CompTIA · CAS-005

CompTIA SecurityX (CAS-005) Practice Test

CompTIA SecurityX (formerly CASP+) is an advanced-level cybersecurity certification for senior security engineers and architects that validates the ability to design, implement, and integrate secure solutions across complex enterprise environments. It covers governance, risk, compliance, security architecture, engineering, and operations.

Exam Details

Questions

599

Duration

165 minutes

Passing Score

Pass/Fail

Difficulty

Professional

Last Updated

Apr 2026

Topics Covered

Governance, Risk, and ComplianceSecurity ArchitectureSecurity EngineeringSecurity OperationsCloud and Hybrid Environment SecurityCryptographic TechnologiesIncident Response and Threat Hunting

CompTIA SecurityX (CAS-005) Practice Exam Preparation

Use this CAS-005 practice exam to prepare for CompTIA SecurityX (CAS-005) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 599 questions for CompTIA CAS-005, so you can review the exam steadily instead of relying on one long cram session.

As you practice, pay extra attention to recurring topics such as Governance, Risk, and Compliance, Security Architecture, Security Engineering, Security Operations, and Cloud and Hybrid Environment Security. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.

The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.

Exam Domain Breakdown

Security Engineering31%

Security Architecture27%

Security Operations22%

Governance, Risk, and Compliance20%

Exam Overview

CompTIA SecurityX (CAS-005), launched on December 17, 2024, is the successor to CompTIA CASP+ (CAS-004) and represents the capstone certification in the CompTIA Cybersecurity Career Pathway. It validates advanced technical skills required to conceptualize, engineer, integrate, and implement secure solutions across complex enterprise environments — encompassing security architecture, engineering, operations, and governance, risk, and compliance. The certification is vendor-neutral, ANSI-accredited to ISO 17024 standards, and approved under DoD 8140/8570 as a baseline for IAT Level III, IAM Level II, and IASAE Levels I and II.

Unlike many cybersecurity certifications that focus on managing security programs, SecurityX emphasizes hands-on technical depth. Candidates must demonstrate proficiency in designing hybrid and multi-cloud secure architectures, applying advanced cryptographic technologies, automating security operations, and leading incident response across enterprise-scale environments. The exam also addresses the security implications of emerging technologies such as artificial intelligence, containerization, and CI/CD pipelines.

Official exam page

Who Should Take This Exam

SecurityX is designed for senior security engineers and security architects who are responsible for designing, implementing, and managing security solutions rather than simply administering them. Ideal candidates typically hold roles such as Security Architect, Senior Security Engineer, Security Operations Lead, Security Integration Engineer, or Systems Requirements Planner.

The certification is also aligned with multiple NICE Cybersecurity Workforce Framework work roles and DoD 8140 positions, making it particularly relevant for professionals in government, defense contracting, and federal agency environments. Candidates should have substantial hands-on experience and be operating at a level where they are making architectural decisions and leading security initiatives, not just executing them.

Prerequisites

CompTIA does not enforce formal prerequisites for CAS-005, but recommends a minimum of 10 years of general hands-on IT experience, including at least 5 years of hands-on technical security experience. Candidates are expected to possess knowledge equivalent to CompTIA Network+, Security+, CySA+, Cloud+, and PenTest+ — either through those certifications or equivalent professional experience.

In practice, candidates who attempt SecurityX without a strong foundation in network security, cryptography, cloud infrastructure, and security operations often find the exam extremely challenging. Professionals who have already earned Security+ and CySA+ (or CISSP/equivalent) and are working in senior technical security roles are the most common and well-prepared candidates.

Exam Format

The CAS-005 exam consists of a maximum of 90 questions, delivered in a maximum of 165 minutes. Question types include both multiple-choice and performance-based questions (PBQs), where candidates must interact with simulated environments or scenarios to demonstrate applied skills. The exam is available in English via online proctoring through Pearson VUE's OnVUE platform or at a physical Pearson VUE testing center.

The exam uses a pass/fail grading model — no scaled score is reported. CompTIA does not publish a numeric passing threshold for SecurityX; candidates simply receive a pass or fail result. The certification is valid for three years and can be renewed through CompTIA's Continuing Education (CE) program by earning 75 CEUs within the three-year cycle.

