Free CompTIA SecurityX (formerly CASP+) (CAS-005) Practice Questions
Test your knowledge with 31 free exam-style questions
CAS-005 Exam Facts
- Questions: 65
- Passing score: 720/1000
- Duration: 130 min
Frequently Asked Questions
These 20 sample questions let you experience the exact format, difficulty, and question styles you'll encounter on exam day. Use them to identify knowledge gaps and decide if our full practice exam package is right for your preparation strategy.
Our questions mirror the actual exam format, difficulty level, and topic distribution. Each question includes detailed explanations to help you understand the concepts.
The full package includes 7 complete practice exams with 455+ unique questions, detailed explanations, progress tracking, and lifetime access.
Yes! Our CAS-005 practice questions are regularly updated to reflect the latest exam objectives and question formats. All questions align with the current 2026 exam blueprint.
Sample CAS-005 Practice Questions
Browse all 31 free CompTIA SecurityX (formerly CASP+) practice questions below.
A security architect is designing a Zero Trust architecture for a global enterprise with hybrid cloud infrastructure. The solution must enforce least-privilege access, continuously verify user identity and device health, and eliminate implicit trust. Which combination of controls should the architect implement? (Select TWO)
- Configure VPN with split-tunneling to reduce latency for cloud applications
- Implement microsegmentation with software-defined perimeters to enforce granular network access controls
- Implement perimeter firewall with DMZ for external-facing services
- Deploy identity-aware proxy with continuous authentication and adaptive access policies
- Deploy network access control (NAC) with 802.1X authentication at the edge
A security architect is designing a public key infrastructure (PKI) for a multinational organization that requires certificate issuance across multiple geographic regions. The solution must support certificate lifecycle management, automated renewal, hardware security module (HSM) integration for root CA protection, and OCSP for real-time revocation checking. Which PKI architecture best meets these requirements?
- Two-tier PKI with offline root CA protected by HSM, online issuing CAs in each region, OCSP responders for each issuing CA, and automated certificate management via ACME protocol
- Single-tier PKI with one root CA performing all issuance functions, CRL distribution via CDN, and manual certificate renewal processes
- Cloud-based PKI as a Service with certificates stored in cloud HSM and DNS-based revocation checking
- Three-tier PKI with offline root CA, intermediate policy CAs, and issuing CAs, using only CRL for revocation checking
An organization is implementing a SOAR platform to automate incident response workflows. The security operations team needs to integrate the SOAR solution with existing SIEM, EDR, firewall, and ticketing systems. Which capabilities should the security architect prioritize when selecting a SOAR platform? (Select TWO)
- RESTful APIs and extensive integration library supporting common security tools and IT systems
- Pre-built playbooks for common incident types and threat scenarios with customization capabilities
- Proprietary scripting language exclusive to the SOAR vendor
- On-premises deployment only to prevent cloud data exposure
- Built-in machine learning for automatically generating new playbooks without human input
A DevSecOps team is implementing container security for a Kubernetes cluster running microservices in production. The security architect needs to implement defense-in-depth controls throughout the container lifecycle. Which combination of security controls provides the most comprehensive protection? (Select TWO)
- Disabling all network policies to improve application performance and eliminate connectivity issues
- Storing container image secrets and API keys in container environment variables without encryption
- Running all containers as root user to ensure administrative access for debugging and troubleshooting
- Image scanning in CI/CD pipeline with policy enforcement blocking vulnerable images, runtime security monitoring for anomalous container behavior, and regular image updates
- Pod Security Standards enforcing restricted policy, network policies implementing microsegmentation, and read-only root filesystems for containers
A security engineer is implementing cryptographic controls for a healthcare application that must comply with HIPAA requirements. The application stores protected health information (PHI) in a database and transmits data to external partners. Which cryptographic implementation best meets regulatory and security requirements?
