CAS-005 — CompTIA SecurityX (CAS-005) Exam Blueprint

Last revised: June 18, 2026

Practical exam blueprint for CompTIA SecurityX (CAS-005) CAS-005 candidates, covering security architecture, engineering, risk, governance, operations, and final review readiness.

How to Use This Exam Blueprint

Use this page as a practical readiness map for the CompTIA SecurityX (CAS-005) exam. It is not a replacement for the official CompTIA exam objectives, but it can help you turn broad exam areas into concrete review tasks.

For each topic area, ask:

Can I explain the concept without notes?
Can I choose the best control in a scenario with tradeoffs?
Can I identify weak, risky, or incomplete designs?
Can I justify a recommendation to technical and nontechnical stakeholders?
Can I recognize what to do first, next, or best when multiple actions seem valid?

Mark each item as:

Green: I can apply it in a scenario.
Yellow: I recognize it but hesitate under pressure.
Red: I need structured review and more practice.

CAS-005 Topic-Area Readiness Map

Readiness area	What to review	“Ready” means you can…	Final-review check
Enterprise security architecture	Defense in depth, zero trust concepts, segmentation, trust boundaries, control placement	Design layered controls that match business risk, data sensitivity, and operational constraints	Given a network or cloud diagram, identify the weakest trust boundary
Security engineering	Secure design patterns, hardening, secure baselines, compensating controls	Select practical controls for systems, networks, applications, endpoints, and cloud workloads	Explain why one control is preventive, detective, corrective, or compensating
Risk management	Risk identification, likelihood, impact, risk appetite, exceptions, residual risk	Prioritize risk using business context instead of vulnerability severity alone	Decide whether to mitigate, transfer, accept, or avoid a risk
Governance and compliance	Policies, standards, procedures, audits, third-party risk, privacy, data handling	Map requirements to controls and evidence without treating compliance as complete security	Identify what artifact proves a control is operating effectively
Identity and access management	Federation, MFA, SSO, PAM, RBAC, ABAC, JIT/JEA access, lifecycle management	Design least-privilege access across users, administrators, services, and workloads	Spot excessive privilege, stale accounts, and weak federation assumptions
Network security	Firewalls, proxies, IDS/IPS, WAF, NAC, ZTNA, VPNs, DNS security, secure routing	Place controls correctly and troubleshoot gaps in north-south and east-west traffic	Given traffic flow, choose where visibility or enforcement should occur
Cloud and hybrid security	Shared responsibility, identity, logging, encryption, network controls, posture management, workload isolation	Secure cloud resources without assuming on-premises controls transfer directly	Identify which party owns a control in a shared-responsibility model
Application and API security	Secure SDLC, threat modeling, CI/CD security, SAST, DAST, SCA, secrets, API controls	Recommend controls across design, build, test, deployment, and runtime	Choose the right test or gate for a specific development risk
Data security	Classification, encryption, tokenization, masking, DLP, retention, backup, disposal	Protect data based on sensitivity, location, lifecycle stage, and user need	Distinguish encryption, hashing, tokenization, and masking use cases
Cryptography and PKI	Symmetric/asymmetric encryption, hashing, signatures, certificates, key lifecycle, HSMs, mTLS	Select crypto mechanisms and recognize key-management failure points	Explain what fails when a private key, CA, or certificate chain is compromised
Vulnerability and threat management	Scanning, validation, prioritization, exposure, exploitability, threat intelligence	Convert findings into risk-ranked remediation actions	Prioritize a lower-severity internet-facing issue over a higher-severity isolated one when context supports it
Security operations	Logging, SIEM, SOAR, detection engineering, threat hunting, alert triage	Correlate events, reduce noise, and identify likely malicious behavior	Given logs and symptoms, determine the most likely next investigative step
Incident response	Preparation, identification, containment, eradication, recovery, lessons learned	Choose actions that preserve evidence, reduce impact, and restore safely	Know when to isolate, collect, escalate, notify, or recover
Resilience and recovery	BCP, DR, backups, redundancy, failover, RTO, RPO, tabletop exercises	Align continuity controls to business requirements and test assumptions	Identify whether the problem is availability, integrity, recovery time, or recovery point
Communication and leadership	Executive reporting, risk communication, prioritization, stakeholder alignment	Explain security decisions in business terms and defend tradeoffs	Summarize technical risk as impact, likelihood, options, and recommendation

Can You Do This? Core CAS-005 Readiness Checklist

Architecture and Security Engineering

Identify trust boundaries in a diagram or system description.
Recommend segmentation for users, workloads, management planes, and sensitive data zones.
Explain when microsegmentation is more appropriate than broad VLAN-based segmentation.
Choose between preventive, detective, corrective, deterrent, and compensating controls.
Apply defense in depth without stacking redundant controls that do not reduce risk.
Recognize single points of failure in identity, network, logging, and recovery designs.
Evaluate security control tradeoffs involving cost, latency, usability, availability, and manageability.
Recommend hardening steps for servers, endpoints, network devices, containers, and cloud workloads.
Distinguish secure design from after-the-fact remediation.
Explain how a zero trust approach changes access decisions, monitoring, and segmentation.

