The CompTIA CASP+ certification exam is an advanced-level cybersecurity credential, covering technical skills required in security architecture and senior security engineering jobs.
This guide covers the four knowledge domains of the CASP+ certification exam and the subtopics you can expect in the CAS-004 exam.
What is the CompTIA CASP+ certification exam?
The CompTIA Advanced Security Practitioner (CASP+) is an advanced-level cybersecurity certification for security architects and senior security engineers. It validates the risk and compliance skills needed to appraise an enterprise’s cybersecurity readiness.
The CASP+ certification is approved by the U.S. DoD, meets the directive 8140/8570.01-M requirements, and complies with ISO 17024 standards.
As a certified CASP+ professional, you are expected to apply technical skills and critical thinking to propose and implement appropriate security solutions, align them with the organization’s operational strategy, evaluate the impact of risks, and respond to security incidents.
A successful CompTIA CASP+ certified professional will have the skills required to:
- Architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise.
- Use monitoring, detection, incident response, and automation to proactively support ongoing security operations in an enterprise environment.
- Apply security practices to cloud, on-premises, endpoint, and mobile infrastructure, while considering cryptographic technologies and techniques.
- Consider the impact of governance, risk, and compliance requirements throughout the enterprise.
CompTIA CASP+ exam details
- Required exam: CAS-004
- Number of questions: Maximum of 90
- Types of questions: Multiple-choice and performance-based
- Length of test: 165 minutes
- Recommended experience: Minimum of ten years of general hands-on IT experience, with at least five of those years being broad hands-on IT security experience. Network+, Security+, CySA+, Cloud+, and PenTest+ or equivalent certifications/knowledge.
- Passing score: Pass/Fail only — no scaled score
CompTIA CASP+ exam objectives (domains)
Here is the breakdown of each domain with its percentage of the examination. The CompTIA CASP+ exam objectives are divided into four major parts:
- 1.0 Security Architecture - 29%
- 2.0 Security Operations - 30%
- 3.0 Security Engineering and Cryptography - 26%
- 4.0 Governance, Risk, and Compliance - 15%
Domain - 1.0 Security Architecture - 29%
1.1 Given a scenario, analyze the security requirements and objectives to ensure an appropriate, secure network architecture for a new or existing network.
- Services
- Segmentation
- Deperimeterization/zero trust
- Merging of networks from various organizations
- Software-defined networking (SDN)
1.2 Given a scenario, analyze the organizational requirements to determine the proper infrastructure security design.
- Scalability
- Resiliency
- Automation
- Performance
- Containerization
- Virtualization
- Content delivery network
- Caching
1.3 Given a scenario, integrate software applications securely into an enterprise architecture.
- Baseline and templates
- Software assurance
- Considerations of integrating enterprise applications
- Integrating security into development life cycle
1.4 Given a scenario, implement data security techniques for securing enterprise architecture.
- Data loss prevention
- Data loss detection
- Data classification, labeling, and tagging
- Obfuscation
- Anonymization
- Encrypted vs. unencrypted
- Data life cycle
- Data inventory and mapping
- Data integrity management
- Data storage, backup, and recovery
1.5 Given a scenario, analyze the security requirements and objectives to provide the appropriate authentication and authorization controls.
- Credential management
- Password policies
- Federation
- Access control
- Protocols
- Multifactor authentication (MFA)
- One-time password (OTP)
- Hardware root of trust
- Single sign-on (SSO)
- JavaScript Object Notation (JSON) web token (JWT)
