
100+ Free SecurityX Practice Questions

Pass your CompTIA SecurityX (CAS-005) exam on the first try — instant access, no signup required.


A security team is evaluating a new threat intelligence platform (TIP). The primary use case is operationalizing threat intel into SIEM detection rules. Which TIP capability is MOST critical for this use case?


Key Facts: SecurityX Exam

  • Launch Date: Dec 2024 (replaced CASP+, CAS-004)
  • Exam Code: CAS-005 (source: CompTIA)
  • Scoring: Pass/Fail (source: CompTIA; no scaled score)
  • Exam Duration: 165 min (source: CompTIA)
  • Exam Fee: $525 USD (source: CompTIA)
  • Certification Validity: 3 years (CompTIA CE program)

CompTIA SecurityX (CAS-005) launched December 2024 as the replacement for CASP+. It covers four domains: Governance/Risk/Compliance (~20%), Security Architecture (~30%), Security Engineering (~25%), and Security Operations (~25%). The exam has approximately 90 multiple-choice and performance-based questions in 165 minutes with pass/fail scoring. Exam fee is $525. Recommended experience: 10+ years IT with 5+ years in security.

Sample SecurityX Practice Questions

Try these sample questions to test your SecurityX exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. A security architect is designing a zero-trust architecture for a hybrid enterprise environment. The organization needs to enforce least-privilege access for privileged accounts accessing both on-premises and cloud workloads. Which combination of controls BEST supports continuous verification in this scenario?
A. Perimeter firewall with VLAN segmentation and privileged account password rotation every 90 days
B. Identity-aware proxy with continuous behavioral analytics, just-in-time access provisioning, and device posture assessment
C. Static RBAC roles assigned per department with quarterly access reviews and MFA at login only
D. VPN with split tunneling, certificate-based authentication, and monthly privilege recertification campaigns
Explanation: Identity-aware proxy combined with continuous behavioral analytics, JIT access provisioning, and device posture assessment directly implements the zero-trust principle: never trust, always verify. This approach enforces least privilege dynamically by granting access only when needed, validates device health, and continuously monitors behavior rather than trusting based on network location or a single login event.

2. An organization is implementing post-quantum cryptography (PQC) to protect long-lived secrets. NIST has finalized several PQC standards. Which algorithm is the PRIMARY NIST-standardized choice for key encapsulation mechanisms (KEM) resistant to quantum attacks?
A. CRYSTALS-Kyber (FIPS 203 / ML-KEM)
B. CRYSTALS-Dilithium (FIPS 204 / ML-DSA)
C. SPHINCS+ (FIPS 205 / SLH-DSA)
D. FALCON (FN-DSA)
Explanation: CRYSTALS-Kyber, standardized as ML-KEM in FIPS 203, is NIST's primary choice for key encapsulation mechanisms in the post-quantum era. It is based on the Module Learning With Errors (MLWE) problem and is designed specifically for establishing shared secrets, replacing RSA and ECDH for key exchange.

3. A threat hunter discovers anomalous outbound connections from a bastion host that correlate with MITRE ATT&CK technique T1572 (Protocol Tunneling). The traffic appears to be DNS queries with unusually large TXT record responses. Which BEST describes the threat and the most effective detection control?
A. DNS cache poisoning attack; deploy DNSSEC on all authoritative servers to validate response integrity
B. DNS tunneling C2 channel; deploy DNS traffic analytics to baseline query volume, entropy, and TXT record sizes per internal host
C. BGP hijacking using DNS as a decoy; implement route origin validation (ROV) with RPKI to reject invalid prefixes
D. DNS amplification DDoS; configure response rate limiting (RRL) on recursive resolvers and block open resolvers
Explanation: T1572 Protocol Tunneling via DNS (often called DNS tunneling) is a technique where adversaries encode C2 data in DNS query/response fields, particularly TXT records. The detection control is DNS traffic analytics that baselines per-host query rates, payload entropy (high entropy indicates encoded data), and anomalous TXT record sizes. This allows detection of the encoding pattern without needing to decrypt the tunnel.