Skills Measured

1.Security Engineering (31%): Applies secure configurations and integrates security solutions across enterprise systems, including cloud-native and hybrid architectures, containers, CI/CD pipelines, and infrastructure-as-code. Covers PKI, cryptographic protocol selection, key management, and the security implications of AI and emerging technologies.
2.Security Architecture (27%): Designs secure network and system architectures for complex environments including on-premises, cloud, and hybrid. Addresses zero trust principles, network segmentation, identity federation, CASB, shadow IT detection, shared responsibility models, and integration of security controls across multi-vendor ecosystems.
3.Security Operations (22%): Supports continuous security operations through automation, monitoring, threat hunting, and incident response. Covers SIEM/SOAR integration, vulnerability management, digital forensics, log analysis, and coordinating response activities across enterprise and third-party stakeholders.
4.Governance, Risk, and Compliance (20%): Addresses enterprise risk management frameworks, regulatory compliance (GDPR, HIPAA, CMMC, FedRAMP), third-party risk, security policy development, privacy requirements, and aligning security programs with business objectives and legal obligations.

Study Tips

Download and study the official CAS-005 Exam Objectives document from CompTIA's website — it lists every domain, sub-domain, and example topic tested, and should serve as your primary study outline.
Use CompTIA's official CertMaster Learn and CertMaster Labs for CAS-005, as the labs simulate performance-based question scenarios directly comparable to what appears on the exam.
Focus heavily on Security Engineering (31%) and Security Architecture (27%), which together account for 58% of the exam. Prioritize hands-on practice with cloud security configurations, cryptographic implementations, and zero trust architecture design.
Practice performance-based questions (PBQs) extensively — these scenarios require you to configure, analyze, or troubleshoot within simulated environments and cannot be answered through memorization alone. Third-party practice platforms like PocketPrep or Jason Dion's Udemy course include PBQ-style questions.
Study DoD 8140 work role mappings and NICE Cybersecurity Workforce Framework alignment for SecurityX, as understanding these frameworks helps contextualize exam scenarios related to governance, compliance, and security architecture roles.
Review real-world case studies involving enterprise security architecture decisions — the exam tests judgment and design rationale, not just technical facts. Focus on scenarios involving cloud migrations, zero trust implementations, and incident response at scale.
If you hold an active CASP+ (CAS-004), review what changed in CAS-005: expanded AI/ML security topics, updated cloud security coverage, and deeper coverage of automation and DevSecOps are key additions that may not be in older study materials.

Career Benefits

SecurityX holders command some of the highest salaries in the CompTIA certification portfolio. The average reported salary for SecurityX practitioners is approximately $165,000, with security architects and senior security engineers typically earning between $155,000 and $200,000+ depending on sector and geography. The certification's DoD 8140/8570 approval makes it a direct pathway to roles within federal agencies and defense contractors — organizations including General Dynamics, Booz Allen Hamilton, and Leidos actively seek candidates with this credential.

As the capstone of the CompTIA Cybersecurity Career Pathway, SecurityX is positioned above Security+, CySA+, and PenTest+ and signals to employers that a candidate operates at the architect and integrator level rather than the analyst or administrator level. Compared to alternatives like CISSP (which is management-focused) or OSCP (which is offense-focused), SecurityX occupies a distinct niche as a hands-on, vendor-neutral credential validating advanced defensive architecture and engineering skills. Employers in both the public and private sectors — including Target, Ricoh, and Exxon Mobil — recognize the certification for senior technical security hiring.

Sample Questions

5 sample questions with answers and explanations. Start a practice session to test yourself across all 599 questions.

Preview — answers shown

1. Northwind's incident response team needs to collect volatile evidence from a compromised Windows server. Which order of data collection follows the correct order of volatility from most to least volatile? (Select one!)

ARunning processes → RAM contents → Hard disk data → Remote logging data

BCPU registers and cache → RAM contents → Network connections → Running processes → Disk data

CHard disk data → Running processes → Network connections → CPU registers and cache

DNetwork connections → RAM contents → Running processes → Disk data → Backup archives

Explanation

The correct order of volatility from most to least volatile is: CPU registers/cache → RAM/memory → Network state/connections → Running processes → Disk data → Remote logs/archival media. Data should be collected in this order because the most volatile data is lost first when a system is powered down or reboots. All other sequences collect less volatile data before more volatile data, risking evidence loss.

2. Contoso's vulnerability management team is overwhelmed with 15,000 identified CVEs. The CISO wants a risk-based prioritization strategy using CVSS v4.0 scores, EPSS probability data, and the CISA KEV catalog. Which approach provides the most effective prioritization strategy? (Select one!)