Identity and Access Management

Compare authentication, authorization, accounting, and access governance.
Distinguish SSO, federation, MFA, conditional access, and adaptive authentication.
Know when to use RBAC, ABAC, rule-based access, or policy-based access.
Recognize risks from standing privilege, shared accounts, orphaned accounts, and service accounts.
Recommend privileged access management controls such as approval, vaulting, session recording, and just-in-time access.
Identify weak onboarding, role-change, and offboarding processes.
Explain the purpose of identity proofing and lifecycle governance.
Recognize when machine identities, API keys, certificates, or workload identities require the same discipline as user identities.
Troubleshoot common federation issues conceptually, such as claim mismatch, audience mismatch, expired certificate, or misconfigured trust.
Choose identity controls that support least privilege without blocking legitimate business workflows.

Network, Infrastructure, and Endpoint Security

Place firewalls, WAFs, proxies, IDS/IPS, NAC, VPN, and ZTNA controls in appropriate locations.
Explain north-south versus east-west traffic concerns.
Identify risks from flat networks, unmanaged devices, split tunneling, insecure DNS, and legacy protocols.
Recommend secure administrative access patterns for infrastructure.
Recognize when network visibility is missing because of encryption, cloud traffic paths, or unmanaged endpoints.
Distinguish host-based and network-based detection use cases.
Evaluate endpoint hardening, EDR, allowlisting, patching, disk encryption, and device compliance controls.
Identify how misconfigured routing, firewall rules, or security groups can expose sensitive services.
Explain secure remote access tradeoffs for employees, administrators, vendors, and contractors.
Recognize when compensating controls are needed for unsupported or hard-to-patch systems.

Cloud, Virtualization, and Hybrid Environments

Apply shared-responsibility thinking to identity, network, data, workload, and logging controls.
Secure management planes with strong identity, least privilege, logging, and change control.
Recognize risks from public exposure, overly permissive access policies, weak secrets handling, and default configurations.
Compare security needs for IaaS, PaaS, SaaS, containers, serverless, and managed services at a conceptual level.
Recommend controls for cloud storage, databases, APIs, and workloads based on sensitivity and exposure.
Identify when encryption is insufficient because access control is weak.
Use posture management concepts to find misconfiguration and policy drift.
Recognize risks in multi-cloud and hybrid identity federation.
Secure CI/CD paths that deploy infrastructure or applications into cloud environments.
Explain how logging, monitoring, and incident response differ in cloud and hybrid environments.

Application, API, and DevSecOps Security

Perform basic threat modeling using assets, actors, entry points, trust boundaries, and abuse cases.
Identify common application risks such as injection, broken access control, insecure deserialization, weak session handling, and insecure file handling.
Recommend secure SDLC activities at requirements, design, coding, testing, release, and maintenance stages.
Choose between SAST, DAST, IAST, SCA, fuzzing, manual review, and penetration testing based on the scenario.
Secure CI/CD pipelines with least privilege, protected branches, signed artifacts, approval gates, and secrets management.
Recognize the risk of dependency confusion, vulnerable libraries, malicious packages, and insecure build runners.
Apply API security controls such as authentication, authorization, schema validation, rate limiting, logging, and gateway enforcement.
Explain why secrets should not be stored in source code, images, logs, or pipeline variables without protection.
Distinguish vulnerability discovery from exploitability and business impact.
Recommend runtime protections where pre-deployment testing is not enough.

Data Security and Privacy

Classify data by sensitivity, business value, regulatory exposure, and lifecycle stage.
Choose appropriate controls for data at rest, in transit, and in use.
Distinguish encryption, hashing, tokenization, anonymization, pseudonymization, and masking.
Apply least privilege to databases, file shares, object storage, analytics platforms, and backups.
Recognize overexposure through logs, exports, test data, screenshots, email, and third-party integrations.
Recommend DLP controls based on data flow, endpoint use, cloud storage, email, and web channels.
Explain retention, legal hold, secure disposal, and backup handling concepts.
Identify when privacy impact, data minimization, or consent-related review is needed.
Recognize that encrypted data can still be mishandled if keys or access policies are weak.
Map data controls to evidence an auditor or risk owner would expect.