- Symmetric encryption with shared keys distributed via email, HTTP for partner data exchange, and database-level encryption only
- MD5 hashing for passwords, SSL 3.0 for data transmission, and DES encryption for database fields
- Custom encryption algorithm developed in-house, proprietary key exchange protocol, and encryption only for backups
- AES-256-GCM for data at rest with HSM-managed keys, TLS 1.3 with Perfect Forward Secrecy for data in transit, and field-level encryption for particularly sensitive PHI elements
An organization is implementing Infrastructure as Code (IaC) using Terraform for cloud resource provisioning. The security team needs to integrate security controls into the IaC workflow. Which security practices should be implemented? (Select TWO)
- Grant all developers full administrative access to cloud accounts to enable faster troubleshooting
- Hardcode cloud credentials directly in Terraform configuration files to simplify deployment processes
- Implement policy as code using tools like Open Policy Agent (OPA) or HashiCorp Sentinel to enforce security policies before infrastructure deployment
- Disable all pre-deployment validation checks to speed up infrastructure provisioning
- Store Terraform state files in version control with encryption, use remote state backends with state locking, and implement state file access controls
A security architect is designing an automated security testing strategy for a CI/CD pipeline. The development team releases code multiple times per day, and the security team needs to identify vulnerabilities without blocking development velocity. Which combination of automated security testing tools should be integrated into the pipeline? (Select TWO)
- Software Composition Analysis (SCA) to identify known vulnerabilities in third-party dependencies and open source libraries
- Disabling all security testing during development and performing comprehensive testing only in production
- Manual penetration testing performed by security consultants for every code commit
- Comprehensive security review meetings requiring all stakeholders to approve each deployment
- Static Application Security Testing (SAST) integrated into the build phase to analyze source code for security vulnerabilities
An enterprise security team is implementing a hardware security module (HSM) cluster for cryptographic key management across multiple applications. The HSM solution must provide high availability, support for various cryptographic operations, and compliance with FIPS 140-2 Level 3. What architectural considerations are most important for this implementation?
- Deploy HSMs in high-availability cluster configuration with N+1 redundancy, implement load balancing across HSMs, establish secure key backup and recovery procedures, and integrate with applications via PKCS#11 or cryptographic APIs
- Use software-based key management with database storage to avoid HSM cost and complexity
- Deploy a single HSM appliance, store all cryptographic keys on the HSM, and provide direct network access to all applications
- Export all private keys from HSM to application servers for better performance, use HSM only for initial key generation
A cloud security architect is designing secure API authentication and authorization for microservices running in Kubernetes. The architecture must support service-to-service authentication, fine-grained access control, and zero-trust networking principles. Which approach best implements these requirements?
- Use shared API keys distributed to all microservices via environment variables, implement IP-based access control lists, and store user credentials in a shared database
- Implement VPN for all service communication, use session-based authentication with sticky sessions, and centralize all authorization logic in a monolithic gateway
- Allow all internal service-to-service communication without authentication, use basic authentication for user access, and implement role-based access control in each application
- Implement service mesh (Istio/Linkerd) with mutual TLS (mTLS) for service-to-service encryption and authentication, use JSON Web Tokens (JWT) for user authentication, integrate with external identity provider via OAuth 2.0/OIDC, and implement policy-based authorization with OPA
A security engineer needs to implement automated vulnerability patching for a fleet of 5,000+ servers across multiple cloud regions. The solution must minimize downtime, support rollback capabilities, and provide compliance reporting. Which strategy should be implemented?
- Deploy all patches immediately to all servers simultaneously without testing, disable rollback mechanisms to prevent users from reverting changes
- Manually patch servers one at a time, schedule all patching during business hours for maximum visibility, skip backups to save time, and document patching in spreadsheets
- Wait for vendors to notify the organization about required patches, apply only critical patches while ignoring moderate severity issues
- Implement patch management automation using AWS Systems Manager Patch Manager or Azure Update Management, deploy patches using maintenance windows with rolling deployment strategy, implement automated pre-patch snapshots for rollback, and integrate with SIEM for compliance reporting
A security architect is implementing post-quantum cryptography preparations for an organization's long-term data protection strategy. Some encrypted data must remain confidential for 30+ years. Which approach best addresses the quantum computing threat to current cryptographic systems?
- Implement custom quantum-resistant algorithms developed by internal cryptography team
- Continue using RSA-2048 and AES-128 without changes, assuming quantum computers won't be practical for decades
- Increase key sizes for existing algorithms (RSA-16384, AES-512) to provide quantum resistance
- Implement cryptographic agility to support algorithm transitions, adopt NIST post-quantum cryptography standardized algorithms (ML-KEM, ML-DSA, SLH-DSA), use hybrid encryption combining classical and post-quantum algorithms during transition, and prioritize re-encryption of long-term sensitive data
An organization is implementing secrets management for a cloud-native application with multiple microservices. The solution must support secret rotation, access auditing, and integration with CI/CD pipelines. Which secrets management approach should be implemented? (Select TWO)
- Use a single shared master password for all services, distributed via documentation wiki
- Implement short-lived credentials with automatic rotation, use application identity (service accounts, managed identities) for authentication, and integrate secrets injection into pod initialization
- Store all secrets in environment variables within container images and version control for easy deployment
- Hardcode database passwords and API keys directly in application source code for simplicity
- Deploy a dedicated secrets management platform like HashiCorp Vault or AWS Secrets Manager with dynamic secrets generation and automated rotation policies
A security engineer is implementing secure CI/CD pipeline controls for a financial services application. The pipeline must enforce code signing, artifact integrity verification, and supply chain security. Which controls should be implemented? (Select TWO)
- Download dependencies from random public repositories without verification to get latest versions
- Allow developers to manually modify production artifacts after automated builds to fix urgent issues
- Implement software bill of materials (SBOM) generation for all builds, sign container images and artifacts with sigstore/cosign, and enforce signature verification before deployment
- Use immutable build artifacts stored in artifact repository with access controls, implement admission controllers in Kubernetes to enforce image policies, and maintain cryptographic checksums for build verification
- Disable all code signing requirements to speed up deployment velocity
A security architect is designing endpoint detection and response (EDR) deployment for 10,000+ endpoints across multiple operating systems (Windows, macOS, Linux). The solution must support behavioral analysis, threat hunting, and automated response capabilities. What deployment considerations are most important?