APrioritize all CVEs with CVSS scores above 7.0 regardless of other contextual factors

BFocus exclusively on vulnerabilities in the CISA KEV catalog as the only reliable signal

CCombine CVSS severity with EPSS exploitation probability, prioritizing KEV catalog entries first and then high EPSS score vulnerabilities

DUse EPSS scores exclusively since they represent forward-looking exploitation likelihood

Explanation

Effective vulnerability prioritization requires combining multiple signals: CVSS provides technical severity (impact if exploited), EPSS provides the probability of exploitation in the next 30 days on a 0-to-1 scale, and the CISA KEV catalog identifies vulnerabilities with confirmed active exploitation requiring immediate action. Best practice prioritizes KEV entries first (actively exploited), then vulnerabilities with high CVSS scores combined with high EPSS scores. CVSS alone ignores exploitation probability and has been criticized for scoring inflation. EPSS alone ignores business impact. Focusing only on KEV misses emerging threats. SSVC provides organizational decision framework as an additional layer.

3. Tailspin Toys is implementing a Privileged Access Management (PAM) solution to secure administrative access to critical infrastructure. The security architect wants to minimize standing privileges and implement just-in-time access for system administrators. Which PAM capability best addresses this requirement? (Select one!)

ACredential vaulting with automated password rotation for shared administrative accounts

BSession recording and monitoring of all privileged sessions for compliance auditing

CDual control requiring two administrators to jointly approve and initiate privileged sessions

DJust-in-time (JIT) privilege elevation granting temporary administrative access only when needed with automatic revocation

Explanation

Just-in-time (JIT) privilege elevation directly addresses the requirement to minimize standing privileges by granting administrative access only when needed for a specific task and time period, then automatically revoking it afterward. This eliminates permanently elevated privileges, dramatically reducing the attack surface. Credential vaulting secures privileged credentials and prevents exposure but does not eliminate standing privilege assignments. Session recording provides valuable audit capabilities but does not reduce the duration or scope of privilege grants. Dual control adds approval workflows but does not inherently limit the time window of privilege assignment the way JIT access does. JIT access enforces least privilege on a temporal basis, which is foundational to privileged access security.

4. Fabrikam's application security team is implementing security testing throughout the Software Development Lifecycle (SDLC). They need to distinguish between different testing approaches. Which of the following correctly describes the differences between IAST and RASP technologies? (Select one!)

AIAST is Interactive Application Security Testing that instruments applications during testing to identify vulnerabilities; RASP is Runtime Application Self-Protection that actively protects running applications from attacks in production

BIAST runs in production to block attacks; RASP runs during development to find vulnerabilities

CIAST and RASP are identical technologies with different marketing names used by different vendors

DIAST replaces SAST and DAST by combining their capabilities; RASP replaces the need for penetration testing

Explanation

IAST (Interactive Application Security Testing) is a testing technology that instruments applications with sensors during QA and testing phases to analyze code execution in real-time, combining elements of SAST and DAST to identify vulnerabilities with low false positives and provide precise code-level details about vulnerability location. RASP (Runtime Application Self-Protection) is a security protection technology that integrates into applications in production to monitor execution and actively block attacks in real-time by detecting and preventing exploitation attempts as they occur. IAST finds vulnerabilities during testing; RASP protects against attacks during production. The second option reverses their purposes entirely. The third option is incorrect; they are distinct technologies with fundamentally different purposes (testing versus protection). The fourth option is wrong; IAST complements but does not fully replace SAST and DAST since each finds different vulnerability types, and RASP is a protection mechanism rather than a testing approach, so it does not replace penetration testing which validates overall security posture.

5. Fabrikam Financial is presenting cybersecurity risk to the board of directors. The CISO needs to justify a $150,000 annual investment in a new email security platform. Historical data shows the organization experiences an average of 6 successful phishing attacks per year (ARO = 6), with each incident costing an average of $80,000 in remediation, legal fees, and lost productivity (SLE = $80,000). The new platform is projected to reduce successful phishing attacks to 1 per year. What is the Return on Security Investment (ROSI) for this email security platform? (Select one!)

A$150,000

B$230,000

C$330,000

D$250,000

Explanation

The ROSI calculation works as follows: Current ALE (before control) = SLE × ARO = $80,000 × 6 = $480,000 per year Future ALE (after control) = $80,000 × 1 = $80,000 per year ROSI = (ALE_before − ALE_after) − Cost_of_control ROSI = ($480,000 − $80,000) − $150,000 = $400,000 − $150,000 = $250,000 A positive ROSI of $250,000 clearly justifies the investment. The board should be presented with this financial metric rather than technical severity scores. The $230,000 option represents a common error of subtracting only the cost without computing the full ALE difference. The $150,000 option is just the cost of the control itself. The $330,000 option results from an incorrect partial calculation. ROSI is the correct metric for justifying security investments in business terms because it frames security spending as a financial decision with measurable return.

$7.99

One-time access to this exam

Full access to all 599 questions

Or $15/mo for all 253 exams

Detailed explanations

Free preview stays available