Architect or a Security Architecture-focused engineer: Security Architecture is different from just "doing AppSec" or "doing pentesting". You need to understand how to design secure systems end-to-end across applications, infrastructure, cloud, data, and identities.
It is more about:
- defining guardrails and reference architectures,
- driving secure design decisions early,
- aligning with frameworks and standards,
- and working closely with AppSec, Cloud, Infrastructure and GRC teams.
Usually it will take you 6-12 months to become good at the Security Architecture fundamentals, enough to get an entry-level job or move laterally into an architect-type role.
- Security Architecture is not only pentesting or only AppSec.
- Think more of a combination of engineer, designer, and risk manager.
- Talking to engineering leaders, architects, product owners, and GRC teams should not scare you.
- You must be comfortable with diagrams, data flows, and threat modeling.
- You should understand both on-prem and cloud architectures (at least one major CSP).
- You should be able to review designs and propose secure patterns with confidence.
- Security Architecture Fundamentals - 4-6 weeks
- Frameworks, Standards and Models - 3-4 weeks
- Designing Secure Architectures - 4-6 weeks
- Threat Modeling and Risk Management - 3-4 weeks
- Secure SDLC and Architecture Governance - 3-4 weeks
- Reference Architectures and Patterns - 3-4 weeks
- Books
- Videos
- Courses
- Certifications
- Interview Questions
## Security Architecture Fundamentals
Duration: 4-6 weeks
The goal here is to understand what security architecture means and where it fits in the overall security program.
- Understand the role of a Security Architect vs AppSec Engineer vs Cloud Security Engineer vs GRC.
- Understand high-level components of modern systems:
  - Applications / microservices
  - APIs and integration layers
  - Databases and data stores
  - Identity and access management
  - Network and perimeter controls
  - Observability and logging
- Learn to read and create architecture diagrams (C4 model basics, context/container/component diagrams).
- Understand core security goals (CIA, authenticity, non-repudiation, privacy by design, least privilege, defense in depth).
- Map typical attack surfaces on these diagrams.
You will use these fundamentals in almost every other section.
## Frameworks, Standards and Models
Duration: 3-4 weeks
You don't need to memorize everything, but you should know what exists, when to use it, and where to look.
- High-level security architecture frameworks
  - SABSA (Sherwood Applied Business Security Architecture) – concept of business-driven security architecture
  - TOGAF and how security fits into enterprise architecture
  - NIST Cybersecurity Framework (CSF) at a high level
- Technical standards and guidelines that influence architecture
  - NIST 800-53 / NIST 800-171 basics
  - ISO 27001 controls at a high level
  - CIS Controls v8 (mapped to architecture capabilities)
- Application- and cloud-focused standards
  - OWASP ASVS
  - OWASP SAMM
  - CSP-specific well-architected frameworks (AWS, Azure, GCP)
Try to understand how these frameworks translate into concrete architecture requirements (e.g. logging, segmentation, encryption, IAM, backups, resilience).
## Designing Secure Architectures
Duration: 4-6 weeks
Focus on how you design secure solutions from the start.
- Network and segmentation concepts
  - DMZs, zero trust network concepts, micro-segmentation
  - North-south vs east-west traffic
- Identity and access architecture
  - Central IdP, SSO, SAML/OIDC, MFA
  - RBAC/ABAC, least privilege, just-in-time access
- Data security architecture
  - Data classification
  - Encryption in transit and at rest, key management (KMS/HSM basics)
  - Tokenization, masking, and pseudonymization
- Application and API architecture
  - High-level overview of secure web and API architectures
  - (Deep API details are covered in the API Security Study Plan)
- Resilience and availability
  - Redundancy, failover, backups and restore
  - Designing for DDoS and capacity
Try to pick one or two small systems (side project, home lab, or existing app at work) and draw the "as-is" and "to-be" secure architecture.
## Threat Modeling and Risk Management
Duration: 3-4 weeks
Here, you combine architecture diagrams with attacker thinking.
- Read Threat Modeling Study Plan.
- Learn at least one methodology:
  - STRIDE
  - Attack trees or kill chain style
- Learn how to:
  - Identify assets, trust boundaries, and entry points
  - Identify threats and abuses for each component
  - Prioritize using simple risk scoring (likelihood × impact)
  - Propose architectural mitigations and compensating controls
Repeat this for at least 3–4 different architectures:
- Simple 3-tier web app
- Public APIs with mobile/SPA client
- Internal line-of-business application
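As an added illustration of the steps above (this is example code written for this plan, not part of the original study plan or any project it references), the script below walks a constructed 3-tier web app through the loop: it derives entry points from trust-boundary crossings, enumerates threats with STRIDE-per-element, scores each one as likelihood × impact on a 1-5 scale, and maps the high scorers to architectural mitigations. The element kinds, baseline scores and mitigation strings are my own assumptions and should be tuned to your system.

```python
from dataclasses import dataclass

# STRIDE-per-element: which threat categories apply to which kind of element
# (S spoofing, T tampering, R repudiation, I information disclosure,
# D denial of service, E elevation of privilege).
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}

# Constructed baseline scores on a 1-5 scale (assumption, tune per context).
BASE_LIKELIHOOD = {"S": 3, "T": 3, "R": 2, "I": 3, "D": 3, "E": 2}
BASE_IMPACT = {"S": 3, "T": 4, "R": 2, "I": 4, "D": 3, "E": 5}

# Architectural mitigation per STRIDE category (illustrative, not exhaustive).
MITIGATIONS = {
    "S": "strong authentication: central IdP, MFA, mTLS between services",
    "T": "integrity controls: TLS, input validation, signed messages, immutable logs",
    "R": "non-repudiation: audit logging to tamper-evident central storage",
    "I": "encryption in transit and at rest, data classification, least privilege",
    "D": "rate limiting, capacity planning, redundancy and failover",
    "E": "least privilege, RBAC/ABAC, segmentation between tiers",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # external | process | datastore
    zone: str            # trust zone, e.g. internet, dmz, internal
    sensitive: bool = False


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    likelihood: int
    impact: int
    crosses_boundary: bool

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def _score(category, exposed, sensitive):
    # Exposure across a trust boundary raises likelihood; sensitive data raises impact.
    lik = min(5, BASE_LIKELIHOOD[category] + (1 if exposed else 0))
    imp = min(5, BASE_IMPACT[category] + (1 if sensitive else 0))
    return lik, imp


def entry_points(elements, flows):
    """Elements that receive a flow from a different trust zone."""
    zone = {e.name: e.zone for e in elements}
    return {f.dst for f in flows if zone[f.src] != zone[f.dst]}


def enumerate_threats(elements, flows):
    by_name = {e.name: e for e in elements}
    entries = entry_points(elements, flows)
    threats = []
    for e in elements:
        exposed = e.name in entries
        for cat in STRIDE_PER_ELEMENT[e.kind]:
            lik, imp = _score(cat, exposed, e.sensitive)
            threats.append(Threat(e.name, cat, lik, imp, exposed))
    for f in flows:
        crosses = by_name[f.src].zone != by_name[f.dst].zone
        for cat in STRIDE_PER_ELEMENT["dataflow"]:
            lik, imp = _score(cat, crosses, by_name[f.dst].sensitive)
            threats.append(Threat(f"{f.src}->{f.dst} ({f.protocol})", cat, lik, imp, crosses))
    return sorted(threats, key=lambda t: (-t.score, t.target, t.category))


def mitigation_plan(threats, threshold=12):
    """Pair every threat at or above the score threshold with a mitigation."""
    return [(t, MITIGATIONS[t.category]) for t in threats if t.score >= threshold]


# Constructed example: simple 3-tier web app with an Internet-facing web tier.
ELEMENTS = [
    Element("browser", "external", "internet"),
    Element("web", "process", "dmz"),
    Element("app", "process", "internal"),
    Element("db", "datastore", "internal", sensitive=True),
]
FLOWS = [Flow("browser", "web", "https"), Flow("web", "app", "http"), Flow("app", "db", "sql")]

if __name__ == "__main__":
    for t, fix in mitigation_plan(enumerate_threats(ELEMENTS, FLOWS), threshold=15):
        print(f"{t.score:>2} {t.category} {t.target:<24} -> {fix}")
```

Redrawing the same model with an unencrypted east-west hop, or with the database moved into its own zone, changes which flows cross boundaries and therefore which threats float to the top; that is exactly the comparison to make between the "as-is" and "to-be" diagrams.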
## Secure SDLC and Architecture Governance
Duration: 3-4 weeks
Security architecture is effective only if it is built into the way software is delivered.
- Revisit Security Development Lifecycle (SDL) Study Plan.
- Understand where security architects engage in the SDLC:
  - Requirement and design reviews
  - Architecture review boards / design review checklists
  - Threat modeling as part of design
  - Sign-off criteria and security non-functional requirements
- Learn common architecture governance practices:
  - Reference architectures and reusable patterns
  - Exception management and technical debt tracking
  - Security standards, baselines, and guardrails
## Reference Architectures and Patterns
Duration: 3-4 weeks
Look for and collect reference architectures for typical environments:
- On-prem or hybrid architectures
  - DMZ, VPN, identity, central logging, SIEM, bastion hosts
- Cloud architectures
  - Secure VPC/VNet design
  - Internet-facing vs private services
  - Centralized logging, monitoring, and alerting
- Common patterns
  - Zero Trust style access to internal apps
  - Secure API gateway pattern
  - Secure data pipeline / analytics architecture
Try to map each reference diagram to:
- which controls are enforced where, and
- how attacks would flow through the system.
## Books
- Enterprise Security Architecture: A Business-Driven Approach
- Agile Application Security – good for seeing how architecture and AppSec work together
- Security Engineering by Ross Anderson – classic reference on designing secure systems
- The Tangled Web: A Guide to Securing Modern Web Applications
## Videos
- Search for "Security Architecture" talks from OWASP, Black Hat, or RSA on YouTube.
- Talks on threat modeling and secure design (many are linked from the Threat Modeling Study Plan).
- Cloud provider "Well-Architected" security deep-dives (AWS, Azure, GCP official channels).
## Courses
- Any good "Enterprise Security Architecture" or "Security Architecture and Design" course from trusted platforms.
- Cloud security architecture courses from your preferred CSP (AWS, Azure, or GCP) – align with your cloud security plan.
- Threat modeling and secure design courses (see Threat Modeling study plan for specific links).
## Certifications
- CSSLP: Certified Secure Software Lifecycle Professional
- CCSP: Certified Cloud Security Professional
- Vendor-specific cloud security or architecture certifications (AWS, Azure, GCP) depending on your focus.
## Interview Questions
You can use the Application Security interview questions and think about how you would answer them from an architecture perspective (design choices, trade-offs, and patterns), and extend them with:
- How would you design a secure architecture for a public web application with APIs and mobile clients?
- How would you design logging and monitoring for a critical payments system?
- How would you approach threat modeling for a new microservices-based product?