- Install traditional antivirus only on Windows systems, manually deploy software on each endpoint, disable automatic updates to maintain version consistency
- Implement network-based intrusion detection only without endpoint agents to avoid endpoint performance impact
- Deploy EDR in detection-only mode without any automated response capabilities, require manual analyst intervention for every alert
- Deploy EDR agents using centralized endpoint management tools, implement behavioral monitoring with machine learning-based anomaly detection, establish threat hunting workflows and runbooks, configure automated response playbooks for high-confidence threats, and integrate EDR telemetry with SIEM
An organization is implementing security automation for cloud infrastructure compliance. The security team needs to automatically detect and remediate security misconfigurations across AWS, Azure, and GCP environments. Which approach provides the most comprehensive automated compliance enforcement?
- Deploy automated remediation scripts that immediately delete any non-compliant resources without notification or approval
- Implement compliance scanning only in development environments, assume production will inherit compliant configurations
- Implement Cloud Security Posture Management (CSPM) tools with custom remediation workflows, use cloud-native services (AWS Config, Azure Policy, GCP Policy Intelligence) for continuous compliance monitoring, deploy automated remediation via serverless functions, and integrate with ticketing system for manual approval workflows
- Perform quarterly manual reviews of cloud configurations using spreadsheets, remediate issues during scheduled maintenance windows only
A security engineer is implementing zero trust network access (ZTNA) to replace traditional VPN infrastructure for a remote workforce. The solution must support identity-based access, contextual authentication, and granular application access control. Which architecture best implements zero trust principles?
- Deploy software-defined perimeter (SDP) or ZTNA gateway with identity provider integration, implement continuous authentication with device posture assessment, enforce least-privilege access with application-level segmentation, use encrypted tunnels directly to applications bypassing network access, and implement risk-based adaptive access policies
- Implement traditional VPN with added multi-factor authentication as the only change
- Remove all access controls and allow direct internet exposure of internal applications with strong passwords
- Replace VPN with broader network access firewall rules allowing remote users to access entire internal network
A security operations team is implementing a Security Information and Event Management (SIEM) platform to centralize log collection and correlation across 5,000+ endpoints, network devices, cloud services, and applications. The SIEM must support real-time threat detection, compliance reporting, and forensic investigation. What architectural considerations are most critical for successful SIEM deployment?
- Collect only firewall logs to reduce storage costs, disable all alerting to prevent alert fatigue, and perform log reviews manually once per quarter
- Forward all logs directly to a single centralized database without filtering or normalization
- Store all logs indefinitely without retention policies, create alerts for every single log entry received
- Design for scalable log ingestion with distributed collectors, implement data retention policies balancing compliance requirements with storage costs, create correlation rules for known attack patterns, integrate threat intelligence feeds, and establish log normalization and parsing for diverse log sources
An organization's incident response team is conducting malware analysis on a sophisticated threat detected in the environment. The malware exhibits anti-analysis techniques and requires advanced reverse engineering. Which approach provides the safest and most effective malware analysis? (Select TWO)
- Conduct static analysis using disassemblers and decompilers to reverse engineer malware code, extract indicators of compromise (IoCs), identify malware families through code stylometry and YARA rules, and document malware capabilities without execution
- Forward suspicious files directly to all security analysts' workstations for collaborative analysis
- Execute malware on production systems to observe real-world behavior and impact
- Immediately delete all malware samples without analysis to eliminate the threat
- Perform dynamic analysis in isolated sandbox environment with network simulation, monitor API calls and system changes, capture network traffic, and use anti-anti-analysis techniques to bypass evasion mechanisms
A security architect is implementing a threat intelligence program to enhance detection and response capabilities. The program must support both strategic and tactical threat intelligence consumption. Which combination of threat intelligence capabilities should be implemented? (Select TWO)
- Subscribe to industry-specific threat intelligence sharing communities (ISACs/ISAOs), participate in dark web monitoring for credential leaks and emerging threats, and conduct regular threat actor profiling and attribution analysis
- Ignore external threat intelligence and rely only on internal telemetry for threat detection
- Integrate Threat Intelligence Platform (TIP) with automated IoC ingestion from STIX/TAXII feeds, correlation with internal security events, and distribution to security controls (SIEM, EDR, firewall)
- Rely exclusively on public threat intelligence without validation or contextualization for the organization
- Share all internal security incidents and IoCs publicly without sanitization or analysis
A security operations center (SOC) is experiencing alert fatigue with 10,000+ daily alerts, of which 95% are false positives. The SOC team needs to improve alert quality and analyst efficiency. Which strategies should be implemented to address this challenge?
