CompTIA SecurityX (CAS-005, formerly CASP+) Study Guide
CompTIA SecurityX (CAS-005, formerly CASP+) validates advanced practitioner-level skills for senior security engineers and architects who design, implement, and govern enterprise security across hybrid and cloud environments. The exam runs up to 165 minutes with a maximum of about 90 multiple-choice and performance-based questions, scored on a scale where 750 is passing. It covers four domains: Governance/Risk/Compliance, Security Architecture, Security Engineering, and Security Operations.
Domain 1: Governance, Risk, and Compliance
- Enterprise Risk Management (ERM) is an organization-wide process to identify, assess (likelihood x impact), prioritize, and treat risk using one of four responses: accept, avoid, transfer, or mitigate, aligned to the organization's stated risk appetite.
- Residual risk is the risk remaining after controls are applied; it can never reach zero, must be compared against risk appetite/tolerance, and any excess requires a formal risk-acceptance exception with executive sign-off.
- Quantitative risk analysis assigns dollar values using SLE = Asset Value x Exposure Factor, ALE = SLE x ARO; qualitative analysis uses subjective high/medium/low ratings when numeric data is unavailable.
- Control selection is justified by cost-benefit analysis: a safeguard is worthwhile only if its cost is less than the reduction in Annual Loss Expectancy (the ALE before minus the ALE after the control).
- A Business Impact Analysis (BIA) identifies critical processes, dependencies, and tolerable downtime/data-loss, producing the RTO (max acceptable downtime) and RPO (max acceptable data loss) that drive BC/DR priorities.
- GDPR applies to any organization processing EU residents' personal data regardless of location; it mandates lawful basis/consent, privacy by design, data-subject rights (access, erasure, portability), and 72-hour breach notification to the supervisory authority.
- When regulations overlap (e.g., GDPR and PCI DSS), map controls to both frameworks and apply the most stringent requirement where they conflict, rather than treating them separately.
- Third-party/supply-chain risk management requires evidence of independent attestations such as SOC 2 Type II or ISO 27001, plus security obligations, SLAs, and right-to-audit clauses written into the contract.
- An Interconnection Security Agreement (ISA) documents the technical and security requirements for connecting two organizations' systems; an MOU/MOA captures broader intent and an SLA defines measurable service levels.
- Software supply-chain integrity is demonstrated by maintaining a Software Bill of Materials (SBOM), verifying component provenance/attestations, and validating cryptographic signatures on artifacts.
- Security ROI is tracked using ROSI (Return on Security Investment) and KPIs/KRIs that measure risk reduction against control cost over time, supporting budget and tool-rationalization decisions.
- Tool rationalization maps each tool's capability to a required control, then consolidates redundant tools to cut cost and complexity while preserving coverage.
- Data-retention governance uses tiered lifecycle policies that archive data to cheaper cold storage while still meeting mandated legal/regulatory retention periods, and applies legal holds that suspend deletion during litigation.
- Cloud cost governance enforces mandatory resource tagging and cost-allocation policies (e.g., a Terraform validation block with tags = { Environment = var.env }) plus regular review and removal of idle/orphaned resources.
Domain 2: Security Architecture
- Zero Trust assumes no implicit trust: every access request is continuously verified against identity, device posture, and context, enforcing 'never trust, always verify' regardless of network location.
- Microsegmentation isolates workloads/zones to limit lateral movement and contain a breach, in contrast to flat networks where a single compromise spreads freely.
- Secure Access Service Edge (SASE) converges networking and security (SWG, CASB, ZTNA, FWaaS) delivered as a cloud-edge service, replacing backhauling traffic to a central data center.
- Zero Trust Network Access (ZTNA) replaces traditional VPNs by granting per-application access based on identity and posture, never exposing the broader network, and pairs with MFA and short-lived credentials.
- A Cloud Access Security Broker (CASB) sits between users and SaaS to enforce visibility, DLP, threat protection, and shadow-IT discovery for cloud application usage.
- Defense in depth layers independent controls (network, host, application, data) with least privilege and segmentation so no single failure exposes the whole system.
- High availability and resilience come from redundancy across availability zones/regions to remove single points of failure, plus tested backups and an exercised disaster-recovery plan.
- Attack-surface reduction means exposing the minimum set of services and consolidating public entry points behind a shared gateway or CDN protected by a single WAF/DDoS plan.
- Service mesh and workload-to-workload security use mutual TLS (mTLS) plus workload identity and short-lived tokens rather than static long-lived credentials.
- Egress filtering, microsegmentation, and DLP at the boundary detect and block data exfiltration; private/service endpoints route traffic to managed services privately, bypassing the NAT gateway and the public internet.
- Log architecture should tier storage: keep hot, frequently queried data in fast storage and transition older data to cheaper cold/archive tiers (e.g., lifecycle rules after 90 days) with defined retention.
- Scaling inline inspection horizontally means deploying the inspection appliance in an autoscaling pool behind a load balancer so throughput grows with demand instead of a single bottleneck.
- NSG/firewall rules are evaluated by priority; an explicit deny like 'az network nsg rule create ... -n DenyRDP --priority 100 --access Deny --protocol Tcp --destination-port-ranges 3389 --direction Inbound' blocks RDP at the subnet/NIC edge.
- Data-sovereignty and latency goals are met by serving users from the nearest region and keeping traffic intra-region to limit cross-region transfer cost and exposure.
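Added example, not from the guide or from Azure's tooling, modelling how the DenyRDP rule quoted above is applied: rules are walked in ascending priority order, the first match decides, and Azure's default inbound rules sit at priorities 65000-65500. The AllowRDPFromVnet rule and the service-tag-only source matching are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int    # custom rules use 100-4096; the lowest number is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    dest_ports: str  # "3389", "1000-2000", "80,443" or "*"
    source: str      # service tag such as "Internet" / "VirtualNetwork", or "*" (assumption: tags only)

# Azure's built-in default inbound rules (priorities 65000-65500); any custom rule precedes them.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "*", "VirtualNetwork"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "*", "AzureLoadBalancer"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]
CUSTOM_RULES = [
    # The DenyRDP rule quoted in the guide: priority 100, Deny, Tcp, port 3389, Inbound.
    NsgRule("DenyRDP", 100, "Inbound", "Deny", "Tcp", "3389", "*"),
    # Hypothetical later addition meant to re-open RDP from the VNet. It never wins:
    # priority 100 is evaluated before 200 and evaluation stops at the first match.
    NsgRule("AllowRDPFromVnet", 200, "Inbound", "Allow", "Tcp", "3389", "VirtualNetwork"),
]

def port_matches(spec: str, port: int) -> bool:
    """True if `port` falls inside a port spec such as '*', '3389', '1000-2000' or '80,443'."""
    if spec == "*":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, direction: str, protocol: str, port: int, source: str):
    """Return (access, rule_name) of the first matching rule in ascending priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if rule.source not in ("*", source):
            continue
        if port_matches(rule.dest_ports, port):
            return rule.access, rule.name
    return "Deny", "implicit"  # not reached while DenyAllInBound is present
```

Calling evaluate(CUSTOM_RULES + DEFAULT_INBOUND, "Inbound", "Tcp", 3389, "VirtualNetwork") yields ("Deny", "DenyRDP"), while Tcp/443 from the VNet falls through to AllowVnetInBound and Tcp/443 from the Internet to DenyAllInBound.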
Domain 3: Security Engineering
- Symmetric encryption (AES) uses one shared key and is fast for bulk data; asymmetric encryption (RSA, ECC) uses a public/private key pair, is slower, and is used for key exchange and digital signatures.
- Perfect Forward Secrecy uses ephemeral key exchange (ECDHE/DHE) so compromise of a long-term private key cannot decrypt previously captured session traffic, because each session derives a unique ephemeral key.
- A Hardware Security Module (HSM) provides tamper-resistant generation, storage, and use of cryptographic keys (often FIPS 140-2/140-3 validated) so private keys never leave the device in plaintext.
- Hardening disables deprecated protocols and weak ciphers (SSL 3.0, TLS 1.0/1.1, RC4, export-grade suites) that enable attacks like POODLE and BEAST, applying secure baselines (CIS Benchmarks/DISA STIGs).
- Certificate pinning prevents man-in-the-middle attacks by ensuring only the expected/trusted certificate or public key is accepted, rejecting otherwise-valid certs from rogue CAs.
- A measured/secure boot uses a TPM as a root of trust to verify firmware and OS integrity at startup and store boot measurements; secure boot blocks unsigned bootloaders.
- Post-quantum cryptography (PQC) addresses the threat that future quantum computers running Shor's algorithm could break current asymmetric algorithms (RSA, ECC); NIST has standardized algorithms such as ML-KEM (CRYSTALS-Kyber) and ML-DSA (Dilithium).
- Confidential computing uses Trusted Execution Environments (TEEs/enclaves such as Intel SGX or AMD SEV) to protect data while in use, encrypting memory so even a privileged host cannot read it.
- A centralized secrets manager/vault (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) provides encrypted storage, automated rotation, fine-grained access control, and audit logging for application secrets at scale.
- Envelope encryption wraps a local Data Encryption Key (DEK) with a Key Encryption Key (KEK) held in the vault/KMS; the DEK is cached and the KEK is used only to wrap/unwrap, minimizing round trips.
- Passwords must be stored with an adaptive/memory-hard hash (Argon2, bcrypt, scrypt, or PBKDF2) using a per-user salt and a tuned work factor benchmarked to acceptable latency, never with fast hashes like MD5/SHA-1.
- FIDO2/WebAuthn passkeys and hardware security keys provide phishing-resistant, passwordless authentication using public-key cryptography bound to the origin, defeating credential replay.
- Secure SDLC shifts left by running SAST, DAST, SCA, and IaC scanning early in CI/CD to catch vulnerabilities before production, and signs build artifacts to verify provenance.
- Performance-conscious crypto uses hardware-accelerated AES (AES-NI) for transparent disk encryption, offloads TLS termination to a load balancer/accelerator, and caches short-lived tokens until just before expiry and then refreshes them.
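Added example, not from the guide, implementing the password-storage bullet with PBKDF2-HMAC-SHA256 from Python's standard library (Argon2 would need a third-party package): a per-user random salt, a work factor benchmarked against a latency target, a self-describing record so the work factor can be raised later, and constant-time verification. The 600,000-iteration floor follows OWASP's current PBKDF2 guidance; the record format is this example's own.

```python
import base64
import hashlib
import hmac
import os
import time

ALGO = "pbkdf2_sha256"
MIN_ITERATIONS = 600_000  # floor for PBKDF2-HMAC-SHA256 (OWASP Password Storage Cheat Sheet)

def tune_iterations(target_ms: float = 250.0, floor: int = MIN_ITERATIONS) -> int:
    """Benchmark PBKDF2 on this host and return an iteration count costing about target_ms,
    never below the floor. Re-run when hardware or the latency budget changes."""
    probe = 20_000
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"benchmark-only", os.urandom(16), probe)
    elapsed_ms = (time.perf_counter() - start) * 1000
    estimate = int(probe * target_ms / max(elapsed_ms, 1e-3))  # linear extrapolation
    return max(floor, estimate)

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt$digest' (this example's own format)."""
    salt = os.urandom(16)  # fresh random salt per user, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(digest)}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)

def needs_rehash(record: str, current_iterations: int) -> bool:
    """True when the stored work factor is below today's setting; rehash after the next successful login."""
    return int(record.split("$")[1]) < current_iterations
```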
Domain 4: Security Operations
- A SIEM (Security Information and Event Management) aggregates and correlates logs/events from endpoints, network, and cloud to provide centralized detection, alerting, and investigation for the SOC.
- SOAR (Security Orchestration, Automation, and Response) runs playbooks to enrich, deduplicate, and automatically respond to alerts, standardizing handling and reducing analyst time on low-value duplicate alerts.
- The NIST SP 800-61 incident response lifecycle is Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity (lessons learned); preparation precedes detection.
- MITRE ATT&CK is a knowledge base mapping adversary tactics (goals) and techniques (methods); SOCs use it to build detections, measure coverage, and structure threat-hunting hypotheses.
- Threat hunting is proactive, hypothesis-driven searching for undetected threats already in the environment, rather than waiting for an alert to fire.
- User and Entity Behavior Analytics (UEBA) baselines normal behavior and flags anomalies (impossible travel, unusual data access) to detect insider threats and compromised accounts that signature rules miss.
- Centralized, tamper-evident log collection (immutable/WORM storage, remote syslog) preserves forensic evidence and enables correlation even if an endpoint is compromised or its local logs are wiped.
- A tabletop exercise rehearses incident response in a low-risk, discussion-based scenario to validate plans, roles, and decision-making before a real incident.
- Log-pipeline tuning filters and drops non-security-relevant noise at the collector before ingestion (keeping security-relevant fields) to control SIEM ingest cost while preserving detection fidelity.
- Alert-fatigue reduction comes from tuning detection rules and using SOAR to deduplicate, enrich, and risk-prioritize alerts into cases, and from caching/batching threat-intel indicator lookups instead of per-event live calls.
- Sysmon configuration uses the onmatch attribute set to 'include' or 'exclude' on filtering rules to control which events are logged, and event data is mapped to ATT&CK for detection coverage.
- Common operational hardening/triage commands include 'iptables -A INPUT -p tcp --dport 23 -j DROP' to block Telnet, 'firewall-cmd --permanent --add-service=https && firewall-cmd --reload' on firewalld, and 'journalctl -u sshd --since "1 hour ago"' to review service logs.
- KQL hunting queries summarize anomalies, for example 'SigninLogs | where ResultType != "0" | summarize Failures=count() by UserPrincipalName' to surface accounts with repeated failed sign-ins (password spray/brute force); note that the table name is case-sensitive and ResultType is a string column.
- Vulnerability management uses a risk-based cadence: schedule resource-intensive full scans during off-hours with throttling while lightweight continuous agents and delta/credentialed checks run in between.
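Added example, not from the guide, that strings the log-pipeline and alert-fatigue bullets together over a constructed event feed: noise is dropped and fields projected at the collector, threat-intel lookups go through a TTL cache instead of one live call per event, and repeated alerts collapse into a single risk-prioritized case. Event shapes, thresholds and the fake_feed stand-in are assumptions.

```python
NOISE_TYPES = {"heartbeat", "healthcheck", "debug"}              # event types dropped at the collector
KEEP_FIELDS = ("ts", "type", "host", "user", "src_ip", "rule")  # the fields detections actually use
# Constructed sample feed (ts in seconds); 'blob' stands for verbose payload the SIEM need not ingest.
EVENTS = [
    {"ts": 0, "type": "heartbeat", "host": "web1", "blob": "x" * 400},
    {"ts": 5, "type": "auth_failure", "host": "web1", "user": "alice", "src_ip": "203.0.113.7", "rule": "brute_force", "blob": "..."},
    {"ts": 20, "type": "auth_failure", "host": "web1", "user": "alice", "src_ip": "203.0.113.7", "rule": "brute_force"},
    {"ts": 55, "type": "auth_failure", "host": "web2", "user": "alice", "src_ip": "203.0.113.7", "rule": "brute_force"},
    {"ts": 900, "type": "auth_failure", "host": "web1", "user": "alice", "src_ip": "203.0.113.7", "rule": "brute_force"},
    {"ts": 910, "type": "new_service", "host": "db1", "user": "SYSTEM", "src_ip": "", "rule": "persistence"},
]

def collector_filter(events):
    """Drop noise before ingestion and project each event down to security-relevant fields."""
    return [{k: e.get(k) for k in KEEP_FIELDS} for e in events if e["type"] not in NOISE_TYPES]

def fake_feed(ip):  # stand-in for a real threat-intel API, constructed for this example
    return "malicious" if ip == "203.0.113.7" else "unknown"

def cached_lookup(cache, feed, indicator, now, ttl=3600):  # cache: indicator -> (verdict, fetched_at)
    hit = cache.get(indicator)
    if hit and now - hit[1] < ttl:
        return hit[0], False          # served from cache, no live call
    verdict = feed(indicator)
    cache[indicator] = (verdict, now)
    return verdict, True              # live call made

def dedupe_into_cases(alerts, window=300):  # same (rule, user, src_ip) within `window` seconds -> one case
    cases = []
    for a in alerts:
        key = (a["rule"], a["user"], a["src_ip"])
        case = next((c for c in cases if c["key"] == key and a["ts"] - c["last_seen"] <= window), None)
        if case is None:
            case = {"key": key, "first_seen": a["ts"], "last_seen": a["ts"], "count": 0, "hosts": set(), "intel": a["intel"]}
            cases.append(case)
        case["count"] += 1
        case["last_seen"] = a["ts"]
        case["hosts"].add(a["host"])
    return cases

def run_pipeline(events, window=300):
    """Filter -> enrich via cache -> dedupe -> prioritize. Returns (cases, number of live feed calls)."""
    alerts, cache, live_calls = collector_filter(events), {}, 0
    for a in alerts:
        a["intel"], live = cached_lookup(cache, fake_feed, a["src_ip"], a["ts"])
        live_calls += int(live)
    cases = dedupe_into_cases(alerts, window)
    for c in cases:
        c["priority"] = "high" if c["intel"] == "malicious" or c["count"] >= 3 else "low"
    return cases, live_calls
```

Five security-relevant alerts become three cases, and the four lookups of the same source IP cost one live feed call.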
CompTIA SecurityX (CAS-005, formerly CASP+) exam tips
- Watch for the BEST or MOST/FIRST qualifier - several plausible answers may all be valid, but SecurityX rewards the choice that is most cost-effective, most defense-in-depth, or correctly sequenced (e.g., BIA before BC/DR, preparation before detection).
- Memorize the quantitative risk formulas cold (SLE = AV x EF, ALE = SLE x ARO) and be ready to compare ALE before vs. after a control to justify it; numeric scenarios are common.
- Expect performance-based questions with real CLI/config snippets (az network nsg, iptables, firewall-cmd, KQL, Terraform, Sysmon) - read the exact flags, ports, and direction (Inbound/Outbound, Allow/Deny) carefully.
- Think like an architect: prefer answers that reduce attack surface, enforce least privilege, segment/isolate, and scale horizontally over point fixes; distrust answers that disable monitoring or expose management interfaces.
- Manage the clock - at ~165 minutes for up to ~90 items, flag long performance-based simulations, answer the quick multiple-choice first, and never leave blanks since there is no penalty for guessing.
Study guide FAQ
Is SecurityX (CAS-005) the same as CASP+?
Yes. SecurityX is the rebranded continuation of CompTIA Advanced Security Practitioner (CASP+). CAS-005 is the current exam version and replaced CAS-004; the rebrand to SecurityX reflects its place in CompTIA's expert-tier Xpert series. Existing CASP+ certifications remain valid.
How is SecurityX scored and what do I need to pass?
There is no published number of correct answers required. The exam is scored on a scaled range and a 750 is passing. It contains up to about 90 questions (a mix of multiple-choice and performance-based simulations) and you have up to 165 minutes. The exam is pass/fail, not graded on a percentage.
What experience should I have before attempting it?
CompTIA recommends at least 10 years of general IT experience with a minimum of 5 years of hands-on technical security experience. It is an advanced practitioner-level exam aimed at senior security engineers and architects, so prior knowledge equivalent to Security+ and CySA+ is assumed rather than re-tested at the basic level.
What is the difference between SecurityX and CISSP?
SecurityX is hands-on and technical, emphasizing engineering, architecture, and operations with performance-based labs, and has no formal experience prerequisite to sit the exam. CISSP (ISC2) is broader and more managerial across eight domains and requires five years of cumulative paid work experience to be fully certified. Many practitioners use SecurityX to validate deep technical implementation skill.