4. An enterprise CISO must align security investments with the NIST Cybersecurity Framework (CSF) 2.0. The board requests a metric demonstrating resilience improvement. Which metric BEST maps to the CSF 2.0 'Recover' function and would be most meaningful to board-level stakeholders?
A. Mean Time to Detect (MTTD) measured in hours across all SIEM alert categories
B. Reduction in vulnerability scan findings after each quarterly patch cycle
C. Mean Time to Recover (MTTR) for critical business services following a declared security incident
D. Number of security awareness training completions per quarter normalized by headcount
Explanation: Mean Time to Recover (MTTR) for critical business services directly measures the effectiveness of the CSF 2.0 Recover function, which focuses on timely restoration of capabilities after a cybersecurity incident. Board-level stakeholders understand business continuity impact; MTTR in hours/days for revenue-generating services translates security investment directly into operational resilience.

5. A DevSecOps team is embedding security into a CI/CD pipeline for a containerized microservices application. To prevent supply chain attacks, which control provides the MOST comprehensive protection against malicious code introduced through third-party dependencies?
A. Static application security testing (SAST) on first-party code only at the pre-commit stage
B. Software Composition Analysis (SCA) with SBOM generation, dependency pinning, and verified signature checks against a curated artifact registry
C. Container image scanning with CVE database lookups executed at deployment time only
D. Network policy enforcement using Kubernetes NetworkPolicy objects to restrict pod-to-pod communication
Explanation: Software Composition Analysis with SBOM generation provides a complete inventory of all dependencies. Combining SCA with dependency pinning (lockfiles), artifact signature verification (e.g., Sigstore/cosign), and a curated internal registry ensures that only vetted, signed versions of dependencies are used, directly addressing supply chain injection attacks. The SBOM also enables rapid impact assessment when new vulnerabilities are disclosed.

6. A SOC analyst is investigating a potential lateral movement event. eBPF-based telemetry shows a process on a Linux host making unexpected syscalls: ptrace() on a remote process followed by mmap() with PROT_EXEC. Which MITRE ATT&CK technique does this MOST likely indicate, and what is the appropriate containment action?
A. T1055 Process Injection via ptrace; isolate the host at the network layer and collect a memory forensic image before terminating the injected process
B. T1003 OS Credential Dumping via /proc/mem; rotate all credentials on the affected system and rescan with EDR
C. T1059 Command and Scripting Interpreter; block the shell binary hash in the EDR policy and rescan
D. T1134 Access Token Manipulation; revoke the process token and restart the affected service
Explanation: ptrace() combined with mmap(PROT_EXEC) on a remote PID is the classic Linux ptrace process injection technique (T1055.008). The attacker attaches to a running process, maps executable memory, and writes shellcode. Proper containment: isolate the host to prevent C2 or lateral movement, then collect a memory image (e.g., with Volatility) before terminating the process to preserve forensic evidence of the injected payload and its origin.

7. An organization is deploying a SOAR platform to automate incident response. A playbook must handle a phishing alert that may involve credential harvesting. Which automated action sequence is MOST appropriate while preserving human oversight for high-risk decisions?
A. Auto-remediate by disabling the user account, blocking the sender domain at the email gateway, and closing the ticket without analyst review
B. Enrich the alert with threat intel (VirusTotal, WHOIS), extract IOCs, query SIEM for other affected users, auto-quarantine the email across all mailboxes, auto-reset the user's MFA, then page an analyst for account disablement decision
C. Immediately quarantine the endpoint, wipe and reimage, then notify the user of the action taken after completion
D. Forward the alert to the help desk queue with no automated actions and wait for manual triage
Explanation: This sequence follows the principle of automating safe, reversible enrichment and containment actions (email quarantine across mailboxes, IOC extraction, SIEM correlation) while escalating irreversible high-impact decisions (account disablement) to a human analyst. This balances speed in containing the immediate threat with oversight for actions that affect user productivity and may be false positives.

