Try 10 focused CompTIA SecurityX CAS-005 questions on Security Operations, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
Try CompTIA SecurityX CAS-005 on Web View full CompTIA SecurityX CAS-005 practice page
| Field | Detail |
|---|---|
| Exam route | CompTIA SecurityX CAS-005 |
| Topic area | Security Operations |
| Blueprint weight | 22% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Security Operations for CompTIA SecurityX CAS-005. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 22% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Security Operations
A global manufacturer wants to add a new threat intelligence source to its hybrid SOC. The source will feed SIEM correlations and a SOAR playbook that can quarantine cloud workloads and on-premises endpoints. Legal requires sharing governance, and operations will approve the source only if it reduces incident response time without increasing false positives. Which validation step is the BEST professional decision before production use?
Options:
A. Run a time-boxed pilot against recent incidents and assets
B. Approve the source based on ISAC membership
C. Enable automated blocking for all high-confidence indicators
D. Compare the feed volume to existing sources
Best answer: A
Explanation: Threat intelligence validation should prove that the source improves decisions in the organization’s actual environment before it drives automation. A time-boxed pilot can measure whether indicators arrive early enough to matter, match the organization’s technologies and threat model, correlate with known incidents or credible external reporting, and produce actions analysts can safely take. Because this feed may trigger SOAR quarantine across cloud and on-premises assets, validation must include false-positive impact and operational outcomes, not just trust in the provider. Sharing and legal constraints can be reviewed during onboarding, but they do not by themselves prove intelligence quality. The key takeaway is to validate intelligence with local context and measurable response value before production enforcement.
Topic: Security Operations
A security engineer is reviewing a production API after a critical application vulnerability alert. Which mitigation best addresses the root issue shown in the exhibit and reduces recurrence risk?
Exhibit: Vulnerability summary
| Finding | Evidence |
|---|---|
| SCA result | Critical RCE in transitive library json-path 2.4.0 |
| Source | Pulled by report-exporter:1.+; no lockfile exists |
| Fixed path | report-exporter 1.2.3 pins json-path 2.9.0 |
| Current controls | Container images are signed; volumes are encrypted |
| Release rule needed | Block promotion when critical dependency CVEs are present |
Options:
A. Allow list approved container image repositories only
B. Require container image signatures before deployment
C. Implement dependency pinning, lockfiles, and an SCA promotion gate
D. Encrypt application volumes and package caches at rest
Best answer: C
Explanation: This is a dependency management problem, not an artifact integrity or data confidentiality problem. The vulnerable library entered production through a floating dependency version and no lockfile, which allowed an unsafe transitive library to be promoted. Pinning approved versions, using lockfiles, and enforcing software composition analysis in the release pipeline address both the immediate vulnerable package and the recurrence path. Existing image signing helps prove artifact integrity, but it does not prove the artifact is free of vulnerable components. The key takeaway is to match the control to the vulnerability’s source: vulnerable third-party code requires dependency governance and release gating.
Topic: Security Operations
A hybrid enterprise uses the same IdP, EDR, firewall, and cloud audit logs for incident response and annual regulatory audits. Auditors require 1 year of immutable raw-log retention with chain-of-custody evidence. The SOC reports that several detections are unreliable because events arrive late, duplicate, or lack normalized identity fields. Hot SIEM storage is limited to 45 days. Which action is the BEST professional decision?
Options:
A. Archive immutable raw logs; validate normalized, deduplicated SIEM feeds
B. Close the SOC finding because raw-log retention is compliant
C. Drop low-value fields to improve SIEM correlation speed
D. Expand hot SIEM retention to 1 year for all sources
Best answer: A
Explanation: Retention compliance and SIEM correlation quality are related but different control objectives. The immutable raw-log archive satisfies audit evidence, legal defensibility, and chain-of-custody requirements. Reliable incident response still requires operational controls in the detection pipeline: source onboarding checks, time synchronization, parsing, field normalization, deduplication, and monitoring for delayed or missing events. Keeping 45 days of hot searchable data can be acceptable if the SOC’s correlation layer is validated and older raw logs remain retrievable for investigations and audits. The key is to preserve evidentiary completeness without assuming that retained logs are automatically usable for timely detection.
Topic: Security Operations
An enterprise SaaS reporting API runs in a cloud VPC and queries an on-premises database through a private link. A preproduction test finds the API builds part of a SQL statement from request parameters. Requirements: keep dynamic filtering/sorting, preserve tenant isolation, and avoid relying only on perimeter controls.
Exhibit: Query construction excerpt
sql = "SELECT id, status, created_at FROM orders WHERE tenant_id = ?"
if request["status"]:
sql += " AND status = '" + request["status"] + "'"
sql += " ORDER BY " + request["sort"]
Which design change is the BEST professional decision to reduce the demonstrated weakness?
