Career Employer

FREE CompTIA SecurityX (CASP+) Study Guide 2026: All 4 Domains

The most important things the CompTIA SecurityX (CASP+) CAS-005 exam tests — an interactive study guide with built-in quizzes and flashcards, organized by all 4 official domains.


This free CompTIA SecurityX (CASP+) study guide covers every domain the current CAS-005 exam tests, organized to CompTIA’s official exam objectives.[2] SecurityX is CompTIA’s expert, master-level security certification — it validates the senior practitioner and security-architect skills to architect, engineer, operate, and govern security across complex enterprise environments.

CompTIA rebranded CASP+ as SecurityX in 2024 under its Xpert Series; the current version is CAS-005, which replaced CAS-004. You’ll see “CASP+” and “SecurityX” used interchangeably — they refer to the same advanced credential.

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.

The CAS-005 exam has four domains, and we teach each one as its own module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official objectives — not a full security-engineering textbook.

CompTIA SecurityX (CASP+) is one of the 14 CompTIA certifications — explore our CompTIA study guides to compare and prep across the whole family.

SecurityX (CASP+) CAS-005 Exam Snapshot

CompTIA SecurityX (CASP+) CAS-005 exam at a glance
Detail | SecurityX / CASP+ (CAS-005)
Questions | Maximum of 90
Format | Multiple-choice + performance-based (PBQs)
Time | 165 minutes
Passing score | Pass/fail only — no numeric scaled cut score
Exam code | CAS-005 (current; replaced CAS-004)
Also known as | CASP+ — rebranded SecurityX in 2024 (Xpert Series)
Delivered by | Pearson VUE (test center or online proctored)
Certifying body | CompTIA
Recommended prep | ~10 years of IT experience, including 5 in security (not required)
Cost | ≈ $509 USD (single voucher, U.S., 2026)
Valid for | 3 years — renew with 75 CEUs (CompTIA CE program)

Two domains dominate. Security Engineering (31%) and Security Architecture (27%) together are 58% of the exam, so invest there first.[2] Study by weight:

SecurityX CAS-005 weighting by domain (CompTIA exam objectives)
Domain | Weight
1.0 Security Engineering | 31% · biggest domain
2.0 Security Architecture | 27%
3.0 Security Operations | 22%
4.0 Governance, Risk & Compliance | 20%

Module 1 · Security Engineering & Cryptography

Domain — 31% of the exam, the single largest domain. This is where SecurityX goes deepest: selecting and integrating the right cryptography and secure technologies for a given constraint. You’ll be asked not just what a control is, but which one fits a scenario’s performance, key-management, or assurance needs. Spend the most time here.

1.1 Applied Cryptography

Start with the three primitive families. Symmetric encryption uses one shared key (e.g., AES) — fast, ideal for bulk data, but key distribution is the hard part. Asymmetric encryption uses a public/private key pair (RSA, ECC) to solve key exchange and enable digital signatures, at the cost of speed. A cryptographic hash function gives you integrity — a one-way, fixed-length digest — and adding a key turns it into an HMAC.

Real systems combine all three: asymmetric crypto exchanges a symmetric session key, symmetric crypto encrypts the data, and hashing verifies its integrity — exactly what a TLS handshake does. SecurityX rewards choosing the right primitive for the constraint, not memorizing algorithm names.
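The hash-versus-HMAC distinction above, as an added example (not code from the guide): an intermediary that can rewrite a message can also recompute an unkeyed SHA-256 digest, but cannot forge an HMAC tag without the shared key. The message and key are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample message and shared secret for this example (not from the guide).
MESSAGE = b"transfer 100 USD to account 12345"
KEY = os.urandom(32)  # the key only the sender and the verifier hold


def plain_digest(msg: bytes) -> str:
    """Unkeyed SHA-256: a one-way, fixed-length digest. Detects accidental
    corruption, but anyone who can change the message can recompute it."""
    return hashlib.sha256(msg).hexdigest()


def keyed_tag(msg: bytes, key: bytes) -> str:
    """HMAC-SHA256: the same hash with a secret key mixed in, so a valid tag
    proves integrity and that the sender knew the key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_plain(msg: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(msg), digest)


def verify_tag(msg: bytes, tag: str, key: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison itself leaks nothing.
    return hmac.compare_digest(keyed_tag(msg, key), tag)


def intermediary_alters(msg: bytes, check: str, keyed: bool):
    """Model an intermediary on the path that rewrites the message. Without the
    key it can only recompute a plain hash; an HMAC tag it has to leave as is,
    so the tag no longer matches the altered message."""
    altered = msg.replace(b"12345", b"99999")
    if keyed:
        return altered, check
    return altered, plain_digest(altered)


def tamper_detected(keyed: bool) -> bool:
    """True if the verifier notices that the message changed in transit."""
    check = keyed_tag(MESSAGE, KEY) if keyed else plain_digest(MESSAGE)
    altered, check_after = intermediary_alters(MESSAGE, check, keyed)
    if keyed:
        return not verify_tag(altered, check_after, KEY)
    return not verify_plain(altered, check_after)


def legitimate_message_accepted() -> bool:
    return verify_tag(MESSAGE, keyed_tag(MESSAGE, KEY), KEY)


if __name__ == "__main__":
    print("plain hash caught the change:", tamper_detected(keyed=False))  # False
    print("HMAC caught the change:", tamper_detected(keyed=True))  # True
```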

1.2 PKI, Keys & Hardware

PKI is the framework that makes public-key crypto usable at scale. A CA issues and signs digital certificates that bind an identity to a public key; trust chains up to a trusted root. When a key is compromised, the certificate is revoked and published via a CRL or checked in real time with OCSP.[2]

Protect the keys themselves in hardware. An HSM is a tamper-resistant device that generates and uses keys inside a hardened boundary — keys never leave in plaintext, so even a compromised host can’t extract them (ideal for a root CA’s private key). A TPM is the embedded, per-host equivalent for boot integrity and key storage.

Where keys live — hardware roots of trust
Component | Scope | Primary use
HSM | Shared, enterprise-grade appliance | High-assurance key generation/storage; PKI root protection
TPM | Embedded in one host | Secure boot measurement; hardware-backed local key storage
Key escrow | Trusted third party | Recoverable copy of keys for business continuity / legal access
CRL / OCSP | PKI revocation | Withdraw trust from a compromised or retired certificate

1.3 Secure Protocols & Emerging Crypto

Apply crypto through secure protocols: TLS for transport, SSH for remote administration, SFTP/FTPS for file transfer, and IPsec for VPN tunnels. Prefer ephemeral key exchange to gain perfect forward secrecy, so a future key compromise can’t decrypt recorded sessions.

Look ahead to post-quantum cryptography: large quantum computers could break today’s RSA and elliptic-curve crypto, and adversaries can “harvest now, decrypt later.” NIST has standardized PQC algorithms; the SecurityX response is crypto-agility — designing systems so algorithms can be swapped without re-architecting.[6]

Checkpoint · Security Engineering & Cryptography

Question 1 of 10

Which cryptographic protocol is best suited for securing communication between web servers and browsers?

Module 2 · Security Architecture

Domain — 27% of the exam. This domain is about designing security into the enterprise: the models and patterns that decide how trust, access, and data flow. The recurring exam idea is layered, assume-breach design — no single control is trusted alone.

2.1 Zero Trust & Defense in Depth

Two principles anchor modern architecture. Zero trust removes implicit trust based on network location and verifies every request on identity, device, and context — “never trust, always verify.”[3] Defense in depth layers overlapping controls so that if one fails, another still protects the asset.

2.2 Network Architecture & Segmentation

Network segmentation divides the network into isolated zones so traffic between them must pass through controls — limiting lateral movement and shrinking the blast radius of a breach. Microsegmentation takes this to the workload level. A DMZ isolates public-facing services; an air gap is the extreme physical control for the most sensitive systems. Enforce posture at the edge with NAC, IPS, and a WAF for web apps.

Network control — pick the right boundary
Control | What it does
Segmentation / VLAN | Isolates zones so cross-zone traffic passes through controls; limits lateral movement
DMZ | Buffer segment between the internal network and untrusted external networks
NAC | Admits devices only if they meet security policy (patch level, posture, identity)
IPS | Inline detection that actively blocks identified threats (vs. IDS, which only alerts)
WAF | Filters and blocks malicious HTTP traffic to/from a web application
Air gap | Physical isolation — no network connection at all, for the most sensitive systems

2.3 Cloud, Hybrid & Data-Centric Security

In the cloud, the shared responsibility model splits duties: the provider secures the cloud infrastructure; you secure your data, identities, and configurations. The split shifts across IaaS, PaaS, and SaaS — and most breaches trace to customer-side misconfiguration, not provider failure. SASE converges networking and security for distributed access.

Protect the data itself. DLP monitors and blocks unauthorized movement of sensitive data across network, endpoint, and storage — but it only works on data you’ve classified. Pair DLP with encryption, rights management, and accurate data classification for a data-centric architecture.

Cloud shared responsibility — who secures what
Service model | Provider secures | Customer secures
IaaS | Physical, hypervisor, network fabric | OS, apps, data, identities, configuration (the most)
PaaS | Up through the runtime/platform | Apps, data, identities, access policy
SaaS | Almost everything (app + infra) | Data, user access, and configuration (the least)

Checkpoint · Security Architecture

Question 1 of 10

Which of the following best describes a Zero Trust security model in network architecture?

Module 3 · Security Operations

Domain — 22% of the exam. This domain is the running of security: monitoring and detecting threats, responding to incidents, performing forensics, and validating defenses through testing and teaming. It’s where architecture and engineering meet the live adversary.

3.1 Monitoring, SIEM & Threat Detection

Visibility is everything. A SIEM aggregates and correlates logs from across the enterprise to detect threats and support investigations — but it must be tuned to control false positives and ingest data at scale. SOAR layers automation on top, running playbooks so response is faster and consistent. Use MITRE ATT&CK to map detection coverage and a honeypot to lure and study attackers.[7]

SIEM vs. SOAR — detection vs. response
Capability | SIEM | SOAR
Primary job | Aggregate, correlate, detect, alert | Automate and orchestrate the response
Output | Alerts and investigative context | Executed playbooks and actions
Key concern | Tuning false positives; ingestion scale | Playbook quality; safe automation
Improves | Detection coverage | Mean time to respond (MTTR)
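The SIEM "aggregate, correlate, detect, alert" loop described in 3.1, as an added example (not code from the guide or any SIEM product): a small correlation rule that parses constructed authentication events and alerts when a burst of failed logins from one source is followed by a success. The threshold and window parameters are the false-positive tuning knobs the text mentions; the log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events in a simple key=value format (not real logs;
# the source addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOGS = """\
2026-03-01T08:00:01Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2026-03-01T08:00:04Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2026-03-01T08:00:07Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2026-03-01T08:00:09Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2026-03-01T08:00:12Z host=vpn01 user=alice src=203.0.113.5 result=FAIL
2026-03-01T08:00:20Z host=vpn01 user=alice src=203.0.113.5 result=SUCCESS
2026-03-01T08:01:00Z host=mail01 user=bob src=198.51.100.7 result=FAIL
2026-03-01T08:30:00Z host=mail01 user=bob src=198.51.100.7 result=SUCCESS
2026-03-01T09:00:00Z host=vpn01 user=carol src=192.0.2.9 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse(text: str) -> list:
    """Normalise raw lines into event dicts (the SIEM 'aggregate' step)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count these as parse failures
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events: list, threshold: int = 5, window_minutes: int = 5) -> list:
    """Correlation rule: at least `threshold` failures from one (src, user) pair
    followed by a success within `window_minutes`. Raising the threshold or
    shrinking the window is how the rule is tuned against false positives."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    recent_fails = defaultdict(list)  # (src, user) -> failure timestamps still in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        recent_fails[key] = [t for t in recent_fails[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
        elif len(recent_fails[key]) >= threshold:  # result is SUCCESS here
            alerts.append({
                "rule": "brute_force_then_success",
                "src": ev["src"], "user": ev["user"], "host": ev["host"],
                "failures": len(recent_fails[key]), "at": ev["ts"].isoformat(),
            })
            recent_fails[key].clear()  # one alert per burst, not one per later login
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

With the default tuning only alice's burst fires; loosening to one failure in an hour also pulls in bob's single failure 29 minutes before his login, which is the kind of false positive tuning exists to suppress.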

3.2 Incident Response & Forensics

CompTIA follows the NIST incident response lifecycle (SP 800-61): preparation; detection & analysis; containment, eradication & recovery; and post-incident activity.[4] In a live incident, containment usually comes first — stop the spread before you eradicate and recover.

Forensics preserves evidence so it stays admissible: maintain a chain of custody (who handled what, and when), collect by order of volatility (memory and network state before disk), and analyze a hash-verified forensic image rather than the original.
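The chain-of-custody and hash-verified-image practice from 3.2, as an added example (not code from the guide): the evidence is hashed at acquisition, a working copy is hashed again before analysis and rejected on mismatch, and every handling step goes into an append-only custody log whose entries are hash-chained so later edits are detectable. The "image" bytes are a constructed stand-in.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not a real image).
ORIGINAL_IMAGE = b"\x00" * 512 + b"EXAMPLE-FILESYSTEM-DATA" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record. Each entry stores the hash of the
    entry before it, so editing or dropping an entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, handler: str, action: str, evidence_hash: str, when: str = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "when": when or datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "evidence_sha256": evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """Re-derive every entry hash and check the links between entries."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev_entry_hash"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def acquire_and_verify(original: bytes, working_copy: bytes, log: CustodyLog, examiner: str) -> bool:
    """Hash the evidence at acquisition, hash the working copy before analysis,
    and only clear the copy for analysis when the two digests match."""
    acquisition_hash = sha256_hex(original)
    log.record(examiner, "acquired image and recorded hash", acquisition_hash)
    copy_hash = sha256_hex(working_copy)
    verified = copy_hash == acquisition_hash
    log.record(
        examiner,
        "verified working copy, cleared for analysis" if verified else "hash mismatch, copy rejected",
        copy_hash,
    )
    return verified


if __name__ == "__main__":
    log = CustodyLog()
    print("copy verified:", acquire_and_verify(ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE), log, "examiner-1"))
    print("custody log intact:", log.is_intact())
```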

3.3 Testing, Teams & Threat Hunting

Validate defenses through structured exercises. A red team emulates real adversaries; a blue team defends through the SOC; and a purple team integrates the two so each attack finding becomes a durable detection. Go further with threat hunting — the proactive, hypothesis-driven search for adversaries who slipped past your detections, before any alert fires.

Checkpoint · Security Operations

Question 1 of 10

In a security architecture context, what is the role of a Security Information and Event Management (SIEM) system?

Module 4 · Governance, Risk & Compliance

Domain — 20% of the exam. This domain elevates security from technical controls to business decisions: managing risk in dollars and probabilities, governing through policy, and meeting regulatory obligations. It’s the smallest domain, but it’s what makes a senior practitioner.

4.1 Risk Management

Risk management is a continuous cycle: frame, identify, assess, respond, monitor, and report. Once a risk is assessed, you choose a treatment — mitigate (controls), transfer (insurance/contract), accept (within risk appetite), or avoid (stop the activity). Whatever you choose, residual risk must still fall within tolerance.[5]

Quantify where you can. SLE × ARO = ALE gives the annualized loss a control’s cost is justified against — a control is worth it when its annual cost is less than the ALE reduction it delivers. Qualitative (high/medium/low) analysis is faster when precise dollars aren’t available.

The four ways to respond to a risk
Treatment | What it means | Example
Mitigate | Apply controls to reduce likelihood or impact | Patch, segment, add MFA
Transfer | Shift the financial loss to a third party | Cyber insurance; contractual indemnity
Accept | Tolerate it — it's within risk appetite | Document and accept a low-impact risk
Avoid | Eliminate the risk by stopping the activity | Retire a risky legacy service entirely
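The quantitative reasoning in 4.1 carried through in code, as an added example (not from the guide): SLE = AV × EF, ALE = SLE × ARO, a control's net benefit is the ALE reduction minus its annual cost, and the treatment decision also requires the residual ALE to stay within risk appetite. All dollar figures and control names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset_value: float       # AV: dollar value of the asset
    exposure_factor: float   # EF: fraction of AV lost in one occurrence (0..1)
    aro: float               # ARO: expected occurrences per year

    def sle(self) -> float:  # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:  # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


def residual(risk: Risk, control: Control) -> Risk:
    """The risk that remains after the control is applied (residual risk)."""
    return Risk(risk.asset_value, control.exposure_factor_after, control.aro_after)


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus annual cost; positive means the control pays for itself."""
    return risk.ale() - residual(risk, control).ale() - control.annual_cost


def choose_treatment(risk: Risk, controls: list, appetite_ale: float) -> tuple:
    """Mitigate with the best-paying control whose residual ALE stays within
    appetite; otherwise accept if the untreated ALE is already within appetite;
    otherwise the risk needs a transfer or avoid decision."""
    viable = [c for c in controls
              if net_benefit(risk, c) > 0 and residual(risk, c).ale() <= appetite_ale]
    if viable:
        best = max(viable, key=lambda c: net_benefit(risk, c))
        return ("mitigate", best.name, residual(risk, best).ale())
    if risk.ale() <= appetite_ale:
        return ("accept", None, risk.ale())
    return ("transfer-or-avoid", None, risk.ale())


# Constructed figures for illustration (not from the guide): a ransomware scenario.
RANSOMWARE = Risk(asset_value=500_000, exposure_factor=0.4, aro=0.5)  # ALE = 100,000
CONTROLS = [
    # reduces likelihood (ARO) only
    Control("MFA and patching", annual_cost=30_000, exposure_factor_after=0.4, aro_after=0.1),
    # reduces likelihood and impact (EF) but costs far more
    Control("MFA, patching and offline backups", annual_cost=90_000,
            exposure_factor_after=0.1, aro_after=0.1),
]

if __name__ == "__main__":
    print("ALE before treatment:", RANSOMWARE.ale())
    for c in CONTROLS:
        print(f"{c.name}: net benefit {net_benefit(RANSOMWARE, c):,.0f}")
    print(choose_treatment(RANSOMWARE, CONTROLS, appetite_ale=25_000))
```

Note how the cheaper control wins at a 25,000 appetite but is ruled out at a 10,000 appetite because its residual ALE of 20,000 breaches tolerance, even though it has the larger net benefit.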

4.2 Governance & Compliance

Governance turns intent into accountability. Due diligence is investigating and evaluating risk; due care is acting reasonably on that knowledge — diligence is knowing, care is doing, and failing either creates liability. Separation of duties splits sensitive tasks so no one person can complete them alone, preventing fraud. An SBOM inventories software components to manage supply-chain risk.[8]

Know the major frameworks and regulations by purpose: GDPR (EU personal-data privacy), PCI DSS (cardholder data), HIPAA (U.S. health data), ISO 27001 and the NIST Cybersecurity Framework (program structure), and CMMI/ITIL (process maturity and service management). The exam tests which applies to a scenario, not memorized clauses.

Governance concepts and frameworks — by purpose
Concept / framework | What it governs
Due diligence vs. due care | Investigating risk vs. acting reasonably on it
Separation of duties | Splitting tasks so no single person can commit fraud alone
GDPR | Privacy and personal data of EU residents
PCI DSS | Protection of payment-card (cardholder) data
ISO 27001 / NIST CSF | Structuring and maturing an information-security program
SBOM | Inventorying software components for supply-chain risk

Checkpoint · Governance, Risk & Compliance

Question 1 of 10

What is the primary purpose of conducting a security gap analysis in an organization?

How to Use This SecurityX (CASP+) Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Security Engineering (31%) and Security Architecture (27%) are nearly 60% of the exam — start there, then Security Operations and Governance, Risk and Compliance.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Practice the PBQs. Performance-based questions reward hands-on skill — configuring controls, analyzing logs, and modeling threats, not just definitions.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until you can handle complex, scenario-level questions confidently.

SecurityX (CASP+) Concept Questions

Core SecurityX concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

SecurityX (CASP+) Glossary

The high-yield SecurityX terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

AES
Advanced Encryption Standard — the modern, widely trusted symmetric block cipher used for bulk data encryption.
Air gap
A physical control isolating a system or network so it has no connection to other networks, used for the most sensitive environments.
ALE
Annualized Loss Expectancy — SLE × ARO; the expected yearly loss a control's cost is justified against.
ARO
Annualized Rate of Occurrence — how many times per year a given loss event is expected to happen.
Asymmetric encryption
Encryption using a public/private key pair (e.g., RSA, ECC) — solves key exchange and enables digital signatures, but is slower than symmetric.
Blue team
A defensive security team that detects, responds to, and hardens against attacks through the SOC.
CA
Certificate Authority — the trusted entity in a PKI that signs and issues digital certificates and can revoke them.
Chain of custody
The documented, unbroken record of who handled evidence and when — what keeps it admissible in legal proceedings.
CRL
Certificate Revocation List — a published list of certificates a CA has revoked before their expiry.
Crypto-agility
Designing systems so cryptographic algorithms can be swapped out without re-architecting — essential for the post-quantum transition.
Cryptographic hash function
A one-way function mapping input to a fixed-length, irreversible digest (e.g., SHA-256) — provides integrity, not confidentiality.
Defense in depth
Layering multiple, overlapping controls (data, app, host, network, perimeter, people) so that if one fails, others still protect the asset.
Diffie-Hellman
A key-exchange algorithm letting two parties derive a shared secret over an insecure channel; the ephemeral variant provides forward secrecy.
Digital certificate
An X.509 document binding a verified identity to a public key, signed by a CA so relying parties can trust the key.
DLP
Data Loss Prevention — monitoring and blocking unauthorized movement of sensitive data across network, endpoint, and storage based on classification.
DMZ
Demilitarized Zone — a network segment placed between the internal network and untrusted external networks to host public-facing services.
Due care
The reasonable actions and controls a prudent organization implements based on its due-diligence findings.
Due diligence
The investigation and ongoing evaluation of risk involved in a decision, such as a vendor or acquisition.
GDPR
General Data Protection Regulation — the EU law protecting the privacy and personal data of EU residents.
HMAC
Hash-based Message Authentication Code — a hash combined with a secret key to provide both integrity and authenticity of a message.
Honeypot
A decoy system designed to lure, detect, and analyze attackers, diverting them from real assets and revealing their techniques.
HSM
Hardware Security Module — a tamper-resistant device that generates, stores, and uses cryptographic keys inside a hardened boundary; keys never leave in plaintext.
Incident response lifecycle
NIST's four phases: preparation; detection & analysis; containment, eradication & recovery; post-incident activity.
IPS
Intrusion Prevention System — inline monitoring that actively blocks identified threats, unlike an IDS, which only alerts.
Microsegmentation
Segmentation pushed down to individual workloads or hosts, enforcing zero-trust policy at a fine granularity.
MITRE ATT&CK
A knowledge base of real-world adversary tactics (goals) and techniques (methods) used to map detections and drive threat hunting.
NAC
Network Access Control — controls device access to the network based on compliance with security policy (patch level, posture, identity).
Network segmentation
Dividing a network into isolated zones (VLANs, subnets, microsegmentation) so traffic between them passes through controls, limiting lateral movement.
OCSP
Online Certificate Status Protocol — a real-time query to check whether a single certificate has been revoked, instead of downloading a full CRL.
Order of volatility
Collecting evidence most-volatile-first (memory, network state) before less-volatile data (disk) so nothing is lost.
Perfect forward secrecy
Use of ephemeral session keys so that compromise of a long-term private key cannot decrypt previously recorded sessions.
PKI
Public Key Infrastructure — the CAs, RAs, and policies that create, distribute, validate, and revoke digital certificates binding identities to public keys.
Post-quantum cryptography
Algorithms designed to resist attacks by large quantum computers, which could break today's RSA and elliptic-curve cryptography.
Purple team
A function that integrates Red and Blue teams so attack findings immediately improve detections.
Red team
An offensive security team that emulates real adversaries to find exploitable gaps before attackers do.
Residual risk
The risk that remains after a chosen treatment (mitigate, transfer, accept, avoid) has been applied.
Risk appetite
The amount and type of risk an organization is willing to accept in pursuit of its objectives, set by leadership.
SASE
Secure Access Service Edge — converges networking (SD-WAN) and security (SWG, CASB, ZTNA, FWaaS) into one cloud-delivered service.
SBOM
Software Bill of Materials — a machine-readable inventory of every component and dependency in software, key to supply-chain risk.
Separation of duties
Splitting a sensitive task across multiple people so no single person can complete it alone, preventing fraud.
Shared responsibility model
The cloud security split where the provider secures the cloud infrastructure and the customer secures their data, identities, and configurations.
SIEM
Security Information and Event Management — aggregates and correlates logs across the enterprise to detect threats, alert, and support investigations.
SLE
Single Loss Expectancy — the monetary loss from one occurrence of a risk (asset value × exposure factor).
SOAR
Security Orchestration, Automation, and Response — automates and coordinates incident response via playbooks and tool integrations.
SOC
Security Operations Center — the team and facility that monitors, detects, and responds to security events around the clock.
Symmetric encryption
Encryption using one shared secret key for both encrypting and decrypting — fast and ideal for bulk data (e.g., AES), but key distribution is the challenge.
Threat hunting
The proactive, hypothesis-driven search for adversaries that have evaded existing detections, before any alert fires.
TPM
Trusted Platform Module — a chip embedded in a host for secure boot integrity measurement and hardware-backed key storage.
WAF
Web Application Firewall — filters, monitors, and blocks HTTP traffic to and from a web application to defend against web attacks.
Zero trust
A security model that removes implicit trust based on network location and verifies every request on identity, device, and context — 'never trust, always verify.'

SecurityX (CASP+) Study Guide FAQ

The SecurityX CAS-005 exam has a maximum of 90 questions — a mix of multiple-choice and performance-based questions (PBQs) — and you get 165 minutes to complete it. The PBQs are hands-on simulations (configuring controls, analyzing logs, modeling threats), so manage your time and consider saving them for last.

References

  1. CompTIA. “CompTIA SecurityX (CASP+) Certification.” comptia.org.
  2. CompTIA. “SecurityX (CAS-005) Exam Objectives.” comptia.org.
  3. National Institute of Standards and Technology. “SP 800-207, Zero Trust Architecture.” csrc.nist.gov.
  4. National Institute of Standards and Technology. “SP 800-61, Computer Security Incident Handling Guide.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “Post-Quantum Cryptography Project.” csrc.nist.gov.
  7. The MITRE Corporation. “MITRE ATT&CK.” attack.mitre.org.
  8. Cybersecurity and Infrastructure Security Agency. “Software Bill of Materials (SBOM).” cisa.gov.
  9. National Institute of Standards and Technology (NIST). “Public Key Infrastructure (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
  10. National Institute of Standards and Technology (NIST). “Hardware Security Module (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
  11. National Institute of Standards and Technology (NIST). “Cryptographic Hash Function (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
  12. National Institute of Standards and Technology (NIST). “Perfect Forward Secrecy (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
  13. National Institute of Standards and Technology (NIST). “Network Segmentation (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
  14. National Institute of Standards and Technology (NIST). “Data Loss Prevention (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
  15. National Institute of Standards and Technology (NIST). “Security Information and Event Management (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
  16. National Institute of Standards and Technology (NIST). “Chain of Custody (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.
  17. National Institute of Standards and Technology (NIST). “Separation of Duties (CSRC Glossary).” csrc.nist.gov, accessed 20 June 2026.