CompTIA CASP+ Practice Questions

CompTIA Advanced Security Practitioner (CAS-004)

Practice with free CASP+ CAS-004 sample questions designed for advanced security practitioners. Each question features detailed scenario-based problems covering security architecture, operations, engineering, cryptography, and governance - with thorough explanations that break down the reasoning behind each answer.

Total Questions: 90
Time Limit: 165 minutes
Passing Score: Pass/Fail (no scaled score)
Registration Fee: $494

Free Sample Questions

Here are 5 free sample questions from our full bank of 300+ CompTIA CASP+ practice questions. Try them out below.

1

A security architect is designing a hybrid cloud environment for an organization that processes sensitive financial data. The organization requires data sovereignty compliance and must ensure that encryption keys never leave on-premises hardware security modules (HSMs). Which approach BEST addresses these requirements while still allowing cloud-based workloads to access encrypted data?

A) Implement cloud-native key management with BYOK (Bring Your Own Key) and replicate keys to the cloud provider's HSM
B) Use on-premises HSMs with a key management interoperability protocol (KMIP) gateway, allowing cloud workloads to request encryption operations without exposing keys
C) Deploy cloud-managed HSMs in the same geographic region and configure automatic key rotation policies
D) Encrypt all data on-premises before uploading to the cloud and store decryption keys in a cloud-based secrets manager

2

A security operations team discovers that an advanced persistent threat (APT) group has been present in the network for approximately 6 months. The threat actor has established persistence through multiple mechanisms including scheduled tasks, WMI event subscriptions, and modified GPOs. The team needs to eradicate the threat while maintaining business operations. What is the MOST effective remediation strategy?

A) Immediately isolate all compromised systems, rebuild them from known-good images, and restore data from backups predating the compromise
B) Deploy additional EDR agents across the environment and wait for the threat actor to trigger new detections before taking action
C) Conduct parallel containment by silently monitoring attacker C2 channels while preparing a coordinated remediation event to simultaneously remove all persistence mechanisms
D) Reset all user and service account passwords and revoke all active sessions to cut off the attacker's access

3

An organization is implementing a zero trust architecture for its internal network. Engineers must design the policy decision point (PDP) and policy enforcement point (PEP) components. The environment includes legacy SCADA systems that cannot support modern authentication protocols. Which implementation BEST aligns with zero trust principles while accommodating these constraints?

A) Place legacy SCADA systems in a separate VLAN with permissive firewall rules and exempt them from zero trust policies
B) Deploy micro-segmentation gateways as PEPs in front of legacy SCADA systems that act as authentication proxies, while the PDP evaluates contextual signals such as source IP, time of day, and device posture of the requesting system
C) Implement network access control (NAC) with 802.1X for all systems and configure MAC authentication bypass for legacy SCADA devices
D) Replace all legacy SCADA systems with modern equivalents that support SAML 2.0 and OAuth 2.0 before implementing zero trust

4

A chief information security officer (CISO) is developing a risk management framework for a multinational organization subject to GDPR, PCI DSS, and SOX compliance requirements. During a risk assessment, the team identifies a critical vulnerability in a payment processing system that could expose cardholder data. The vendor patch requires a full system upgrade that will take 90 days. Which risk treatment approach is MOST appropriate?

A) Accept the risk and document the decision since the patch timeline is outside the organization's control
B) Transfer the risk by purchasing additional cyber insurance coverage for the 90-day exposure window
C) Implement compensating controls such as enhanced network segmentation, additional monitoring, virtual patching via WAF/IPS rules, and increased logging - while documenting a formal risk exception with executive sign-off
D) Avoid the risk by taking the payment processing system offline until the vendor patch can be applied

5

A security engineer is hardening a containerized microservices environment running on Kubernetes. During a review, the engineer discovers that several pods are running as root, service account tokens are auto-mounted into all pods, and there is no network policy enforcement between namespaces. Which combination of controls should be implemented FIRST to reduce the attack surface most effectively?