- Disable all automated alerts and rely on manual log review by analysts to identify security incidents
- Implement alert tuning and threshold optimization to reduce false positives, use SOAR playbooks for automated triage and enrichment, establish alert prioritization based on risk scoring, and create feedback loops for continuous detection improvement
- Increase SOC staffing proportionally to handle all alerts without optimizing detection logic
- Set all security alerts to the lowest priority and investigate only when time permits
An organization is implementing a formal incident response plan compliant with NIST SP 800-61. The plan must define clear phases, roles, and procedures for handling security incidents. Which components are essential for an effective incident response program? (Select TWO)
- Establish incident response team with defined roles (Incident Commander, Technical Leads, Communications), document on-call rotation and availability, integrate with legal and public relations teams, and conduct regular tabletop exercises and simulations
- Delay incident response until complete information is available to avoid premature actions
- Exclude executive leadership from incident response to avoid distractions during technical work
- Define incident classification schema with severity levels, establish escalation procedures and communication plans, document containment and eradication procedures, and create post-incident review process for lessons learned
- Handle all incidents in ad-hoc manner without documented procedures to maintain flexibility
A security architect is implementing a comprehensive governance, risk, and compliance (GRC) framework for a financial services organization. The framework must align with multiple regulatory requirements including PCI-DSS, SOX, and GLBA. What approach provides effective GRC implementation?
- Create separate compliance programs for each regulation without integration, perform compliance assessments only annually before audits, maintain compliance documentation in spreadsheets
- Implement maximum controls regardless of risk assessment to ensure complete coverage
- Deploy integrated GRC platform with unified control framework mapping to multiple regulations, implement continuous compliance monitoring with automated evidence collection, establish risk register with regular assessment cycles, create security policies aligned with NIST CSF 2.0 Govern function, and implement third-party risk management program
- Focus exclusively on passing audits without implementing actual security controls, treat compliance as IT-only concern without business involvement
An organization is conducting a comprehensive third-party risk assessment for cloud service providers and critical vendors. The assessment must evaluate security posture, compliance, and ongoing risk monitoring. Which assessment activities should be prioritized? (Select TWO)
- Request SOC 2 Type II reports, ISO 27001 certification, and penetration test results; conduct security questionnaire assessments using standardized frameworks (SIG, CAIQ); review data handling, encryption, and access controls
- Implement continuous monitoring with security ratings services, establish contractual security requirements and SLAs, require notification of security incidents and breaches, conduct periodic reassessments based on risk tier, and review vendor business continuity and disaster recovery capabilities
- Accept vendor self-attestations without verification or independent validation
- Focus assessment exclusively on initial vendor selection without ongoing monitoring
- Share all organizational data with vendors before completing security assessment
A security leader is developing security policies, standards, procedures, and guidelines for an enterprise organization following the NIST SP 800-53 framework. What is the correct relationship and hierarchy between these governance documents?
- Only policies are needed; standards, procedures, and guidelines are unnecessary overhead
- Policies provide high-level requirements and management intent, Standards define mandatory specifications and baselines, Procedures document step-by-step implementation instructions, Guidelines offer recommended practices with flexibility
- All governance documents have equal authority and can contradict each other without resolution
- Procedures define strategic direction while policies provide technical implementation details
An organization is implementing a risk management program following the NIST Risk Management Framework (RMF). The security team needs to conduct risk assessments for critical systems. Which risk assessment methodology components should be included? (Select TWO)
- Determine existing security controls and their effectiveness, calculate residual risk after controls, identify risk treatment options (accept, mitigate, transfer, avoid), and document risk register with risk owners and treatment plans
- Accept all identified risks without treatment plans to avoid implementation costs
- Conduct risk assessments only once during initial system authorization without ongoing assessment
- Implement all possible security controls regardless of risk level to achieve maximum security
- Identify assets and classify based on criticality and data sensitivity, identify threats using threat intelligence and attack frameworks (MITRE ATT&CK), assess vulnerabilities through scanning and penetration testing, and calculate inherent risk as likelihood × impact
A chief information security officer (CISO) is presenting the security program to the board of directors. The presentation must communicate cyber risk in business terms and demonstrate security program effectiveness. Which metrics and communication approaches are most appropriate for board-level reporting?
