At 11:47 p.m., the on-call engineer at a Vancouver-based financial services firm got paged. An endpoint detection alert had fired. Someone was running scanning tools inside the network – not outside trying to break in, but already inside, moving laterally through servers they had no business touching. The attacker had been there for nearly three weeks, slipping past a traditional stateful firewall that only checked IP addresses and port numbers.
If your firewall is still making decisions at layer 4, that scenario isn’t hypothetical. It’s the type of breach that hits organisations with legacy security stacks, and it’s exactly the gap Cisco Firepower Threat Defence (FTD) was built to close.
FTD brings together next-generation firewall (NGFW) capabilities, intrusion prevention, application visibility, advanced malware protection, and URL filtering into a single, unified platform. This guide covers everything you need to know: what FTD is, how its architecture works, how it compares to ASA, how you manage it, what deployment modes exist, common mistakes to avoid, and how FTD skills map to CCNP Security certification and a strong career in network security.
TL;DR – Key Points
- FTD combines the Cisco ASA firewall engine with the Snort IPS into one software image
- It adds native IPS, AMP malware protection, URL filtering, and SSL inspection that ASA doesn’t have
- Managed by FMC (multi-device), FDM (single device on-box), or CDO (cloud-based)
- Cisco recommends FTD for all new deployments; ASA stays for specific migration scenarios
- The 300-710 exam (CCNP Security) tests FTD configuration through FMC, and updates to v1.2 in August 2026
- Common mistakes include skipping SSL inspection, leaving IPS in detection-only mode, and ignoring Talos tuning
What Is Cisco Firepower Threat Defence (FTD)?
Cisco Firepower Threat Defence is Cisco’s unified next-generation firewall software. It merges two previously separate platforms – the Cisco ASA firewall and the Cisco Firepower Next-Generation IPS (NGIPS) – into a single software image running on Cisco’s firewall appliance hardware.
In plain terms: FTD doesn’t just block traffic based on ports and addresses. It inspects the actual content of packets, identifies applications regardless of port, detects known threats and malware signatures, and makes policy decisions based on user identity, URL category, and file reputation.
Cisco officially renamed the product “Cisco Secure Firewall Threat Defense” in 2021, but the industry still uses “FTD” and “Firepower Threat Defence” interchangeably. That rebrand wasn’t cosmetic. It ran across the whole portfolio: the hardware shifted from “Firepower” to “Secure Firewall” naming, the management server became the “Secure Firewall Management Center,” and in 2026 even the CCNP Security exam title changed from “Securing Networks with Cisco Firepower” to “Securing Networks with Cisco Firewalls.” You’ll still see “Firepower” everywhere in older docs, job postings, and the field, so it pays to recognise both names.
The shift FTD represents:
| Old approach | Cisco FTD approach |
|---|---|
| Allow/deny based on IP + port | Decisions based on application, user, URL, file reputation |
| No visibility into encrypted traffic | SSL/TLS inspection built in |
| Signature updates manual or infrequent | Talos threat intelligence, updated continuously |
| IPS requires a separate device or module | IPS is native, part of the same inspection pipeline |
That shift from layer 4 filtering to deep, application-aware security is what makes FTD a genuine next-generation platform – not just a buzzword.
The Architecture Behind Cisco FTD

FTD’s capability comes from combining two technology stacks into one image.
1. LINA – The ASA Firewall Engine
The underlying ASA firewall component runs on LINA (Linux-based ASA), a custom embedded Linux environment. LINA handles stateful packet inspection, NAT, VPN (site-to-site and remote access), access control, and routing. It’s the proven firewall core enterprises have relied on for over two decades.
2. The Snort IPS Engine
Snort is an open-source intrusion detection and prevention system that Cisco acquired through its Sourcefire purchase in 2013. Snort performs deep packet inspection, signature-based threat detection, protocol anomaly detection, and file analysis. This is what gives FTD its next-generation capability on top of the ASA base. Since FTD version 7.0, the default inspection engine is Snort 3, which is faster than the older Snort 2 and uses a more flexible rule syntax. If you’re learning FTD today, learn it on Snort 3.