A) Enable PodSecurity admission controller with restricted profile enforcement, disable automatic service account token mounting, and deploy a CNI plugin with default-deny network policies between namespaces
B) Implement image signing and verification with Cosign/Sigstore, deploy a service mesh with mTLS, and enable audit logging for all API server requests
C) Configure resource quotas and limit ranges for all namespaces, implement horizontal pod autoscaling, and deploy an ingress controller with rate limiting
D) Deploy a runtime security tool like Falco, enable Kubernetes audit logging, and implement RBAC with least-privilege service accounts

About the CompTIA CASP+

Format & Structure

Total Questions: 90
Time Limit: 165 minutes
Format: Multiple choice and performance-based

Scoring & Cost

Passing Score: Pass/Fail (no scaled score)
Registration Fee: $494

Frequently Asked Questions

What is the CompTIA CASP+ certification?

CompTIA CASP+ (CompTIA Advanced Security Practitioner) is an advanced-level cybersecurity certification designed for security architects and senior security engineers. It's the highest-level cybersecurity certification CompTIA offers and validates advanced skills in enterprise security, risk management, security architecture, and security operations. Unlike other certifications that focus on management, CASP+ is a hands-on, performance-based certification for practitioners who are still in the technical trenches.

How many questions are on the CASP+ exam?

The CompTIA CASP+ CAS-004 exam has a maximum of 90 questions. The actual number you see may vary slightly since the exam includes a mix of multiple-choice and performance-based questions. Performance-based questions simulate real-world scenarios where you might configure a firewall, analyze logs, or implement security controls in a virtual environment. These take more time than standard multiple-choice, so manage your time accordingly.

Is CASP+ harder than Security+?

Yes, CASP+ is significantly harder than Security+. Security+ covers foundational cybersecurity concepts and is considered an entry-to-intermediate level certification. CASP+ is an advanced practitioner certification that expects deep technical knowledge and the ability to apply security concepts in complex enterprise environments. Where Security+ might ask you to define a concept, CASP+ presents multi-layered scenarios and expects you to analyze trade-offs, integrate solutions across domains, and make advanced architectural decisions. Most people recommend at least 5-10 years of hands-on security experience before attempting CASP+.

What is the CASP+ passing score?

Unlike most CompTIA certifications, CASP+ does not use a scaled numeric score. It's strictly pass/fail. CompTIA does not publicly disclose the exact number of correct answers needed to pass. This means you won't receive a score report with a number - you'll simply be told whether you passed or failed. The pass/fail approach reflects the advanced nature of the certification, where competency is evaluated holistically across all domains rather than by hitting a specific point threshold.

What topics does CASP+ CAS-004 cover?

The CASP+ CAS-004 exam covers four major domains: Security Architecture (29% of the exam) covers enterprise security design, cloud and hybrid infrastructure, and zero trust concepts. Security Operations (30%) addresses threat management, vulnerability management, and incident response at an enterprise scale. Security Engineering and Cryptography (26%) focuses on implementing secure protocols, cryptographic solutions, and PKI. Governance, Risk, and Compliance (15%) includes risk management frameworks, privacy regulations, and business continuity. Each domain expects not just knowledge but the ability to apply concepts in complex, real-world scenarios.

How long is the CASP+ exam?

You get 165 minutes (2 hours and 45 minutes) to complete the CASP+ CAS-004 exam. That might sound generous for up to 90 questions, but performance-based questions can eat up a lot of time. A solid strategy is to tackle multiple-choice questions first, flagging any you're unsure about, and then circle back to performance-based questions with your remaining time. Many test-takers recommend spending no more than 2 minutes on standard multiple-choice questions so you have enough time for the more involved PBQs.

How should I prepare for CASP+?

Start with hands-on experience - CASP+ is not something you can pass through book study alone. Build and secure lab environments, practice with security tools, and work through real-world scenarios. Use CAS-004 study guides from CompTIA or publishers like Pearson and Sybex. Practice questions are crucial for getting comfortable with the scenario-based format - the questions on CASP+ are long and require careful analysis. Focus on understanding why answers are correct, not just memorizing facts. Review each exam domain and honestly assess your weak areas. If you're strong in operations but weak in cryptography, spend extra time on PKI, certificate management, and encryption protocols. Many successful candidates study for 3-6 months while working in security roles.
