// Exam Overview
| Detail | Value |
| --- | --- |
| Exam code | CAS-005 |
| Number of questions | Up to 90 (multiple choice + performance-based) |
| Duration | 165 minutes |
| Passing score | 750 out of 900 |
| Recommended experience | 10+ years in IT, 5+ years in security; Security+ and CySA+ recommended first |
| Level | Expert; the highest-level CompTIA security certification |
| Renewal | Every 3 years via CEs or retake |
| Domain | Name | Approximate weighting |
| --- | --- | --- |
| Domain 1 | Security Architecture | ~25% |
| Domain 2 | Security Operations | ~33% |
| Domain 3 | Security Engineering | ~30% |
| Domain 4 | Governance, Risk & Compliance | ~12% |

Domain percentages for CAS-005 are approximate; CompTIA does not publish exact weightings for SecurityX. Spend the most time on Domains 2 and 3, as they cover the broadest operational and technical ground.
// SecurityX vs Security+
SecurityX is not just a harder version of Security+. The exam style, scope, and expected depth are fundamentally different.
| Aspect | Security+ SY0-701 | SecurityX CAS-005 |
| --- | --- | --- |
| Level | Intermediate | Expert |
| Duration | 90 minutes | 165 minutes |
| Focus | What security concepts are and how they work | How to architect, implement, and justify security decisions |
| Question style | Select the correct answer | Select the BEST answer given constraints; business context matters |
| Expected role | Junior/mid security analyst, sysadmin | Senior security engineer, architect, manager |
| Business context | Minimal | Heavy: budget, risk appetite, competing priorities |
| Depth required | Know concepts | Know the WHY: trade-offs, limitations, alternatives |
// Domain 1: Security Architecture (~25%)
Enterprise architecture frameworks
| Framework | Purpose |
| --- | --- |
| TOGAF | Enterprise architecture framework covering business, data, application, and technology layers |
| SABSA | Security architecture framework aligned to business risk |
| NIST SP 800-53 | Security and privacy controls catalogue for US federal systems; widely adopted elsewhere |
| NIST SP 800-37 | Risk Management Framework (RMF): categorise, select, implement, assess, authorise, monitor |
| Zero Trust Architecture (NIST SP 800-207) | Formal definition of ZTA: no implicit trust based on network location |
Security architecture patterns
| Pattern | Concept |
| --- | --- |
| Defence in depth | Multiple layers of controls, so that compromise of one layer doesn't lead to full compromise |
| Least privilege | Minimum permissions required to perform a function; limits the blast radius of a compromise |
| Separation of duties | No single person can complete a critical process alone; prevents fraud and error |
| Fail secure | Default to a secure state on failure: a firewall that fails should block, not allow all |
| Secure by design | Security built into the architecture from the start, not bolted on afterwards |
| Resilience by design | Systems designed to continue operating through partial failure: redundancy, failover |
Hybrid and cloud architecture
| Topic | Key points |
| --- | --- |
| Shared responsibility model | Know exactly what the CSP secures vs what you must secure for IaaS/PaaS/SaaS; the exam will test the boundaries |
| CASB | Proxy between users and cloud services: visibility, DLP, access control for SaaS |
| CSPM | Cloud Security Posture Management: continuous compliance monitoring for misconfigurations in cloud environments |
| CWPP | Cloud Workload Protection Platform: runtime security for VMs, containers, serverless |
| Container security | Image scanning, runtime protection, pod security policies (Kubernetes), least privilege for container runtimes |
// Domain 2: Security Operations (~33%)
Threat intelligence
| Concept | Definition |
| --- | --- |
| Strategic intelligence | High-level, long-term: nation-state actors, industry trends, geopolitical risk. For executives. |
| Operational intelligence | Specific campaigns and attacker tooling in use now. For security managers planning defences. |
| Tactical intelligence | TTPs, i.e. how attackers operate. For detection engineers and the SOC. |
| Technical intelligence | IOCs: IPs, hashes, domains. For immediate blocking. Short shelf life. |
| STIX / TAXII | STIX = structured format for sharing threat intelligence. TAXII = transport protocol for sharing STIX. |
| ISACs | Information Sharing and Analysis Centres: sector-specific (FS-ISAC, MS-ISAC) threat sharing communities |
Advanced threat hunting
| Concept | Definition |
| --- | --- |
| Hypothesis-driven hunting | Start with an assumption ("I believe attacker X is using living-off-the-land binaries") and hunt for evidence |
| IOC-based hunting | Start with known bad (IP, hash, domain) and search logs for matching activity |
| TTP-based hunting | Hunt based on adversary behaviour (MITRE ATT&CK technique); more robust than IOC-based hunting because TTPs change slowly |
| Pyramid of Pain | Hash → IP → Domain → Network/Host artefacts → TTPs; the higher up the pyramid, the more costly it is for the attacker to change |
| Living off the Land (LotL) | Attackers use built-in OS tools (PowerShell, WMI, certutil) to avoid detection; harder to detect than custom malware |
Vulnerability research and pen testing
| Term | Definition |
| --- | --- |
| Black box | No prior knowledge of the target; simulates an external attacker |
| White box | Full knowledge: source code, architecture diagrams, credentials. Most thorough. |
| Grey box | Partial knowledge; simulates an attacker who has done some recon or has stolen credentials |
| Red team | Full adversary simulation over an extended period; tests detection and response, not just technical controls |
| Purple team | Red and blue teams work together; attackers share TTPs so defenders can tune detection in real time |