The FTD inspection pipeline:
- Traffic arrives at the FTD interface
- Security Intelligence checks IPs, URLs, and file hashes against threat intelligence feeds
- Access Control Policy determines whether traffic is allowed, blocked, or passed to inspection
- Allowed traffic enters Snort for deep packet inspection and IPS analysis
- File Policy checks files against AMP (Advanced Malware Protection) for known and unknown malware
- URL Policy filters web traffic by category and reputation score
- Events and logs are sent to FMC for centralised storage and analysis
This pipeline means FTD doesn’t just make one decision at the front door. It watches traffic all the way through the session.
FMC High Availability
In production environments, FMC itself should run in a high-availability pair. FMC HA uses an active/standby model where the standby FMC syncs policy data, events, and device registrations from the active. If the active FMC goes down, the standby takes over management without disrupting the FTD devices themselves – they keep enforcing the last pushed policy.
Hardware Platforms (current lineup)
FTD runs on the Cisco Secure Firewall appliance families. The current generation:
- Secure Firewall 1200 series – branch offices, SD-WAN, and SASE edge (roughly 9-18 Gbps NGFW throughput)
- Secure Firewall 3100 series – mid-to-large enterprise, with clustering up to 16 nodes (roughly 10-45 Gbps)
- Secure Firewall 4200 series – high-performance enterprise and data centre (roughly 65-145 Gbps)
- Firepower 4100 / 9300 series – earlier high-end and service-provider platforms still widely deployed
The older Firepower 1000 and 2100 series are previous-generation and being succeeded by the 1200 and 3100 lines, so check end-of-sale dates before buying for a new build.
FTD also runs as FTDv, a virtual appliance on VMware ESXi, KVM, Microsoft Azure, AWS, OCI, and GCP. The FTDv tiers scale by vCPU count, from light branch workloads up to data-centre throughput in virtual form – so you can build a full lab on a laptop and a production cluster in the cloud using the same image.
Cisco FTD vs ASA: What’s the Actual Difference?

This is the first question every network engineer asks when they encounter FTD. The short answer: both run on the same Cisco Secure Firewall hardware, but the software decides what the device can do.
| Feature | Cisco ASA | Cisco FTD |
|---|---|---|
| Stateful firewall | Yes | Yes |
| NAT | Yes | Yes |
| Site-to-site VPN | Yes | Yes |
| Remote access VPN (Secure Client / AnyConnect) | Yes | Yes |
| Native IPS | No (external module) | Yes (Snort 3) |
| Application visibility and control | Limited | Full |
| URL filtering | Limited | Full |
| Advanced malware protection | External (optional) | Native (AMP) |
| SSL/TLS inspection | Limited | Full |
| Management tool | ASDM / CLI | FMC, FDM, or CDO |
| Clustering | Full support | Full on 3100 / 4200 (up to 16 nodes) |
| OSPF / BGP routing | Full | Full |
A real-world illustration:
A medium-sized manufacturing company in Calgary ran Cisco ASA firewalls for years. Their security team could block known-bad IPs and control port-based access, which worked fine – until they got hit with a fileless malware attack that moved over HTTPS on port 443. The ASA had no way to inspect encrypted traffic. Their investigation showed the attack had been running for four weeks before they noticed an anomaly in endpoint logs.
After migrating to FTD with FMC, they gained SSL inspection, Snort-based IPS, and AMP file analysis in one step. Six months later, when a similar campaign targeted their sector, FTD flagged and blocked the encrypted C2 traffic at the perimeter before it reached any endpoint.
When does ASA still make sense in 2026?
ASA remains a reasonable choice for a few cases: networks where existing ASA VPN configurations are too dense to migrate short-term, brownfield setups where a specific ASA feature doesn’t yet have FTD parity, and teams that simply aren’t ready to retrain on FMC. The clustering gap has largely closed – FTD now supports clustering on the 3100 and 4200 platforms – so that’s no longer the blocker it once was. Cisco’s guidance is clear: new deployments should use FTD, and existing ASA installs should migrate at the next hardware refresh.
If you’re comparing Cisco security options with other vendors, our Fortinet NSE4 vs Cisco Security comparison covers which platform suits which environment. And if you’re deciding between cert tracks, the CCNA vs CCNP breakdown shows exactly how the paths connect and what employers look for at each level.
Core Security Features of Cisco FTD
Application Visibility and Control (AVC)
FTD’s access control policies go beyond ports and protocols. You write rules based on application (Facebook, Dropbox, Salesforce), user identity (integrated with Active Directory or Cisco ISE), geographic location, URL category, and file type. A policy like “allow Salesforce for the sales team, block all unapproved SaaS applications” is straightforward to configure, and it works regardless of what port the application uses.