- Attestation and identity proofing
1.6 Given a set of requirements, implement secure cloud and virtualization solutions.
- Virtualization strategies
- Provisioning and deprovisioning
- Middleware
- Metadata and tags
- Deployment models and considerations
- Hosting models
- Service models
- Cloud provider limitations
- Extending appropriate on-premises controls
- Storage models
1.7 Explain how cryptography and public key infrastructure (PKI) support security objectives and requirements.
- Privacy and confidentiality requirements
- Integrity requirements
- Non-repudiation
- Compliance and policy requirements
- Common cryptography use cases
- Common PKI use cases
1.8 Explain the impact of emerging technologies on enterprise security and privacy.
- Artificial intelligence
- Machine learning
- Quantum computing
- Blockchain
- Homomorphic encryption
- Big Data
- Virtual/augmented reality
- 3-D printing
- Passwordless authentication
- Nanotechnology
- Deep learning
- Secure multiparty computation
- Distributed consensus
- Biometric impersonation
Domain - 2.0 Security Operations - 30%
2.1 Given a scenario, perform threat management activities.
- Intelligence types
- Actor types
- Threat actor properties
- Frameworks
2.2 Given a scenario, analyze indicators of compromise and formulate an appropriate response.
- Indicators of compromise
- Response
2.3 Given a scenario, perform vulnerability management activities.
- Vulnerability scans
- Self-assessment vs. third-party vendor assessment
- Patch management
- Information sources
- Security Content Automation Protocol (SCAP)
2.4 Given a scenario, use the appropriate vulnerability assessment and penetration testing methods and tools.
- Methods
- Tools
- Dependency management
- Requirements
2.5 Given a scenario, analyze vulnerabilities and recommend risk mitigations.
- Vulnerabilities
- Inherently vulnerable system/application
- Attacks
2.6 Given a scenario, use processes to reduce risk.
- Proactive and detection
- Security data analytics
- Preventive
- Application control
- Security automation
- Physical security
2.7 Given an incident, implement the appropriate response.
- Event classifications
- Triage event
- Preescalation tasks
- Incident response process
- Specific response playbooks/processes
- Communication plan
- Stakeholder management
2.8 Explain the importance of forensic concepts.
- Legal vs. internal corporate purposes
- Forensic process
- Integrity preservation
- Cryptanalysis
- Steganalysis
2.9 Given a scenario, use forensic analysis tools.
- File carving tools
- Binary analysis tools
- Analysis tools
- Imaging tools
- Hashing utilities
- Live collection vs. post-mortem tools
Domain - 3.0 Security Engineering and Cryptography - 26%
3.1 Given a scenario, apply secure configurations to enterprise mobility.
- Managed configurations
- Deployment scenarios
- Security considerations
3.2 Given a scenario, configure and implement endpoint security controls.
- Hardening techniques
- Processes
- Mandatory access control
- Trustworthy computing
- Compensating controls
3.3 Explain security considerations impacting specific sectors and operational technologies.
- Embedded
- ICS/supervisory control and data acquisition (SCADA)
- Protocols
- Sectors
3.4 Explain how cloud technology adoption impacts organizational security.
- Automation and orchestration
- Encryption configuration
- Logs
- Monitoring configurations
- Key ownership and location
- Key life-cycle management
- Backup and recovery methods
- Infrastructure vs. serverless computing
- Application virtualization
- Software-defined networking
- Misconfigurations
- Collaboration tools
- Storage configurations
- Cloud access security broker (CASB)
3.5 Given a business requirement, implement the appropriate PKI solution.
- PKI hierarchy
- Certificate types
- Certificate usages/profiles/templates
- Extensions
- Trusted providers
- Trust model
- Cross-certification
- Configure profiles
- Life-cycle management
- Public and private keys
- Digital signature
- Certificate pinning
- Certificate stapling
- Certificate signing requests (CSRs)
- Online Certificate Status Protocol (OCSP) vs. certificate revocation list (CRL)
- HTTP Strict Transport Security (HSTS)
3.6 Given a business requirement, implement the appropriate cryptographic protocols and algorithms.
- Hashing
- Symmetric algorithms
- Asymmetric algorithms
- Protocols
- Elliptic curve cryptography
- Forward secrecy
- Authenticated encryption with associated data
- Key stretching
3.7 Given a scenario, troubleshoot issues with cryptographic implementations.
- Implementation and configuration issues
- Keys
Domain - 4.0 Governance, Risk, and Compliance - 15%
4.1 Given a set of requirements, apply the appropriate risk strategies.
- Risk assessment
- Risk handling techniques
- Risk types
- Risk management life cycle
- Risk tracking
- Risk appetite vs. risk tolerance
- Policies and security practices
4.2 Explain the importance of managing and mitigating vendor risk.
- Shared responsibility model (roles/responsibilities)
- Vendor lock-in and vendor lockout
- Vendor viability
- Meeting client requirements
- Support availability
- Geographical considerations
- Supply chain visibility
- Incident reporting requirements
- Source code escrows
- Ongoing vendor assessment tools
- Third-party dependencies
- Technical considerations
4.3 Explain compliance frameworks and legal considerations, and their organizational impact.
- Security concerns of integrating diverse industries
- Data considerations
- Third-party attestation of compliance
- Regulations, accreditations, and standards
- Legal considerations
- Contract and agreement types
- Geographic considerations
4.4 Explain the importance of business continuity and disaster recovery concepts.
- Business impact analysis
- Privacy impact assessment
- Disaster recovery plan (DRP)/business continuity plan (BCP)
- Incident response plan
- Testing plans