| Bug bounty | Crowdsourced vulnerability disclosure programme; researchers are paid for valid findings |
// Domain 3: Security Engineering (~30%)
Cryptography (advanced)
| Topic | Key points |
| --- | --- |
| PKI | Hierarchy of CAs: Root CA (offline), Intermediate CA, issuing CA. A certificate contains a public key + identity. CRL and OCSP for revocation. |
| Perfect Forward Secrecy (PFS) | Ephemeral keys per session; compromise of the server's long-term key doesn't decrypt past sessions. Requires ECDHE or DHE key exchange. |
| Homomorphic encryption | Compute on encrypted data without decrypting; enables privacy-preserving cloud analytics |
| Quantum computing threat | Shor's algorithm breaks RSA and ECC. Post-quantum cryptography (CRYSTALS-Kyber, CRYSTALS-Dilithium) being standardised by NIST. |
| Crypto agility | Design systems to swap cryptographic algorithms without architectural redesign; essential as quantum threats mature |
| HSM | Hardware Security Module: tamper-resistant hardware for key generation and storage. Private keys never leave the HSM in plaintext. |
Secure software development
| Topic | Key points |
| --- | --- |
| SSDLC | Secure Software Development Lifecycle: security activities at every phase (requirements, design, implementation, testing, deployment) |
| Threat modelling | STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege); identify threats during the design phase |
| SAST | Static Application Security Testing: analysis of source code without execution. Finds code-level flaws early. |
| DAST | Dynamic Application Security Testing: testing the running application from outside. Finds runtime and environment issues. |
| IAST | Interactive AST: agent-based, monitors application behaviour during testing. Combines SAST and DAST benefits. |
| DevSecOps | Security integrated into the CI/CD pipeline: automated scanning on every commit, security gates before deployment |
// Domain 4: Governance, Risk & Compliance (~12%)
Enterprise risk management
At SecurityX level, risk is evaluated in business terms, not just technical likelihood/impact. You must be able to justify security investment, communicate risk to executives, and make trade-off decisions.
| Concept | Definition |
| --- | --- |
| Risk appetite | The amount of risk an organisation is willing to accept to achieve its objectives; set by the board |
| Risk tolerance | The acceptable deviation from the risk appetite; the operational boundaries within which risk is managed |
| Residual risk | Risk remaining after controls are applied; should be within the risk appetite |
| Inherent risk | Risk before any controls are applied |
| Third-party risk | Risk introduced by suppliers, vendors, and partners; supply chain attacks exploit weak third-party security |
| BIA | Business Impact Analysis: identifies critical systems, RTOs, RPOs, and the financial impact of downtime |
| RTO | Recovery Time Objective: maximum acceptable time to restore a system after failure |
| RPO | Recovery Point Objective: maximum acceptable data loss, measured in time |
Privacy and data governance
| Concept | Definition |
| --- | --- |
| Data classification | Categorising data by sensitivity (Public, Internal, Confidential, Restricted) to apply appropriate controls |
| Data sovereignty | Data is subject to the laws of the country where it resides; relevant for cloud data placement decisions |
| Privacy by design | Privacy built into systems from the start; a GDPR principle, with data minimisation and purpose limitation |
| Data retention | Policies defining how long data is kept and when it must be securely destroyed |
| DPO | Data Protection Officer: required by GDPR for certain organisations, oversees data protection compliance |
// Advanced Concepts to Know
| Topic | What to know |
| --- | --- |
| Supply chain security | SolarWinds / XZ Utils-style attacks: software build pipeline compromise, signed malicious updates, vendor assessment |
| MITRE ATT&CK | Tactics (why) → Techniques (how) → Sub-techniques (specifics). Use for detection gap analysis and red team planning. |
| MITRE D3FEND | Defensive counterpart to ATT&CK; maps defensive techniques to attacker techniques |
| SOAR | Automates repetitive SOC tasks using playbooks: ticket enrichment, IOC lookups, auto-containment |
| Deception technology | Honeypots, honeytokens, honey credentials; detect attackers who reach internal systems by their interaction with fake assets |
| UEBA | Baseline normal behaviour for users and entities; alert on statistical deviations (impossible travel, data exfiltration spikes) |
| Secure enclaves / TEE | Trusted Execution Environment: an isolated secure area of the processor for sensitive computation. Intel SGX, ARM TrustZone. |
// Exam Tips
Business context changes the right answer. SecurityX questions often include budget constraints, regulatory requirements, or organisational politics. A technically perfect control may not be the right answer if it's too expensive, breaks compliance, or requires skills the team doesn't have. Factor in the constraints.
You have 165 minutes; use them. SecurityX scenarios are long and require careful reading. Don't rush. Eliminate clearly wrong answers, then reason through the remaining options based on the scenario context.
Read the Jason Dion or Mike Chapple study materials. The CompTIA SecurityX official study guide covers the objectives in depth. Practice questions are essential: the exam style is significantly different from Security+ and takes practice to get comfortable with.
Don't underestimate it. CAS-005 has a higher failure rate than Security+. If you haven't worked in a senior security role, the practical scenarios may be unfamiliar. Lab experience and real-world exposure matter more here than rote memorisation.