Intrusion Prevention System (IPS)
The Snort-based IPS runs signature sets that Cisco’s Talos threat intelligence team updates on an ongoing basis. Talos is one of the largest commercial threat intelligence operations globally, processing millions of malware samples daily. FTD ships with three pre-tuned intrusion policies:
- Connectivity Over Security – minimal blocking, maximises application performance
- Balanced Security and Connectivity – the standard starting point for most environments
- Security Over Connectivity – aggressive inspection, some risk of false positives
Most organisations start with Balanced and tune based on what Talos recommendations show over the first few weeks.
Advanced Malware Protection (AMP for Networks)
AMP inspects files passing through FTD and checks their SHA-256 hash against Cisco’s cloud threat database. Known malware is blocked immediately. Unknown files can be sent for dynamic (sandboxed) analysis. AMP also does retrospective detection: if a file that passed inspection is later identified as malicious, AMP sends an alert and shows you every device that received it, so you know exactly what to clean up.
URL Filtering
FTD blocks or alerts on traffic based on URL category (phishing, gambling, adult content, file sharing) and URL reputation score. This applies even to HTTPS traffic when SSL inspection is active.
SSL/TLS Inspection
A significant portion of modern malware communicates over encrypted HTTPS channels, knowing that most firewalls won’t inspect it. FTD can decrypt SSL/TLS sessions, inspect the content, and re-encrypt before forwarding. Setting this up requires deploying a CA certificate to endpoints (to prevent browser certificate warnings), but it closes one of the most commonly abused attack vectors.
VPN
FTD supports Secure Client (formerly AnyConnect) remote access VPN for secure employee connections and site-to-site IKEv1/IKEv2 VPN for branch connectivity. The configuration model has moved away from ASA’s ACL-heavy approach toward a more object-based, policy-driven workflow in FMC.
Managing Cisco FTD: FMC vs FDM vs CDO

You’ll manage FTD with one of three tools, and picking the right one depends on your scale and operational model.
Cisco Secure Firewall Management Center (FMC)
FMC – the management server formerly called Firepower Management Center – is a separate appliance (hardware or FMCv virtual) that manages multiple FTD devices from a centralised dashboard. Any deployment with more than one FTD appliance should use FMC.
FMC gives you:
- Centralised policy management across all managed devices
- Detailed event logging, dashboards, and reports
- Correlation rules for threat hunting and automated response
- Integration with Cisco XDR for cross-product detection and response (Cisco XDR replaced the retired SecureX platform, which reached end-of-life on July 31, 2024)
- Health monitoring and alerting for all devices
- Top-tier hardware FMC manages up to 750 FTD devices
FMC is what enterprises use in production, and it’s what the 300-710 certification exam tests on.
Firepower Device Manager (FDM)
FDM is an on-box web GUI that runs directly on the FTD appliance, no separate server required. It’s designed for single-device deployments or smaller environments where a dedicated FMC server isn’t practical.
FDM is simpler and faster to get started with. It covers most common use cases: access control policies, NAT, VPN, and basic IPS. It doesn’t support the full feature set FMC does – no correlation rules, limited reporting, and fewer integration points.
Cisco Defense Orchestrator (CDO)
CDO is Cisco’s cloud-based management platform. It manages FTD, ASA, and Meraki MX devices from a single cloud console, without running a dedicated FMC server on-premises. CDO is worth knowing for distributed or cloud-first environments where maintaining local FMC infrastructure isn’t practical.
CDO supports a subset of FMC features. It’s not a full replacement for FMC in complex enterprise deployments, but it’s a strong choice for managed service providers and organisations with distributed branches.
The decision:
| Scenario | Right tool |
|---|---|
| 1 device, branch or lab | FDM |
| 2-750 devices, on-prem management | FMC |
| Multi-tenant, cloud-managed, MSP | CDO |
| CCNP 300-710 exam study | FMC (exam tests FMC workflows) |
FTD Deployment Modes
Where FTD sits in your network topology determines which deployment mode you choose.
Routed Mode – the default. FTD acts as a layer 3 hop, with its own IP addresses on each interface and traffic routing through it. This is the most common production deployment – internet edge, data centre perimeter, campus core.
