CompTIA CAS-005 Sample Questions with Explanations

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for CompTIA SecurityX (CAS-005) topics such as enterprise security architecture, governance, risk, compliance, cryptography, cloud security, control validation, incident command, automation, and emerging technology. The prompts emphasize senior-level trade-offs instead of single-tool answers.

CAS-005 SecurityX sample questions

Work through each prompt before opening the explanation. SecurityX questions usually reward the answer that defines risk, chooses architecture-level controls, assigns ownership, and validates effectiveness.


Question 1

Topic: Zero trust architecture decision

An enterprise wants to reduce lateral movement across hybrid cloud and on-premises systems. Leadership asks for a zero trust approach, but business units still need access to shared applications. Which design is strongest?

  • A. Buy a product labeled zero trust and disable existing logging to reduce noise.
  • B. Use identity-aware access, device posture, least privilege, segmentation, continuous monitoring, and policy enforcement aligned to application risk.
  • C. Put every user and workload on one flat network so access is simpler.
  • D. Rely only on annual password changes because identity is the only trust boundary.

Best answer: B

Explanation: Zero trust is an architecture pattern, not a single product. Strong designs combine identity, device, network, application, monitoring, and policy controls.

Why the other choices are weaker:

  • A treats zero trust as a product and removes validation evidence.
  • C increases lateral movement risk.
  • D narrows trust to passwords and ignores device, network, data, and application context.

What this tests: Zero trust, segmentation, identity-aware access, monitoring, least privilege, and architecture-level risk reduction.

Related topics: Zero trust; Segmentation; Identity; Architecture


Question 2

Topic: Audit evidence and control ownership

An auditor asks whether privileged access reviews are operating effectively. The organization has a policy document, but no review records, owner, exception process, or evidence of remediation. What is the strongest response?

  • A. Send only the policy document because written policy is always sufficient evidence.
  • B. Delete all privileged accounts during the audit to avoid findings.
  • C. Map the requirement to a control owner, review cadence, evidence records, exception approvals, and remediation tracking.
  • D. Ask the auditor to rely on verbal assurance without evidence.

Best answer: C

Explanation: SecurityX governance questions distinguish documented intent from operating effectiveness. Auditable controls need owners, frequency, evidence, exceptions, and corrective action.

Why the other choices are weaker:

  • A shows policy existence, not operation.
  • B is disruptive and does not prove a sustainable control.
  • D lacks evidence and accountability.

What this tests: GRC, audit evidence, control ownership, exceptions, remediation, and operating effectiveness.

Related topics: GRC; Audit evidence; Privileged access; Control validation


Question 3

Topic: Encryption without key lifecycle

A team encrypted sensitive records in a database, but the same administrators who manage the database also export keys, rotate keys, and approve emergency access. Which improvement best reduces risk?

  • A. Keep the keys in the application repository so developers can troubleshoot faster.
  • B. Disable encryption because key management adds complexity.
  • C. Use a longer table name because it obscures sensitive data.
  • D. Move key management into an approved KMS or HSM-backed lifecycle with separation of duties, access review, rotation, logging, and recovery procedure.

Best answer: D

Explanation: Encryption only reduces risk when key lifecycle and access controls are designed correctly. Separation of duties and auditability matter at the advanced level.

Why the other choices are weaker:

  • A exposes keys and weakens control.
  • B removes a protective control instead of fixing lifecycle risk.
  • C is obscurity, not cryptographic protection.

What this tests: Encryption, key management, HSM/KMS, separation of duties, access review, and logging.

Related topics: Cryptography; KMS; HSM; Separation of duties


Question 4

Topic: SOAR automation guardrails

A SOC wants to automate containment when high-confidence alerts fire. Some alerts affect production systems with strict availability requirements. Which automation design is strongest?

  • A. Automatically isolate every production system on any alert, regardless of confidence or business impact.
  • B. Disable alert enrichment so automation starts faster.
  • C. Define triggers, confidence thresholds, approvals for high-impact actions, rollback paths, logging, and periodic validation of the playbook.
  • D. Allow each analyst to edit production automation without review.

Best answer: C

Explanation: Advanced automation needs guardrails. SecurityX answers balance speed with business impact, validation, approvals, rollback, and auditability.

Why the other choices are weaker:

  • A can create unnecessary outages.
  • B removes context that improves confidence and routing.
  • D weakens change control for high-impact response logic.

What this tests: SOAR, automation safety, containment, approvals, rollback, logging, and production impact.

Related topics: SOAR; Automation; Incident response; Change control

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by CompTIA or any certification body.

Revised on Sunday, May 10, 2026