8. During a third-party risk assessment, a critical SaaS vendor cannot provide SOC 2 Type II reports and instead offers self-attestation questionnaires. The vendor processes PII covered by GDPR. Which risk treatment is MOST appropriate?
A. Accept the risk and proceed with the vendor relationship given business need, documenting the decision in the risk register
B. Require the vendor to complete a compensating controls framework audit within 90 days as a condition of contract, with right-to-audit clauses and SLA penalties for non-compliance
C. Terminate the vendor relationship immediately as GDPR requires all processors to hold SOC 2 Type II certification
D. Perform a manual penetration test of the vendor's infrastructure and accept results as equivalent to SOC 2 Type II
Explanation: When a critical vendor cannot provide third-party assurance (SOC 2 Type II), the appropriate response is to contractually require a path to independent validation with right-to-audit provisions and financial penalties. This addresses the GDPR Article 28 requirement for appropriate technical and organizational measures from processors while maintaining the business relationship under a defined risk remediation timeline.

9. A network engineer must secure BGP peering sessions between autonomous systems to prevent route hijacking. Which combination of controls provides the MOST comprehensive defense against both BGP prefix hijacking and path manipulation attacks?
A. MD5 authentication on BGP sessions and AS_PATH prepending to make the organization's routes less attractive
B. Resource Public Key Infrastructure (RPKI) with Route Origin Validation (ROV), BGP session authentication via TCP-AO, and BGPsec path validation where supported
C. ACLs on router interfaces restricting BGP traffic to known peer IPs and private AS number filtering
D. OSPF authentication within the AS combined with route redistribution filtering at the ASBR
Explanation: RPKI with ROV prevents route origin hijacking by cryptographically validating that an AS is authorized to originate a prefix. TCP-AO (TCP Authentication Option) replaces MD5 with stronger HMAC-based authentication for session integrity. BGPsec adds cryptographic validation of the AS_PATH to prevent path manipulation attacks. Together these address the full threat surface: unauthorized origin announcements and tampered routing paths.

10. An organization's OAuth 2.0 implementation allows third-party applications to request the 'openid profile email' scope. A security review finds that refresh tokens are stored in browser localStorage and the authorization server does not enforce token binding. Which attack is MOST feasible and what is the MOST effective mitigation?
A. CSRF on the authorization endpoint; implement state parameter validation and SameSite=Strict cookies on the session cookie
B. Refresh token theft enabling persistent account takeover; store refresh tokens in HttpOnly cookies, implement Demonstrating Proof of Possession (DPoP), and enforce refresh token rotation with detection of concurrent use
C. Clickjacking on the consent screen; add X-Frame-Options DENY header on the authorization server
D. ID token replay across relying parties; enforce audience (aud) claim validation and short expiry on ID tokens
Explanation: Refresh tokens in localStorage are accessible to JavaScript (XSS exfiltration). Combined with no token binding, a stolen refresh token provides persistent access. The mitigation stack: HttpOnly cookies prevent JS access; DPoP cryptographically binds tokens to the client's private key, making stolen tokens unusable; refresh token rotation with concurrent use detection (RFC 6819 threat model) invalidates the entire token family on suspected theft.

About the SecurityX Exam

CompTIA SecurityX (CAS-005) is the expert-level security certification that replaced CASP+ in December 2024. It validates the advanced skills needed to architect, engineer, integrate, and implement secure solutions across complex enterprise environments. SecurityX is approved for DoD 8140 IASAE Level III and IAM Level III roles and is designed for senior security practitioners with 10+ years of experience.