Transparent Mode – FTD acts as a layer 2 bridge and is “invisible” to the network, with no IP addresses on data interfaces. Useful for inserting FTD into an existing network without changing IP addressing or routing tables. Common in data centres where renumbering is impractical.
Inline Mode – FTD sits directly in the traffic path and can actively block traffic. Used when you want the IPS running in prevention (not just detection) mode. Traffic must physically pass through the device.
Inline Tap Mode – FTD receives a copy of traffic via a network tap and analyses it without blocking anything. Used for testing IPS rules before going into prevention mode. Lets you see what would be blocked without impacting traffic.
Passive Mode – FTD monitors traffic from a SPAN port, again without blocking. Useful for visibility, baselining traffic patterns, and evaluating what an IPS policy would catch before you deploy it actively.
Which mode for which scenario:
| Scenario | Mode |
|---|---|
| New deployment, full NGFW | Routed |
| Inserting into existing network, no re-IP | Transparent |
| Active IPS/prevention | Inline |
| Testing IPS rules before going live | Inline Tap |
| Visibility only, SOC monitoring | Passive |
5 Common FTD Configuration Mistakes
Most FTD deployments work well out of the box, but five mistakes show up repeatedly – especially for engineers coming from ASA backgrounds.
1. Leaving IPS in Detection-Only Mode
FTD ships with IPS disabled or in detection-only mode. Engineers often turn it on, see the alerts, and leave it there without switching to prevention. Detection means FTD logs the threat. Prevention means it blocks it. If you’re only detecting, you’re paying for IPS without getting the protection. Start with Balanced Security and Connectivity in prevention mode, then tune from there.
2. Skipping SSL Inspection Entirely
Most networks now carry the majority of their traffic over HTTPS. An FTD deployment without SSL inspection is leaving a large inspection gap open. SSL inspection requires planning (deploying a CA cert, handling certificate pinning exceptions, managing performance impact), but skipping it entirely means attackers can tunnel malware and C2 traffic through encrypted channels freely.
3. Ignoring Talos Tuning Recommendations
FMC surfaces Talos-generated recommendations for IPS rule tuning based on your network’s traffic patterns. Many teams ignore these and run generic intrusion policies indefinitely. Talos tuning reduces false positives, improves performance, and keeps your policy aligned to what Cisco sees in the wild. It takes 30 minutes a week and makes a measurable difference.
4. Not Registering FTD to FMC Before Configuration
Engineers sometimes configure FTD through FDM first, then try to register it to FMC later and hit conflicts. The right sequence: register FTD to FMC first, then push all configuration from FMC. Once a device is managed by FMC, local FDM configuration is locked out – this is by design, not a bug.
5. Treating FTD Like an ASA in the CLI
FTD has its own CLI, and it’s not ASA IOS. The FTD CLI is for diagnostics and troubleshooting – you don’t configure policies there the way you do in ASA. Engineers used to interface GigabitEthernet0/0 / nameif outside will find that FTD CLI looks different. All policy configuration happens in FMC or FDM. The FTD expert CLI (expert command) gives you Linux shell access for deep diagnostics, but it’s not where you build security policies.
Cisco FTD and CCNP Security Certification

FTD sits at the centre of two Cisco certifications worth knowing.
CCNP Security – 300-710
The 300-710 exam covers FTD configuration and management through FMC. Topics include:
- Initial FTD deployment and registration to FMC
- Access control policies and security intelligence
- Intrusion and file policies (IPS tuning, AMP)
- SSL policy configuration
- Site-to-site and remote access VPN
- Troubleshooting FTD and FMC
The 300-710 is a concentration exam. You pair it with the core SCOR exam (350-701) to earn CCNP Security.
A timing note that matters in 2026. Both exams are updating on the same dates – the last day to sit the current versions is August 26, 2026, and the new versions go live August 27, 2026:
- 300-710 updates from v1.1 to v1.2, and is renamed from “Securing Networks with Cisco Firepower” to “Securing Networks with Cisco Firewalls,” reflecting the Firepower-to-Secure-Firewall rebrand.
- 350-701 SCOR updates from v1.1 to v2.0, adding coverage of AI/LLM security, post-quantum cryptography, zero-trust architecture, Splunk, Cisco Secure Access, and Cisco XDR.