Options:
A. Escape quotes and reject semicolons in request parameters
B. Move reporting to a read-only replica unchanged
C. Place the API behind a WAF and monitor database errors
D. Use prepared statements with server-side sort-field allowlisting
Best answer: D
Explanation: The weakness is SQL injection caused by concatenating untrusted request values into executable query text. Dynamic filtering can be preserved by parameterizing all data values, such as status, so the database treats them as values rather than SQL. Dynamic sorting needs a different safe pattern because column names usually cannot be bound as parameters; the application should map client-provided sort choices to a fixed server-side allowlist of valid column identifiers and directions. This reduces the root weakness inside the application and supports tenant isolation across the cloud-to-on-premises boundary. Perimeter monitoring or a read-only replica may reduce exposure, but they do not make the query construction safe.
Topic: Security Operations
An incident responder is reviewing artifacts after proprietary engineering files appeared on an external sharing site. Which interpretation is best supported by the exhibit?
Exhibit: Correlated response data
Subject: rpatel, senior design engineer
HR status: resignation submitted 4 days ago
21:08 VPN: successful MFA from managed laptop
21:13 EDR: DLP agent stopped by local admin token
21:16 File audit: 1,284 CAD files read from restricted share
21:22 Endpoint: archive created in user Downloads folder
21:29 Proxy: 742 MB upload to personal cloud storage
Peer baseline: no similar bulk reads or uploads this month
Options:
A. False positive from normal engineering collaboration
B. Credential theft from an unmanaged device
C. Ransomware staging before encryption
D. Insider data exfiltration using authorized access
Best answer: D
Explanation: The strongest indicator is a behavioral and contextual pattern consistent with insider exfiltration: a departing privileged user, successful access from a managed device, local stopping of the DLP agent, abnormal bulk reads from a restricted share, local archiving, and upload to personal cloud storage. Insider incidents often use valid credentials and normal access paths, so the absence of failed logins or malware does not reduce concern. The decisive issue is misuse of authorized access combined with policy-violating data movement. A compromised account remains possible in real investigations, but the exhibit does not show an unmanaged device, impossible travel, MFA fatigue, or other account-takeover evidence.
Topic: Security Operations
A security engineer is preparing evidence for an insider-access investigation covering April 1 through May 15. The legal team requires proof that the logs are complete for the investigation window, have not been altered, and were handled under documented custody.
Exhibit: Evidence package review
| Package | Coverage | Integrity evidence | Custody and retention evidence |
|---|---|---|---|
| Apollo | IdP, PAM, cloud admin API, and EDR logs for April 1-May 15 | SHA-256 manifest signed by corporate KMS; immutable ingest receipt IDs | Case ID, collector, UTC collection time, transfer handoff, custodian approval; WORM legal hold for original object versions |
| Borealis | Same sources for April 10-May 15 | SIEM query ID and analyst notes | 90-day hot SIEM retention; no legal-hold confirmation |
| Cygnus | IdP, PAM, and EDR logs for April 1-May 15 | Analyst-generated CSV hashes | Email approval from investigator; originals not referenced |
| Dorado | Same sources for April 1-May 15 | Object version IDs and unsigned hash list | WORM legal hold confirmed; custody record lacks transfer handoff |
Options:
A. Package Cygnus
B. Package Borealis
C. Package Dorado
D. Package Apollo
Best answer: D
Explanation: For investigation evidence, three proof areas must align: retention coverage, integrity, and chain of custody. Coverage means the required data sources span the full investigation window. Integrity is strongest when hashes are tied to immutable originals and signed or otherwise protected by a trusted key-management process. Chain of custody must document who collected the evidence, when, under what case, and each handoff or custodian approval. A legal hold on WORM-preserved original object versions helps show the logs remained available and unmodified for later review. Missing source coverage, unsigned or analyst-only hashes, or incomplete handoff records weakens evidentiary defensibility.
Topic: Security Operations
A multinational manufacturer is investigating a likely supply-chain intrusion affecting an on-premises ERP connector and a cloud file-transfer service. The CISO wants to warn an industry ISAC and two strategic partners within 24 hours, but the evidence includes customer identifiers, a vendor NDA, and detection logic that could reveal monitoring gaps. Which governance decision is the BEST professional approach?
Options:
A. Send the full logs and detection queries to all partners immediately
B. Share only a press statement without technical indicators
C. Delay all sharing until legal attribution is confirmed
D. Share sanitized, validated indicators with TLP markings through approved channels
Best answer: D
Explanation: Indicator-sharing governance should enable timely defense while controlling disclosure risk. In this scenario, the organization can share actionable indicators, such as hashes, domains, IPs, file names, and observed TTPs, after validation and sanitization. Applying Traffic Light Protocol markings, using approved ISAC or partner channels, and coordinating with legal/privacy stakeholders addresses customer data, NDA, and trust constraints without unnecessarily withholding useful intelligence. Detection logic and raw logs should be protected when they expose sensitive monitoring capabilities or regulated data.