Cryptography, PKI, and Key Management

Choose symmetric encryption for efficient bulk data protection and asymmetric cryptography for key exchange, signatures, or identity use cases.
Distinguish hashing from encryption and know why hashes are not reversible.
Explain digital signatures, integrity, nonrepudiation, and certificate trust.
Trace a certificate chain conceptually from end-entity certificate to trusted root.
Recognize issues caused by expired certificates, weak algorithms, improper trust stores, or private key exposure.
Recommend secure key generation, storage, rotation, escrow, revocation, and destruction practices.
Explain when HSMs, key management services, or dedicated secrets managers are appropriate.
Distinguish TLS, mTLS, SSH keys, code-signing certificates, and email certificates by use case.
Identify the operational impact of certificate renewal failure.
Recognize that cryptography does not solve authorization, endpoint compromise, or poor process design.

Vulnerability, Threat, and Exposure Management

Interpret vulnerability scan output without blindly following severity scores.
Prioritize remediation using exploitability, exposure, asset criticality, compensating controls, and business impact.
Distinguish vulnerability scanning, penetration testing, red teaming, purple teaming, and security assessments.
Recommend remediation, mitigation, compensating controls, or risk acceptance based on constraints.
Use threat intelligence to enrich prioritization, not replace validation.
Recognize false positives, duplicate findings, unauthenticated scan limitations, and asset inventory gaps.
Explain how patch management differs for endpoints, servers, appliances, containers, applications, and third-party services.
Identify when emergency change processes are justified.
Track exceptions with owners, expiration dates, business justification, and compensating controls.
Convert technical findings into executive-level risk statements.

Security Operations, Detection, and Incident Response

Identify high-value log sources such as identity providers, endpoints, DNS, firewalls, cloud control planes, applications, databases, and EDR tools.
Correlate events across time, user, host, IP address, process, and data access.
Explain the difference between alert triage, incident investigation, threat hunting, and forensic analysis.
Choose containment actions that limit damage without destroying evidence unnecessarily.
Identify indicators of compromise and indicators of attack conceptually.
Recognize suspicious authentication patterns, privilege escalation, lateral movement, command-and-control behavior, and data exfiltration cues.
Recommend SIEM tuning to reduce false positives while preserving meaningful visibility.
Explain when SOAR automation is appropriate and when human approval is required.
Preserve evidence using sound chain-of-custody thinking.
Identify lessons-learned outputs that improve controls, detection, training, and response plans.

Governance, Risk, Compliance, and Third-Party Risk

Distinguish policies, standards, procedures, guidelines, and baselines.
Map business requirements to control objectives and implementation evidence.
Explain risk appetite, risk tolerance, inherent risk, residual risk, and control effectiveness.
Recommend risk treatment: avoid, mitigate, transfer, or accept.
Identify when a risk exception is appropriate and what must be documented.
Evaluate vendor risk using data access, connectivity, service criticality, compliance needs, incident history, and exit strategy.
Recognize contract and due diligence topics such as right to audit, breach notification, data handling, subcontractors, and service availability.
Understand how audits use evidence, sampling, control design, and control operating effectiveness.
Communicate risk in terms of business impact, not just technical weakness.
Recognize that compliance can reduce risk but does not guarantee adequate security.

Scenario and Decision-Point Checks

Use these prompts to practice the judgment style expected of an advanced security exam.