If you’re mid-study, decide whether to finish on the current version before the cutover or start fresh on the new one. Check the official 300-710 exam topics page and the SCOR exam topics page to confirm the current version before you register.
To turn exam topics into hands-on reps, pair your study with a lab workbook. SMEnode Labs’ CCNP Security firewall lab workbook maps each 300-710 topic to a guided FMC exercise you can run in EVE-NG.
CCIE Security
FTD appears in the CCIE Security v6.1 lab exam, the current revision (published October 2023 and still in force in 2026). It’s an eight-hour, hands-on practical split into Design and Deploy/Operate/Optimise modules. At that level you configure FTD through FMC at speed, troubleshoot policy issues in a live multi-device network, and handle edge cases around VPN migration from ASA to FTD. Identity Services Engine (ISE) carries heavy weight – roughly 40% of the lab – so FTD-plus-ISE fluency is non-negotiable. If you’re deciding whether CCIE is the right step after CCNP, the CCIE vs CCNP decision guide breaks down what each level requires and what it pays. For CCIE-level training with FTD and ISE labs, SMEnode Academy’s CCIE Security course covers the full v6.1 lab blueprint.
A study pattern that works:
Diego, a network administrator from Toronto with four years of ASA experience but zero FTD exposure, passed the 300-710 on his first attempt. He spent six weeks studying: two weeks on FMC navigation and policy structure, two weeks building IPS, AMP, and URL filtering configurations in a virtual lab, and two weeks on VPN and troubleshooting scenarios. His main advice – lab every topic, not just read about it. FTD’s behaviour in FMC differs enough from ASA that video-only study leaves gaps that show up under exam pressure.
Career Opportunities with Cisco FTD Skills
Network security engineers who can configure and troubleshoot FTD are consistently in demand. The pay reflects it. In the United States, Robert Half’s 2026 Salary Guide lists network security engineer pay in the range of $119,500 to $169,750, and Salary.com puts the average firewall engineer salary around $148,800. In Canada, Robert Half lists Toronto network security engineers between $111,601 and $152,539. Senior and specialist roles climb well past those midpoints (Sources: Robert Half 2026 Salary Guide; Salary.com, 2026).
Common job titles that list FTD skills:
- Network Security Engineer
- Senior Firewall Engineer
- Security Infrastructure Engineer
- Cisco Firepower / Secure Firewall Engineer
- Security Operations Engineer
Industries with the highest FTD demand include financial services, healthcare, government, defence contractors, and large enterprises in regulated sectors. These environments can’t run basic stateful firewalls and stay compliant. FTD gives them the audit trails, IPS coverage, and malware detection their compliance frameworks require.
FTD skills also combine well with Cisco ISE (Identity Services Engine) knowledge. An engineer who can configure FTD policies tied to ISE identity groups, handle posture assessment, and troubleshoot VPN authentication covers a large portion of what enterprise security teams call their “network access security stack.” For a detailed look at what these roles pay at the senior end, see the CCIE Security salary breakdown – it shows where FTD expertise fits in the compensation curve.
For the Canadian market specifically, the Cybersecurity Jobs in Canada guide covers what roles exist, what they require, and what they actually pay in 2026.
Getting Started: Your FTD Learning Path
If you’re starting from zero with FTD, here’s a practical sequence:
- Understand the ASA baseline. FTD shares core concepts with ASA – NAT, access lists, VPN. Even a surface-level understanding of ASA makes FTD easier to pick up. You don’t need to be an ASA expert, but you should know what stateful inspection and NAT do.
- Set up FTDv in a lab. Cisco offers FTDv as a virtual appliance. You can run it on a laptop or workstation with 8+ GB of free RAM using VMware Workstation or EVE-NG.
- Connect FMCv to your FTDv. FMC is available as FMCv (virtual). Connect the two and you have a full management experience without physical hardware.
- Work through each policy type. Build access control policies first, then enable an IPS policy, add URL filtering, and finish with VPN configuration. Each policy type teaches you a different stage of the FTD inspection pipeline.
- Use the 300-710 exam topics as your checklist. The 300-710 exam topic list is a complete inventory of what a competent FTD engineer should know. Even if certification isn’t your immediate goal, it’s a useful roadmap for making sure you haven’t missed anything.
A structured course with live labs gets you to competency faster than documentation alone. If you want to see which Cisco certifications give you the strongest salary bump before you commit, this breakdown of 5 Cisco certifications that boost salary gives you the data to make that call.