The key takeaway is to share what partners need to defend themselves, not everything the investigation has collected.
Topic: Security Operations
A security operations team is reviewing an application compromise that began during CI/CD. Which action best maps to the attack-surface concern supported by the exhibit?
Exhibit: Build and runtime findings
| Finding | Status |
|---|---|
| CI package resolver checks public registry before private mirror | Enabled |
| Internal package name also exists in public registry | Confirmed |
| Production image signed by organization key | Passed admission check |
| Runtime process allow list | Only permits signed app binary |
| Container includes shell and package manager | Present |
Options:
A. Require signed production images before cluster admission
B. Add a WAF rule for package download requests
C. Force dependencies through an approved private repository with pinned versions
D. Remove the shell and package manager from the container image
Best answer: C
Explanation: The decisive concern is dependency management in the build path. The resolver checks a public registry before the private mirror, and an internal package name also exists publicly, which creates a dependency confusion or package substitution risk. Signing the final image proves the image came through the organization’s signing process, but it does not prove every dependency was trustworthy before the image was signed. The best mitigation is to constrain dependency resolution to approved sources and pinned or verified versions.
Least functionality, runtime allow listing, and defense-in-depth controls still matter, but they do not address the root build-time attack surface shown in the exhibit.
Topic: Security Operations
A multinational enterprise is revising its SOC monitoring plan after two incidents were detected by business users before the SOC. The environment includes SaaS apps, cloud workloads, on-premises identity services, and segmented payment systems. Current dashboards prioritize by raw alert volume, the SIEM lacks IdP risk events and cloud control-plane logs, and analysts spend most of each shift closing duplicate low-severity endpoint alerts. PCI evidence must show monitoring coverage for regulated systems without increasing staffing. Which action is the BEST professional decision?
Options:
A. Replace current dashboards with executive summaries based on alert counts
B. Forward all available telemetry to the SIEM and retain default alert severities
C. Implement risk-based enrichment, onboard missing identity and cloud logs, and tune duplicate detections
D. Auto-contain every endpoint that generates repeated low-severity alerts
Best answer: C
Explanation: A strong monitoring plan balances coverage, signal quality, and prioritization. In this scenario, the SOC has both blind spots and excessive noise: missing IdP and cloud control-plane logs reduce visibility across key trust boundaries, while duplicate endpoint alerts consume analyst time. The best correction is to add the missing high-value telemetry, enrich events with business context such as asset criticality and payment-system scope, and tune or deduplicate detections so dashboards rank likely impact instead of raw volume. This also supports PCI evidence because regulated systems can be explicitly mapped to monitored log sources and alert workflows. Simply collecting more data or reporting more counts does not improve detection quality.
Topic: Security Operations
A security operations lead must assign the first response action for four new intakes. The organization uses the policy and evidence below. Which triage decision is best supported?
Exhibit: Triage evidence
| Intake | Evidence |
|---|---|
| Policy | P1: exploit-in-wild or active exploit indicators on internet-facing systems with confidential data; contain immediately. P2: reproducible high-risk production flaw without exploit evidence. |
| Threat feed + scan | Feed reports a CVE exploited in a current campaign; scanner confirms the CVE on public pay-api; WAF shows matching probes; stores payment tokens. |
| Bounty finding | Reproducible IDOR in beta export; researcher tenant only; no customer data. |
| Third-party report | Subprocessor missed access-review attestation; no failed access controls observed. |
| Vulnerability scan | Critical RCE on internal build worker; segmented; no exploit telemetry. |
Options:
A. Triage the beta IDOR as P1 due to reproducibility.
B. Prioritize the subprocessor attestation gap for containment.
C. Patch the internal build worker before investigating pay-api.
D. Escalate pay-api for P1 containment and investigation.
Best answer: D
Explanation: Response triage should combine source reliability, exploitability, exposure, asset criticality, and observed activity. The pay-api item has corroboration from multiple sources: external threat intelligence says the CVE is being exploited, vulnerability scan data confirms the affected condition, WAF telemetry shows matching probes, and the asset is internet-facing with payment tokens. That combination moves it from vulnerability management into incident response priority. The bounty finding is real but constrained to beta data, the third-party issue is a governance control gap, and the internal RCE lacks exploit telemetry and external reachability. Critical severity alone should not outrank confirmed exploit-in-the-wild evidence against a sensitive public workload.
pay-api.Use the CompTIA SecurityX CAS-005 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try CompTIA SecurityX CAS-005 on Web View CompTIA SecurityX CAS-005 Practice Test
Read the CompTIA SecurityX CAS-005 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.