Scenario cue	Ask yourself first	Strong answer usually considers
“A critical vulnerability is found on an internet-facing system”	Is it exploitable, exposed, and business-critical?	Emergency patching, compensating controls, monitoring, rollback plan, owner communication
“The organization is moving to zero trust”	What identities, devices, apps, and data flows exist?	Strong identity, continuous authorization, segmentation, telemetry, least privilege
“A cloud storage resource is publicly accessible”	Is the exposure intentional, accidental, or inherited?	Access policy review, data sensitivity, logging, key exposure, remediation, notification path
“A privileged account is used from an unusual location”	Is this impossible travel, credential theft, or valid admin work?	MFA signals, session logs, device posture, PAM records, containment, credential reset
“A business unit wants an exception to security policy”	What risk is being accepted and by whom?	Business justification, compensating controls, expiration date, accountable owner
“A vendor needs remote access”	What access is required, for how long, and how monitored?	Least privilege, MFA, ZTNA/VPN, session recording, network restrictions, offboarding
“Backups exist but recovery is failing”	Were restore procedures tested under realistic conditions?	RTO/RPO alignment, immutable backups, access to keys, dependency mapping, runbooks
“A SIEM has too many alerts”	Are alerts mapped to real detection goals?	Tuning, enrichment, suppression rules, severity logic, use-case review
“Developers need faster releases”	Which controls can shift left or automate?	SAST/SCA gates, IaC scanning, secrets detection, approval workflow, exception handling
“Sensitive data appears in logs”	How did it get there and where did it propagate?	Data minimization, masking, log retention, access review, purge process, developer guidance
“An endpoint is suspected of compromise”	What evidence is volatile and what damage can continue?	Isolation, memory/process capture if appropriate, EDR data, credential risk, lateral movement
“A control passed an audit but incidents continue”	Was the control designed well and operating effectively?	Control scope, evidence quality, threat alignment, monitoring, remediation tracking

Artifact Review Checklist

Be ready to interpret artifacts, not just define terms.

Artifact	What to identify	Readiness question
Network diagram	Trust boundaries, exposed services, management paths, segmentation gaps	Can you point to the highest-risk path an attacker would use?
Data flow diagram	Data stores, processors, transmission paths, third parties, sensitive fields	Can you identify where encryption, DLP, or minimization belongs?
IAM policy or access matrix	Excessive privilege, missing separation of duties, stale roles, broad wildcard access	Can you reduce access without breaking the business function?
Firewall or security group rules	Overly broad sources, risky ports, shadowed rules, missing egress control	Can you explain which rule creates the most exposure?
Vulnerability report	Severity, exploitability, asset criticality, remediation owner, false positives	Can you reorder findings by actual risk?
SIEM alert set	Correlated events, repeated failures, privilege changes, impossible travel, endpoint signals	Can you separate noise from a likely incident?
Incident timeline	Initial access, escalation, lateral movement, containment, recovery	Can you identify what should have happened earlier?
Certificate details	Expiration, subject, issuer, SANs, key usage, chain trust	Can you diagnose a certificate or trust failure conceptually?
Cloud account layout	Management plane access, logging coverage, public exposure, key ownership	Can you identify which control prevents accidental exposure?
CI/CD pipeline	Build permissions, secrets, dependency checks, artifact integrity, deployment approval	Can you find where supply-chain risk enters?
Risk register	Owner, impact, likelihood, treatment plan, residual risk, due date	Can you tell whether the risk is being managed or merely recorded?
Third-party assessment	Data access, service criticality, compliance evidence, incident process, exit plan	Can you identify the most important unresolved vendor risk?

Risk and Prioritization Checks

You do not need to force every scenario into a formula, but you should be comfortable with common risk math when values are provided.

\[ \text{Risk} = \text{likelihood} \times \text{impact} \]

A more practical exam-prep mental model is:

\[ \text{Priority} = \text{impact} \times \text{likelihood} \times \text{exposure/context} \]

If annualized loss concepts appear in a practice scenario, remember:

\[ \text{SLE} = \text{asset value} \times \text{exposure factor} \]\[ \text{ALE} = \text{SLE} \times \text{ARO} \]

Review these decision points:

Can you explain the difference between inherent risk and residual risk?
Can you identify when a vulnerability with a lower technical severity should be fixed first?
Can you defend a compensating control when immediate remediation is not feasible?
Can you tell when risk acceptance requires formal approval?
Can you separate risk ownership from technical remediation ownership?
Can you explain why asset criticality changes remediation priority?
Can you recognize when a control reduces likelihood versus impact?
Can you identify whether a proposed control is cost-effective for the scenario?

Security Architecture Decision Prompts

If the scenario emphasizes…	Consider…	Avoid jumping directly to…
Stolen credentials	MFA, conditional access, PAM, passwordless options, anomaly detection, session revocation	Network firewall changes only
Lateral movement	Segmentation, endpoint detection, least privilege, admin tiering, credential protection	More perimeter controls only
Data exfiltration	DLP, egress monitoring, data classification, access review, encryption, user behavior analytics	Encryption alone
Web application attacks	WAF, secure coding, input validation, SAST/DAST, API gateway, patching	Blocking IPs as the only solution
Insider risk	Least privilege, monitoring, separation of duties, behavior analytics, access reviews	Assuming all insiders are malicious
Legacy system risk	Isolation, virtual patching, monitoring, compensating controls, migration plan	Unsupported patching promises
Cloud misconfiguration	Policy-as-code, posture management, IAM review, logging, guardrails	Treating cloud like a traditional data center
Supply-chain risk	Vendor due diligence, SCA, signed artifacts, SBOM concepts, build integrity, contract controls	Trusting reputation alone
Ransomware resilience	EDR, least privilege, segmentation, offline/immutable backups, restore testing, user controls	Backups that are never tested
Audit finding	Root cause, control design, evidence, remediation plan, owner, timeline	A screenshot as permanent proof