  • Questions: 90 scored questions
  • Time Limit: 165 minutes
  • Passing Score: Pass/Fail
  • Exam Fee: $525 (Pearson VUE)

SecurityX Exam Content Outline

  • Governance, Risk, and Compliance (~20%): Risk quantification (FAIR), regulatory frameworks (GDPR, CCPA, PCI DSS, HIPAA), data classification, security policy, third-party risk, and tabletop exercises
  • Security Architecture (~30%): Zero-trust architecture, cloud security design (CSPM, CASB, SASE), PKI design, network micro-segmentation, hypervisor security, disaster recovery (RTO/RPO), and BCP
  • Security Engineering (~25%): Advanced cryptography, DevSecOps, CI/CD pipeline security, SBOM, supply chain integrity, endpoint protection (TPM, Secure Boot, FDE), IAM, SAML, OAuth 2.0, and API security
  • Security Operations (~25%): Threat hunting, MITRE ATT&CK mapping, SIEM/SOAR automation, EDR behavioral analytics, digital forensics (memory analysis, chain of custody), incident response, and threat intelligence

How to Pass the SecurityX Exam

What You Need to Know

  • Passing score: Pass/Fail
  • Exam length: 90 questions
  • Time limit: 165 minutes
  • Exam fee: $525

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

SecurityX Study Tips from Top Performers

1. Focus on Security Architecture (30%): practice designing zero-trust architectures, evaluating PKI hierarchies, and sizing BCP/DR solutions to specific RTO/RPO targets
2. Master MITRE ATT&CK tactics for Security Operations: map TTPs to detection strategies and know which data sources catch each tactic
3. Learn FAIR quantitative risk modeling: understand how to express residual risk in financial terms for board-level reporting
4. Practice writing SOAR playbooks: understand which automation steps reduce MTTR for high-volume alert categories
5. Know NIST SP 800-53 control families, especially CP (Contingency Planning), IR (Incident Response), SC (System and Communications Protection), and AC (Access Control)
6. Understand the tradeoffs between cryptographic approaches: CMEK vs. provider-managed keys, offline CA design, certificate transparency logs
7. SecurityX rewards applied judgment: for each scenario, ask what provides the MOST direct risk reduction given the specific constraints described

Frequently Asked Questions

What is CompTIA SecurityX and how does it relate to CASP+?

CompTIA SecurityX (CAS-005) replaced CompTIA CASP+ in December 2024. It is CompTIA's expert-level cybersecurity certification validating advanced skills in security architecture, engineering, governance, and operations. The exam code changed from CAS-004 (CASP+) to CAS-005 (SecurityX). Active CASP+ certifications remain valid through their 3-year cycle.

What is the SecurityX CAS-005 exam format?

SecurityX CAS-005 has approximately 90 questions (multiple choice and performance-based) in 165 minutes. Scoring is pass/fail with no published scaled score. The exam fee is $525 USD. It is administered by Pearson VUE at test centers and online via OnVUE.

What experience do I need for SecurityX?

CompTIA recommends 10+ years of IT administration experience including 5+ years of hands-on technical security experience. Most candidates have Security+, CySA+, or CASP+ and work in senior security roles (security architect, security engineer, senior security analyst). No prerequisite certification is formally required to register.

What are the four SecurityX CAS-005 domains?

CAS-005 covers: Security Architecture (~30%) — zero-trust, cloud design, PKI, micro-segmentation, BCP; Security Engineering (~25%) — cryptography, DevSecOps, SBOM, endpoint security, IAM; Security Operations (~25%) — threat hunting, MITRE ATT&CK, SOAR, forensics, incident response; Governance, Risk, and Compliance (~20%) — FAIR, NIST CSF, regulatory compliance, third-party risk.

Is SecurityX CAS-005 approved for DoD roles?

Yes. CompTIA SecurityX is approved under DoD Directive 8140 for IASAE Level III and IAM Level III positions. It is the expert-level DoD-approved certification for senior security architects and engineers in government and defense contractor environments.

How long should I study for SecurityX?

Most candidates with senior security experience need 200-300 hours over 6-12 months. Focus on Security Architecture (30%) and Security Operations (25%) first. Use MITRE ATT&CK Navigator, practice FAIR risk quantification, study NIST SP 800-53 control families, and complete full-length performance-based practice scenarios.