CompTIA SecurityX Course: Complete Study Guide for the CAS-005 Exam

CompTIA SecurityX (CAS-005) is the advanced-level certification for security architects and senior engineers, formerly known as CASP+. It validates your ability to architect, engineer, and operate secure solutions across complex enterprise environments. This course covers all four exam domains so you build the deep technical and governance skills needed to pass. CompTIA recommends a minimum of 10 years of general IT experience with at least 5 years of hands-on security experience.
| Domain | Title | Exam Weight |
|---|---|---|
| 1.0 | Governance, Risk, and Compliance | 20% |
| 2.0 | Security Architecture | 27% |
| 3.0 | Security Engineering | 31% |
| 4.0 | Security Operations | 22% |
Exam details: Maximum of 90 questions, multiple-choice and performance-based, 165 minutes, pass/fail only with no scaled score.
Resources
- Tips for Passing CompTIA Exams
- CompTIA SecurityX (CASP+) Practice Test - Test your readiness
- Official CAS-005 Exam Objectives
- Cybersecurity Career Playbook
- CompTIA Security+ Course - Foundational prerequisite
- CompTIA CySA+ Course - Recommended prerequisite
- Additional Learning Resources
Domain 1: Governance, Risk, and Compliance (20%)
- Implement governance components, including security program documentation (policies, procedures, standards, guidelines) and governance frameworks (COBIT, ITIL)
- Apply change and configuration management, including asset management life cycle, CMDB, and inventory
- Perform risk management activities, including impact analysis, quantitative vs. qualitative analysis, and risk prioritization
- Manage third-party risk, including supply chain risk, vendor risk, and subprocessor risk
- Explain how compliance affects security strategies, including PCI DSS, ISO/IEC 27000 series, SOC 2, NIST CSF, CIS, and Cloud Security Alliance
- Apply privacy regulations, including GDPR, CCPA, LGPD, and COPPA
- Perform threat-modeling activities using MITRE ATT&CK, CAPEC, Cyber Kill Chain, Diamond Model, STRIDE, and OWASP
- Summarize AI security challenges, including prompt injection, training data poisoning, model theft, model inversion, and deep fakes
Domain 2: Security Architecture (27%)
- Analyze requirements to design resilient systems, including firewall, IPS/IDS, WAF, VPN, NAC, API gateway, and CDN placement
- Apply availability and integrity design considerations, including load balancing, recoverability, interoperability, and vertical vs. horizontal scaling
- Implement security throughout the systems life cycle, including SAST, DAST, IAST, RASP, SCA, SBoM, and CI/CD security
- Manage supply chain risk for software and hardware, plus hardware assurance and end-of-life considerations
- Integrate Zero Trust concepts, including segmentation, microsegmentation, SASE, SD-WAN, and subject-object relationships
- Implement cloud capabilities securely, including CASB, shadow IT detection, shared responsibility, container security, and serverless
- Apply security to access, authentication, and authorization systems, including federation, SSO, PKI architecture, and OCSP stapling
- Integrate controls into data security design, including classification models, data labeling, DLP, and third-party integrations
This domain carries 27% of the exam and feeds directly into security engineering, so spend solid time on Zero Trust and cloud design here.
Domain 3: Security Engineering (31%)
- Troubleshoot IAM components, including SAML, OpenID, MFA, SSO, Kerberos, PAM, 802.1X, and federation
- Enhance the security of endpoints and servers, including EDR, application control, HIPS/HIDS, MDM, and SELinux
- Identify threat-actor TTPs, including injections, privilege escalation, credential dumping, lateral movement, and defensive evasion
- Troubleshoot network infrastructure security, including DNS security (DNSSEC), email security (DKIM, SPF, DMARC), and TLS errors
- Implement hardware security technologies, including TPM, HSM, vTPM, Secure Boot, measured boot, and self-encrypting drives
- Secure specialized and legacy systems, including OT, SCADA, ICS, IoT, SoC, and embedded systems
- Use automation to secure the enterprise with PowerShell, Bash, Python, IaC, SOAR, SCAP, OVAL, and XCCDF
- Explain advanced cryptographic concepts, including post-quantum cryptography, homomorphic encryption, forward secrecy, and key stretching
- Apply the appropriate cryptographic use case, including tokenization, code signing, digital signatures, and symmetric/asymmetric cryptography
This is the heaviest-weighted domain at 31%, so build deep hands-on familiarity with cryptography and hardware roots of trust.
Domain 4: Security Operations (22%)
- Analyze data to enable monitoring and response, including SIEM event parsing, correlation, audit log reduction, and behavior baselines
- Analyze vulnerabilities and attacks and recommend solutions, including injection, XSS, race conditions, CSRF, SSRF, deserialization, and weak ciphers
- Apply mitigations, including input validation, output encoding, safe functions, least privilege, secrets management, and defense-in-depth
- Apply threat-hunting and threat intelligence using internal sources (adversary emulation, hypothesis-based searches, honeypots) and external sources (OSINT, dark web, ISACs)
- Share indicators of compromise using STIX, TAXII, and rule-based languages such as Sigma, YARA, and Snort
- Analyze data and artifacts for incident response, including malware analysis, reverse engineering, volatile and non-volatile storage analysis, and metadata analysis
- Perform timeline reconstruction and root cause analysis to support response activities
Work through all four domains, then test your readiness with the CompTIA SecurityX (CASP+) Practice Test before exam day. SecurityX replaces CASP+ as the certification name, so search for both terms when looking for study material. For more certification courses and hands-on playbooks, visit Courses and Playbooks.


