CompTIA CAS-005 glossary of governance, controls, zero trust, and detection terms.
Use this glossary when CompTIA SecurityX (CAS-005) terms start to blur together. The goal is practical recognition, not encyclopedia coverage.

| Term | Exam meaning |
|---|---|
| Zero trust | Security model that continuously verifies identity, device, context, and least privilege. |
| Risk appetite | Amount and type of risk an organization is willing to accept. |
| Threat model | Structured analysis of possible threats, assets, and mitigations. |
| Key lifecycle | Creation, use, rotation, escrow, revocation, and destruction of cryptographic keys. |
| Control validation | Evidence-based testing that a security control works as intended. |
| Third-party risk | Risk introduced by vendors, suppliers, partners, or external service providers. |

| Pair | How to separate them |
|---|---|
| Enterprise security architecture vs security operations and engineering | Ask which layer the scenario is testing, then match the answer to that layer only. |
| Control vs evidence | A control changes behavior; evidence proves behavior or supports investigation. |
| Managed service vs custom build | Managed services win for lower operational effort unless the requirement needs unsupported customization. |
| Prevention vs detection | Prevention blocks or reduces a bad event; detection finds or reports that it happened. |

Do not memorize terms in isolation. For each term, write one scenario where it is the best answer, one scenario where it is a distractor, and one signal that proves it worked.