Prepare for the Actual CompTIA CASP CAS-005 Exam Practice Materials Collection [Q52-Q72]


CompTIA CASP Certified Official Practice Test CAS-005 - May-2026


CompTIA CAS-005 Exam Syllabus Topics:

Topic 1: Security Architecture
  • This domain focuses on analyzing requirements to design resilient systems, including the configuration of firewalls and intrusion detection systems.
Topic 2: Security Engineering
  • This section measures the skills of CompTIA security architects that involve troubleshooting common issues related to identity and access management (IAM) components within an enterprise environment. Candidates will analyze requirements to enhance endpoint and server security while implementing hardware security technologies. This domain also emphasizes the importance of advanced cryptographic concepts in securing systems.
Topic 3: Security Operations
  • This domain is designed for CompTIA security architects and covers analyzing data to support monitoring and response activities, as well as assessing vulnerabilities and recommending solutions to reduce attack surfaces. Candidates will apply threat-hunting techniques and utilize threat intelligence concepts to enhance operational security.
Topic 4: Governance, Risk, and Compliance
  • This section of the exam measures the skills of CompTIA security architects that cover the implementation of governance components based on organizational security requirements, including developing policies, procedures, and standards. Candidates will learn about managing security programs, including awareness training on phishing and social engineering.

 

NEW QUESTION # 52
A company sells a security appliance assembled from globally sourced hardware and software components. Installing the security appliance requires enabling administrative permissions for the service accounts on the appliance. Which of the following allows the company to reassure new and existing customers that the risk introduced by the appliance is minimal?

  • A. A transparent supply chain risk management and testing program
  • B. Results of internal risk reduction studies conducted by a third-party assessor
  • C. A business impact analysis and risk prioritization process
  • D. The results of a qualitative risk analysis performed on the appliance

Answer: A

Explanation:
A transparent supply chain risk management and testing program gives customers visibility into how the company evaluates, tests, and secures globally sourced components. This directly reassures customers that risks from the appliance are minimized through rigorous, verifiable controls and supply chain oversight.


NEW QUESTION # 53
An organization wants to implement an access control system based on its data classification policy that includes the following data types:
- Confidential
- Restricted
- Internal
- Public
The access control system should support SSO federation to map users into groups. Each group should only access systems that process and store data at the classification assigned to the group. Which of the following should the organization implement to enforce its requirements with a minimal impact to systems and resources?

  • A. A rule-based access control strategy enforced by the SSO system with rules managed by the internal LDAP and applied on a per-system basis
  • B. Role-based access control that maps data types to internal roles, which are defined in the human resources department's source of truth system
  • C. A tagging strategy in which all resources are assigned a tag based on the data classification type, and a system that enforces attribute-based access control
  • D. Network microsegmentation based on data types, and a network access control system enforcing mandatory access control based on the user principal

Answer: C

Explanation:
Tagging strategy: All resources (e.g., systems, files, databases) can be assigned tags based on their classification type (Confidential, Restricted, Internal, Public). This allows the access control system to associate resources with their data classifications without significant changes to the underlying systems.
Attribute-based access control (ABAC): ABAC allows access control decisions to be based on attributes (such as user group, resource tags, or data classification). By using ABAC, the system can enforce rules dynamically, allowing users in specific groups (mapped through SSO federation) to only access resources that match their assigned data classification.
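The following is an added example (not part of the original question bank) of a minimal policy decision point for the scheme described above: SSO group claims are mapped to a classification attribute, each resource carries a classification tag, and a subject is allowed only where the two match exactly. Group names, tag keys and sample data are constructed assumptions; untagged resources are denied by default, which is the failure mode a tagging strategy most needs to handle.

```python
"""Added example: ABAC decision for 'group classification must equal resource tag'.
Everything below (group names, tag key, sample subjects/resources) is constructed."""
from dataclasses import dataclass, field

CLASSIFICATIONS = {"Confidential", "Restricted", "Internal", "Public"}

# Assumed mapping from SSO federation group claims to a classification attribute.
GROUP_CLASSIFICATION = {
    "grp-confidential": "Confidential",
    "grp-restricted": "Restricted",
    "grp-internal": "Internal",
    "grp-public": "Public",
}


@dataclass
class Subject:
    user: str
    groups: list  # group claims delivered in the SSO assertion


@dataclass
class Resource:
    name: str
    tags: dict = field(default_factory=dict)  # e.g. {"classification": "Internal"}


def subject_classifications(subject):
    """Derive the subject's classification attributes from its SSO groups.
    Unknown group claims contribute nothing, so a stray claim cannot widen access."""
    return {GROUP_CLASSIFICATION[g] for g in subject.groups if g in GROUP_CLASSIFICATION}


def decide(subject, resource):
    """Return (allowed, reason). Deny by default: a resource with a missing or
    invalid classification tag is a policy failure, not an implicit Public."""
    tag = resource.tags.get("classification")
    if tag not in CLASSIFICATIONS:
        return False, f"{resource.name}: missing or invalid classification tag {tag!r}"
    allowed = tag in subject_classifications(subject)
    verdict = "allow" if allowed else "deny"
    return allowed, f"{subject.user} -> {resource.name} [{tag}]: {verdict}"


def accessible(subject, resources):
    """Names of the resources this subject may reach, for an access review."""
    return sorted(r.name for r in resources if decide(subject, r)[0])


if __name__ == "__main__":
    alice = Subject("alice", ["grp-internal"])
    inventory = [
        Resource("wiki", {"classification": "Internal"}),
        Resource("hr-db", {"classification": "Confidential"}),
        Resource("legacy-share"),  # never tagged: denied to everyone
    ]
    for r in inventory:
        print(decide(alice, r)[1])
```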


NEW QUESTION # 54
An organization recently implemented a purchasing freeze that has impacted endpoint life-cycle management efforts. Which of the following should a security manager do to reduce risk without replacing the endpoints?

  • A. Dispose of end-of-support devices
  • B. Remove unneeded services
  • C. Deploy EDR
  • D. Reimage the system

Answer: B

Explanation:
Removing unnecessary services from existing endpoints reduces the attack surface by minimizing the number of potential vulnerabilities attackers could exploit. This is a cost-effective method to harden devices without requiring new purchases, aligning perfectly with a purchasing freeze. Deploying new EDR solutions or disposing of devices would likely conflict with the resource freeze, and reimaging systems does not address minimizing services proactively.


NEW QUESTION # 55
A Chief Information Security Officer requests an action plan to remediate vulnerabilities. A security analyst reviews the output from a recent vulnerability scan and notices hundreds of unique vulnerabilities. The output includes the CVSS score, IP address, hostname, and the list of vulnerabilities. The analyst determines more information is needed in order to decide which vulnerabilities should be fixed immediately. Which of the following is the best source for this information?

  • A. Business impact analysis
  • B. Crisis management plan
  • C. Third-party risk review
  • D. Incident response playbook

Answer: A

Explanation:
The correct source is the Business Impact Analysis (BIA). A BIA provides context about which systems and applications are most critical to business operations, regulatory compliance, and customer obligations. While CVSS scores indicate severity in technical terms, they do not reflect the business impact of exploitation. For example, a medium-severity vulnerability on a critical payment system may pose more business risk than a high-severity vulnerability on a test server.
A third-party risk review focuses on vendor security posture, not internal remediation priorities. An incident response playbook guides response during active incidents, not vulnerability prioritization. A crisis management plan addresses executive-level communications during crises, not technical risk assessment.


NEW QUESTION # 56
SIMULATION
[Security Architecture]
You are a security analyst tasked with interpreting an Nmap scan output from the company's privileged network.
The company's hardening guidelines indicate the following:
- There should be one primary server or service per device.
- Only default ports should be used.
- Non-secure protocols should be disabled.
INSTRUCTIONS
Using the Nmap output, identify the devices on the network and their roles, and any open ports that should be closed.
For each device found by Nmap, add a device entry to the Devices Discovered list, with the following information:
- The IP address of the device
- The primary server or service of the device (note that each IP should be associated with one service/port only)
- The protocol(s) that should be disabled based on the hardening guidelines (note that multiple ports may need to be closed to comply with the hardening guidelines)
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Answer:

Explanation:
10.1.45.65: SFTP server; disable 8080
10.1.45.66: Email server; disable 415 and 443
10.1.45.67: Web server; disable 21 and 80
10.1.45.68: UTM appliance; disable 21


NEW QUESTION # 57
A technician is reviewing the logs and notices a large number of files were transferred to remote sites over the course of three months. This activity then stopped. The files were transferred via TLS-protected HTTP sessions from systems that do not normally send traffic to those sites. The technician will define this threat as:

  • A. An advanced persistent threat.
  • B. An on-path attack.
  • C. A zero-day attack.
  • D. A decrypting RSA using an obsolete and weakened encryption attack.

Answer: A

Explanation:
The scenario describes a prolonged, stealthy operation where files were exfiltrated over three months via secure channels (TLS-protected HTTP) from unexpected systems, then ceased. This aligns with an Advanced Persistent Threat (APT), characterized by long-term, targeted attacks aimed at data theft or surveillance, often using sophisticated methods to remain undetected.
* Decrypting RSA with obsolete, weakened encryption would be a cryptographic attack, but TLS indicates modern encryption was in use, and nothing here points to decryption.
* A zero-day attack exploits an unknown vulnerability, but the three-month duration and the deliberate cessation suggest a planned operation, not a single exploit.
* An APT fits: slow, persistent exfiltration from unusual systems indicates a coordinated, stealthy threat actor.
* An on-path (man-in-the-middle) attack intercepts traffic, but there is no indication of interception; the activity is unauthorized outbound transfers.
Reference: CompTIA SecurityX CAS-005 Domain 1: Risk Management - Threat Identification and Analysis.


NEW QUESTION # 58
A large organization deployed a generative AI platform for its global user population to use. Based on feedback received during beta testing, engineers have identified issues with user interface latency and page-loading performance for international users. The infrastructure is currently maintained within two separate data centers, which are connected using high-availability networking and load balancers. Which of the following is the best way to address the performance issues?

  • A. Configuring the application to use a CDN
  • B. Remote journaling within a third data center
  • C. Implementing RASP to enable large language models queuing
  • D. Traffic shaping through the use of a SASE

Answer: A

Explanation:
A Content Delivery Network (CDN) caches and distributes static and dynamic web content across multiple geographically distributed edge servers, reducing latency for global users. This directly addresses page-loading delays caused by distance from the primary data centers.
RASP is for runtime application security, not latency.
Remote journaling is for data replication, not performance optimization.
SASE can improve security and WAN routing, but a CDN is purpose-built for content delivery performance.


NEW QUESTION # 59
After an incident occurred, a team reported during the lessons-learned review that the team:
- Lost important information for further analysis.
- Did not utilize the chain of communication.
- Did not follow the right steps for a proper response.
Which of the following solutions is the best way to address these findings?

  • A. Publishing the incident response policy and enforcing it as part of the security awareness program
  • B. Requiring professional incident response certifications for each new team member
  • C. Requesting budget for better forensic tools to improve technical capabilities for incident response operations
  • D. Building playbooks for different scenarios and performing regular table-top exercises

Answer: D

Explanation:
Building playbooks for different incident scenarios provides a structured, repeatable process for the team to follow, ensuring critical steps are followed, information is not lost, and communication is effectively managed. Regular table-top exercises help familiarize the team with these procedures, allowing them to practice and refine their response capabilities before a real incident occurs. This directly addresses the issues raised in the lessons-learned review.


NEW QUESTION # 60
An organization is developing a disaster recovery plan that requires data to be backed up and available at a moment's notice. Which of the following should the organization consider first to address this requirement?

  • A. Identify critical business processes and determine associated software and hardware requirements.
  • B. Implement a change management plan to ensure systems are using the appropriate versions.
  • C. Hire additional on-call staff to be deployed if an event occurs.
  • D. Design an appropriate warm site for business continuity.

Answer: A

Explanation:
For a disaster recovery (DR) plan requiring immediate data availability, the first step is understanding what needs to be protected and recovered. Identifying critical business processes and their associated software and hardware requirements establishes the foundation for the DR plan. This ensures that backups and recovery mechanisms align with business priorities, meeting the "moment's notice" requirement.


NEW QUESTION # 61
After a penetration test on the internal network the following report was generated:

Which of the following should be recommended to remediate the attack?

  • A. Rotating KRBTGT password
  • B. Deleting SQLSV
  • C. Reimaging ADMIN01$
  • D. Resetting the local domain

Answer: A

Explanation:
The KRBTGT account is a critical account used by the Kerberos authentication protocol. The fact that the hash for KRBTGT.CORP.LOCAL was successfully collected during the attack indicates that the attacker may have gained access to Kerberos tickets and could potentially impersonate users. Rotating the KRBTGT password helps mitigate the risk of Kerberos ticket forging, which is a common post-exploitation technique in attacks such as Pass-the-Ticket and Golden Ticket attacks. This will prevent attackers from using stolen hashes to impersonate users or gain unauthorized access to the domain.


NEW QUESTION # 62
A company discovers intellectual property data on commonly known collaboration web applications that allow the use of slide templates. The systems administrator is reviewing the configurations of each tool to determine how to prevent this issue. The following security solutions are deployed:
- CASB
- SASE
- WAF
- EDR
- Firewall
- IDS
- SIEM
- DLP endpoints
Which of the following should the administrator do to address the issue?

  • A. Create an alert within the SIEM for outgoing network traffic to the suspected website.
  • B. Enable blocking for all WAF policies.
  • C. Enforce a policy to block unauthorized web applications within CASB.
  • D. Configure DLP endpoints to block sensitive data to the mass media.

Answer: C

Explanation:
A CASB sits inline between users and cloud services, giving you visibility and control over shadow IT. By configuring your CASB to block or quarantine uploads to any unsanctioned collaboration or file-sharing platforms, you'll prevent sensitive slide decks from being stored in those public web apps. This stops the leakage at the cloud access layer rather than relying on endpoint or network detection alone.


NEW QUESTION # 63
A security administrator is reviewing the following code snippet from a website component:

A review of the inc.tmp file shows the following:

Which of the following is most likely the reason for inaccuracies?

  • A. The relevant stylesheet has become corrupted.
  • B. A content management solution plug-in has been exploited.
  • C. The WAF is configured to be in transparent mode.
  • D. A search engine's bots are being blocked at the firewall.

Answer: B

Explanation:
The code indicates that a WordPress (CMS) plug-in has likely been exploited. The function get_hex_cache() combines obfuscated PHP code (hex2bin) with external file retrieval (inc.tmp). This is characteristic of malicious plug-in injections in content management systems such as WordPress, where attackers inject backdoors or malicious scripts through vulnerable plug-ins.
Blocked search engine bots and a corrupted stylesheet would not explain injected PHP logic. A WAF in transparent mode reduces security controls but does not create malicious functions inside the CMS code.
The presence of obfuscated data in inc.tmp strongly suggests tampering. Exploited CMS plug-ins are a common initial access vector, often used to hide persistent malware or web shells.


NEW QUESTION # 64
An organization is increasing its focus on training that addresses new social engineering and phishing attacks. Which of the following is the organization most concerned about?

  • A. Meeting existing regulatory compliance
  • B. Overreliance on AI support bots
  • C. Generative AI tools increasing the quality of exploits
  • D. Differential analysis using AI models

Answer: C

Explanation:
The organization is concerned that generative AI tools can increase the quality and sophistication of phishing and social engineering attacks, making them harder to detect and more convincing to victims.


NEW QUESTION # 65
An organization plans to deploy new software. The project manager compiles a list of roles that will be involved in different phases of the deployment life cycle. Which of the following should the project manager use to track these roles?

  • A. RACI matrix
  • B. Recall tree
  • C. ITIL
  • D. CMDB

Answer: A


NEW QUESTION # 66
A security analyst is reviewing a SIEM and generates the following report:

Later, the incident response team notices an attack was executed on the VM001 host. Which of the following should the security analyst do to enhance the alerting process on the SIEM platform?

  • A. Improve parsing of data on the SIEM.
  • B. Create a new rule set to detect malware.
  • C. Include the EDR solution on the SIEM as a new log source.
  • D. Perform a log correlation on the SIEM solution.

Answer: D

Explanation:
The logs show related events (e.g., malware detection, IPS alert, and eventual connection allowance) from the same source and host. Log correlation connects these related events across time to generate meaningful, actionable alerts. Enhancing correlation would have helped detect the attack pattern earlier.


NEW QUESTION # 67
A company recently experienced a ransomware attack. Although the company performs systems and data backup on a schedule that aligns with its RPO (Recovery Point Objective) requirements, the backup administrator could not recover critical systems and data from its offline backups to meet the RPO. Eventually, the systems and data were restored with information that was six months outside of RPO requirements.
Which of the following actions should the company take to reduce the risk of a similar attack?

  • A. Perform regular disaster recovery testing of IT and non-IT systems and processes.
  • B. Carry out a tabletop exercise to update and verify the RACI matrix with IT and critical business functions.
  • C. Implement a business continuity process that includes reverting manual business processes.
  • D. Encrypt and label the backup tapes with the appropriate retention schedule before they are sent to the off-site location.

Answer: A

Explanation:
Understanding the ransomware issue:
The key issue here is that backups were not recoverable within the required RPO timeframe.
This means the organization did not properly test its backup and disaster recovery (DR) processes.
To prevent this from happening again, regular disaster recovery testing is essential.
Why regular disaster recovery testing is correct:
Disaster recovery testing ensures that backups are functional and can meet business continuity needs.
Frequent DR testing allows organizations to identify and fix gaps in recovery strategies.
Regular testing ensures that recovery meets the RPO and RTO (Recovery Time Objective) requirements.
Why the other options are incorrect:
Encrypting and labeling backup tapes: While encryption is important, it does not address the failure to meet RPO requirements.
Reverting to manual business processes: While a manual continuity plan is good for resilience, it does not resolve the backup and recovery failure.
Tabletop exercise and RACI matrix: A tabletop exercise is a planning activity, but it does not involve actual recovery testing.
Reference:
CompTIA SecurityX CAS-005 Official Study Guide: Disaster Recovery & Business Continuity Planning
NIST SP 800-34: Contingency Planning Guide for Information Systems
ISO 22301: Business Continuity Management Standards


NEW QUESTION # 68
An organization has noticed an increase in phishing campaigns utilizing typosquatting. A security analyst needs to enrich the data for commonly used domains against the domains used in phishing campaigns. The analyst uses a log forwarder to forward network logs to the SIEM.
Which of the following would allow the security analyst to perform this analysis?

  • A. Implement a dashboard on the SIEM that shows the percentage of traffic by domain.
  • B. Develop a query that filters out all matching domain names.
  • C. Use a cron job to regularly update and compare domains.
  • D. Create a parser that matches domains.

Answer: D

Explanation:
To enrich the data for analysis, the security analyst needs to compare the legitimate domains against those used in phishing campaigns. Creating a parser that matches domains allows the SIEM to automatically identify and analyze the domains in the logs, helping detect typosquatting and other malicious domain usage. This method allows for efficient and automated processing of log data to identify potential threats.
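As an added example (not from the original question bank), the parser below extracts domains from forwarded network log lines and enriches each with the legitimate domain it most closely resembles, flagging likely typosquats. The log format, the watchlist of legitimate domains, the homoglyph table and the edit-distance threshold are constructed assumptions for this example.

```python
"""Added example: domain-matching parser for typosquat enrichment.
Log format, watchlist and thresholds are constructed, not from any real product."""
import re

# Assumed watchlist of the organization's commonly used legitimate domains.
WATCHLIST = ["example.com", "examplebank.com", "mail.example.com"]

# Assumed forwarded log format: "<timestamp> <client_ip> DNS query: <fqdn>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) DNS query: (?P<fqdn>[\w.-]+)$")

# Digit-for-letter substitutions commonly seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Fold homoglyphs and 'rn' -> 'm' so examp1e.com and exarnple.com
    compare equal to example.com before the edit distance is computed."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m")


def registrable(fqdn):
    """Crude registrable domain: the last two labels. Production code would
    use a public-suffix list; this keeps the example self-contained."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Standard edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, watchlist=WATCHLIST, max_distance=2):
    """Return (verdict, closest_legit): 'legit' on an exact watchlist match,
    'typosquat' when within max_distance edits of one after normalization,
    otherwise 'unrelated'."""
    reg = registrable(domain)
    legit = {registrable(w) for w in watchlist}
    if reg in legit:
        return "legit", reg
    best = min(legit, key=lambda l: levenshtein(normalize(reg), normalize(l)))
    if levenshtein(normalize(reg), normalize(best)) <= max_distance:
        return "typosquat", best
    return "unrelated", None


def enrich(lines):
    """Parse each log line and attach the verdict; lines that do not match
    the expected format are skipped rather than silently misclassified."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, closest = classify(m["fqdn"])
        out.append({**m.groupdict(), "verdict": verdict, "closest": closest})
    return out


# Constructed sample log lines.
SAMPLE_LOGS = [
    "2026-05-21T10:00:01Z 10.0.0.5 DNS query: login.example.com",
    "2026-05-21T10:00:07Z 10.0.0.9 DNS query: examp1e.com",
    "2026-05-21T10:00:09Z 10.0.0.9 DNS query: exampel.com",
    "2026-05-21T10:01:12Z 10.0.0.7 DNS query: www.google.com",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for rec in enrich(SAMPLE_LOGS):
        print(rec["client"], rec["fqdn"], rec["verdict"], rec["closest"])
```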


NEW QUESTION # 69
A systems engineer is configuring SSO for a business that will be using SaaS applications for its remote-only workforce. Privileged actions in SaaS applications must be allowed only from corporate mobile devices that meet minimum security requirements, but BYOD must also be permitted for other activity. Which of the following would best meet this objective?

  • A. Configure device attestations and continuous authorization controls.
  • B. Deploy application protection policies using a corporate, cloud-based MDM solution.
  • C. Install machine certificates on corporate devices and perform checks against the clients.
  • D. Block any connections from outside the business's network security boundary.

Answer: A

Explanation:
Device attestation ensures that only corporate-approved devices can perform privileged actions in SaaS applications. Continuous authorization monitors ongoing device compliance, dynamically adjusting permissions based on security posture.
* Blocking connections (A) is too restrictive and does not accommodate BYOD.
* Machine certificates (B) help with authentication but do not provide continuous security assessment.
* MDM policies (D) secure mobile devices but do not apply real-time access controls for SaaS applications.


NEW QUESTION # 70
During a gap assessment, an organization notes that BYOD usage is a significant risk. The organization implemented administrative policies prohibiting BYOD usage. However, the organization has not implemented technical controls to prevent the unauthorized use of BYOD assets when accessing the organization's resources. Which of the following solutions should the organization implement to best reduce the risk of BYOD devices? (Select two).

  • A. Cloud IAM, to enforce the use of token-based MFA
  • B. NAC, to enforce device configuration requirements
  • C. Conditional access, to enforce user-to-device binding
  • D. SD-WAN, to enforce web content filtering through external proxies
  • E. DLP, to enforce data protection capabilities
  • F. PAM, to enforce local password policies

Answer: B,C

Explanation:
To reduce the risk of unauthorized BYOD (Bring Your Own Device) usage, the organization should implement Conditional Access and Network Access Control (NAC).
Why Conditional Access and NAC?
Conditional Access:
User-to-Device Binding: Conditional access policies can enforce that only registered and compliant devices are allowed to access corporate resources.
Context-Aware Security: Enforces access controls based on the context of the access attempt, such as user identity, device compliance, location, and more.
Network Access Control (NAC):
Device Configuration Requirements: NAC ensures that only devices meeting specific security configurations are allowed to connect to the network.
Access Control: Provides granular control over network access, ensuring that BYOD devices comply with security policies before gaining access.
Other options, while useful, do not address the specific need to control and secure BYOD devices effectively:
Cloud IAM to enforce token-based MFA: Enhances authentication security but does not control device compliance.
PAM to enforce local password policies: Focuses on privileged account management, not BYOD control.
SD-WAN to enforce web content filtering: Enhances network performance and security but does not enforce BYOD device compliance.
DLP to enforce data protection capabilities: Protects data but does not control BYOD device access and compliance.
Reference:
CompTIA SecurityX Study Guide
"Conditional Access Policies," Microsoft Documentation
"Network Access Control (NAC)," Cisco Documentation


NEW QUESTION # 71
An analyst wants to conduct a risk assessment on a new application that is being deployed.
Given the following information:
- Total budget allocation for the new application is unavailable.
- Recovery time objectives have not been set.
- Downtime loss calculations cannot be provided.
Which of the following statements describes the reason a qualitative assessment is the best option?

  • A. An organizational risk register tracks all risks and mitigations across business units.
  • B. The analyst has previous work experience in application development.
  • C. The organization wants to find the monetary value of any outages.
  • D. Sufficient metrics are not available to conduct other risk assessment types.

Answer: D

Explanation:
A qualitative risk assessment is appropriate when quantitative data such as budget, downtime costs, or RTOs are unavailable. It relies on expert judgment, likelihood, and impact categories rather than precise metrics, making it the best option in this scenario.


NEW QUESTION # 72
......

Ace CompTIA CAS-005 Certification with Actual Questions May 21, 2026 Updated: https://braindumps.exam4tests.com/CAS-005-pdf-braindumps.html