Why CompTIA renamed CASP+ to SecurityX

In April 2024, CompTIA retired the CASP+ (CAS-004) exam and launched SecurityX under the exam code CAS-005. The name change was not cosmetic. For years, CASP+ suffered from a recognition problem: hiring managers outside the DoD contractor ecosystem did not immediately understand where it sat in the CompTIA hierarchy or what it required of candidates. SecurityX directly signals the relationship — the “X” suffix positions it as the expert counterpart to Security+, the same way CompTIA’s CySA+ and PenTest+ occupy the professional tier between the two.

The credential targets a specific practitioner: an experienced security engineer or architect who designs, implements, and integrates security solutions at enterprise scale — not a security analyst who monitors and responds, and not a security manager who sets policy without building systems. SecurityX candidates are expected to make architecture-level decisions about zero trust implementation, cryptographic controls, DevSecOps pipeline integration, and risk quantification across large, complex environments. That practical focus distinguishes SecurityX from CISSP, which tests a broader management and governance framework at comparable seniority.

The DoD approval trajectory underscores SecurityX’s value in the US federal and defense contracting market. CAS-005 carries DoD 8140 approval at IAT Level III (the highest IAT tier, covering senior system administrators and network engineers handling the most sensitive classified systems), IAM Level III (security managers responsible for accreditation of classified networks), and IASAE Levels I and II (information assurance system architects and engineers). That combination — expert practitioner depth plus the highest DoD designation CompTIA offers — makes SecurityX the single most valuable CompTIA credential for candidates working in or targeting the federal IT security market.

Domain 1 — Security Architecture (29%)

Security Architecture is the domain where SecurityX most clearly separates itself from Security+ and CySA+. The exam does not test whether you know what zero trust is — it tests whether you can design a zero trust architecture for a real enterprise environment, specify the identity controls, microsegmentation policies, and continuous verification requirements, and justify the design decisions against alternative approaches.

Zero Trust and secure network design

Zero Trust Architecture (ZTA) is the central framework for Domain 1. The SecurityX exam tests candidates on ZTA implementation at the enterprise level: not the NIST SP 800-207 definition, but the architectural decisions that translate the definition into deployed controls. Core components:

  • Identity as the new perimeter: every access decision is identity-driven, using continuous authentication signals (device health, location, behavioral analytics) rather than network location. Privileged Access Management (PAM) with just-in-time (JIT) provisioning and session recording is the ZTA control for administrative access.
  • Microsegmentation: replacing flat network zones with workload-level policy enforcement. Know the difference between network-based segmentation (VLANs, firewall rules) and identity-based microsegmentation (software-defined perimeter, service mesh mTLS) and the architectural trade-offs between them.
  • SASE (Secure Access Service Edge): converged network and security delivered from the cloud edge — SD-WAN for routing, CASB for cloud access control, SWG for web filtering, ZTNA for application access. Correct when the scenario describes a distributed, remote workforce that needs consistent policy enforcement without backhauling traffic to a central data center.
  • ZTNA vs VPN: ZTNA grants access per-application based on identity and device posture; VPN grants network-level access. SecurityX candidates must articulate why ZTNA is the architectural preference for modern enterprise access and the edge cases where VPN remains appropriate (legacy application protocols that cannot be proxied).

Cloud and hybrid security architecture

SecurityX Domain 1 tests cloud security architecture at a depth that goes well beyond the Security+ and CySA+ service enumeration. Candidates are expected to design multi-cloud security architectures, specify shared responsibility boundaries, and select controls that enforce consistent policy across heterogeneous cloud environments.

  • Cloud Security Posture Management (CSPM): continuous assessment of cloud configuration against security benchmarks (CIS benchmarks, cloud provider security baselines). Correct when the question asks for automated drift detection and remediation across AWS, Azure, or GCP environments without per-account manual review.
  • Cloud Workload Protection (CWPP): runtime protection for VMs, containers, and serverless functions. Integrates with CI/CD pipelines for pre-deployment image scanning. Distinct from CSPM: CSPM manages configuration posture, CWPP manages runtime workload behavior.
  • Infrastructure as Code (IaC) security: shifting security left means scanning Terraform, CloudFormation, and Bicep templates before provisioning. SAST tools for IaC (Checkov, tfsec, Terrascan) catch misconfiguration at the definition stage. SecurityX candidates design the pipeline integration — not just acknowledge that IaC scanning exists.
  • Container security: image scanning in the registry (Trivy, Grype), admission controllers enforcing signed images (Cosign, Notary), Pod Security Standards in Kubernetes, and network policies limiting east-west container communication.
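The CSPM and IaC bullets above describe scanning definitions against a benchmark and gating the pipeline on the result. The following is an added illustration of that policy-as-code pattern in Python; it is not the code or rule set of Checkov, tfsec or Terrascan. The input shape (a list of resources with `type`, `name` and `config`) is a constructed simplification of a Terraform plan, and the rule IDs are invented for the example.

```python
"""Policy-as-code checks over a parsed IaC plan (added illustration).

Not the code or rule set of Checkov, tfsec or Terrascan. The input shape is a
constructed simplification of a Terraform plan; rule IDs are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource: str
    severity: str
    message: str


def _open_to_world(cidrs):
    return any(c in ("0.0.0.0/0", "::/0") for c in cidrs)


def check_security_group(res):
    """Flag ingress rules that expose SSH (22) or RDP (3389) to any address."""
    findings = []
    for rule in res["config"].get("ingress", []):
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        if not _open_to_world(rule.get("cidr_blocks", [])):
            continue
        for port, svc in ((22, "SSH"), (3389, "RDP")):
            if lo <= port <= hi:
                findings.append(Finding("SG-001", res["name"], "HIGH",
                                        f"{svc} ({port}) ingress open to 0.0.0.0/0"))
    return findings


def check_bucket(res):
    """Flag public ACLs and missing server-side encryption on object storage."""
    cfg = res["config"]
    findings = []
    if cfg.get("acl") in ("public-read", "public-read-write"):
        findings.append(Finding("S3-001", res["name"], "HIGH",
                                f"bucket ACL is {cfg['acl']}"))
    if not cfg.get("server_side_encryption", False):
        findings.append(Finding("S3-002", res["name"], "MEDIUM",
                                "no server-side encryption configured"))
    return findings


# Dispatch table: resource type -> check function.
RULES = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_bucket,
}


def scan(plan):
    """Run every applicable rule over every resource in the plan."""
    findings = []
    for res in plan:
        findings.extend(RULES.get(res["type"], lambda _r: [])(res))
    return findings


def gate(findings, block_on=("HIGH",)):
    """Pipeline gate: True means the plan may proceed to apply."""
    return not any(f.severity in block_on for f in findings)


# Constructed sample plan: two security groups and two buckets.
SAMPLE_PLAN = [
    {"type": "aws_security_group", "name": "bastion-sg",
     "config": {"ingress": [{"from_port": 22, "to_port": 22,
                             "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "name": "app-sg",
     "config": {"ingress": [{"from_port": 443, "to_port": 443,
                             "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"type": "aws_s3_bucket", "name": "audit-logs",
     "config": {"acl": "private", "server_side_encryption": True}},
    {"type": "aws_s3_bucket", "name": "public-assets",
     "config": {"acl": "public-read"}},
]

if __name__ == "__main__":
    results = scan(SAMPLE_PLAN)
    for f in results:
        print(f"[{f.severity}] {f.rule_id} {f.resource}: {f.message}")
    print("apply allowed:", gate(results))
```

Run against the sample plan this produces three findings (the world-open SSH rule on `bastion-sg`, and the public ACL plus missing encryption on `public-assets`) and the gate refuses the apply. The design point for the exam is the gate: the scan runs at the definition stage, before any resource exists, and HIGH findings stop the pipeline rather than creating a ticket after provisioning.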

Domain 2 — Security Operations (30%)

The heaviest domain by weight, Security Operations tests the hands-on practitioner skills that SecurityX holders are expected to bring into an enterprise SOC or incident response role. The exam tests tool selection, detection logic design, forensic methodology, and threat hunting — not just knowledge that these activities exist.

Threat intelligence, detection engineering, and SIEM/SOAR/XDR

SecurityX candidates must understand the threat intelligence lifecycle and apply it to detection: consuming threat feeds, mapping TTPs to MITRE ATT&CK, writing detection rules, and feeding intelligence back into the architecture. Key distinctions the exam tests:

  • SIEM vs SOAR vs XDR: SIEM aggregates and correlates log data for detection and compliance; SOAR orchestrates automated response playbooks triggered by SIEM alerts; XDR provides integrated detection and response across endpoint, network, email, and cloud with built-in correlation that SIEMs require manual rule authoring to achieve. The correct answer depends on the operational maturity and tooling constraint described in the scenario.
  • Threat hunting: proactive hypothesis-driven search for threats not detected by automated rules. Hunters start with a TTP (e.g., MITRE T1059 command-line execution by unusual processes) and query historical SIEM data, EDR telemetry, or DNS logs to find evidence. SecurityX candidates must distinguish threat hunting (proactive, hypothesis-led) from incident response (reactive, alert-triggered).
  • Deception technologies: honeypots (full fake systems), honeytokens (fake credentials or files that alert on access), and canary tokens (unique links or documents that alert on opening). Use when the question asks for an early detection mechanism that generates high-confidence alerts with very low false positive rates because only an attacker who has already compromised the network would interact with a decoy.
  • MITRE ATT&CK integration: mapping detections to ATT&CK techniques to identify coverage gaps, prioritize new detection rule development, and communicate threat model coverage to stakeholders. The SecurityX exam uses ATT&CK technique IDs in scenario questions — know the major tactic categories (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Lateral Movement, Exfiltration, Command and Control).
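The threat hunting bullet describes starting from a TTP such as T1059 (command-line execution by unusual processes) and querying telemetry for evidence. Below is an added illustration of that hunt logic in Python, run over constructed process-creation events; it is not an EDR or SIEM query language and not tied to any vendor's schema. The event fields (`host`, `pid`, `parent_image`, `image`, `cmdline`), the parent allowlist and the sample events are all assumptions made for the example.

```python
"""Hypothesis-driven hunt for ATT&CK T1059 (Command and Scripting Interpreter)
launched from unusual parent processes (added illustration).

Event format, parent list and sample events are constructed for the example.
"""
import json
import os

# Hypothesis: a command interpreter started by a document handler, mail client
# or web-server worker is rare in normal operation and worth an analyst's look.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "bash", "sh", "python.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "outlook.exe", "acrord32.exe", "w3wp.exe", "httpd",
                      "nginx", "java"}
TECHNIQUE = "T1059"


def base_name(path):
    """Normalise a Windows or POSIX image path to a lowercase file name."""
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_events(jsonl):
    """Turn JSON-lines process-creation telemetry into dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt(events):
    """Return the events matching the hypothesis, tagged with the technique."""
    hits = []
    for ev in events:
        parent, child = base_name(ev["parent_image"]), base_name(ev["image"])
        if child in INTERPRETERS and parent in SUSPICIOUS_PARENTS:
            hits.append({"technique": TECHNIQUE, "host": ev["host"],
                         "parent": parent, "child": child, "pid": ev["pid"],
                         "cmdline": ev.get("cmdline", "")})
    return hits


# Constructed sample telemetry. Only the Word, IIS worker and Outlook parents
# should match; explorer.exe and services.exe are normal parents.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ws01", "pid": 4120,
                "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"}),
    json.dumps({"host": "ws01", "pid": 4188,
                "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "cmdline": "powershell.exe -File update.ps1"}),
    json.dumps({"host": "web01", "pid": 2231,
                "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"}),
    json.dumps({"host": "web01", "pid": 900,
                "parent_image": r"C:\Windows\System32\services.exe",
                "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}),
    json.dumps({"host": "ws02", "pid": 5102,
                "parent_image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
                "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"}),
    json.dumps({"host": "ws02", "pid": 5110,
                "parent_image": r"C:\Windows\System32\cmd.exe",
                "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 10.0.0.1"}),
])

if __name__ == "__main__":
    for h in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"{h['technique']} {h['host']}: {h['parent']} -> {h['child']} "
              f"(pid {h['pid']}) {h['cmdline']}")
```

The sample yields three hits across two hosts. In practice the same parent/child hypothesis is expressed as a saved search in the SIEM or EDR console and run over weeks of history; the result of a hunt like this is either an incident (reactive work begins) or a new detection rule so the next occurrence fires without a hunter, which is the feedback loop the threat intelligence lifecycle bullet describes.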

Incident response, digital forensics, and vulnerability management

  • Incident response at scale: SecurityX tests IR design — building playbooks, defining escalation paths, establishing evidence preservation procedures, and coordinating cross-functional response teams — not just the NIST IR phase names. Candidates must specify containment strategies (network isolation vs selective blocking) and justify the choice based on business impact tolerance.
  • Digital forensics methodology: order of volatility (CPU registers and cache → RAM → swap space → running processes → disk → remote logging). Evidence acquisition: forensic imaging with verified chain of custody, hash verification (SHA-256) at acquisition and analysis. Memory forensics with Volatility for in-memory malware that leaves no disk artifacts.
  • Vulnerability management programs: SecurityX candidates design enterprise VM programs — asset discovery scope, scanning frequency and credentialing, CVSS-based prioritization supplemented by EPSS (Exploit Prediction Scoring System) and CISA KEV (Known Exploited Vulnerabilities catalog) to focus remediation on vulnerabilities with active exploitation rather than raw CVSS score alone.
  • Purple teaming: structured collaboration between red team (offensive simulation) and blue team (defensive detection and response) to identify and close detection gaps in a controlled way. SecurityX candidates are expected to design purple team exercises, not just describe what they are.
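The vulnerability management bullet above says remediation should be driven by active exploitation (CISA KEV, EPSS) rather than raw CVSS. The block below is an added illustration of one such prioritisation scheme in Python; it is not a vendor's scoring model. The CVE identifiers are placeholders, the EPSS cut-off of 0.10 is an assumption, and the KEV flags and EPSS values are constructed rather than fetched from CISA or FIRST.

```python
"""Risk-based vulnerability prioritisation: KEV first, then EPSS, then CVSS
(added illustration). CVE IDs are placeholders; threshold and values are
constructed assumptions, not data from CISA or FIRST.
"""
from dataclasses import dataclass

EPSS_THRESHOLD = 0.10  # assumed cut-off for "likely to be exploited soon"


@dataclass(frozen=True)
class Vuln:
    cve: str
    asset: str
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS probability of exploitation in 30 days, 0-1
    in_kev: bool           # listed in the CISA Known Exploited Vulnerabilities catalog
    internet_facing: bool  # asset exposure, from the asset inventory


def tier(v):
    """1 = known exploited, 2 = likely exploited, 3 = everything else."""
    if v.in_kev:
        return 1
    if v.epss >= EPSS_THRESHOLD:
        return 2
    return 3


def sort_key(v):
    # Within a tier: internet-facing assets first, then CVSS descending.
    return (tier(v), not v.internet_facing, -v.cvss)


def prioritize(vulns):
    """Remediation order under the KEV/EPSS/CVSS scheme."""
    return sorted(vulns, key=sort_key)


def cvss_only(vulns):
    """Baseline ordering by raw CVSS, for comparison."""
    return sorted(vulns, key=lambda v: -v.cvss)


# Constructed sample: note the CVSS 9.8 finding on an internal build server
# versus a CVSS 7.5 KEV entry on an internet-facing gateway.
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", "build-server", 9.8, 0.02, False, False),
    Vuln("CVE-EXAMPLE-B", "vpn-gateway", 7.5, 0.08, True, True),
    Vuln("CVE-EXAMPLE-C", "web-portal", 6.1, 0.45, False, True),
    Vuln("CVE-EXAMPLE-D", "api-gateway", 9.1, 0.01, False, True),
    Vuln("CVE-EXAMPLE-E", "hr-intranet", 5.3, 0.003, False, False),
]

if __name__ == "__main__":
    print("CVSS only :", [v.cve for v in cvss_only(SAMPLE)])
    print("risk-based:", [v.cve for v in prioritize(SAMPLE)])
    for v in prioritize(SAMPLE):
        print(f"  tier {tier(v)} {v.cve} on {v.asset} "
              f"(cvss {v.cvss}, epss {v.epss}, kev {v.in_kev})")
```

The comparison is the point: by CVSS alone the build server's 9.8 goes first and the KEV-listed gateway finding sits third, whereas the risk-based order puts the known-exploited, internet-facing item first and the high-EPSS portal second. The exam scenario usually gives you exactly these signals (exposure, KEV membership, exploit probability) and expects the ordering that follows from them.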

Domain 3 — Security Engineering and Cryptography (26%)

Domain 3 tests cryptographic design and secure software development at depth — the two engineering disciplines that produce secure systems rather than simply monitoring and responding to attacks against insecure ones.

Applied cryptography and PKI design

SecurityX cryptography questions go well beyond knowing that AES-256 is symmetric and RSA-4096 is asymmetric. The exam tests architectural decisions about cryptographic protocol selection, PKI design, and key lifecycle management in enterprise environments.

  • TLS 1.3 and perfect forward secrecy: TLS 1.3 mandates ephemeral Diffie-Hellman key exchange (ECDHE), ensuring each session uses a unique key that is not derived from the server’s long-term private key. If the private key is later compromised, past sessions cannot be decrypted — PFS. Know why TLS 1.2 without PFS cipher suites is still deployed on legacy systems and the architectural risk it represents.
  • PKI design for enterprise: offline root CA (air-gapped, used only to sign subordinate CAs), online issuing CAs for certificate issuance at scale, OCSP for real-time certificate status, CRL distribution points for revocation lists. Two-tier vs three-tier PKI hierarchy trade-offs. Certificate lifecycle automation with the ACME protocol and tools such as Certbot, or cert-manager for Kubernetes workloads.
  • Hardware Security Modules (HSMs): tamper-resistant hardware that stores private keys and performs cryptographic operations without exposing key material. Use for root CA private keys, payment processing key management, and code signing. FIPS 140-2 Level 3+ HSMs are the correct answer when the question specifies federal or payment industry regulatory requirements.
  • Post-quantum cryptography (PQC): NIST finalized PQC standards in 2024 (ML-KEM / CRYSTALS-Kyber for key encapsulation; ML-DSA / CRYSTALS-Dilithium for digital signatures). SecurityX candidates understand why “harvest now, decrypt later” attacks make PQC migration urgent for long-lived sensitive data, and the architectural challenge of crypto-agility: designing systems that can swap cryptographic algorithms without full re-architecture.

DevSecOps and secure software development

Security Engineering in SecurityX extends from cryptography into the software supply chain and CI/CD pipeline. Candidates must design the security controls embedded in the development lifecycle, not just the perimeter controls around deployed applications.

  • SAST, DAST, IAST, and SCA: Static Application Security Testing (SAST) analyzes source code at rest for security flaws (injection, hardcoded secrets, dangerous API calls); Dynamic Application Security Testing (DAST) sends attack payloads to a running application (black-box); Interactive Application Security Testing (IAST) instruments the running application from inside to detect vulnerabilities during functional testing; Software Composition Analysis (SCA) scans third-party dependencies for known CVEs and license compliance issues. Know which layer of the pipeline each fits and when each is the correct exam answer.
  • Software supply chain security: SLSA (Supply-chain Levels for Software Artifacts) framework for build provenance; Sigstore and Cosign for artifact signing and verification; SBOM (Software Bill of Materials) generation for dependency transparency. This is the correct architectural recommendation when a question describes a vendor providing software to a regulated industry that needs to attest to the contents of each release.
  • Secrets management: eliminating hardcoded credentials from source code using dedicated secrets stores (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault). Dynamic secrets — credentials generated on-demand with short TTLs and automatic rotation — are the SecurityX-preferred pattern over static credentials stored in environment variables.

Domain 4 — Governance, Risk, and Compliance (15%)

The lightest domain by weight, but the one that separates SecurityX holders who can communicate security to business leadership from those who cannot. GRC at the SecurityX level is not framework memorization — it is the ability to design a risk management program, quantify risk in business terms, and map security decisions to regulatory obligations.

Risk quantification, frameworks, and third-party risk

  • Quantitative risk analysis with FAIR: Factor Analysis of Information Risk (FAIR) models risk as a probability distribution of loss magnitude, expressed in financial terms. SecurityX candidates use FAIR to translate “this vulnerability has CVSS 9.1” into “the annualized loss expectancy of this control gap is $2.4M, which exceeds the $180k cost of remediation by 13x.” That framing enables risk-based investment decisions without requiring executive audiences to understand CVSS.
  • NIST CSF 2.0: the 2024 update added a sixth function — Govern — alongside Identify, Protect, Detect, Respond, and Recover. SecurityX candidates understand CSF 2.0 Govern as the overarching function that establishes organizational context, priorities, and accountability for cybersecurity risk management — not just a new label on existing content.
  • Regulatory compliance mapping: SecurityX candidates map security controls to overlapping regulatory requirements at the same time. A healthcare company processing payments in the EU faces HIPAA (PHI protection), PCI DSS (cardholder data), and GDPR (personal data of EU residents) all at once. Know the control overlap and where a single control satisfies multiple frameworks versus where frameworks impose conflicting requirements (HIPAA audit log retention vs GDPR right to erasure).
  • Third-party risk management: vendor risk assessments (standardized questionnaires like CAIQ, SIG), contractual security requirements (right-to-audit clauses, incident notification SLAs), continuous monitoring of vendor posture via external attack surface management tools. SOC 2 Type II reports as evidence of vendor control effectiveness — know what the Type II report attests to (operating effectiveness over time) vs Type I (design of controls at a point in time).
  • Security program metrics: mean time to detect (MTTD), mean time to respond (MTTR), patch compliance rate by severity tier, percentage of assets with current vulnerability scans, and phishing simulation click rates. SecurityX candidates select the metrics that measure program effectiveness rather than activity (patch tickets opened vs patch compliance achieved).

The scenario pattern that trips most SecurityX candidates: questions that present two architecturally sound options where one addresses the stated business constraint and one does not. Both ZTNA and VPN can provide secure remote access — ZTNA is correct when the scenario specifies a distributed workforce accessing cloud-native SaaS applications, because VPN backhauling adds latency and a VPN concentrator becomes a single point of failure. Both SIEM and XDR can detect lateral movement — XDR is correct when the question describes a lean SOC team without dedicated threat hunting capacity, because XDR’s integrated correlation reduces the analyst skill required to surface advanced threats. Reading the constraint is the exam skill.

SecurityX vs CISSP — which expert security cert is right for you?

SecurityX and CISSP occupy the same seniority tier but serve different career trajectories. Understanding the distinction is essential for making the right study investment.

Why it matters for security candidates

SecurityX (CAS-005) is the clearest expert-level signal available to enterprise security practitioners who are not pursuing the CISSP management track. The $512 exam fee and 165-minute duration represent a real investment — but SecurityX holders command a $25k–$45k premium over Security+-only candidates at the senior engineer level. For DoD contractors, SecurityX is often a contract requirement at IAT Level III, making it not optional. For enterprise security architects in the private sector, SecurityX paired with 5+ years of hands-on architecture experience is the fastest credential path to senior architect titles at $165k–$200k. The rebrand from CASP+ to SecurityX improved employer recognition without changing the exam’s practitioner depth — the same exam that was undervalued under the CASP+ name is now correctly positioned as the expert-tier counterpart to the world’s most recognized entry security cert.

Prepare for CompTIA SecurityX, Security+, CySA+, and every other major IT cert with free expert-level practice questions on CertQuests.