- Report only positive security metrics while omitting challenges and risks to avoid concern
- Focus exclusively on compliance checkboxes without discussing actual risk or security effectiveness
- Provide detailed technical vulnerability scan results and individual CVE numbers without business context
- Present risk in business impact terms (financial loss, operational disruption, reputation), report on risk reduction trend over time, compare security posture to industry benchmarks, highlight compliance status with regulatory requirements, and recommend budget for critical risk mitigation initiatives with ROI justification
An organization is implementing a data classification program to support data protection and compliance requirements (GDPR, CCPA, HIPAA). The program must define classification levels, handling requirements, and integration with security controls. Which approach provides effective data classification implementation?
- Implement data classification labels without integration to security controls or enforcement
- Allow each employee to self-determine classification levels without guidance or criteria
- Classify all organizational data as highly confidential and apply maximum security controls universally
- Define classification levels (Public, Internal, Confidential, Restricted) with clear criteria, document handling requirements for each level (storage, transmission, access, retention, disposal), integrate classification with DLP and encryption tools, establish data owners responsible for classification decisions, and provide training and labeling tools for users
A security team is implementing business continuity and disaster recovery (BC/DR) planning for critical systems following industry best practices. The plan must ensure operational resilience and meet Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements. Which components are essential for effective BC/DR implementation? (Select TWO)
- Define same RTO and RPO for all systems regardless of business criticality
- Implement technical recovery capabilities (backups, replication, failover), test recovery procedures through regular exercises and simulations, maintain updated recovery documentation and runbooks, establish alternate processing sites based on RTO requirements, and integrate BC/DR with incident response
- Store all backups on-site only to ensure fast recovery access
- Create BC/DR plans but never test them to avoid disrupting operations
- Conduct Business Impact Analysis (BIA) to identify critical systems and acceptable downtime, define RTO/RPO for each critical system based on business requirements, establish dependencies and recovery sequencing, and prioritize recovery efforts based on criticality
An organization operates in a highly regulated industry and must demonstrate compliance with multiple security frameworks (NIST CSF, ISO 27001, CIS Controls). The security team wants to optimize compliance efforts. What approach provides efficient multi-framework compliance?
- Implement unified control framework mapping common controls across multiple frameworks, use single GRC platform for centralized evidence collection and reporting, maintain control implementation documentation that addresses overlapping requirements, and leverage automation to generate framework-specific compliance reports from common evidence repository
- Implement completely separate and independent security controls for each framework without integration
- Achieve compliance through documentation only without implementing actual security controls
- Select single framework and ignore all others to simplify compliance efforts
A security architect is implementing a security awareness training program that must address human risk factors and comply with regulatory training requirements. The program must be engaging, measurable, and demonstrate behavioral change. Which components provide an effective security awareness program?
- Implement punitive measures for all users who fail simulated phishing tests without education
- Require all employees to watch single 60-minute annual compliance video without assessment or follow-up
- Focus security training exclusively on technical staff, assuming non-technical users don't need awareness
- Implement role-based training with specialized content for different job functions, conduct simulated phishing campaigns with positive reinforcement coaching, provide engaging content (videos, gamification, micro-learning), measure training effectiveness through knowledge assessments and behavioral metrics, and deliver regular refresher training beyond annual compliance
An organization is implementing privacy controls to comply with GDPR and CCPA requirements for personal data protection. The privacy program must address data subject rights, consent management, and cross-border data transfers. Which privacy controls should be prioritized? (Select TWO)
- Ignore data subject access requests and assume users won't exercise their rights
- Implement data mapping and inventory to identify personal data locations and flows, establish data subject rights request procedures (access, deletion, portability), implement consent management platform for lawful basis tracking, and conduct Data Protection Impact Assessments (DPIA) for high-risk processing
- Collect all possible personal data without limitation and retain indefinitely for potential future use
- Implement purpose limitation and data minimization principles, establish retention schedules with automated deletion, use encryption and pseudonymization for personal data protection, implement Standard Contractual Clauses (SCC) for international transfers, and appoint Data Protection Officer (DPO) if required
- Transfer personal data internationally without any legal mechanisms or safeguards