FAQ
What does FTD stand for?
FTD stands for Firepower Threat Defense. Cisco’s full product name is Cisco Secure Firewall Threat Defense (rebranded in 2021), but “FTD” and “Firepower Threat Defense” are still widely used across the industry, job postings, and certification exams.
Is Cisco Firepower being renamed?
Yes. Cisco moved the whole line to “Secure Firewall” branding. The appliances are now the Secure Firewall 1200/3100/4200 series, the management server is the Cisco Secure Firewall Management Center, and from the August 2026 update the 300-710 exam title changes from “Securing Networks with Cisco Firepower” to “Securing Networks with Cisco Firewalls.” The “Firepower” name still appears in older documentation and many job listings, so both terms are worth knowing.
Is Cisco Firepower the same as FTD?
Not exactly. “Firepower” refers to the broader product family, including the hardware appliances, the management center, and the NGIPS. FTD is the software image that runs on the hardware and combines ASA firewall capabilities with the Snort IPS engine. So Firepower is the platform; FTD is the operating software.
Can FTD replace ASA completely?
For most organisations, yes. FTD includes everything ASA does – stateful inspection, NAT, VPN, routing – plus the NGFW features ASA lacks. A few brownfield environments stay on ASA for specific VPN features or migration timing, but FTD clustering now works on the 3100 and 4200 platforms, so the old clustering gap is largely closed. Cisco’s direction is FTD for all firewall deployments.
What is the difference between FMC and FDM?
FMC (Cisco Secure Firewall Management Center) is a separate management server that handles multiple FTD devices, with full event logging, correlation rules, dashboards, and reporting. FDM (Firepower Device Manager) is an on-box GUI built into the FTD appliance itself, designed for single-device deployments. FMC is for enterprise multi-device environments; FDM is for single-device or branch deployments where a separate management server isn’t justified.
Does FTD support remote access VPN?
Yes. FTD supports Cisco Secure Client (formerly AnyConnect) for remote access VPN, including SSL and IKEv2 IPsec tunnels. Configuration is handled in FMC via Remote Access VPN policies, using connection profiles, group policies, and AAA integration with LDAP/AD or RADIUS.
How hard is the 300-710 exam?
It’s considered a mid-tier Cisco exam – harder than CCNA-level but more focused than CCIE. Most candidates with hands-on FTD lab experience pass within two to three attempts. The exam tests FMC-based configuration scenarios heavily, so lab time in FMCv is more valuable than reading. Engineers with an ASA background typically need 6-10 weeks; those new to Cisco firewalls should plan for 12-16 weeks.
What hardware do I need to practice FTD?
You don’t need physical hardware. Cisco offers FTDv and FMCv as virtual appliances that run on VMware Workstation, VMware ESXi, or KVM. A laptop or desktop with 32+ GB of total RAM can run a functional FTDv plus FMCv lab, which is enough for the full 300-710 topic list.
Wrapping Up
Cisco Firepower Threat Defence is the standard for enterprise next-generation firewall deployments in 2026. It replaces port-based inspection with deep packet analysis, application awareness, URL filtering, AMP, and integrated Snort 3 IPS, all managed from FMC, FDM, or CDO.
The five things to remember:
- FTD combines the ASA firewall engine (LINA) with Snort 3 IPS into a single, unified platform
- Talos threat intelligence keeps signatures and URL categories current against real-world threats
- FMC (the Cisco Secure Firewall Management Center) is the right tool for multi-device environments; FDM for single devices; CDO for cloud-managed or MSP deployments
- Deployment modes include Routed, Transparent, Inline, Inline Tap, and Passive
- The 300-710 certification validates FTD skills within the CCNP Security track, and updates to v1.2 (renamed “Cisco Firewalls”) in August 2026
The best way to build FTD skills isn’t to read about it – it’s to configure it. Lab time with FTDv and FMCv turns theory into the kind of hands-on knowledge that holds up in a job interview and in production.
Enrol in the Security Engineer Bootcamp at SMEnode Academy and build the hands-on FTD skills that consistently show up on job listings. If you’re aiming for CCIE level, the CCIE Security course covers the full v6.1 lab blueprint. Download the syllabus for either course, or book a free strategy call to map out the right path for where you are right now.