Common Weak Areas and Exam Traps

Weak area	Why candidates miss it	How to fix it
Choosing tools before requirements	The answer sounds technical and familiar	Identify asset, threat, business goal, and constraint before selecting a control
Treating encryption as a universal solution	Encryption feels strong but may not address access abuse	Ask who has access to keys and plaintext
Confusing authentication and authorization	Both relate to identity	Say: authentication proves identity; authorization grants access
Ignoring operational impact	A control can reduce risk but disrupt availability or workflow	Include rollout, monitoring, exception, and support considerations
Prioritizing by severity only	Scanner scores lack business context	Add exposure, exploitability, asset value, and compensating controls
Overlooking service accounts	Human users get more attention	Review machine identities, keys, tokens, and rotation
Assuming compliance equals security	Passing an audit may not address current threats	Separate control evidence from actual risk reduction
Missing data lifecycle stages	Candidates focus on storage only	Track creation, use, sharing, retention, backup, archive, and disposal
Misplacing network controls	Control placement determines visibility and enforcement	Trace traffic flow before selecting device or policy
Weak cloud responsibility model thinking	On-prem habits do not map cleanly	Ask who controls identity, platform, data, network, and logs
Poor incident sequencing	Many actions seem helpful	Preserve evidence, contain impact, escalate appropriately, recover safely
Forgetting recovery dependencies	Backups are only one component	Include keys, identity, DNS, network, apps, vendors, and runbooks
Confusing risk acceptance with ignoring risk	Acceptance must be intentional and documented	Identify owner, justification, expiration, and residual risk
Not translating to business language	Advanced exams test judgment, not just definitions	State impact, options, tradeoff, and recommendation

Final-Week CAS-005 Checklist

Seven to Five Days Out

Review the official CompTIA SecurityX (CAS-005) CAS-005 objective list alongside your notes.
Mark every topic area green, yellow, or red.
Spend most review time on yellow areas; isolate red areas that are high-value and fixable.
Rework missed practice questions and write why the correct answer is best.
Build one-page summaries for IAM, cloud security, cryptography, risk, incident response, and architecture decisions.
Practice explaining controls in plain business language.
Review diagrams and artifact-style questions, not only definition flashcards.

Four to Two Days Out

Do mixed-topic practice so you must identify the domain yourself.
Drill “best,” “first,” and “next” decision questions.
Review risk treatment, exception handling, incident sequencing, and control selection.
Recheck weak protocol and identity concepts: federation, MFA, PAM, service accounts, certificates, and API authorization.
Review cloud and hybrid scenarios involving misconfiguration, public exposure, logging gaps, and excessive privilege.
Practice prioritizing vulnerabilities using context.
Stop deep-diving obscure edge cases unless they connect to a repeated weak area.

Final Day

Review your condensed notes only.
Rehearse the decision process: asset, threat, risk, control, tradeoff, evidence.
Review common traps and your personal mistake log.
Confirm exam logistics and identification requirements through the official exam process.
Avoid cramming new tools or frameworks late.
Sleep and preserve focus for scenario interpretation.

Exam-Day Decision Routine

When a CAS-005 question feels ambiguous, slow down and use this sequence:

Identify the goal: confidentiality, integrity, availability, safety, compliance, resilience, detection, or governance.
Find the asset: user, system, data, workload, process, vendor, or business service.
Determine the risk: what can go wrong, how likely it is, and what impact it creates.
Check constraints: budget, downtime, legacy systems, legal needs, business continuity, user experience.
Choose the control: prefer the option that directly reduces the stated risk.
Validate the wording: answer what is asked: best, first, next, most secure, most cost-effective, or most appropriate.
Avoid overengineering: the strongest technology is not always the best answer.

Practical Next Step

Use this checklist to build a personal CAS-005 review plan. Pick your weakest three readiness areas, complete targeted review, then practice with scenario-based questions that force you to choose and justify controls under realistic constraints.

Study Plan

Scenario Guide